linux – Jan Taczanowski's tech blog

Preparing Raspberry Pi for building additional kernel modules.

01/11/2018 Jan Taczanowski 1 Comment

Today I was trying to build ipt-netflow kernel module on my Raspberry Pi with Raspbian linux. For hours I was stuck with proper system setup to make it ready for compiling additional kernel modules. The problem was with make prepare modules_prepare command which gives me such error:

root@raspberrypi:/usr/src/linux-headers-4.9.59+# make prepare modules_prepare
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
make[1]: *** No rule to make target 'arch/arm/tools/gen-mach-types', needed by 'include/generated/mach-types.h'.  Stop.
arch/arm/Makefile:315: recipe for target 'archprepare' failed
make: *** [archprepare] Error 2

root@raspberrypi:/usr/src/linux-headers-4.9.59+# make prepare modules_prepare

CHK include/config/kernel.release

CHK include/generated/uapi/linux/version.h

CHK include/generated/utsrelease.h

make[1]: *** No rule to make target 'arch/arm/tools/gen-mach-types', needed by 'include/generated/mach-types.h'. Stop.

arch/arm/Makefile:315: recipe for target 'archprepare' failed

make: *** [archprepare] Error 2

Google was not very helpful with this problem. Finally, basing on various trops, I got it worked. Uff.. Here is the proper way to setup Raspberry Pi for compiling additional kernel modules:

Install kernel headers and other tools:

apt-get update
apt-get install raspberrypi-kernel-headers module-assistant pkg-config libncurses5-dev

1 2	apt-get update apt-get install raspberrypi-kernel-headers module-assistant pkg-config libncurses5-dev

Install rpi-source tool. This downloading full kernel sources, not only kernel headers.

wget https://raw.githubusercontent.com/notro/rpi-source/master/rpi-source -O /usr/bin/rpi-source
chmod +x /usr/bin/rpi-source
/usr/bin/rpi-source -q --tag-update

wget https://raw.githubusercontent.com/notro/rpi-source/master/rpi-source -O /usr/bin/rpi-source

chmod +x /usr/bin/rpi-source

/usr/bin/rpi-source -q --tag-update

Install kernel sources (Lack of this was the cause of problems).

rpi-source --skip-gcc

1	rpi-source --skip-gcc

You will see something like that:

root@raspberrypi:/home/pi# rpi-source --skip-gcc

 *** Using: /usr/share/doc/raspberrypi-bootloader/changelog.Debian.gz

 *** Latest firmware revision: 12e0bf86e08d6067372bc0a45d7e8a10d3113210

 *** Linux source commit: 36612d5d7a88672a3e7dd6cb458dbbbca0d75efe

 *** Kernel source already installed: /root/linux-36612d5d7a88672a3e7dd6cb458dbbbca0d75efe

root@raspberrypi:/home/pi# rpi-source --skip-gcc

*** Using: /usr/share/doc/raspberrypi-bootloader/changelog.Debian.gz

*** Latest firmware revision: 12e0bf86e08d6067372bc0a45d7e8a10d3113210

*** Linux source commit: 36612d5d7a88672a3e7dd6cb458dbbbca0d75efe

*** Kernel source already installed: /root/linux-36612d5d7a88672a3e7dd6cb458dbbbca0d75efe

I suggest you create a symlink to /usr/src/linux:

ln -s /root/linux-36612d5d7a88672a3e7dd6cb458dbbbca0d75efe /usr/src/linux

1	ln -s /root/linux-36612d5d7a88672a3e7dd6cb458dbbbca0d75efe /usr/src/linux

Copy current kernel config to downloaded kernel sources and make oldconfig:

modprobe configs
cd /usr/src/linux
zcat /proc/config.gz > .config
make oldconfig

modprobe configs

cd /usr/src/linux

zcat /proc/config.gz > .config

make oldconfig

Run module assistant:

m-a prepare

1	m-a prepare

Prepare kernel for modules compilation:

make prepare modules_prepare

1	make prepare modules_prepare

After this steps I was able to compile third party kernel modules. 🙂
At the end I would like to highly recommend ipt-netflow kernel module – it is very robust solution for sending netflows from linux machines.

Securing Asterisk SIP PBX by simple iptables rule checking if the domain is correct

01/05/2018 Jan Taczanowski 14 Comments

Hi,

For some time I’ve been looking for a simple way to protect my Asterisk SIP pbx against attacks from bots, scanners which scans and trying dialing to premium numbers. Opening SIP port to the internet causes that there was no one minute without suspect requests hitting my Asterisk. The log was full of that attempts.

While analyzing this problem I noticed that bots, scanners, attackers using everywhere IP address of my server to trying break it. While my proper clients using domain of my Asterisk server. If user is using domain name in his SIP client/phone,this domain is used in further communication on SIP protocol.

Below I will show example of INVITE (INVITE is using to establish VoIP call) SIP request from user using domain name (sip.example.com), and from user using IP address (10.10.10.10) of Asterisk server.

With domain:

INVITE sip:202@sip.example.com:5060 SIP/2.0
Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed
Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport
Route: <sip:sip.example.com:5060;lr>
Max-Forwards: 70
From: "107" <sip:107@sip.example.com:5060>;tag=d04f22eca5
To: <sip:202@sip.example.com:5060>;tag=as5bf765cf
Call-ID: 01f0d32f2156bb22
CSeq: 1027520776 INVITE

INVITE sip:202@sip.example.com:5060 SIP/2.0

Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed

Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport

Route: <sip:sip.example.com:5060;lr>

Max-Forwards: 70

From: "107" <sip:107@sip.example.com:5060>;tag=d04f22eca5

To: <sip:202@sip.example.com:5060>;tag=as5bf765cf

Call-ID: 01f0d32f2156bb22

CSeq: 1027520776 INVITE

With IP address:

INVITE sip:202@10.10.10.10:5060 SIP/2.0
Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed
Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport
Route: <sip:10.10.10.10:5060;lr>
Max-Forwards: 70
From: "107" <sip:107@10.10.10.10:5060>;tag=d04f22eca5
To: <sip:202@10.10.10.10:5060>;tag=as5bf765cf
Call-ID: 01f0d32f2156bb22
CSeq: 1027520776 INVITE

INVITE sip:202@10.10.10.10:5060 SIP/2.0

Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed

Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport

Route: <sip:10.10.10.10:5060;lr>

Max-Forwards: 70

From: "107" <sip:107@10.10.10.10:5060>;tag=d04f22eca5

To: <sip:202@10.10.10.10:5060>;tag=as5bf765cf

Call-ID: 01f0d32f2156bb22

CSeq: 1027520776 INVITE

Knowing that, I want to block requests to Asterisk server which are NOT contains my domain name. In this point I want to clarify that I have special subdomain for telephones. Bots, scanners, attackers are not knowing about this domain.
Blocking unwanted requests can be done by iptables rules with string matching.

# UDP port 5060 rule
# Allow for currently established SIP connection
iptables -A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow for packets witch contain my domain name
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT
# Drop other packets (without my domain)
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 -j DROP

# UDP port 5060 rule

# Allow for currently established SIP connection

iptables -A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow for packets witch contain my domain name

iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT

# Drop other packets (without my domain)

iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p udp --dport 5060 -j DROP

# TCP port 5060 rule
# Allow for packet which contain my domain name
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT
# Block other SIP request like REGISTER INVITE OPTION if they not contain my domain name
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
# Allow to establish TCP connection and other packets then REGISTER INVITE OPTIONS (without domain)
iptables -A INPUT -i eth0 -p tcp --dport 5060 -j ACCEPT

# TCP port 5060 rule

# Allow for packet which contain my domain name

iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT

# Block other SIP request like REGISTER INVITE OPTION if they not contain my domain name

iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP

# Allow to establish TCP connection and other packets then REGISTER INVITE OPTIONS (without domain)

iptables -A INPUT -i eth0 -p tcp --dport 5060 -j ACCEPT

Differences between rules result from different approach between TCP and UDP protocols when establishing a connection. TCP need to do three way handshake to establish connection, UDP not doing this.

After applying these rules, I did not see even one attack 🙂
At the and we can check increasing iptables counters:

asterisk:~ # iptables -nvL
Chain INPUT (policy ACCEPT 74700 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   50 42859 ACCEPT     tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 STRING match  "sip.example.com"
   14 10038 DROP       tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 STRING match  "REGISTER sip:"
    0     0 DROP       tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 STRING match  "INVITE sip:"
    0     0 DROP       tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 STRING match  "OPTIONS sip:"
  685  215K ACCEPT     tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060
   51 32475 ACCEPT     udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 state RELATED,ESTABLISHED
    2  1487 ACCEPT     udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sip.example.com"
   10  6930 DROP       udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "REGISTER sip:"
    0     0 DROP       udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "INVITE sip:"
    4  1725 DROP       udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "OPTIONS sip:"
    2    64 DROP       udp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060

asterisk:~ # iptables -nvL

Chain INPUT (policy ACCEPT 74700 packets, 24M bytes)

pkts bytes target prot opt in out source destination

50 42859 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "sip.example.com"

14 10038 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "REGISTER sip:"

0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "INVITE sip:"

0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "OPTIONS sip:"

685 215K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060

51 32475 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 state RELATED,ESTABLISHED

2 1487 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip.example.com"

10 6930 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "REGISTER sip:"

0 0 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "INVITE sip:"

4 1725 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "OPTIONS sip:"

2 64 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060

Strongswan IPsec on LEDE/OpenWRT with fast-classifier and shortcut-fe modules

10/02/2018 Jan Taczanowski 5 Comments

I have using TP-Link TL-WDR4300 router with LEDE software. Recently, thanks to fast-classifier and shortcut-fe modules the router got a second life 🙂 To my surprise after loading fast-classifier modules it can be able to pass 500Mb/s over NAT, which is absolutely great result 🙂

But after that I noticed that my site-to-site IPsec tunnel, based on Strongswan stopped working properly… Ping was working, tcp connections over tunnel could be established, but after passing some tcp packets the connection freezes. I suspected a problem with MTU, but that was not it.
After unload kmod-fast-classifier and kmod-shortcut-fe tunnel was working properly. I’m started to reading source code of fast-classifier and shortcut-fe modules. I found that:

/*
* Don't process packets that aren't being tracked by conntrack.
*/
ct = nf_ct_get(skb, &ctinfo);
if (unlikely(!ct)) {
    fast_classifier_incr_exceptions(FAST_CL_EXCEPTION_NO_CT);
    DEBUG_TRACE("no conntrack connection, ignoring\n");
    return NF_ACCEPT;
}
/*
* Don't process untracked connections.
*/
if (unlikely(nf_ct_is_untracked(ct))) {
    fast_classifier_incr_exceptions(FAST_CL_EXCEPTION_CT_NO_TRACK);
    DEBUG_TRACE("untracked connection\n");
    return NF_ACCEPT;
}

* Don't process packets that aren't being tracked by conntrack.

ct = nf_ct_get(skb, &ctinfo);

if (unlikely(!ct)) {

fast_classifier_incr_exceptions(FAST_CL_EXCEPTION_NO_CT);

DEBUG_TRACE("no conntrack connection, ignoring\n");

return NF_ACCEPT;

}

* Don't process untracked connections.

if (unlikely(nf_ct_is_untracked(ct))) {

fast_classifier_incr_exceptions(FAST_CL_EXCEPTION_CT_NO_TRACK);

DEBUG_TRACE("untracked connection\n");

return NF_ACCEPT;

}

I realized that the offloading which is doing by fast-classifier and shortcut-fe is basing on conntrack table. The next thought was that conntrack is needed to realize NAT. Only connection between my LAN and internet (WAN) should be tracked and should be in conntrack table. I don’t need to track connection beetween my local nets connected through site-to-site vpn! Connections between my local nets can be realized only based on routing table. I decided to disable conntrack for my local nets and see if it solved my problem.
My network looks as follows:

(router with LEDE) [192.168.0.0/24 | WAN IP] <<--IPsec tunnel over internet-->> [WAN IP | 192.168.1.0/24] (remote network)

1	(router with LEDE) [192.168.0.0/24 \| WAN IP] <<--IPsec tunnel over internet-->> [WAN IP \| 192.168.1.0/24] (remote network)

Strongswan configuration: /etc/ipsec.conf (192.168.0.0/24)

conn site_to_site_ipsec_tunnel
  dpdaction=clear
  dpddelay=20s
  authby=secret
  auto=add
  keyexchange=ikev2
  fragmentation=yes
  left=%any
  leftid=%any
  leftsubnet=192.168.0.0/24
  right=%any
  rightsubnet=192.168.1.0/24
  rightid=%any

conn site_to_site_ipsec_tunnel

dpdaction=clear

dpddelay=20s

authby=secret

auto=add

keyexchange=ikev2

fragmentation=yes

left=%any

leftid=%any

leftsubnet=192.168.0.0/24

right=%any

rightsubnet=192.168.1.0/24

rightid=%any

Strongswan configuration: /etc/ipsec.conf (192.168.1.0/24)

conn site_to_site_ipsec_tunnel
  authby=secret
  auto=start
  closeaction=restart
  dpddelay=20
  dpdaction=restart
  keyexchange=ikev2
  keyingtries=%forever
  fragmentation=yes
  left=%defaultroute
  leftsubnet=192.168.1.0/24
  right=<IP address of my IPsec gateway>
  rightid=%any
  rightsubnet=192.168.0.0/24

conn site_to_site_ipsec_tunnel

authby=secret

auto=start

closeaction=restart

dpddelay=20

dpdaction=restart

keyexchange=ikev2

keyingtries=%forever

fragmentation=yes

left=%defaultroute

leftsubnet=192.168.1.0/24

right=<IP address of my IPsec gateway>

rightid=%any

rightsubnet=192.168.0.0/24

File with secrets is the same on booth sides. /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
%any %any : PSK "mypassword"

1 2	# /etc/ipsec.secrets - strongSwan IPsec secrets file %any %any : PSK "mypassword"

Excluding particular connections from conntrack can be done by iptables with raw and conntrack module – I had to install them earlier.

opkg update
opkg install iptables-mod-conntrack-extra kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-raw

1 2	opkg update opkg install iptables-mod-conntrack-extra kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-raw

I excluded whole local network class – 192.168.0/0/12

iptables -t raw -A PREROUTING -s 192.168.0.0/12 -d 192.168.0.0/12 -j CT --notrack

1	iptables -t raw -A PREROUTING -s 192.168.0.0/12 -d 192.168.0.0/12 -j CT --notrack

Now my IPsec tunnel started passing traffic properly! 🙂 And there is no connections from my localnets in conntrack! (so fast-classifier not offloading this connections).
The only issue was that I was unable to connect to LEDE router (192.168.0.1) from my remote network behind IPsec tunnel. I resolved that by exclude IP of router from iptables rule:

iptables -t raw -A PREROUTING -m iprange --src-range 192.168.0.2-192.168.1.254 --dst-range 192.168.0.2-192.168.1.254 -j CT --notrack

1	iptables -t raw -A PREROUTING -m iprange --src-range 192.168.0.2-192.168.1.254 --dst-range 192.168.0.2-192.168.1.254 -j CT --notrack

I had to install iprange module before:

opkg install iptables-mod-iprange

1	opkg install iptables-mod-iprange

Now I can enjoy very fast internet connection with fast-classifier and fully working strongswan IPsec vpn connections 🙂

IKEv2 with Let’s Encrypt- robust IPsec vpn solution for Windows, Android, Linux, macOS and iOS clients

14/01/2018 Jan Taczanowski No Comments

Hello 🙂

In this post I will describe how to prepare solid vpn gateway which works flawlessly with many different clients.

I choose the solution based on modern IKEv2 protocol created with Microsoft and Cisco together. In a big simplification – IKEv2 (Internet Key Exchange version 2) is responsible to set up a security association (SA) in the IPsec protocol suite.

Advantages of IKEv2 over IKEv1 protocol:

it tolerates interruptions, latency etc. on network connection. For example, if the connection is temporarily lost, or if a user moves a client computer from one network to another, IKEv2 automatically restores the VPN after the network connection is reestablished — in transparent way to the user.
EAP authentication – we can authenticate simply, by username and password
better dead peer/tunnel detection
consume less bandwidth

IKEv2 has built in client in Windows 7 and newer and on macOS and iOS systems.
For Android there is a StrongSwan client app which is working very well. In Linux we can simply use Strongswan which is one of IPsec implementation for Linux.

In setup below I will use certificate for server obtained from Let’s Encrypt. It is needed because Windows clients will not work with self signed certificate without adding our CA as trusted. My goal is that we don’t have to provide anything other then user name and password 🙂

I will skip the part describing an obtaining a certificate from Let’s Encrypt. It is well documented in internet.
For server/gateway side I used Strongswan which provides support for IKEv2.

Server configuration

For setup server side we have to:
Install Strongswan:
(I’m installing it on OpenSUSE)

zypper install strongswan

1	zypper install strongswan

or if you using Debian based Linux distribution

apt-get install strongswan

1	apt-get install strongswan

I already have a certificate Let’s Encrypt for my domain. The typical catalog structure with the certificates from Let’s Encrypt looks as follows:

router:~ # ls -l /etc/certbot/live/taczanowski.net/
lrwxrwxrwx 1 root root  39 01-10 00:22 cert.pem -> ../../archive/taczanowski.net/cert2.pem
lrwxrwxrwx 1 root root  40 01-10 00:22 chain.pem -> ../../archive/taczanowski.net/chain2.pem
lrwxrwxrwx 1 root root  44 01-10 00:22 fullchain.pem -> ../../archive/taczanowski.net/fullchain2.pem
lrwxrwxrwx 1 root root  42 01-10 00:22 privkey.pem -> ../../archive/taczanowski.net/privkey2.pem
-rw-r--r-- 1 root root 543 11-10 18:23 README

router:~ # ls -l /etc/certbot/live/taczanowski.net/

lrwxrwxrwx 1 root root 39 01-10 00:22 cert.pem -> ../../archive/taczanowski.net/cert2.pem

lrwxrwxrwx 1 root root 40 01-10 00:22 chain.pem -> ../../archive/taczanowski.net/chain2.pem

lrwxrwxrwx 1 root root 44 01-10 00:22 fullchain.pem -> ../../archive/taczanowski.net/fullchain2.pem

lrwxrwxrwx 1 root root 42 01-10 00:22 privkey.pem -> ../../archive/taczanowski.net/privkey2.pem

-rw-r--r-- 1 root root 543 11-10 18:23 README

To use it in Strongswan it is necessary to create links to certificates and keys:

ln -s /etc/certbot/live/taczanowski.net/cert.pem /etc/ipsec.d/certs/cert.pem
ln -s /etc/certbot/live/taczanowski.net/chain.pem /etc/ipsec.d/certs/chain.pem
ln -s /etc/certbot/live/taczanowski.net/privkey.pem /etc/ipsec.d/private/privkey.pem

ln -s /etc/certbot/live/taczanowski.net/cert.pem /etc/ipsec.d/certs/cert.pem

ln -s /etc/certbot/live/taczanowski.net/chain.pem /etc/ipsec.d/certs/chain.pem

ln -s /etc/certbot/live/taczanowski.net/privkey.pem /etc/ipsec.d/private/privkey.pem

W need to provide Let’s Encrypt intermediate certificate:

wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O \
/etc/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem

1 2	wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O \ /etc/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem

This is very important step, I was spent a lot of hours to discover that Windows works properly only if we are providing intermediate certificate. Other CA certs in /etc/ipsec.d/cacerts/ , especially self-signed may also causing problems

Now we can edit /etc/ipsec.conf
My configuration looks as follows:

router:~ # cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
    # Allow for multiple connections form one account
	uniqueids = no
	charondebug = ike 3, cfg 3

conn IKEV2
	auto=add
	dpdaction=clear
    dpddelay=60s
    rekey=no
	fragmentation=yes
	keyexchange=ikev2

	# left - server configuration
	left=%any
	leftsubnet=0.0.0.0/0 #all client traffic is redirected through vpn gateway
	leftauth=pubkey
	leftcert=cert.pem
	leftsendcert=always
	leftid=taczanowski.net

	# right - client confguration
	right=%any
	rightsourceip=192.168.62.0/24 # pool of IPs which we providing for vpn clients
	rightauth=eap-mschapv2  # authenticate by username and password
	rightsendcert=never
	rightdns=8.8.8.8 # DNS server for clients
	rightid=%any
	eap_identity=%identity

router:~ # cat /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

# strictcrlpolicy=yes

# Allow for multiple connections form one account

uniqueids = no

charondebug = ike 3, cfg 3

conn IKEV2

auto=add

dpdaction=clear

dpddelay=60s

rekey=no

fragmentation=yes

keyexchange=ikev2

# left - server configuration

left=%any

leftsubnet=0.0.0.0/0 #all client traffic is redirected through vpn gateway

leftauth=pubkey

leftcert=cert.pem

leftsendcert=always

leftid=taczanowski.net

# right - client confguration

right=%any

rightsourceip=192.168.62.0/24 # pool of IPs which we providing for vpn clients

rightauth=eap-mschapv2 # authenticate by username and password

rightsendcert=never

rightdns=8.8.8.8 # DNS server for clients

rightid=%any

eap_identity=%identity

After that we have to add private key (/etc/ipsec.d/private/privkey.pem) and define usernames and passwords for vpn clients.

router:~ # cat /etc/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
: RSA privkey.pem
user1 : EAP "user1_password"
user2 : EAP "user2_password"

router:~ # cat /etc/ipsec.secrets

# ipsec.secrets

# This file holds the RSA private keys or the PSK preshared secrets for

# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.

: RSA privkey.pem

user1 : EAP "user1_password"

user2 : EAP "user2_password"

This is the whole Strongswan configuration. To apply configuration Strongswan must be restarted:

 service strongswan restart

1	service strongswan restart

If don’t have configured NAT/masquerade your clients will not have internet.

If you want allow your clients access to the internet, you have to enable nat/masquerade

iptables -t nat -A POSTROUTING -s 192.168.62.0/24 -j MASQUERADE

1	iptables -t nat -A POSTROUTING -s 192.168.62.0/24 -j MASQUERADE

In some cases there is a problem with mtu/mss which can cause for example problem with opening some web pages. Strongswan documentation recommends reduce the MSS for packets transmitded through tunnel. Strongswan documentation
To reduce the mss, add a rule to iptables:

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1201:1536 \
-j TCPMSS --set-mss 1200
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN \
-m tcpmss --mss 1201:1536 -j TCPMSS --set-mss 1200

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1201:1536 \

-j TCPMSS --set-mss 1200

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN \

-m tcpmss --mss 1201:1536 -j TCPMSS --set-mss 1200

From my observations, reducing mss to 1200 ensures trouble-free operation on all clients

Clients configuration

In most clients it is trivial.
Windows

Android

iPhone – iOS

macOS
Very simple configuration, analogous to iOS/iPhone

Linux
Unfortunately, manual configuration is slightly complicated. But then it works very well.
In newer releases of Linux distribution there is a gui plugin for network manager which provide easy configuration of vpn connection. But I haven’t tried it.

Strongswan configuration: /etc/ipsec.conf

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.conf 
# ipsec.conf - strongSwan IPsec configuration file

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

conn ikev2
    right=taczanowski.net
    rightid=%taczanowski.net
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftauth=eap
    leftdns=%config4
    fragmentation=yes
    eap_identity=user1
    auto=add

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup

# strictcrlpolicy=yes

# uniqueids = no

conn ikev2

right=taczanowski.net

rightid=%taczanowski.net

rightsubnet=0.0.0.0/0

rightauth=pubkey

leftsourceip=%config

leftauth=eap

leftdns=%config4

fragmentation=yes

eap_identity=user1

auto=add

password for user1 i stored in /etc/ipsec.secret:

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.secrets 
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
user1 : EAP "user1_password"

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.secrets

# ipsec.secrets

# This file holds the RSA private keys or the PSK preshared secrets for

# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.

user1 : EAP "user1_password"

We have to had intermediate and CA root certyficate in /etc/ipsec.d/cacerts:
intermediate:

wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O \
/etc/strongswan/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem

1 2	wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O \ /etc/strongswan/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem

root CA certificate is available to copy from DST Root CA X3
I had to copy it to a file in such way (with adding “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“:

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.d/cacerts/root.pem
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

x201:/etc/ipsec.d/cacerts # cat /etc/ipsec.d/cacerts/root.pem

-----BEGIN CERTIFICATE-----

MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/

MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT

DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow

PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD

Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB

AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O

rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq

OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b

xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw

7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD

aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV

HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG

SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69

ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr

AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz

R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5

JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo

Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ

-----END CERTIFICATE-----

In the default configuration, strongswan does not set the dns addresses provided by the server. This behavior can be changed by editing /etc/strongswan.d/charon/resolv.conf. I uncommented line with “file = /etc/resolv.conf”

x201:/etc/ipsec.d/cacerts # cat /etc/strongswan.d/charon/resolve.conf 
resolve {

    # File where to add DNS server entries.
    file = /etc/resolv.conf

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    resolvconf {

        # Prefix used for interface names sent to resolvconf(8).
        # iface_prefix = lo.inet.ipsec.

    }

}

x201:/etc/ipsec.d/cacerts # cat /etc/strongswan.d/charon/resolve.conf

resolve {

# File where to add DNS server entries.

file = /etc/resolv.conf

# Whether to load the plugin. Can also be an integer to increase the

# priority of this plugin.

load = yes

resolvconf {

# Prefix used for interface names sent to resolvconf(8).

# iface_prefix = lo.inet.ipsec.

}

Restart Strongswan:

service strongswan restart

1	service strongswan restart

And connection should be start:

ipsec up ikev2

1	ipsec up ikev2

We can check connection status:

x201:/etc/ipsec.d/cacerts # ipsec status
Security Associations (1 up, 0 connecting):
       ikev2[1]: ESTABLISHED 12 seconds ago, 192.168.50.132[192.168.50.132]...192.168.51.1[taczanowski.net]
       ikev2{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cfdfc3f7_i c14e6cdb_o
       ikev2{1}:   192.168.62.3/32 === 0.0.0.0/0

x201:/etc/ipsec.d/cacerts # ipsec status

Security Associations (1 up, 0 connecting):

ikev2[1]: ESTABLISHED 12 seconds ago, 192.168.50.132[192.168.50.132]...192.168.51.1[taczanowski.net]

ikev2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cfdfc3f7_i c14e6cdb_o

ikev2{1}: 192.168.62.3/32 === 0.0.0.0/0

And disconnect connection:

ipsec down ikev2

1	ipsec down ikev2

[Update 21.12.2018]

Carsten who reads this post shared with me some observations with configuring IKEv2 connections on Windows clients.

In more sophisticated scenario, than described here when we don’t want to set vpn connection as default gateway for clients (redirect all trafic to vpn tunnel), but we want use vpn connection only for some specified remote networks then Windows client is a problem.
Windows has no support for traffic selector provided by strongSwan.
Carsten writes:

The VPN LAN should be different to the remote LAN.
Therefore in Windows “Use default gateway on remote network” must be set.
Therefore “leftsubnet=0.0.0.0/0” is necessary, because all traffic of the client goes through the VPN (which is not nice).
Without “Use default gateway on remote network” Windows only sets a route for the VPN LAN, which is useless. It should be possible to set a route to the remote LAN by using the PowerShell. I haven’t tried that yet.

This problem is also described here

Thanks Carsten for sharing your observations.