ThinkServer

StrongSwan: Difference between revisions

← Older edit
Major rework for new VICI framework underway. Finished to 'Configuring Windows'
m Miscellaneous Settings: Added to Windows 7 statement
 
(16 intermediate revisions by the same user not shown)
Line 4: Line 4:
* Allows full access to your internal network securely over an insecure network.
* Allows full access to your internal network securely over an insecure network.


We will be setting up the connection to allow a connection from this server to a Windows 10 1809 (October 2018 Update) client. Windows 10 1809 supports the Internet Key Exchange v2 (IKEv2), which is a modern VPN protocol and has some provisions for working over the internet, such as MOBIKE. This helps in situations where the internet connection maybe unreliable and has to reconnect. Windows 10 1809 supports the use of the following modern ciphers:
We will be setting up the connection to allow a connection from this server to a Windows 10 1809 (October 2018 Update) client, although this should still work with later versions. Windows 10 1809 supports the Internet Key Exchange v2 (IKEv2) protocol, which is a modern VPN protocol and has some provisions for working over the internet, such as MOBIKE. This helps in situations where the internet connection may be unreliable and has to reconnect. Windows 10 1809 supports the use of the following modern ciphers:


* Certificate authentication.
* Certificate authentication.
* ECDSA certificates (256 and 384-bit keys).
* ECDSA certificates (256 and 384-bit keys).
* ESP supports AES-GCM 128 & 256-bit for both encryption and authentication.
* ESP supports AES-GCM 128 & 256-bit which does both encryption and authentication.


We will be configuring our connection to use ECDSA 384-bit certificates and AES256-GCM encryption/authentication, currently the strongest supported settings (at least on Windows).
We will be configuring our connection to use ECDSA 384-bit certificates and AES256-GCM encryption/authentication, currently the strongest supported settings (at least on Windows).


Note that Windows initially uses '''VERY''' weak encryption (3DES) and authentication schemes by default (from the Windows 2000 days) so it is very important to set up the connection correctly and not use the default Windows settings. '''strongSwan => 5.6.1 has deprecated the default Windows scheme by disabling 3DES and MODP-1024 as these are insecure. As such, Windows will not just work "out of the box" anymore and requires configuration to use stronger ciphers.'''
Note that Windows initially uses '''VERY''' weak encryption (3DES) and authentication schemes by default (from the Windows 2000 era) so it is very important to set up the connection correctly and not use the default Windows settings. '''strongSwan => 5.6.1 has deprecated the default Windows scheme by disabling 3DES and MODP-1024 as these are insecure. As such, Windows will not just work "out of the box" any more and requires configuration to use stronger ciphers.'''


strongSwan 5.6.3 in openSUSE Tumbleweed (8th April 2019) was used as the basis for this guide.
strongSwan 5.6.3 in openSUSE Tumbleweed (8th April 2019) was used as the basis for this guide.


We will be using the modern strongSwan VICI backend, not the old stroke backend as strongSwan is starting to phase this method out.
We will be using the modern strongSwan VICI back-end, not the old stroke back-end. strongSwan is starting to phase the stroke back-end out.


Commands under Windows with the [[File:Administrator_Shield.png]] icon may need administrator credentials to complete them.
Commands under Windows with the [[File:Administrator_Shield.png]] icon may need administrator credentials to complete them.
Line 35: Line 35:
* <code>firewalld</code>
* <code>firewalld</code>


As this is a system package, restart the computer afterwards. We will be using <code>iptables</code> to manipulate the network traffic, not <code>firewalld</code> as we don't run a firewall at the server level, it is run futher up. It can be configured through the SuSEFirewall2 but we do not use this so additional research is required. The package may need to be marked as Taboo in Tumbleweed so that it doesn't try to reinstall it later.
As this is a system package, restart the computer afterwards. We will be using <code>iptables</code> to manipulate the network traffic, not <code>firewalld</code> as we don't run a firewall at the server level, it is run further up. It can be configured through the SuSEFirewall2 but we do not use this so additional research is required if you use this setup. The package may need to be marked as Taboo in Tumbleweed so that it doesn't try to reinstall it later.


= Important note =
= Important note =


openSUSE has not implemented all of the modern VICI backend yet. As such, to run the service, </code>strongswan</code> can be enabled at startup. However, the <code>swanctl --load-all</code> needs to be loaded manually on each reboot. This notice will be removed the the <code>strongswan-swanctl</code> and <code>charon-systemd</code> packages are added.
openSUSE has not implemented all of the modern VICI backend yet. As such, to run the service, </code>strongswan</code> can be enabled at startup. However, the <code>swanctl --load-all</code> needs to be loaded manually on each reboot. This notice will be removed when the <code>strongswan-swanctl</code> and <code>charon-systemd</code> packages are added.


= Creating the certificates =
= Creating the certificates =


Certificates, especially when created correctly, are the strongest possible way to authenticate. IKEv2 does allow the use of a Username/Pre-shared Key (PSK) but this is a very weak method and is easily brute-forced.
Certificates when created correctly are the strongest possible way to authenticate. IKEv2 does allow the use of a Username/Pre-shared Key (PSK) but this is a very weak method and can be easily brute-forced without further provisions.


We will be creating modern, elliptic curve certificates. These use very short keys (384-bits) compared to RSA keys (4096-bits) but provide the same or better security.
We will be creating modern, elliptic curve certificates. These use very short keys (384-bits) compared to RSA keys (4096-bits) but provide the equivalent security.


== Initial setup ==
== Initial setup ==
Line 71: Line 71:
You now have a self-signed CA certificate, ready to sign any certificates to be used by the VPN server.
You now have a self-signed CA certificate, ready to sign any certificates to be used by the VPN server.


'''IMPORTANT:''' The private key, created in the private folder must '''NEVER''' be disclosed. If anybody were to obtain access to this key, they would be able to create any certificate they like, impersonate you and connect to the server. As this is the CA certificate, a compromise would require a whole new CA key, certificate and any certificates signed by the old, compromised CA. '''KEEP THIS SAFE'''. It would be advisable to keep this on a memory stick once done until it would be needed in the future to sign more certificates.
'''IMPORTANT:''' The private key, created in the private folder must '''NEVER''' be disclosed. If anybody were to obtain access to this key, they would be able to create any certificate they like, impersonate you and connect to the server. As this is the CA certificate, a compromise would require a whole new CA key, certificate and any certificates signed by the old, compromised CA. '''KEEP THIS SAFE'''. It would be advisable to keep this on a memory stick, away from the server, once done until it is needed in the future to sign more certificates.


== Creating a certificate for the server ==
== Creating a certificate for the server ==
Line 102: Line 102:
# Change the permissions of the private key, so that only root can access it:
# Change the permissions of the private key, so that only root can access it:
#:<pre>chmod 600 client1Key.pem</pre>
#:<pre>chmod 600 client1Key.pem</pre>
# Now we have the private key, generate the server certificate:
# Now we have the private key, generate the client certificate:
#:<pre>pki --issue --in client1Key.der --type priv --cacert caCert.der --cakey caKey.der --dn "C=GB, O=strongSwan, CN=client1.freddythechick.net" --san "client1.freddythechick.net" --lifetime 1825 --outform pem> client1Cert.pem</pre>
#:<pre>pki --issue --in client1Key.der --type priv --cacert caCert.der --cakey caKey.der --dn "C=GB, O=strongSwan, CN=client1.freddythechick.net" --san "client1.freddythechick.net" --lifetime 1825 --outform pem> client1Cert.pem</pre>


The <code>CN</code> in the DN this time can be anything for the Windows client. No flags are required.
The <code>CN</code> in the DN this time can be anything for the Windows client. No flags are required.


One of these must be created for each client you would like to connect to the server. '''Keep the CA key secure but safe as this will be needed each time you want to sign a client certificate.'''
One of these must be created for each client you would like to connect to the server. '''Keep the CA key secure as this will be needed each time you want to sign a client certificate.'''


== Packaging the required certificates and keys for Windows ==
== Packaging the required certificates and keys for Windows ==
Line 127: Line 127:
== Copying the certificates to the correct places ==
== Copying the certificates to the correct places ==


As the certificates are now generated, the certificates need to be copied to the correct places for strongSwan to find them. If they are moved to the correct places, strongSwan will search the folders and load everything it finds in the folders, needing no further configuration to find them. I would copy them as oppose to moving them, as you will have a backup copy where you stored them, should you need to start fresh. Don't forget the last <code>/</code> when copying or it will copy it to this name rather than the folder.
As the certificates are now generated, the certificates need to be copied to the correct places for strongSwan to find them. If they are moved to the correct places, strongSwan will search the folders and load everything it finds in the folders, needing no further configuration to find them. I would copy them as oppose to moving them, as you will have a backup copy where you stored them, should you need to start fresh. Don't forget the trailing <code>/</code> when copying or it will copy it to this name rather than the folder.


* Copy <code>serverCert.pem</code> to <code>/etc/swanctl/x509/</code>:
* Copy <code>serverCert.pem</code> to <code>/etc/swanctl/x509/</code>:
Line 136: Line 136:
  cp caCert.pem /etc/swanctl/x509ca/
  cp caCert.pem /etc/swanctl/x509ca/


That is all that needs to be copied to make the server function. '''DO NOT copy the CA key or any client certificates or keys! The CA key must be kept secure and away from the server and is only needed when signing new client certificates. Client certificates and keys are only needed on the clients that will be connecting to this server and are not known by the server initially.'''
That is all that needs to be copied to make the server function. '''DO NOT copy the CA key or any client certificates or keys! The CA key must be kept secure and away from the server and is only needed when signing new client certificates. Client certificates and keys are only needed on the clients that will be connecting to this server and are not needed by the server. Client certificates and keys would only be needed by StrongSwan if you were using this computer to connect to another server.'''


== <code>/etc/swanctl/swanctl.conf</code> ==
== <code>/etc/swanctl/swanctl.conf</code> ==
Line 143: Line 143:
   
   
   windows {
   windows {
       local_addrs = 192.168.1.9
       local_addrs = 192.168.1.9
      #local_addrs = %any
       pools = primary-ipv4
       pools = primary-ipv4
      #encap = yes
   
   
       local {
       local {
Line 155: Line 153:
       remote {
       remote {
         auth = pubkey
         auth = pubkey
       }
       }
   
   
       children {
       children {
         net {
         net {
             local_ts  = dynamic
             local_ts  = 0.0.0.0/0
             updown = /usr/lib/ipsec/_updown iptables
             updown = /usr/lib/ipsec/_updown iptables
             esp_proposals = aes256gcm16-ecp384
             esp_proposals = aes256gcm16-ecp384
Line 178: Line 175:
== Loading the new settings ==
== Loading the new settings ==


Once strongSwan is configured, the settings need loading into the VICI backend. This is done by typing:
Once strongSwan is configured, the settings need loading into the VICI back-end. This is done by typing:


  swanctl --load-all
  swanctl --load-all
Line 204: Line 201:


Ignore any failed directories. We do not use these in this configuration. You will be checking the files in the <code>x509</code>, <code>x509ca</code> and <code>ecdsa</code> files have loaded correctly, as they have above. You should also have 1 pool and 1 connection at this point.
Ignore any failed directories. We do not use these in this configuration. You will be checking the files in the <code>x509</code>, <code>x509ca</code> and <code>ecdsa</code> files have loaded correctly, as they have above. You should also have 1 pool and 1 connection at this point.
== Configuring <code>iptables</code> ==
So that the packets are routed to the correct place, <code>iptables</code> should be configured or no traffic will flow through the tunnel. In this case, we are forwarding all traffic to/from the tunnel. First, we need some information to correctly configure <code>iptables</code>
* Find out the name of the network interface under Linux that you are using for the tunnel. This can be done by typing:
ip a
* This returns all the network cards on the computer like this:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.0/24 brd 192.168.1.255 scope global eth1
        valid_lft forever preferred_lft forever
    inet6 fe80::0000:0000:0000:0000/64 scope link
        valid_lft forever preferred_lft forever
* In this case, we are using <code>eth1</code>. Remember this for later.
* Look in the <code>pool</code> section we created earlier in <code>/etc/swanctl/swanctl.conf</code>. In this setup it is <code>10.1.0.0/16</code>. Remember this for later.
Now we have the correct information, type the following into a terminal (as a superuser):
  iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -o eth1 -m policy --pol ipsec --dir out -j ACCEPT
  iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -o eth1 -j MASQUERADE
Make sure to change the IP address range to the one from your pool and the network interface for the correct one in your case.


= Configuring Windows =
= Configuring Windows =


This part is arguably the more trickier part of the procedure. The Windows "Agile VPN" client has particular ways it must be configured or the VPN connection will fail. Error messages emitted when the connection fails are generally unhelpful and need manual troubleshooting to find the problem. If followed correctly, these procedures will allow you to connect successfully first time.
This part is arguably the more trickier part of the procedure. The Windows "Agile VPN" client has particular ways it must be configured or the VPN connection will fail. Error messages emitted when the connection fails are generally unhelpful and need manual troubleshooting to find the problem. If followed correctly, these procedures will allow you to connect successfully first time. These instructions work for Windows >7.


== Installing the certificates ==
== Installing the certificates ==


Before we can install the certificate, the .p12 file we generated earlier must be copied locally to the computer it will be installed on. They don't seem to install properly when you try installing from a network share.
Before we can install the certificate, the .p12 file we generated earlier must be copied locally to the computer it will be installed on.


Remember that each client must have its own certificate generated. Certificates should not be reused for other machines.
Remember that each client must have its own certificate generated. Certificates should not be reused for other machines.
Line 226: Line 254:
* On the "Completing the Certificate Import Wizard" page, click Finish. You should get a prompt saying the import was successful. This will complete the import.
* On the "Completing the Certificate Import Wizard" page, click Finish. You should get a prompt saying the import was successful. This will complete the import.


For the certificates to be found by the VPN client, they must be installed in the Computer store, not the User store. Hence, make sure the "Store Location" is changed from Current User to Local Machine.
For the certificates to work correctly with the VPN server, they must be installed in the Computer store, not the User store. Hence, make sure the "Store Location" is changed from Current User to Local Machine.


== Making the VPN profile ==
== Making the VPN profile ==


Windows 10 has two ways of making a new VPN profile, via the Control Panel or via the Settings App. We will be using the Control Panel method as this allows more control of the profile.
Windows >7 can make a new VPN profile via the Control Panel. Windows 10 can make a new VPN profile both via the Control Panel or the Settings App. We will be using the Control Panel method as this allows more control of the profile.


* Open the Control Panel. Change to the Large Icon view if needed.
* Open the Control Panel. Change to the Large Icon view if needed.
* Click Network and Sharing Centre.
* Click "Network and Sharing Centre".
* Under your active networks section, in the "Change your network settings" section, click "Set up a new connection or network".
* Under your active networks section, in the "Change your network settings" section, click "Set up a new connection or network".
* Under "Choose a connection option", click "Connect to a workplace". Then click Next.
* Under "Choose a connection option", click "Connect to a workplace". Then click Next.
* Under "How do you want to connect?", click "Use my Internet connection (VPN)".
* Under "How do you want to connect?", click "Use my Internet connection (VPN)".
* In the Internet address box, type your DNS name to your VPN server.
* In the Internet address box, type your DNS name to your VPN server (thinkserver.freddythechick.net).
* In the Destination name box, give your profile a name of your choosing.
* In the Destination name box, give your profile a name of your choosing (Thinkserver).
* [[File:Administrator_Shield.png]] Make sure the "Allow other people to use this connection" tick box is checked.
* [[File:Administrator_Shield.png]] Make sure the "Allow other people to use this connection" tick box is checked.
* Click Create. Your new profile will then be created.
* Click Create. Your new profile will then be created.
Line 248: Line 276:
We must now set the connection to use IKEv2.
We must now set the connection to use IKEv2.


* In the previous Network and Sharing Centre window, click Change adapter settings, down the left hand side.
* In the previous Network and Sharing Centre window, click "Change adapter settings" down the left hand side.
* There will be a new connection created here with the name you gave it earlier. [[File:Administrator_Shield.png]] Right click on the connection and click Properties.
* There will be a new connection created here with the name you gave it earlier (Thinkserver). [[File:Administrator_Shield.png]] Right click on the connection and click 'Properties'.
* Click on the Security tab.
* Click on the "Security" tab.
* Under the "Type of VPN" drop-down menu, change the type to IKEv2. The options under "Authentication" should change. Click and select the Use machine certificates radio button. Then click OK.
* Under the "Type of VPN" drop-down menu, change the type to IKEv2. The options under "Authentication" should change. Click and select the Use machine certificates radio button. Then click OK.


Line 257: Line 285:
== Configuring strong encryption/ECDSA for the VPN connection ==
== Configuring strong encryption/ECDSA for the VPN connection ==


Windows PowerShell is used to change the encryption settings for the VPN connection.
Windows PowerShell is used to change the encryption settings for the VPN connection. This only works on Windows 10 machines as these support the newer ciphers whereas Windows <10 does not support them so well.


* In the Start menu, type "powershell". [[File:Administrator_Shield.png]] Click "Windows PowerShell" when it appears. It may take a few moments for the prompt to be appear and become ready to use.
* In the Start menu, type "powershell". [[File:Administrator_Shield.png]] Click "Windows PowerShell" when it appears. It may take a few moments for the prompt to be appear and become ready to use.
Line 265: Line 293:
* Press the {{key press|Enter}} key.
* Press the {{key press|Enter}} key.
* Type Y to confirm the settings and press the {{key press|Enter}} key.
* Type Y to confirm the settings and press the {{key press|Enter}} key.
* The following will be returned by PowerShell:
AuthenticationTransformConstants : GCMAES256
CipherTransformConstants        : GCMAES256
DHGroup                          : ECP384
IntegrityCheckMethod            : SHA384
PfsGroup                        : None
EncryptionMethod                : GCMAES256
* The connection should now be ready to use!
* The connection should now be ready to use!
Note: <code>GCMAES256</code> is used under <code>AuthenicationTransformConstants</code>, <code>CipherTransformsConstants</code> and <code>EncryptionMethod</code>, even though strongSwan only supports ESP over IKEv2. This is due to an oddity within Windows where if only <code>CipherTransformsConstants</code> and <code>EncryptionMethod</code> are configured, Windows either sends the wrong encryption proposal (AES256 without GCM) or refuses to connect with a policy mismatch. Once all three fields are defined, the connection works correctly.
== Forwarding all traffic through the VPN (Full Tunnel)==
By default, at least in Windows 10 1809, only traffic for your local network behind the VPN server will be forwarded over the VPN connection. Connections to the internet will be forwarded over your local internet connection. This is known as "split-tunnelling". If you are creating this connection for ultimate security and want all your traffic to be forwarded over the tunnel, we need to configure a "full-tunnel".
* Open the Control Panel
* Click "Network and Sharing Centre"
* Click "Change adapter settings" down the left pane.
* Find the VPN connection (Thinkserver). Right-click it and click "Properties"
* Click the "Networking" tab
* Under the "This connection uses the following items:" header, click on "Internet Protocol Version 4 (TCP/IPv4)" line (not the check box)
* Towards the bottom of the new window, click the "Advanced" button
* Tick the "Use default gateway on remote network" checkbox. Click OK on all the settings windows.
This changes the tunnel from a split-tunnel to a full-tunnel. All traffic will be forwarded over the tunnel now.


= Miscellaneous Settings =
= Miscellaneous Settings =


There is a Windows registry key that may need to be enabled to allow the use of stronger encryption settings. It is not clear at this stage if these settings are required, but the instructions are left here in case they are needed.
'''NOTE: This doesn't seem to have any effect on Windows 10 if your are manually configuring the connection with PowerShell.'''
 
There is a Windows registry key that may need to be enabled to allow the use of stronger encryption settings. It is not clear at this stage if these settings are required, but the instructions are left here in case they are needed. These settings are, however, needed for Windows 7 clients which falls back to weak encryption if this is not configured and is probably needed since StrongSwan doesn't support the weak ciphers proposed by Windows 7 any more.


* Press {{key press|Win}}+{{key press|R}} to open the Run box.
* Press {{key press|Win|R}} to open the Run box.
* [[File:Administrator_Shield.png]] Type <code>regedit</code> and click OK.
* [[File:Administrator_Shield.png]] Type <code>regedit</code> and click OK.
* Navigate to the following registry path:
* Navigate to the following registry path:
Retrieved from "https://thinkserver.freddythechick.net/wiki/StrongSwan"