ipsec_server (2011/08/30 15:34)
This article describes the installation of an IPsec server for SFR femtocells: a strongSwan gateway that authenticates itself with an RSA certificate, authenticates the femtocell with EAP-SIM, and hands it a virtual IP together with DNS and NBNS addresses.

====== installation ======

  * install [[IPsec_strongswan|strongswan]]
  * configure strongswan (femto clients need DNS, so the attr plugin must send DNS and NBNS servers along with the virtual IP)

  sudo sed -i '/charon {/ a\
    plugins {
      attr {
        address = 172.19.0.254
        netmask = 16
        dns = 172.19.0.254
        nbns = 172.19.0.254
        subnet = 172.19.0.0/16
      }
    }' /etc/strongswan.conf
 +
  * configure the connection: the gateway (left) authenticates with its certificate, the femtocell (right) authenticates with EAP-SIM and receives a virtual IP from the 172.19.0.0/16 pool ([[http://www.strongswan.org/uml/testresults/ikev2/rw-eap-sim-rsa/|example]]). Note that this pool contains 172.19.0.254, the DNS/NBNS address configured in the attr plugin above, so a pool that excludes that address is safer once the number of femtocells grows.

  sudo tee -a /etc/ipsec.conf << EOF
  conn sfr
    left=192.168.0.1
    leftsubnet=172.19.0.0/16
    leftid=@ipsec.sfr.com
    leftcert=sfrCert.pem
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightid=*@gan.mnc010.mcc208.3gppnetwork.org
    rightauth=eap-sim
    rightsourceip=172.19.0.0/16
    rightsubnet=172.19.0.0/16
    rightsendcert=never
    auto=add
  EOF
 +
  * install SIM triplets (data for femto SIM 1 and 2). The femtocell's **ipsec** binary first sends the identity with a 1 prefix before the IMSI (the EAP-SIM permanent identity form), then retries with a 0 prefix, hence the two rows. Each row is identity,RAND,SRES,Kc with the three values in hex. A static triplets file replays the same RAND on every authentication; that is fine for a lab gateway but is no substitute for fresh triplets from an AuC.

  sudo tee /etc/ipsec.d/triplets.dat << EOF
  0<IMSI>@gan.mnc010.mcc208.3gppnetwork.org,<RAND>,<SRES>,<KC>
  1<IMSI>@gan.mnc010.mcc208.3gppnetwork.org,<RAND>,<SRES>,<KC>
  EOF
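
The following is an added example, not part of the wiki page or of strongSwan: a checker for a hand-written triplets.dat, run before the eap-sim-file plugin loads it. It assumes the plugin's line format identity,RAND,SRES,Kc with RAND, SRES and Kc as 16, 4 and 8 hex-encoded bytes, and both sample files below are constructed with placeholder values, not real SIM data.

```sh
#!/bin/sh
# Added example, not from the wiki page or strongSwan: validate triplets.dat
# rows (identity,RAND,SRES,Kc; 32/8/16 hex digits) before strongSwan loads them.
set -eu

check_triplets() {
    # prints one diagnostic per problem; exit status 1 if anything was found
    awk -F, '
        function hex(s, n) { return length(s) == n && s ~ /^[0-9A-Fa-f]+$/ }
        function bad(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; errors++ }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        NF != 4 { bad("expected identity,RAND,SRES,Kc"); next }
        {
            n = split($1, id, "@")
            # "1" + IMSI is the EAP-SIM permanent identity; "0" + IMSI is the
            # form the femto falls back to, so both prefixes are accepted
            if (n != 2 || id[2] == "" || id[1] !~ /^[01][0-9]+$/)
                bad("identity must be 0|1 + IMSI digits @ realm")
            if (!hex($2, 32)) bad("RAND must be 16 bytes (32 hex digits)")
            if (!hex($3, 8))  bad("SRES must be 4 bytes (8 hex digits)")
            if (!hex($4, 16)) bad("Kc must be 8 bytes (16 hex digits)")
            # one RAND under both prefixes of one IMSI is expected; the same
            # RAND for two different IMSIs is a copy-paste error
            imsi = substr(id[1], 2); r = toupper($2)
            if (r in owner && owner[r] != imsi) bad("RAND already used for IMSI " owner[r])
            owner[r] = imsi
        }
        END { exit errors ? 1 : 0 }
    ' "$1"
}

TRIP_DIR=$(mktemp -d)
# constructed sample: one SIM under both prefixes (as on the page) plus a second SIM
cat > "$TRIP_DIR/good.dat" <<'EOF'
# identity,RAND,SRES,Kc (placeholder values, not real SIM data)
1208100000000001@gan.mnc010.mcc208.3gppnetwork.org,00112233445566778899AABBCCDDEEFF,01234567,0011223344556677
0208100000000001@gan.mnc010.mcc208.3gppnetwork.org,00112233445566778899AABBCCDDEEFF,01234567,0011223344556677
1208100000000002@gan.mnc010.mcc208.3gppnetwork.org,FFEEDDCCBBAA99887766554433221100,89ABCDEF,8899AABBCCDDEEFF
EOF
# constructed sample: short RAND, missing Kc, and a RAND copied between two SIMs
cat > "$TRIP_DIR/bad.dat" <<'EOF'
1208100000000003@gan.mnc010.mcc208.3gppnetwork.org,0011223344,01234567,0011223344556677
1208100000000004@gan.mnc010.mcc208.3gppnetwork.org,00112233445566778899AABBCCDDEEFF,01234567
1208100000000005@gan.mnc010.mcc208.3gppnetwork.org,00112233445566778899AABBCCDDEEFF,01234567,0011223344556677
1208100000000006@gan.mnc010.mcc208.3gppnetwork.org,00112233445566778899AABBCCDDEEFF,01234567,0011223344556677
EOF

check_triplets "$TRIP_DIR/good.dat" && echo "good.dat: OK"
check_triplets "$TRIP_DIR/bad.dat" || echo "bad.dat: rejected"
```

Run it against /etc/ipsec.d/triplets.dat before restarting ipsec; a malformed row is otherwise only noticed when the femtocell's EAP-SIM exchange fails.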
 +
  * install the {{:ipsecert.tar.xz|certificates}} generated in the section below (don't forget **operator/gwcert.der**, the CA certificate in DER form that goes onto the femtocell); sfrKey.pem must stay readable by root only

  sudo cp sfrCert.pem /etc/ipsec.d/certs/
  sudo cp sfrKey.pem /etc/ipsec.d/private/
  sudo cp cacert.pem /etc/ipsec.d/cacerts/
  sudo tee /etc/ipsec.secrets << EOF
  # /etc/ipsec.secrets - strongSwan IPsec secrets file
  
  : RSA sfrKey.pem
  EOF
 +
  * restart ipsec

  sudo ipsec restart
 +
====== certificates ======

to generate the certificates used by the IPsec client/server:
  * configure OpenSSL to use the subjectAltName v3 extension ([[http://therowes.net/~greg/2008/01/08/creating-a-certificate-with-multiple-hostnames/|inspiration]], [[http://www.mail-archive.com/openssl-users@openssl.org/msg47644.html|help]]). The ALTNAME line added near the top of openssl.cnf is a default: OpenSSL falls back to the default section when the ALTNAME environment variable referenced by $ENV::ALTNAME is not set. copy_extensions = copy makes "openssl ca" copy the extensions of the request into the certificate, so only sign requests you generated yourself (a foreign request could ask for CA:TRUE).

  sudo sed -i '/^RANDFILE\s\+=/ a\
  ALTNAME = "email:noc@example.com"' /etc/ssl/openssl.cnf
  sudo sed -i 's/# req_extensions = v3_req/req_extensions = v3_req/' /etc/ssl/openssl.cnf
  sudo sed -i '/^# Extensions to add to a certificate request$/ a\
  \
  subjectAltName=$ENV::ALTNAME' /etc/ssl/openssl.cnf
  sudo sed -i 's/# copy_extensions = copy/copy_extensions = copy/' /etc/ssl/openssl.cnf
 +
  * generate the Certificate Authority (answer the prompts with C=FR, O=SFR, CN=SFR CA)

  openssl req -new -x509 -extensions v3_ca -nodes -keyout cakey.pem -out cacert.pem -days 365
 +
  * convert the CA certificate to DER for the femtocell (**operator/gwcert.der**).

  openssl x509 -in cacert.pem -inform PEM -out gwcert.der -outform DER
 +
  * create the CA directory layout for "openssl ca" (used instead of "openssl x509 -req", which does not take the v3 extensions from the request)

  mkdir demoCA
  mkdir demoCA/newcerts
  mkdir demoCA/private
  touch demoCA/index.txt
  echo "01" > demoCA/serial
  mv cacert.pem demoCA/
  mv cakey.pem demoCA/private/
 +
  * create the IPsec server key and certificate request (answer the prompts with C=FR, O=SFR IPsec SeGW, CN=ipsec.sfr.com); the DNS subjectAltName must match the leftid (@ipsec.sfr.com) in ipsec.conf, because strongSwan looks the gateway identity up in its certificate

  ALTNAME="DNS:ipsec.sfr.com" \
  openssl req -new -extensions v3_req -nodes -keyout sfrKey.pem -out sfrCSR.pem
 +
  * sign the certificate request

  openssl ca -in sfrCSR.pem -out sfrCert.pem
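
The script below is an added example, not code from the wiki page, strongSwan or OpenSSL. It runs the same CA and SeGW certificate procedure unattended from a private OpenSSL config in a scratch directory, so /etc/ssl/openssl.cnf is left untouched, and finishes with the checks worth running before anything is copied into /etc/ipsec.d. The names follow the page (SFR CA, ipsec.sfr.com); the directory layout, the config section names and the checks are this script's own assumptions.

```sh
#!/bin/sh
# Added example, not from the wiki page, strongSwan or OpenSSL: the page's CA and
# SeGW certificate procedure driven from a private OpenSSL config in a scratch
# directory (layout, section names and checks are this script's assumptions).
set -eu

# "openssl ca" layout plus a config carrying req_extensions, copy_extensions
# and a default ALTNAME that the environment variable of the same name overrides
setup_pki() {
    pki=$1
    mkdir -p "$pki/demoCA/newcerts" "$pki/demoCA/private"
    : > "$pki/demoCA/index.txt"
    echo 01 > "$pki/demoCA/serial"
    cat > "$pki/openssl.cnf" <<EOF
# default section: \$ENV::ALTNAME falls back to this when ALTNAME is unset
ALTNAME = DNS:localhost

[ req ]
default_bits       = 2048
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = \$ENV::ALTNAME

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $pki/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_any
x509_extensions = segw_cert
copy_extensions = copy

[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ segw_cert ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# self-signed CA (C=FR, O=SFR, CN=SFR CA) and its DER copy for the femtocell
make_ca() {
    pki=$1
    openssl req -new -x509 -config "$pki/openssl.cnf" -extensions v3_ca -nodes \
        -subj "/C=FR/O=SFR/CN=SFR CA" -days 365 \
        -keyout "$pki/demoCA/private/cakey.pem" -out "$pki/demoCA/cacert.pem"
    openssl x509 -in "$pki/demoCA/cacert.pem" -inform PEM -out "$pki/gwcert.der" -outform DER
}

# SeGW key and request with the SAN taken from ALTNAME, signed with "openssl ca";
# copy_extensions=copy carries the SAN from the request into the certificate
make_segw_cert() {
    pki=$1
    ALTNAME="DNS:ipsec.sfr.com" openssl req -new -config "$pki/openssl.cnf" -nodes \
        -subj "/C=FR/O=SFR IPsec SeGW/CN=ipsec.sfr.com" \
        -keyout "$pki/sfrKey.pem" -out "$pki/sfrCSR.pem"
    openssl ca -config "$pki/openssl.cnf" -batch -notext -in "$pki/sfrCSR.pem" -out "$pki/sfrCert.pem"
}

# checks before copying into /etc/ipsec.d: the chain verifies against the CA,
# the SAN carries the identity that leftid=@ipsec.sfr.com refers to, and the
# DER file for the femtocell really is the CA certificate
check_segw_cert() {
    pki=$1
    openssl verify -CAfile "$pki/demoCA/cacert.pem" "$pki/sfrCert.pem" >/dev/null &&
    openssl x509 -in "$pki/sfrCert.pem" -noout -text | grep -q 'DNS:ipsec.sfr.com' &&
    openssl x509 -in "$pki/gwcert.der" -inform DER -noout -subject | grep -q 'SFR CA'
}

PKI_DIR=$(mktemp -d)
setup_pki "$PKI_DIR"
make_ca "$PKI_DIR"
make_segw_cert "$PKI_DIR"
check_segw_cert "$PKI_DIR" && echo "certificates in $PKI_DIR are consistent"
```

The CA step runs without ALTNAME in the environment and therefore picks up the default section value, which is the fallback the page relies on when it adds ALTNAME to openssl.cnf; the request step overrides it with the gateway's DNS name. Because copy_extensions=copy is set, the v3_req section of the request is what ends up in the certificate, which is why only requests produced by this script should be fed to this CA.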
  
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported