User:NeddySeagoon/strongswan

From Gentoo Wiki

This article describes setting up a strongswan-based VPN.

I've tried a few times and lost interest, but it would be a good thing to have.

Scope

At present, this page is more 'notes to self', since it's not working.

The approach will be 'baby steps'. Get a tunnel up between two hosts on the same subnet.

Fix the routing to support a tunnel between subnets. The motivation for that is to enable printing from untrusted hosts on WiFi to my printer on the trusted network. I could just move the printer to the untrusted network but that's a pain.

The next step will be to allow VPN connections from the big bad internet.

My router is a KVM running shorewall. It supports IPv4 and IPv6. The intent is to make both work. The shorewall setup will be described too.

I won't be able to avoid kernel configuration either.

At present, I don't intend to cover L2TP, since I don't think I have a use for it. However, if Android 8 needs it ...

Motivation

There is lots of documentation around the web describing all the various bits, so it should just be a matter of assembling all the bits.

I've tried that, it's like trying to cross a chasm in several small jumps. There are bits missing in the middle. Hence the 'baby steps' approach of building on what works.

Planning

The goal is to set up a VPN server, listening to the big bad internet, that will manage the tunnel(s) and route traffic to and from the protected network as if the VPN were its own shorewall zone.

The end game then is one shorewall install and one strongswan install on the router KVM. My network will look like this.

The table below shows the firewall setup. Symbols are
      From - To       may not initiate connections
      From ? To       connection initiation determined by shorewall rules
      From / To       in the same zone - no restrictions
+-------------------------------------------------------------------------------------------------+
|       fw IP           |       From    |                         To                              |
+-------------------------------------------------------------------------------------------------+
|                                       |  net  | Green |  Blue |  DMZ  |   fw  |VPN-Net|VPN-Blue |
+-------------------------------------------------------------------------------------------------+
| Internet/29           |  Net          |   /   |   -   |   -   |   ?   |   ?   |       |    ?    |
+-------------------------------------------------------------------------------------------------+
| 192.168.100.253/24    |  Green        |   ?   |   /   |   ?   |   ?   |   ?   |   ?   |    ?    |
+-------------------------------------------------------------------------------------------------+
| 192.168.54.253/24     |  Blue         |   ?   |   -   |   /   |   ?   |   -   |   -   |    -    |
+-------------------------------------------------------------------------------------------------+
| 192.168.10.253/24     |  DMZ          |   ?   |   -   |   -   |   /   |   -   |   -   |    -    |
+-------------------------------------------------------------------------------------------------+
| All of the Above      |  fw           |   ?   |   -   |   -   |   ?   |   /   |       |         |
+-------------------------------------------------------------------------------------------------+
| Internet/29           |  VPN-Net      |  ???  |   ?   |   -   |   ?   |   -   |   /   |    -    |
+-------------------------------------------------------------------------------------------------+
| 192.168.54.253        |  VPN-Blue     |  ???  |   -   |   ?   |   ?   |   -   |   -   |    /    |
+-------------------------------------------------------------------------------------------------+
Net = Internet
Green = Trusted
Blue = Untrusted
DMZ = Servers reachable from the internet


The IPv6 version will use the same logic.

The Kit of Parts

Kernel

The VPN is IPsec based and requires policy routing, so the following kernel options are required at both ends of the tunnel.

[*] TCP/IP networking
[*]   IP: advanced router 
[*]     IP: policy routing

For IPv4

<M>   IP: AH transformation      
<M>   IP: ESP transformation     
< >     IP: ESP transformation offload   
<*>   IP: IPComp transformation    
<M>   IP: IPsec transport mode   
<M>   IP: IPsec tunnel mode  
<M>   IP: IPsec BEET mode 

For IPv6, if you want to support a VPN over IPv6

<*>   IPv6: AH transformation     
<*>   IPv6: ESP transformation    
< >     IPv6: ESP transformation offload   
<*>   IPv6: IPComp transformation   
< >   IPv6: Mobility    
< >   IPv6: Identifier Locator Addressing (ILA)    
<*>   IPv6: IPsec transport mode   
<*>   IPv6: IPsec tunnel mode   
<*>   IPv6: IPsec BEET mode

These settings will also turn on some basic crypto support that will get you started.
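The script below is an added example, not part of the original notes, that checks a kernel .config for the options listed above before you try to bring a tunnel up. It assumes the upstream Kconfig symbol names behind those menuconfig entries (CONFIG_INET, CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_MULTIPLE_TABLES, CONFIG_INET_AH/ESP/IPCOMP, CONFIG_INET_XFRM_MODE_TRANSPORT/TUNNEL/BEET and the INET6 equivalents); the sample config used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: check a kernel .config for the
# IPsec options listed above. The CONFIG_ names are the upstream Kconfig
# symbols behind those menuconfig entries. Either =y or =m counts as present.

# "TCP/IP networking", "IP: advanced router", "IP: policy routing" and the
# IPv4 IPsec transforms and modes.
REQUIRED_IPV4="CONFIG_INET CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES
CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP
CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_INET_XFRM_MODE_BEET"

# The IPv6 equivalents, only needed for a VPN over IPv6.
REQUIRED_IPV6="CONFIG_IPV6 CONFIG_INET6_AH CONFIG_INET6_ESP CONFIG_INET6_IPCOMP
CONFIG_INET6_XFRM_MODE_TRANSPORT CONFIG_INET6_XFRM_MODE_TUNNEL CONFIG_INET6_XFRM_MODE_BEET"
# Note: the *_XFRM_MODE_* symbols exist only on older kernels; recent kernels
# build all three modes unconditionally, so on those they are reported as
# missing and can be ignored.

# missing_options CONFIG_FILE "OPT1 OPT2 ..."
# Prints, on one line, every option in the list that is neither =y nor =m
# in CONFIG_FILE; prints nothing when all are present. Always returns 0 so
# it is safe to call under set -e.
missing_options() {
    cfg="$1"
    missing=""
    for opt in $2; do
        # Anchored so CONFIG_INET does not match CONFIG_INET_AH etc.
        if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            missing="$missing $opt"
        fi
    done
    missing="${missing# }"
    [ -n "$missing" ] && printf '%s\n' "$missing"
    return 0
}

# report CONFIG_FILE: human-readable summary for both lists.
report() {
    v4=$(missing_options "$1" "$REQUIRED_IPV4")
    v6=$(missing_options "$1" "$REQUIRED_IPV6")
    echo "IPv4 IPsec options missing: ${v4:-none}"
    echo "IPv6 IPsec options missing: ${v6:-none}"
}

# Stand-alone use: check a config file given as the first argument, or the
# running kernel via /proc/config.gz (needs CONFIG_IKCONFIG_PROC).
if [ -n "${1:-}" ]; then
    report "$1"
elif [ -r /proc/config.gz ]; then
    tmp=$(mktemp)
    zcat /proc/config.gz > "$tmp"
    report "$tmp"
    rm -f "$tmp"
fi
```

Run it on each end of the tunnel (`sh check-ipsec-config.sh /usr/src/linux/.config`, or with no argument for the running kernel); anything it lists under IPv4 has to be fixed before transport mode can work at all, and the IPv6 list only matters once the tunnel is to run over IPv6.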

Strongswan

This needs to be on the same system running shorewall.

root #emerge -av strongswan

Packets going to/from the VPN tunnel will traverse the firewall twice.

Outgoing packets arrive unencrypted and are routed to the VPN. They are then encrypted and routed over the internet. This process is reversed at the other end.

Shorewall

Shorewall will not be required until we need to do some routing.

Transport Mode (No Routing)

An encrypted link between two hosts on the same network. Until this works, nothing else will work either.

Configuration

Create the root-only file /etc/ipsec.secrets to hold the pre-shared key. This file must be securely transmitted to all systems that will encrypt/decrypt VPN traffic and installed with

-r-------- 1 root root

permissions.

Edit /etc/ipsec.conf
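The page does not yet show what goes in the two files. The script below is an added example, not the page's own configuration, that stages a minimal transport-mode, pre-shared-key setup for two hosts on the trusted 192.168.100.0/24 subnet, with ipsec.secrets at the 0400 mode the page calls for. The addresses 192.168.100.10 and 192.168.100.20, the connection name host-host, the staging directory and the function names are constructed for illustration; the file contents use the standard ipsec.conf / ipsec.secrets syntax that the page refers to.

```shell
#!/bin/sh
# Added example, not from the wiki page: stage /etc/ipsec.secrets and
# /etc/ipsec.conf for an IKEv2 transport-mode link between two hosts on the
# same subnet, authenticated with a pre-shared key. Addresses and the
# connection name are constructed for illustration.

# write_ipsec_config DIR LEFT_IP RIGHT_IP PSK
# Writes DIR/ipsec.secrets (mode 0400) and DIR/ipsec.conf. The same pair of
# files can be installed on both hosts: charon works out which of left/right
# is local by matching the addresses against its own interfaces.
write_ipsec_config() {
    dir="$1"; left="$2"; right="$3"; psk="$4"
    mkdir -p "$dir"

    # Secrets line: "<id> <id> : PSK "<secret>"". Created with a restrictive
    # umask so it is never world-readable, even briefly. Ownership must be
    # root:root once it lives under /etc; that is left to the install step.
    ( umask 077; printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" > "$dir/ipsec.secrets" )
    chmod 0400 "$dir/ipsec.secrets"

    cat > "$dir/ipsec.conf" <<EOF
config setup
    # Verbose IKE, kernel and config logging while debugging; turn it down
    # once the link works.
    charondebug="ike 2, knl 2, cfg 2"

conn host-host
    type=transport
    keyexchange=ikev2
    authby=secret
    left=$left
    right=$right
    auto=start
EOF
}

# secrets_mode FILE: prints the ls-style mode string, e.g. -r--------,
# so it can be compared with the listing the page gives.
secrets_mode() {
    ls -ld "$1" | cut -c1-10
}

# new_psk: prints a random 32-byte key, base64 encoded.
new_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Stand-alone use: stage the files under ./stage-ipsec.
if [ "${1:-}" = "--stage" ]; then
    write_ipsec_config ./stage-ipsec 192.168.100.10 192.168.100.20 "$(new_psk)"
    ls -l ./stage-ipsec
fi
```

Run with `--stage`, copy both files to /etc on each host (keeping root ownership and the 0400 mode on ipsec.secrets), then `ipsec start` and check `ipsec statusall` for an ESTABLISHED host-host SA; with `charondebug` set as above the reason for any failure shows up in the log.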

Debug

Transport Mode (Routing Encrypted Traffic)

An encrypted link between two hosts on different networks. Now we route encrypted traffic. This is the traffic that will eventually be going out onto the internet.

Tunnel Mode