iOS IPSec VPN Server on Ubuntu

By @sskaje
Link: https://sskaje.me/2014/02/ios-ipsec-vpn-server-on-ubuntu/

I Google-ed a lot configuring IPSec VPN for iOS with OpenSwan, nothing useful but Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6 which is on RHEL/CentOS and with strongswan found. I tried to configure openswan like strong swan, failed.

StrongSwan‘s official wiki helps a lot: http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)/23

iOS 4 and newer supports native IPsec VPN via IKEv1 (otherwise referred to as Cisco IPSec in iOS) and is able to interoperate with strongSwan.

Environment

Work station

OS X 10.9
openssl from macports(OpenSSL 1.0.1f 6 Jan 2014).
Apple Configurator

VPN Server

Ubuntu 13.10
StrongSwan

Client

iPhone
iOS 7.0.5

Certificate Authority

Preparement

mkdir ~/Work/CA
cd ~/Work/CA
cp /opt/local/etc/openssl/misc/CA.sh . 
cp /opt/local/etc/openssl/openssl.cnf .

mkdir ~/Work/CA

cd ~/Work/CA

cp /opt/local/etc/openssl/misc/CA.sh .

cp /opt/local/etc/openssl/openssl.cnf .

# change CA.sh:

PKCS12="$OPENSSL pkcs12"
...
if [ -z "$CATOP" ] ; then CATOP=./sskajeCA ; fi

PKCS12="$OPENSSL pkcs12"

...

if [ -z "$CATOP" ] ; then CATOP=./sskajeCA ; fi

Create New CA

sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key ................................++++++ ...............................................++++++ writing new private key to './sskajeCA/private/./cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [Beijing]: Locality Name (eg, city) [Beijing]: Organization Name (eg, company) [sskaje]: Organizational Unit Name (eg, section) []:CA Common Name (e.g. server FQDN or YOUR name) []:ROOT CA Email Address []:sskaje@gmail.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from openssl.cnf Enter pass phrase for ./sskajeCA/private/./cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 17038692882132797139 (0xec7598e6c48086d3) Validity Not Before: Feb 2 14:18:33 2014 GMT Not After : Feb 1 14:18:33 2017 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = sskaje organizationalUnitName = CA commonName = ROOT CA emailAddress = sskaje@gmail.com X509v3 extensions: X509v3 Subject Key Identifier: 4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5 X509v3 Authority Key Identifier: keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5 X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Feb 1 14:18:33 2017 GMT (1095 days) Write out database with 1 new entries Data Base Updated

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
................................++++++
...............................................++++++
writing new private key to './sskajeCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [sskaje]:
Organizational Unit Name (eg, section) []:CA
Common Name (e.g. server FQDN or YOUR name) []:ROOT CA
Email Address []:sskaje@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Enter pass phrase for ./sskajeCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 17038692882132797139 (0xec7598e6c48086d3)
        Validity
            Not Before: Feb  2 14:18:33 2014 GMT
            Not After : Feb  1 14:18:33 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = sskaje
            organizationalUnitName    = CA
            commonName                = ROOT CA
            emailAddress              = sskaje@gmail.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5
            X509v3 Authority Key Identifier:
                keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  1 14:18:33 2017 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Create new request

sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -newreq
Generating a 1024 bit RSA private key
.++++++
...............++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [sskaje]:
Organizational Unit Name (eg, section) []:VPN
Common Name (e.g. server FQDN or YOUR name) []:ipsec.sskaje.me
Email Address []:sskaje@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
sskajetekiMacBook-Pro:CA sskaje$ ll
total 56
-rwxr-xr-x   1 sskaje  staff   5178 Feb  2 22:18 CA.sh
-rw-r--r--   1 sskaje  staff   1041 Feb  2 22:27 newkey.pem
-rw-r--r--   1 sskaje  staff    700 Feb  2 22:27 newreq.pem
-rw-r--r--   1 sskaje  staff  10850 Feb  2 22:13 openssl.cnf
drwxr-xr-x  14 sskaje  staff    476 Feb  2 22:23 sskajeCA

sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -newreq

Generating a 1024 bit RSA private key

.++++++

...............++++++

writing new private key to 'newkey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [Beijing]:

Locality Name (eg, city) [Beijing]:

Organization Name (eg, company) [sskaje]:

Organizational Unit Name (eg, section) []:VPN

Common Name (e.g. server FQDN or YOUR name) []:ipsec.sskaje.me

Email Address []:sskaje@gmail.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Request is in newreq.pem, private key is in newkey.pem

sskajetekiMacBook-Pro:CA sskaje$ ll

total 56

-rwxr-xr-x 1 sskaje staff 5178 Feb 2 22:18 CA.sh

-rw-r--r-- 1 sskaje staff 1041 Feb 2 22:27 newkey.pem

-rw-r--r-- 1 sskaje staff 700 Feb 2 22:27 newreq.pem

-rw-r--r-- 1 sskaje staff 10850 Feb 2 22:13 openssl.cnf

drwxr-xr-x 14 sskaje staff 476 Feb 2 22:23 sskajeCA

Sign the request

sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -signreq
Using configuration from openssl.cnf
Enter pass phrase for ./sskajeCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 17038692882132797141 (0xec7598e6c48086d5)
        Validity
            Not Before: Feb  2 14:29:30 2014 GMT
            Not After : Feb  2 14:29:30 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            localityName              = Beijing
            organizationName          = sskaje
            organizationalUnitName    = VPN
            commonName                = ipsec.sskaje.me
            emailAddress              = sskaje@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                AF:9A:DE:68:B7:FF:BF:88:56:EC:85:A6:B6:73:EA:0F:25:5B:DA:FE
            X509v3 Authority Key Identifier: 
                keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5

Certificate is to be certified until Feb  2 14:29:30 2015 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17038692882132797141 (0xec7598e6c48086d5)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Beijing, O=sskaje, OU=CA, CN=ROOT CA/emailAddress=sskaje@gmail.com
        Validity
            Not Before: Feb  2 14:29:30 2014 GMT
            Not After : Feb  2 14:29:30 2015 GMT
        Subject: C=CN, ST=Beijing, L=Beijing, O=sskaje, OU=VPN, CN=ipsec.sskaje.me/emailAddress=sskaje@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:f0:fa:e1:40:ab:29:21:fb:1f:a2:50:04:18:48:
                    26:65:4a:c1:5e:5f:4e:f2:ab:17:c0:02:99:94:47:
                    0b:3f:2a:e1:7a:5f:a9:37:64:87:64:01:49:39:59:
                    b7:d4:be:51:fc:c1:67:a3:f7:8c:67:de:bb:f3:c1:
                    8e:5f:d2:7d:41:ec:87:c4:f3:07:a7:c8:bc:ef:9d:
                    10:02:86:39:e6:2a:bb:55:4a:60:31:76:87:17:99:
                    8e:ff:37:cc:9d:fd:2e:7f:53:99:39:ad:d4:c5:fa:
                    3d:70:04:a2:d1:b3:da:3f:f0:e8:46:86:2b:4a:bb:
                    09:c1:cc:8f:ad:e0:e6:dc:73
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                AF:9A:DE:68:B7:FF:BF:88:56:EC:85:A6:B6:73:EA:0F:25:5B:DA:FE
            X509v3 Authority Key Identifier: 
                keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5

    Signature Algorithm: sha1WithRSAEncryption
         45:0e:f8:1a:93:fb:18:1a:41:09:a6:0c:e4:52:42:2a:01:33:
         b5:94:63:71:41:1a:3c:c7:06:28:35:5f:bf:cd:52:1f:d2:6a:
         b2:1d:f0:1f:2c:56:33:5e:ab:10:ab:16:62:36:b7:2f:10:73:
         99:01:71:4c:bf:eb:60:a0:d5:3f:07:6e:c2:f1:72:27:bf:0f:
         16:93:65:5d:ac:7b:49:c2:46:76:7b:f4:8e:3a:f4:f7:e1:61:
         38:0c:f2:0f:8f:e2:de:10:81:ef:0b:6f:7f:59:21:49:da:35:
         50:fd:c5:f5:8c:d0:d6:0a:c9:40:ab:9d:72:bc:bc:d0:c3:5a:
         d3:b1
-----BEGIN CERTIFICATE-----
MIIC9TCCAl6gAwIBAgIJAOx1mObEgIbVMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
BAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMQ8wDQYDVQQKDAZzc2thamUxCzAJBgNV
BAsMAkNBMRAwDgYDVQQDDAdST09UIENBMR8wHQYJKoZIhvcNAQkBFhBzc2thamVA
Z21haWwuY29tMB4XDTE0MDIwMjE0MjkzMFoXDTE1MDIwMjE0MjkzMFowgYsxCzAJ
BgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ8w
DQYDVQQKDAZzc2thamUxDDAKBgNVBAsMA1ZQTjEYMBYGA1UEAwwPaXBzZWMuc3Nr
YWplLm1lMR8wHQYJKoZIhvcNAQkBFhBzc2thamVAZ21haWwuY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQDw+uFAqykh+x+iUAQYSCZlSsFeX07yqxfAApmU
Rws/KuF6X6k3ZIdkAUk5WbfUvlH8wWej94xn3rvzwY5f0n1B7IfE8wenyLzvnRAC
hjnmKrtVSmAxdocXmY7/N8yd/S5/U5k5rdTF+j1wBKLRs9o/8OhGhitKuwnBzI+t
4ObccwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUr5reaLf/v4hW7IWmtnPq
DyVb2v4wHwYDVR0jBBgwFoAUTsdBatP7Xi5hk6dhtBJXZqRKGsUwDQYJKoZIhvcN
AQEFBQADgYEARQ74GpP7GBpBCaYM5FJCKgEztZRjcUEaPMcGKDVfv81SH9Jqsh3w
HyxWM16rEKsWYja3LxBzmQFxTL/rYKDVPwduwvFyJ78PFpNlXax7ScJGdnv0jjr0
9+FhOAzyD4/i3hCB7wtvf1khSdo1UP3F9YzQ1grJQKudcry80MNa07E=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -signreq

Using configuration from openssl.cnf

Enter pass phrase for ./sskajeCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 17038692882132797141 (0xec7598e6c48086d5)

Validity

Not Before: Feb 2 14:29:30 2014 GMT

Not After : Feb 2 14:29:30 2015 GMT

Subject:

countryName = CN

stateOrProvinceName = Beijing

localityName = Beijing

organizationName = sskaje

organizationalUnitName = VPN

commonName = ipsec.sskaje.me

emailAddress = sskaje@gmail.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

AF:9A:DE:68:B7:FF:BF:88:56:EC:85:A6:B6:73:EA:0F:25:5B:DA:FE

X509v3 Authority Key Identifier:

keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5

Certificate is to be certified until Feb 2 14:29:30 2015 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 17038692882132797141 (0xec7598e6c48086d5)

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=CN, ST=Beijing, O=sskaje, OU=CA, CN=ROOT CA/emailAddress=sskaje@gmail.com

Validity

Not Before: Feb 2 14:29:30 2014 GMT

Not After : Feb 2 14:29:30 2015 GMT

Subject: C=CN, ST=Beijing, L=Beijing, O=sskaje, OU=VPN, CN=ipsec.sskaje.me/emailAddress=sskaje@gmail.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (1024 bit)

Modulus:

00:f0:fa:e1:40:ab:29:21:fb:1f:a2:50:04:18:48:

26:65:4a:c1:5e:5f:4e:f2:ab:17:c0:02:99:94:47:

0b:3f:2a:e1:7a:5f:a9:37:64:87:64:01:49:39:59:

b7:d4:be:51:fc:c1:67:a3:f7:8c:67:de:bb:f3:c1:

8e:5f:d2:7d:41:ec:87:c4:f3:07:a7:c8:bc:ef:9d:

10:02:86:39:e6:2a:bb:55:4a:60:31:76:87:17:99:

8e:ff:37:cc:9d:fd:2e:7f:53:99:39:ad:d4:c5:fa:

3d:70:04:a2:d1:b3:da:3f:f0:e8:46:86:2b:4a:bb:

09:c1:cc:8f:ad:e0:e6:dc:73

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

AF:9A:DE:68:B7:FF:BF:88:56:EC:85:A6:B6:73:EA:0F:25:5B:DA:FE

X509v3 Authority Key Identifier:

keyid:4E:C7:41:6A:D3:FB:5E:2E:61:93:A7:61:B4:12:57:66:A4:4A:1A:C5

Signature Algorithm: sha1WithRSAEncryption

45:0e:f8:1a:93:fb:18:1a:41:09:a6:0c:e4:52:42:2a:01:33:

b5:94:63:71:41:1a:3c:c7:06:28:35:5f:bf:cd:52:1f:d2:6a:

b2:1d:f0:1f:2c:56:33:5e:ab:10:ab:16:62:36:b7:2f:10:73:

99:01:71:4c:bf:eb:60:a0:d5:3f:07:6e:c2:f1:72:27:bf:0f:

16:93:65:5d:ac:7b:49:c2:46:76:7b:f4:8e:3a:f4:f7:e1:61:

38:0c:f2:0f:8f:e2:de:10:81:ef:0b:6f:7f:59:21:49:da:35:

50:fd:c5:f5:8c:d0:d6:0a:c9:40:ab:9d:72:bc:bc:d0:c3:5a:

d3:b1

-----BEGIN CERTIFICATE-----

MIIC9TCCAl6gAwIBAgIJAOx1mObEgIbVMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV

BAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMQ8wDQYDVQQKDAZzc2thamUxCzAJBgNV

BAsMAkNBMRAwDgYDVQQDDAdST09UIENBMR8wHQYJKoZIhvcNAQkBFhBzc2thamVA

Z21haWwuY29tMB4XDTE0MDIwMjE0MjkzMFoXDTE1MDIwMjE0MjkzMFowgYsxCzAJ

BgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ8w

DQYDVQQKDAZzc2thamUxDDAKBgNVBAsMA1ZQTjEYMBYGA1UEAwwPaXBzZWMuc3Nr

YWplLm1lMR8wHQYJKoZIhvcNAQkBFhBzc2thamVAZ21haWwuY29tMIGfMA0GCSqG

SIb3DQEBAQUAA4GNADCBiQKBgQDw+uFAqykh+x+iUAQYSCZlSsFeX07yqxfAApmU

Rws/KuF6X6k3ZIdkAUk5WbfUvlH8wWej94xn3rvzwY5f0n1B7IfE8wenyLzvnRAC

hjnmKrtVSmAxdocXmY7/N8yd/S5/U5k5rdTF+j1wBKLRs9o/8OhGhitKuwnBzI+t

4ObccwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM

IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUr5reaLf/v4hW7IWmtnPq

DyVb2v4wHwYDVR0jBBgwFoAUTsdBatP7Xi5hk6dhtBJXZqRKGsUwDQYJKoZIhvcN

AQEFBQADgYEARQ74GpP7GBpBCaYM5FJCKgEztZRjcUEaPMcGKDVfv81SH9Jqsh3w

HyxWM16rEKsWYja3LxBzmQFxTL/rYKDVPwduwvFyJ78PFpNlXax7ScJGdnv0jjr0

9+FhOAzyD4/i3hCB7wtvf1khSdo1UP3F9YzQ1grJQKudcry80MNa07E=

-----END CERTIFICATE-----

Signed certificate is in newcert.pem

Create The Server Certificate

As it’s said in the link:

Apple clients require that the servers certificate subjectAltName attribute contain either the server IP address or server DNS name. To ensure the server certificate contains the subjectAltName attribute edit the openssl.cnf and set it under the [ usr_cert ] section

cp openssl.cnf vpnserver.openssl.cnf

1	cp openssl.cnf vpnserver.openssl.cnf

And add

subjectAltName=DNS:ipsec.sskaje.me

1	subjectAltName=DNS:ipsec.sskaje.me

to vpnserver.openssl.cnf under [usr_cert]
Create certificate and sign like commands above

SSLEAY_CONFIG='-config vpnserver.openssl.cnf' ./CA.sh -newreq
SSLEAY_CONFIG='-config vpnserver.openssl.cnf' ./CA.sh -signreq
# rename 
mv newcert.pem ipsec.sskaje.me.pem
mv newkey.pem ipsec.sskaje.me.key
mv newreq.pem ipsec.sskaje.me.req
# scp to server
scp ipsec.sskaje.me.pem root@rst.im:/etc/ipsec.d/certs/
scp ipsec.sskaje.me.key root@rst.im:/etc/ipsec.d/private/
scp sskajeCA/cacert.pem root@rst.im:/etc/ipsec.d/cacerts/

SSLEAY_CONFIG='-config vpnserver.openssl.cnf' ./CA.sh -newreq

SSLEAY_CONFIG='-config vpnserver.openssl.cnf' ./CA.sh -signreq

# rename

mv newcert.pem ipsec.sskaje.me.pem

mv newkey.pem ipsec.sskaje.me.key

mv newreq.pem ipsec.sskaje.me.req

# scp to server

scp ipsec.sskaje.me.pem root@rst.im:/etc/ipsec.d/certs/

scp ipsec.sskaje.me.key root@rst.im:/etc/ipsec.d/private/

scp sskajeCA/cacert.pem root@rst.im:/etc/ipsec.d/cacerts/

Generate crl

echo 00 > sskajeCA/crlnumber
openssl ca -gencrl -config openssl.cnf -out sskajeCA/crl/crl.pem
scp sskajeCA/crl/crl.pem root@rst.im:/etc/ipsec.d/crls/

echo 00 > sskajeCA/crlnumber

openssl ca -gencrl -config openssl.cnf -out sskajeCA/crl/crl.pem

scp sskajeCA/crl/crl.pem root@rst.im:/etc/ipsec.d/crls/

Add private key password to /etc/ipsec.secrets

: RSA /etc/ipsec.d/private/ipsec.sskaje.me.key "123456"

1	: RSA /etc/ipsec.d/private/ipsec.sskaje.me.key "123456"

replace “123456” with your private key password.
Error encountered: ‘“/etc/ipsec.secrets” line 12: error loading RSA private key file
Just remove the encryption of the private key:

openssl rsa -in /etc/ipsec.d/private/ipsec.sskaje.me.key -out /etc/ipsec.d/private/ipsec.sskaje.me.new.key

1	openssl rsa -in /etc/ipsec.d/private/ipsec.sskaje.me.key -out /etc/ipsec.d/private/ipsec.sskaje.me.new.key

and add this line:

: RSA /etc/ipsec.d/private/ipsec.sskaje.me.new.key

1	: RSA /etc/ipsec.d/private/ipsec.sskaje.me.new.key

Create Client Config

Create Client Certificates

Create another copy of openssl.cnf to vpnclient.openssl.cnf, use

subjectAltName=DNS:client.sskaje.me

1	subjectAltName=DNS:client.sskaje.me

Then create certificates

SSLEAY_CONFIG='-config vpnclient.openssl.cnf' ./CA.sh -newreq
SSLEAY_CONFIG='-config vpnclient.openssl.cnf' ./CA.sh -signreq
mv newcert.pem client.sskaje.me.pem
mv newkey.pem client.sskaje.me.key
mv newreq.pem client.sskaje.me.req
# create p12 for iOS
openssl pkcs12 -export -in client.sskaje.me.pem -inkey client.sskaje.me.key -certfile sskajeCA/cacert.pem -out client.sskaje.me.p12
# upload client certs to server
scp client.sskaje.me.pem root@rst.im:/etc/ipsec.d/certs/
scp client.sskaje.me.key root@rst.im:/etc/ipsec.d/private/

SSLEAY_CONFIG='-config vpnclient.openssl.cnf' ./CA.sh -newreq

SSLEAY_CONFIG='-config vpnclient.openssl.cnf' ./CA.sh -signreq

mv newcert.pem client.sskaje.me.pem

mv newkey.pem client.sskaje.me.key

mv newreq.pem client.sskaje.me.req

# create p12 for iOS

openssl pkcs12 -export -in client.sskaje.me.pem -inkey client.sskaje.me.key -certfile sskajeCA/cacert.pem -out client.sskaje.me.p12

# upload client certs to server

scp client.sskaje.me.pem root@rst.im:/etc/ipsec.d/certs/

scp client.sskaje.me.key root@rst.im:/etc/ipsec.d/private/

Deploy PKCS12 to iPhone

I tried iPhone Configuration Utility, but it seems IPCU does not support installing configurations to iOS 7. So let’s try Apple Configurator.

Run Apple Configurator, in this page choose Install Profiles…

Connect iPhone. Next

Click New… to create new profile

Add some descriptions

Scroll on the left, choose Certificates

Find the client certificate .p12 file, and fill the password

Configure VPN:

Connection Type=’IPSec (Cisco)’
Server=’ipsec.sskaje.me’
Leave ‘Account’ empty
Machine Authentication=’Certificate’
Choose previously uploaded certificate

Save profile, Save Anyway

Install Profile

Configure Username/Password from iPhone

Configure VPN Server

/etc/ipsec.conf

config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

conn %default
    left=%defaultroute

conn ios_ipsec_vpn
    leftcert=ipsec.sskaje.me.pem
    leftid=@ipsec.sskaje.me
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.0/24
    rightcert=client.sskaje.me.pem
    pfs=no
    auto=add

config setup

nat_traversal=yes

charonstart=yes

plutostart=yes

conn %default

left=%defaultroute

conn ios_ipsec_vpn

leftcert=ipsec.sskaje.me.pem

leftid=@ipsec.sskaje.me

keyexchange=ikev1

authby=xauthrsasig

xauth=server

left=%defaultroute

leftsubnet=0.0.0.0/0

leftfirewall=yes

right=%any

rightsubnet=10.0.0.0/24

rightsourceip=10.0.0.0/24

rightcert=client.sskaje.me.pem

pfs=no

auto=add

/etc/strongswan.conf

pluto {
    dns1 = 8.8.8.8
}

pluto {

dns1 = 8.8.8.8

}

Add User

Add a user/pass pair to /etc/ipsec.secrets

sskaje : XAUTH "12345678"

1	sskaje : XAUTH "12345678"

/etc/sysctl.conf

net.ipv4.ip_forward = 1

1	net.ipv4.ip_forward = 1

Trouble Shooting

If you see this in iOS console log:

Feb  3 00:42:50 XXX racoon[4072] <Error>: Error evaluating certificate.
Feb  3 00:42:50 XXX racoon[4072] <Error>: ---------------Returned error strings: ---------------.
Feb  3 00:42:50 XXX racoon[4072] <Error>: type = error.
Feb  3 00:42:50 XXX racoon[4072] <Error>: value = Root certificate is not trusted..
Feb  3 00:42:50 XXX racoon[4072] <Error>: -----------------------------------------------------.
Feb  3 00:42:50 XXX racoon[4072] <Error>: the peer's certificate is not verified.

Feb 3 00:42:50 XXX racoon[4072] <Error>: Error evaluating certificate.

Feb 3 00:42:50 XXX racoon[4072] <Error>: ---------------Returned error strings: ---------------.

Feb 3 00:42:50 XXX racoon[4072] <Error>: type = error.

Feb 3 00:42:50 XXX racoon[4072] <Error>: value = Root certificate is not trusted..

Feb 3 00:42:50 XXX racoon[4072] <Error>: -----------------------------------------------------.

Feb 3 00:42:50 XXX racoon[4072] <Error>: the peer's certificate is not verified.

copy cacert.pem to a web root and visit from iOS Safari, install your CA cert.

iOS IPSec VPN Server on Ubuntu by @sskaje: https://sskaje.me/2014/02/ios-ipsec-vpn-server-on-ubuntu/