<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Arial","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1244337891;
mso-list-type:hybrid;
mso-list-template-ids:-417309902 1753641960 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:%1;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:20.25pt;
text-indent:-18.0pt;}
@list l1
{mso-list-id:1436249900;
mso-list-type:hybrid;
mso-list-template-ids:-2113786690 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hi Strongswan lovers.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I would just like to share my findings when playing around with strongswan, IKEv2, and simple certificates in 2 virtual Ubuntu 12.04 machines hosted by Win7.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>This is just a help for newbies: Read or Ignore </span><span style='font-size:10.0pt;font-family:Wingdings'>J</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Setting up strongswan 4.5.2 using certificates in “.der” format:<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Windows 7<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>---------------------------------------------------------------------------------<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>VMware 1 VMware 2 |<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>----------------------------| -------------------------------| |<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>Host Batman (Ubuntu 12.04) | ================ | Host Superman ((Ubuntu 12.04)| |<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>Public IP: 192.168.141.10 | | 192.168.141.20 | |<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>Private IP 10.0.10.10 | | 10.0.20.20 | |<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>----------------------------- -------------------------------- |<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>---------------------------------------------------------------------------------<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The two Ubuntu 12.04 hosts reside in two VMware virtual machines on top of a Win7 OS (for both hosts):<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>First a new netcard is added using VMware | Virtual Machine | Virtual Machine Settings | Add… | Network Adapter <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Here set “LAN Segment” to “LAN Segment 1” (create if not there, the same segment will be used on the other virtual machine).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Tweeking Linux when running in virtual machines<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Some tweeking with Ubuntu needs to be done afterwards, otherwise the Ubuntu will turn the network device on and off all the time (No idea why):<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo1'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Open “network settings” by clicking the network symbol in upper right corner of the screen.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo1'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In the “Wired” tab choose “Wired Connection 1”, corresponding to “eth0” and press “Edit”. <o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo1'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In the “IPv6 Settings” tab, choose method “Ignore”<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo1'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In the “IPv4 Settings” tab, choose method “Automatic (DHCP)”<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo1'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Press “Save”<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo1'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In the “Wired” tab choose “Wired Connection 2”, corresponding to “eth1” and press “Edit”. <o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo1'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>7.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In the “IPv6 Settings” tab, choose method “Ignore”<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo1'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>8.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In the “IPv4 Settings” tab, choose method “Shared to other computers”<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo1'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>9.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Press “Save”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hopefully the enable/disable problems should stop now<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Creating the public and private networks :<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Host Batman:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>On host Batman run the following cmd’s as root:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Batman> sudo ifconfig eth1 192.168.141.10 netmask 255.255.255.0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Batman> sudo ifconfig eth1 add 10.0.10.10 netmask 255.255.255.0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Batman> sudo ifconfig eth1:0 broadcast 10.0.10.255<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Host Superman:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>On host Superman run the following cmd’s as root:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Superman> sudo ifconfig eth1 192.168.141.20 netmask 255.255.255.0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Superman> sudo ifconfig eth1 add 10.0.20.20 netmask 255.255.255.0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Superman> sudo ifconfig eth1:0 broadcast 10.0.20.255<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>This will create the public and private IP-addresses on “eth1” for both hosts.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Try to use “ifconfig” to verify this.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>After a Reboot, Hibernate, or Sleep these cmd’s might need to be rerun, otherwise the network is not setup correctly.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Installing strongswan (on both hosts)<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>> sudo apt-get install strongswan<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Creating the PKI (Public Key Infrastructure<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>First a root certificate needs to be created and then certificates for each host will be generated.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Generating Root Certificate<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>First generate root key:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>ipsec pki --gen > superherosKey.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The generated the root-key can now be used for generating a root certificate:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>ipsec pki --self --in superherosKey.der --dn "C=DK, O=Superheros, CN=Earth" --ca > superherosCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>These are to be stored in a secure place. The users should have reduces access to the root key (all but root should not have access to the key)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Generating Host Batman certificate<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>On a secure machine generate a private root key/certificate pair:<o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>For Host Batman do:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Generate Host Batman private key<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>ipsec pki --gen > BatmanKey.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Now generate the Host Batman certificate by signing with root certificate and the using the private root key and the host key to encrypt:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>ipsec pki --pub --in BatmanKey.der | ipsec pki --issue --cacert superherosCert.der --cakey superherosKey.der --dn "C=DK, O=JusticeLeauge, CN=Gotham" > BatmanCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The Distingushed name (--dn): “C=DK, O=JusticeLeauge, CN=Gotham" can be used for identifying the host<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The Subject Alternative Name ‘--san “192.168.141.10”’ can added and used on the other host (host Superman) to identify this specific host (host Superman)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>You should afterwards as root copy files so you will have:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.d/cacerts/superherosCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.d/certs/BatmanCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.d/private/BatmanKey.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>You can verify your generation of certificates by issuing the following cmd:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Batman> sudo ipsec pki --verify --in /etc/ipsec.d/certs/BatmanCert.der --ca /etc/ipsec.d/cacerts/superherosCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Configuring strongswan on Host Batman<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Configuration is fairly simple. Only the ipsec.conf and ipsec.secret: files need to be configured<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.secrets file:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>#ipsec.secrets - <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>: RSA BatmanKey.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.conf<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'># ipsec.conf - strongSwan IPsec configuration file<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>config setup<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> charondebug="dmn 4, ike 4, knl 4, cfg 4, mgr 4, chd 4, net 4"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> charonstart=yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> plutostart=no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>conn IKEv2-CERT-hostBatman-hostSuperman<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> ikelifetime=180m<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> lifetime=60m<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rekeymargin=3m<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> keyingtries=1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> keyexchange=ikev2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> leftcert=BatmanCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> left=192.168.141.10<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> right=192.168.141.20<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rightid="C=DK, O=JusticeLeauge, CN=Metropolis"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> leftsubnet=10.0.10.0/24<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rightsubnet=10.0.20.0/24<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> auto=start<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>include /var/lib/strongswan/ipsec.conf.inc<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>If you want any host to be able to connect to this host, then replace the “rightid” with:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rightid=%any<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>If you added the subject alternative name (--san) you can replace the “rightid” with the following to pinpoint precisely the host that can connect to this host.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rightid=192.168.141.20<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Generating Host Superman certificate<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>On a secure machine generate a private root key/certificate pair:<o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>For Host Superman do:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Generate Host Superman private key<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>ipsec pki --gen > SupermanKey.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Now generate the Host Superman certificate by signing with root certificate and the using the private root key and the host key to encrypt:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>ipsec pki --pub --in SupermanKey.der | ipsec pki --issue --cacert superherosCert.der --cakey superherosKey.der --dn "C=DK, O=JusticeLeauge, CN=Metropolis" > supermanCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The Distingushed name (--dn): “C=DK, O=JusticeLeauge, CN=Metropolis" can be used for identifying the host<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The Subject Alternative Name ‘--san “192.168.141.20”’ can added and used on the other host (host Batman) to identify this specific host (host Superman)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>You should afterwards as root copy files so you will have:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.d/cacerts/superherosCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.d/certs/SupermanCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.d/private/SupermanKey.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>You can verify your generation of certificates by issuing the following cmd:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Superman> sudo ipsec pki --verify --in /etc/ipsec.d/certs/SupermanCert.der --ca /etc/ipsec.d/cacerts/superherosCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Configuring strongswan on Host Superman<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Configuration is fairly simple. Only the ipsec.conf and ipsec.secret: files need to be configured<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.secrets file:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>#ipsec.secrets - <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>: RSA SupermanKey.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>/etc/ipsec.conf<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'># ipsec.conf - strongSwan IPsec configuration file<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>config setup<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> charondebug="dmn 4, ike 4, knl 4, cfg 4, mgr 4, chd 4, net 4"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> charonstart=yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> plutostart=no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>conn IKEv2-CERT-hostBatman-hostSuperman<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> ikelifetime=180m<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> lifetime=60m<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rekeymargin=3m<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> keyingtries=1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> keyexchange=ikev2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> leftcert=SupermanCert.der<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> left=192.168.141.20<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> right=192.168.141.10<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rightid="C=DK, O=JusticeLeauge, CN=Gotham"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> leftsubnet=10.0.20.0/24<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rightsubnet=10.0.10.0/24<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> auto=start<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>include /var/lib/strongswan/ipsec.conf.inc<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>If you want any host to be able to connect to this host, then replace the “rightid” with:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rightid=%any<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>If you added the subject alternative name (--san) you can replace the “rightid” with the following to pinpoint precisely the host that can connect to this host.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> rightid=192.168.141.10<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Testing your configuration<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>You can now restart the strongswan IKEv2 daemon (charon) on both machines by typing (on both)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>> sudo ipsec restart<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Inspecting the status of the current set of SA’s (on both) (SA = Security Association): <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>> sudo ipsec statusall<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The log can be found in /var/log/syslog if not configured else in the /etc/strongswan.conf<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Testing the SA by pinging on host from the other.As example from Batman ping the private network on Superman:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Batman> ping 10.0.20.20<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The routing table (on host Superman) can be inspected by using the route-cmd<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Superman> route<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Kernel IP routing table<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Destination Gateway Genmask Flags Metric Ref Use Iface<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>default 192.168.140.2 0.0.0.0 UG 0 0 0 eth0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>10.0.20.0 * 255.255.255.0 U 0 0 0 eth1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>192.168.140.0 * 255.255.255.0 U 1 0 0 eth0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>192.168.141.0 * 255.255.255.0 U 0 0 0 eth1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>As seen the foreign private is not present but the ping to 10.0.10.10 will work<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The routing can be inspected using the traceroute cmd (from host Superman):<o:p></o:p></p><p class=MsoNormal>Superman> sudo traceroute 10.0.10.10<o:p></o:p></p><p class=MsoNormal>traceroute to 10.0.10.10 (10.0.10.10), 64 hops max<o:p></o:p></p><p class=MsoListParagraph style='margin-left:20.25pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>1<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>10.0.10.10 (10.0.10.10) 0.593ms 0.406ms 0.463ms<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The ICMP traffic (the ping) can be inspected by looking at the private network<o:p></o:p></p><p class=MsoNormal>Batman> tcpdump net 10.0.20.20 -i eth1<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The encrypted packages of the same traffic can be inspected by looking at the public network<o:p></o:p></p><p class=MsoNormal>Batman> tcpdump net 192.168.141.20 -i eth1<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>BR,<o:p></o:p></span></p><p class=MsoNormal style='line-height:13.0pt;text-autospace:none'><b><span lang=DA style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Kristian </span></b><span lang=DA><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>