[Vpn-help] Shrew Soft VPN Client + openSwan Ipsec Howto

Stefan Bauer sb at puhlmann.net
Wed Nov 28 05:36:28 CST 2007


Dear Users,

We worked out a suitable configuration for openSwan, using the latest
openSwan package included in Debian and many other distributions. We want to
contribute our configuration because we ran into some problems during our
research.

The setup is for a roadwarrior scenario where customers or employees need a
secure connection from outside the company to the protected LAN inside.
We accept any source IP from outside and let the clients take IPs from the pool
192.168.2.0/24.

The LAN behind the IPsec gateway (our private company network segment) is
192.168.0.0/24.

We use X.509 certificates so that the roadwarrior server and the clients
authenticate each other.

Here we go: (helpful suggestions are greatly appreciated)

The SSL part (creating the certification authority, the server cert and the
client certs):

1. Creating the CA (valid for 10 years)

openssl req -x509 -days 3650 -newkey rsa:2048 \
    -keyout /etc/ipsec.d/private/caKey.pem \
    -out /etc/ipsec.d/cacerts/caCert.pem

2. Creating a certification request for our server and/or client:

OpenSSL's "ca" command expects a fixed directory structure, so we create it here:

cd /etc/openssl/
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial

Now the certification request for our server:

openssl req -newkey rsa:1024 -keyout /etc/ipsec.d/private/serverKey.pem \
    -out /etc/ipsec.d/private/serverReq.pem

3. Signing the certification request with our just created
certification authority (CA) (valid for 2 years)

openssl ca -in /etc/ipsec.d/private/serverReq.pem -days 730 \
    -out /etc/ipsec.d/private/serverCert.pem -notext \
    -cert /etc/ipsec.d/cacerts/caCert.pem \
    -keyfile /etc/ipsec.d/private/caKey.pem

4. Creating client certs

Hint: we create a p12 container which contains nearly all files the
clients need. (We assume that you already created a client cert request and
signed it with the CA, as explained in points 2 and 3.)

openssl pkcs12 -export -inkey roadwarriorKey.pem -in roadwarriorCert.pem \
    -name "Mr. Mike Roadwarrior" -certfile /etc/ipsec.d/cacerts/caCert.pem \
    -caname "company name for a better assignment" -out mikeroadwarrior-rw.p12

We get a nice and handy .p12 file which can be loaded into the Shrew Soft
VPN client through its import function.

The Configurations:

Server:

/etc/ipsec.conf

config setup
        # NAT-T activation
        nat_traversal=yes
        # debug activation
        # plutodebug=control

# global settings
conn %default
        # network settings, timeouts...
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

# roadwarrior part
conn roadwarrior
        # authentication by certificate
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=serverCert.pem
        auto=add
        pfs=no
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        left=%defaultroute
        leftsubnet=192.168.0.0/24
        right=%any
        rightsubnetwithin=192.168.2.0/24
        keyingtries=3

# Opportunistic Encryption not active
include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets

: RSA serverKey.pem "oursecretpassword"


Client:

(If you put all these lines into a text file, it can be imported without
problems into the Shrew Soft VPN client.)

n:network-ike-port:500
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:30
n:network-dpd-enable:1
n:network-frag-enable:1
n:network-frag-size:1300
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:0
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:0
n:phase1-keylen:0
n:phase2-keylen:0
s:network-natt-enable:enable
s:phase2-compress:none
s:policy-list-type:include
s:policy-entry-network:192.168.3.0 / 255.255.255.0
s:network-host:hostname.of.your.company.vpn.srv
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:192.168.2.23
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-wins-addr:0.0.0.0
s:client-dns-addr:0.0.0.0
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:ident-client-data:C=DE, ST=Bavaria, O=puhlmann.net, CN=Stefan Bauer/emailAddress=sb at puhlmann.net
s:ident-server-data:C=DE, ST=Bavaria, O=puhlmann.net, CN=vpn.plzk.de/emailAddress=security at plzk.de
s:auth-server-cert:mikeroadwarrior-rw.p12
s:auth-client-cert:mikeroadwarrior-rw.p12
s:auth-client-key:mikeroadwarrior-rw.p12
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-list-include:192.168.0.0 / 255.255.255.0


Two more hints:

s:ident-server-data must be the same as the output of:

openssl x509 -in /etc/ipsec.d/cacerts/caCert.pem -noout -text | grep Subject

And s:ident-client-data has to be the output of:

openssl x509 -in roadwarriorCert.pem -noout -text | grep Subject
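Steps 1 to 4 of the certificate part and the two ident hints, as one added example that is not code from the original post: the same CA, server cert, client cert and p12 container are produced non-interactively in a scratch directory, both chains are verified against the CA, and the subject DN is printed in the one-line form the ident fields need. It assumes openssl on PATH; the DNs, friendly names and passphrase are constructed placeholders, and signing uses "openssl x509 -req -CAcreateserial" in place of the post's "openssl ca" database.

```shell
#!/bin/sh
# Added example (not code from the original post): steps 1-4 of the
# certificate part, run non-interactively in a scratch directory, with both
# chains verified and the subject DN printed in the form the client's
# ident-server-data / ident-client-data fields must carry.
# Assumptions: openssl on PATH; DNs, friendly names and passphrase are
# constructed placeholders; signing uses "openssl x509 -req -CAcreateserial"
# instead of the post's "openssl ca" database, so no demoCA directory.
set -eu

# build_rw_pki DIR: writes caCert.pem, serverCert.pem, roadwarriorCert.pem
# and mikeroadwarrior-rw.p12 below DIR; fails if a chain does not verify.
build_rw_pki() {
    dir=$1
    pw="pass:oursecretpassword"          # constructed placeholder passphrase
    mkdir -p "$dir"
    # 1. CA, valid for 10 years (key file is encrypted with the passphrase)
    openssl req -x509 -days 3650 -newkey rsa:2048 -sha256 \
        -subj "/C=DE/ST=Bavaria/O=example.test/CN=Example CA" \
        -passout "$pw" -keyout "$dir/caKey.pem" -out "$dir/caCert.pem"
    # 2. + 3. request for server and client, each signed by the CA for 2 years
    for name in server roadwarrior; do
        openssl req -new -newkey rsa:2048 -sha256 \
            -subj "/C=DE/ST=Bavaria/O=example.test/CN=$name.example.test" \
            -passout "$pw" -keyout "$dir/${name}Key.pem" -out "$dir/${name}Req.pem"
        openssl x509 -req -days 730 -in "$dir/${name}Req.pem" \
            -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" -passin "$pw" \
            -CAcreateserial -out "$dir/${name}Cert.pem"
        # check the chain before anything is handed out (non-zero exit aborts)
        openssl verify -CAfile "$dir/caCert.pem" "$dir/${name}Cert.pem" >/dev/null
    done
    # 4. p12 container for the client: key, cert and CA cert in one file
    openssl pkcs12 -export -inkey "$dir/roadwarriorKey.pem" -passin "$pw" \
        -in "$dir/roadwarriorCert.pem" -name "Mr. Mike Roadwarrior" \
        -certfile "$dir/caCert.pem" -caname "Example CA" \
        -passout "$pw" -out "$dir/mikeroadwarrior-rw.p12"
}

# cert_ident DIR CERTFILE: subject DN as one "C=DE, ST=Bavaria, ..." line
# (short names, ", " separators, no spaces around "=") for the ident fields.
cert_ident() {
    openssl x509 -in "$1/$2" -noout -subject \
        -nameopt esc_ctrl,esc_msb,utf8,sep_comma_plus_space | sed 's/^subject= *//'
}

if [ "${1:-}" = "demo" ]; then      # sh this_file demo -> builds in ./rw-pki
    build_rw_pki ./rw-pki
    echo "server ident: $(cert_ident ./rw-pki serverCert.pem)"
fi
```

Compare the printed DN with the s:ident-server-data / s:ident-client-data lines of the client file before importing it; a mismatch is the usual reason a mutual-rsa setup fails in phase 1.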

That's it. Last but not least, a big thank you for this nice piece of VPN
client software!



Best regards

Stefan Bauer

--
Haiko Puhlmann, Beratung + Konzeption
EDV-Systeme und -Kommunikation
Georgenschwaigstraße 4
80807 München
Tel: +49-89-3536960-0
Fax: +49-89-3536960-9