StrongSwan IPSec IKEv2 VPN with LEDE Reboot 17.01.4

You’ve managed to find this tutorial before my commentary or other helpful notes have been added. This means it hasn’t been fully tested. Hopefully you’ll be able to reproduce the same results, but just because I have a working setup doesn’t mean you will. Think before you type; even more so before hitting enter. If you decide to follow this guide – please leave a comment with your feedback, questions, fixes or anything else that could help others.

strongSwan is an OpenSource IPsec implementation. It was originally based on the discontinued FreeS/WAN project and the X.509 patch that we developed. In order to have a stable IPsec platform to base the extensions of the X.509 capability on, we decided to launch the strongSwan project in 2005.

Since then a new IKE daemon has been written in a modern object-oriented coding style so that the current code base does not share code with its ancestor anymore. Initially that daemon only supported IKEv2, while IKEv1 was handled by an extended version of FreeS/WAN’s pluto daemon. But because adoption of IKEv2 by other vendors took longer than anticipated, support for IKEv1 was added to the new daemon with strongSwan 5.0.0.

strongSwan originally was designed for Linux, but has since been ported to Android, FreeBSD, macOS, Windows and many other platforms.

Install strongSwan with opkg. The strongswan-full package pulls in every plugin, including the dhcp and farp plugins this configuration relies on.

opkg update && opkg install strongswan-full

Make your own private root certificate authority (CA) and a server certificate signed by it. The CA private key never leaves the router; only the CA certificate is distributed to clients.

cd /etc/ipsec.d/

# Root CA: 4096-bit RSA key, self-signed certificate valid for 10 years
ipsec pki --gen --type rsa --size 4096 --outform pem \
    > private/LEDE_Root_CA.key
chmod 600 private/LEDE_Root_CA.key
ipsec pki --self --ca \
    --lifetime 3650 \
    --in private/LEDE_Root_CA.key \
    --type rsa \
    --dn "C=DE, O=LEDE Project, CN=LEDE Root certAuthority" \
    --outform pem \
    > cacerts/LEDE_Root_CA.crt

# Server certificate issued by the CA, valid for 5 years. The SANs must cover
# the name clients connect to (the leftid used in ipsec.conf below); the
# serverAuth flag is required by Windows clients, ikeIntermediate by older
# macOS/iOS clients.
ipsec pki --gen --type rsa --size 4096 --outform pem \
    > private/server.example.com.key
chmod 600 private/server.example.com.key
ipsec pki --pub --in private/server.example.com.key --type rsa | \
    ipsec pki --issue --lifetime 1825 \
    --cacert cacerts/LEDE_Root_CA.crt \
    --cakey private/LEDE_Root_CA.key \
    --dn "C=US, OU=Domain Validated, CN=server.example.com" \
    --san "server.example.com" \
    --san "lede.lan" \
    --san "lede.local" \
    --san "lede.private" \
    --flag serverAuth --flag ikeIntermediate \
    --outform pem > certs/server.example.com.crt

Inspect the newly created certificates. Check that the server certificate's issuer matches the CA subject, that the subjectAltNames listed are the ones you will connect to, and that the serverAuth and ikeIntermediate flags are present.

ipsec pki --print --in /etc/ipsec.d/cacerts/LEDE_Root_CA.crt
ipsec pki --print --in /etc/ipsec.d/certs/server.example.com.crt

Edit /etc/strongswan.conf with your favorite text editor. The dhcp section makes charon request an address for each client from the LAN DHCP server at 192.168.1.1 (force_server_address sends the request to that server instead of broadcasting, identity_lease derives a stable client identifier from the IKE identity so the same user keeps getting the same lease). For those clients to be reachable from the LAN, the router also has to answer ARP for the leased addresses, which the farp plugin from strongswan-full does.

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    dns1 = 192.168.1.1
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        dhcp {
            server = 192.168.1.1
            force_server_address = yes
            identity_lease = yes
        }
    }
}
# include strongswan.d/*.conf

Edit /etc/ipsec.conf with your favorite text editor. The conn sections build on each other through also=; only the last one, ikev2-eap-mschapv2, is loaded (auto=add). It authenticates the server with the certificate created above and the clients with EAP-MSCHAPv2 usernames and passwords from ipsec.secrets, and hands clients a DHCP lease from the LAN (rightsourceip=%dhcp) with the router as DNS server.

# ipsec.conf - strongSwan IPsec configuration file

config setup
	strictcrlpolicy=no
	uniqueids=yes

conn rw-base
	fragmentation=yes
	dpdaction=clear
	dpdtimeout=120s
	dpddelay=30s
	compress=yes

conn rw-config
	also=rw-base
	rightsourceip=%dhcp
	rightdns=192.168.1.1
	leftsubnet=0.0.0.0/0
	leftid=@server.example.com
	leftcert=server.example.com.crt
	reauth=no
	rekey=no
	# aes256-sha256-modp2048 is what current clients should negotiate; the
	# sha1/modp1024 and 3des entries exist only for older clients and should
	# be removed once none remain. The trailing '!' makes the list strict.
	ike=aes256-sha256-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
	esp=aes256-sha256,aes256-sha1,3des-sha1!
	leftsendcert=always

conn rw-local-network
	also=rw-config
	leftfirewall=yes
	lefthostaccess=yes

conn ikev2-eap-mschapv2
	also=rw-local-network
	keyexchange=ikev2
	rightauth=eap-mschapv2
	eap_identity=%identity
	auto=add
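The ike= and esp= lines above still offer sha1, modp1024 and 3des for older clients. The script below is an added example, not part of the original tutorial and not a strongSwan tool: it lists the legacy algorithms found in the ike=/esp= proposal strings of an ipsec.conf so you can see what is still being offered before removing it. The two sample configurations embedded in it are constructed for the example, and the set of algorithms it flags is the script's own choice. It is plain POSIX sh and runs under busybox ash on the router.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report legacy algorithms
# offered in the ike= / esp= proposal strings of an ipsec.conf.
# Portable POSIX sh; works with busybox ash on LEDE.

# Constructed sample: the proposals from the tutorial's rw-config section.
SAMPLE_CONF='conn rw-config
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
'

# Constructed sample of the same section with only current algorithms.
HARDENED_CONF='conn rw-config
    ike=aes256gcm16-prfsha384-ecp384,aes256-sha256-modp2048!
    esp=aes256gcm16,aes256-sha256!
'

# proposal_lines CONF_TEXT -> the ike=/esp= lines with leading whitespace removed
proposal_lines() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*(ike|esp)=' | sed 's/^[[:space:]]*//'
}

# weak_algs "ike=a-b-c,d-e-f!" -> one line per legacy token,
# e.g. "ike 3des-sha1-modp1024: 3des"
weak_algs() {
    kind=${1%%=*}        # "ike" or "esp"
    list=${1#*=}         # everything after '='
    list=${list%!}       # drop the strict-proposal marker
    printf '%s\n' "$list" | tr ',' '\n' | while IFS= read -r proposal; do
        printf '%s\n' "$proposal" | tr '-' '\n' | while IFS= read -r alg; do
            # Algorithms a new deployment should not offer (this script's own list).
            case "$alg" in
                des|3des|blowfish|cast128|md5|sha1|modp768|modp1024|modp1536)
                    printf '%s %s: %s\n' "$kind" "$proposal" "$alg" ;;
            esac
        done
    done
}

# audit_conf CONF_TEXT -> every finding for the whole config
audit_conf() {
    proposal_lines "$1" | while IFS= read -r line; do
        weak_algs "$line"
    done
}

# count_weak CONF_TEXT -> number of findings; 0 means nothing legacy is offered
count_weak() {
    audit_conf "$1" | wc -l | tr -d ' '
}

# Usage: audit the live config when run on the router, else the embedded sample.
if [ -r /etc/ipsec.conf ]; then
    audit_conf "$(cat /etc/ipsec.conf)"
else
    audit_conf "$SAMPLE_CONF"
fi
```

For the tutorial's proposals the script reports eight findings (sha1 and modp1024 in two IKE proposals, 3des in one, and the matching sha1/3des entries in ESP); for the hardened variant it reports none. Each token is matched exactly, so sha256 and modp2048 are not flagged by the sha1 and modp1024 patterns.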

Edit /etc/ipsec.secrets with your favorite text editor. The first line tells charon which private key belongs to the server certificate; the remaining lines are the EAP-MSCHAPv2 users. The passwords are stored in clear text, so keep the file readable by root only.

# /etc/ipsec.secrets - strongSwan IPsec secrets file

server.example.com : RSA server.example.com.key

Username1 : EAP "Password"
Username2 : EAP "Password"

Edit /etc/config/firewall with your favorite text editor. IKE needs UDP 500 and, for NAT traversal, UDP 4500 (both IKEv1 and IKEv2 use the same ports; the rule names are just labels). ESP carries the tunnelled traffic. This configuration does not use AH, so the last rule is not required, but it is harmless.

config rule
	option name 'Allow-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option name 'Allow-IKEv2'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

config rule
	option name 'Allow-AH'
	option src 'wan'
	option proto 'ah'
	option target 'ACCEPT'

Reload the firewall and restart strongSwan to apply the changes, then check that charon is running and that the ikev2-eap-mschapv2 connection was loaded.

/etc/init.d/firewall reload
ipsec restart
ipsec statusall

Keep a copy of the root certificate where you can fetch it from easily (for example with scp); it has to be installed and trusted on every client. The CA private key in /etc/ipsec.d/private stays on the router; back up the whole /etc/ipsec.d directory off the device separately.

cp /etc/ipsec.d/cacerts/LEDE_Root_CA.crt /root/.

The server certificate generated above can also serve LuCI over HTTPS. This step is optional and requires the luci-ssl package. Because the certificate is issued by your own CA, browsers will only accept it once LEDE_Root_CA.crt is installed and trusted on the connecting device, and only for a name listed in its subjectAltNames.

rm -f /etc/uhttpd.key /etc/uhttpd.crt
cp /etc/ipsec.d/private/server.example.com.key /etc/uhttpd.key
cp /etc/ipsec.d/certs/server.example.com.crt /etc/uhttpd.crt
chmod 600 /etc/uhttpd.key
/etc/init.d/uhttpd restart