API tools faq
paste
sa_drug

[MT]: Move from PSK to PUBKEY auth in L2TP/IPSec case

sa_drug
Apr 5th, 2019
234
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 4.28 KB | None | 0 0
raw download clone embed print report
  1. # Using PUBKEY AUTH instead of PSK (L2TP)
  2. # Link: https://dn42.net/howto/IPsecWithPublicKeys/strongSwan5Example
  3. # 0. Assume you allready have ipsec-psk config:
  4. # MT Side
  5. interface l2tp-client add add-default-route=yes allow=mschap2 allow-fast-path=yes comment="=TEST=" connect-to=<rem-hostname> dial-on-demand=no disabled=no keepalive-timeout=25 max-mru=1424 \
  6. max-mtu=1424 mrru=1618 name=vpn0 profile=default use-ipsec=yes ipsec-secret="very-big-psk-key" user=l2tp-user password="l2tp-password"
  7.  
  8. # 1. Generate keys
  9. # 1.1 Linux side
  10. ipsec pki --gen -t rsa -f pem -s 2048 > /etc/ipsec.d/private/ipsec-host-rsa-key.pem
  11. ipsec pki --pub --in /etc/ipsec.d/private/ipsec-host-rsa-key.pem --outform pem > /etc/ipsec.d/public/ipsec-host-rsa-pub.pem
  12. echo "<LOCAL-IP> %any : RSA ipsec-host-rsa-key.pem" >> /etc/ipsec.secrets
  13. # MT side
  14. # Generate private key
  15. ip ipsec key generate-key name=ipsec-host-rsa-key key-size=2048
  16. # 1.2 Export public key
  17. ip ipsec key export-pub-key key=ipsec-host-rsa-key file-name=pub/ipsec-host-rsa-pub.pem
  18.  
  19. # 2. Pubkey exchange
  20. # 2.1 Linux side
  21. # Copy local pubkey to MT
  22. scp /etc/ipsec.d/public/ipsec-host-rsa-key.pem user@172.16.1.20:/pub/ipsec-our-hostname-pub.pem
  23. # Copy remote pubkey from MT
  24. scp user@172.16.1.20:/pub/ipsec-host-rsa-pub.pem /etc/ipsec.d/public/ipsec-rem-hostname.pem
  25. # 2.2 Check
  26. ls -1 /etc/ipsec.d/public/
  27. ipsec-host-rsa-key.pem
  28. ipsec-rem-hostname-key.pem
  29.  
  30. # 2.3 MT Side
  31. # Import remote side keys
  32. ip ipsec key import pub/ipsec-vc.gw.lt-pub.pem name=ipsec-rem-hostname-pub
  33. # 2.4 Check
  34. ip ipsec key print
  35. Flags: P - private-key, R - rsa
  36. #    NAME                       KEY-SIZE
  37. 0 PR ipsec-host-rsa-key         2048-bit
  38. 1  R ipsec-rem-hostname-pub     2048-bit
  39.  
  40. # 3. Ipsec peer / policy
  41. # 3.1 MT Side - copy dynamic peer (policy will be generated automaticaly), because we're lazy.
  42. # ip ipsec peer print detail & get config for required peer
  43. # Change l2tp-client configuration to: use-ipsec=yes ipsec-secret=""
  44. interface l2tp-client disable vpn0
  45. interface l2tp-client set vpn0 ipsec-secret=""
  46. # Add static ipsec peer where:
  47. # - key = our private key;
  48. # - remote-key = remote public key.  
  49. ip ipsec peer add address=<REMOTE-IP>/32 auth-method=rsa-key disabled=no exchange-mode=main generate-policy=port-strict key=ipsec-host-rsa-key policy-template-group=default profile=default remote-key=ipsec-rem-hostname-pub send-initial-contact=yes
  50. interface l2tp-client enable vpn0
  51. # 3.2 Linux side
  52. # I won't show my config to you - but, I will :)
  53. cat /etc/ipsec.conf
  54. # ipsec.conf - strongSwan IPsec configuration file
  55. # man 5 ipsec.conf
  56. # GLOBAL
  57. config setup
  58.         strictcrlpolicy=yes
  59.         uniqueids = yes
  60. # CONNCETIONS
  61. # DEFAULTS FOR IKEv1/L2TP (PSK)
  62. conn ikev1-L2TP
  63.         # PHASE #1
  64.         keyexchange = ikev1     # ike - both / ikev1 / ikev2
  65.         aggressive = no
  66.         authby = psk
  67.         ike = aes256-sha512-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes256-sha512-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128-sha512-modp2048,aes128-sha256-modp2048,aes128-sha1-modp2048,aes128-sha512-modp1024,aes128-sha256-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
  68.         ikelifetime = 3h
  69.         dpdaction = clear       # none / hold / restart
  70.         dpddelay = 30s
  71.         dpdtimeout = 120s       # 150s
  72.         inactivity = 1200s      # should be < CHILD_SA rekeying
  73.         # PHASE #2
  74.         esp = aes256-sha512-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes256-sha512-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128-sha512-modp2048,aes128-sha256-modp2048,aes128-sha1-modp2048,aes128-sha512-modp1024,aes128-sha256-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
  75.         lifetime = 30m
  76.         type = transport
  77.         sha256_96 = yes
  78.         # POLICY
  79.         left = <LOCAL-IP>
  80.         leftsubnet = <LOCAL-IP>[udp/1701]
  81.         right = %any
  82.         rightsourceip = %config
  83.         rightsubnet = 0.0.0.0/0[udp/1701]
  84.         # START
  85.         auto = add              # route / start
  86.         rekey = yes
  87. # PEERS
  88. conn ikev1-L2TP-peer-LOCATION
  89.         # INCLUDE
  90.         also = ikev1-L2TP
  91.         # PHASE #1
  92.         authby = pubkey
  93.         leftrsasigkey=/etc/ipsec.d/public/ipsec-host-rsa-key.pem
  94.         rightrsasigkey=/etc/ipsec.d/public/ipsec-<location>-key.pem
  95.         # POLICY
  96.         right = <REMOTE-IP>
  97. # END
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!