5

Strongswan on openSuSe 11.2 quick setup

view full story
linux-howto

http://forums.opensuse.org – The purpose of this story is to help OpenSuSe 11.2 users easily install and configure Strongswan VPN IKE2: gateway RSA authentication with X.509 certificate. Strongswan is probably one of the best VPN solutions nowadays on the market, if not the best! Why: In order to explain that simply, imagines the following totally fictional story. A Bulgarian student lives and studies in Germany and during his education he constantly needs access to network resources that are in Bulgaria. By coincidence his mother has a desktop computer in Bulgaria that is constantly connected to the network for 12,72 Euros a month. The Desktop PC has two network cards: the first has the static private IP address 192.168.25.1 and the second has static public IP and is connected to fiber-optic channel with upload of ~2 Megabyte and ~18 Megabyte download. The student is thinking maybe he can use that desktop computer as a proxy in order to get to those resources that are not in Internet but are in one of the Intranets in Bulgaria. The student configures SSH on one of the high ports and makes sure that only private key authentication is allowed on that server. After that he configures port forwarding of port 3128 to localhost:3128 in putty and together with Firefox and FoxyProxy(one of the thousands plug-ins for Firefox) he is using that proxy without no trouble. After a while one of his German colleagues asks him to help him find a particular file that is not available on the web. The student knows that that file could be downloaded from the one of the closed internal networks in Bulgaria and he decide to help his German friend. After seeing what kinds of resources are available in that closed network the German friend begs him about the possibility to frequently use that proxy. The student does not want to give his friend a real account to that server, but he also knows that if he tries to open the squid port in that network one of the mean administrators will simply put deny access list for his static IP address. The student decides to implement a VPN connection. He is very concern about the security and he decides that the whole bandwidth should be encrypted. The student thinks for a while and sets the requirements for his network. He decides to have the following services running behind that desktop. A. When configuring squid the student devices to set the TAG’s in squid.conf “forwarded_for off” and “via off”. B. Samba server in order to share the downloaded resources easily. The student knows that samba server could be mounted locally on any windows machine. C. Make sure that the users of that desktop PC which are using only Skype and Firefox will not suffer from his actions, thus he also plans to use traffic shaper in order to leave them enough bandwidth in case the student wants to switch x11vnc or they are working on that PC. How: The student has installed OpenSuSe 11.2 on that PC and configures a domain name to point to that public IP address of that PC. He chooses the name server.systes.net From now the student calls that desktop PC “server.sytes.net” and his personal home laptop in Germany “client”. Because the student suggest using RSA authentication with X.509 certificates, those certificates has to be generated first. Instalation First he needs to install strongswan and couple of utilities that might be useful. zypper install openssl strongswan iputils ipsec restart Later on, he will install squid and samba and HTB traffic shaper. Preparation He can create the certificates in two ways: A. the easy one (edit “openssl.cnf” and issue couple of commands in the terminal) B. the super easy one (use an script “/usr/share/ssl/misc/CA.sh” ) He decides to use the easy way and thus generate 3 certificates. A. one for the certificate authority(this will be also hosted on server.sytes.net). B. one for the server side certificate for server.sytes.net . C. one for the client certificate (for me). Before generating the certificates he goes and edit the file /etc/ssl/openssl.cnf The student makes sure that he is editing the following lines there. The first two lines are very important especially if he is using Windows 7 or Windows Vista as an IPSec client. Requirements for Certificates used with Windows 7: strongSwan - Win7CertReq - strongSwan extendedKeyUsage = serverAuth subjectAltName = DNS:server.sytes.net dir = /etc/ipsec.d # Where everything is kept certificate = $dir/cacerts/cacert.pem # The CA certificate default_days = 3650 # This means the certificates will be valid 10 years. default_bits = 2048 countryName_default = BG stateOrProvinceName_default = Plovdivska localityName_default = Plovdiv 0.organizationName_default = BlaBla Now that he is done with the openssl.cnf file he can go and generate the certificates. He goes to the folder /etc/ipsec.d/ and creates two files there: “index.txt” and “serial”. Using vim or emacs he types into “serial” two zeros “00”. Saves and exit. cd /etc/ipsec.d/ touch index.txt touch serial Now he can generate the Certificate Authority. He types pwd in order to be sure that he is in the same directory “/etc/ipsec.d/” Generate the CA openssl req -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacerts/cacert.pem After he answers the question two files will be created: a) /etc/ipsec.d/private/cakey.pem b) /etc/ipsec.d/cacerts/cacert.pem Generate the server.sytes.net certificate The students need to create first certificate for his mother, although she will not be using it he knows that he has to do it. The student checks again that he typed in the common name question the name he supplied in the subjectAltName = DNS:server.sytes.net. In this case it is “server.sytes.net” openssl req -newkey rsa:2048 -keyout private/maikaKey.pem -out reqs/maikaReq.pem openssl ca -in reqs/maikaReq.pem -out certs/maikaCert.pem –notext The first command creates the certificate maikaKey.pem and the certificate request maikaReq.pem. The second command is signing the certificate by the CA that he has generated before. During the certificate generation the student has supplied a password. Let’s say that the password was the word “secret”. Now he opens the file /etc/ipsec.secrets and types the following line into it: : RSA maikaKey.pem "secret" After that he checks if the certificate private key is really seen by the system and issue: # ipsec listall He checks if the maika key has the private key and looks for the following line pubkey: RSA 2048 bits, has private key It’s all good Generate the Client Certificates Now the Student is generating now his own certificate that he will use. He is doing the same what he has done for the server certificate, but just because he is forced to use windows 7 because of propriety software written only for windows he has to export that certificate in different format, which is readable in windows. If the student was using only Linux, the live would be so much easier; he would not had to execute the third command. He was pissed off. openssl req -newkey rsa:2048 -keyout private/clientKey.pem -out reqs/clientReq.pem openssl ca -in reqs/clientReq.pem -out certs/clientCert.pem –notext openssl pkcs12 -export -inkey private/clientKey.pem -in certs/clientCert.pem -name "client" -certfile cacerts/cacert.pem -caname "Tnet Root CA" -out clientCert.p12 After the students exports the file clientCert.p12 he copies the file and follows the instructions of strongswan to import it into the system. strongSwan - Win7EapCert - strongSwan Configure /etc/ ipsec.conf He opens the main configuration file. The student has tested this configuration only for IKE version 2. He knows that they are two very important parameters: “lefthostaccess=yes” and “leftfirewall=yes”. config setup crlcheckinterval=180 plutostart=no charondebug="cfg 4" strictcrlpolicy=no charonstart=yes conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 keyexchange=ikev2 left=server.sytes.net leftcert=maikaCert.pem leftid=[email protected] leftfirewall=yes lefthostaccess=yes conn nat-t leftsubnet=192.168.25.0/24 right=%any rightsubnet=192.168.20.0/24 rightsourceip=192.168.20.100/26 auto=add auth=esp Edit the Firewall The student opens Yast firewall and opens UPD ports 500 and 4500 on the external interface (not the internal on). yast firewall Allowed Services -> Advanced -> UDP port 500 4500 Start the IPSec chkconfig -s ipsec on ipsec start How it is the time to test it he tries to establish a connection. He screams TI IS ALIVE! Routing After the student has done all this he only needs to set the routing on windows. He puts a permanent (-p) route to that network and uses the IP address he got from the strongswan as a gateway, in his case it was 192.168.20.101. route add 192.168.25.0 mask 255.255.255.0 192.168.20.101 metric 1 –p He tries to ping 192.168.25.1 and everything works. The student had two network card is that desktop PC but he is thinking, “what if he didn’t had two network cards but only one?”. Then he remembers that he can fake a network card interface easily in Linux and he can put as many IP addresses on that interface as he wish, so he goes to the directory “/etc/sysconfig/network/”, finds the configuration file for the interface in his case it is ifcfg-eth0. He makes a copy of it with the name ifcfg-br1 and assign over yast internal zone to that interface. ifcfg-eth0 is his external zone because that is that interface with his public IP address. The student knows that this is a bridge as this if he makes an error in his firewall configuration he can expose himself to the local network traffic circling in the local desktop network. BOOTPROTO='static' BRIDGE='yes' BRIDGE_FORWARDDELAY='0' BRIDGE_PORTS='eth0' BRIDGE_STP='off' BROADCAST='' ETHTOOL_OPTIONS='' IPADDR='192.168.25.1' MTU='' NETWORK='' PREFIXLEN='24' REMOTE_IPADDR='' STARTMODE='auto' USERCONTROL='no' NAME='' And the Student can always add IP addresses like this IPADDR1='192.168.20.1' NETMASK1='255.255.255.0' LABEL1='fake card' After he gave to that interface an IP address 192.168.25.1 with the mask 255.255.255.0, he knows that he can have only 62 friend using the proxy because his pull of addresses is 192.168.20.100/26 which means addresses from 192.168.20.65 till 192.168.20.126. But what will happen with the bandwidth if all of them decide to download over that proxy. Subneting and traffic shaping Now the student is thinking well I have to create 62 certificates for 62 friend that can use this proxy, but I want 50 % of the bandwidth for me only and 25 % for parents and the rest for everyone else; Well the student is lazy and decides to do the rest of the story the next weekend and he will post it in different forum for traffic shaping. Coming soon! (Distributions)