Roadworrios Ipsec VPN with SSL certificate authentication

28 Mar 2014

I was trying to set up a vpn server to allow multiple roadwarrior users in our company to access our internal network.
We are using openswan installed on an alix board and I found that there is bit of a lack of documentation about how to configure it on openswan.
Specially we tried at first to set up a roadwarrior configuration with PSK and we discover that it is not possible to have simultaneous connection for different users.

This procedure explains how to create a roadwarrior configuration with SSL-certificates authentication (that allow also simultaneous connection).
We generate the Certification Authority itself and sign the certs with the CA afterwards.
This can also be done by a free Certification Authority like CaCert.

Here some good reads:

Step by step example:

  1. Create a the necessary directory structure for openssl
    (may you want also to change openssl configuration, generally under /etc/ssl/openssl.cnf):

     
    cd /etc/ipsec.d
    rm -rf ./demoCA
    mkdir demoCA
    mkdir demoCA/newcerts
    mkdir demoCA/private
    touch demoCA/index.txt
    echo "01" >> demoCA/serial
    

  2. Create the CA (valid for 10 years)

     
    openssl req -x509 -days 3650 -newkey rsa:2048 -keyout /etc/ipsec.d/private/caKey.pem -out /etc/ipsec.d/cacerts/caCert.pem
    

  3. Create a certification request for the server

    openssl req  -newkey rsa:2048 -keyout /etc/ipsec.d/private/serverKey.pem -out /etc/ipsec.d/private/serverReq.pem
    

  4. Convert the server key in order to be read by openswan

    openssl rsa -in /etc/ipsec.d/private/serverKey.pem -out /etc/ipsec.d/private/serverKey.pem.openswan
    

  5. Sign the certification request with our just created certification-authority (CA) (valid for 2 years)

    openssl ca -in /etc/ipsec.d/private/serverReq.pem -days 730 -out /etc/ipsec.d/certs/serverCert.pem -notext -cert /etc/ipsec.d/cacerts/caCert.pem -keyfile /etc/ipsec.d/private/caKey.pem
    

  6. Create a client certification request

    openssl req -newkey rsa:2048 -keyout /etc/ipsec.d/private/userAKey.pem  -out /etc/ipsec.d/private/userAReq.pem
    

  7. Sign the client certification request

    openssl ca -in /etc/ipsec.d/private/userAReq.pem -days 730 -out /etc/ipsec.d/certs/userACert.pem -notext -cert /etc/ipsec.d/cacerts/caCert.pem -keyfile /etc/ipsec.d/private/caKey.pem
    

  8. Add server private key, file /etc/ipsec.secrets:

    : RSA serverKey.pem.new "your password"
    

  9. Configure ipsec. Example /etc/ipsec.conf:

    conn roadwarriorsrsa
        authby=rsasig
        #
        left=  ??? 
        leftid=  ???
        leftsubnet=  ???
        leftrsasigkey=%cert
        leftcert=serverCert.pem
        #
        right=%any
        rightrsasigkey=%cert
        # PHASE 1
        # negothiation mode
        aggrmode=no
        ike=3des-sha1;modp1024,aes256-sha2256;modp2048
        ikelifetime=3h
        # PHASE 2
        type=tunnel
        phase2=esp
        phase2alg=3des-sha1;modp1024
        salifetime=3h

    conn useruserA also=roadwarriorsrsa rightid=@userA.yourdomani rightsubnet= ??? rightcert=userACert.pem auto=add

    conn useruserB also=roadwarriorsrsa rightid=@userB.yourdomani rightsubnet= ??? rightcert=userBCert.pem auto=add

User A and B are two roadwarrior users that can connect at the same time to your server.

Here an example of a shrewsoft client configuration for the above setting:

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:1
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:  ???
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:  ???
s:client-ip-mask:  ???
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:  ???
s:client-dns-suffix:  ???
s:auth-method:mutual-rsa
s:ident-client-type:fqdn
s:ident-server-type:address
s:ident-client-data:userA.yourdomain
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:auto
s:policy-list-include:   ???
s:auth-client-cert:userACert.pem
b:auth-client-cert-data:   ???
s:auth-client-key:userAKey.pem
b:auth-client-key-data:   ???
s:auth-server-cert:caCert.pem
b:auth-server-cert-data:   ???

Some usefull shell command:

  • Check ipsec loaded your CA certifcates:

     ipsec auto --listcacerts

  • Check ipsec loaded your certifcates:

     ipsec auto --listcerts

  • List loaded public keys:

     ipsec auto --listpubkeys

  • Check a certifcate:

     openssl x509 -text -noout -in /etc/ipsec.d/cacerts/caCert.pem

  • Check a Key:

     openssl rsa -in privateKey.key -check