StrongSwan IPSec IKEv2 VPN with LEDE Reboot 17.01.2

You’ve managed to find this tutorial before my commentary or other helpful notes have been added. This means it hasn’t been fully tested. Hopefully you’ll be able to reproduce the same results, but just because I have a working setup doesn’t mean you will. Think before you type; even more so before hitting enter. If you decide to follow this guide – please leave a comment with your feedback, questions, fixes or anything else that could help others.

strongSwan is an OpenSource IPsec implementation. It was originally based on the discontinued FreeS/WAN project and the X.509 patch that we developed. In order to have a stable IPsec platform to base the extensions of the X.509 capability on, we decided to launch the strongSwan project in 2005.

Since then a new IKE daemon has been written in a modern object-oriented coding style so that the current code base does not share code with its ancestor anymore. Initially that daemon only supported IKEv2, while IKEv1 was handled by an extended version of FreeS/WAN’s pluto daemon. But because adoption of IKEv2 by other vendors took longer than anticipated support for IKEv1 was added to the new daemon with strongSwan 5.0.0.

strongSwan originally was designed for Linux, but has since been ported to Android, FreeBSD, macOS, Windows and many other platforms.

Install strongSwan with opkg.

opkg update && opkg install strongswan-full

Make your own private root certificate authority and server certificate.

cd /etc/ipsec.d/

ipsec pki --gen --type rsa --size 4096 --outform pem \
  > private/LEDE_Root_certAuthority.key
chmod 600 private/LEDE_Root_certAuthority.key
ipsec pki --self --ca \
  --lifetime 3650 \
  --in private/LEDE_Root_certAuthority.key \
  --type rsa \
  --dn "C=DE, O=LEDE Project, CN=LEDE Root certAuthority" \
  --outform pem \
  > cacerts/LEDE_Root_certAuthority.crt

ipsec pki --gen --type rsa --size 2048 --outform pem \
  > private/server.example.com.key
chmod 600 private/server.example.com.key
ipsec pki --pub --in private/server.example.com.key --type rsa | \
  ipsec pki --issue --lifetime 1825 \
  --cacert cacerts/LEDE_Root_certAuthority.crt \
  --cakey private/LEDE_Root_certAuthority.key \
  --dn "C=US, OU=Domain Validated, CN=server.example.com" \
  --san "server.example.com" \
  --san "lede.lan" \
  --san "lede.local" \
  --san "lede.private" \
  --flag serverAuth --flag ikeIntermediate \
  --outform pem > certs/server.example.com.crt

Validate your newly created certificates.

ipsec pki --print --in /etc/ipsec.d/cacerts/LEDE_Root_certAuthority.crt
ipsec pki --print --in /etc/ipsec.d/certs/server.example.com.crt

Edit /etc/strongswan.conf with your favorite text editor.

# strongswan.conf - strongSwan configuration file

charon {
  dns1 = 192.168.1.1
  load_modular = yes
  plugins {
    include strongswan.d/charon/*.conf
    dhcp {
      server = 192.168.1.1
      force_server_address = yes
      identity_lease = yes
    }
  }
}
# include strongswan.d/*.conf

Edit /etc/ipsec.conf with your favorite text editor.

# ipsec.conf - strongSwan IPsec configuration file

config setup
  strictcrlpolicy=no
  uniqueids=yes

conn rw-base
  fragmentation=yes
  dpdaction=clear
  dpdtimeout=120s
  dpddelay=30s
  compress=yes

conn rw-config
  also=rw-base
  rightsourceip=%dhcp
  rightdns=192.168.1.1
  leftsubnet=0.0.0.0/0
  leftid=server.example.com
  leftcert=server.example.com.crt
  reauth=no
  rekey=no
  ike=aes256-sha256-modp2048!
  esp=aes256-sha256!
  leftsendcert=always

conn rw-local-network
  also=rw-config
  leftfirewall=yes
  lefthostaccess=yes

conn ikev2-eap-mschapv2
  also=rw-local-network
  keyexchange=ikev2
  rightauth=eap-mschapv2
  eap_identity=%identity
  auto=add
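The four conn sections above are stacked through also= inheritance, so the settings that actually apply to ikev2-eap-mschapv2 are spread over the whole file. As an added example (not from this tutorial), this Python flattens such a chain the way strongSwan does (parents first, own keys override) and checks that the effective conn still carries the settings this setup relies on; IPSEC_CONF is a constructed, condensed copy of the sections above.

```python
# Added example, not from the tutorial. IPSEC_CONF is a constructed, condensed copy of its conn sections.
IPSEC_CONF = """\
conn rw-base
  dpdaction=clear
conn rw-config
  also=rw-base
  leftcert=server.example.com.crt
  ike=aes256-sha256-modp2048!
  esp=aes256-sha256!
  leftsendcert=always
conn rw-local-network
  also=rw-config
  leftfirewall=yes
conn ikev2-eap-mschapv2
  also=rw-local-network
  keyexchange=ikev2
  rightauth=eap-mschapv2
"""

def parse_conns(text):
    """Map each 'conn NAME' section to {key: [values]} (a key such as also= may repeat)."""
    conns, cur = {}, None
    for line in (ln.split("#", 1)[0].rstrip() for ln in text.splitlines()):
        if line and not line[0].isspace():  # section header: 'conn NAME' or 'config setup'
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name, {}) if kind == "conn" else None
        elif line and cur is not None:
            key, _, val = line.strip().partition("=")
            cur.setdefault(key, []).append(val)
    return conns

def resolve(conns, name):
    """Effective settings of a conn: also= parents are applied first, own keys override them."""
    eff = {}
    for parent in conns[name].get("also", []):
        eff.update(resolve(conns, parent))
    eff.update({k: v[-1] for k, v in conns[name].items() if k != "also"})
    return eff

def audit(p):
    """Report effective settings that drift from what this road-warrior setup relies on."""
    out = []
    if p.get("keyexchange") != "ikev2":
        out.append("keyexchange is not ikev2")
    out += [x + " proposal is not strict (no trailing '!')" for x in ("ike", "esp") if not p.get(x, "").endswith("!")]
    if p.get("rightauth", "").startswith("eap") and p.get("leftsendcert") != "always":
        out.append("EAP clients: leftsendcert should be always")
    return out
```

Run resolve(parse_conns(IPSEC_CONF), "ikev2-eap-mschapv2") against your own /etc/ipsec.conf text to see the flattened conn before restarting the daemon.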

Edit /etc/ipsec.secrets with your favorite text editor.

# /etc/ipsec.secrets - strongSwan IPsec secrets file

server.example.com : RSA server.example.com.key

Username1 : EAP "Password"
Username2 : EAP "Password"

Edit /etc/config/firewall with your favorite text editor.

config rule
	option name Allow-ESP
	option src wan
	option proto esp
	option target ACCEPT

config rule
	option name Allow-ISAKMP
	option src wan
	option proto udp
	option dest_port 500
	option target ACCEPT

config rule
	option name Allow-IKEv2
	option src wan
	option proto udp
	option dest_port 4500
	option target ACCEPT

config rule
	option name Allow-AH
	option src wan
	option proto ah
	option target ACCEPT

Reload the firewall and restart strongSwan to apply the changes. Check the status of strongSwan to ensure it has started properly.

/etc/init.d/firewall reload
ipsec restart
ipsec statusall

Make a backup of the root certificate.

cp /etc/ipsec.d/cacerts/LEDE_Root_certAuthority.crt /root/.

The server certificate generated above also works for LuCI. This next step is optional and requires the luci-ssl package to be installed. Make sure LEDE_Root_certAuthority.crt is installed and trusted on your connecting device.

rm /etc/uhttpd.key && rm /etc/uhttpd.crt
cp /etc/ipsec.d/private/server.example.com.key /etc/uhttpd.key
cp /etc/ipsec.d/certs/server.example.com.crt /etc/uhttpd.crt
/etc/init.d/uhttpd restart
