Changes in 2ea21dd: Created strongSwan5Example (markdown)

howto/IPsecWithPublicKeys/strongSwan5Example.md

@@ -0,0 +1,119 @@

+# IPsec with public key authentication on strongSwan >= 5.0.0

+## Setup

+### Generate an RSA keypair

+

+ root@debian:~# mkdir /etc/ipsec.d/public

+ root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem

+ root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub

+ root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets

+

+### Exchange public keys with your peer

+1. Display the public key. Send the key data to your peer.

+

+ root@debian:~# more /etc/ipsec.d/public/mykey.pub

+ -----BEGIN PUBLIC KEY-----

+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+

+ nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn

+ 9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv

+ +Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc

+ fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+

+ 7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y

+ tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI

+ JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl

+ MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+

+ rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX

+ PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo

+ ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==

+ -----END PUBLIC KEY-----

+

+2. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.

+

+[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"

+

+## Configuration

+### Configure the phase 1 IKE parameters

+In this example, we'll use the following settings:

+

+| Key | Value |

+| :------------ | :------------ |

+| Encryption | AES-128 |

+| Hash | HMAC-SHA1 |

+| DH Group | 5 (modp1536) |

+| Lifetime | 28800 seconds |

+| Peer address | 192.0.2.2 |

+| Local address | 192.0.2.1 |

+

+1. Add your peer's public key

+

+ root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pub

+ -----BEGIN PUBLIC KEY-----

+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY

+ IfEgaq9488GU2nkuR1gZK4/CphrccmztgADU/TkiE5IOOo7zKPparcl8dZwJfX+j

+ 9oIEfvIHqWbF8rIkmJDAn5ZQANDsVKSVvu8nqNZhAslBkFUw1Il6KJrdZEwV4ILL

+ jZmPjN/TIpzPStufeKLfUr7OodFnJXdvWGW1OwRVR8YPZP+13S2nbaqohJZYulTz

+ EcEaWFhXRKzm1dxXqt2H0S93mv5CT0JzVUAv35lB39NMqcRwrg5Fsw0z448nlenS

+ pIDnP8AIPm5shNf9kZJCksOE9GfPMz5KZDOoR3rWPvvapY/Zs+SBz8drPwHrZahG

+ KjxV2Txl7XYkFEWvre+rpiWSidIsnzizEBQ1ea6Inwd6Y29uzmQLhus1OPfhnCIk

+ AVycK+stCZObPl6abomk/avaT+FwnjRgSZzkotlbA2IHgEjF26C4a3ZUGBwDZ+7r

+ U2A7DKbHRN84f62BcMyiZpavXPvk4AUQD5+lRItbFDDeZYtoIdHb9gmMcNHWsGL8

+ YVxF2A8IAvr7Q1TQfwm2WPAWvjai2rbl6w8ZYiQBPUwkFtUATXU7XyGcLmjCGJGg

+ HZoAqPHddX1z7HosFId+SSc7ugCnUNtwSYHq+DczBVdTa65aPv758zxeKzUqJBKy

+ mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==

+ -----END PUBLIC KEY-----

+ EOF

+

+2. Configure a connection policy in ipsec.conf for your peer

+

+ root@debian:~# cat << EOF >> /etc/ipsec.conf

+ conn MYPEER

+ # peer IPs

+ left=192.0.2.1

+ right=192.0.2.2

+ # phase 1 parameters

+ ike=aes128-sha1-modp1536!

+ ikelifetime=28800s

+ # authentication

+ authby=pubkey

+ leftrsasigkey=/etc/ipsec.d/public/mykey.pub

+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pub

+ EOF

+

+3. All done! Configure the phase 2 parameters as you otherwise would.

+

+## Full GRE/IPsec example

+ root@debian:~# ip addr show dev gre1

+ 11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN

+ link/gre 192.0.2.1 peer 192.0.2.2

+ inet 10.1.2.0/31 scope global gre1

+ valid_lft forever preferred_lft forever

+ inet6 fe80::200:5efe:6825:1c22/64 scope link

+ valid_lft forever preferred_lft forever

+ root@debian:~# more /etc/ipsec.conf

+ # ipsec.conf - strongSwan IPsec configuration file

+ 

+ config setup

+ 

+ conn %default

+ keyexchange=ikev1

+ dpdaction=restart

+ 

+ conn MYPEER

+ # peer IPs

+ left=192.0.2.1

+ right=192.0.2.2

+ # phase 1 parameters

+ ike=aes128-sha1-modp1536!

+ ikelifetime=28800s

+ # authentication

+ authby=pubkey

+ leftrsasigkey=/etc/ipsec.d/public/mykey.pub

+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pub

+ # phase 2 parameters

+ esp=aes128-sha1-modp1536!

+ lifetime=3600s

+ type=transport

+ leftprotoport=gre

+ rightprotoport=gre

+ # startup

+ auto=route

+ keyingtries=%forever

\ No newline at end of file

...	...	@@ -0,0 +1,119 @@
	1	+# IPsec with public key authentication on strongSwan >= 5.0.0
	2	+## Setup
	3	+### Generate an RSA keypair
	4	+
	5	+ root@debian:~# mkdir /etc/ipsec.d/public
	6	+ root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
	7	+ root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
	8	+ root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
	9	+
	10	+### Exchange public keys with your peer
	11	+1. Display the public key. Send the key data to your peer.
	12	+
	13	+ root@debian:~# more /etc/ipsec.d/public/mykey.pub
	14	+ -----BEGIN PUBLIC KEY-----
	15	+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
	16	+ nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
	17	+ 9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
	18	+ +Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
	19	+ fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
	20	+ 7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
	21	+ tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
	22	+ JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
	23	+ MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
	24	+ rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
	25	+ PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
	26	+ ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
	27	+ -----END PUBLIC KEY-----
	28	+
	29	+2. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
	30	+
	31	+[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"
	32	+
	33	+## Configuration
	34	+### Configure the phase 1 IKE parameters
	35	+In this example, we'll use the following settings:
	36	+
	37	+\| Key \| Value \|
	38	+\| :------------ \| :------------ \|
	39	+\| Encryption \| AES-128 \|
	40	+\| Hash \| HMAC-SHA1 \|
	41	+\| DH Group \| 5 (modp1536) \|
	42	+\| Lifetime \| 28800 seconds \|
	43	+\| Peer address \| 192.0.2.2 \|
	44	+\| Local address \| 192.0.2.1 \|
	45	+
	46	+1. Add your peer's public key
	47	+
	48	+ root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pub
	49	+ -----BEGIN PUBLIC KEY-----
	50	+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
	51	+ IfEgaq9488GU2nkuR1gZK4/CphrccmztgADU/TkiE5IOOo7zKPparcl8dZwJfX+j
	52	+ 9oIEfvIHqWbF8rIkmJDAn5ZQANDsVKSVvu8nqNZhAslBkFUw1Il6KJrdZEwV4ILL
	53	+ jZmPjN/TIpzPStufeKLfUr7OodFnJXdvWGW1OwRVR8YPZP+13S2nbaqohJZYulTz
	54	+ EcEaWFhXRKzm1dxXqt2H0S93mv5CT0JzVUAv35lB39NMqcRwrg5Fsw0z448nlenS
	55	+ pIDnP8AIPm5shNf9kZJCksOE9GfPMz5KZDOoR3rWPvvapY/Zs+SBz8drPwHrZahG
	56	+ KjxV2Txl7XYkFEWvre+rpiWSidIsnzizEBQ1ea6Inwd6Y29uzmQLhus1OPfhnCIk
	57	+ AVycK+stCZObPl6abomk/avaT+FwnjRgSZzkotlbA2IHgEjF26C4a3ZUGBwDZ+7r
	58	+ U2A7DKbHRN84f62BcMyiZpavXPvk4AUQD5+lRItbFDDeZYtoIdHb9gmMcNHWsGL8
	59	+ YVxF2A8IAvr7Q1TQfwm2WPAWvjai2rbl6w8ZYiQBPUwkFtUATXU7XyGcLmjCGJGg
	60	+ HZoAqPHddX1z7HosFId+SSc7ugCnUNtwSYHq+DczBVdTa65aPv758zxeKzUqJBKy
	61	+ mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
	62	+ -----END PUBLIC KEY-----
	63	+ EOF
	64	+
	65	+2. Configure a connection policy in ipsec.conf for your peer
	66	+
	67	+ root@debian:~# cat << EOF >> /etc/ipsec.conf
	68	+ conn MYPEER
	69	+ # peer IPs
	70	+ left=192.0.2.1
	71	+ right=192.0.2.2
	72	+ # phase 1 parameters
	73	+ ike=aes128-sha1-modp1536!
	74	+ ikelifetime=28800s
	75	+ # authentication
	76	+ authby=pubkey
	77	+ leftrsasigkey=/etc/ipsec.d/public/mykey.pub
	78	+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pub
	79	+ EOF
	80	+
	81	+3. All done! Configure the phase 2 parameters as you otherwise would.
	82	+
	83	+## Full GRE/IPsec example
	84	+ root@debian:~# ip addr show dev gre1
	85	+ 11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
	86	+ link/gre 192.0.2.1 peer 192.0.2.2
	87	+ inet 10.1.2.0/31 scope global gre1
	88	+ valid_lft forever preferred_lft forever
	89	+ inet6 fe80::200:5efe:6825:1c22/64 scope link
	90	+ valid_lft forever preferred_lft forever
	91	+ root@debian:~# more /etc/ipsec.conf
	92	+ # ipsec.conf - strongSwan IPsec configuration file
	93	+
	94	+ config setup
	95	+
	96	+ conn %default
	97	+ keyexchange=ikev1
	98	+ dpdaction=restart
	99	+
	100	+ conn MYPEER
	101	+ # peer IPs
	102	+ left=192.0.2.1
	103	+ right=192.0.2.2
	104	+ # phase 1 parameters
	105	+ ike=aes128-sha1-modp1536!
	106	+ ikelifetime=28800s
	107	+ # authentication
	108	+ authby=pubkey
	109	+ leftrsasigkey=/etc/ipsec.d/public/mykey.pub
	110	+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pub
	111	+ # phase 2 parameters
	112	+ esp=aes128-sha1-modp1536!
	113	+ lifetime=3600s
	114	+ type=transport
	115	+ leftprotoport=gre
	116	+ rightprotoport=gre
	117	+ # startup
	118	+ auto=route
	119	+ keyingtries=%forever
...	...	\ No newline at end of file