howto/IPsecWithPublicKeys/strongSwan5Example.md
@@ -0,0 +1,119 @@
+# IPsec with public key authentication on strongSwan >= 5.0.0
+## Setup
+### Generate an RSA keypair
+
+ root@debian:~# mkdir /etc/ipsec.d/public
+ root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
+ root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
+ root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
+
+### Exchange public keys with your peer
+1. Display the public key. Send the key data to your peer.
+
+ root@debian:~# more /etc/ipsec.d/public/mykey.pub
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
+ nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
+ 9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
+ +Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
+ fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
+ 7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
+ tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
+ JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
+ MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
+ rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
+ PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
+ ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
+ -----END PUBLIC KEY-----
+
+2. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
+
+[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"
+
+## Configuration
+### Configure the phase 1 IKE parameters
+In this example, we'll use the following settings:
+
+| Key | Value |
+| :------------ | :------------ |
+| Encryption | AES-128 |
+| Hash | HMAC-SHA1 |
+| DH Group | 5 (modp1536) |
+| Lifetime | 28800 seconds |
+| Peer address | 192.0.2.2 |
+| Local address | 192.0.2.1 |
+
+1. Add your peer's public key
+
+ root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pub
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
+ IfEgaq9488GU2nkuR1gZK4/CphrccmztgADU/TkiE5IOOo7zKPparcl8dZwJfX+j
+ 9oIEfvIHqWbF8rIkmJDAn5ZQANDsVKSVvu8nqNZhAslBkFUw1Il6KJrdZEwV4ILL
+ jZmPjN/TIpzPStufeKLfUr7OodFnJXdvWGW1OwRVR8YPZP+13S2nbaqohJZYulTz
+ EcEaWFhXRKzm1dxXqt2H0S93mv5CT0JzVUAv35lB39NMqcRwrg5Fsw0z448nlenS
+ pIDnP8AIPm5shNf9kZJCksOE9GfPMz5KZDOoR3rWPvvapY/Zs+SBz8drPwHrZahG
+ KjxV2Txl7XYkFEWvre+rpiWSidIsnzizEBQ1ea6Inwd6Y29uzmQLhus1OPfhnCIk
+ AVycK+stCZObPl6abomk/avaT+FwnjRgSZzkotlbA2IHgEjF26C4a3ZUGBwDZ+7r
+ U2A7DKbHRN84f62BcMyiZpavXPvk4AUQD5+lRItbFDDeZYtoIdHb9gmMcNHWsGL8
+ YVxF2A8IAvr7Q1TQfwm2WPAWvjai2rbl6w8ZYiQBPUwkFtUATXU7XyGcLmjCGJGg
+ HZoAqPHddX1z7HosFId+SSc7ugCnUNtwSYHq+DczBVdTa65aPv758zxeKzUqJBKy
+ mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
+ -----END PUBLIC KEY-----
+ EOF
+
+2. Configure a connection policy in ipsec.conf for your peer
+
+ root@debian:~# cat << EOF >> /etc/ipsec.conf
+ conn MYPEER
+ # peer IPs
+ left=192.0.2.1
+ right=192.0.2.2
+ # phase 1 parameters
+ ike=aes128-sha1-modp1536!
+ ikelifetime=28800s
+ # authentication
+ authby=pubkey
+ leftrsasigkey=/etc/ipsec.d/public/mykey.pub
+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pub
+ EOF
+
+3. All done! Configure the phase 2 parameters as you otherwise would.
+
+## Full GRE/IPsec example
+ root@debian:~# ip addr show dev gre1
+ 11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
+ link/gre 192.0.2.1 peer 192.0.2.2
+ inet 10.1.2.0/31 scope global gre1
+ valid_lft forever preferred_lft forever
+ inet6 fe80::200:5efe:6825:1c22/64 scope link
+ valid_lft forever preferred_lft forever
+ root@debian:~# more /etc/ipsec.conf
+ # ipsec.conf - strongSwan IPsec configuration file
+
+ config setup
+
+ conn %default
+ keyexchange=ikev1
+ dpdaction=restart
+
+ conn MYPEER
+ # peer IPs
+ left=192.0.2.1
+ right=192.0.2.2
+ # phase 1 parameters
+ ike=aes128-sha1-modp1536!
+ ikelifetime=28800s
+ # authentication
+ authby=pubkey
+ leftrsasigkey=/etc/ipsec.d/public/mykey.pub
+ rightrsasigkey=/etc/ipsec.d/public/peerkey.pub
+ # phase 2 parameters
+ esp=aes128-sha1-modp1536!
+ lifetime=3600s
+ type=transport
+ leftprotoport=gre
+ rightprotoport=gre
+ # startup
+ auto=route
+ keyingtries=%forever
\ No newline at end of file
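Review bot: the proposals on the `ike=aes128-sha1-modp1536!` and `esp=aes128-sha1-modp1536!` lines, together with `keyexchange=ikev1` under `conn %default`, pin this guide to SHA-1 integrity, the 1536-bit DH group 5 and IKEv1, all of which are legacy choices; since the title targets strongSwan >= 5.0.0, which supports IKEv2 and larger groups, consider `keyexchange=ikev2` and a proposal such as `aes128-sha256-modp2048!` on both lines (the trailing `!` already enforces strict matching), and update the Hash and DH Group rows of the phase 1 table to match. Two smaller points: the `ipsec pki --gen ... > /etc/ipsec.d/private/mykey.pem` redirect creates the private key with whatever umask the shell has, so the step should set a restrictive umask first or `chmod 600` the file afterwards; and the "Send the key data to your peer" step should tell the reader to confirm the received key out-of-band (for example by comparing a hash of the file with the peer) before pasting it into `/etc/ipsec.d/public/peerkey.pub`, because with `authby=pubkey` whatever key ends up in that file is what the tunnel will trust as the peer.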