12

I'm looking for a configuration instructions for IKEv2 VPN that uses pre-shared keys instead of certs (those are different methods for tunnel encryption I'd assume?).

I've followed this wonderful tutorial to get IKEv2 VPN working (with certificate) and it works.

My question is what needs to be changed so that it would use PSK instead? I'd assume changes in /etc/ipsec.secrets and /etc/ipsec.conf are to be made.

My current ipsec.conf looks like this:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

UPD: Based on my tinkering and @ChandanK answer, I've made two scripts to deploy a StrongSwan VPN server on a fresh Ubuntu 16.04 install here: https://github.com/truemetal/ikev2_vpn

Dannie P
  • 253
  • 1
  • 2
  • 10

2 Answers2

11

Assuming that you want to setup your right side with psk. This is fairly easy.

1. remove eap_identity and rightsendcert fields. 2. set rightauth=secret

Now edit /etc/ipsec.secrets file:

1. remove "your_username %any% : EAP "your_password"" line. 2. add ": PSK <your_password>"

Then reread the secrets and restart the service.

$sudo ipsec rereadsecrets $sudo ipsec reload $sudo ipsec restart

All set. Follow "Connecting from iOS" and create a new ikev2 vpn connection. In authentication settings select none and put the shared secret key. Hopefully you connect.

Edit:

Based on the comments, configuration changes required to switch to pre-shared key authentication:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    authby=secret

Remove the following line from ipsec.secrets:

server_name_or_ip : RSA "/etc/ipsec.d/private/vpn-server-key.pem

Then reread the secrets and restart the service.

ChandanK
  • 281
  • 2
  • 5
  • Hey. Thanks for your answer. So `left` is VPN server, and `right` are iOS clients. I'd probably prefer to keep `username/password pair` and use `PSK` instead of `cert`. I do have to use either `cert` or `PSK`, correct? – Dannie P Aug 25 '17 at 12:07
  • Anything should be added to `ipsec.conf` for PSK? What about `leftcert` and `leftsendcert` fields, are those to be removed? – Dannie P Aug 25 '17 at 12:07
  • leftcert and leftsendcert is for server verification with client. In your client side ipsec.conf (on ubuntu client for example) you should have "rightauth=pubkey". Obviously you have to copy server-root-ca.pem at desired location. If your concern is this should also be psk, then remove these two lines and add leftauth=secret. Also you need to change the ipsec.secrets file too to incorporate this change and be careful with ids. Check out this: https://wiki.strongswan.org/projects/strongswan/wiki/Ipsecsecrets – ChandanK Aug 29 '17 at 16:14
  • I need to use `psk` instead of `.pem cert`. Could you please extend your answer with the correct `ipsec.conf` contents? I'll deploy a VPS and test that configuration right if you do that. – Dannie P Aug 30 '17 at 09:54
  • * right away, if you do that – Dannie P Aug 30 '17 at 10:15
  • 1
    For a simple setup: you can remove `leftcert` and `leftsendcert` fields. Also remove `rightauth=secret` and add `authby=secret`. This will take care both {left|rightauth=psk}. Also remove `server_name_or_ip : RSA "/etc/ipsec.d/private/vpn-server-key.pem"` from ipsec.secrets file. You don't need this. Finally `sudo ipsec rereadsecrets|reload|restart`. All set, connect from client. – ChandanK Aug 31 '17 at 03:05
  • I've adjusted `ipsec.conf` according to your comments above. Please confirm if that looks right: https://pastebin.com/Y3mDsBqQ – Dannie P Aug 31 '17 at 21:58
  • Looks good. Add `rightsubnet=10.10.10.0/24`. – ChandanK Sep 01 '17 at 01:32
  • Did you got this working? – ChandanK Sep 02 '17 at 01:27
  • I've just checked and It did work. Thank you. Adding right subnet tuned out to be not necessary - worked without that. Please add contents of the `ipsec.conf` from last `pastebin` for others to see and I'll accept your answer. – Dannie P Sep 02 '17 at 17:26
  • @ChandanK Is this the way to setup your VPN when you need a shared secret? (if yes, what will be the shared secret in the case above?) – DenCowboy Jan 22 '18 at 08:58
  • @ChandanK Is it PSK ? + do I need to follow any of the steps about certificates (in this tutorial) – DenCowboy Jan 22 '18 at 11:54
  • @DenCowboy PSK stands for "pre shared key"; if you're looking forward that, you should not really need certificates – Dannie P Jan 23 '18 at 00:00
  • @DannieP thanks, tonight I'll try the setup. But what is the "shared secret". For example on google cloud I need to provide a shared secret when I create a tunnel: https://www.cloudassessments.com/blog/extend-your-network-to-google-cloud-using-cloud-vpn/ – DenCowboy Jan 23 '18 at 06:47
  • 1
    @DenCowboy I think you can try the PSK as shared secret. It works here in macOS settings: https://www.evernote.com/l/AYVKjgmPfIVIGZ4csEQjNoSwIgy0R43Q79kB/image.png – Dannie P Jan 23 '18 at 12:11
  • Thanks! So that's the in the answer of ChandanK? – DenCowboy Jan 23 '18 at 12:24
  • 1
    @DenCowboy yes, right. I've found some time and posted my scripts on github, check it out - maybe you'll find it useful: https://github.com/truemetal/ikev2_vpn – Dannie P Jan 23 '18 at 13:58
  • It was very useful. I'm able to connect to my VPN, the only 'issue' remaining is that I loose my internet connection when I'm connected. I'm checking the strongswan forums now. – DenCowboy Jan 25 '18 at 19:06
  • @DenCowboy internet drops right after you run the script and connect to vpn? It definitely worked for me (the PSK way), I connected from macos. – Dannie P Feb 06 '18 at 13:52
  • @DenCowboy I've found issues like that happen when you screw up something in iptables. That's actually the reason I made those scripts - I would just screw something up when copying the commands by hand. – Dannie P Feb 06 '18 at 13:54
  • @DenCowboy I've checked `ikev2-deploy-certs.sh` and it works. Anyways since several people asked questions on this script, I've updated the repo with a demo video on deployment and connection using that script. It's on the front page (readme) now. Cheers – Dannie P Feb 07 '18 at 13:41
3

Based on my tinkering and @ChandanK answer, I've made two scripts to deploy a StrongSwan VPN server on a fresh Ubuntu 16.04 install here: https://github.com/truemetal/ikev2_vpn

Dannie P
  • 253
  • 1
  • 2
  • 10
  • Hi I follow your thread and got this error `unable to resolve %any, initiate aborted`, any idea? – 23r23f23q Jul 04 '18 at 16:20
  • Hey @23r23f23q, I'm not sure what the problem could be, but you might want to check out the deployment demo video on the GitHub repo page - it worked in February. Cheers – Dannie P Jul 04 '18 at 17:04