On 12/24/2017 02:51 PM, Colony.three via Shorewall-users wrote:
> On 12/24/2017 12:59 PM, Tom Eastep wrote:
>>
>>
>>     After a bit of a hassle with certs, I got it working.
>>      
>>     a) I used the StrongSwan Simple CA
>>     (https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) to
>>     generate my certs, with a subjectAltName. The subjectAltName of the
>>     local endpoint is gateway.shorewall.net. On the Android, that must be
>>     placed in the Server Identity setting (Advanced Settings). I
>>     imported my CA cert separately (shows up under 'Imported' on the Android).
>>      
>>     b) Local Endpoint Configuration:
>>      
>>     conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=3
>>     keyexchange=ikev2
>>     authby=pubkey
>>      
>>     conn ipv4
>>     left=70.90.191.121
>>     leftid=gateway.shorewall.net
>>      
>>     leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31
>>     leftcert=gatewayCert.der
>>     right=%any
>>     rightsourceip=172.20.3.0/24
>>     rightdns=172.20.1.253
>>     auto=add
>>      
>>     c) Android configuration:
>>      
>>     Server: 70.90.191.121
>>     VPN Type: IKEv2 Certificate
>>     User certificate: (CN=phone,O=Shorewall,C=US)
>>     Ca certificate: Imported CA cert
>>     Profile name: Shorewall IPv4
>>     Server Identity: gateway.shorewall.net
>>      
>>     -Tom
>>
> 
> I'll be darned, it can actually work.  Thank you Tom.
> 
> I'm following the same track, and have now gone to the absurd lengths to
> manually gen certs.  It all distills down to these simple commands:
> # cd /etc/strongswan/ipsec.d
> # strongswan pki --gen --size 4096 > private/caKey.der
> Self-sign a CA certificate using the generated key:
> # strongswan pki --self --in private/caKey.der --dn "C=US, O=Quantum, CN=Quantum CA" --ca > certs/caCert.der
> CA is ready to issue end-entity certificates.
> For each peer, i.e. for all VPN clients and VPN gateways, generate an
> individual private key, and issue a matching certificate using the new CA:
> # strongswan pki --gen --size 4096 > private/quantumKey.der
> # strongswan pki --pub --in private/quantumKey.der | strongswan pki --issue --cacert certs/caCert.der --cakey private/caKey.der --san quantum-equities.com --dn "C=US, O=Quantum, CN=quantum-equities.com" > certs/quantumCert.der
> 
> I'm now ready to try and set up the Android app.  I wasn't able to
> import a .pem cert, but maybe it'll let me import a .der cert.

I successfully imported both the .pem CA cert and the .p12 bundle. The
former ended up in User Certificates and the latter in Imported.

I was also able to get the builtin Android VPN to connect, but it
wouldn't pass traffic for some reason.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
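Added example, not part of this thread and not strongSwan's own tooling: a small standard-library Python parser for the ipsec.conf `conn` sections of the kind Tom posted above. It resolves `conn %default` inheritance and then checks the points the thread turns on: that the connection is IKEv2 with certificate (`pubkey`) authentication and a `leftcert`, that `leftid` is set and equals the identity the Android client is configured to expect (the Server Identity field, which must match the certificate's subjectAltName), and that the `rightsourceip` client pool does not overlap any `leftsubnet`. The embedded sample config is constructed: it mirrors the posted `ipv4` conn and adds a deliberately broken conn so the checks have something to find. Function names and the check list are mine; only the parameters used in the thread are covered.

```python
"""Parse strongSwan ipsec.conf conn sections and sanity-check a cert-based
IKEv2 gateway definition.  Standard library only; added example."""
import ipaddress
import re

SECTION_RE = re.compile(r'^(conn|ca|config)\s+(\S+)$')


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged in."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                  # new section header
            current = (m.group(1), m.group(2))
            sections[current] = {}
            continue
        if current is None or '=' not in line:
            continue                           # stray line outside a section
        key, _, value = line.partition('=')
        sections[current][key.strip()] = value.strip()
    defaults = sections.get(('conn', '%default'), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == 'conn' and name != '%default':
            merged = dict(defaults)            # explicit values win over %default
            merged.update(params)
            conns[name] = merged
    return conns


def check_conn(conn, expected_server_id=None):
    """Return a list of problems found in one resolved conn section."""
    problems = []
    if conn.get('keyexchange') != 'ikev2':
        problems.append('keyexchange is not ikev2')
    if conn.get('authby') != 'pubkey':
        problems.append('authby is not pubkey (certificate auth expected)')
    if not conn.get('leftcert'):
        problems.append('leftcert missing')
    leftid = conn.get('leftid')
    if not leftid:
        problems.append('leftid missing; client cannot match the server identity')
    elif expected_server_id and leftid != expected_server_id:
        problems.append(f'leftid {leftid!r} != client Server Identity '
                        f'{expected_server_id!r}')
    subnets = []
    for cidr in filter(None, conn.get('leftsubnet', '').split(',')):
        try:
            subnets.append(ipaddress.ip_network(cidr.strip(), strict=False))
        except ValueError:
            problems.append(f'bad leftsubnet entry {cidr!r}')
    pool = conn.get('rightsourceip')
    # %dhcp / %radius pools and a-b ranges are not CIDR; skip the overlap test
    if pool and not pool.startswith('%') and '-' not in pool:
        try:
            pool_net = ipaddress.ip_network(pool, strict=False)
        except ValueError:
            problems.append(f'bad rightsourceip {pool!r}')
        else:
            for net in subnets:
                if pool_net.overlaps(net):
                    problems.append(f'rightsourceip {pool} overlaps leftsubnet {net}')
    return problems


def audit(text, expected_server_id=None):
    """Map every non-default conn in `text` to its list of problems."""
    return {name: check_conn(c, expected_server_id)
            for name, c in parse_ipsec_conf(text).items()}


# Constructed sample: the posted 'ipv4' conn plus a deliberately broken one.
SAMPLE_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    authby=pubkey

conn ipv4
    left=70.90.191.121
    leftid=gateway.shorewall.net
    leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31
    leftcert=gatewayCert.der
    right=%any
    rightsourceip=172.20.3.0/24
    rightdns=172.20.1.253
    auto=add

# constructed: no leftid, and the client pool sits inside a protected subnet
conn broken
    left=70.90.191.121
    leftsubnet=172.20.1.0/24
    leftcert=gatewayCert.der
    right=%any
    rightsourceip=172.20.1.0/24
    auto=add
"""

if __name__ == '__main__':
    for name, probs in audit(SAMPLE_CONF, 'gateway.shorewall.net').items():
        print(name, 'OK' if not probs else probs)
```

Run it with the identity you typed into the Android Server Identity field as the second argument; a mismatch there, or a `leftid` left unset, is reported per conn. The overlap check is a plain sanity test, not a diagnosis of the "connects but passes no traffic" symptom Tom mentions; it only flags a pool that would hand clients addresses inside a network they are also being routed to.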
