[strongSwan] SW 4.5.2: Using IKEv2 and certificates when running Ubuntu in virtual machines

Kristian.Lippert at tieto.com Kristian.Lippert at tieto.com
Wed Jul 4 12:03:32 CEST 2012


Hi Strongswan lovers.
I would just like to share my findings when playing around with strongswan, IKEv2, and simple certificates in 2 virtual Ubuntu 12.04 machines hosted by Win7.
This is just a help for newbies: Read or Ignore :)

Setting up strongswan 4.5.2 using certificates in ".der" format:

Windows 7
---------------------------------------------------------------------------------
VMware 1                                        VMware 2                         |
----------------------------|                  -------------------------------|  |
Host Batman (Ubuntu 12.04)  | ================ | Host Superman (Ubuntu 12.04) |  |
Public IP: 192.168.141.10   |                  | 192.168.141.20               |  |
Private IP 10.0.10.10       |                  | 10.0.20.20                   |  |
-----------------------------                  --------------------------------  |
---------------------------------------------------------------------------------

The two Ubuntu 12.04 hosts reside in two VMware virtual machines on top of a Win7 OS (for both hosts):
First a new netcard is added using VMware | Virtual Machine | Virtual Machine Settings | Add... | Network Adapter
Here set "LAN Segment" to "LAN Segment 1" (create if not there, the same segment will be used on the other virtual machine).

Tweaking Linux when running in virtual machines
Some tweaking of Ubuntu needs to be done afterwards, otherwise Ubuntu will turn the network device on and off all the time (no idea why):

1. Open "network settings" by clicking the network symbol in the upper right corner of the screen.
2. In the "Wired" tab choose "Wired Connection 1", corresponding to "eth0", and press "Edit".
3. In the "IPv6 Settings" tab, choose method "Ignore"
4. In the "IPv4 Settings" tab, choose method "Automatic (DHCP)"
5. Press "Save"
6. In the "Wired" tab choose "Wired Connection 2", corresponding to "eth1", and press "Edit".
7. In the "IPv6 Settings" tab, choose method "Ignore"
8. In the "IPv4 Settings" tab, choose method "Shared to other computers"
9. Press "Save"
Hopefully the enable/disable problems should stop now

Creating the public and private networks:

Host Batman:
On host Batman run the following cmd's as root:
Batman> sudo ifconfig eth1 192.168.141.10 netmask 255.255.255.0
Batman> sudo ifconfig eth1 add 10.0.10.10 netmask 255.255.255.0
Batman> sudo ifconfig eth1:0 broadcast 10.0.10.255

Host Superman:
On host Superman run the following cmd's as root:
Superman> sudo ifconfig eth1 192.168.141.20 netmask 255.255.255.0
Superman> sudo ifconfig eth1 add 10.0.20.20 netmask 255.255.255.0
Superman> sudo ifconfig eth1:0 broadcast 10.0.20.255

This will create the public and private IP-addresses on "eth1" for both hosts.
Try to use "ifconfig" to verify this.
After a Reboot, Hibernate, or Sleep these cmd's might need to be rerun, otherwise the network is not setup correctly.

Installing strongswan (on both hosts)
> sudo apt-get install strongswan

Creating the PKI (Public Key Infrastructure)
First a root certificate needs to be created and then certificates for each host will be generated.

Generating Root Certificate
First generate root key:
ipsec pki --gen > superherosKey.der

The generated root key can now be used for generating a root certificate:
ipsec pki --self --in superherosKey.der --dn "C=DK, O=Superheros, CN=Earth" --ca > superherosCert.der

These are to be stored in a secure place. The users should have reduced access to the root key (no one but root should have access to the key).

Generating Host Batman certificate
On a secure machine generate a private root key/certificate pair:

For Host Batman do:

Generate Host Batman private key
ipsec pki --gen > BatmanKey.der

Now generate the Host Batman certificate by signing with the root certificate and using the private root key and the host key to encrypt:

ipsec pki --pub --in BatmanKey.der | ipsec pki --issue --cacert superherosCert.der --cakey superherosKey.der --dn "C=DK, O=JusticeLeauge, CN=Gotham" > BatmanCert.der

The Distinguished Name (--dn): "C=DK, O=JusticeLeauge, CN=Gotham" can be used for identifying the host.
The Subject Alternative Name '--san "192.168.141.10"' can be added and used on the other host (host Superman) to identify this specific host (host Superman).

You should afterwards as root copy files so you will have:
/etc/ipsec.d/cacerts/superherosCert.der
/etc/ipsec.d/certs/BatmanCert.der
/etc/ipsec.d/private/BatmanKey.der

You can verify your generation of certificates by issuing the following cmd:

Batman> sudo ipsec pki --verify --in /etc/ipsec.d/certs/BatmanCert.der --ca /etc/ipsec.d/cacerts/superherosCert.der

Configuring strongswan on Host Batman
Configuration is fairly simple. Only the ipsec.conf and ipsec.secrets files need to be configured.
/etc/ipsec.secrets file:
#ipsec.secrets -
: RSA BatmanKey.der

/etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file
config setup
        charondebug="dmn 4, ike 4, knl 4, cfg 4, mgr 4, chd 4, net 4"
        charonstart=yes
        plutostart=no

conn IKEv2-CERT-hostBatman-hostSuperman
      ikelifetime=180m
      lifetime=60m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2
      leftcert=BatmanCert.der
      left=192.168.141.10
      right=192.168.141.20
      rightid="C=DK, O=JusticeLeauge, CN=Metropolis"
      leftsubnet=10.0.10.0/24
      rightsubnet=10.0.20.0/24
      auto=start

include /var/lib/strongswan/ipsec.conf.inc

If you want any host to be able to connect to this host, then replace the "rightid" with:
      rightid=%any
If you added the subject alternative name (--san) you can replace the "rightid" with the following to pinpoint precisely the host that can connect to this host.
      rightid=192.168.141.20


Generating Host Superman certificate
On a secure machine generate a private root key/certificate pair:

For Host Superman do:

Generate Host Superman private key
ipsec pki --gen > SupermanKey.der

Now generate the Host Superman certificate by signing with the root certificate and using the private root key and the host key to encrypt:

ipsec pki --pub --in SupermanKey.der | ipsec pki --issue --cacert superherosCert.der --cakey superherosKey.der --dn "C=DK, O=JusticeLeauge, CN=Metropolis" > SupermanCert.der

The Distinguished Name (--dn): "C=DK, O=JusticeLeauge, CN=Metropolis" can be used for identifying the host.
The Subject Alternative Name '--san "192.168.141.20"' can be added and used on the other host (host Batman) to identify this specific host (host Superman).

You should afterwards as root copy files so you will have:
/etc/ipsec.d/cacerts/superherosCert.der
/etc/ipsec.d/certs/SupermanCert.der
/etc/ipsec.d/private/SupermanKey.der

You can verify your generation of certificates by issuing the following cmd:

Superman> sudo ipsec pki --verify --in /etc/ipsec.d/certs/SupermanCert.der --ca /etc/ipsec.d/cacerts/superherosCert.der


Configuring strongswan on Host Superman
Configuration is fairly simple. Only the ipsec.conf and ipsec.secrets files need to be configured.
/etc/ipsec.secrets file:
#ipsec.secrets -
: RSA SupermanKey.der

/etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file
config setup
        charondebug="dmn 4, ike 4, knl 4, cfg 4, mgr 4, chd 4, net 4"
        charonstart=yes
        plutostart=no

conn IKEv2-CERT-hostBatman-hostSuperman
      ikelifetime=180m
      lifetime=60m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2
      leftcert=SupermanCert.der
      left=192.168.141.20
      right=192.168.141.10
      rightid="C=DK, O=JusticeLeauge, CN=Gotham"
      leftsubnet=10.0.20.0/24
      rightsubnet=10.0.10.0/24
      auto=start

include /var/lib/strongswan/ipsec.conf.inc

If you want any host to be able to connect to this host, then replace the "rightid" with:
      rightid=%any
If you added the subject alternative name (--san) you can replace the "rightid" with the following to pinpoint precisely the host that can connect to this host.
      rightid=192.168.141.10

Testing your configuration

You can now restart the strongswan IKEv2 daemon (charon) on both machines by typing (on both)
> sudo ipsec restart

Inspecting the status of the current set of SA's (on both) (SA = Security Association):
> sudo ipsec statusall

The log can be found in /var/log/syslog, if not configured otherwise in /etc/strongswan.conf.

Testing the SA by pinging one host from the other. As an example, from Batman ping the private network on Superman:
Batman> ping 10.0.20.20

The routing table (on host Superman) can be inspected by using the route-cmd
Superman> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.140.2   0.0.0.0         UG    0      0        0 eth0
10.0.20.0       *               255.255.255.0   U     0      0        0 eth1
192.168.140.0   *               255.255.255.0   U     1      0        0 eth0
192.168.141.0   *               255.255.255.0   U     0      0        0 eth1
As seen, the foreign private network is not present, but the ping to 10.0.10.10 will work.

The routing can be inspected using the traceroute cmd (from host Superman):
Superman> sudo traceroute 10.0.10.10
traceroute to 10.0.10.10 (10.0.10.10), 64 hops max

1         10.0.10.10 (10.0.10.10) 0.593ms 0.406ms 0.463ms

The ICMP traffic (the ping) can be inspected by looking at the private network
Batman> tcpdump net 10.0.20.20 -i eth1

The encrypted packets of the same traffic can be inspected by looking at the public network
Batman> tcpdump net 192.168.141.20 -i eth1

BR,
Kristian
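
The two ipsec.conf files in the post above have to mirror each other: each side's right/rightsubnet is the other's left/leftsubnet, and each rightid has to be an identity the peer's certificate carries (its DN, or a --san value if one was added). The following is an added example, not part of the original post and not strongSwan code; the function names, the simplified parser and the text-based DN comparison are assumptions of this example, and the sample input is constructed from the values in the post.

```python
import ipaddress

def parse_conn(text):
    """Options of the first 'conn' section of an ipsec.conf, as a dict."""
    opts, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # an unindented line opens a new section
            if in_conn:
                break
            in_conn = line.split()[0] == "conn"
        elif in_conn and "=" in line:
            key, value = line.strip().split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def norm(identity):
    # Simplification (assumption): compare DNs as text, ignoring spaces after commas.
    return ",".join(part.strip() for part in identity.split(","))

def check_pair(conf_a, ids_a, conf_b, ids_b):
    """Mismatches between two peers' conn sections.
    ids_x: identities x's certificate asserts (subject DN plus any --san values)."""
    a, b = parse_conn(conf_a), parse_conn(conf_b)
    problems = []
    for name, mine, theirs, their_ids in (("A", a, b, ids_b), ("B", b, a, ids_a)):
        for r_key, l_key in (("right", "left"), ("rightsubnet", "leftsubnet")):
            if mine.get(r_key) != theirs.get(l_key):
                problems.append(f"{name}: {r_key} differs from peer's {l_key}")
        rid = mine.get("rightid", "")
        if rid == "%any":
            problems.append(f"{name}: rightid=%any does not pin the peer identity")
        elif norm(rid) not in {norm(i) for i in their_ids}:
            problems.append(f"{name}: rightid not asserted by peer certificate")
    nets = [ipaddress.ip_network(c["leftsubnet"]) for c in (a, b) if "leftsubnet" in c]
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        problems.append("private subnets overlap")
    return problems

# Constructed sample input: the conn sections from the post, trimmed to the checked keys.
CONN = ('conn IKEv2-CERT-hostBatman-hostSuperman\n      left={}\n      right={}\n'
        '      rightid="{}"\n      leftsubnet={}\n      rightsubnet={}\n')
GOTHAM, METROPOLIS = "C=DK, O=JusticeLeauge, CN=Gotham", "C=DK, O=JusticeLeauge, CN=Metropolis"
BATMAN = CONN.format("192.168.141.10", "192.168.141.20", METROPOLIS, "10.0.10.0/24", "10.0.20.0/24")
SUPERMAN = CONN.format("192.168.141.20", "192.168.141.10", GOTHAM, "10.0.20.0/24", "10.0.10.0/24")
if __name__ == "__main__":
    print(check_pair(BATMAN, {GOTHAM}, SUPERMAN, {METROPOLIS}) or "configs mirror each other")
```

With rightid set to the peer's IP address, the check only passes when that address is listed among the peer certificate's identities, which corresponds to issuing the certificate with --san.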
