Running a StrongSwan IKEv2 VPN on a Raspberry Pi behind a NAT gateway to provide EAP MSCHAPv2 authentication for a Windows 8.1 client and a Windows Phone 8.1

© Thomas Irmscher, Nov. 2015

You are running a Raspberry Pi or something like this in your home network and you want to use it as a VPN gateway? I had the same idea, so I started to explore the options how a Pi in a NAT-ed home network can serve as a VPN gateway that is accessible from "outside", i.e. the internet. There are some alternatives like SoftEther VPN, but the most promising option for me was the open-source StrongSwan project.

Having spent a lot of time reading articles about the StrongSwan project and after many tries and failures I finally found a way to get the Pi working as a VPN gateway accessible from the internet. The main goal is to have the Pi serve as a VPN gateway endpoint so that remote devices like a Windows Phone 8.1 and a normal PC (Windows 8.1) can access the home network from the internet using the new IKEv2 protocol (because WP8.1 requires it). The gateway of the home network was in my case a normal FritzBox that simply forwards the VPN requests from the internet to the Pi (the VPN gateway with the internal IP address 192.168.178.100).

With this article I want to share my experience and knowledge to help you realise a similar scenario. First have a look at the network layout of the situation described above:

Overview of involved components and software:

Having had a look at the network layout and the involved components, we now start with the steps needed to achieve the goal. At first, the StrongSwan library is installed on the VPN gateway machine (the Pi) with the local IP address 192.168.178.100. After this we create the needed x509 certificates for authenticating the VPN gateway to the clients. The next step is the configuration of the StrongSwan ipsec service running on the Pi. Having done this we open the needed ports on the firewall and forward them to the Pi. By configuring the remote devices, WP8.1 and myPC, the project is complete.

 

I. Installing the StrongSwan library on the VPN gateway (Pi):

In my setting I used the StrongSwan IKEv2 daemon with version 5.3.3 which can be downloaded from this page.

The StrongSwan ipsec service comes with a whole bunch of options and plugins that can be enabled. Most of the plugins are disabled by default, so we have to make sure that we build in all relevant plugins. This is really important, because in this scenario we need every plugin that the EAP MSCHAPv2 authentication method for the Windows clients depends on.

Make sure that you build the StrongSwan IKEv2 daemon with those options:

./configure --enable-md4 --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc \
--enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-addrblock --enable-unity --enable-certexpire --enable-radattr \
--enable-tools --disable-gmp --enable-kernel-libipsec --prefix=/usr --sysconfdir=/etc

After running the configure script proceed with make && make install to finish the installation of StrongSwan on the Pi.

Make sure that nothing went wrong with the installation by checking it with:

$ ipsec version

You should see the correct installed version of your StrongSwan daemon.

For creating the x509 certificates in the next step we need the ipsec command of the library, which should be available under /usr/sbin/ipsec.

 

II. Creating x509 certificates for the CA and the VPN gateway

The VPN gateway (Pi) needs an x509 certificate in order to authenticate itself to myPC and WP8.1. So we first have to create a new Certification Authority (CA) certificate and then a certificate for the VPN gateway itself. If you already have a CA certificate in your infrastructure you can skip the following step.

First create a private key for the CA:

$ ipsec pki --gen --type rsa --size 4096 --outform pem > CAKey.pem
$ chmod 600 CAKey.pem

Copy the created Key to the directory /etc/ipsec.d/private. Now we generate a self-signed certificate for the new CA:

$ ipsec pki --self --ca --lifetime 3650 --in CAKey.pem --type rsa --dn "C=DE, O=Home Network, CN=Root CA" --outform pem > CACert.pem

The generated certificate CACert.pem has a validity of 10 years and is signed with the RSA key CAKey.pem. Make sure that you keep this key secret, otherwise unauthorised persons can sign their own certificates with your CA, and your clients would trust them. That would be a big security hole in your network. Move the CACert.pem to the location /etc/ipsec.d/cacerts/.

We now have our own CA ready to create and sign the essential x509 certificate for our VPN gateway (Pi). Like before, we create a private key for our VPN host certificate at first with this command:

$ ipsec pki --gen --type rsa --size 2048 --outform pem > VPNHostKey.pem
$ chmod 600 VPNHostKey.pem

Also move this key to the directory /etc/ipsec.d/private/. With this newly created private key together with the private key and the certificate of the CA we generate and sign the new x509 certificate for the VPN gateway:

$ ipsec pki --pub --in /etc/ipsec.d/private/VPNHostKey.pem --type rsa | ipsec pki --issue --lifetime 3650 --cacert /etc/ipsec.d/cacerts/CACert.pem \
--cakey /etc/ipsec.d/private/CAKey.pem --dn "C=DE, O=Home VPN, CN=gate.way.com" --san gate.way.com --flag serverAuth --flag ikeIntermediate --outform pem > VPNHostCert.pem

ATTENTION! Make sure that you use the correct FQDN by which the VPN gateway is accessible from the internet (in this case: gate.way.com). It should be the (dynamic) DNS name that points to the global IP address of your NAT router (FritzBox), i.e. the server address that the remote clients use. Compare the value with the network layout at the beginning of this article. Also make sure that the --san flag carries the same FQDN, because Windows checks the server name against the certificate's subject alternative name. Otherwise Windows will throw an authentication error on your remote clients.

Copy the VPNHostCert.pem to the directory /etc/ipsec.d/certs.

The needed certificates are now created.

 

III. Configuring the StrongSwan daemon

StrongSwan provides several options to carry out the authentication between a client and its VPN gateway. The following link provides possible configurations of StrongSwan. In our scenario we use EAP-MSCHAPv2 for the authentication between the clients and the VPN gateway.

Let's have a look at the relevant configuration files of StrongSwan:

We first start with the file /etc/ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

# global configuration settings for all connection instances
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

# connection instance for this special scenario
conn win
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=VPNHostCert.pem
    leftid=@gate.way.com
    leftfirewall=yes
    right=%any
    rightsourceip=10.0.0.0/16
    rightauth=eap-mschapv2
    rightsendcert=never
    rightdns=192.168.178.1
    eap_identity=%any
    auto=add

I won't go into detail and will not explain each line of the ipsec.conf. For more detailed information I refer to the documentation of the connection options on the StrongSwan website.

What you see in the ipsec.conf is a %default connection setting and a specific connection setting (win). Every option contained in the %default section affects all connection instances. In this scenario, the specific authentication options are made in the "win" section.

Let's have a look at the most important options of "win":

Now we state all the identities that are allowed to connect to the VPN gateway in /etc/ipsec.secrets:

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

# private key of the VPN gateway created in section II (looked up in /etc/ipsec.d/private/)
: RSA VPNHostKey.pem

# EAP identities of the remote clients; the WP8.1 identity is prefixed with the phone's name
alice : EAP "myPassword"
"Windows Phone\johndoe" : EAP "myPassword"

We see three entries in /etc/ipsec.secrets: the RSA private key of the VPN gateway, the EAP identity alice for myPC and the EAP identity johndoe for the Windows Phone, which is prefixed with the phone's name "Windows Phone\" and therefore has to be quoted.

The last configuration file /etc/strongswan.conf should be edited in this way:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
}

The "load" variable lists the plugins charon loads at start. It must contain the plugins that the EAP MSCHAPv2 authentication method depends on, among them md4, eap-mschapv2 and eap-identity (compare the configure options in section I).
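As an added example (not part of the original article) the following Python script parses the three files from sections II and III and flags the inconsistencies that cause the typical "it does not connect" situation: a plugin missing from the load line, a leftid that differs from the FQDN in the certificate's SAN, and a private key name in ipsec.secrets that differs from the one created in section II. The embedded file contents are constructed copies that deliberately carry those mistakes; the function names are my own.

```python
import re

# Constructed copies of the section III files (embedded here, not read from disk);
# the load line deliberately omits md4 and eap-mschapv2, the secrets name the wrong key file.
IPSEC_CONF = """conn %default
    keyexchange=ikev2
conn win
    leftid=@gate.way.com
    rightauth=eap-mschapv2
"""
STRONGSWAN_CONF = "charon {\n  load = aes sha1 pem pkcs1 x509 stroke kernel-netlink eap-identity updown\n}\n"
IPSEC_SECRETS = ': RSA VPNKey.pem\nalice : EAP "myPassword"\n"Windows Phone\\johndoe" : EAP "myPassword"\n'
EAP_MSCHAPV2_PLUGINS = {"md4", "eap-mschapv2", "eap-identity"}  # charon plugins EAP-MSCHAPv2 needs

def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with the %default section merged into every other conn."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return {n: {**conns.get("%default", {}), **o} for n, o in conns.items() if n != "%default"}

def parse_secrets(text):
    """Return (RSA key file, set of EAP identities); quoted identities may hold spaces and '\\'."""
    keyfile, users = None, set()
    for m in re.finditer(r'^\s*(?:"([^"]*)"|(\S*))\s*:\s*(RSA|EAP)\s+(\S+)', text, re.M):
        if m.group(3) == "RSA":
            keyfile = m.group(4)
        else:
            users.add(m.group(1) if m.group(1) is not None else m.group(2))
    return keyfile, users

def check_gateway(fqdn, keyfile, conf=IPSEC_CONF, swan=STRONGSWAN_CONF, secrets=IPSEC_SECRETS):
    """Return findings where the three files disagree with sections II/III; an empty list is good."""
    load = re.search(r"^\s*load\s*=\s*(.+)$", swan, re.M)
    plugins = set(load.group(1).split()) if load else set()
    findings, secret_key = [], parse_secrets(secrets)[0]
    if secret_key != keyfile:
        findings.append(f"ipsec.secrets names {secret_key}, but section II created {keyfile}")
    for name, c in parse_ipsec_conf(conf).items():
        if c.get("keyexchange") != "ikev2":
            findings.append(f"{name}: keyexchange must be ikev2 (WP8.1 requires IKEv2)")
        if c.get("leftid", "").lstrip("@") != fqdn:
            findings.append(f"{name}: leftid must match the certificate SAN {fqdn}")
        if c.get("rightauth") == "eap-mschapv2":
            findings += [f"{name}: plugin {p} is not on the load line" for p in sorted(EAP_MSCHAPV2_PLUGINS - plugins)]
    return findings
```

To run it against a real gateway, read the three files from /etc and pass their contents to check_gateway together with your FQDN and key file name.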

Having changed the config files of StrongSwan we need to start or restart the daemon with one of these commands:

$ ipsec start
$ ipsec restart

To see if the configurations are correctly loaded, you can view the status of the StrongSwan service with:

$ ipsec statusall

 

We've now finished the StrongSwan related part of the VPN gateway (Pi) configuration. What is still missing are the entries on the Pi that forward the traffic of the connected VPN clients to the FritzBox, so that they can reach the internet. This is needed because after establishing a connection with the VPN gateway the clients are assigned a virtual IP address from the VPN network 10.0.0.0/16, which the FritzBox does not know. To do so, we have to enable IP forwarding on the Pi and add some iptables rules.

Activate routing on the Pi temporarily (until the next reboot):

$ echo 1 > /proc/sys/net/ipv4/ip_forward

OR make it permanent (surviving a restart) by setting the following option in /etc/sysctl.conf:

net.ipv4.ip_forward=1

Now we add two iptables rules so that the Pi maps the traffic of the VPN network to its physical network adapter. The first rule exempts packets that are still going to be IPsec-encapsulated on their way out (the policy match on outgoing IPsec traffic) from NAT, the second masquerades all other traffic from 10.0.0.0/16 that leaves through eth0 with the Pi's own address:

$ iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
$ iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE

We are done with the Pi and proceed with the configuration of the home network's gateway, the FritzBox.

IV. Let the FritzBox forward the VPN traffic

Log in to the user interface (GUI) of your FritzBox, normally by typing http://192.168.178.1 in the address bar of your browser.

Navigate to Internet >> Permit Access >> Port Forwarding and make the entries according to the network layout.

Make sure that UDP traffic with the destination ports 500 (IKE) and 4500 (NAT traversal) is forwarded by the NAT router (FritzBox) to your Pi (192.168.178.100).

This is all that has to be done on the router.

 

V. Configuration of the clients (WP8.1 and myPC)

1. Windows 8.1 (myPC) settings

We start with the configuration of myPC, where we will install the certificates (CA and VPN-Gateway) and add a new VPN connection to the network profile.

The most convenient way to get the certificates from the Pi to myPC or WP8.1 is by email or by web access. You don't have to worry about the confidentiality of the certificates, because the clients only need the public parts; the private keys stay on the Pi.

We need these two certificates on myPC/WP8.1: CACert.pem (the CA) and VPNHostCert.pem (the VPN gateway).

Having stored both x509 certificates for the CA and the VPN gateway on myPC/WP8.1, start a new Microsoft Management Console (Start >> run: mmc). Add the Certificates snap-in and import both certificates into your Computer account. Make sure that the certificate of the CA is stored in the store of the other trusted root CA certificates. Here is a nice documentation for storing the certificates. After this, a reboot of Windows makes sure that all changes are activated.

To add a new VPN connection on myPC proceed as presented in this documentation. But be sure that during the last step you choose the authentication method as proposed in the following screenshot. This activates EAP MSCHAPv2:

After you have made all settings, you should be able to establish a VPN connection to your VPN gateway by using one of the identities you defined in /etc/ipsec.secrets, e.g. alice.

2. Windows Phone 8.1

Like on myPC you also have to install the certificates of the CA and the VPN host on your WP, e.g. via email. There is an app called "Certificates" that can be used for viewing the installed certificates on your WP. Unfortunately listing the certificates and their details is the only capability of this app. Hopefully some more emphasis will be put on this app in the future.

After this, go to the settings page of your WP and add a new VPN profile.

Type your connection data into the fields, like the FQDN of the VPN gateway, which should point to the global IP address of your home network / router. Also choose IKEv2 as the VPN type and select "username + password" as the authentication method. As username and password you have to use the identities stated in /etc/ipsec.secrets. Be aware that a user connecting via WP is authenticated with an identity prefixed by the phone's name, e.g. "Windows Phone\johndoe". See the example configuration in section III of this article.

Save your configuration and try to connect to your VPN gateway. Good luck!

 

VI. Troubleshooting, Questions and Feedback

During my tests and tries with StrongSwan I ran into many situations where I faced problems without having a clue where to look for the cause. On the one side there is a quite good documentation and mailing list about the StrongSwan software, which also contains many example configurations of VPN scenarios. Take your time and read through the examples. They can give you a better idea of how to realise your intentions.

On the other side not all problems can be solved by reading the StrongSwan wiki or asking Google; in many cases the log files of your Pi play a very big role. The main starting point should be the logs stored in /var/log/syslog, where StrongSwan also writes the exchanges and the information handed over while establishing a VPN connection. If you read the lines carefully you will get a good hint of what went wrong.

If you have questions or feedback on this article for me or you need some help with realising a similar scenario, don't hesitate to contact me.

Contact Details

XING: https://www.xing.com/profile/Thomas_Irmscher2
Mail: irmscher (dot) thomas (at) gmail (dot) com
My PGP Public-Key:
