StrongSwan: Difference between revisions

m Initial setup: Changed directories for VICI, added working folder
Major rework for new VICI framework underway. Finished to 'Configuring Windows'
Line 123: Line 123:
= Configuring strongSwan =
= Configuring strongSwan =


Configuration is carried out in <code>/etc/ipsec.conf</code> and <code>/etc/ipsec.secrets</code>. These basic code snippets will be enough to get the VPN tunnel working, but can be tweaked and configured to your requirements.
Configuration is carried out in <code>/etc/swanctl/swanctl.conf</code>. These basic code snippets will be enough to get the VPN tunnel working, but can be tweaked and configured to your requirements.


== <code>/etc/ipsec.conf</code> ==
== Copying the certificates to the correct places ==


conn windows
As the certificates are now generated, the certificates need to be copied to the correct places for strongSwan to find them. If they are moved to the correct places, strongSwan will search the folders and load everything it finds in the folders, needing no further configuration to find them. I would copy them as oppose to moving them, as you will have a backup copy where you stored them, should you need to start fresh. Don't forget the last <code>/</code> when copying or it will copy it to this name rather than the folder.
      leftcert=servercert.pem
      leftsubnet=0.0.0.0/0
      esp=aes256gcm16!
      rightsourceip=10.126.127.0/24
      keyechange=ikev2
      auto=add


* In this instance, left is the server and right are the hosts.
* Copy <code>serverCert.pem</code> to <code>/etc/swanctl/x509/</code>:
* <code>leftsubnet=0.0.0.0/0</code> forwards everything over the tunnel. If you want to narrow this to only your network and not everything (including the internet), this can be narrowed. For example, <code>leftsubnet=192.168.0.0/24</code>.
cp serverCert.pem /etc/swanctl/x509/
* Copy <code>serverKey.pem</code> to <code>/etc/swanctl/ecdsa/</code>:
cp serverKey.pem /etc/swanctl/ecdsa/
* Copy <code>caCert.pem</code> to <code>/etc/swanctl/x509ca/</code>:
cp caCert.pem /etc/swanctl/x509ca/


== <code>/etc/ipsec.secrets</code> ==
That is all that needs to be copied to make the server function. '''DO NOT copy the CA key or any client certificates or keys! The CA key must be kept secure and away from the server and is only needed when signing new client certificates. Client certificates and keys are only needed on the clients that will be connecting to this server and are not known by the server initially.'''


This file points to the private key of the server.
== <code>/etc/swanctl/swanctl.conf</code> ==


  %any : ECDSA serverkey.pem
  connections {
  windows {
      local_addrs  = 192.168.1.9
      #local_addrs = %any
      pools = primary-ipv4
      #encap = yes
      local {
        auth = pubkey
        id = thinkserver.freddythechick.net
      }
      remote {
        auth = pubkey
      }
      children {
        net {
            local_ts  = dynamic
            updown = /usr/lib/ipsec/_updown iptables
            esp_proposals = aes256gcm16-ecp384
        }
      }
      version = 2
      proposals = aes256gcm16-sha384-ecp384
  }
}
pools {
    primary-ipv4 {
        addrs = 10.1.0.0/16
        }
}
 
== Loading the new settings ==
 
Once strongSwan is configured, the settings need loading into the VICI backend. This is done by typing:
 
swanctl --load-all
 
You should get an output similar to the following:
 
loaded certificate from '/etc/swanctl/x509/serverCert.der'
loaded certificate from '/etc/swanctl/x509ca/caCert.der'
opening directory '/etc/swanctl/x509ocsp' failed: No such file or directory
opening directory '/etc/swanctl/x509aa' failed: No such file or directory
opening directory '/etc/swanctl/x509ac' failed: No such file or directory
opening directory '/etc/swanctl/x509crl' failed: No such file or directory
opening directory '/etc/swanctl/pubkey' failed: No such file or directory
opening directory '/etc/swanctl/private' failed: No such file or directory
opening directory '/etc/swanctl/rsa' failed: No such file or directory
loaded ecdsa key from '/etc/swanctl/ecdsa/serverKey.der'
opening directory '/etc/swanctl/bliss' failed: No such file or directory
opening directory '/etc/swanctl/pkcs8' failed: No such file or directory
opening directory '/etc/swanctl/pkcs12' failed: No such file or directory
no authorities found, 0 unloaded
loaded pool 'primary-ipv4'
successfully loaded 1 pools, 0 unloaded
loaded connection 'windows'
successfully loaded 1 connections, 0 unloaded
 
Ignore any failed directories. We do not use these in this configuration. You will be checking the files in the <code>x509</code>, <code>x509ca</code> and <code>ecdsa</code> files have loaded correctly, as they have above. You should also have 1 pool and 1 connection at this point.


= Configuring Windows =
= Configuring Windows =
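Review bot: the new `children { net { local_ts = dynamic ... } }` block drops the behaviour the removed `leftsubnet=0.0.0.0/0` line and its explanatory bullet provided. With `local_ts = dynamic` the gateway only offers its own address as the local traffic selector, so clients will not get "everything forwarded over the tunnel" as the old text promised; if that is still the intent, use `local_ts = 0.0.0.0/0` (or the narrower `192.168.0.0/24` the old bullet suggested as an alternative) and port the bullet explaining the choice, since the new `swanctl.conf` block currently has no prose describing any of its settings (`local_addrs`, the commented `%any` and `encap = yes`, `pools`, `updown`, the proposals). Second, the copy steps place `serverCert.pem`, `serverKey.pem` and `caCert.pem`, but the sample `swanctl --load-all` output shows `serverCert.der`, `caCert.der` and `serverKey.der`; either the output was captured from a different setup or the filenames in the copy steps are wrong, and a reader comparing their output against the sample will see a mismatch. Minor: the removed `ipsec.conf` had `keyechange=ikev2` (typo for `keyexchange`), which the rewrite resolves via `version = 2`; the closing brace of `primary-ipv4` in the `pools` block is indented one level deeper than its opener; and the `id = thinkserver.freddythechick.net` line deserves a sentence noting it must match a name in the server certificate, as that is a common reason clients refuse the gateway.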