Difference between revisions of "Vpnsec Linux install"

From Cncz

Latest revision as of 10:00, 17 January 2018

Installation with NetworkManager on Ubuntu 16.04.1 LTS

Ubuntu 16.04: there is a known bug that is still being worked on, see https://bugs.launchpad.net/bugs/1570352.

With Ubuntu 16.04.1 LTS it is now possible to use IPsec. Some manual configuration is required, however: editing the connection with the VPN applet does not work yet, so the connection profile is written by hand.

  • Install required software:

$ sudo apt install strongswan-nm network-manager-strongswan libstrongswan-standard-plugins strongswan-plugin-eap-mschapv2 

  • Copy the contents below (as root, or via sudo) to /etc/NetworkManager/system-connections/VPN-science:

[connection]
id=vpnsec.science.ru.nl
uuid=1e0ab541-e051-41c2-819f-a005b296c53b
type=vpn
autoconnect=false
permissions=
secondaries=
timestamp=1465384551

[vpn]
virtual=yes
encap=yes
address=vpnsec.science.ru.nl
user=USERNAME
method=eap
password-flags=0
ipcomp=no
service-type=org.freedesktop.NetworkManager.strongswan

[vpn-secrets]
password=

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

  • Change USERNAME to your science login.
  • Change the permissions to -rw------- (owner read/write, no permissions for group and others). NetworkManager refuses to load a keyfile that is not owned by root or that is readable by others, and this file will hold your password:
  chmod u=rw,go= /etc/NetworkManager/system-connections/VPN-science
  ls -la /etc/NetworkManager/system-connections/
  • Reboot the machine before trying to use the VPN connection.

Starting the connection works the same as on Ubuntu 14.04 (see below); when you start the VPN connection, your science password is requested.
NB: because of password-flags=0, NetworkManager then stores that password in plain text in the file mentioned above, so the root-only permissions set above are all that protects it!
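The two steps above (write the keyfile, then fix its permissions) and the password warning can be combined into one small script. The following is an added example, not code from the CnCZ page: it writes the same profile with a fresh uuid, creating the file with mode 0600 from the start, and then audits the directory for any keyfile that stores a secret while being readable by others. The directory and user name are parameters so it can be tried on a scratch directory; which keyfile keys count as secrets (password=, psk=, private-key-password=) is an assumption of mine, not something the page states.

```shell
#!/bin/sh
# Added example, not code from the original page. Two helpers around the
# NetworkManager keyfile shown above:
#   write_nm_vpn_profile DIR USER  writes that profile to DIR/VPN-science with a
#                                  fresh uuid, created with mode 0600 from the
#                                  start instead of copy-first-chmod-later.
#   audit_nm_secrets DIR           lists keyfiles in DIR that hold (or, because
#                                  of password-flags=0, will hold) a secret yet
#                                  are readable by group or others; returns 1
#                                  if it finds any.
# DIR is a parameter so both can be tried on a scratch directory; on a real
# system it is /etc/NetworkManager/system-connections and both need root.
# Which keys count as secrets (password=, psk=, private-key-password=) is my
# assumption, not something the page states.

new_uuid() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    elif command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    else
        # last resort: 16 random bytes in uuid layout (not version-tagged)
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n' |
            sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
    fi
}

write_nm_vpn_profile() {
    dir=$1 user=$2
    file="$dir/VPN-science"
    uuid=$(new_uuid)
    # Remove any old copy and create the new one under umask 077 (in a subshell,
    # so the caller's umask is untouched): the file is 0600 from its first byte.
    (
        umask 077
        rm -f "$file"
        cat > "$file" <<EOF
[connection]
id=vpnsec.science.ru.nl
uuid=$uuid
type=vpn
autoconnect=false
permissions=
secondaries=

[vpn]
virtual=yes
encap=yes
address=vpnsec.science.ru.nl
user=$user
method=eap
password-flags=0
ipcomp=no
service-type=org.freedesktop.NetworkManager.strongswan

[vpn-secrets]
password=

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto
EOF
    )
    printf '%s\n' "$file"
}

audit_nm_secrets() {
    dir=$1 bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # A [vpn-secrets] section or a non-empty password/psk line means the
        # secret lives (or will live) in this file rather than in a keyring.
        grep -Eq '^\[vpn-secrets\]|^(password|psk|private-key-password)=.+' "$f" || continue
        case "$(ls -ld "$f")" in
            ????------*) ;;   # no group/other bits: owner-only, fine
            *) echo "$f: stores a secret but is readable by group/others"; bad=1 ;;
        esac
    done
    return $bad
}

# Stand-alone use (as root):
#   sh nm_vpn_profile.sh /etc/NetworkManager/system-connections alice   # write, then audit
#   sh nm_vpn_profile.sh /etc/NetworkManager/system-connections         # audit only
if [ $# -ge 1 ]; then
    [ $# -ge 2 ] && write_nm_vpn_profile "$1" "$2"
    audit_nm_secrets "$1"
fi
```

The audit deliberately flags a profile with an empty password= line as well: with password-flags=0 NetworkManager will write the password into that file the first time you connect, so the permissions have to be right before that happens, not after.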

Installation with NetworkManager on Ubuntu 14.04 LTS

This procedure assumes you use NetworkManager; see Installation without NetworkManager below for a manual procedure.

Install the required software:

$ sudo apt-get install network-manager-strongswan strongswan-plugin-eap-mschapv2
The following NEW packages will be installed:
  libstrongswan{a} network-manager-strongswan strongswan-ike{a} strongswan-nm{a}
  strongswan-plugin-eap-mschapv2 strongswan-plugin-openssl{a} 
...

$ sudo service network-manager stop
network-manager stop/waiting
$ sudo service network-manager start
network-manager start/running, process 29031

Configuration:

Select the NetworkManager applet and then Edit Connections...

[screenshot: Vpnsec linux 2.png]

Click Add, select IPsec/IKEv2 in the VPN section, and click Create.

[screenshot: Vpnsec linux 3.png]

Fill in Connection name, Address (vpnsec.science.ru.nl), your login name, etc., and tick the boxes where needed.

[screenshot: Vpnsec linux 4.png]

Save (Save, then Close).

[screenshot: Vpnsec linux 5.png]

Start the VPN: select the NetworkManager applet, then VPN Connections, and finally the connection you just created.

[screenshot: Vpnsec linux 6.png]

Known problems

If the VPN connection has been established, but ping ns1.science.ru.nl does not work while ping 131.174.224.4 does, dnsmasq is probably the culprit. This can be solved by disabling the dnsmasq DNS cache, as described in Ask Ubuntu: DNS problem when connected to a VPN (http://askubuntu.com/questions/320921/having-dns-issues-when-connected-to-a-vpn-in-ubuntu-13-04):

First make sure that there are no lines beginning with nameserver in any files in /etc/resolvconf/resolv.conf.d.
If /etc/resolvconf/resolv.conf.d/tail is a symbolic link to target original, make it point to /dev/null.

Second, disconnect from the VPN. Edit /etc/NetworkManager/NetworkManager.conf

$ sudo gedit /etc/NetworkManager/NetworkManager.conf

and comment out

dns=dnsmasq

(i.e., add a # so that it looks like the following)

#dns=dnsmasq

and then

sudo service network-manager restart

Installation with NetworkManager on Debian Jessie

Unfortunately, the network-manager-strongswan package did not make it into Debian Jessie (and, at the time of writing, is not in jessie-backports either). Nevertheless, backporting the current version of the package works fine. The steps below were taken almost verbatim from http://sebastiangibb.de/debian/2015/09/19/university-cambridge-vpn-debian-jessie.html.

First install the Debian packaging tools. debian-keyring is included so that dget can verify the signature on the downloaded .dsc with dscverify; do not work around a verification failure with dget -u:

sudo apt-get install packaging-dev debian-keyring devscripts equivs

Then download the Debian source package (dget -x fetches the .dsc, verifies it, and unpacks the source):

dget -x http://http.debian.net/debian/pool/main/n/network-manager-strongswan/network-manager-strongswan_1.3.1-1.dsc

Install any missing build dependencies (mk-build-deps turns the Build-Depends into a throw-away package and installs it):

cd network-manager-strongswan-1.3.1/
sudo mk-build-deps --install --remove

Add a backport revision number:

dch --local ~bpo80+ --distribution jessie-backports "Rebuild for jessie-backports."

Build the package (without signing it):

dpkg-buildpackage -us -uc

Install the newly built package:

sudo dpkg -i ../network-manager-strongswan_1.3.1-1~bpo80+1_amd64.deb

Install potentially missing dependencies, just to be sure:

sudo apt-get install -f

Install additional plugins (most notably the eap-mschapv2 plugin):

sudo apt-get install libcharon-extra-plugins

Restart NetworkManager:

sudo systemctl restart network-manager.service

Installation without NetworkManager

Note: at the end of this page there are some remarks on doing this on Fedora (FC23).

Install strongswan, including the curl, eap-identity, eap-mschapv2 and eap-md5 (required for eap-mschapv2) plugins. When you compile strongswan from source, make sure to pass the right parameters to the configure script.

$ ./configure --enable-curl --enable-md5 --enable-openssl --enable-xauth-eap --enable-eap-md5 --enable-eap-gtc --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-mschapv2 --enable-eap-identity
$ make
$ sudo make install

You can test which plugins are loaded with sudo ipsec statusall or sudo ipsec listplugins. If necessary you can load plugins manually by editing strongswan.conf.

Make sure your ipsec.conf, probably located in /etc or in /usr/local/etc, looks like this:

config setup
    strictcrlpolicy=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn science
    left=%defaultroute
    leftfirewall=yes
    leftsourceip=%config
    leftauth=eap-mschapv2
    # edit the next two lines: use your Science login
    leftid=mysciencelogin
    eap_identity=mysciencelogin
    right=vpnsec.science.ru.nl
    rightauth=pubkey
    rightid=@vpnsec.science.ru.nl
    rightsubnet=0.0.0.0/0
    forceencaps=yes
    auto=start

And your ipsec.secrets as follows, with your own Science account name and password. Make sure this file is not readable by anyone but root, since it contains your password: it is typically owned by root:root with -rw------- (600) permissions.

mysciencelogin : EAP "mypassword"

Everything should now work; after ipsec up, sudo ipsec statusall should list the science connection as ESTABLISHED:

$ sudo ipsec start
$ sudo ipsec up science

It can be necessary to put the root certificate in strongswan's CA directory manually: strongswan only trusts CAs found there, not the system bundle. The destination is /etc/ipsec.d/cacerts/ (or /usr/local/etc/ipsec.d/cacerts/ when built from source); the source path is wherever your distribution keeps its CA bundle (/etc/ca-certificates/extracted/cadir/ here, /etc/ssl/certs/ on Debian and Ubuntu):

$ sudo ln -s /etc/ca-certificates/extracted/cadir/DigiCert_Assured_ID_Root_CA.pem /etc/ipsec.d/cacerts/DigiCert_Assured_ID_Root_CA.pem
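Before running ipsec up it is worth checking that the hand-edited ipsec.conf still says what the configuration above says, in particular the settings that force the gateway to prove its identity, and that ipsec.secrets is not readable by other users. The following is an added example, not code from the CnCZ page: file paths and the conn name are parameters, and the list of settings it insists on (IKEv2, rightauth=pubkey, an explicit rightid, strictcrlpolicy=yes, leftauth=eap-mschapv2) is my choice derived from the configuration shown above.

```shell
#!/bin/sh
# Added example, not code from the original page: a pre-flight check for the
# hand-written strongswan client configuration above, to run before
# "ipsec up science". It reads ipsec.conf the way the file is structured (a
# "conn <name>" section with "conn %default" as fallback), flags the settings
# that decide whether the gateway has to prove its identity, and checks that
# ipsec.secrets is not readable by other users. File paths and the conn name
# are parameters so it can be run against copies; the list of settings it
# insists on is my choice, derived from the configuration shown on this page.

# get_setting FILE SECTION KEY
# Print the value of KEY in "conn SECTION" or "config SECTION", falling back to
# "conn %default". Prints nothing when the key is not set anywhere.
get_setting() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*#/ { next }                               # comment line
        /^(conn|config|ca)[ \t]/ { section = $2; next }   # section header
        section != "" && index($0, "=") > 0 {
            line = $0
            sub(/^[ \t]+/, "", line)
            k = substr(line, 1, index(line, "=") - 1)
            v = substr(line, index(line, "=") + 1)
            gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val[section] = v
        }
        END {
            if (want in val) print val[want]
            else if ("%default" in val) print val["%default"]
        }' "$1"
}

# check_ipsec_conf FILE CONN
# Return 0 when CONN authenticates the gateway by certificate over IKEv2 with a
# pinned identity and strict CRL checking; otherwise print every problem found
# and return 1.
check_ipsec_conf() {
    conf=$1 conn=$2 bad=0
    for pair in keyexchange=ikev2 rightauth=pubkey leftauth=eap-mschapv2; do
        key=${pair%%=*} expect=${pair#*=}
        got=$(get_setting "$conf" "$conn" "$key")
        if [ "$got" != "$expect" ]; then
            echo "$conf: $conn: $key is '${got:-unset}', expected '$expect'"
            bad=1
        fi
    done
    # rightid pins which certificate identity the gateway must present.
    if [ -z "$(get_setting "$conf" "$conn" rightid)" ]; then
        echo "$conf: $conn: rightid is unset; pin the gateway identity (e.g. @vpnsec.science.ru.nl)"
        bad=1
    fi
    # Without strictcrlpolicy=yes in "config setup" an unreachable CRL is ignored.
    if [ "$(get_setting "$conf" setup strictcrlpolicy)" != "yes" ]; then
        echo "$conf: setup: strictcrlpolicy is not 'yes'; a missing CRL would not be treated as an error"
        bad=1
    fi
    return $bad
}

# check_secrets_perms FILE
# ipsec.secrets carries the plaintext password: only its owner (normally root)
# may read it, i.e. no group/other permission bits at all.
check_secrets_perms() {
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *) echo "$1: readable by group or others (fix: chmod 600 '$1')"; return 1 ;;
    esac
}

# Stand-alone use: sh check_ipsec.sh /etc/ipsec.conf science /etc/ipsec.secrets
if [ $# -ge 1 ]; then
    rc=0
    check_ipsec_conf "$1" "${2:-science}" || rc=1
    if [ -n "${3:-}" ]; then check_secrets_perms "$3" || rc=1; fi
    exit $rc
fi
```

The check insists on rightauth=pubkey being spelled out even though strongswan defaults to it, so that a later edit to a pre-shared key or an accidental deletion is caught, and it reads strictcrlpolicy from the config setup section because that is the setting that makes CRL fetching (hence the curl plugin) mandatory rather than best-effort.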

Fedora (FC23)

Work in progress... [User:Arjen], FC23, 4/3/2016:

On Fedora (tested on FC23), replace the ipsec command with strongswan in the instructions above; the configuration lives under /etc/strongswan/.

To get the newest SELinux policies, you need to issue:

dnf update --enablerepo=updates-testing selinux-policy

Edit /etc/strongswan/strongswan.d/charon/resolve.conf to include a line:

file = /etc/resolv.conf

To resolve errors about the certificate CN=TERENA SSL CA 3 not being trusted:

Go to https://pki.cesnet.cz/en/ch-tcs-ssl-ca-3-crt-crl.html and download DigiCert_Assured_ID_Root_CA.crt and TERENA_SSL_CA_3.crt.

Next, convert the DER-encoded .crt files to .pem, copy them into the strongswan configuration directories, and make charon reread the certificates:

openssl x509 -inform DER -in DigiCert_Assured_ID_Root_CA.crt -out DigiCert_Assured_ID_Root_CA.pem
openssl x509 -inform DER -in TERENA_SSL_CA_3.crt -out TERENA_SSL_CA_3.pem

cp DigiCert_Assured_ID_Root_CA.pem /etc/strongswan/ipsec.d/cacerts
cp TERENA_SSL_CA_3.pem /etc/strongswan/ipsec.d/certs

strongswan rereadall

To overcome problems with DNS, I had to stop the `libvirtd` service. Yet to be resolved.