How to set up strongswan or openswan for pure IPSEC with iPhone client?

I'm having trouble finding concrete, up-to-date information for how to set up strongswan or openswan to be used by the iphone's VPN client. My server is behind a budget linksys NAT router.

I found this, but it mentions a whole bunch of .pem files with no reference for how to create them. Unfortunately, the "fine" manuals for both packages were quite inscrutable and unfriendly to a novice. I've set up OpenVPN before and managed to get serviceable results very quickly, but after a day and a half of reading out of date docs, I barely even know where to start.

Any help would be greatly appreciated!


Does this help?
Regards, Willem M. Poort

StrongSwan mini Howto Debian 5

install strongswan + openssl
apt-get install strongswan openssl

Create your CA file:

cd /etc/ipsec.d
openssl req -x509 -days 3650 -newkey rsa:2048 -keyout \
private/strongswanKey.pem -out cacerts/strongswanCert.pem
cp cacerts/strongswanCert.pem certs/

If you prefer the CA certificates to be in binary DER format then the following command achieves this transformation:

openssl x509 -in cacerts/strongswanCert.pem -outform DER -out \ 
cacerts/strongswanCert.der

Edit /etc/ssl/openssl.conf (/usr/lib/ssl/openssl.cnf is a symlink):

nano -w /usr/lib/ssl/openssl.cnf

Change the parameters to fit your strongswan environment.

[ CA_default ] 

dir     = /etc/ipsec.d              # Where everything is kept 
certificate = $dir/cacerts/strongswanCert.pem       # The CA certificate 

private_key = $dir/private/strongswanKey.pem        # The private key 

Create missing DIR and files:

mkdir newcerts
touch index.txt
echo “00” > serial

Generate an user certificate:

openssl req -newkey rsa:1024 -keyout private/hostKey.pem \
    -out reqs/hostReq.pem

Sign it for two years:

openssl ca -in reqs/hostReq.pem -days 730 -out \
    certs/hostCert.pem -notext

Usually a Windows-based VPN client needs its private key, its host or user certificate and the CA certificate. The most convenient way to load this information is to put everything into a PKCS#12 file:

openssl pkcs12 -export -inkey private/hostKey.pem \
    -in certs/hostCert.pem  \
    -name "host" \ 
    -certfile cacerts/strongswanCert.pem \
    -caname "strongSwan Root CA" \
    -out host.p12

Edit /etc/ipsec.secrets:

:RSA strongswanKey.pem “pempassword”
:XAUTH user "secret"

Edit /etc/ipsec.conf:

config setup
    plutodebug=none
    uniqueids=yes
    nat_traversal=yes
    interfaces="%defaultroute"

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=1
    keylife=20m
    ikelifetime=240m

conn iphone
    auto=add
    dpdaction=clear
    authby=xauthrsasig
    xauth=server
    pfs=no
    leftcert=strongswanCert.pem
    left=<serverip>
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=<virtual client ip>   #local VPN virtual subnet
    rightcert=hostCert.pem

On the iPhone

  1. Import the iphone-client Certificate in p12-Format
  2. Import the CA Certificate in pem-Format
  3. Configure an IPSEC-VPN with the iphone-client Certificate and use as Server the DNS Name (DynDNS-Name). It has to be the same than the one in the Server-Certificate

To import the certificates on your iphone just email them to your self! When creating the ipsec vpn on you iphone you can select the certificate.

Mind you that you need to setup iptables if you want to NAT. (Look in to fwbuilder)