Configuring StrongS/WAN for an IPSec VPN using EAP/MS-CHAPv2

Download & Compile StrongS/WAN

wget http://download.strongswan.org/strongswan.tar.bz2
  • Extract and compile - I used the following configure script
tar -xvf strongswan.tar.bz2
sudo yum install gmp-devel openssl-devel
./configure --enable-eap-identity --enable-eap-mschapv2 --enable-md4 --enable-md5 --enable-openssl --enable-pkcs11 --enable-blowfish --enable-agent --enable-eap-md5 --enable-eap-peap --enable-eap-tls 
make -j4
sudo make install
  • make install will install the config files by default in /usr/local/etc
  • Make sure you update your path to include /usr/local/sbin

Configure StrongS/WAN

/usr/local/etc/ipsec.conf

config setup

conn %default
      keyexchange=ikev2
      ike=aes256-sha1-modp1024!
      esp=aes256-sha1!
      dpdaction=clear
      dpddelay=300s
      rekey=no

conn roadwarrior
      left=173.255.229.6
      leftsubnet=0.0.0.0/0
      leftauth=pubkey
      leftfirewall=yes
      leftcert=/etc/openvpn/keys/secure.seanmadden.net.crt
      leftsendcert=always
      right=%any
      rightauth=eap-mschapv2
      rightsendcert=never
      rightsourceip=172.16.0.0/24
      auto=start
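As an added example (not from this page or the strongSwan project), a small Python linter that parses the server-side ipsec.conf above, applies the conn %default inheritance, and flags the modp1024 DH group, SHA-1 integrity and rekey=no settings so you can see what to revisit before deploying. The inline sample config is constructed from the page's own values; the weak-algorithm sets and the 2048-bit threshold are my assumption, not strongSwan's.

```python
import re
# Constructed sample: the server-side conn sections from this page, inlined.
IPSEC_CONF = """\
conn %default
      keyexchange=ikev2
      ike=aes256-sha1-modp1024!
      esp=aes256-sha1!
      rekey=no

conn roadwarrior
      left=173.255.229.6
      leftauth=pubkey
      rightauth=eap-mschapv2
"""
WEAK_DH = {"modp768", "modp1024", "modp1536"}  # DH groups under 2048 bits (assumed threshold)
LEGACY_HASH = {"md5", "sha1"}                   # integrity/PRF algorithms to retire (assumed)

def parse_ipsec_conf(text):
    """Return {conn_name: options}, with values from 'conn %default' inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():               # unindented: section header, e.g. "conn roadwarrior"
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:               # indented: key=value inside the current section
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts} for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}

def lint_conn(name, opts):
    findings = []
    for field in ("ike", "esp"):
        # Proposal syntax: alg-alg-group!  ('!' = strict, ',' separates alternative proposals)
        for algo in re.split(r"[-,]", opts.get(field, "").rstrip("!")):
            if algo in WEAK_DH:
                findings.append(f"{name}: {field} uses weak DH group {algo}")
            elif algo in LEGACY_HASH:
                findings.append(f"{name}: {field} uses legacy integrity algorithm {algo}")
    if opts.get("rekey") == "no":
        findings.append(f"{name}: rekey=no, this side will not initiate rekeying")
    return findings

def lint(text):
    return [f for name, opts in parse_ipsec_conf(text).items() for f in lint_conn(name, opts)]
```

Run `lint(IPSEC_CONF)` against the real file contents to get one finding per questionable setting; a conn that overrides a %default value is judged on its own value.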

Things to change:

/usr/local/etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA /etc/openvpn/keys/secure.seanmadden.net.key

sean : EAP "password!"

Things to change:

  • 'sean' → username for the user
  • 'password!' → password for the user, stored in cleartext
  • the path after RSA → the private key matching the certificate given as leftcert in ipsec.conf

IPTABLES!

iptables -t nat -A POSTROUTING -j SNAT --to-source 173.255.229.6

Things to change:

  • --to-source x.x.x.x → IP address of 'left' in ipsec.conf

WINDOWS!

Roadwarrior Linux Clients

conn secure
      left=%any
      leftcert=orcus.crt
      leftsourceip=%config
      leftid=orcus
      leftfirewall=yes
      right=173.255.229.6
      rightsubnet=0.0.0.0/0
      rightcert=secure.seanmadden.net.crt
      auto=start

Server Linux Clients

conn secure
      left=%any
      leftcert=orcus.crt
      leftdns=%config
      leftsourceip=%config
      leftid=orcus
      leftfirewall=yes
      right=173.255.229.6
      rightsubnet=172.16.0.0/16
      rightcert=secure.seanmadden.net.crt
      auto=start
networking/configure_strongswan_as_an_ipsec_vpn.txt · Last modified: 2017/02/05 17:43 (external edit)
CC Attribution-Noncommercial-Share Alike 4.0 International