IPSec VPN Tutorial Part1
1. Layer 3 IPSEC-VPN Manual
1. Introduction
IPSec is a network protocol suite used to create a secure network connection known as a
VPN (Virtual Private Network). IPSEC-VPN uses a family of protocols that
provide authentication, key exchange, and encryption. The authentication protocol
supports several credential types: PSK (Pre-Shared Key), X.509
certificates, encrypted tokens, and smart cards.
The key exchange protocol is IKE (Internet Key Exchange), which exists in
two published versions, IKEv1 and IKEv2. Many software packages implement
IPSec, for example Strongswan and Openswan. This tutorial uses Strongswan,
applies three methods of authentication with IKEv2, and uses the XCA software
for creating certificates and keys.
2. Requirements
2.1. Software
a) Strongswan
b) XCA
2.2. Hardware
a) Feitian ePass 2003 Token
2.3. Setup Strongswan on Ubuntu 12.04
#apt-get update
#apt-get install curl
#apt-get build-dep strongswan
Get the latest version of Strongswan from http://www.strongswan.org/download.html
Uncompress it using
#tar -xvzf strongswan-5.x.x.tar.gz   or
#tar -xvjf strongswan-5.x.x.tar.bz2
then build and install it from inside the extracted directory:
#cd strongswan-5.x.x
#./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-pkcs11 --enable-openssl --enable-gcrypt
#make
#make install
4. Configure Strongswan
All the configuration lives in three files under /etc/: ipsec.conf, ipsec.secrets and strongswan.conf.
ipsec.secrets is not created by the installation, so create it:
#touch /etc/ipsec.secrets
There are 3 scenarios:
1- PSK (Pre-shared Key)
2- Using Certificates
3- Using Tokens
In all scenarios:
left node, user1, node1, IP = 192.168.0.1
right node, user2, node2, IP = 192.168.0.2
Read the CA Tutorial first before configuring the Certificates and Tokens scenarios.
4.1. PSK Pre-shared Key
ipsec.conf should look like this (the lines inside a section must be indented; lines starting with # are comments):

config setup
        # IKE debug level 4 is verbose; lower it once the tunnel works
        charondebug="ike 4"
        strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

# host-host is the connection name
conn host-host
        # this PC's IP address
        left=192.168.0.1
        leftsubnet=192.168.0.0/24
        # local ID; must match the selector in front of ": PSK" in ipsec.secrets
        leftid=192.168.0.1
        leftfirewall=yes
        # other PC's IP address
        right=192.168.0.2
        rightsubnet=192.168.0.0/24
        rightid=192.168.0.2
        authby=psk
        auto=add

ipsec.secrets should look like this:
<left node ip> : PSK "<key as plain text>"
Ex: 192.168.0.1 : PSK "12345"
strongswan.conf won't change.
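The PSK scenario keeps the key in clear text in ipsec.secrets, and the example key "12345" is trivially guessable. The POSIX shell script below is an added example and is not part of the tutorial: it generates a random 32-byte key, and audits an ipsec.conf/ipsec.secrets pair for three mistakes that are common with this setup (a short or all-digit PSK, a secrets file readable by other users, and a leftid that does not appear among the selectors in front of ": PSK", which leaves charon unable to find the key). The function names, the temporary file names and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate a strong PSK and audit a
# strongSwan PSK deployment before running "ipsec up".

# Random 32-byte key, printed as 64 hex characters.
generate_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Print the quoted key from the first 'selectors : PSK "..."' line of a secrets file.
psk_value() {
    sed -n 's/^[^:]*:[[:space:]]*PSK[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# 0 if the key is at least 20 characters long and not purely numeric.
psk_strong() {
    key=$(psk_value "$1")
    [ "${#key}" -ge 20 ] || return 1
    case "$key" in
        *[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the secrets file is readable by its owner only (mode 600 or 400).
secrets_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the leftid configured in ipsec.conf is one of the selectors on the PSK line.
psk_selector_matches() {
    leftid=$(sed -n 's/^[[:space:]]*leftid[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1)
    selectors=$(sed -n 's/^[[:space:]]*\([^:]*[^:[:space:]]\)[[:space:]]*:[[:space:]]*PSK.*/\1/p' "$2" | head -n 1)
    [ -n "$leftid" ] || return 1
    for id in $selectors; do
        [ "$id" = "$leftid" ] && return 0
    done
    return 1
}

# Run all checks on (ipsec.conf, ipsec.secrets); returns 0 only if every check passes.
audit() {
    rc=0
    if psk_strong "$2"; then echo "PSK strength:    ok"; else echo "PSK strength:    WEAK"; rc=1; fi
    if secrets_perms_ok "$2"; then echo "secrets mode:    ok"; else echo "secrets mode:    too open"; rc=1; fi
    if psk_selector_matches "$1" "$2"; then echo "leftid selector: ok"; else echo "leftid selector: MISMATCH"; rc=1; fi
    return $rc
}

# --- constructed sample files (not from the tutorial) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ipsec.conf" <<'EOF'
conn host-host
        left=192.168.0.1
        leftid=192.168.0.1
        right=192.168.0.2
        rightid=192.168.0.2
        authby=psk
EOF
# Tutorial-style entry: short numeric key, file left world-readable.
printf '192.168.0.1 192.168.0.2 : PSK "12345"\n' > "$tmp/weak.secrets"
chmod 644 "$tmp/weak.secrets"
# Hardened entry: random key, owner-only permissions.
printf '192.168.0.1 192.168.0.2 : PSK "%s"\n' "$(generate_psk)" > "$tmp/strong.secrets"
chmod 600 "$tmp/strong.secrets"

echo "== weak.secrets ==";   audit "$tmp/ipsec.conf" "$tmp/weak.secrets" || true
echo "== strong.secrets =="; audit "$tmp/ipsec.conf" "$tmp/strong.secrets"
```

To use it on a real node, run `audit /etc/ipsec.conf /etc/ipsec.secrets` as root; both peers need the same key, so generate it once with `generate_psk` and copy it to the second node over an already trusted channel.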
4.2. Using Certificates
Put the Root CA certificate in /etc/ipsec.d/cacerts,
the user certificate in /etc/ipsec.d/certs,
and the user private key in /etc/ipsec.d/private.
ipsec.conf should look like this (the lines inside a section must be indented; lines starting with # are comments):

config setup
        # IKE debug level 4 is verbose; lower it once the tunnel works
        charondebug="ike 4"
        strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

# host-host is the connection name
conn host-host
        # this PC's IP address
        left=192.168.0.1
        # local ID: the subject DN of this PC's certificate
        leftid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user1, E=user1@iwf.com"
        # user certificate file, looked up in /etc/ipsec.d/certs
        leftcert=user1Cert.der
        leftfirewall=yes
        # other PC's IP address
        right=192.168.0.2
        # remote ID: the subject DN of the other PC's certificate
        rightid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user2, E=user2@iwf.com"
        auto=add

ipsec.secrets should look like this (the private key file is looked up in /etc/ipsec.d/private):
<left-node-CN> <right-node-CN> : <key algorithm> <user private key file>.der
Ex: user1 user2 : RSA user1Key.der
strongswan.conf won't change.
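With certificates, the most frequent failure is a leftid or rightid that is not the subject DN of the certificate it refers to; charon then reports that it found no private key or no trusted certificate for the ID. The POSIX shell script below is an added example and not part of the tutorial: cert_subject reads the subject of a DER certificate with openssl, dn_normalize rewrites both openssl output formats and the ipsec.conf spelling into one form (spaces around "=" removed, emailAddress written as E, the attribute name strongSwan uses), and id_matches_subject compares the two. The DN strings at the bottom are constructed sample values, and the function names are assumptions for the example; strongSwan compares DNs attribute by attribute, so this string check is a quick sanity test rather than a reproduction of its matching rules.

```shell
#!/bin/sh
# Added example (not from the tutorial): check that an ipsec.conf leftid/rightid
# is the same DN as the subject of the certificate it refers to.

# Subject of a certificate file as printed by openssl. Input format defaults to
# DER, like the tutorial's user1Cert.der; pass PEM as the second argument otherwise.
cert_subject() {
    openssl x509 -in "$1" -inform "${2:-DER}" -noout -subject
}

# Rewrite a DN into the ipsec.conf spelling: strip the "subject=" prefix, turn the
# old "/C=eg/ST=Cairo" form into "C=eg, ST=Cairo", drop spaces around "=", rename
# emailAddress to E, and remove surrounding double quotes.
dn_normalize() {
    printf '%s\n' "$1" | sed \
        -e 's/^subject= *//' \
        -e 's#^/##' \
        -e 's#/\([A-Za-z]*=\)#, \1#g' \
        -e 's/ *= */=/g' \
        -e 's/ *, */, /g' \
        -e 's/emailAddress=/E=/g' \
        -e 's/^"//' -e 's/"$//'
}

# 0 when the configured ID and the certificate subject normalise to the same string.
id_matches_subject() {
    [ "$(dn_normalize "$1")" = "$(dn_normalize "$2")" ]
}

# --- constructed sample values (not from the tutorial) ---
CONF_ID='"C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user1, E=user1@iwf.com"'
# openssl 1.1 and later print the subject like this:
SUBJ_NEW='subject=C = eg, ST = Cairo, L = Cairo, O = IWF, OU = IWF_OU, CN = user1, emailAddress = user1@iwf.com'
# openssl 1.0 (the Ubuntu 12.04 era) prints it like this:
SUBJ_OLD='subject= /C=eg/ST=Cairo/L=Cairo/O=IWF/OU=IWF_OU/CN=user1/emailAddress=user1@iwf.com'
# a certificate issued to user2 must not match the user1 ID:
SUBJ_OTHER='subject=C = eg, ST = Cairo, L = Cairo, O = IWF, OU = IWF_OU, CN = user2, emailAddress = user2@iwf.com'

for s in "$SUBJ_NEW" "$SUBJ_OLD" "$SUBJ_OTHER"; do
    if id_matches_subject "$CONF_ID" "$s"; then
        echo "match:    $(dn_normalize "$s")"
    else
        echo "MISMATCH: $(dn_normalize "$s")"
    fi
done
```

On a real node the subject comes from the file itself, for example `id_matches_subject "$LEFTID" "$(cert_subject /etc/ipsec.d/certs/user1Cert.der)"`, with LEFTID pasted from ipsec.conf.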
4.3. Using Tokens
ipsec.conf should look like this (the lines inside a section must be indented; lines starting with # are comments):

config setup
        strictcrlpolicy=no
        # IKE debug level 4 is verbose; lower it once the tunnel works
        charondebug="ike 4"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

# host-host is the connection name
conn host-host
        # this PC's IP address
        left=192.168.0.1
        # local ID: the subject DN of the certificate stored on the token
        leftid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user1, E=user1@iwf.com"
        # the certificate is read from the token through the pkcs11 plugin
        leftcert=%smartcard:00
        leftfirewall=yes
        # other PC's IP address
        right=192.168.0.2
        rightid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user2, E=user2@iwf.mil"
        auto=add

ipsec.secrets should look like this:
: PIN %smartcard:<ID of the user key on the token, from the command pkcs15-tool -k> "<token PIN>"
Ex: : PIN %smartcard:ddc2b4e4d299a72972fbff880847b21e94860310 "12345678"
strongswan.conf: add the plugins { pkcs11 { ... } } lines inside the existing libstrongswan { } block, so that charon loads the OpenSC PKCS#11 module that talks to the token:

libstrongswan {
        # set to no, the DH exponent size is optimized
        # dh_exponent_ansi_x9_42 = no
        plugins {
                pkcs11 {
                        modules {
                                my-xy-module {
                                        path = /usr/lib/opensc-pkcs11.so
                                }
                        }
                }
        }
}
5. Test Connection
Start the VPN service:
#ipsec start
Bring the connection up with ipsec up <connection name>; for the connection defined above:
#ipsec up host-host
Show the status of the connection with:
#ipsec statusall
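The output of ipsec statusall is long, and on a gateway with several connections the lines that matter are easy to miss. As an added example that is not part of the tutorial, the POSIX shell functions below read a saved ipsec statusall capture and answer three questions for one connection name: is the IKE_SA ESTABLISHED, is the CHILD_SA INSTALLED, and does the negotiated IKE proposal use any algorithm the script lists as weak. The weak-algorithm list and the function names are assumptions for the example, and the status text at the bottom is constructed to resemble charon's output rather than a real capture.

```shell
#!/bin/sh
# Added example (not from the tutorial): check a saved "ipsec statusall" capture for
# one connection. On a live host:  ipsec statusall > /tmp/status.txt
#                                   check_connection host-host /tmp/status.txt

# 0 if an IKE_SA for the connection is ESTABLISHED. IKE_SA lines look like
# "host-host[1]: ESTABLISHED 12 seconds ago, ...".
ike_established() {
    grep -q "^[[:space:]]*$1\[[0-9]*\]: ESTABLISHED" "$2"
}

# 0 if a CHILD_SA for the connection is INSTALLED. CHILD_SA lines use braces:
# "host-host{1}:  INSTALLED, TUNNEL, ...".
child_installed() {
    grep -q "^[[:space:]]*$1{[0-9]*}:[[:space:]]*INSTALLED" "$2"
}

# Print the negotiated IKE proposal, e.g. AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
ike_proposal() {
    sed -n "s/^[[:space:]]*$1\[[0-9]*\]: IKE proposal: \([^[:space:]]*\).*/\1/p" "$2" | head -n 1
}

# 0 if the proposal contains none of the algorithms this example treats as weak
# (assumed list: single DES, 3DES, MD5 and the 768/1024-bit MODP groups).
proposal_strong() {
    case "$1" in
        *DES_CBC*|*3DES*|*MD5*|*MODP_768*|*MODP_1024*) return 1 ;;
        *) return 0 ;;
    esac
}

# Combined check: one verdict line per item; returns 0 only if all three pass.
check_connection() {
    rc=0
    if ike_established "$1" "$2"; then echo "IKE_SA:   established"; else echo "IKE_SA:   NOT established"; rc=1; fi
    if child_installed "$1" "$2"; then echo "CHILD_SA: installed"; else echo "CHILD_SA: NOT installed"; rc=1; fi
    prop=$(ike_proposal "$1" "$2")
    if [ -n "$prop" ] && proposal_strong "$prop"; then echo "proposal: $prop"; else echo "proposal: WEAK or missing ($prop)"; rc=1; fi
    return $rc
}

# --- constructed sample capture (shaped like charon output, not a real capture) ---
STATUS=$(mktemp)
trap 'rm -f "$STATUS"' EXIT
cat > "$STATUS" <<'EOF'
Security Associations (2 up, 0 connecting):
   host-host[1]: ESTABLISHED 12 seconds ago, 192.168.0.1[192.168.0.1]...192.168.0.2[192.168.0.2]
   host-host[1]: IKEv2 SPIs: 1111111111111111_i* 2222222222222222_r, pre-shared key reauthentication in 50 minutes
   host-host[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
   host-host{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
   host-host{1}:   192.168.0.0/24 === 192.168.0.0/24
   legacy[2]: ESTABLISHED 3 minutes ago, 192.168.0.1[192.168.0.1]...192.168.0.9[192.168.0.9]
   legacy[2]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
EOF

echo "== host-host =="; check_connection host-host "$STATUS"
echo "== legacy ==";    check_connection legacy "$STATUS" || true
```

The second connection in the sample has an IKE_SA but no CHILD_SA and a weak proposal, which is exactly the state a plain "ipsec up succeeded" message would hide.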
Finish
Good Luck
Abdallah Abuouf
http://abuouf.me