Difference between revisions of "Vpnsec Linux install"
m (apt-get instead of aptitude)
(sudo instead of root shell (I find it a bit nicer))
Revision as of 23:45, 7 March 2016
This procedure assumes that NetworkManager is used. See below for a manual procedure.
Install the required software:
<pre>
$ sudo apt-get install network-manager-strongswan strongswan-plugin-eap-mschapv2
The following NEW packages will be installed:
  libstrongswan{a} network-manager-strongswan strongswan-ike{a} strongswan-nm{a}
  strongswan-plugin-eap-mschapv2 strongswan-plugin-openssl{a}
...
$ sudo service network-manager stop
network-manager stop/waiting
$ sudo service network-manager start
network-manager start/running, process 29031
</pre>
Configuration:
Select the NetworkManager applet and then Edit Connections...
Click Add, select IPsec/IKEv2 in the VPN section, and click Create.
Enter the data: Connection name, Address (vpnsec.science.ru.nl), login name, etc., and tick the check boxes where needed.
Save (Save and Close).
Start the VPN: select the NetworkManager applet, then VPN Connections, and finally the connection you just created.
Known problems
If the VPN connection has been established, but ping ns1.science.ru.nl does not work while ping 131.174.224.4 does, then dnsmasq is probably the culprit. This can be solved by disabling the dnsmasq DNS cache, as described in Ask Ubuntu: DNS problem when connected to a VPN:
First make sure that there are no lines beginning with nameserver in any file in /etc/resolvconf/resolv.conf.d. If /etc/resolvconf/resolv.conf.d/tail is a symbolic link to the target original, make it point to /dev/null instead. Second, disconnect from the VPN. Edit /etc/NetworkManager/NetworkManager.conf:
<pre>
$ sudo gedit /etc/NetworkManager/NetworkManager.conf
</pre>
and comment out dns=dnsmasq (i.e., add a # so that the line looks like this):
<pre>
#dns=dnsmasq
</pre>
Then restart NetworkManager:
<pre>
$ sudo service network-manager restart
</pre>
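The two checks above (no stray nameserver lines, dns=dnsmasq commented out) as a small script; this is an added example, not part of the original wiki page. The file and directory are parameters so it can be tried on copies before touching /etc (the real paths are /etc/resolvconf/resolv.conf.d and /etc/NetworkManager/NetworkManager.conf).

```shell
# Added example: helpers for the dnsmasq fix. Paths are parameters so the
# functions can be exercised on scratch copies; sed output goes through a
# temporary file instead of sed -i so the script is portable.

# Return 0 if no regular file in DIR has a line starting with "nameserver",
# 1 otherwise (printing the offending files).
check_resolvconf_dir() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q '^nameserver' "$f"; then
            echo "stray nameserver line in $f"
            found=1
        fi
    done
    return $found
}

# Comment out an active "dns=dnsmasq" line in the given NetworkManager.conf.
# Idempotent: a line that is already commented out is left untouched.
disable_nm_dnsmasq() {
    conf="$1"
    tmpf="$conf.tmp"
    sed 's/^[[:space:]]*dns=dnsmasq[[:space:]]*$/#dns=dnsmasq/' "$conf" > "$tmpf" \
        && mv "$tmpf" "$conf"
}

# Return 0 if the config no longer enables the dnsmasq cache.
nm_dnsmasq_disabled() {
    ! grep -q '^[[:space:]]*dns=dnsmasq' "$1"
}
```

After running disable_nm_dnsmasq on the real file, NetworkManager still has to be restarted as shown above for the change to take effect.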
Installation without NetworkManager
Note: some remarks on doing this on Fedora Core (FC23) follow below.
Install strongswan, including the curl, eap-identity, eap-mschapv2 and md4 (required by eap-mschapv2) plugins. When you compile strongswan from source, make sure to pass the right parameters to the configure script:
<pre>
$ ./configure --enable-curl --enable-md4 --enable-openssl --enable-xauth-eap --enable-eap-md5 --enable-eap-gtc --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-mschapv2 --enable-eap-identity
$ make
$ sudo make install
</pre>
You can check which plugins are loaded with sudo ipsec statusall or sudo ipsec listplugins. If necessary, you can load plugins manually by editing strongswan.conf.
Make sure your ipsec.conf, probably located in /etc or in /usr/local/etc, looks like this:
<pre>
config setup
    strictcrlpolicy=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn science
    left=%defaultroute
    leftfirewall=yes
    leftsourceip=%config
    leftauth=eap-mschapv2
    leftid=mysciencelogin          <-- edit this
    eap_identity=mysciencelogin    <-- edit this
    right=vpnsec.science.ru.nl
    rightauth=pubkey
    rightid=@vpnsec.science.ru.nl
    rightsubnet=0.0.0.0/0
    forceencaps=yes
    auto=start
</pre>
And your ipsec.secrets as follows, where you enter your own Science account name and password. Make sure this file is not readable by everyone, as it contains your password! It is typically owned by root:root with -rw------- (600) permissions.
<pre>
mysciencelogin : EAP "mypassword"
</pre>
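A check that the ipsec.secrets file has the ownership, mode and line format described above; this is an added example, not part of the original page or of strongSwan. FILE and OWNER are parameters so it can run on a scratch copy; on a real host OWNER is root and FILE is /etc/ipsec.secrets or /usr/local/etc/ipsec.secrets.

```shell
# Added example: sanity-check an ipsec.secrets before starting the tunnel.
# Uses GNU stat (-c), which is what Ubuntu and Fedora ship.
check_ipsec_secrets() {
    file="$1"
    owner="${2:-root}"          # expected owner, root on a real system
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # Mode must be exactly 600 (-rw-------): no group or world access.
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != "600" ]; then
        echo "bad mode $mode on $file (expected 600)"
        return 1
    fi

    fowner=$(stat -c '%U' "$file")
    if [ "$fowner" != "$owner" ]; then
        echo "bad owner $fowner on $file (expected $owner)"
        return 1
    fi

    # Every non-blank, non-comment line must be an EAP secret of the form
    #   login : EAP "password"
    # (the only kind of entry this page's configuration needs).
    if grep -Ev '^[[:space:]]*(#|$)' "$file" \
       | grep -Evq '^[^[:space:]:]+ : EAP "[^"]+"[[:space:]]*$'; then
        echo "unexpected line format in $file"
        return 1
    fi
    return 0
}
```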
Everything should work now:
<pre>
$ sudo ipsec start
$ sudo ipsec up science
</pre>
It can be necessary to put the root certificate in the right folder manually:
<pre>
$ sudo ln -s /etc/ca-certificates/extracted/cadir/DigiCert_Assured_ID_Root_CA.pem [/usr/local]/etc/ipsec.d/cacerts/DigiCert_Assured_ID_Root_CA.pem
</pre>
Fedora (FC23)
Work in progress... [Gebruiker:Arjen], FC23, 4/3/2016:
On Fedora (tested on FC23), replace the command ipsec by strongswan in the instructions above.
To get the newest SELinux policies, you need to issue:
<pre>
dnf update --enablerepo=updates-testing selinux-policy
</pre>
Edit /etc/strongswan/strongswan.d/charon/resolve.conf to include a line:
<pre>
file = /etc/resolv.conf
</pre>
To resolve errors about certificate CN=TERENA SSL CA 3 not being trusted:
Navigate to [2] and download DigiCert_Assured_ID_Root_CA.crt and TERENA_SSL_CA_3.crt.
Next, extract the .pem files, copy these to the strongswan config directories, and reread the certificates, like this:
<pre>
openssl x509 -inform DER -in DigiCert_Assured_ID_Root_CA.crt -out DigiCert_Assured_ID_Root_CA.pem -text
openssl x509 -inform DER -in TERENA_SSL_CA_3.crt -out TERENA_SSL_CA_3.pem -text
cp DigiCert_Assured_ID_Root_CA.pem /etc/strongswan/ipsec.d/cacerts
cp TERENA_SSL_CA_3.pem /etc/strongswan/ipsec.d/certs
strongswan rereadall
</pre>
To overcome problems with DNS, I had to stop the service `libvirtd`. Yet to be resolved.