VPN Remote Access at HSR: Linux via Command Line

The following how-to describes the configuration steps required to set up a VPN connection to HSR Hochschule für Technik Rapperswil using command line tools.

Make sure strongSwan is installed, see InstallationDocumentation for details.

You must be root in order to be able to configure and start strongSwan:

sudo -s

The remote access connection is configured in the /etc/ipsec.conf file:

# ipsec.conf - strongSwan IPsec configuration file

config setup
     plutostart=no

conn hsr
     left=%any
     leftsourceip=%config
     leftid=asteffen
     leftauth=eap
     rightauth=pubkey
     right=strongswan.hsr.ch
     rightid=strongswan.hsr.ch
     rightsubnet=0.0.0.0/0     # HSR does not allow split tunneling
     keyexchange=ikev2
     ikelifetime=8h
     keylife=3h
     ike=aes128-sha1-modp2048!
     esp=aes128-sha1!
     auto=add

The HSR user password is stored in the /etc/ipsec.secrets file:

# ipsec.secrets - strongSwan IPsec secrets file

asteffen : EAP "my HSR password" 

The QuoVadis Root CA 2 certificate must be copied into the /etc/ipsec.d/cacerts directory:

cp /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2.crt /etc/ipsec.d/cacerts

Optionally, you can restrict the set of charon plugins that are loaded and configure additional strongSwan options in the /etc/strongswan.conf file.
Warning: you are on your own here and must be sure of what you are doing!

# strongswan.conf - strongSwan configuration file

# speed up Diffie-Hellman computations without compromising security 
libstrongswan {
  dh_exponent_ansi_x9_42 = no
}

# load only the minimally required plugins
charon {
  load = random pkcs1 pem x509 openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-identity resolve stroke
}

# suppress the load statement warning
starter {
  load_warning = no
}
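As an added example (not part of the original how-to), the following POSIX shell script checks the files configured above before charon is started: it reads the hsr settings out of ipsec.conf and verifies that the gateway must authenticate with a certificate, the client with EAP over IKEv2, and that both proposals are strict; it checks that ipsec.secrets is not accessible by group or others; and it checks that the load list in strongswan.conf contains the plugins this connection depends on. The function names and the sample files it writes into a temporary directory are assumptions made for this example (the sample ipsec.conf is abridged from this page, the password is a constructed placeholder).

```shell
#!/bin/sh
# Added example, not part of the original HSR how-to: pre-flight checks over
# ipsec.conf, ipsec.secrets and strongswan.conf.  Function names are
# assumptions made for this example; the sample ipsec.conf and plugin list are
# abridged from this page, the password is a constructed placeholder.

# write_samples DIR: write constructed copies of the three files into DIR.
write_samples() {
    cat > "$1/ipsec.conf" <<'EOF'
conn hsr
     leftauth=eap
     rightauth=pubkey
     right=strongswan.hsr.ch
     rightid=strongswan.hsr.ch
     rightsubnet=0.0.0.0/0     # HSR does not allow split tunneling
     keyexchange=ikev2
     ike=aes128-sha1-modp2048!
     esp=aes128-sha1!
EOF
    printf 'asteffen : EAP "constructed placeholder password"\n' > "$1/ipsec.secrets"
    chmod 600 "$1/ipsec.secrets"
    printf 'charon {\n  load = random pkcs1 pem x509 openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-identity resolve stroke\n}\n' > "$1/strongswan.conf"
}

# conn_setting FILE CONN KEY: print the value of KEY in section "conn CONN"
# (trailing "# comment" stripped); prints nothing if KEY is not set there.
conn_setting() {
    awk -v conn="$2" -v key="$3" '
        /^conn /   { in_conn = ($2 == conn); next }
        /^config / { in_conn = 0; next }
        in_conn {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]*#.*$/, "", line)
            if (index(line, key "=") == 1) print substr(line, length(key) + 2)
        }' "$1"
}

# check_conn FILE CONN: IKEv2, gateway authenticated by certificate, client by
# EAP, and strict ("!") proposals so charon accepts no weaker algorithms.
check_conn() {
    f=$1; c=$2; rc=0
    [ "$(conn_setting "$f" "$c" keyexchange)" = ikev2 ] || { echo "FAIL: $c: keyexchange is not ikev2" >&2; rc=1; }
    [ "$(conn_setting "$f" "$c" rightauth)" = pubkey ]  || { echo "FAIL: $c: gateway is not required to use a certificate" >&2; rc=1; }
    [ "$(conn_setting "$f" "$c" leftauth)" = eap ]      || { echo "FAIL: $c: client authentication is not EAP" >&2; rc=1; }
    for k in ike esp; do
        case "$(conn_setting "$f" "$c" "$k")" in
            *!) ;;
            *)  echo "FAIL: $c: $k proposal is not strict (no trailing '!')" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# check_secrets_mode FILE: the EAP password is stored in clear text, so group
# and others must have no permission bits at all (mode 0600 or stricter).
check_secrets_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $1 is accessible by group/others ($(ls -ld "$1" | cut -c1-10))" >&2; return 1; }
}

# check_secrets_user FILE USER: an EAP secret for USER must be present.
check_secrets_user() {
    grep -Eq "^$2[ ]*:[ ]*EAP[ ]+\"" "$1" || { echo "FAIL: no EAP secret for $2 in $1" >&2; return 1; }
}

# charon_plugins FILE: print the "load = ..." list of the charon { } section.
charon_plugins() {
    awk '/^charon[ \t]*\{/ { in_charon = 1; next }
         /^\}/             { in_charon = 0 }
         in_charon && /^[ \t]*load[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# check_plugins FILE PLUGIN...: every named plugin must be in the load list.
check_plugins() {
    f=$1; shift; loaded=" $(charon_plugins "$f") "; rc=0
    for p in "$@"; do
        case "$loaded" in
            *" $p "*) ;;
            *) echo "FAIL: plugin $p is not loaded by $f" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on the constructed samples; on a real host run the same checks against
# /etc/ipsec.conf, /etc/ipsec.secrets and /etc/strongswan.conf as root.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    check_conn "$d/ipsec.conf" hsr &&
    check_secrets_mode "$d/ipsec.secrets" &&
    check_secrets_user "$d/ipsec.secrets" asteffen &&
    check_plugins "$d/strongswan.conf" x509 revocation curl eap-mschapv2 eap-identity resolve &&
    echo "all pre-flight checks passed (gateway id: $(conn_setting "$d/ipsec.conf" hsr rightid))"
    rm -rf "$d"
}
demo
```

The plugin list passed to check_plugins in the demo is the subset this connection cannot do without: x509, revocation and curl for the certificate and OCSP checks of the gateway, eap-mschapv2 and eap-identity for the client side, resolve for the pushed DNS servers.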

The IKEv2 charon daemon is either started automatically during boot time via an /etc/init.d/ script or manually using the command

ipsec start

The log file (/var/log/daemon.log on Ubuntu) then shows

Feb  1 05:39:19 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.1rc1)
Feb  1 05:39:19 merthyr charon: 00[KNL] listening on interfaces:
Feb  1 05:39:19 merthyr charon: 00[KNL]   eth0
Feb  1 05:39:19 merthyr charon: 00[KNL]   wlan0
Feb  1 05:39:19 merthyr charon: 00[KNL]     10.10.0.20
Feb  1 05:39:19 merthyr charon: 00[KNL]     2001:aa::221:6aff:fe06:cf4c
Feb  1 05:39:19 merthyr charon: 00[KNL]     fe80::221:6aff:fe06:cf4c
Feb  1 05:39:19 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb  1 05:39:19 merthyr charon: 00[CFG]   loaded ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" from '/etc/ipsec.d/cacerts/QuoVadis_Root_CA_2.crt'
Feb  1 05:39:19 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb  1 05:39:19 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb  1 05:39:19 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb  1 05:39:19 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb  1 05:39:19 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb  1 05:39:19 merthyr charon: 00[CFG]   loaded EAP secret for asteffen
Feb  1 05:39:19 merthyr charon: 00[DMN] loaded plugins: random pkcs1 pem x509 openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-identity resolve stroke 
Feb  1 05:39:19 merthyr charon: 00[JOB] spawning 16 worker threads
Feb  1 05:39:19 merthyr charon: 05[CFG] received stroke: add connection 'hsr'
Feb  1 05:39:19 merthyr charon: 05[CFG] left nor right host is our side, assuming left=local
Feb  1 05:39:19 merthyr charon: 05[CFG] added configuration 'hsr'

The VPN connection to the HSR strongSwan gateway is established by

ipsec up hsr

and the log shows

Feb  1 05:39:23 merthyr charon: 11[CFG] received stroke: initiate 'hsr'
Feb  1 05:39:23 merthyr charon: 12[IKE] initiating IKE_SA hsr[1] to 152.96.1.40
Feb  1 05:39:23 merthyr charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb  1 05:39:23 merthyr charon: 12[NET] sending packet: from 10.10.0.20[500] to 152.96.1.40[500]
Feb  1 05:39:23 merthyr charon: 13[NET] received packet: from 152.96.1.40[500] to 10.10.0.20[500]
Feb  1 05:39:23 merthyr charon: 13[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
Feb  1 05:39:23 merthyr charon: 13[IKE] initiating IKE_SA hsr[1] to 152.96.1.40
Feb  1 05:39:23 merthyr charon: 13[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb  1 05:39:23 merthyr charon: 13[NET] sending packet: from 10.10.0.20[500] to 152.96.1.40[500]
Feb  1 05:39:23 merthyr charon: 14[NET] received packet: from 152.96.1.40[500] to 10.10.0.20[500]
Feb  1 05:39:23 merthyr charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb  1 05:39:23 merthyr charon: 14[IKE] local host is behind NAT, sending keep alives
Feb  1 05:39:23 merthyr charon: 14[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" 
Feb  1 05:39:23 merthyr charon: 14[IKE] establishing CHILD_SA hsr
Feb  1 05:39:23 merthyr charon: 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb  1 05:39:23 merthyr charon: 14[NET] sending packet: from 10.10.0.20[4500] to 152.96.1.40[4500]
Feb  1 05:39:23 merthyr charon: 15[NET] received packet: from 152.96.1.40[4500] to 10.10.0.20[4500]
Feb  1 05:39:23 merthyr charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Feb  1 05:39:23 merthyr charon: 15[IKE] received end entity cert "C=CH, ST=St. Gallen, L=Rapperswil, O=Hochschule Rapperswil, OU=IT-Systems, CN=strongswan.hsr.ch" 
Feb  1 05:39:23 merthyr charon: 15[IKE] received issuer cert "C=BM, O=QuoVadis Limited, OU=www.quovadisglobal.com, CN=QuoVadis Global SSL ICA" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   using certificate "C=CH, ST=St. Gallen, L=Rapperswil, O=Hochschule Rapperswil, OU=IT-Systems, CN=strongswan.hsr.ch" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   using untrusted intermediate certificate "C=BM, O=QuoVadis Limited, OU=www.quovadisglobal.com, CN=QuoVadis Global SSL ICA" 
Feb  1 05:39:23 merthyr charon: 15[CFG] checking certificate status of "C=CH, ST=St. Gallen, L=Rapperswil, O=Hochschule Rapperswil, OU=IT-Systems, CN=strongswan.hsr.ch" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   requesting ocsp status from 'http://ocsp.quovadisglobal.com' ...
Feb  1 05:39:23 merthyr charon: 15[CFG]   using certificate "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   using untrusted intermediate certificate "C=BM, O=QuoVadis Limited, OU=www.quovadisglobal.com, CN=QuoVadis Global SSL ICA" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   using trusted ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   reached self-signed root ca with a path length of 1
Feb  1 05:39:23 merthyr charon: 15[CFG]   ocsp response correctly signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   ocsp response is valid: until Feb 01 23:00:18 2011
Feb  1 05:39:23 merthyr charon: 15[CFG] certificate status is good
Feb  1 05:39:23 merthyr charon: 15[CFG]   using trusted ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" 
Feb  1 05:39:23 merthyr charon: 15[CFG] checking certificate status of "C=BM, O=QuoVadis Limited, OU=www.quovadisglobal.com, CN=QuoVadis Global SSL ICA" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   using certificate "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   using untrusted intermediate certificate "C=BM, O=QuoVadis Limited, OU=www.quovadisglobal.com, CN=QuoVadis Global SSL ICA" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   using trusted ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   reached self-signed root ca with a path length of 1
Feb  1 05:39:23 merthyr charon: 15[CFG]   ocsp response correctly signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   ocsp response contains no status on our certificate
Feb  1 05:39:23 merthyr charon: 15[CFG]   requesting ocsp status from 'http://ocsp.quovadisglobal.com' ...
Feb  1 05:39:23 merthyr charon: 15[CFG]   using certificate "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   using untrusted intermediate certificate "C=BM, O=QuoVadis Limited, OU=www.quovadisglobal.com, CN=QuoVadis Global SSL ICA" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   using trusted ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   reached self-signed root ca with a path length of 1
Feb  1 05:39:23 merthyr charon: 15[CFG]   ocsp response correctly signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature" 
Feb  1 05:39:23 merthyr charon: 15[CFG]   ocsp response is valid: until Jun 12 21:14:29 2011
Feb  1 05:39:23 merthyr charon: 15[CFG] certificate status is good
Feb  1 05:39:23 merthyr charon: 15[CFG]   reached self-signed root ca with a path length of 1
Feb  1 05:39:23 merthyr charon: 15[IKE] authentication of 'strongswan.hsr.ch' with RSA signature successful
Feb  1 05:39:23 merthyr charon: 15[IKE] server requested EAP_IDENTITY, sending 'asteffen'
Feb  1 05:39:23 merthyr charon: 15[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Feb  1 05:39:23 merthyr charon: 15[NET] sending packet: from 10.10.0.20[4500] to 152.96.1.40[4500]
Feb  1 05:39:23 merthyr charon: 16[NET] received packet: from 152.96.1.40[4500] to 10.10.0.20[4500]
Feb  1 05:39:23 merthyr charon: 16[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb  1 05:39:23 merthyr charon: 16[IKE] server requested EAP_MSCHAPV2 authentication
Feb  1 05:39:23 merthyr charon: 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb  1 05:39:23 merthyr charon: 16[NET] sending packet: from 10.10.0.20[4500] to 152.96.1.40[4500]
Feb  1 05:39:23 merthyr charon: 01[NET] received packet: from 152.96.1.40[4500] to 10.10.0.20[4500]
Feb  1 05:39:23 merthyr charon: 01[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Feb  1 05:39:23 merthyr charon: 01[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
Feb  1 05:39:23 merthyr charon: 01[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Feb  1 05:39:23 merthyr charon: 01[NET] sending packet: from 10.10.0.20[4500] to 152.96.1.40[4500]
Feb  1 05:39:24 merthyr charon: 09[NET] received packet: from 152.96.1.40[4500] to 10.10.0.20[4500]
Feb  1 05:39:24 merthyr charon: 09[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Feb  1 05:39:24 merthyr charon: 09[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb  1 05:39:24 merthyr charon: 09[IKE] authentication of 'asteffen' (myself) with EAP
Feb  1 05:39:24 merthyr charon: 09[ENC] generating IKE_AUTH request 5 [ AUTH ]
Feb  1 05:39:24 merthyr charon: 09[NET] sending packet: from 10.10.0.20[4500] to 152.96.1.40[4500]
Feb  1 05:39:24 merthyr charon: 05[NET] received packet: from 152.96.1.40[4500] to 10.10.0.20[4500]
Feb  1 05:39:24 merthyr charon: 05[ENC] parsed IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS NBNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb  1 05:39:24 merthyr charon: 05[IKE] authentication of 'strongswan.hsr.ch' with EAP successful
Feb  1 05:39:24 merthyr charon: 05[IKE] IKE_SA hsr[1] established between 10.10.0.20[asteffen]...152.96.1.40[strongswan.hsr.ch]
Feb  1 05:39:24 merthyr charon: 05[IKE] scheduling reauthentication in 27785s
Feb  1 05:39:24 merthyr charon: 05[IKE] maximum IKE_SA lifetime 28325s
Feb  1 05:39:24 merthyr charon: 05[IKE] installing DNS server 152.96.20.10 to /etc/resolv.conf
Feb  1 05:39:24 merthyr charon: 05[IKE] installing DNS server 152.96.21.10 to /etc/resolv.conf
Feb  1 05:39:24 merthyr charon: 05[CFG] handling INTERNAL_IP4_NBNS attribute failed
Feb  1 05:39:24 merthyr charon: 05[CFG] handling INTERNAL_IP4_NBNS attribute failed
Feb  1 05:39:24 merthyr charon: 05[IKE] installing new virtual IP 172.16.28.1
Feb  1 05:39:24 merthyr charon: 05[IKE] CHILD_SA hsr{1} established with SPIs c3260cb1_i cf23ab4d_o and TS 172.16.28.1/32 === 0.0.0.0/0 
Feb  1 05:39:24 merthyr charon: 05[IKE] peer supports MOBIKE

You can verify that the tunnel is up by pinging the internal server skripte.hsr.ch:

ping -c 1 skripte.hsr.ch

PING sidv0012.hsr.ch (152.96.21.12) 56(84) bytes of data.
64 bytes from sidv0012.hsr.ch (152.96.21.12): icmp_req=1 ttl=62 time=21.9 ms

Use ipsec statusall to get the connection status:

Status of IKEv2 charon daemon (strongSwan 4.5.1dr5):
  uptime: 54 seconds, since Feb 01 05:39:18 2011
  malloc: sbrk 393216, mmap 0, used 310192, free 83024
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: random pkcs1 pem x509 openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-identity resolve stroke 
Listening IP addresses:
  10.10.0.20
  2001:aa::221:6aff:fe06:cf4c
Connections:
         hsr:  %any...152.96.1.40
         hsr:   local:  [asteffen] uses EAP authentication
         hsr:   remote: [strongswan.hsr.ch] uses public key authentication
         hsr:   child:  dynamic === 0.0.0.0/0 
Security Associations:
         hsr[1]: ESTABLISHED 49 seconds ago, 10.10.0.20[asteffen]...152.96.1.40[strongswan.hsr.ch]
         hsr[1]: IKE SPIs: 0888a3592f27c307_i* b87006fa62b55f26_r, EAP reauthentication in 7 hours
         hsr[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
         hsr{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c3260cb1_i cf23ab4d_o
         hsr{1}:  AES_CBC_128/HMAC_SHA1_96, 283 bytes_i (42s ago), 1527 bytes_o (14s ago), rekeying in 2 hours
         hsr{1}:   172.16.28.1/32 === 0.0.0.0/0 
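As an added example (not part of the original how-to), the following POSIX shell script checks the two outputs shown above, the charon log of ipsec up hsr and the output of ipsec statusall: it confirms that the gateway strongswan.hsr.ch was authenticated by RSA signature with a good certificate status before the client sent its EAP identity (so the password exchange never went to an unauthenticated peer), that IKE_SA and CHILD_SA came up, and that the negotiated IKE proposal is the expected one; it prints the assigned virtual IP and the traffic selectors. The function names, the expected-proposal argument and the temporary sample files (abridged from the log lines on this page) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original HSR how-to: post-connection checks
# over the charon log of "ipsec up hsr" and the "ipsec statusall" output.
# Function names are assumptions made for this example; the sample files are
# constructed excerpts, abridged from the log lines on this page.

# write_samples DIR: constructed excerpts of the two outputs.
write_samples() {
    cat > "$1/charon.log" <<'EOF'
Feb  1 05:39:23 merthyr charon: 12[IKE] initiating IKE_SA hsr[1] to 152.96.1.40
Feb  1 05:39:23 merthyr charon: 15[IKE] received end entity cert "C=CH, ST=St. Gallen, L=Rapperswil, O=Hochschule Rapperswil, OU=IT-Systems, CN=strongswan.hsr.ch"
Feb  1 05:39:23 merthyr charon: 15[CFG] checking certificate status of "C=CH, ST=St. Gallen, L=Rapperswil, O=Hochschule Rapperswil, OU=IT-Systems, CN=strongswan.hsr.ch"
Feb  1 05:39:23 merthyr charon: 15[CFG] certificate status is good
Feb  1 05:39:23 merthyr charon: 15[IKE] authentication of 'strongswan.hsr.ch' with RSA signature successful
Feb  1 05:39:23 merthyr charon: 15[IKE] server requested EAP_IDENTITY, sending 'asteffen'
Feb  1 05:39:23 merthyr charon: 16[IKE] server requested EAP_MSCHAPV2 authentication
Feb  1 05:39:24 merthyr charon: 09[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb  1 05:39:24 merthyr charon: 05[IKE] IKE_SA hsr[1] established between 10.10.0.20[asteffen]...152.96.1.40[strongswan.hsr.ch]
Feb  1 05:39:24 merthyr charon: 05[IKE] installing new virtual IP 172.16.28.1
Feb  1 05:39:24 merthyr charon: 05[IKE] CHILD_SA hsr{1} established with SPIs c3260cb1_i cf23ab4d_o and TS 172.16.28.1/32 === 0.0.0.0/0
EOF
    cat > "$1/statusall.txt" <<'EOF'
Security Associations:
         hsr[1]: ESTABLISHED 49 seconds ago, 10.10.0.20[asteffen]...152.96.1.40[strongswan.hsr.ch]
         hsr[1]: IKE SPIs: 0888a3592f27c307_i* b87006fa62b55f26_r, EAP reauthentication in 7 hours
         hsr[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
         hsr{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c3260cb1_i cf23ab4d_o
         hsr{1}:  AES_CBC_128/HMAC_SHA1_96, 283 bytes_i (42s ago), 1527 bytes_o (14s ago), rekeying in 2 hours
         hsr{1}:   172.16.28.1/32 === 0.0.0.0/0
EOF
}

# check_ike_log LOG PEER_ID CONN: succeed only if the gateway PEER_ID proved its
# identity with an RSA signature and a good certificate status BEFORE the
# client sent any EAP identity, and both the IKE_SA and the CHILD_SA of CONN
# were established.  Prints the assigned virtual IP.
check_ike_log() {
    log=$1; peer=$2; conn=$3
    auth_line=$(grep -nF "authentication of '$peer' with RSA signature successful" "$log" | head -n 1 | cut -d: -f1)
    eap_line=$(grep -nF "server requested EAP_IDENTITY" "$log" | head -n 1 | cut -d: -f1)
    [ -n "$auth_line" ] || { echo "FAIL: gateway '$peer' was never authenticated" >&2; return 1; }
    if [ -n "$eap_line" ] && [ "$eap_line" -lt "$auth_line" ]; then
        echo "FAIL: EAP identity sent before the gateway was authenticated" >&2; return 1
    fi
    grep -qF "certificate status is good" "$log" || { echo "FAIL: no good certificate status logged" >&2; return 1; }
    grep -F "IKE_SA $conn[" "$log" | grep -q " established" || { echo "FAIL: IKE_SA $conn not established" >&2; return 1; }
    grep -F "CHILD_SA $conn{" "$log" | grep -q " established" || { echo "FAIL: CHILD_SA $conn not established" >&2; return 1; }
    sed -n 's/.*installing new virtual IP \([0-9.]*\).*/\1/p' "$log" | head -n 1
}

# check_statusall STATUS CONN PROPOSAL: the IKE_SA of CONN must be ESTABLISHED
# with exactly PROPOSAL and its CHILD_SA INSTALLED in tunnel mode.  Prints the
# negotiated traffic selectors so the full-tunnel policy (=== 0.0.0.0/0) can
# be confirmed.
check_statusall() {
    st=$1; conn=$2; proposal=$3
    grep -F "$conn[" "$st" | grep -q "ESTABLISHED" || { echo "FAIL: no ESTABLISHED IKE_SA for $conn" >&2; return 1; }
    got=$(grep -F "$conn[" "$st" | sed -n 's/.*IKE proposal: *\([^ ]*\).*/\1/p' | head -n 1)
    [ "$got" = "$proposal" ] || { echo "FAIL: IKE proposal is '$got', expected '$proposal'" >&2; return 1; }
    grep -F "$conn{" "$st" | grep -q "INSTALLED, TUNNEL" || { echo "FAIL: CHILD_SA of $conn not installed" >&2; return 1; }
    grep -F "$conn{" "$st" | grep " === " | sed 's/^[^:]*:[ ]*//'
}

# Demo on the constructed excerpts.  On a live host use the real sources, e.g.
#   check_ike_log /var/log/daemon.log strongswan.hsr.ch hsr
#   ipsec statusall > /tmp/status.txt && check_statusall /tmp/status.txt hsr AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    vip=$(check_ike_log "$d/charon.log" strongswan.hsr.ch hsr) && echo "gateway authenticated first, virtual IP $vip"
    ts=$(check_statusall "$d/statusall.txt" hsr AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048) && echo "tunnel up: $ts"
    rm -rf "$d"
}
demo
```

The ordering check is the one worth keeping: in the log above the line "authentication of 'strongswan.hsr.ch' with RSA signature successful" precedes "server requested EAP_IDENTITY", which is what the EAP_ONLY and rightauth=pubkey settings are meant to guarantee.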

More information can be obtained with the ipsec listall command:

List of X.509 End Entity Certificates:

  altNames:  sswano2.hsr.ch, strongswan.hsr.ch, sswano1.hsr.ch, root@hsr.ch
  subject:  "C=CH, ST=St. Gallen, L=Rapperswil, O=Hochschule Rapperswil, OU=IT-Systems, CN=strongswan.hsr.ch" 
  issuer:   "C=BM, O=QuoVadis Limited, OU=www.quovadisglobal.com, CN=QuoVadis Global SSL ICA" 
  serial:    1c:b0
  validity:  not before Dec 17 15:26:34 2009, ok
             not after  Dec 16 15:26:34 2012, ok 
  pubkey:    RSA 2048 bits
  keyid:     b8:75:26:6e:87:b0:07:59:a8:a8:db:68:5c:2a:41:16:ef:c4:02:d3
  subjkey:   98:ab:dc:f7:26:bb:8a:9c:9f:66:01:fd:55:30:42:f3:a5:2d:e8:75
  authkey:   32:4d:a1:4f:ea:f0:ae:99:b6:ee:9b:07:2c:84:08:11:50:8b:e2:7e

List of X.509 CA Certificates:

  subject:  "C=BM, O=QuoVadis Limited, OU=www.quovadisglobal.com, CN=QuoVadis Global SSL ICA" 
  issuer:   "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" 
  serial:    05:7a
  validity:  not before Jan 12 17:13:33 2007, ok
             not after  Jan 12 17:13:11 2017, ok 
  pubkey:    RSA 2048 bits
  keyid:     bf:f0:f0:22:bf:96:30:fc:96:69:a0:07:76:19:01:f3:de:98:4c:4b
  subjkey:   32:4d:a1:4f:ea:f0:ae:99:b6:ee:9b:07:2c:84:08:11:50:8b:e2:7e
  authkey:   1a:84:62:bc:48:4c:33:25:04:d4:ee:d0:f6:03:c4:19:46:d1:94:6b

  subject:  "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" 
  issuer:   "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" 
  serial:    05:09
  validity:  not before Nov 24 19:27:00 2006, ok
             not after  Nov 24 19:23:33 2031, ok 
  pubkey:    RSA 4096 bits
  keyid:     73:97:82:ea:b4:04:16:6e:25:d4:82:3c:37:db:f8:a8:12:fb:cf:26
  subjkey:   1a:84:62:bc:48:4c:33:25:04:d4:ee:d0:f6:03:c4:19:46:d1:94:6b
  authkey:   1a:84:62:bc:48:4c:33:25:04:d4:ee:d0:f6:03:c4:19:46:d1:94:6b

List of X.509 OCSP Signer Certificates:

  subject:  "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature" 
  issuer:   "C=BM, O=QuoVadis Limited, OU=www.quovadisglobal.com, CN=QuoVadis Global SSL ICA" 
  serial:    05:26
  validity:  not before Mar 29 16:30:39 2007, ok
             not after  Jan 12 17:13:11 2017, ok 
  pubkey:    RSA 1024 bits
  keyid:     29:87:0e:a1:ec:d4:eb:1b:dc:f8:5b:a1:95:e9:fc:27:58:92:3f:79
  subjkey:   be:f0:4a:72:91:f5:dd:97:88:77:cf:b9:bf:35:97:dd:90:04:10:11
  authkey:   32:4d:a1:4f:ea:f0:ae:99:b6:ee:9b:07:2c:84:08:11:50:8b:e2:7e

List of OCSP responses:

  signer:   "be:f0:4a:72:91:f5:dd:97:88:77:cf:b9:bf:35:97:dd:90:04:10:11" 
  validity:  produced at Feb 01 05:39:23 2011
             usable till Feb 01 23:00:18 2011, ok
  signer:   "be:f0:4a:72:91:f5:dd:97:88:77:cf:b9:bf:35:97:dd:90:04:10:11" 
  validity:  produced at Feb 01 05:39:24 2011
             usable till Jun 12 21:14:29 2011, ok

List of registered IKEv2 Algorithms:

  encryption: AES_CBC[openssl] CAMELLIA_CBC[openssl] 3DES_CBC[openssl] RC5_CBC[openssl] IDEA_CBC[openssl]
              CAST_CBC[openssl] BLOWFISH_CBC[openssl] DES_CBC[openssl] DES_ECB[openssl] NULL[openssl]
  integrity:  HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac]
              HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac]
              HMAC_SHA2_512_256[hmac]
  aead:      
  hasher:     HASH_SHA1[openssl] HASH_MD2[openssl] HASH_MD4[openssl] HASH_MD5[openssl] HASH_SHA224[openssl]
              HASH_SHA256[openssl] HASH_SHA384[openssl] HASH_SHA512[openssl]
  prf:        PRF_KEYED_SHA1[openssl] PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_MD5[hmac]
              PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac]
  dh-group:   MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] ECP_256[openssl]
              ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] MODP_3072[openssl] MODP_4096[openssl]
              MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl]
              MODP_CUSTOM[openssl]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]

The connection can be terminated at any time by issuing

ipsec down hsr