Skip to content

Instantly share code, notes, and snippets.

@fffe

fffe/!IPSec.md

Created December 31, 2018 13:12
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save fffe/5b49cb4e88d62312b612a45db79c8d73 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save fffe/5b49cb4e88d62312b612a45db79c8d73 to your computer and use it in GitHub Desktop.
Download ZIP
IPsec 'roadwarrior' IKEv2 setup for iOS/macOS with VTI
Raw
!IPSec.md

Install requirements

apt-get install strongswan strongswan-pki iptables-persistent

Generate some keys

Set an appropriate umask

umask 077

Generate a CA key pair

pki --gen --type ecdsa --outform pem > ca.key
pki --self --in ca.key --dn "CN=vpn" --ca --outform pem > ca.crt

Generate a key pair for the server

pki --gen --type ecdsa --outform pem > host.key
pki --pub --in host.key | pki --issue --cacert ca.crt --cakey ca.key --dn "CN=host.vpn.domain" --san "host.vpn.domain" --outform pem > host.crt

Generate a key pair for a client

pki --gen --type ecdsa --outform pem > example_client.key
pki --pub --in example_client.key | pki --issue --cacert ca.crt --cakey ca.key --dn "CN=example_client" --san "[email protected]" --outform pem > example_client.crt

Convert the client key pair to p12 to make it easier for Apple Configurator

openssl pkcs12 -export -inkey example_client.key -in example_client.key -out example_client.p12

Copy the server's key pair and CA certificate into place

install -m 644 ca.crt /etc/ipsec.d/cacerts/ca.crt
install -m 644 host.crt /etc/ipsec.d/certs/host.crt
install -m 600 host.key /etc/ipsec.d/private/host.key

Copy Strongswan config files into place

install -m 644 strongswan.conf /etc/strongswan.conf
install -m 644 ipsec.conf /etc/ipsec.conf
install -m 600 ipsec.secrets /etc/ipsec.secrets
install -m 755 ipsec_up.sh /etc/strongswan.d
install -m 755 ipsec_down.sh /etc/strongswan.d

Set up masquerading for IPv4.

iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o ipsec0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ipsec0 -o eth0 -j ACCEPT
iptables-save > /etc/iptables/rules.v4

Set up a VPN profile with Apple Configurator

The network and VPN settings on macOS and iOS don't expose all features. Apple Configurator makes setting them up easier.

  1. Create a new profile (or open one you have already, whatever)
  2. In the certificates tab, add ca.crt and example_client.p12
  3. In the VPN tab, create a new VPN with these settings:
Field Value
Connection Name Whatever you want
Connection Type IKEv2
Server Your server IP address
Remote Identifier host.vpn.domain
Local Identifier [email protected]
Machine Authentication Certificate
Identity Certificate Select example_client.p12
Certificate Type ECDSA
Disable Redirects Checked
Use IPv4 / IPv6 Internal Subnet Attributes Checked
Enable Perfect Forward Secrecy Checked

For both IKE SA Params and Child SA Params:

Field Value
Encryption Algorithm AES-256-GCM
Diffie-Hellman Group 20
Integrity Algorithm SHA2-384

Apply profile to the device, and connect to the VPN.

Raw
ipsec.conf
conn %default
keyexchange=ikev2
auto=add
dpdaction=clear
dpddelay=300s
left=YOURIPADDRESS
leftid=host.vpn.domain
leftsubnet=0.0.0.0/0,::/0
leftcert=host.crt
ike=aes256gcm16-prfsha384-ecp384!
esp=aes256gcm16-ecp384!
rightdns=8.8.8.8
forceencaps=yes
mark=42
conn clients
rightsourceip=10.100.0.100-10.100.0.200,fd00:1000::100-fd00:1000::200
rightid=*@vpn.domain
leftsendcert=always
Raw
ipsec.secrets
: ECDSA host.key
Raw
ipsec_down.sh
#!/bin/bash
ip tunnel del ipsec0
Raw
ipsec_up.sh
#!/bin/bash
ip tunnel add ipsec0 local YOURIPADDRESS remote 0.0.0.0 mode vti key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
sysctl -w net.ipv4.ip_forward=1
ip link set ipsec0 up
ip route add 10.100.0.0/24 dev ipsec0
Raw
strongswan.conf
charon {
load_modular = yes
install_routes = 0
follow_redirects = no
dlopen_use_rtld_now = yes
make_before_break = yes
start-scripts {
up = /etc/strongswan.d/ipsec_up.sh
}
stop-scripts {
down = /etc/strongswan.d/ipsec_down.sh
}
plugins {
include strongswan.d/charon/aesni.conf
include strongswan.d/charon/kernel-netlink.conf
include strongswan.d/charon/nonce.conf
include strongswan.d/charon/openssl.conf
include strongswan.d/charon/pem.conf
include strongswan.d/charon/random.conf
include strongswan.d/charon/sha1.conf
include strongswan.d/charon/sha2.conf
include strongswan.d/charon/socket-default.conf
include strongswan.d/charon/stroke.conf
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment