On 12/24/2017 12:59 PM, Tom Eastep wrote:

> After a bit of a hassle with certs, I got it working.
>
> a) I used the StrongSwan Simple CA
> (https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) to
> generate my certs, with a subjectAltName. The subjectAltName of the
> local endpoint is gateway.shorewall.net. On the Android, that must be
> placed in the Server Identity setting (Advanced Settings). I imported my
> CA cert separately (shows up under 'Imported' on the Android).
>
> b) Local Endpoint Configuration:
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=3
>     keyexchange=ikev2
>     authby=pubkey
>
> conn ipv4
>     left=70.90.191.121
>     leftid=gateway.shorewall.net
>     leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31
>     leftcert=gatewayCert.der
>     right=%any
>     rightsourceip=172.20.3.0/24
>     rightdns=172.20.1.253
>     auto=add
>
> c) Android configuration:
>
> Server: 70.90.191.121
> VPN Type: IKEv2 Certificate
> User certificate: (CN=phone,O=Shorewall,C=US)
> Ca certificate: Imported CA cert
> Profile name: Shorewall IPv4
> Server Identity: gateway.shorewall.net
>
> -Tom

I'll be darned, it can actually work.  Thank you Tom.

I'm following the same track, and have now gone to the absurd lengths to 
manually gen certs.  It all distills down to these simple commands:
# cd /etc/strongswan/ipsec.d
# strongswan pki --gen --size 4096 > private/caKey.der
Self-sign a CA certificate using the generated key:
# strongswan pki --self --in private/caKey.der \
    --dn "C=US, O=Quantum, CN=Quantum CA" --ca > certs/caCert.der
The CA is now ready to issue end-entity certificates.
For each peer, i.e. for all VPN clients and VPN gateways, generate an individual
private key and issue a matching certificate using the new CA:
# strongswan pki --gen --size 4096 > private/quantumKey.der
# strongswan pki --pub --in private/quantumKey.der | strongswan pki --issue \
    --cacert certs/caCert.der --cakey private/caKey.der --san quantum-equities.com \
    --dn "C=US, O=Quantum, CN=quantum-equities.com" > certs/quantumCert.der

I'm now ready to try and set up the Android app.  I wasn't able to import a 
.pem cert, but maybe it'll let me import a .der cert.
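
The point both posts turn on is that the Server Identity the client is told to expect must equal the subjectAltName the CA put into the gateway certificate (Tom's gateway.shorewall.net, the --san value in the commands above), and that both the gateway and client certificates must chain to the CA the phone imports. The script below is an added example, not code from Tom's or this poster's messages. It rebuilds the same layout (CA, gateway cert with a DNS SAN, client cert with CN=phone) with openssl in place of `strongswan pki` so it runs wherever openssl is installed, then performs the identity and chain checks a client does. Every name, DN and address in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Mirrors the thread's PKI with openssl
# (swapped in for `strongswan pki`) and checks that the identity the client expects
# equals the gateway cert's DNS subjectAltName. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
GATEWAY_ID="gateway.example.test"   # constructed; stands in for gateway.shorewall.net
GATEWAY_IP="192.0.2.1"              # constructed documentation-range address

make_pki() {
    # CA: private key plus self-signed certificate (what the client imports as "CA certificate")
    openssl genrsa -out "$WORK/caKey.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/caKey.pem" -days 3650 \
        -subj "/C=US/O=Example/CN=Example CA" -out "$WORK/caCert.pem" 2>/dev/null

    # Gateway: key, CSR, and a CA-issued cert whose SAN is the IKE identity (leftid)
    openssl genrsa -out "$WORK/gatewayKey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/gatewayKey.pem" \
        -subj "/C=US/O=Example/CN=$GATEWAY_ID" -out "$WORK/gateway.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$GATEWAY_ID" \
        > "$WORK/gateway.ext"
    openssl x509 -req -in "$WORK/gateway.csr" -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" \
        -CAcreateserial -days 365 -extfile "$WORK/gateway.ext" \
        -out "$WORK/gatewayCert.pem" 2>/dev/null

    # Client: key plus CA-issued cert with CN=phone (the Android "User certificate"); no SAN
    openssl genrsa -out "$WORK/phoneKey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/phoneKey.pem" \
        -subj "/C=US/O=Example/CN=phone" -out "$WORK/phone.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/phone.csr" -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" \
        -CAcreateserial -days 365 -out "$WORK/phoneCert.pem" 2>/dev/null
}

# Print the DNS names in a certificate's subjectAltName, one per line (empty if none).
cert_san_dns() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' \
        | sed -n 's/^ *DNS:\([^ ]*\).*$/\1/p'
}

# Succeeds only if the identity the client expects is one of the cert's DNS SANs.
identity_matches() {
    cert="$1"; expected="$2"
    cert_san_dns "$cert" | grep -qx "$expected"
}

# Succeeds only if the certificate chains to the CA the client imported.
verify_chain() {
    openssl verify -CAfile "$WORK/caCert.pem" "$1" >/dev/null 2>&1
}

# Stand-alone run: build the PKI and report the checks as the client would see them.
main() {
    make_pki
    if identity_matches "$WORK/gatewayCert.pem" "$GATEWAY_ID"; then
        echo "Server Identity '$GATEWAY_ID' matches the gateway SAN"
    fi
    if ! identity_matches "$WORK/gatewayCert.pem" "$GATEWAY_IP"; then
        echo "Server Identity '$GATEWAY_IP' does NOT match: SAN is a DNS name, use $GATEWAY_ID"
    fi
    verify_chain "$WORK/gatewayCert.pem" && echo "gateway cert chains to the CA"
    verify_chain "$WORK/phoneCert.pem" && echo "client cert chains to the CA"
}

main
```

The second check is the failure mode Tom ran into: the Server field holds the IP, but the certificate only carries a DNS SAN, so the Server Identity must be set to the DNS name (or the certificate must also carry an IP SAN). With strongswan's own tool the same inspection is `strongswan pki --print --in certs/gatewayCert.der`, which lists the subjectAltNames to compare against the Server Identity field.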
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users