StrongSwan: Difference between revisions

From ThinkServer
Major rework for new VICI framework underway. Finished to 'Configuring strongSwan'
Line 58: Line 58:
# Make sure you are in the correct directory above.
# Make sure you are in the correct directory above.
# Generate a private key for the CA:
# Generate a private key for the CA:
#:<pre>pki --gen --type ecdsa --size 384 --outform pem > private/caKey.pem</pre>
#:<pre>pki --gen --type ecdsa --size 384 --outform pem > caKey.pem</pre>
# Change the permissions of the private key, so that only root can access it:
# Change the permissions of the private key, so that only root can access it:
#:<pre>chmod 600 private/caKey.pem</pre>
#:<pre>chmod 600 private/caKey.pem</pre>
# Now we have the private key, generate the CA certificate:
# Now we have the private key, generate the CA certificate:
#:<pre>pki --self --ca --lifetime 3650 --in private/caKey.pem --dn "C=GB, O=strongSwan, CN=strongSwan CA" --outform pem > cacerts/caCert.pem</pre>
#:<pre>pki --self --ca --lifetime 3650 --in caKey.pem --dn "C=GB, O=strongSwan, CN=strongSwan CA" --outform pem > caCert.pem</pre>


You now have a self-signed CA certificate, ready to sign any certificates to be used by the VPN server.
You now have a self-signed CA certificate, ready to sign any certificates to be used by the VPN server.

Revision as of 22:27, 8 April 2019

strongSwan is a VPN server that allows a connection over an insecure network, such as the internet, to access a secure private network. The connection is encrypted and authenticated for confidentiality and to prevent tampering of the data. It allows the following:

  • Secure internet browsing, for example, over an insecure, open Wi-Fi connection.
  • Allows full access to your internal network securely over an insecure network.

We will be setting up the connection to allow a connection from this server to a Windows 10 1809 (October 2018 Update) client. Windows 10 1809 supports the Internet Key Exchange v2 (IKEv2), which is a modern VPN protocol and has some provisions for working over the internet, such as MOBIKE. This helps in situations where the internet connection maybe unreliable and has to reconnect. Windows 10 1809 supports the use of the following modern ciphers:

  • Certificate authentication.
  • ECDSA certificates (256 and 384-bit keys).
  • ESP supports AES-GCM 128 & 256-bit for both encryption and authentication.

We will be configuring our connection to use ECDSA 384-bit certificates and AES256-GCM encryption/authentication, currently the strongest supported settings (at least on Windows).

Note that Windows initially uses VERY weak encryption (3DES) and authentication schemes by default (from the Windows 2000 days) so it is very important to set up the connection correctly and not use the default Windows settings. strongSwan => 5.6.1 has deprecated the default Windows scheme by disabling 3DES and MODP-1024 as these are insecure. As such, Windows will not just work "out of the box" anymore and requires configuration to use stronger ciphers.

strongSwan 5.6.3 in openSUSE Tumbleweed (8th April 2019) was used as the basis for this guide.

We will be using the modern strongSwan VICI backend, not the old stroke backend as strongSwan is starting to phase this method out.

Commands under Windows with the icon may need administrator credentials to complete them.

Packages needed

Make sure the following packages are installed:

  • strongswan
  • openssl

These packages are usually installed by default in an normal setup. If installing, allow any dependencies the packages asks for.

IKEv2 requires port 500 and 4500 to be port forwarded/opened in the firewall/router.

Remove the following packages:

  • firewalld

As this is a system package, restart the computer afterwards. We will be using iptables to manipulate the network traffic, not firewalld as we don't run a firewall at the server level, it is run futher up. It can be configured through the SuSEFirewall2 but we do not use this so additional research is required. The package may need to be marked as Taboo in Tumbleweed so that it doesn't try to reinstall it later.

Important note

openSUSE has not implemented all of the modern VICI backend yet. As such, to run the service, strongswan can be enabled at startup. However, the swanctl --load-all needs to be loaded manually on each reboot. This notice will be removed the the strongswan-swanctl and charon-systemd packages are added.

Creating the certificates

Certificates, especially when created correctly, are the strongest possible way to authenticate. IKEv2 does allow the use of a Username/Pre-shared Key (PSK) but this is a very weak method and is easily brute-forced.

We will be creating modern, elliptic curve certificates. These use very short keys (384-bits) compared to RSA keys (4096-bits) but provide the same or better security.

Initial setup

  1. As most of this work will require root privileges, open a Terminal and elevate to root by typing su. Type the root user password.
  2. Move to the correct path. If strongSwan is installed correctly, you should be able to type cd /etc/swanctl. This is strongSwan's PKI directory.

Creating a self-signed certificate authority (CA)

To sign out certificates we will be creating, we first need to create a CA certificate.

  1. Make sure you are in the correct directory above.
  2. Generate a private key for the CA:
    pki --gen --type ecdsa --size 384 --outform pem > caKey.pem
  3. Change the permissions of the private key, so that only root can access it:
    chmod 600 private/caKey.pem
  4. Now we have the private key, generate the CA certificate:
    pki --self --ca --lifetime 3650 --in caKey.pem --dn "C=GB, O=strongSwan, CN=strongSwan CA" --outform pem > caCert.pem

You now have a self-signed CA certificate, ready to sign any certificates to be used by the VPN server.

IMPORTANT: The private key, created in the private folder must NEVER be disclosed. If anybody were to obtain access to this key, they would be able to create any certificate they like, impersonate you and connect to the server. As this is the CA certificate, a compromise would require a whole new CA key, certificate and any certificates signed by the old, compromised CA. KEEP THIS SAFE. It would be advisable to keep this on a memory stick once done until it would be needed in the future to sign more certificates.

Creating a certificate for the server

  1. Make sure you are still in the correct directory.
  2. Generate a private key for the certificate:
    pki --gen --type ecdsa --size 384 --outform pem > private/serverKey.pem
  3. Change the permissions of the private key, so that only root can access it:
    chmod 600 private/serverKey.pem
  4. Now we have the private key, generate the server certificate:
    pki --issue --in serverKey.pem --type priv --cacert caCert.der --cakey caKey.der --dn "C=GB, O=strongSwan, CN=thinkserver.freddythechick.net" --san "thinkserver.freddythechick.net" --flag serverAuth --flag ikeIntermediate --lifetime 1825 --outform pem > serverVCert.pem

The certificate created will be used to authenticate the VPN server. Only one needs creating.

IMPORTANT NOTES

When customising to fit your server, certain parts of the server certificate generation must be done correctly for Windows to allow the certificate to be used. If not done correctly, Windows will refuse to connect. It is advisable to make sure these are correct in the first place to avoid errors further down the line and painstaking troubleshooting.

  • The Common Name (CN) part of the Distinguishable Name (DN) MUST be the DNS resolvable name you will be using to connect to the VPN server from Windows.
  • The SAN MUST also be the DNS resolvable name you will be using to connect to the VPN server from Windows. It MUST also match the CN from the DN.
  • It MUST contain the serverAuth flag. The ikeIntermediate is included for compatibility with MacOS and doesn't affect a Windows installation so is safe to add.

Creating a certificate for clients

Each client that needs to connect to the server requires a certificate to be generated for it.

  1. Make sure you are still in the correct directory.
  2. Generate a private key for the certificate:
    ipsec pki --gen --type ecdsa --size 384 --outform pem > private/client1Key.pem
  3. Change the permissions of the private key, so that only root can access it:
    chmod 600 private/client1key.pem
  4. Now we have the private key, generate the server certificate:
    pki --issue --in client1Key.der --type priv --cacert caCert.der --cakey caKey.der --dn "C=GB, O=strongSwan, CN=client1.freddythechick.net" --san "client1.freddythechick.net" --lifetime 1825 --outform pem> client1Cert.pem

The CN in the DN this time can be anything for the Windows client. No flags are required.

Packaging the required certificates and keys for Windows

All the keys and certificates required for the connection can be packaged into a convenient PKCS#12 package, to allow for easy installation on Windows.

  1. Make sure you are still in the correct directory.
  2. Use OpenSSL to create the PKCS#12 package:
    openssl pkcs12  -in client1Cert.pem -inkey client1Key.pem -certfile caCert.pem -export -out client1.p12
  3. Type a password you will remember when asked. This will protect the private key while it is in transit.
  4. Retype the password you just typed.

The .p12 file can then be copied to the Windows machine that it is to be installed on.

Configuring strongSwan

Configuration is carried out in /etc/ipsec.conf and /etc/ipsec.secrets. These basic code snippets will be enough to get the VPN tunnel working, but can be tweaked and configured to your requirements.

/etc/ipsec.conf

conn windows
     leftcert=servercert.pem
     leftsubnet=0.0.0.0/0
     esp=aes256gcm16!
     rightsourceip=10.126.127.0/24
     keyechange=ikev2
     auto=add
  • In this instance, left is the server and right are the hosts.
  • leftsubnet=0.0.0.0/0 forwards everything over the tunnel. If you want to narrow this to only your network and not everything (including the internet), this can be narrowed. For example, leftsubnet=192.168.0.0/24.

/etc/ipsec.secrets

This file points to the private key of the server.

%any : ECDSA serverkey.pem

Configuring Windows

This part is arguably the more trickier part of the procedure. The Windows "Agile VPN" client has particular ways it must be configured or the VPN connection will fail. Error messages emitted when the connection fails are generally unhelpful and need manual troubleshooting to find the problem. If followed correctly, these procedures will allow you to connect successfully first time.

Installing the certificates

Before we can install the certificate, the .p12 file we generated earlier must be copied locally to the computer it will be installed on. They don't seem to install properly when you try installing from a network share.

Remember that each client must have its own certificate generated. Certificates should not be reused for other machines.

  • Double-click on the .p12 certificate file.
  • On the first "Welcome to the Certificate Import Wizard" page, change the "Store Location" from Current User to Local Machine.
  • Click Next.
  • The file name provided should be OK. Click Next.
  • In the password box, type the password you provided to generate the file earlier. Make sure the "Include all extended properties." check box is ticked.
  • If you would like to be able to backup the certificate later, you may want to check the "Mark this key as exportable. This will allow you to back up or transport your keys at a later time." check box. Bearing in mind, if you have the certificates and keys on the server, these can be exported at a later time if needed. If this text box is not ticked, your private key is kept secure if, for example, your computer was stolen.
  • Click Next.
  • The radio box should be in "Automatically select the certificate store based on the type of certificate" box. This is OK.
  • Click Next.
  • On the "Completing the Certificate Import Wizard" page, click Finish. You should get a prompt saying the import was successful. This will complete the import.

For the certificates to be found by the VPN client, they must be installed in the Computer store, not the User store. Hence, make sure the "Store Location" is changed from Current User to Local Machine.

Making the VPN profile

Windows 10 has two ways of making a new VPN profile, via the Control Panel or via the Settings App. We will be using the Control Panel method as this allows more control of the profile.

  • Open the Control Panel. Change to the Large Icon view if needed.
  • Click Network and Sharing Centre.
  • Under your active networks section, in the "Change your network settings" section, click "Set up a new connection or network".
  • Under "Choose a connection option", click "Connect to a workplace". Then click Next.
  • Under "How do you want to connect?", click "Use my Internet connection (VPN)".
  • In the Internet address box, type your DNS name to your VPN server.
  • In the Destination name box, give your profile a name of your choosing.
  • Make sure the "Allow other people to use this connection" tick box is checked.
  • Click Create. Your new profile will then be created.

You MUST use the same DNS name as you specified earlier on the certificate under CN in the DN and the SAN.

You MUST click the "Allow other people to use this connection" tick box so that it becomes a system wide connection and it can use the Machine Certificates.

We must now set the connection to use IKEv2.

  • In the previous Network and Sharing Centre window, click Change adapter settings, down the left hand side.
  • There will be a new connection created here with the name you gave it earlier. Right click on the connection and click Properties.
  • Click on the Security tab.
  • Under the "Type of VPN" drop-down menu, change the type to IKEv2. The options under "Authentication" should change. Click and select the Use machine certificates radio button. Then click OK.

The connection is now ready.

Configuring strong encryption/ECDSA for the VPN connection

Windows PowerShell is used to change the encryption settings for the VPN connection.

  • In the Start menu, type "powershell". Click "Windows PowerShell" when it appears. It may take a few moments for the prompt to be appear and become ready to use.
  • The following code snippet needs to be typed in to change the encryption settings for the VPN settings
Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN Connection" -AuthenticationTransformConstant

s GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA384 -DHGroup ECP384

-PfsGroup none -PassThru -AllUserConnection
  • Press the ↵ Enter key.
  • Type Y to confirm the settings and press the ↵ Enter key.
  • The following will be returned by PowerShell:
AuthenticationTransformConstants : GCMAES256
CipherTransformConstants         : GCMAES256
DHGroup                          : ECP384
IntegrityCheckMethod             : SHA384
PfsGroup                         : None
EncryptionMethod                 : GCMAES256
  • The connection should now be ready to use!

Miscellaneous Settings

There is a Windows registry key that may need to be enabled to allow the use of stronger encryption settings. It is not clear at this stage if these settings are required, but the instructions are left here in case they are needed.

  • Press ⊞ Win+R to open the Run box.
  • Type regedit and click OK.
  • Navigate to the following registry path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\
  • Right-click in the right pane, hover over New and click DWORD (32-bit) Value.
  • Give the new key the name NegotiateDH2048_AES256.
  • Double-click the key to open the key. In the value box, change the 0 to a 2. Click OK.
  • Close the Registry Editor
  • Restart the machine.