I Google-ed a lot configuring IPSec VPN for iOS with OpenSwan, nothing useful but Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6 which is on RHEL/CentOS and with strongswan found. I tried to configure openswan like strong swan, failed.
StrongSwan‘s official wiki helps a lot: http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/23
iOS 4 and newer supports native IPsec VPN via IKEv1 (otherwise referred to as Cisco IPSec in iOS) and is able to interoperate with strongSwan.
Environment
Work station
OS X 10.9
openssl from macports(OpenSSL 1.0.1f 6 Jan 2014).
Apple Configurator
VPN Server
Ubuntu 13.10
StrongSwan
Client
iPhone
iOS 7.0.5
Certificate Authority
Preparement
1 2 3 4 |
mkdir ~/Work/CA cd ~/Work/CA cp /opt/local/etc/openssl/misc/CA.sh . cp /opt/local/etc/openssl/openssl.cnf . |
# change CA.sh:
1 2 3 |
PKCS12="$OPENSSL pkcs12" ... if [ -z "$CATOP" ] ; then CATOP=./sskajeCA ; fi |
Create New CA
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758
sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -newcaCA certificate filename (or enter to create) Making CA certificate ...Generating a 1024 bit RSA private key................................++++++...............................................++++++writing new private key to './sskajeCA/private/./cakey.pem'Enter PEM pass phrase:Verifying - Enter PEM pass phrase:-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [Beijing]:Locality Name (eg, city) [Beijing]:Organization Name (eg, company) [sskaje]:Organizational Unit Name (eg, section) []:CACommon Name (e.g. server FQDN or YOUR name) []:ROOT CAEmail Address []:sskaje@gmail.com Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:Using configuration from openssl.cnfEnter pass phrase for ./sskajeCA/private/./cakey.pem:Check that the request matches the signatureSignature okCertificate Details: Serial Number: 17038692882132797139 (0xec7598e6c48086d3) Validity Not Before: Feb 2 14:18:33 2014 GMT Not After : Feb 1 14:18:33 2017 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = sskaje organizationalUnitName = CA commonName = ROOT CA emailAddress = sskaje@gmail.com X509v3 extensions: X509v3 Subject Key Identifier: 4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5 X509v3 Authority Key Identifier: keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5 X509v3 Basic Constraints: CA:TRUECertificate is to be certified until Feb 1 14:18:33 2017 GMT (1095 days) Write out database with 1 new entriesData Base Updated
Create new request
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key ................................++++++ ...............................................++++++ writing new private key to './sskajeCA/private/./cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [Beijing]: Locality Name (eg, city) [Beijing]: Organization Name (eg, company) [sskaje]: Organizational Unit Name (eg, section) []:CA Common Name (e.g. server FQDN or YOUR name) []:ROOT CA Email Address []:sskaje@gmail.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from openssl.cnf Enter pass phrase for ./sskajeCA/private/./cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 17038692882132797139 (0xec7598e6c48086d3) Validity Not Before: Feb 2 14:18:33 2014 GMT Not After : Feb 1 14:18:33 2017 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = sskaje organizationalUnitName = CA commonName = ROOT CA emailAddress = sskaje@gmail.com X509v3 extensions: X509v3 Subject Key Identifier: 4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5 X509v3 Authority Key Identifier: keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5 X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Feb 1 14:18:33 2017 GMT (1095 days) Write out database with 1 new entries Data Base Updated |
Create new request
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -newreq Generating a 1024 bit RSA private key .++++++ ...............++++++ writing new private key to 'newkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [Beijing]: Locality Name (eg, city) [Beijing]: Organization Name (eg, company) [sskaje]: Organizational Unit Name (eg, section) []:VPN Common Name (e.g. server FQDN or YOUR name) []:ipsec.sskaje.me Email Address []:sskaje@gmail.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request is in newreq.pem, private key is in newkey.pem sskajetekiMacBook-Pro:CA sskaje$ ll total 56 -rwxr-xr-x 1 sskaje staff 5178 Feb 2 22:18 CA.sh -rw-r--r-- 1 sskaje staff 1041 Feb 2 22:27 newkey.pem -rw-r--r-- 1 sskaje staff 700 Feb 2 22:27 newreq.pem -rw-r--r-- 1 sskaje staff 10850 Feb 2 22:13 openssl.cnf drwxr-xr-x 14 sskaje staff 476 Feb 2 22:23 sskajeCA |
Sign the request
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 |
sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -signreq Using configuration from openssl.cnf Enter pass phrase for ./sskajeCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 17038692882132797141 (0xec7598e6c48086d5) Validity Not Before: Feb 2 14:29:30 2014 GMT Not After : Feb 2 14:29:30 2015 GMT Subject: countryName = CN stateOrProvinceName = Beijing localityName = Beijing organizationName = sskaje organizationalUnitName = VPN commonName = ipsec.sskaje.me emailAddress = sskaje@gmail.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AF:9A:DE:68:B7:FF:BF:88:56:EC:85:A6:B6:73:EA:0F:25:5B:DA:FE X509v3 Authority Key Identifier: keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5 Certificate is to be certified until Feb 2 14:29:30 2015 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Certificate: Data: Version: 3 (0x2) Serial Number: 17038692882132797141 (0xec7598e6c48086d5) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN, ST=Beijing, O=sskaje, OU=CA, CN=ROOT CA/emailAddress=sskaje@gmail.com Validity Not Before: Feb 2 14:29:30 2014 GMT Not After : Feb 2 14:29:30 2015 GMT Subject: C=CN, ST=Beijing, L=Beijing, O=sskaje, OU=VPN, CN=ipsec.sskaje.me/emailAddress=sskaje@gmail.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:f0:fa:e1:40:ab:29:21:fb:1f:a2:50:04:18:48: 26:65:4a:c1:5e:5f:4e:f2:ab:17:c0:02:99:94:47: 0b:3f:2a:e1:7a:5f:a9:37:64:87:64:01:49:39:59: b7:d4:be:51:fc:c1:67:a3:f7:8c:67:de:bb:f3:c1: 8e:5f:d2:7d:41:ec:87:c4:f3:07:a7:c8:bc:ef:9d: 10:02:86:39:e6:2a:bb:55:4a:60:31:76:87:17:99: 8e:ff:37:cc:9d:fd:2e:7f:53:99:39:ad:d4:c5:fa: 3d:70:04:a2:d1:b3:da:3f:f0:e8:46:86:2b:4a:bb: 09:c1:cc:8f:ad:e0:e6:dc:73 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AF:9A:DE:68:B7:FF:BF:88:56:EC:85:A6:B6:73:EA:0F:25:5B:DA:FE X509v3 Authority Key Identifier: keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5 Signature Algorithm: sha1WithRSAEncryption 45:0e:f8:1a:93:fb:18:1a:41:09:a6:0c:e4:52:42:2a:01:33: b5:94:63:71:41:1a:3c:c7:06:28:35:5f:bf:cd:52:1f:d2:6a: b2:1d:f0:1f:2c:56:33:5e:ab:10:ab:16:62:36:b7:2f:10:73: 99:01:71:4c:bf:eb:60:a0:d5:3f:07:6e:c2:f1:72:27:bf:0f: 16:93:65:5d:ac:7b:49:c2:46:76:7b:f4:8e:3a:f4:f7:e1:61: 38:0c:f2:0f:8f:e2:de:10:81:ef:0b:6f:7f:59:21:49:da:35: 50:fd:c5:f5:8c:d0:d6:0a:c9:40:ab:9d:72:bc:bc:d0:c3:5a: d3:b1 -----BEGIN CERTIFICATE----- MIIC9TCCAl6gAwIBAgIJAOx1mObEgIbVMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV BAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMQ8wDQYDVQQKDAZzc2thamUxCzAJBgNV BAsMAkNBMRAwDgYDVQQDDAdST09UIENBMR8wHQYJKoZIhvcNAQkBFhBzc2thamVA Z21haWwuY29tMB4XDTE0MDIwMjE0MjkzMFoXDTE1MDIwMjE0MjkzMFowgYsxCzAJ BgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ8w DQYDVQQKDAZzc2thamUxDDAKBgNVBAsMA1ZQTjEYMBYGA1UEAwwPaXBzZWMuc3Nr YWplLm1lMR8wHQYJKoZIhvcNAQkBFhBzc2thamVAZ21haWwuY29tMIGfMA0GCSqG SIb3DQEBAQUAA4GNADCBiQKBgQDw+uFAqykh+x+iUAQYSCZlSsFeX07yqxfAApmU Rws/KuF6X6k3ZIdkAUk5WbfUvlH8wWej94xn3rvzwY5f0n1B7IfE8wenyLzvnRAC hjnmKrtVSmAxdocXmY7/N8yd/S5/U5k5rdTF+j1wBKLRs9o/8OhGhitKuwnBzI+t 4ObccwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUr5reaLf/v4hW7IWmtnPq DyVb2v4wHwYDVR0jBBgwFoAUTsdBatP7Xi5hk6dhtBJXZqRKGsUwDQYJKoZIhvcN AQEFBQADgYEARQ74GpP7GBpBCaYM5FJCKgEztZRjcUEaPMcGKDVfv81SH9Jqsh3w HyxWM16rEKsWYja3LxBzmQFxTL/rYKDVPwduwvFyJ78PFpNlXax7ScJGdnv0jjr0 9+FhOAzyD4/i3hCB7wtvf1khSdo1UP3F9YzQ1grJQKudcry80MNa07E= -----END CERTIFICATE----- Signed certificate is in newcert.pem |
Create The Server Certificate
As it’s said in the link:
Apple clients require that the servers certificate subjectAltName attribute contain either the server IP address or server DNS name. To ensure the server certificate contains the subjectAltName attribute edit the openssl.cnf and set it under the [ usr_cert ] section
1 |
cp openssl.cnf vpnserver.openssl.cnf |
And add
1 |
subjectAltName=DNS:ipsec.sskaje.me |
to vpnserver.openssl.cnf under [usr_cert]
Create certificate and sign like commands above
1 2 3 4 5 6 7 8 9 10 |
SSLEAY_CONFIG='-config vpnserver.openssl.cnf' ./CA.sh -newreq SSLEAY_CONFIG='-config vpnserver.openssl.cnf' ./CA.sh -signreq # rename mv newcert.pem ipsec.sskaje.me.pem mv newkey.pem ipsec.sskaje.me.key mv newreq.pem ipsec.sskaje.me.req # scp to server scp ipsec.sskaje.me.pem root@rst.im:/etc/ipsec.d/certs/ scp ipsec.sskaje.me.key root@rst.im:/etc/ipsec.d/private/ scp sskajeCA/cacert.pem root@rst.im:/etc/ipsec.d/cacerts/ |
Generate crl
1 2 3 |
echo 00 > sskajeCA/crlnumber openssl ca -gencrl -config openssl.cnf -out sskajeCA/crl/crl.pem scp sskajeCA/crl/crl.pem root@rst.im:/etc/ipsec.d/crls/ |
Add private key password to /etc/ipsec.secrets
1 |
: RSA /etc/ipsec.d/private/ipsec.sskaje.me.key "123456" |
replace “123456” with your private key password.
Error encountered: ‘“/etc/ipsec.secrets” line 12: error loading RSA private key file
Just remove the encryption of the private key:
1 |
openssl rsa -in /etc/ipsec.d/private/ipsec.sskaje.me.key -out /etc/ipsec.d/private/ipsec.sskaje.me.new.key |
and add this line:
1 |
: RSA /etc/ipsec.d/private/ipsec.sskaje.me.new.key |
Create Client Config
Create Client Certificates
Create another copy of openssl.cnf to vpnclient.openssl.cnf, use
1 |
subjectAltName=DNS:client.sskaje.me |
Then create certificates
1 2 3 4 5 6 7 8 9 10 |
SSLEAY_CONFIG='-config vpnclient.openssl.cnf' ./CA.sh -newreq SSLEAY_CONFIG='-config vpnclient.openssl.cnf' ./CA.sh -signreq mv newcert.pem client.sskaje.me.pem mv newkey.pem client.sskaje.me.key mv newreq.pem client.sskaje.me.req # create p12 for iOS openssl pkcs12 -export -in client.sskaje.me.pem -inkey client.sskaje.me.key -certfile sskajeCA/cacert.pem -out client.sskaje.me.p12 # upload client certs to server scp client.sskaje.me.pem root@rst.im:/etc/ipsec.d/certs/ scp client.sskaje.me.key root@rst.im:/etc/ipsec.d/private/ |
Deploy PKCS12 to iPhone
I tried iPhone Configuration Utility, but it seems IPCU does not support installing configurations to iOS 7. So let’s try Apple Configurator.
Run Apple Configurator, in this page choose Install Profiles…
Connect iPhone. Next
Click New… to create new profile
Add some descriptions
Scroll on the left, choose Certificates
Find the client certificate .p12 file, and fill the password
Configure VPN:
Connection Type=’IPSec (Cisco)’
Server=’ipsec.sskaje.me’
Leave ‘Account’ empty
Machine Authentication=’Certificate’
Choose previously uploaded certificate
Save profile, Save Anyway
Install Profile
Configure Username/Password from iPhone
Configure VPN Server
/etc/ipsec.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
config setup nat_traversal=yes charonstart=yes plutostart=yes conn %default left=%defaultroute conn ios_ipsec_vpn leftcert=ipsec.sskaje.me.pem leftid=@ipsec.sskaje.me keyexchange=ikev1 authby=xauthrsasig xauth=server left=%defaultroute leftsubnet=0.0.0.0/0 leftfirewall=yes right=%any rightsubnet=10.0.0.0/24 rightsourceip=10.0.0.0/24 rightcert=client.sskaje.me.pem pfs=no auto=add |
/etc/strongswan.conf
1 2 3 |
pluto { dns1 = 8.8.8.8 } |
Add User
Add a user/pass pair to /etc/ipsec.secrets
1 |
sskaje : XAUTH "12345678" |
/etc/sysctl.conf
1 |
net.ipv4.ip_forward = 1 |
Trouble Shooting
If you see this in iOS console log:
1 2 3 4 5 6 |
Feb 3 00:42:50 XXX racoon[4072] <Error>: Error evaluating certificate. Feb 3 00:42:50 XXX racoon[4072] <Error>: ---------------Returned error strings: ---------------. Feb 3 00:42:50 XXX racoon[4072] <Error>: type = error. Feb 3 00:42:50 XXX racoon[4072] <Error>: value = Root certificate is not trusted.. Feb 3 00:42:50 XXX racoon[4072] <Error>: -----------------------------------------------------. Feb 3 00:42:50 XXX racoon[4072] <Error>: the peer's certificate is not verified. |
copy cacert.pem to a web root and visit from iOS Safari, install your CA cert.