VPN Strongswan

From HSMWiki


To establish a VPN connection, the following must be true for your HSMW account:

  • You have confirmed the network terms and conditions
  • Your password has not expired

You can check both in your account settings.

Installation

Follow only one of the two installation methods below, and pay attention to the remarks at the end of each method.

Package management with Debian Wheezy and Jessie

Run the apt-get commands below as root (or prefix them with sudo).

Wheezy: Add the following source to /etc/apt/sources.list to get a current strongSwan version from backports:

deb http://http.debian.net/debian wheezy-backports main

Then execute:

apt-get update
apt-get -t wheezy-backports install ca-certificates strongswan libcharon-extra-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins

Jessie: Execute the following commands:

apt-get update
apt-get install ca-certificates strongswan libcharon-extra-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins


Additionally, add the following two lines to the LSB header of the init script (/etc/init.d/ipsec), so that the service is started only after the network and remote file systems are available:

# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs

Create the directory ~/Downloads/strongswan if it does not exist yet, then create links to the configuration files in it. The links point at the real files under /etc, so editing a link edits the file:

 ln -s /etc/strongswan.conf ~/Downloads/strongswan/
 ln -s /etc/ipsec.conf ~/Downloads/strongswan/
 ln -s /etc/ipsec.secrets ~/Downloads/strongswan/


Compiling from source on Linux Mint (18)

If you want to compile strongSwan yourself, you need a terminal: open the start menu at the bottom left, search for "Terminal" and start it. Change to a directory of your choice; here a new directory is created under "Downloads" and then entered:

 mkdir ~/Downloads/strongswan
 cd ~/Downloads/strongswan/

In that directory, download the newest strongSwan release (5.5.1 at the time of writing) and extract the archive. strongswan.tar.gz always points at the latest release, so the version number in the directory name used below will change over time; strongSwan also publishes PGP signatures for its release archives, and you should verify the download against them before building it.

 wget https://download.strongswan.org/strongswan.tar.gz
 tar -xzvf strongswan.tar.gz

The directory should now contain the archive and the extracted source tree. Check with "ls"; you should see strongswan.tar.gz and a directory such as strongswan-5.5.1.

Change into the directory of the downloaded version and install the build dependencies. Root privileges are needed only for installing packages and for "make install"; configure and compile as your normal user:

 cd strongswan-5.5.1/
 sudo apt-get install libc-dev-bin libc6-dev libgmp-dev \
                      libgmpxx4ldbl libcurl3 libcurl4-openssl-dev \
                      libssl-dev zlib1g-dev

Set the required build options with "./configure ...". They enable the plugins this setup relies on: curl (fetching CRLs and certificates over HTTP), EAP-MSCHAPv2 and EAP-Identity (the user authentication) and the OpenSSL crypto backend:

 ./configure --enable-curl --enable-eap-mschapv2 \
             --enable-eap-identity --enable-openssl

Finally compile and install (the install step writes to /usr/local and needs root):

 make
 sudo make install


Create links to the following configuration files:

 ln -s /usr/local/etc/strongswan.conf ~/Downloads/strongswan/
 ln -s /usr/local/etc/ipsec.conf ~/Downloads/strongswan/
 ln -s /usr/local/etc/ipsec.secrets ~/Downloads/strongswan/


Please note:

If you no longer need the packages required to compile strongSwan, you can remove them with:

 sudo apt-get remove libc-dev-bin libc6-dev libgmp-dev zlib1g-dev \
                     libcurl4-openssl-dev libssl-dev

strongSwan can be uninstalled at any time, as long as the directory into which it was downloaded and built (here ~/Downloads/strongswan) has not been deleted. Open a terminal, change to the strongSwan source directory (here ~/Downloads/strongswan/strongswan-5.5.1) and execute:

 sudo make uninstall

This is also required before upgrading strongSwan to a newer version.

Configuration

After the installation, the following files need to be edited:

~/Downloads/strongswan/strongswan.conf
~/Downloads/strongswan/ipsec.conf
~/Downloads/strongswan/ipsec.secrets

Preparation

The VPN gateway authenticates itself with a certificate that is validated against the Deutsche Telekom Root CA 2 (shipped by the ca-certificates package installed above), so that CA must be made available in strongSwan's CA certificate directory. Link only this one certificate, not the whole /etc/ssl/certs directory: every CA placed in cacerts/ becomes able to vouch for the VPN gateway. If you compiled strongSwan yourself, run:

sudo ln -s /etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem /usr/local/etc/ipsec.d/cacerts/

If you installed strongSwan with the package manager, use this command instead:

sudo ln -s /etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem /etc/ipsec.d/cacerts/

strongswan.conf

Open strongswan.conf with the editor of your choice (nano is used here):

 sudo nano ~/Downloads/strongswan/strongswan.conf

Replace the whole content of the file with the following. The default file loads plugins through includes from strongswan.d/; the explicit load line below fixes the plugin set to exactly what this connection needs, including eap-mschapv2 and eap-identity for the user authentication and x509 and revocation for checking the gateway certificate:

charon {
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown openssl resolve
}

Everything else in this file is unnecessary and can break the connection.

ipsec.conf

Open ipsec.conf with the editor of your choice (nano is used here):

 sudo nano ~/Downloads/strongswan/ipsec.conf

Append the following connection definition to the file, replacing username with your HSMW login. The parameter lines must stay indented:

conn hsmw-vpn
        keyexchange=ikev2
        left=%defaultroute
        leftid=%any
        leftauth=eap
        eap_identity=username@hs-mittweida.de
        leftsourceip=%config
        leftdns=%config4
        leftfirewall=no
        right=141.55.128.84
        rightid=@vpn4.hs-mittweida.de
        rightsubnet=0.0.0.0/0
        rightauth=pubkey
        auto=add

What the security-relevant lines do: rightauth=pubkey together with rightid=@vpn4.hs-mittweida.de requires the gateway to prove its identity with a certificate chaining to the CA linked in the Preparation step, and in IKEv2 this happens before the client sends any EAP credentials, so a rogue gateway cannot harvest your password. leftauth=eap makes the client authenticate with EAP (EAP-MSCHAPv2 is the only EAP method plugin loaded), using eap_identity as the account name. rightsubnet=0.0.0.0/0 routes all traffic through the tunnel, and auto=add loads the connection at start-up without bringing it up until you ask for it.

Everything else already in this file is needed and must not be deleted.

ipsec.secrets

Open ipsec.secrets with the editor of your choice (nano is used here):

 sudo nano ~/Downloads/strongswan/ipsec.secrets

Add the following line, with your login in place of username and your HSMW password in place of K3nnw0rt. The identity must match eap_identity in ipsec.conf:

username@hs-mittweida.de : EAP "K3nnw0rt"

The password is stored in clear text, so the file must stay owned by root and readable by root only (mode 0600); check this after editing.
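The following shell script is an added example, not part of the HSMWiki page or of strongSwan: it writes the hsmw-vpn connection from the two sections above into a directory of your choice, creates the secrets file readable by root only, and then lints the result for the settings that matter before you run "ipsec up" (gateway pinned by rightid and rightauth=pubkey, placeholders replaced, secrets file mode 0600). The function names (write_vpn_config, lint_conn, lint_secrets, conn_param) and the sample account jdoe@hs-mittweida.de are assumptions of the example; the connection parameters are exactly those prescribed above.

```shell
#!/bin/sh
# Added example (not from the HSMWiki page): generate the hsmw-vpn connection
# and its EAP secret into a directory of your choice and lint the result before
# running "ipsec up". Function names and the sample account are assumptions of
# this script; the strongSwan settings are the ones the page prescribes.
set -u

# conn_param FILE CONN KEY: print the value of KEY inside "conn CONN"
# (empty output if the conn or the key is missing).
conn_param() {
    awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/ { in_conn = ($2 == conn); next }
        /^[^ \t]/    { in_conn = 0 }
        in_conn && index($1, key "=") == 1 { print substr($1, length(key) + 2); exit }
    ' "$1"
}

# lint_conn FILE CONN: return 1 if a security-relevant setting is missing or
# weak; the reasons are printed to stderr.
lint_conn() {
    f=$1; c=$2; rc=0
    [ "$(conn_param "$f" "$c" keyexchange)" = ikev2 ] \
        || { echo "$c: keyexchange must be ikev2" >&2; rc=1; }
    # The gateway must prove its identity with a certificate before the client
    # sends its EAP-MSCHAPv2 credentials; rightauth=pubkey enforces that.
    [ "$(conn_param "$f" "$c" rightauth)" = pubkey ] \
        || { echo "$c: rightauth must be pubkey" >&2; rc=1; }
    # Without a fixed rightid, any certificate issued by the trusted CA would
    # be accepted as the gateway.
    case $(conn_param "$f" "$c" rightid) in
        ""|%any) echo "$c: rightid must name the gateway" >&2; rc=1 ;;
    esac
    [ "$(conn_param "$f" "$c" leftauth)" = eap ] \
        || { echo "$c: leftauth must be eap" >&2; rc=1; }
    # eap_identity still at the page's placeholder means the conn was never
    # personalised.
    case $(conn_param "$f" "$c" eap_identity) in
        ""|username@*) echo "$c: eap_identity is not a real account" >&2; rc=1 ;;
    esac
    return $rc
}

# lint_secrets FILE: the file holds the VPN password in clear text, so it must
# be readable by its owner only and must contain a real EAP line.
lint_secrets() {
    f=$1; rc=0
    [ "$(stat -c %a "$f")" = 600 ] \
        || { echo "$f: mode must be 0600 (chmod 600 $f)" >&2; rc=1; }
    grep -q '^[^ ]* : EAP "' "$f" \
        || { echo "$f: no 'identity : EAP \"password\"' line" >&2; rc=1; }
    grep -q '"K3nnw0rt"' "$f" \
        && { echo "$f: still contains the placeholder password" >&2; rc=1; }
    return $rc
}

# write_vpn_config DIR USER PASS: append the hsmw-vpn conn to DIR/ipsec.conf
# and the EAP line to DIR/ipsec.secrets (DIR is /etc for the package install,
# /usr/local/etc for the source install). USER is the full EAP identity.
write_vpn_config() {
    dir=$1; user=$2; pass=$3
    cat >> "$dir/ipsec.conf" <<EOF

conn hsmw-vpn
        keyexchange=ikev2
        left=%defaultroute
        leftid=%any
        leftauth=eap
        eap_identity=$user
        leftsourceip=%config
        leftdns=%config4
        leftfirewall=no
        right=141.55.128.84
        rightid=@vpn4.hs-mittweida.de
        rightsubnet=0.0.0.0/0
        rightauth=pubkey
        auto=add
EOF
    # umask 077 in a subshell so a newly created secrets file is 0600 from the
    # start; chmod covers the case where the file already existed.
    ( umask 077; printf '%s : EAP "%s"\n' "$user" "$pass" >> "$dir/ipsec.secrets" )
    chmod 600 "$dir/ipsec.secrets"
}

# Demonstration on a scratch directory with a constructed sample account (never
# touches /etc): generate the files, then lint them.
demo_dir=$(mktemp -d)
write_vpn_config "$demo_dir" "jdoe@hs-mittweida.de" "correct horse battery staple"
lint_conn "$demo_dir/ipsec.conf" hsmw-vpn && lint_secrets "$demo_dir/ipsec.secrets" \
    && echo "hsmw-vpn configuration in $demo_dir looks sane"
```

To apply it for real, call write_vpn_config with /etc (package install) or /usr/local/etc (source install) as the first argument under sudo, then run the two lint functions against the real files; a password containing a double quote would break the ipsec.secrets syntax and must be escaped by hand.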

Open / Close the VPN connection

The ipsec commands talk to the charon daemon and must be run as root. If you compiled strongSwan yourself, no init script starts the daemon for you, so start it first (the package install starts it at boot):

 sudo ipsec start

To establish the VPN tunnel, execute:

 sudo ipsec up hsmw-vpn

You can close the VPN tunnel with:

 sudo ipsec down hsmw-vpn