Introduction
Strongswan is an application that provides a VPN service based on the IKEv2 protocol. It consists of two parts. The first is an application that acts as the VPN server/gateway to which devices connect.
The second component is the client application installed on phones. It allows end devices to connect to the VPN gateway and access the appropriate network resources.
This manual guides you through preparing and configuring the environment for both components: the VPN gateway, and end-device configuration using FAMOC.
Server configuration
General requirements
Generating certificates
To configure the gateway properly, you will need a set of certificates (7, 8):
ROOT_CA certificate
SUB_CA certificate
VPN_CERT certificate + private key VPN_CERT_KEY
If the VPN gateway is integrated with the existing Microsoft CA PKI infrastructure, the VPN_CERT gateway certificate must be issued from the same SUB_CA from which the end devices client certificates will be issued.
It is important that the VPN_CERT certificate:
Has the same SAN value as the FQDN under which the VPN gateway machine resolves from the Internet:
Subject Alternative Name: DNS: FQDN
Has the following extendedKeyUsage values set:
serverAuth (1.3.6.1.5.5.7.3.1 - TLS Web Server Authentication)
ikeIntermediate (1.3.6.1.5.5.8.2.2 - IP security end entity)
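The following script is an added example, not part of the FAMOC manual: it builds a ROOT_CA -> SUB_CA -> VPN_CERT chain with openssl and then checks the two requirements above (SAN equal to the FQDN, extendedKeyUsage containing serverAuth and ikeIntermediate). The hostname vpn.example.com, the scratch directory, key sizes and validity periods are assumed values; in a real deployment VPN_CERT is issued by the SUB_CA that also issues the client certificates, and only the check function is needed.

```shell
#!/bin/sh
# Added example (not from the FAMOC manual): generate a ROOT_CA -> SUB_CA -> VPN_CERT chain
# and verify that VPN_CERT carries SAN = FQDN plus the serverAuth and ikeIntermediate EKUs.
# FQDN and WORK are assumed placeholders.
set -e
FQDN="${FQDN:-vpn.example.com}"   # constructed gateway hostname
WORK="${WORK:-$(mktemp -d)}"      # scratch directory for keys and certificates

# Minimal req config so the script does not depend on the system openssl.cnf
write_req_config() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
}

# issue_cert NAME CN EXTFILE [CA_CERT CA_KEY] -> $WORK/NAME.pem and $WORK/NAME.key
# Without CA_CERT the certificate is self-signed (the ROOT_CA).
issue_cert() {
  name=$1; cn=$2; ext=$3; cacert=$4; cakey=$5
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$cacert" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 3650 \
      -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
      -days 825 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

gen_chain() {
  write_req_config
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/subca.ext"
  # VPN_CERT: SAN must be the public FQDN; EKU must contain serverAuth and ikeIntermediate
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$FQDN" > "$WORK/vpn.ext"
  issue_cert ROOT_CA ROOT_CA "$WORK/ca.ext"
  issue_cert SUB_CA SUB_CA "$WORK/subca.ext" "$WORK/ROOT_CA.pem" "$WORK/ROOT_CA.key"
  issue_cert VPN_CERT "$FQDN" "$WORK/vpn.ext" "$WORK/SUB_CA.pem" "$WORK/SUB_CA.key"
}

# check_vpn_cert CERT FQDN: returns 0 only if CERT chains to ROOT_CA through SUB_CA,
# its SAN contains DNS:FQDN, and its EKU contains serverAuth and ikeIntermediate.
check_vpn_cert() {
  cert=$1; fqdn=$2
  openssl verify -CAfile "$WORK/ROOT_CA.pem" -untrusted "$WORK/SUB_CA.pem" "$cert" >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$cert" -noout -text)
  echo "$txt" | grep -q "DNS:$fqdn" || return 1
  echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1
  # openssl prints the ikeIntermediate OID either by name or as the dotted OID
  echo "$txt" | grep -Eiq 'ikeIntermediate|IKE Intermediate|1\.3\.6\.1\.5\.5\.8\.2\.2' || return 1
  return 0
}

gen_chain
if check_vpn_cert "$WORK/VPN_CERT.pem" "$FQDN"; then
  echo "VPN_CERT in $WORK meets the SAN and extendedKeyUsage requirements"
else
  echo "VPN_CERT in $WORK does not meet the requirements" >&2
fi
```

To audit a certificate issued by an existing Microsoft CA, drop the generation step and run only check_vpn_cert against the exported VPN_CERT with the real ROOT_CA and SUB_CA files in place of the generated ones.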
VPN gateway
On the VPN gateway machine (STANDALONE VPN or FAMOC PROXY), install the Strongswan package, which acts as the VPN server.
1. Strongswan installation
2. Add Strongswan to the boot process
3. Upload the ROOT_CA file and the SUB_CA file (see Section 3) to the directory /etc/strongswan/ipsec.d/cacerts/
4. Upload server private key (VPN_CERT_KEY) to:
/etc/strongswan/ipsec.d/private
5. Change private key permissions: chmod 640 /etc/strongswan/ipsec.d/private/VPN_CERT_KEY
6. Upload the server certificate (VPN_CERT) to /etc/strongswan/ipsec.d/certs
7. Edit the Strongswan configuration file /etc/strongswan/ipsec.conf as shown in the diagram below, using the following values:
LAN - resources to be accessed after connecting to the VPN, e.g. intranet (IP address or the entire subnet)
CLIENT_SUBNET - IP addresses pool for devices that will have access to the VPN
DNS_IP - DNS server address
VPN_CERT - VPN server certificate (VPN gateway)
FQDN - VPN server (VPN gateway) address; a resolvable domain name is required
8. Create the file ipsec.secrets in the directory /etc/strongswan/
9. Disable IPv4 forwarding:
10. Configure iptables (according to requirement 6):
11. Save the iptables configuration:
12. Test-launch the VPN gateway in debug mode:
13. If the gateway started correctly in debug mode, stop it (Ctrl+C) and start it in production as a Strongswan process
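Steps 7 and 8 refer to a configuration diagram; the script below is an added example (not the manual's own configuration) that renders an /etc/strongswan/ipsec.conf and ipsec.secrets from the placeholders LAN, CLIENT_SUBNET, DNS_IP, VPN_CERT, VPN_CERT_KEY and FQDN into a staging directory, so the result can be reviewed before it is copied to the gateway. The conn name famoc-ikev2, the IKE/ESP proposals, the dead-peer-detection settings and the charon debug levels are assumptions, not values from the manual; the sample addresses in the usage call are constructed.

```shell
#!/bin/sh
# Added example (not from the FAMOC manual): render ipsec.conf and ipsec.secrets for a
# certificate-authenticated IKEv2 gateway from the manual's placeholders.
# Proposals, conn name and debug levels are assumed values.
set -e
STAGE="${STAGE:-$(mktemp -d)}"   # staging directory; copy its contents to /etc/strongswan/ afterwards

# render_strongswan_config OUTDIR LAN CLIENT_SUBNET DNS_IP VPN_CERT FQDN VPN_CERT_KEY
render_strongswan_config() {
  outdir=$1; lan=$2; client_subnet=$3; dns_ip=$4; vpn_cert=$5; fqdn=$6; vpn_cert_key=$7
  mkdir -p "$outdir"
  cat > "$outdir/ipsec.conf" <<EOF
config setup
    # IKE log level 1 is useful for the debug launch (step 12); lower it in production
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn famoc-ikev2
    auto=add
    keyexchange=ikev2
    type=tunnel
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # gateway side: identity and certificate must match the FQDN in the SAN of VPN_CERT
    left=%any
    leftid=@$fqdn
    leftcert=$vpn_cert
    leftsendcert=always
    leftsubnet=$lan
    leftauth=pubkey
    # client side: any client whose certificate chains to a CA in ipsec.d/cacerts/
    right=%any
    rightid=%any
    rightauth=pubkey
    rightsourceip=$client_subnet
    rightdns=$dns_ip
EOF
  # ipsec.secrets: the private key file (relative to ipsec.d/private) that belongs to VPN_CERT
  cat > "$outdir/ipsec.secrets" <<EOF
: RSA $vpn_cert_key
EOF
  chmod 600 "$outdir/ipsec.secrets"
}

# check_strongswan_config OUTDIR FQDN: 0 if the rendered files use certificate authentication
# on both sides, present the gateway as @FQDN, and contain no pre-shared key.
check_strongswan_config() {
  outdir=$1; fqdn=$2
  grep -q "^ *leftid=@$fqdn\$" "$outdir/ipsec.conf" || return 1
  grep -q '^ *leftauth=pubkey$' "$outdir/ipsec.conf" || return 1
  grep -q '^ *rightauth=pubkey$' "$outdir/ipsec.conf" || return 1
  grep -q '^: RSA ' "$outdir/ipsec.secrets" || return 1
  if grep -q ' PSK ' "$outdir/ipsec.secrets"; then return 1; fi
  return 0
}

# Constructed sample values: intranet 10.10.0.0/24, client pool 10.20.0.0/24, DNS 10.10.0.53
render_strongswan_config "$STAGE" 10.10.0.0/24 10.20.0.0/24 10.10.0.53 VPN_CERT vpn.example.com VPN_CERT_KEY
if check_strongswan_config "$STAGE" vpn.example.com; then
  echo "rendered ipsec.conf and ipsec.secrets into $STAGE"
else
  echo "rendered configuration failed the checks" >&2
fi
```

After copying the two files to /etc/strongswan/, the CA files from step 3, the certificate from step 6 and the key from step 4 must be in place with the permissions from step 5, otherwise the debug launch in step 12 reports that it cannot load VPN_CERT or its key.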
Application machine (FAMOC)
For the VPN client to work properly on Android devices, you must download the appropriate client application provided by FancyFon.
FAMOC configuration
Certificate Authority (CA) configuration
In order to fully use the potential of integration with the VPN gateway, it is recommended to configure the Certificate Authority (CA) which will be responsible for the distribution of certificates for client devices. Based on them, the phones will be authorized to connect to the VPN gateway.
To do so, we will add local FAMOC CA. We can do it here:
“ADVANCED” -> “Settings” -> “Servers” -> “Add server”
After creating a local FAMOC CA, you can begin configuring VPN clients for end devices.
Android configuration
In order for Android phones to be able to use a VPN connection, it is necessary to:
Install the Strongswan VPN client on the device
Configure the Strongswan VPN client
iOS configuration
In order for iOS phones to be able to use the VPN connection, it is necessary to properly prepare the configuration of the iOS profile. It is not necessary to install additional, external applications - the native iOS VPN client is configured.
iOS profile configuration is located at: ADVANCED -> Config center -> Configurations -> Add configuration -> iOS -> iOS general profile configuration
In “Certificates” section you have to configure:
CLIENT_CERT - the certificate installed on iOS devices, generated by selecting the defined VPN_CA
If the defined ROOT_CA (7) is not trusted on the devices (e.g. a self-signed certificate or an internal PKI infrastructure is used), it must also be added to the configuration.
An example of configuration of certificates is shown in the screenshot below:
In the "VPN configuration" section, specify the configuration for the native iOS VPN client. The most important fields are:
Connection name - this is the name of the VPN profile on the device
Server address - VPN gateway FQDN
Local ID - one of the parameters defining how the device presents itself to the VPN server. Important: it must match the "UPN attribute" field of the client certificate
Remote ID - the second parameter defining how the device will present itself to the VPN server
Authentication method - a certificate generated by the FAMOC CA and defined in the "CERTIFICATES" section of the iOS configuration (see above) is recommended
Proxy - define it here if one is used
DNS server addresses - the IP addresses of the DNS servers to use
Summary
This manual guides you through configuring the Strongswan FAMOC VPN environment (VPN gateway, FAMOC configuration, client configuration). These steps take you through the entire procedure, from setting up the VPN gateway to configuring end devices and connecting to the configured resources. In case of any doubts or questions regarding the described procedure, please contact our technical support department at support@fancyfon.com.