Monday, April 30, 2018

How to install a strongSwan IKEv2 VPN service on a Pi Zero/W or Pi 3 running Jessie-based DietPi with an external static IP (Comcast/Xfinity)



1.    First grab the Jessie-based image file from here.
2.    Once downloaded, extract the image file from the .7z archive.
3.    Download and open image-writing software; I use Etcher.io.
4.    Flash the extracted image onto the SD card.
5.    Eject or remove the SD card. Mac users can simply remove the SD card once the flash completes.

The following steps are for the Raspberry Pi Zero/W, or for anyone who intends to run the Pi headless over WiFi:

·     Insert the SD card back into the computer.
·     Open the file "dietpi.txt" in your favorite text editor; I like to use nano in a terminal.
·     Then look for these lines:

##### Networking Options #####

#          If both Ethernet and Wifi are enabled, Wifi will take priority and Ethernet will be disabled.
#                      1=enabled
AUTO_SETUP_NET_ETHERNET_ENABLED=1
AUTO_SETUP_NET_WIFI_ENABLED=0

#          Enter your Wifi details below, if applicable (Case Sensitive).
AUTO_SETUP_NET_WIFI_SSID=MySuperDooperWiFi
AUTO_SETUP_NET_WIFI_KEY=0123456789
#          available | WPA-PSK / WPA-EAP / NONE | WEP=No longer supported
AUTO_SETUP_NET_WIFI_KEYMGR=WPA-PSK

·     If you want WiFi enabled, change the 0 in AUTO_SETUP_NET_WIFI_ENABLED to a 1, then enter your SSID by replacing "MySuperDooperWiFi" and your password by replacing "0123456789" in the lines above.
·     Save and exit the file, then eject your SD card.

VPN installation:
Insert the SD card into the Pi and turn it on.
Let the initial automated setup process complete.
Headless users will need to find the IP of their Pi and ssh into it using username root and password dietpi.
Begin the strongSwan install with the following command:
·     apt-get install strongswan && apt-get install libcharon-extra-plugins
Next, we will run these commands:
·     apt-get install libstrongswan-standard-plugins && apt-get install iptables
·     apt-get install python
We will use Python to run a small web server for copying the certificate files over to a computer at the end of this tutorial.

Post installation:
In a terminal, open the file /etc/ipsec.conf, remove everything in it, and paste the following:


config setup
  uniqueids=never
  charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
  auto=start
  closeaction=restart
  keyexchange=ikev2
  ike=aes128-sha256-ecp256
  esp=aes128-sha256-ecp256
  dpdaction=clear
  dpddelay=300s
  dpdtimeout=5s
  forceencaps=yes
  fragmentation=yes
  keyingtries=5
  rekey=yes
  left=%any
  leftfirewall=yes
  leftid=YOUR_PUB_IP_ADDRESS
  leftsubnet=0.0.0.0/0
  leftcert=vpnHostCert.pem
  leftsendcert=always
  mobike=yes
  right=%any
  rightdns=208.67.222.222,208.67.220.220
  rightsourceip=10.0.0.101/24
  type=tunnel

conn IKEv2
  rightauth=pubkey
  eap_identity=%any



Replace YOUR_PUB_IP_ADDRESS in the leftid line with your external IPv4 address (Whatismyip.com).
Next we will edit the file /etc/ipsec.secrets by copying and pasting the following at the bottom of the file:

: ECDSA vpnHostKey.pem

Next we will edit /etc/sysctl.conf and remove the hash in front of net.ipv4.ip_forward=1 to enable packet forwarding.
Save and exit, then run sysctl -p to apply the changes made to sysctl.conf.

Once that's done, edit /etc/rc.local and add the following to the bottom, before the exit 0 line. Save and exit when done. The rules below assume the Pi reaches the internet over eth0; if your Pi is connected over WiFi, use wlan0 in place of eth0.

# VPN NAT
iptables -t nat -A POSTROUTING -s 10.0.0.101/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.101/24 -o eth0 -j MASQUERADE

# ISAKMP (handling of security associations)
iptables -A INPUT -p udp --dport 500 -j ACCEPT

# NAT-T (handling of IPsec between NAT-ted devices)
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# ESP payload (the encrypted data packets)
iptables -A INPUT -p esp -j ACCEPT

# VPN MSS clamping for IPsec/virtual IPs
iptables -t mangle -A FORWARD -o eth0 \
-p tcp -m tcp --tcp-flags SYN,RST SYN \
-m tcpmss --mss 1361:1536 \
-j TCPMSS --set-mss 1360

echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc

Once that's done, change directory to /etc/ipsec.d/. From there, create the file ecdsa_certs and make it executable (chmod +x ecdsa_certs). Then edit the new file and copy and paste the following into it:



#!/bin/sh
# ecdsa_certs: create the CA, VPN host and client keys/certificates.
# All paths below are relative to /etc/ipsec.d, whose private/, cacerts/ and certs/
# subdirectories strongSwan already provides, so the script changes into it first.

clear
set -e
cd /etc/ipsec.d || exit 1

# Your external IPv4 address; it becomes the host certificate's CN and SAN
pubIP=$(curl -s http://ipecho.net/plain)
if [ -z "$pubIP" ]; then
    echo "Could not determine the public IP address; check connectivity and try again."
    exit 1
fi

echo "strongSwan Certificate Creation"
echo ""
echo "Please make a note of your public IP address: $pubIP"
echo "You'll need it later on in the iPCU/Apple Configurator setup process."
echo ""
echo "Creating Certificate Authority...."

# CA private key (P-384) and a self-signed CA certificate valid for 10 years
ipsec pki --gen --type ecdsa --size 384 \
--outform pem \
> private/strongswanKey.pem

chmod 600 private/strongswanKey.pem

ipsec pki --self --ca --lifetime 3650 \
--in private/strongswanKey.pem --type ecdsa \
--dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
--outform pem \
> cacerts/strongswanCert.pem

echo ""
echo "Creating VPN Host Certificate...."

# Host key (P-256) and a CA-signed host certificate valid for 2 years.
# The SAN must equal the public IP the clients connect to, and the serverAuth
# and ikeIntermediate flags are what Apple clients check on the server certificate.
ipsec pki --gen --type ecdsa --size 256 \
--outform pem \
> private/vpnHostKey.pem

chmod 600 private/vpnHostKey.pem

ipsec pki --pub --in private/vpnHostKey.pem --type ecdsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=CH, O=strongSwan, CN=$pubIP" \
--san "$pubIP" \
--flag serverAuth --flag ikeIntermediate \
--outform pem > certs/vpnHostCert.pem

echo ""
echo "Creating Client Certificate...."

# Client key (P-256) and a CA-signed client certificate valid for 2 years
ipsec pki --gen --type ecdsa --size 256 \
--outform pem \
> private/ClientKey.pem

chmod 600 private/ClientKey.pem

ipsec pki --pub --in private/ClientKey.pem --type ecdsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=CH, O=strongSwan, CN=Client Key" \
--san Client_Key \
--outform pem > certs/ClientCert.pem

echo ""
echo "Exporting Client Certificate as PKCS#12 File...."
echo ""

# Bundle the client key, client certificate and CA certificate into one .p12 file.
# openssl prompts for an export password; the client profile will ask for it later.
openssl pkcs12 -export -inkey private/ClientKey.pem \
-in certs/ClientCert.pem -name "Client's VPN Certificate" \
-certfile cacerts/strongswanCert.pem \
-caname "strongSwan Root CA" \
-out Client.p12

echo ""
echo "Certificate and .p12 file created!"



Next, run the script with ./ecdsa_certs. Once the keys and certificates have been created, transfer Client.p12, cacerts/strongswanCert.pem and private/strongswanKey.pem onto a flash drive. Make note of the password you assigned to the .p12 file and of the public IP address, as you'll need both when creating the client profiles. Keep in mind that private/strongswanKey.pem is the CA's private key: the client profile only needs Client.p12 and the CA certificate, so treat that copy purely as an offline backup and never install it on a client.
Finally, open UDP ports 500 and 4500 on your router/firewall so IKE and NAT-T traffic reaches the Pi.
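A pre-flight check for the setup above, added here as an example and not part of the original post. It reads the ipsec.conf, ipsec.secrets and /etc/ipsec.d paths you pass it and flags the mistakes that most often keep the tunnel from coming up: a leftid still set to the placeholder, a missing host certificate, and a host key that is missing, not mode 600, or actually the CA key. It assumes the file names used in this post (vpnHostCert.pem, vpnHostKey.pem, strongswanKey.pem).

```shell
#!/bin/sh
# Pre-flight check for the strongSwan IKEv2 setup (added example, not from the post).
# Usage: sh check_ikev2.sh /etc/ipsec.conf /etc/ipsec.secrets /etc/ipsec.d
# Prints one FAIL line per problem and returns 0 only when every check passes.

# Value of "key=value" in ipsec.conf; tolerates uneven indentation and spaces around '='
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

check_strongswan_setup() {
    conf=$1; secrets=$2; ipsecd=$3; rc=0

    # leftid must be the real external IPv4 address, not YOUR_PUB_IP_ADDRESS
    leftid=$(conf_value "$conf" leftid)
    is_ipv4 "$leftid" || { echo "FAIL: leftid='$leftid' is not an IPv4 address"; rc=1; }

    [ "$(conf_value "$conf" keyexchange)" = "ikev2" ] \
        || { echo "FAIL: keyexchange must be ikev2"; rc=1; }

    # leftcert is looked up in /etc/ipsec.d/certs; ecdsa_certs writes vpnHostCert.pem there
    leftcert=$(conf_value "$conf" leftcert)
    [ -n "$leftcert" ] && [ -f "$ipsecd/certs/$leftcert" ] \
        || { echo "FAIL: certs/$leftcert not found under $ipsecd"; rc=1; }

    # ': ECDSA vpnHostKey.pem' names the host key under /etc/ipsec.d/private; it must
    # exist, be mode 600, and be the host key rather than the CA key
    key=$(sed -n 's/^[[:space:]]*:[[:space:]]*ECDSA[[:space:]]*//p' "$secrets" | head -n 1 | tr -d '[:space:]')
    if [ -z "$key" ] || [ ! -f "$ipsecd/private/$key" ]; then
        echo "FAIL: ipsec.secrets key '$key' not found under $ipsecd/private"; rc=1
    else
        [ -n "$(find "$ipsecd/private/$key" -perm 600)" ] \
            || { echo "FAIL: private/$key must be mode 600"; rc=1; }
        [ "$key" != "strongswanKey.pem" ] \
            || { echo "FAIL: ipsec.secrets points at the CA key instead of the host key"; rc=1; }
    fi

    [ "$rc" -eq 0 ] && echo "OK: configuration looks consistent"
    return "$rc"
}

# Run the check when given the three paths; sourcing the file only defines the functions
if [ "$#" -eq 3 ]; then
    check_strongswan_setup "$@"
fi
```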