« Back
in strongswan ipsec CA [Certificate Authority] read.

Strongswan certificate creation and configuration with POC work.

These lines make certificate creation and configuration work for strongswan with 5.2.1 version
Currently Mahmut.p12 is a PKCS12 container format for general distribution of user Mahmut's secure connection initiator. Following file can be renamed to creator.sh and should be run in /etc/ipsec.d it will do all the work that needed to make ipsec work for just one specific user at that time. creator.sh should be in the same directory with cleaner.sh which is given below. Feel free to contribute or even change these snippets.

Creator script does the following:

  • IMPORTANT: Before running scripts make sure that you have configured the Charon daemon, strongswan and ipsec configuration. Networks[both left and right] should have been defined and checked for proper masking bits/CIDR.
  • Starts with deleting existing keypairs and containers [Cleaner script's work]
  • creates key for strongswan itself and creates CA (certificate authority) - normal PKI based cert distribution
  • Be careful about the CN section this field is normally for domain name attribute but if you don't have DNS server in the right hand side network[which is the front of the VPN] just pass IP here.
  • After all those work Host certification for VPN gateway[the initiator] complete.
  • Create and sign a certificate for a client named Mahmut. Ice cold!
  • Copy that to Downloads directory [I was trying those connection between NATted two workstations, because of that I was copying this container file to my client machine, bad testing method i know :/]
  • restart daemon; ipsec rereadsecrets also does the same thing but i prefer full restart daemon and conns.


txtylw='\e[0;33m' # Yellow  
txtrst='\e[0m'    # Text Reset  
HANSOLO="==================================================" # some line sep for you

echo -e "$txtylw Cleaning previous configuration... $txtrst"  

echo -e "$txtylw Starting... $txtrst"

ipsec pki --gen --type rsa --size 4096 \  
    --outform pem \
    > private/strongswanKey.pem

chmod 600 private/strongswanKey.pem

ipsec pki --self --ca --lifetime 3650 \  
    --in private/strongswanKey.pem --type rsa \
    --dn "C=TR, O=Vertexclique, CN=Vertexclique Root CA" \
    --outform pem \
    > cacerts/strongswanCert.pem

ipsec pki --print --in cacerts/strongswanCert.pem

echo $HANSOLO  

ipsec pki --gen --type rsa --size 2048 \  
    --outform pem \
    > private/vpnHostKey.pem

chmod 600 private/vpnHostKey.pem

ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \  
    ipsec pki --issue --lifetime 730 \
    --cacert cacerts/strongswanCert.pem \
    --cakey private/strongswanKey.pem \
    --dn "C=TR, O=Vertexclique, CN=" \
    --san \
    --flag serverAuth --flag ikeIntermediate \
    --outform pem > certs/vpnHostCert.pem

ipsec pki --print --in certs/vpnHostCert.pem

echo $HANSOLO  

ipsec pki --gen --type rsa --size 2048 \  
    --outform pem \
    > private/MahmutKey.pem

chmod 600 private/MahmutKey.pem

ipsec pki --pub --in private/MahmutKey.pem --type rsa | \  
    ipsec pki --issue --lifetime 730 \
    --cacert cacerts/strongswanCert.pem \
    --cakey private/strongswanKey.pem \
    --dn "C=TR, O=Vertexclique, CN=vertexclique@gmail.com" \
    --san vertexclique@gmail.com \
    --outform pem > certs/MahmutCert.pem

echo -e "$txtylw Private key created. $txtrst"

cd /etc/ipsec.d/

openssl pkcs12 -export -inkey private/MahmutKey.pem \  
    -in certs/MahmutCert.pem -name "Mahmut's VPN Certificate" \
    -certfile cacerts/strongswanCert.pem \
    -caname "Vertexclique Root CA" \
    -out Mahmut.p12

echo -e "$txtylw Certificate exported as PKCS12 $txtrst"

cp Mahmut.p12 /home/user/Downloads

echo -e "$txtylw Certificate copied to Downloads folder $txtrst"

ipsec restart

echo -e "$txtylw"  
echo $HANSOLO  

echo -e "IPSec restarting... $txtrst"

Cleaner does the cleaning of CA, certs, keys and container.


rm private/*  
rm cacerts/*  
rm certs/*  
rm Mahmut.p12

See: https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/

comments powered by Disqus