{{tag>[vpn ipsec security]}}
=====strongSwan & OS X 10.8.x=====
Info from:
* [[http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)|strongSwan wiki IOS_Apple]]
* [[http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling|strongSwan wiki Forwarding]]
===Install software===
* Install Debian 7
* apt-get install build-essential
* apt-get ntp gmp libgmp3-dev
* download strongswan-5.0.4.tar.gz
* ./configure
* make
* make install
===Configure server===
==iptables==
#Allow ipsec
iptables -A INPUT -p udp -i eth0 -d $EXT0 --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i eth0 -d $EXT0 --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
==Enable forwarding==
**/etc/sysctl.conf**
net.ipv4.ip_forward=1
Reload: sysctl -p
==Generate keys==
KEYDIR=/root/keys
rm -rf $KEYDIR/*
#C=Country code
#O=Organisation
#CN=Server FQDN
echo generating CA Certificate
ipsec pki --gen --outform pem > $KEYDIR/caKey.pem
ipsec pki --self --in $KEYDIR/caKey.pem --dn "C=NL, O=org, CN=vpn.org.nl" --ca --outform pem > $KEYDIR/caCert.pem
echo generating Server certificate
ipsec pki --gen --outform pem > $KEYDIR/serverKey.pem
ipsec pki --pub --in $KEYDIR/serverKey.pem | ipsec pki --issue --cacert $KEYDIR/caCert.pem --cakey $KEYDIR/caKey.pem \
--dn "C=NL, O=org, CN=vpn.org.nl" --san="vpn.org.nl" \
--flag serverAuth --flag ikeIntermediate --outform pem > $KEYDIR/serverCert.pem
echo generating Client certificate
ipsec pki --gen --outform pem > $KEYDIR/clientKey.pem
ipsec pki --pub --in $KEYDIR/clientKey.pem | ipsec pki --issue --cacert $KEYDIR/caCert.pem --cakey $KEYDIR/caKey.pem \
--dn "C=NL, O=org, CN=client" --outform pem > $KEYDIR/clientCert.pem
echo generating PKCS12 file
openssl pkcs12 -export -inkey $KEYDIR/clientKey.pem -in $KEYDIR/clientCert.pem -name "client" \
-certfile $KEYDIR/caCert.pem -caname "vpn.org.nl" -out $KEYDIR/clientCert.p12
echo Copy keys
cp $KEYDIR/caCert.pem /usr/local/etc/ipsec.d/cacerts/
cp $KEYDIR/serverCert.pem /usr/local/etc/ipsec.d/certs/
cp $KEYDIR/serverKey.pem /usr/local/etc/ipsec.d/private/
cp $KEYDIR/clientCert.pem /usr/local/etc/ipsec.d/certs/
cp $KEYDIR/clientKey.pem /usr/local/etc/ipsec.d/private/
==Configure IPsec==
**/usr/local/etc/ipsec.conf**
config setup
conn iososx
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
right=%any
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.2
rightcert=clientCert.pem
auto=add
**/usr/local/etc/ipsec.secrets**
: RSA serverKey.pem
yourusername : XAUTH "yourpassword"
**/usr/local/etc/strongswan.conf**
# for strongSwan 5.0.0+
charon {
dns1 = 1.2.3.4 #your DNS servers
dns2 = 2.3.4.5
}
==Stop/start/status IPsec and logging==
Status: ipsec status
Stop: ipsec stop
Start: ipsec start
Logging: /var/log/syslog
===Configure OS X===
For Mac OS X, open Keychain.app and import the clientCert.p12 into the System keychain, then mark as "Always Trusted". If you're running into trouble with the negotiation, make sure that in the Access Control tab of the private key, all applications are allowed to access it.
==Configure VPN==
{{:ipsec_network_settings.png|}}
{{:ipsec_authentication_settings.png|}}
===Troubleshooting===
==Entropy==
If 'ipsec pki' seems to hang, you probably don't have enough entropy. Install haveged.
apt-get install haveged
You can check the available entropy:
cat /proc/sys/kernel/random/entropy_avail
==Test your IP-address==
[[http://myip.polaire.nl]]