StrongSwan IKEv2 Pubkey Server Settings

StrongSwanのインストール

# apt install libstrongswan libstrongswan-standard-plugins \
  strongswan strongswan-charon strongswan-libcharon \
  strongswan-starterroot libcharon-extauth-plugins \
  libcharon-extra-plugins strongswan-charon strongswan-libcharon \
  resolvconf

StrongSwanとFirewallの設定

config setup
 cachecrls=no
 strictcrlpolicy=no

conn %default
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=1
 keyexchange=ikev2

conn common
 left=bluefin.ga
 leftid=bluefin.ga
 leftid2=@bluefin.ga
 leftcert=server@bluefin.ga.crt
 leftauth=pubkey
 #ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
 #esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

 # PUBKEY for Linux(NetworkManager applet), Windows, macOS, Android(strongswan)
conn client-linux
 leftsubnet=0.0.0.0/0,::/0
 leftsendcert=always
 right=%any
 rightid2=@bluefin.ga.roadwarrior
 rightauth=pubkey
 rightsourceip=192.168.100.0/27,2a01:4f8:ffff:ffff:1000::/112
 rightfirewall=yes
 rightsendcert=ifasked
 dpdaction=restart
 dpddelay=300s
 rekey=no
 reauth=no
 fragmentation=yes
 ike=aes128-sha256-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048
 esp=aes128-sha256-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048
 also=common
 auto=add
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

: RSA server@bluefin.ga.pem

#pokemonGO : EAP "pikatyu"
# IPsec
ACCEPT          net     $FW             esp
ACCEPT          net     $FW             udp     500,4500
ACCEPT          $FW     net             esp
ACCEPT          $FW     net             udp     500,4500
#IPsec
iptables -I INPUT    -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I PREROUTING -m policy --pol ipsec --dir in -j ACCEPT
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

# MTU/MSS fix
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

証明書および鍵の配置

ipsec.d
|-- aacerts
|-- acerts
|-- cacerts
|   `-- bluefin_CA.crt
|-- certs
|   `-- server@bluefin.ga.crt
|-- crls
|   `-- bluefin_CA_1.pem
|-- ocspcerts
|-- policies
|-- private
|   `-- server@bluefin.ga.pem
|-- reqs
`-- server
    `-- cacert

証明書の作成

OpenSSLを使い証明書を作成します。手間のかかる作業なのでXCAというフロントエンドを使います。

ルート証明書

サーバー用証明書

クライアント証明書

CA証明書の書き出し

サーバ証明書の書き出し

クライアント証明書の書き出し

PKCS#12はWindowsやAndroidで使います。

DNSの設定