Saturday 11 December 2021

strongSwan route-based IPsec IKEv2 with FQDN peers and certificate authentication, against a Fortigate

EDIT: I've updated this following this tutorial from Google, using the updown script on the strongSwan side:
https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan


The VPN is between:
- localsite.domain.com
    Debian buster with strongSwan 5.7.2-1
- remotesite.domain.com
    Fortigate 6.2.3


Important:

This will not work if the kernel does not have CONFIG_NET_IPVTI enabled (the ip_vti module, which provides the VTI tunnel interface used below); check with grep CONFIG_NET_IPVTI /boot/config-$(uname -r). On OVH you have to upgrade to Debian buster, which has a 4.19 kernel (as of today).

Create a PKI:

CA.crt       the CA certificate both sides trust
local.crt    the certificate of localsite.domain.com (strongSwan side)
local.pem    the private key of local.crt
remote.crt   the certificate of remotesite.domain.com (Fortigate side; its key goes to the Fortigate only)

Configure IPsec:

/etc/ipsec.conf

config setup
        #charondebug="ike 3, net 2, esp 2, chd 2, pts 3, cfg 0, asn 0"
        uniqueids=yes
        strictcrlpolicy=no

conn %default
        # keyexchange=ikev2 # the default "ike" already uses IKEv2 when initiating
        # UDP-encapsulate ESP even without NAT detected (port 4500)
        forceencaps=yes
        ike=aes256-sha256-modp2048!
        ikelifetime=24h
        # lifetime=43200s # default is 1h
        esp=aes256-sha256-modp2048,aes256gcm128-sha256
        leftauth=pubkey
        rightauth=pubkey
        closeaction=restart

conn homesite
        # local side
        left=localsite.domain.com
        # left|rightcert are looked up in /etc/ipsec.d/certs
        leftcert=local.crt
        # left|rightca are looked up in /etc/ipsec.d/cacerts
        leftca=CA.crt
        # route-based: wide-open selectors, the VTI routes decide what is tunnelled
        leftsubnet=0.0.0.0/0

        # remote side
        right=remotesite.domain.com
        # defaults to the subject DN of rightcert; set it explicitly only if the
        # Fortigate sends another IKE identity (localid on that side)
        rightid="<remote site certificate DN>"
        rightcert=remote.crt
        rightca=%same
        rightsubnet=0.0.0.0/0

        auto=route
        # must match the "key" of the VTI interface configured below
        mark=42

/etc/ipsec.secrets

# the private key has to be in /etc/ipsec.d/private/
: RSA local.pem

Trust the CA (the other files go where the ipsec.conf comments say: local.crt and remote.crt to /etc/ipsec.d/certs, local.pem to /etc/ipsec.d/private with mode 0600):

cp CA.crt /etc/ipsec.d/cacerts/CA.crt


Check that the certificates are recognized with 'ipsec listcerts' (after ipsec restart, or ipsec rereadall).

The flag 'has private key' must be present on the certificates for which a private key was provided, here local.crt. If it is missing, charon could not read local.pem (wrong path, permissions or a passphrase-protected key).
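The post lists the four PKI files without the commands that produce them, and spreads their destinations over the comments in ipsec.conf and ipsec.secrets. The script below is an added example, not the post's own commands: it builds the CA and the two end-entity certificates with openssl (strongSwan's own pki tool can do the same), verifies the chain, prints the subject DN in the form rightid= and the Fortigate's "set subject" expect, and installs the files into the /etc/ipsec.d layout. The DNs, lifetimes, key sizes, the ./pki work directory and the FQDN defaults are assumptions.

```sh
#!/bin/sh
# Added example: build the four PKI files the post lists (CA.crt, local.crt,
# local.pem, remote.crt) with openssl and install them into the /etc/ipsec.d
# layout ipsec.conf and ipsec.secrets refer to. Not the post's own commands.
# DNs, lifetimes, key sizes and the work directory are assumptions.
set -e

WORKDIR="${WORKDIR:-./pki}"            # assumption: build directory (keep CA.key off the VPN host)
IPSEC_D="${IPSEC_D:-/etc/ipsec.d}"     # strongSwan's default certificate tree
LOCAL_FQDN="${LOCAL_FQDN:-localsite.domain.com}"
REMOTE_FQDN="${REMOTE_FQDN:-remotesite.domain.com}"
DN_BASE="${DN_BASE:-/C=FR/O=domain.com}"   # assumption: common DN prefix

# Issue one end-entity certificate signed by the CA. $1 = file name, $2 = FQDN.
# The subject DN is what rightid= (strongSwan) and "set subject" (Fortigate)
# compare; the FQDN also goes into a subjectAltName so the same certificate
# still works if either side is later identified by FQDN instead of DN.
issue_cert() {
  name=$1 fqdn=$2
  openssl genrsa -out "$WORKDIR/$name.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/$name.pem" \
      -subj "$DN_BASE/CN=$fqdn" -out "$WORKDIR/$name.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORKDIR/$name.ext"
  # serverAuth plus ikeIntermediate (1.3.6.1.5.5.8.2.2), the EKUs IKE peers commonly check
  printf 'extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\nsubjectAltName=DNS:%s\n' "$fqdn" >> "$WORKDIR/$name.ext"
  openssl x509 -req -sha256 -days 1825 -in "$WORKDIR/$name.csr" \
      -CA "$WORKDIR/CA.crt" -CAkey "$WORKDIR/CA.key" -CAcreateserial \
      -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

build_pki() {
  mkdir -p "$WORKDIR"
  # the CA: 4096-bit key, self-signed for ten years
  openssl genrsa -out "$WORKDIR/CA.key" 4096 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$WORKDIR/CA.key" \
      -subj "$DN_BASE/CN=domain.com VPN CA" -out "$WORKDIR/CA.crt"
  issue_cert local "$LOCAL_FQDN"     # strongSwan side: leftcert=local.crt, key local.pem
  issue_cert remote "$REMOTE_FQDN"   # Fortigate side: rightcert=remote.crt
}

# Returns 0 when both leaf certificates chain to CA.crt.
verify_pki() {
  openssl verify -CAfile "$WORKDIR/CA.crt" "$WORKDIR/local.crt" "$WORKDIR/remote.crt" >/dev/null
}

# Print a certificate's subject DN in the "C=FR, O=..., CN=..." form that
# ipsec listcerts shows and rightid= expects. $1 = local | remote
subject_dn() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt oneline \
      | sed -e 's/^subject= *//' -e 's/ = /=/g'
}

# Copy into strongSwan's layout (run as root). ipsec.secrets references the
# key as ": RSA local.pem"; remote.pem and CA.key are deliberately not installed.
install_pki() {
  mkdir -p "$IPSEC_D/cacerts" "$IPSEC_D/certs" "$IPSEC_D/private"
  install -m 0644 "$WORKDIR/CA.crt"     "$IPSEC_D/cacerts/CA.crt"
  install -m 0644 "$WORKDIR/local.crt"  "$IPSEC_D/certs/local.crt"
  install -m 0644 "$WORKDIR/remote.crt" "$IPSEC_D/certs/remote.crt"
  install -m 0600 "$WORKDIR/local.pem"  "$IPSEC_D/private/local.pem"
}

case "${1:-}" in
  build)   build_pki && verify_pki && subject_dn local && subject_dn remote ;;
  install) install_pki ;;
esac
```

Run it as "sh pki.sh build" on a machine that keeps the CA key, then copy the pki directory to the strongSwan host and run "sh pki.sh install" as root there. The printed DN of local.crt is what goes into the Fortigate's "set subject", the DN of remote.crt into rightid= if you set it explicitly. remote.crt and remote.pem are imported on the Fortigate together with CA.crt (as "Root_CA" in the config below); the Fortigate's own key never needs to be on the strongSwan host.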



Modify the charon AppArmor profile so it can install the DNS servers provided through the tunnel

I had an issue with AppArmor, which would not accept the DNS settings because resolv.conf could not be modified under the charon AppArmor profile, so add at the bottom of the list, before the closing } in /etc/apparmor.d/usr.lib.ipsec.charon:

/etc/resolv.conf          rwk,

then reload the profile with apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon.

Modify /etc/hosts so that your own FQDN resolves to your external IP:

1.2.3.4    cloud.domain.com

Configure the route-based VPN (VTI interface):

In my case the local side has a static IP. Otherwise, you have to use a script.

/etc/network/interfaces.d/ipsec0.conf

auto ipsec0
iface ipsec0 inet manual
        # "key 42" sets ikey/okey and must match mark=42 in ipsec.conf;
        # remote 0.0.0.0 accepts any peer address
        pre-up ip tunnel add ipsec0 local <ip of the localsite> remote 0.0.0.0 mode vti key 42
        up ip link set ipsec0 up
        up ip address add 10.2.0.2/24 dev ipsec0
        up ip route add 192.168.1.0/24 via 10.2.0.1 dev ipsec0
        # packets leaving the VTI already carry the mark; skip XFRM policy checks on it
        up sysctl -w "net.ipv4.conf.ipsec0.disable_policy=1"

        down ip route del 192.168.1.0/24 via 10.2.0.1 dev ipsec0
        down ip address del 10.2.0.2/24 dev ipsec0
        post-down ip tunnel del ipsec0

In /etc/strongswan.d/charon.conf, inside the charon { } section, stop charon from installing routes for the 0.0.0.0/0 selectors and a virtual IP (the VTI interface and its routes take care of that), then ipsec restart:

charon {
        install_routes = no
        install_virtual_ip = no
}
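When the local address is not static, the interfaces file above cannot know which address to put in "local", which is the script case mentioned above and the reason for the updown approach of the Google tutorial linked in the EDIT. The script below is an added example modelled on that approach, not the post's or Google's code: charon runs it with the PLUTO_* variables set (PLUTO_ME is our current address, PLUTO_PEER the Fortigate's, PLUTO_MARK_OUT the mark as "42/0xffffffff", PLUTO_VERB up-client or down-client), so the VTI is created with whatever address the host has at that moment. The interface name, VTI addresses and remote subnet are taken from the interfaces file above and are assumptions; the install path is too.

```sh
#!/bin/sh
# vti-updown.sh: a strongSwan leftupdown= script that builds the VTI from the
# PLUTO_* variables charon exports, so the local address (PLUTO_ME) may change.
# Added example modelled on the Google Cloud VPN tutorial's approach; not the
# post's own code. Interface name, VTI addresses and remote subnet below are
# assumptions taken from the post's interfaces file.
VTI_IF="${VTI_IF:-ipsec0}"
VTI_ADDR="${VTI_ADDR:-10.2.0.2/24}"        # our end of the tunnel network
VTI_GW="${VTI_GW:-10.2.0.1}"               # the Fortigate's end
REMOTE_NET="${REMOTE_NET:-192.168.1.0/24}" # network behind the Fortigate
RUN="${RUN:-}"                             # RUN=echo prints the commands instead of running them

# PLUTO_MARK_OUT looks like "42/0xffffffff"; the VTI key is the bare mark.
mark_of() { printf '%s\n' "${1%%/*}"; }

vti_up() {
  key=$(mark_of "${PLUTO_MARK_OUT:-}")
  [ -n "$key" ] || { echo "vti-updown: no mark on connection ${PLUTO_CONNECTION:-?}" >&2; return 1; }
  # Remove a stale interface left by a previous run so the add is idempotent.
  $RUN ip tunnel del "$VTI_IF" 2>/dev/null || true
  $RUN ip tunnel add "$VTI_IF" local "$PLUTO_ME" remote "$PLUTO_PEER" mode vti key "$key"
  # Packets leaving the VTI already carry the mark; skip the XFRM policy check
  # on the interface itself, exactly as the static interfaces file does.
  $RUN sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
  $RUN ip link set "$VTI_IF" up
  $RUN ip addr add "$VTI_ADDR" dev "$VTI_IF"
  $RUN ip route add "$REMOTE_NET" via "$VTI_GW" dev "$VTI_IF"
}

vti_down() {
  # Deleting the interface drops its address and routes with it.
  $RUN ip tunnel del "$VTI_IF"
}

case "${PLUTO_VERB:-}" in
  up-client)   vti_up ;;
  down-client) vti_down ;;
  *)           : ;;   # up-host/down-host and unknown verbs: nothing to do
esac
```

Install it executable (for instance as /usr/local/sbin/vti-updown.sh, an assumed path), reference it from the conn with leftupdown=/usr/local/sbin/vti-updown.sh, and drop the interfaces.d file. Since the interface that marks packets only exists once the child SA is up, nothing can trip the trap policy installed by auto=route: use auto=start (together with closeaction=restart, already set) so charon brings the tunnel up itself. RUN=echo lets you check the generated commands against a mark/key mismatch before touching the live host.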


Fortigate config

The names are as seen from the Fortigate: "remote.crt" is the name under which the Fortigate's own certificate (remote.crt with its private key) was imported, and the peer object "remote_side" describes the strongSwan host, whose certificate must chain to the imported CA "Root_CA" (CA.crt) and carry the expected subject DN.

Phase 1 (IKE SA), with the peer addressed by its FQDN:


config vpn ipsec phase1-interface
    edit "VPNikev2"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set net-device disable
        set proposal aes256-sha256
        set remotegw-ddns "localsite.domain.com"
        set certificate "remote.crt"
        set peer "remote_side"
    next
end

Phase 2 (Child SA); with no src/dst subnet set the selectors are 0.0.0.0/0 on both sides, matching leftsubnet/rightsubnet:

config vpn ipsec phase2-interface
    edit "VPNikev2p2"
        set phase1name "VPNikev2"
        set proposal aes256-sha256 aes256gcm
        set keylifeseconds 3600
    next
end

Peer object referenced by "set peer": the strongSwan side's certificate must be issued by Root_CA and have this subject:

config user peer
    edit "remote_side"
        set ca "Root_CA"
        set subject "<DN to match localsite cert>"
    next
end

Static route, so that the Fortigate routes the VTI network 10.2.0.0/24 into the tunnel and its reverse-path check accepts traffic arriving on VPNikev2 from 10.2.0.2:

config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "VPNikev2"
    next
end
