Azure IPsec Site to Site strongSwan

Exported from Notepad++
# As of 11/2019
####
# Site-to-Site (net to net)
# VPN server DNS (Azure): sdvc4fqaf3qfref.westeurope.cloudapp.azure.com
# Important, otherwise you get the error "certificate status is not available"
# Client DNS (local): bit-devil.ddns.net
# Important, otherwise you get the error "certificate status is not available"
#
openssl genrsa -aes-256-cbc -out /etc/ipsec.d/private/ca.key 2048
openssl req -new -sha512 -key /etc/ipsec.d/private/ca.key -x509 -days 365 -subj '/C=CA/ST=CA State/L=CA/O=CA/OU=CA/CN=CA/emailAddress=root@ca.ddns.net' -out /etc/ipsec.d/cacerts/ca.crt
#
openssl genrsa -aes256 -out /etc/ipsec.d/private/vpn-server.key 2048
openssl genrsa -aes256 -out /etc/ipsec.d/private/client.key 2048
openssl req -new -sha512 -key /etc/ipsec.d/private/vpn-server.key -subj '/C=AA/ST=BB/L=CC/O=DD/OU=EE/CN=sdvc4fqaf3qfref.westeurope.cloudapp.azure.com/emailAddress=root@vpn-server.ddns.net' -out /etc/ipsec.d/reqs/vpn-server.csr
openssl req -new -sha512 -key /etc/ipsec.d/private/client.key -subj '/C=FF/ST=GG/L=HH/O=II/OU=JJ/CN=bit-devil.ddns.net/emailAddress=root@client.ddns.net' -out /etc/ipsec.d/reqs/client.csr
openssl x509 -req -days 365 -in /etc/ipsec.d/reqs/vpn-server.csr -CA /etc/ipsec.d/cacerts/ca.crt -CAkey /etc/ipsec.d/private/ca.key -CAcreateserial -out /etc/ipsec.d/certs/vpn-server.crt
openssl x509 -req -days 365 -in /etc/ipsec.d/reqs/client.csr -CA /etc/ipsec.d/cacerts/ca.crt -CAkey /etc/ipsec.d/private/ca.key -CAcreateserial -out /etc/ipsec.d/certs/client.crt
#####
# copy files to client
scp -r cacerts/ca.crt 172.17.190.48:/etc/ipsec.d/cacerts/
scp -r certs/client.crt 172.17.190.48:/etc/ipsec.d/certs/
scp -r private/client.key 172.17.190.48:/etc/ipsec.d/private/
scp -r certs/vpn-server.crt 172.17.190.48:/etc/ipsec.d/certs/
###########
# Client config (minimal)
vi /etc/ipsec.conf
conn azure
    keyexchange=ikev2
    #
    leftsubnet=172.17.0.0/16
    leftcert=client.crt
    #
    right=sdvc4fqaf3qfref.westeurope.cloudapp.azure.com
    rightcert=vpn-server.crt
    rightsubnet=10.0.0.0/24
    #
    auto=add

# Server config (minimal)
vi /etc/ipsec.conf
conn azure
    keyexchange=ikev2
    #
    leftsubnet=10.0.0.0/24
    leftcert=vpn-server.crt
    left=%any
    leftfirewall=yes
    #
    right=%any
    rightcert=client.crt
    rightsubnet=172.17.0.0/16
    #
    auto=add
###
# On all VPN gateways
echo 1 > /proc/sys/net/ipv4/ip_forward
###
# On the VPN server (gateway in Azure). Masquerade the IP coming from outside, because M$ overrides the routing. Alternatively create a Route Table in the Azure portal.
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 -d 10.0.0.0/24 -j MASQUERADE
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -L
##############
# Add the route on the local side
route add -net 10.0.0.0/24 gw 172.17.190.48
# Create the route on the Azure VMs (not needed with MASQUERADE). Alternatively create a Route Table in the Azure portal.
# Lnx:
route add -net 172.17.0.0/16 gw 10.0.0.4
# Win (mask 255.255.0.0 = /16, matching rightsubnet=172.17.0.0/16):
route add 172.17.0.0 mask 255.255.0.0 10.0.0.4 metric 1 if 6
##############
##################################
##################################
# elliptic curve certificate
# CA
cd /etc/ipsec.d
openssl ecparam -name brainpoolP512t1 -genkey | openssl ec -aes256 -out /etc/ipsec.d/private/ca.key
openssl req -new -sha512 -key /etc/ipsec.d/private/ca.key -x509 -days 365 -subj '/C=CA/ST=CA State/L=CA/O=CA/OU=CA/CN=CA/emailAddress=root@ca.ddns.net' -out /etc/ipsec.d/cacerts/ca.crt
openssl x509 -fingerprint -noout -in /etc/ipsec.d/cacerts/ca.crt
ipsec pki --print --in cacerts/ca.crt
openssl x509 -in cacerts/ca.crt -text
# Server/client private key
openssl ecparam -name brainpoolP512t1 -genkey | openssl ec -aes256 -out /etc/ipsec.d/private/vpn-server.key
openssl ecparam -name brainpoolP512t1 -genkey | openssl ec -aes256 -out /etc/ipsec.d/private/client.key
# Server/client cert request
openssl req -new -sha512 -key /etc/ipsec.d/private/vpn-server.key -subj '/C=AA/ST=BB/L=CC/O=DD/OU=EE/CN=sdvc4fqaf3qfref.westeurope.cloudapp.azure.com/emailAddress=root@vpn-server.ddns.net' -out /etc/ipsec.d/reqs/vpn-server.csr
openssl req -new -sha512 -key /etc/ipsec.d/private/client.key -subj '/C=FF/ST=GG/L=HH/O=II/OU=JJ/CN=bit-devil.ddns.net/emailAddress=root@client.ddns.net' -out /etc/ipsec.d/reqs/client.csr
## Server/client cert
openssl x509 -req -days 365 -in /etc/ipsec.d/reqs/vpn-server.csr -CA /etc/ipsec.d/cacerts/ca.crt -CAkey /etc/ipsec.d/private/ca.key -CAcreateserial -out /etc/ipsec.d/certs/vpn-server.crt
openssl x509 -req -days 365 -in /etc/ipsec.d/reqs/client.csr -CA /etc/ipsec.d/cacerts/ca.crt -CAkey /etc/ipsec.d/private/ca.key -CAcreateserial -out /etc/ipsec.d/certs/client.crt
ipsec pki --print --in certs/vpn-server.crt
ipsec pki --print --in certs/client.crt
openssl x509 -in certs/vpn-server.crt -text
openssl x509 -in certs/client.crt -text
##################################
##################################
# Road warrior minimal
# Generate the certificates as above, but only the CA and the VPN server
# VPN server (Azure)
vi /etc/ipsec.d/ipsec.conf
conn azure
    #
    left=%any
    leftsubnet=10.0.0.0/24
    leftfirewall=yes
    leftid="C = AA, ST = BB, L = CC, O = DD, OU = EE, CN = sdvc4fqaf3qfref.westeurope.cloudapp.azure.com"
    leftcert=vpn-server.crt
    leftauth=pubkey
    #
    rightsourceip=172.17.190.123
    rightauth=eap-md5
    rightsendcert=never
    right=%any
    rightsubnet=172.17.0.0/16
    #
    eap_identity=%any
    auto=add
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

vi /etc/ipsec.d/ipsec.secrets
rw_lokal : EAP "test1234"

# Client (road warrior, local)
vi /etc/ipsec.d/ipsec.conf
conn azure
    #
    leftfirewall=yes
    left=%defaultroute
    leftsourceip=%config
    leftauth=eap
    #
    right=sdvc4fqaf3qfref.westeurope.cloudapp.azure.com
    rightsubnet=10.0.0.0/24
    rightauth=pubkey
    rightid="C = AA, ST = BB, L = CC, O = DD, OU = EE, CN = sdvc4fqaf3qfref.westeurope.cloudapp.azure.com"
    rightcert=vpn-server.crt
    #
    auto=add
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

# Before bringing up the connection, supply the username and password first: "ipsec stroke user-creds azure rw_lokal test1234".
# Then as usual: "ipsec up azure"
##################################
##################################
# RW eap-gtc (user/password checked against PAM or passwd)
# CA
cd /etc/ipsec.d
openssl ecparam -name brainpoolP512t1 -genkey | openssl ec -aes256 -out /etc/ipsec.d/private/ca.key
# note: a "subjectAltName=" component inside -subj becomes a DN attribute, not a SAN extension
openssl req -new -sha512 -key /etc/ipsec.d/private/ca.key -x509 -days 365 -subj '/C=CA/ST=CA State/L=CA/O=CA/OU=CA/CN=CA/subjectAltName=ca.ddns.net/emailAddress=root@ca.ddns.net' -out /etc/ipsec.d/cacerts/ca.crt
openssl x509 -fingerprint -noout -in /etc/ipsec.d/cacerts/ca.crt
ipsec pki --print --in cacerts/ca.crt
openssl x509 -in cacerts/ca.crt -text
# Server/client private key
openssl ecparam -name brainpoolP512t1 -genkey | openssl ec -aes256 -out /etc/ipsec.d/private/vpn-server.key
openssl ecparam -name brainpoolP512t1 -genkey | openssl ec -aes256 -out /etc/ipsec.d/private/client.key
# Server/client cert request
openssl req -new -sha512 -key /etc/ipsec.d/private/vpn-server.key -subj '/C=AA/ST=BB/L=CC/O=DD/OU=EE/CN=sdvc4fqaf3qfref.westeurope.cloudapp.azure.com/subjectAltName=vpn-server.ddns.net/emailAddress=root@vpn-server.ddns.net' -out /etc/ipsec.d/reqs/vpn-server.csr
openssl req -new -sha512 -key /etc/ipsec.d/private/client.key -subj '/C=FF/ST=GG/L=HH/O=II/OU=JJ/CN=bit-devil.ddns.net/subjectAltName=client.ddns.net/emailAddress=root@client.ddns.net' -out /etc/ipsec.d/reqs/client.csr
## Server/client cert
openssl x509 -req -days 365 -in /etc/ipsec.d/reqs/vpn-server.csr -CA /etc/ipsec.d/cacerts/ca.crt -CAkey /etc/ipsec.d/private/ca.key -CAcreateserial -out /etc/ipsec.d/certs/vpn-server.crt
openssl x509 -req -days 365 -in /etc/ipsec.d/reqs/client.csr -CA /etc/ipsec.d/cacerts/ca.crt -CAkey /etc/ipsec.d/private/ca.key -CAcreateserial -out /etc/ipsec.d/certs/client.crt
ipsec pki --print --in certs/vpn-server.crt
ipsec pki --print --in certs/client.crt
openssl x509 -in certs/vpn-server.crt -text
openssl x509 -in certs/client.crt -text
##################################
##################################
# Azure VPN server
vi /etc/ipsec.d/ipsec.conf
conn azure
    #
    left=%any
    leftsubnet=10.0.0.0/24
    leftfirewall=yes
    #leftid="C=BI, O=Bit-Devil, CN=bit-devil.no-ip.org"   # stale duplicate leftid, does not match vpn-server.crt; keep disabled
    leftid="C = AA, ST = BB, L = CC, O = DD, OU = EE, CN = sdvc4fqaf3qfref.westeurope.cloudapp.azure.com"
    leftcert=vpn-server.crt
    leftauth=pubkey
    #
    rightsourceip=172.17.190.123
    rightauth=eap-gtc
    rightsendcert=never
    right=%any
    rightsubnet=172.17.0.0/16
    #
    eap_identity=%any
    auto=add
    #ikelifetime=60m   # superseded by ikelifetime=30m below
    keylife=20m
    #rekeymargin=3m    # alias of margintime, which is set to 9m below
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    type=tunnel
    compress=yes
    forceencaps=yes
    ikelifetime=30m
    dpdaction=clear
    dpddelay=30m
    dpdtimeout=45m
    rekey=yes
    rekeyfuzz=100%
    margintime=9m
    #
    ike=aes256gcm128-sha512-ecp512bp
    esp=aes256gcm128-sha512-ecp512bp

vi /etc/ipsec.d/ipsec.secrets
: ECDSA vpn-server.key "test1234"

# Client road warrior
vi /etc/ipsec.d/ipsec.conf
conn azure
    #
    leftfirewall=yes
    left=%defaultroute
    leftsourceip=%config
    leftauth=eap-gtc
    #
    right=sdvc4fqaf3qfref.westeurope.cloudapp.azure.com
    rightsubnet=10.0.0.0/24
    rightauth=pubkey
    rightid="C = AA, ST = BB, L = CC, O = DD, OU = EE, CN = sdvc4fqaf3qfref.westeurope.cloudapp.azure.com"
    rightcert=vpn-server.crt
    #
    auto=add
    #ikelifetime=60m   # superseded by ikelifetime=30m below
    keylife=20m
    #rekeymargin=3m    # alias of margintime, which is set to 9m below
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    type=tunnel
    compress=yes
    forceencaps=yes
    ikelifetime=30m
    dpdaction=clear
    dpddelay=30m
    dpdtimeout=45m
    rekey=yes
    rekeyfuzz=100%
    margintime=9m
    #
    ike=aes256gcm128-sha512-ecp512bp
    esp=aes256gcm128-sha512-ecp512bp
#
vi /etc/ipsec.d/ipsec.secrets
: ECDSA client.key "test1234"

ipsec stroke user-creds azure <linux-os-user> <password>
ipsec up azure
# Enable IP forwarding as needed.
###########################################################
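Added example (not part of these notes or of strongSwan): a small stdlib-only Python checker for the kind of ipsec.conf conn blocks above. It parses the indented key=value lines (tolerating "margintime = 9m"), reports keys set twice with different values (like the two leftid lines in the eap-gtc server block), checks that a rightid/leftid DN carries the same CN as the right=/left= host the notes insist on, and flags conns that rely on default ike=/esp= proposals. The SAMPLE conn is constructed for the demo.

```python
SAMPLE = """\
conn azure
    left=%any
    leftsubnet=10.0.0.0/24
    leftid="C=BI, O=Bit-Devil, CN=bit-devil.no-ip.org"
    leftid="C = AA, ST = BB, L = CC, O = DD, OU = EE, CN = sdvc4fqaf3qfref.westeurope.cloudapp.azure.com"
    leftcert=vpn-server.crt
    right=%any
    rightauth=eap-gtc
    keyexchange=ikev2
    margintime = 9m
"""

def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {section: [(key, value), ...]}; duplicate keys are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented line opens a section
            current = " ".join(line.split())       # e.g. "conn azure"
            sections[current] = []
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value.strip('"')))
    return sections

def parse_dn(dn):
    """'C = AA, CN = host' -> {'C': 'AA', 'CN': 'host'}; spaces around '=' are tolerated."""
    pairs = (part.split("=", 1) for part in dn.split(",") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_conn(params):
    """Findings for one conn: conflicting duplicates, id/CN mismatch, missing proposals."""
    findings, seen = [], {}
    for key, value in params:
        if key in seen and seen[key] != value:
            findings.append(f"duplicate {key}: {seen[key]!r} then {value!r}")
        seen[key] = value
    for side in ("left", "right"):
        host, ident = seen.get(side, ""), seen.get(side + "id", "")
        if host and not host.startswith("%") and ident:   # %any / %defaultroute carry no name
            cn = parse_dn(ident).get("CN")
            if cn != host:
                findings.append(f"{side}={host} but {side}id has CN={cn}")
    for prop in ("ike", "esp"):
        if prop not in seen:
            findings.append(f"no explicit {prop}= proposal; strongSwan defaults apply")
    return findings

if __name__ == "__main__":
    for name, params in parse_ipsec_conf(SAMPLE).items():
        for finding in audit_conn(params):
            print(f"{name}: {finding}")
```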
