1. Introduction

Strongswan is an application that provides a VPN service based on the IKEv2 protocol. It consists of two parts. The first is the application that acts as the VPN server/gateway to which devices connect.

The second component is the client application installed on the end devices. It allows them to connect to the VPN gateway and reach the appropriate network resources.

This manual walks through the preparation and configuration of the environment for both components: the VPN gateway and the end-device configuration using FAMOC.

  2. Server configuration

General requirements

1. OS - CentOS 7 x64. Depending on your needs, either a separate STANDALONE VPN machine or a parallel installation on the FAMOC PROXY machine.

2. FQDN - the VPN GATEWAY machine must be reachable from the Internet at the indicated FQDN.

3. LAN available to VPN clients (LAN) - IP addresses or entire subnets that connected client devices will reach through the VPN.

4. Address pool for VPN clients (CLIENT_SUBNET) - a pool of IP addresses assigned to connecting clients. NOTE: the gateway does not NAT this traffic, so these addresses will be visible on the firewall between the DMZ and the LAN. Make sure that the firewall allows this traffic and that the LAN routes CLIENT_SUBNET back to the VPN gateway, otherwise replies never reach the clients.

5. DNS server IP address (DNS_IP) - for clients to reach LAN resources (3) by domain name, a DNS server that resolves those names is necessary. NOTE: the DNS server address must lie within the LAN reachable through the VPN (3), otherwise the clients' queries are not sent through the tunnel.

6. Firewall - incoming traffic from the INTERNET to the VPN GATEWAY machine on UDP 500 (IKE) and UDP 4500 (IKE and UDP-encapsulated ESP, used whenever the client is behind NAT, which is the normal case for mobile devices) must be allowed. It has to be opened both on the external firewall and on the VPN GATEWAY machine itself via iptables (see step 10 in the "VPN gateway" chapter). If clients can connect without NAT in between, native ESP (IP protocol 50) must be allowed as well.

7. ROOT_CA + SUB_CA certificates - a ROOT_CA certificate and a subordinate CA (SUB_CA) certificate issued under it. The SUB_CA is used to issue:

  1) client certificates authorizing the connection to the VPN

  2) the VPN GATEWAY server certificate (8)

8. VPN GATEWAY server certificate (VPN_CERT and VPN_CERT_KEY) - a certificate issued by SUB_CA (7), together with its private key, that the VPN gateway presents to connecting clients.


Generating certificates

To configure the gateway you need the following set of certificates (requirements 7 and 8):

  1. ROOT_CA certificate

  2. SUB_CA certificate

  3. VPN_CERT certificate + its private key VPN_CERT_KEY

If the VPN gateway is integrated with an existing Microsoft CA PKI, the VPN_CERT gateway certificate must be issued from the same SUB_CA from which the end devices' client certificates will be issued.

It is important that the VPN_CERT certificate:

  1. Has a SAN equal to the FQDN under which the VPN gateway machine resolves from the Internet (the same value is used as leftid in ipsec.conf and as the Remote ID on the clients, which check the identity the gateway presents against its certificate):
    Subject Alternative Name: DNS:FQDN

  2. Has the following extendedKeyUsage values set:

    1. serverAuth (1.3.6.1.5.5.7.3.1 - TLS Web Server Authentication)

    2. ikeIntermediate (1.3.6.1.5.5.8.2.2 - IP Security IKE Intermediate)

OS-native IKEv2 clients such as the one in iOS check the gateway certificate for these EKUs and refuse to connect without them; Strongswan itself does not require them, so a certificate that works for Strongswan-to-Strongswan tests may still be rejected by the phones.
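The chain described above, built with OpenSSL and checked against the SAN and EKU requirements before anything is copied to the gateway. This is an added example, not code from the FAMOC manual or from the Strongswan project; the CA names, the FQDN vpn.example.com, the key sizes and validity periods are assumptions, and the same extension profile works with an existing SUB_CA if you only run the VPN_CERT part.

```shell
# Added example (not from the FAMOC manual): builds ROOT_CA -> SUB_CA -> VPN_CERT
# with OpenSSL and verifies that VPN_CERT carries the SAN and the two EKUs the
# clients look for. Names, sizes and validity periods below are assumptions.

# make_vpn_pki <outdir> <fqdn>: writes root_ca.crt/.key, sub_ca.crt/.key and
# vpn_cert.crt/.key (the manual's VPN_CERT and VPN_CERT_KEY) into <outdir>.
make_vpn_pki() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"
    # Extension profiles: CA profile for ROOT_CA/SUB_CA, gateway profile with the
    # subjectAltName and the serverAuth + ikeIntermediate (1.3.6.1.5.5.8.2.2) EKUs.
    cat > "$dir/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ vpn_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$fqdn
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    # ROOT_CA: self-signed
    openssl genrsa -out "$dir/root_ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/root_ca.key" -sha256 -days 3650 \
        -subj "/CN=Example Root CA" -config "$dir/ext.cnf" -extensions ca_ext \
        -out "$dir/root_ca.crt"
    # SUB_CA: issued by ROOT_CA; this is the CA that also issues client certificates
    openssl genrsa -out "$dir/sub_ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/sub_ca.key" -subj "/CN=Example VPN Sub CA" \
        -config "$dir/ext.cnf" -out "$dir/sub_ca.csr"
    openssl x509 -req -in "$dir/sub_ca.csr" -CA "$dir/root_ca.crt" -CAkey "$dir/root_ca.key" \
        -CAcreateserial -sha256 -days 1825 -extfile "$dir/ext.cnf" -extensions sub_ca_ext \
        -out "$dir/sub_ca.crt" 2>/dev/null
    # VPN_CERT / VPN_CERT_KEY: issued by SUB_CA, CN and SAN set to the gateway FQDN
    openssl genrsa -out "$dir/vpn_cert.key" 2048 2>/dev/null
    openssl req -new -key "$dir/vpn_cert.key" -subj "/CN=$fqdn" \
        -config "$dir/ext.cnf" -out "$dir/vpn_cert.csr"
    openssl x509 -req -in "$dir/vpn_cert.csr" -CA "$dir/sub_ca.crt" -CAkey "$dir/sub_ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$dir/ext.cnf" -extensions vpn_ext \
        -out "$dir/vpn_cert.crt" 2>/dev/null
    # private keys must never be world-readable
    chmod 600 "$dir"/*.key
}

# check_vpn_cert <cert> <fqdn> <root_ca.crt> <sub_ca.crt>: succeeds only if the
# certificate chains to ROOT_CA through SUB_CA and has DNS:<fqdn> plus both EKUs.
# Every missing requirement is printed, so a rejected certificate explains itself.
check_vpn_cert() {
    cert=$1; fqdn=$2; root=$3; sub=$4
    rc=0
    openssl verify -CAfile "$root" -untrusted "$sub" "$cert" >/dev/null 2>&1 \
        || { echo "chain does not verify against ROOT_CA/SUB_CA"; rc=1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    printf '%s\n' "$text" | grep -q "DNS:$fqdn" \
        || { echo "missing subjectAltName DNS:$fqdn"; rc=1; }
    # the EKU list is printed on the line after the extension header
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication' \
        || { echo "missing EKU serverAuth"; rc=1; }
    # OpenSSL prints the IKE intermediate EKU either by name or as the raw OID
    printf '%s\n' "$eku" | grep -Eiq 'IKE Intermediate|1\.3\.6\.1\.5\.5\.8\.2\.2' \
        || { echo "missing EKU ikeIntermediate"; rc=1; }
    return $rc
}

# Demo run in a temporary directory (assumed FQDN). On success copy root_ca.crt and
# sub_ca.crt to ipsec.d/cacerts, vpn_cert.crt to ipsec.d/certs, vpn_cert.key to ipsec.d/private.
OUT=$(mktemp -d)
make_vpn_pki "$OUT" vpn.example.com
check_vpn_cert "$OUT/vpn_cert.crt" vpn.example.com "$OUT/root_ca.crt" "$OUT/sub_ca.crt" \
    && echo "VPN_CERT in $OUT meets the requirements"
```

Run check_vpn_cert against a certificate obtained from an existing Microsoft CA as well; a template that issues only serverAuth produces a certificate that verifies fine but fails the ikeIntermediate check, which is exactly the case the phones reject.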

VPN gateway

On the VPN gateway machine (STANDALONE VPN or FAMOC PROXY), install the Strongswan package, which acts as the VPN server.

1. Strongswan installation

[root@vpn-standalone ~]# yum install strongswan


2. Enable Strongswan so that it starts at boot

[root@vpn-standalone ~]# systemctl enable strongswan

Created symlink from /etc/systemd/system/multi-user.target.wants/strongswan.service to /usr/lib/systemd/system/strongswan.service.


[root@vpn-standalone ~]# systemctl status strongswan

● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf

   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)

   Active: inactive (dead)


3. Upload the ROOT_CA and SUB_CA certificate files (see "Generating certificates" above) to the directory /etc/strongswan/ipsec.d/cacerts/ (one certificate per file)

4. Upload the server private key (VPN_CERT_KEY) to:
 /etc/strongswan/ipsec.d/private

5. Restrict the private key permissions; the file must be owned by root and must not be readable by other users: chmod 640 /etc/strongswan/ipsec.d/private/VPN_CERT_KEY

6. Upload the server certificate (VPN_CERT) to /etc/strongswan/ipsec.d/certs

7. Edit the Strongswan configuration file /etc/strongswan/ipsec.conf as shown below:

config setup
    uniqueids=never

conn %default
    leftsubnet=LAN
    rightsourceip=CLIENT_SUBNET
    rightdns=DNS_IP
    dpdaction=clear
    keyingtries=3
    lifetime=8h
    ikelifetime=24h
    margintime=30m
    auto=add

conn ikev2
    keyexchange=ikev2
    leftcert=VPN_CERT
    leftid=FQDN
    leftsendcert=always

LAN - resources reachable after connecting to the VPN, e.g. the intranet (a single IP address or an entire subnet; several can be given as a comma-separated list)

CLIENT_SUBNET - pool of IP addresses (rightsourceip) handed out to the devices connecting to the VPN

DNS_IP - DNS server address pushed to the clients

VPN_CERT - file name of the VPN gateway certificate placed in /etc/strongswan/ipsec.d/certs

FQDN - VPN gateway address (a resolvable domain name is required); it must match the subjectAltName of VPN_CERT, because clients compare the identity the gateway presents (leftid) with its certificate

Notes on the settings:

- uniqueids=never allows several simultaneous connections with the same identity, e.g. a phone and a tablet of one user using the same certificate.

- dpdaction=clear removes the SAs of a peer that stops answering dead-peer detection, so stale client entries do not accumulate on the gateway.

- auto=add only loads the connection and waits for clients to initiate; the gateway never initiates.

- leftsendcert=always makes the gateway send its certificate unconditionally, because some clients do not send a certificate request.

- Clients are authenticated with the default rightauth=pubkey: any certificate that chains to a CA loaded from ipsec.d/cacerts is accepted. If the ROOT_CA (or another CA under it) also issues certificates for other purposes, restrict the accepted issuer with rightca="<subject DN of SUB_CA>" so that only certificates issued by the VPN SUB_CA can open a tunnel.

8. Create the file ipsec.secrets in the directory /etc/strongswan/ with the following line (the file name is relative to /etc/strongswan/ipsec.d/private):

: RSA VPN_CERT_KEY


9. Enable IPv4 forwarding (the gateway routes traffic between the client pool and the LAN):

[root@vpn-standalone ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

[root@vpn-standalone ~]# sysctl -p

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.default.disable_ipv6 = 1

net.ipv4.ip_forward = 1


10. Configure iptables (according to requirement 6):

  1. iptables -I INPUT 4 -m state --state NEW -p udp -m udp --dport 500 -j ACCEPT

  2. iptables -I INPUT 4 -m state --state NEW -p udp -m udp --dport 4500 -j ACCEPT

  3. iptables -I FORWARD 1 -d CLIENT_SUBNET -m policy --dir out --pol ipsec -j ACCEPT

  4. iptables -I FORWARD 1 -s CLIENT_SUBNET -m policy --dir in --pol ipsec -j ACCEPT

Rules 1 and 2 admit IKE (UDP 500) and NAT-T / UDP-encapsulated ESP (UDP 4500). "-I INPUT 4" places them after the established/loopback/icmp rules and before the final REJECT rule of the default CentOS 7 ruleset; adjust the position if your INPUT chain differs. Rules 3 and 4 forward traffic between the client pool and the LAN only for packets that were just decapsulated from IPsec (--dir in) or will be encapsulated on the way out (--dir out), so unprotected packets that merely carry a CLIENT_SUBNET address are not forwarded. No NAT is applied: the LAN sees the CLIENT_SUBNET addresses (requirement 4) and must route them back to the gateway.

11. Save the iptables configuration so that it is restored after a reboot:

[root@vpn-standalone ~]# iptables-save > /etc/sysconfig/iptables

This file is loaded at boot by the iptables service from the iptables-services package; on a CentOS 7 machine that still uses firewalld, either configure the same rules in firewalld or switch to iptables-services.


12. Test-launch the VPN gateway in debug mode (it stays in the foreground and logs to the terminal):

[root@vpn-standalone ~]# strongswan start --debug --nofork

Starting strongSwan 5.5.3 IPsec [starter]...

Loading config setup

found netkey IPsec stack

Attempting to start charon...

00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-693.2.2.el7.x86_64, x86_64)

00[LIB] openssl FIPS mode(2) - enabled

00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'

00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'

00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'

00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'

00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'

00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'

00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity

00[JOB] spawning 16 worker threads

charon (13191) started after 80 ms


13. If the gateway started correctly in debug mode (charon started and the CA certificates and secrets were loaded without errors), stop it (Ctrl+C) and start it as a regular Strongswan service:

[root@vpn-standalone ~]# systemctl start strongswan
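The addressing requirements (4 and 5) and the files of steps 7 and 10 depend on the same four values, and a mismatch between them (a DNS server outside the LAN, a client pool colliding with the LAN) only shows up as clients that connect but cannot reach anything. The following script, an added example that is not part of the FAMOC manual, checks those values and renders ipsec.conf and the iptables rules from them; the LAN 10.10.0.0/24, client pool 10.20.0.0/24, DNS 10.10.0.53 and FQDN vpn.example.com in the demo are assumptions.

```shell
# Added example, not part of the FAMOC manual: checks the addressing from the
# requirements table and renders the files of steps 7 and 10 from the same
# variables, so the placeholders cannot drift apart. The values in the demo at
# the bottom are assumptions.

# ip2int <dotted-quad>: prints the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet <ip> <cidr|ip>: succeeds if <ip> lies inside the prefix (bare IP = /32)
in_subnet() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# subnets_overlap <cidr> <cidr>: succeeds if the two prefixes share any address
subnets_overlap() {
    in_subnet "${1%/*}" "$2" || in_subnet "${2%/*}" "$1"
}

# check_gateway_params <LAN> <CLIENT_SUBNET> <DNS_IP>
#   requirement 5: DNS_IP must be inside LAN, otherwise the clients' queries are
#   not routed through the tunnel;
#   requirement 4: the client pool must not collide with LAN, otherwise the LAN
#   cannot route replies back to the gateway.
check_gateway_params() {
    rc=0
    in_subnet "$3" "$1" || { echo "DNS_IP $3 is not inside LAN $1" >&2; rc=1; }
    subnets_overlap "$1" "$2" && { echo "CLIENT_SUBNET $2 overlaps LAN $1" >&2; rc=1; }
    return $rc
}

# render_ipsec_conf <LAN> <CLIENT_SUBNET> <DNS_IP> <FQDN> <VPN_CERT>: step 7 with
# the placeholders filled in (content of /etc/strongswan/ipsec.conf)
render_ipsec_conf() {
    cat <<EOF
config setup
    uniqueids=never

conn %default
    leftsubnet=$1
    rightsourceip=$2
    rightdns=$3
    dpdaction=clear
    keyingtries=3
    lifetime=8h
    ikelifetime=24h
    margintime=30m
    auto=add

conn ikev2
    keyexchange=ikev2
    leftcert=$5
    leftid=$4
    leftsendcert=always
EOF
}

# render_iptables_rules <CLIENT_SUBNET>: step 10; only packets matched by an
# IPsec policy are forwarded between the client pool and the LAN
render_iptables_rules() {
    cat <<EOF
iptables -I INPUT 4 -m state --state NEW -p udp -m udp --dport 500 -j ACCEPT
iptables -I INPUT 4 -m state --state NEW -p udp -m udp --dport 4500 -j ACCEPT
iptables -I FORWARD 1 -d $1 -m policy --dir out --pol ipsec -j ACCEPT
iptables -I FORWARD 1 -s $1 -m policy --dir in --pol ipsec -j ACCEPT
EOF
}

# Demo (assumed values): refuse to render anything if the addressing is inconsistent
LAN=10.10.0.0/24; CLIENT_SUBNET=10.20.0.0/24; DNS_IP=10.10.0.53; FQDN=vpn.example.com
if check_gateway_params "$LAN" "$CLIENT_SUBNET" "$DNS_IP"; then
    render_ipsec_conf "$LAN" "$CLIENT_SUBNET" "$DNS_IP" "$FQDN" vpn_cert.crt   # -> /etc/strongswan/ipsec.conf
    render_iptables_rules "$CLIENT_SUBNET"                                      # -> run as root, then iptables-save
fi
```

The checks deliberately run before anything is written: a DNS server outside the LAN or an overlapping pool is reported on stderr and the script stops, instead of producing a gateway that accepts connections but forwards nothing useful.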


Application machine (FAMOC)

For the VPN client on Android devices to function properly, the appropriate client application provided by FancyFon must be downloaded.

  3. FAMOC configuration

Certificate Authority (CA) configuration

To make full use of the integration with the VPN gateway, it is recommended to configure a Certificate Authority (CA) responsible for distributing certificates to the client devices. Based on these certificates, the phones will be authorized to connect to the VPN gateway.

To do so, add a local FAMOC CA here:

  • “ADVANCED” -> “Settings” -> “Servers” -> “Add server”


After creating a local FAMOC CA, you can begin configuring VPN clients for end devices.

Android configuration

For Android phones to use the VPN connection, it is necessary to:

  1. Install the Strongswan VPN client on the device

  2. Configure the Strongswan VPN client

iOS configuration

For iOS phones to use the VPN connection, the iOS profile must be prepared accordingly. No additional, external application needs to be installed; the native iOS VPN client is configured.

The iOS profile configuration is located at: ADVANCED -> Config center -> Configurations -> Add configuration -> iOS -> iOS general profile configuration

In the “Certificates” section you have to configure:

  1. The CLIENT_CERT certificate to be installed on the iOS devices, generated from the VPN CA defined above

  2. If the ROOT_CA (requirement 7) is not already trusted by the devices (e.g. a self-signed certificate or an internal PKI is used), it must also be added to the configuration; otherwise the device will not trust the gateway certificate.

An example of the certificate configuration is shown in the screenshot below:

In the "VPN configuration" section, specify the configuration of the native VPN client for iOS devices. The most important fields are:

  • Connection name - the name of the VPN profile on the device

  • Server address - the VPN gateway FQDN

  • Local ID - the identity the device presents to the VPN server. Important - it must match the "UPN attribute" field on the client certificate; the gateway verifies that the presented identity is contained in the certificate the client authenticates with

  • Remote ID - the identity the device expects from the VPN server. It must match leftid in ipsec.conf, i.e. the gateway FQDN contained in the SAN of VPN_CERT

  • Authentication method - certificate; it is recommended to use the certificate generated by the FAMOC CA and defined in the "CERTIFICATES" section of the iOS configuration (see above)

  • Proxy - if a proxy is used, define it here

  • DNS server addresses - the IP addresses of the DNS servers to be used (normally DNS_IP from the gateway configuration)

  4. Summary

This manual has guided you through the configuration of the Strongswan FAMOC VPN environment (VPN gateway, FAMOC configuration, client configuration). These steps cover the entire procedure, from setting up the VPN gateway to configuring the end devices and connecting them to the configured resources. In case of any doubts or questions regarding the described procedure, please contact our technical support department at support@fancyfon.com.