Strongswan configuration recipe for Turris Omnia

Let me share with everyone the step-by-step guide (recipe) that I used to configure Strongswan (ipsec).

Version History

  • 20180409 Revised: Added additional bookmarks (configuring for iOS)
  • 20160325 Revised: Added section on opkg packages to install
  • 20160226 Revised: (1) Added list of blog posts/references related to ipsec/openwrt that were consulted, (2) added mobike=yes to ipsec.conf
  • 20170225 Initial blog post

Notes:

  1. My Turris is set to create a LAN with an IP address of 192.168.3.1 (which is different from the 192.168.1.1 default). Adjust the IP address below accordingly.
  2. I have confirmed a working install on both MacOS Sierra (10.12.3) and iOS (10.2.1)
  3. Make sure to Import the CA certificate to iOS

Install the required packages

opkg update
opkg install strongswan-full strongswan-default strongswan-mod-kernel-libipsec iptables-mod-filter iptables-mod-nat-extra

Generate the Certificate Authority (CA)

cd /etc/ipsec.d/
ipsec pki --gen --type rsa --size 4096 --outform pem \
    > private/strongswan-key.pem

chmod 600 private/strongswan-key.pem

ipsec pki --self --ca \
    --lifetime 3650 \
    --in private/strongswan-key.pem \
    --type rsa \
    --dn "C=CA, ST=Ontario, L=Toronto, O=Privaterra, CN=Turris Root CA" \
    --outform pem \
    > cacerts/strongswan-certificate.pem

To verify the certificate

ipsec pki --print --in cacerts/strongswan-certificate.pem

To generate the VPN Host Certificate

cd /etc/ipsec.d/

ipsec pki --gen --type rsa --size 4096 --outform pem \
    > private/vpn-host-key.pem

chmod 600 private/vpn-host-key.pem

ipsec pki --pub --in private/vpn-host-key.pem --type rsa | \
    ipsec pki --issue --lifetime 1825 \
    --cacert cacerts/strongswan-certificate.pem \
    --cakey private/strongswan-key.pem \
    --dn "C=CA, ST=Ontario, L=Toronto, O=Privaterra, CN=vpn.privaterra.info" \
    --san "vpn.privaterra.info" \
    --flag serverAuth --flag ikeIntermediate \
    --outform pem > certs/vpn-host-certificate.pem

To verify the host certificate

ipsec pki --print --in certs/vpn-host-certificate.pem

To generate the Client Certificate

cd /etc/ipsec.d/

ipsec pki --gen --type rsa --size 2048 --outform pem \
    > private/rguerra-key.pem

chmod 600 private/rguerra-key.pem

ipsec pki --pub --in private/rguerra-key.pem --type rsa | \
    ipsec pki --issue --lifetime 1825 \
    --cacert cacerts/strongswan-certificate.pem \
    --cakey private/strongswan-key.pem \
    --dn "C=CA, ST=Ontario, L=Toronto, O=Privaterra, CN=rguerra@privaterra.org" \
    --san "rguerra@privaterra.org" \
    --outform pem > certs/rguerra-certificate.pem

To verify the client certificate:

ipsec pki --print --in certs/rguerra-certificate.pem

To export the Client Certificate

cd /etc/ipsec.d/

openssl pkcs12 -export -inkey private/rguerra-key.pem \
    -in certs/rguerra-certificate.pem \
    -name "Robert's VPN Certificate" \
    -certfile cacerts/strongswan-certificate.pem \
    -caname "Turris Root CA" \
    -out certs/rguerra.p12

Command to import keys into OS X user login keychain

security import rguerra.p12 -P <export password> -k ~/Library/Keychains/login.keychain

Import the CA certificate. As of iOS 9.2.1, a reboot is apparently necessary for the certificate import to take effect.

Copy the certificates in place

cp /etc/ipsec.d/cacerts/strongswan-certificate.pem ~/.
cp /etc/ipsec.d/certs/rguerra.p12 ~/.

Certificate Summary

/etc/ipsec.d/private/strongswan-key.pem          # CA private key
/etc/ipsec.d/cacerts/strongswan-certificate.pem  # CA certificate
/etc/ipsec.d/private/vpn-host-key.pem            # VPN host private key
/etc/ipsec.d/certs/vpn-host-certificate.pem      # VPN host certificate
/etc/ipsec.d/private/rguerra-key.pem             # Client "Robert" private key
/etc/ipsec.d/certs/rguerra-certificate.pem       # Client "Robert" certificate

Strongswan configuration

strongswan.conf - strongSwan configuration file

nano /etc/strongswan.conf

#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    dns1 = 192.168.3.1
    load_modular = yes
    threads = 16
    plugins {
        include strongswan.d/charon/*.conf
        dhcp {
            force_server_address = yes
            server = 192.168.3.1
            identity_lease = yes
        }
    }
}

ipsec.conf configuration

nano /etc/ipsec.conf

config setup
#   charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy=no
    uniqueids=no

conn %default

    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s

    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    mobike=yes

# Left

    left=%any
    leftcert=vpn-host-certificate.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    lefthostaccess=yes
    leftfirewall=yes

# Right

    right=%any
    eap_identity=%identity
    rightsourceip=%dhcp
    rightdns=192.168.3.1
#   type=tunnel

    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

conn IPSec-IKEv2-EAP
    leftid=vpn.privaterra.info
    rightauth=eap-mschapv2

Configure Secrets file

nano /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
vpn.privaterra.info : RSA vpn-host-key.pem
username : EAP "secret key phrase"

Add additional usernames & related secrets as needed.

To reload the secrets file

ipsec rereadsecrets

IPsec IKE Testing

Now stop the IPsec IKE daemon and restart it in foreground, so that we can immediately see its log messages on the ssh console:

ipsec stop
ipsec start --nofork

After testing is done, interrupt the "ipsec start --nofork" command by pressing Ctrl-C and start ipsec again by typing the following command:

ipsec start

We can check the detailed information about established and configured connections by typing the ipsec status and statusall commands.

ipsec status
ipsec statusall

Add the following to /etc/config/network

config interface 'ipsec'
	option proto 'none'
	option ifname 'ipsec0'
	option auto '1'

Add the following to /etc/config/firewall

config zone
	option forward 'REJECT'
	option name 'vpn'
	option output 'ACCEPT'
	option network 'ipsec'
	option input 'ACCEPT'

config rule
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'ah'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

Activating the changes

After the network firewall settings have been saved, the network settings need to be reloaded

/etc/init.d/network reload
/etc/init.d/firewall reload

macOS Configuration

  1. System configuration (control panel)
  2. Network
  3. Create a new service
  4. Interface type - VPN -
  5. VPN type - IKEv2 -
  6. Service Name : Turris VPN

Turris VPN Settings

  • server address: vpn.privaterra.info
  • Remote ID: vpn.privaterra.info
  • Select Authentication settings: Set to username, and enter the username/password combination specified in the /etc/ipsec.secrets file
  • Apply settings
  • Connect to test

References & sources of information consulted for this blog post

  1. Providing an IPSEC VPN Endpoint on OpenWRT for IOS
  2. Setup a private VPN on OpenWRT 15.05.01 using StrongSwan
  3. StrongSwan Configuration Guide
  4. strongSwan 5: How to create your own private VPN
  5. OpenWrt: IPSec Road Warrior Configuration: Android, Windows 7, BB10, PlayBook Clients
  6. Configuring IPsec IKEv2 in OpenWrt 15.05
  7. linux.xvx.cz/files/turris_configured/
  8. How to do VPN on Demand for iOS at zero cost despite Apple's best efforts to prevent this
  9. IPSEC VPN on Ubuntu 16.04 with StrongSwan
  10. strongswan.org - Sample configurations: Test ikev2/rw-cert
  11. OpenWrt 12.09 + StrongSwan 5.0.0 + iOS, Android
  12. Running a strongswan server with radius on your VPS
  13. How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 16.04
  14. pfSense IKEv2 for iOS/macOS - Part 1 (Certificate Configuration), Part 2 (VPN Configuration), Part 3 (Mobile Profile), Part 4 (On Demand VPN)
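The ike= and esp= lists in the ipsec.conf of this recipe mix strong proposals with SHA-1 and 1024/1536-bit MODP ones; because the lists are negotiated, a client that only offers a weak combination will still get it. The script below is an added example and not part of the original post: it parses proposal strings in strongSwan's ike=/esp= syntax, reports which proposals use primitives commonly treated as weak (the classification sets are this script's own assumption), flags ESP proposals that carry no DH group (the CHILD_SA would then rekey without PFS), and emits a trimmed list. IKE_FROM_POST is copied verbatim from the recipe's ipsec.conf; ESP_SAMPLE is a short constructed list.

```python
"""Audit strongSwan ike=/esp= proposal lists for weak primitives.

Added example, not code from the forum post. The weak/strong classification
below is this script's own assumption, based on common guidance: SHA-1 and
MD5 integrity, MODP groups below 2048 bits, and DES/3DES/null are weak.
"""
import re

# Classification sets (assumption of this script, not from the post).
WEAK_INTEGRITY = {"sha1", "md5"}
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}
WEAK_ENCRYPTION = {"des", "3des", "null"}
# Tokens that name a Diffie-Hellman group in strongSwan proposal syntax.
DH_GROUP = re.compile(r"^(modp\d+|ecp\d+(bp)?|curve25519|curve448|x25519|x448)$")

# Copied verbatim from the recipe's ipsec.conf (conn %default, ike=).
IKE_FROM_POST = (
    "aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,"
    "aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,"
    "aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,"
    "aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,"
    "aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,"
    "aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,"
    "aes256-sha256-modp1024,aes256-sha1-modp1024!"
)

# Constructed sample esp= list: one clean PFS proposal, one weak, one without DH group.
ESP_SAMPLE = "aes128gcm16-ecp256,aes128-sha1-modp1024,aes256gcm16!"


def parse_proposals(value):
    """Split an ike=/esp= value into its proposals; a trailing '!' means strict."""
    strict = value.endswith("!")
    proposals = [p.strip() for p in value.rstrip("!").split(",") if p.strip()]
    return proposals, strict


def weak_reasons(proposal):
    """Reasons a single proposal is weak (empty list if none of its parts is)."""
    reasons = []
    for token in proposal.split("-"):
        if token in WEAK_INTEGRITY:
            reasons.append(f"integrity {token}")
        elif token in WEAK_DH_GROUPS:
            reasons.append(f"DH group {token}")
        elif token in WEAK_ENCRYPTION:
            reasons.append(f"cipher {token}")
    return reasons


def lacks_pfs(proposal):
    """True if a proposal names no DH group; for ESP that means rekeying without PFS."""
    return not any(DH_GROUP.match(t) for t in proposal.split("-"))


def audit(value, esp=False):
    """Map each proposal to its findings: weak primitives, plus 'no PFS' for ESP."""
    proposals, _ = parse_proposals(value)
    findings = {}
    for p in proposals:
        reasons = weak_reasons(p)
        if esp and lacks_pfs(p):
            reasons.append("no DH group (no PFS)")
        findings[p] = reasons
    return findings


def harden(value, esp=False):
    """Return the value with every proposal that has a finding removed, keeping '!'."""
    proposals, strict = parse_proposals(value)
    findings = audit(value, esp)
    kept = [p for p in proposals if not findings[p]]
    return ",".join(kept) + ("!" if strict else "")


if __name__ == "__main__":
    for label, value, esp in (("ike", IKE_FROM_POST, False), ("esp", ESP_SAMPLE, True)):
        for proposal, reasons in audit(value, esp).items():
            if reasons:
                print(f"{label}: {proposal}: {', '.join(reasons)}")
        print(f"{label}={harden(value, esp)}")
```

Run it against your own ipsec.conf values before tightening the list; the strict '!' already present in the recipe is kept, so the hardened output still forbids clients from proposing anything outside it. Whether to drop the no-DH-group ESP proposals is a policy choice: removing them forces PFS on every CHILD_SA rekey at the cost of rejecting clients that cannot offer a group.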


Nicely done!! Thank you so much for sharing this. I have almost the same config except the auth part, where I used a certificate from StartSSL so I don't have to import anything to my clients (just for the OS X configuration it is necessary to use a profile created with Apple Configurator).

Does anyone have a recipe for creating a site-to-site VPN with 2 Turris Omnia?

It seems you're using the kernel-libipsec userspace implementation; it works over TUN/TAP and is much slower than the usual in-kernel IPsec.

I would be interested in activating the kernel implementation/options that you mention. Could you please mention how I could do that? Thanks!

You need to disable the kernel-libipsec module. The configuration file should probably be somewhere at /etc/strongswan.d/charon/kernel-libipsec.conf. You should change load = yes to load = no. After that, the kernel ipsec module would be used and no new interface would appear (no ipsec0). IPsec-encrypted packets would be received and sent from your internet interface.

Thanks for the tip!

Should I also remove the ipsec interface entry in /etc/config/network ? (see below)

config interface 'ipsec'
	option proto 'none'
	option ifname 'ipsec0'
	option auto '1'

Yes. It would probably require additional firewall rules allowing the traffic, too.
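The last two replies come down to a firewall question: the vpn zone in the recipe is bound to the ipsec network (ipsec0), which only exists with kernel-libipsec, while the wan-side rules for ESP and UDP 500/4500 are needed in both modes. The script below is an added example, not from the thread: it parses OpenWrt UCI firewall text (FIREWALL_FROM_POST is copied from the recipe's /etc/config/firewall additions), confirms the three wan ingress rules are present, and lists any zone bound to a given network, so you can see which zone stops matching traffic after the switch. The parser handles only the config/option/list line forms used in that file.

```python
"""Check an OpenWrt UCI firewall config for the IKEv2 ingress rules and
report which zones are bound to a given network.

Added example, not from the forum thread. Handles the config/option/list
line forms used in /etc/config/firewall; full-line '#' comments are skipped.
"""
import re
import shlex

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")

# Copied from the recipe's /etc/config/firewall additions (indentation changed to spaces).
FIREWALL_FROM_POST = """
config zone
    option forward 'REJECT'
    option name 'vpn'
    option output 'ACCEPT'
    option network 'ipsec'
    option input 'ACCEPT'

config rule
    option src 'wan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option dest_port '4500'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'ah'

config forwarding
    option dest 'lan'
    option src 'vpn'

config forwarding
    option dest 'wan'
    option src 'vpn'

config forwarding
    option dest 'vpn'
    option src 'lan'
"""

# (protocol, destination port or None) that must be accepted from wan to the router itself.
REQUIRED_WAN_RULES = [("esp", None), ("udp", "500"), ("udp", "4500")]


def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'options'} dicts, in file order."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = UCI_LINE.match(raw)
        if not m:
            raise ValueError(f"unrecognised UCI line: {raw!r}")
        kind, key, rest = m.group(1), m.group(2), m.group(3) or ""
        values = shlex.split(rest)  # strips the single quotes UCI uses
        if kind == "config":
            sections.append({"type": key, "name": values[0] if values else None, "options": {}})
        elif not sections:
            raise ValueError(f"'{kind}' before any 'config' line: {raw!r}")
        elif kind == "option":
            sections[-1]["options"][key] = values[0] if values else ""
        else:  # list: repeated keys accumulate
            sections[-1]["options"].setdefault(key, []).append(values[0] if values else "")
    return sections


def missing_wan_rules(text):
    """Return labels (e.g. 'udp/4500') of required wan ingress rules not found in text."""
    rules = [s["options"] for s in parse_uci(text) if s["type"] == "rule"]
    missing = []
    for proto, port in REQUIRED_WAN_RULES:
        found = any(
            r.get("src") == "wan" and not r.get("dest")  # no dest: input to the router
            and r.get("target") == "ACCEPT" and r.get("proto") == proto
            and (port is None or r.get("dest_port") == port)
            for r in rules
        )
        if not found:
            missing.append(proto if port is None else f"{proto}/{port}")
    return missing


def zones_using_network(text, network):
    """Names of zones whose 'network' option (string or list) includes the given network."""
    zones = []
    for s in parse_uci(text):
        if s["type"] != "zone":
            continue
        nets = s["options"].get("network", [])
        if isinstance(nets, str):
            nets = nets.split()
        if network in nets:
            zones.append(s["options"].get("name"))
    return zones


if __name__ == "__main__":
    print("missing wan rules:", missing_wan_rules(FIREWALL_FROM_POST) or "none")
    print("zones bound to 'ipsec':", zones_using_network(FIREWALL_FROM_POST, "ipsec"))
```

With the recipe's config the first check passes and the second reports the vpn zone; after dropping the ipsec interface for in-kernel IPsec, that zone no longer has an interface behind it, which is the gap the last reply points at. Feed the script the live file (for example `cat /etc/config/firewall`) rather than the embedded copy to check a real router.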