How to set up strongswan or openswan for pure IPSEC with iPhone client?
I'm having trouble finding concrete, up-to-date information for how to set up strongswan or openswan to be used by the iPhone's VPN client. My server is behind a budget Linksys NAT router.
I found this, but it mentions a whole bunch of .pem files with no reference for how to create them. Unfortunately, the "fine" manuals for both packages were quite inscrutable and unfriendly to a novice. I've set up OpenVPN before and managed to get serviceable results very quickly, but after a day and a half of reading out-of-date docs, I barely even know where to start.
Any help would be greatly appreciated!
Does this help?
Regards, Willem M. Poort
StrongSwan mini Howto Debian 5
Install strongswan + openssl:
apt-get install strongswan openssl
Create your CA file:
cd /etc/ipsec.d
openssl req -x509 -days 3650 -newkey rsa:2048 -keyout \
private/strongswanKey.pem -out cacerts/strongswanCert.pem
cp cacerts/strongswanCert.pem certs/
If you prefer the CA certificates to be in binary DER format then the following command achieves this transformation:
openssl x509 -in cacerts/strongswanCert.pem -outform DER -out \
cacerts/strongswanCert.der
Edit /etc/ssl/openssl.cnf (/usr/lib/ssl/openssl.cnf is a symlink):
nano -w /usr/lib/ssl/openssl.cnf
Change the parameters to fit your strongswan environment.
[ CA_default ]
dir = /etc/ipsec.d # Where everything is kept
certificate = $dir/cacerts/strongswanCert.pem # The CA certificate
private_key = $dir/private/strongswanKey.pem # The private key
Create missing DIR and files:
mkdir newcerts
touch index.txt
echo "00" > serial
Generate a user certificate:
openssl req -newkey rsa:1024 -keyout private/hostKey.pem \
-out reqs/hostReq.pem
Sign it for two years:
openssl ca -in reqs/hostReq.pem -days 730 -out \
certs/hostCert.pem -notext
Usually a Windows-based VPN client needs its private key, its host or user certificate and the CA certificate. The most convenient way to load this information is to put everything into a PKCS#12 file:
openssl pkcs12 -export -inkey private/hostKey.pem \
-in certs/hostCert.pem \
-name "host" \
-certfile cacerts/strongswanCert.pem \
-caname "strongSwan Root CA" \
-out host.p12
Edit /etc/ipsec.secrets:
: RSA strongswanKey.pem "pempassword"
user : XAUTH "secret"
Edit /etc/ipsec.conf:
config setup
    plutodebug=none
    uniqueids=yes
    nat_traversal=yes
    interfaces="%defaultroute"

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=1
    keylife=20m
    ikelifetime=240m

conn iphone
    auto=add
    dpdaction=clear
    authby=xauthrsasig
    xauth=server
    pfs=no
    leftcert=strongswanCert.pem
    left=<serverip>
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=<virtual client ip> #local VPN virtual subnet
    rightcert=hostCert.pem
On the iPhone
- Import the iphone-client Certificate in p12-Format
- Import the CA Certificate in pem-Format
- Configure an IPSEC-VPN with the iphone-client Certificate and use as Server the DNS Name (DynDNS-Name). It has to be the same as the one in the Server-Certificate
To import the certificates on your iPhone, just email them to yourself! When creating the IPsec VPN on your iPhone you can select the certificate.
Mind you that you need to set up iptables if you want to NAT. (Look into fwbuilder)
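The script below is an added example, not part of the original answer. It checks the PEM files the steps above produce: that the client certificate chains to the CA, that the key belongs to the certificate, that the server certificate carries the DNS name entered on the iPhone, and that no key is shorter than 2048 bits. The function names, the sample name vpn.example.test and the 2048-bit threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks for the PEM files the howto produces. Requires openssl.

chains_to_ca() {      # $1 = CA cert, $2 = cert signed by it
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {  # $1 = cert, $2 = private key (openssl prompts if encrypted)
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout)" ]
}

rsa_bits() {          # $1 = cert; prints the public key size in bits
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

name_matches_cert() { # $1 = cert, $2 = DNS name entered on the iPhone
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Run every check and return the number of findings.
# $1 = CA/server cert, $2 = client cert, $3 = client key, $4 = server DNS name
check_vpn_certs() {
    n=0
    chains_to_ca "$1" "$2"      || { echo "FAIL: $2 is not signed by $1"; n=$((n+1)); }
    key_matches_cert "$2" "$3"  || { echo "FAIL: $3 is not the key for $2"; n=$((n+1)); }
    name_matches_cert "$1" "$4" || { echo "FAIL: $1 does not name $4"; n=$((n+1)); }
    for c in "$1" "$2"; do
        bits=$(rsa_bits "$c")
        [ "${bits:-0}" -ge 2048 ] || { echo "WEAK: $c has a ${bits:-?}-bit key"; n=$((n+1)); }
    done
    return "$n"
}

# Constructed sample: throwaway CA and client cert using the howto's key sizes.
make_sample() {       # $1 = empty directory, $2 = CN for the CA/server cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:1024 -nodes -subj "/CN=iphone-client" \
        -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/host.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/host.pem" 2>/dev/null
}

if [ "$#" -eq 4 ]; then check_vpn_certs "$@"; fi
```

Run from /etc/ipsec.d, the arguments would be cacerts/strongswanCert.pem, certs/hostCert.pem, private/hostKey.pem and the DynDNS name; the rsa:1024 client key from the steps above is reported as WEAK.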