Add the backports source (note: Debian Wheezy and wheezy-backports are end-of-life and no longer receive security updates; on a supported release install strongswan from the release's own repository and drop the -t wheezy-backports option):
deb http://http.debian.net/debian wheezy-backports main
deb-src http://http.debian.net/debian wheezy-backports main
apt-get update
apt-get -t wheezy-backports install strongswan libcharon-extra-plugins
Check version installed :
ipsec version
Create certificates (ipsec pki --gen writes an RSA private key; ca.pem is the CA signing key and server.pem is the gateway key - run these as root with a restrictive umask so the key files are not world-readable):
umask 077
ipsec pki --gen --outform pem > ca.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --self --in ca.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > ca.cert.pem
openssl x509 -outform der -in ca.cert.pem -out ca.cert.crt (for Windows compatible format)
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
--cakey ca.pem --dn "C=CN, O=strongSwan, CN=YOURDOMAIN.COM" \
--san YOURDOMAIN.COM --flag serverAuth --flag ikeIntermediate \
--outform pem > server.cert.pem
(the --san value must be exactly the server name the clients are configured to connect to - a DNS name, or an IP address such as --san 10.1.2.21 - otherwise the Windows IKEv2 client rejects the certificate; serverAuth and ikeIntermediate are the extended key usages Windows and Apple clients check for)
cp server.pem /etc/ipsec.d/private/
cp server.cert.pem /etc/ipsec.d/certs/
cp ca.cert.pem /etc/ipsec.d/cacerts/
chmod 600 /etc/ipsec.d/private/server.pem
(only the gateway key server.pem is needed on the VPN server - it is the key ipsec.secrets references below. Do not copy the CA signing key ca.pem onto the gateway; keep it on an offline or separate machine, because anyone who obtains it can issue server certificates every client trusts)
modify the file accordingly :
nano /etc/ipsec.conf
config setup
# never: several clients may be connected with the same identity/credential at once.
# Set to yes if every user has an individual account and a new login should replace the old one.
uniqueids=never
conn %default
left=10.1.2.21
leftsubnet=10.1.2.0/24
leftfirewall=yes
right=%any
rightsourceip=10.8.1.0/24
auto=add
conn shrewsoft_xauth_psk
keyexchange=ikev1
leftauth=psk
rightauth=psk
rightauth2=xauth
conn windows7/8
keyexchange=ikev2
# The trailing "!" makes this proposal strict: only the listed algorithms are accepted.
# modp1024 (DH group 2) is a weak 1024-bit group and is only here because Windows 7/8
# propose it by default. Prefer ike=aes256-sha1-modp2048! and set the registry value
# HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\NegotiateDH2048_AES256 (DWORD, 1)
# on the Windows clients so they propose modp2048 (reboot or restart the RasMan service afterwards).
ike=aes256-sha1-modp1024!
rekey=no
leftauth=pubkey
leftcert=server.cert.pem
rightauth=eap-mschapv2
eap_identity=%any
nano /etc/ipsec.secrets
(the secrets below are placeholders - replace "123" and "456" with long random strings, e.g. generated with openssl rand -base64 32. The IKEv1 PSK is a single group secret shared by every ShrewSoft client and can be guessed offline if it is weak, and the XAUTH/EAP passwords are the per-user credentials. The file holds these in plaintext, so keep it owned by root with mode 600.)
10.1.2.21 %any : PSK "123"
test : XAUTH "456"
: RSA server.pem
user : EAP "456"
Enable ipv4 forwarding :
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Apply Settings immediately :
sysctl -p
Enable NAT for the VPN client pool. Restrict the rule to the client addresses and the LAN-facing interface: without -s the rule as written rewrites every forwarded packet from any source, not just VPN traffic.
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j SNAT --to-source 10.1.2.21
(replace eth0 with the interface that carries 10.1.2.21; leftfirewall=yes above already adds the matching FORWARD rules when a client connects)
Modify for split tunneling for ikev1 :
nano /etc/strongswan.d/charon/attr.conf
attr {
# <attr> is an attribute name or an integer, values can be an IP address,
# subnet or arbitrary value.
split-include=10.1.2.0/24
split-exclude=0.0.0.0/0
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
}
Enable Unity plugin :
nano /etc/strongswan.d/charon.conf
# Send Cisco Unity vendor ID payload (IKEv1 only).
cisco_unity = yes
service ipsec restart
Install ca.cert.pem or ca.cert.crt on the Windows client in the Local Computer > Trusted Root Certification Authorities store, so the client can verify the gateway certificate before sending the EAP-MSCHAPv2 credentials (without that check a rogue gateway could harvest them). For split tunneling, the "Use default gateway on remote network" option in the Advanced TCP/IP settings of
the VPN connection has to be disabled. For ShrewSoft no modification is required.
Add the backports source (note: Debian Wheezy and wheezy-backports are end-of-life and no longer receive security updates; on a supported release install strongswan from the release's own repository and drop the -t wheezy-backports option):
deb http://http.debian.net/debian wheezy-backports main
deb-src http://http.debian.net/debian wheezy-backports main
apt-get update
apt-get -t wheezy-backports install strongswan libcharon-extra-plugins
Check version installed :
ipsec version
Create certificates (ipsec pki --gen writes an RSA private key; ca.pem is the CA signing key and server.pem is the gateway key - run these as root with a restrictive umask so the key files are not world-readable):
umask 077
ipsec pki --gen --outform pem > ca.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --self --in ca.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > ca.cert.pem
openssl x509 -outform der -in ca.cert.pem -out ca.cert.crt (for Windows compatible format)
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
--cakey ca.pem --dn "C=CN, O=strongSwan, CN=YOURDOMAIN.COM" \
--san YOURDOMAIN.COM --flag serverAuth --flag ikeIntermediate \
--outform pem > server.cert.pem
(the --san value must be exactly the server name the clients are configured to connect to - a DNS name, or an IP address such as --san 10.1.2.21 - otherwise the Windows IKEv2 client rejects the certificate; serverAuth and ikeIntermediate are the extended key usages Windows and Apple clients check for)
cp server.pem /etc/ipsec.d/private/
cp server.cert.pem /etc/ipsec.d/certs/
cp ca.cert.pem /etc/ipsec.d/cacerts/
chmod 600 /etc/ipsec.d/private/server.pem
(only the gateway key server.pem is needed on the VPN server - it is the key ipsec.secrets references below. Do not copy the CA signing key ca.pem onto the gateway; keep it on an offline or separate machine, because anyone who obtains it can issue server certificates every client trusts)
modify the file accordingly :
nano /etc/ipsec.conf
config setup
# never: several clients may be connected with the same identity/credential at once.
# Set to yes if every user has an individual account and a new login should replace the old one.
uniqueids=never
conn %default
left=10.1.2.21
leftsubnet=10.1.2.0/24
leftfirewall=yes
right=%any
rightsourceip=10.8.1.0/24
auto=add
conn shrewsoft_xauth_psk
keyexchange=ikev1
leftauth=psk
rightauth=psk
rightauth2=xauth
conn windows7/8
keyexchange=ikev2
# The trailing "!" makes this proposal strict: only the listed algorithms are accepted.
# modp1024 (DH group 2) is a weak 1024-bit group and is only here because Windows 7/8
# propose it by default. Prefer ike=aes256-sha1-modp2048! and set the registry value
# HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\NegotiateDH2048_AES256 (DWORD, 1)
# on the Windows clients so they propose modp2048 (reboot or restart the RasMan service afterwards).
ike=aes256-sha1-modp1024!
rekey=no
leftauth=pubkey
leftcert=server.cert.pem
rightauth=eap-mschapv2
eap_identity=%any
nano /etc/ipsec.secrets
(the secrets below are placeholders - replace "123" and "456" with long random strings, e.g. generated with openssl rand -base64 32. The IKEv1 PSK is a single group secret shared by every ShrewSoft client and can be guessed offline if it is weak, and the XAUTH/EAP passwords are the per-user credentials. The file holds these in plaintext, so keep it owned by root with mode 600.)
10.1.2.21 %any : PSK "123"
test : XAUTH "456"
: RSA server.pem
user : EAP "456"
Enable ipv4 forwarding :
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Apply Settings immediately :
sysctl -p
Enable NAT for the VPN client pool. Restrict the rule to the client addresses and the LAN-facing interface: without -s the rule as written rewrites every forwarded packet from any source, not just VPN traffic.
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j SNAT --to-source 10.1.2.21
(replace eth0 with the interface that carries 10.1.2.21; leftfirewall=yes above already adds the matching FORWARD rules when a client connects)
Modify for split tunneling for ikev1 :
nano /etc/strongswan.d/charon/attr.conf
attr {
# <attr> is an attribute name or an integer, values can be an IP address,
# subnet or arbitrary value.
split-include=10.1.2.0/24
split-exclude=0.0.0.0/0
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
}
Enable Unity plugin :
nano /etc/strongswan.d/charon.conf
# Send Cisco Unity vendor ID payload (IKEv1 only).
cisco_unity = yes
service ipsec restart
Install ca.cert.pem or ca.cert.crt on the Windows client in the Local Computer > Trusted Root Certification Authorities store, so the client can verify the gateway certificate before sending the EAP-MSCHAPv2 credentials (without that check a rogue gateway could harvest them). For split tunneling, the "Use default gateway on remote network" option in the Advanced TCP/IP settings of
the VPN connection has to be disabled. For ShrewSoft no modification is required.