mdpuma · February 1, 2020 18:31
diff --git a/androidv2 conn b/androidv2 conn
 conn %default
        keyexchange=ikev2
        type=tunnel
        auto=add
 #       ike=aes256-sha1-modp1024!
 #       esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        fragmentation=yes
        left=%any
        leftsubnet=0.0.0.0/0
        right=%any
        rightdns=192.168.5.205 # push DNS server to roadwarrior
        rightsourceip=10.9.0.0/24
 	ike = aes256-sha1-modp1024

 conn androidv1
 	authby=xauthpsk
 	xauth = server
 	keyexchange=ikev1

 conn androidv2
        leftauth=pubkey
        leftcert=/etc/ipsec.d/issued/46.102.154.5.crt
        leftid=46.102.154.5
        rightauth=pubkey
        rightauth2=eap-mschapv2

        eap_identity=%any

 conn win7
        leftauth=pubkey # authenticate gateway to roadwarrior by public key
        leftcert=/etc/ipsec.d/issued/46.102.154.5.crt # pubkey
        leftid=46.102.154.5 # pubkey id
        rightauth=eap-mschapv2 # how roadwarrior do authentication at gateway

        eap_identity=%any # allow any EAP identity
        rekey=no # do not do rekey
 	ike = aes256-sha1-modp1024
diff --git a/check_modules.sh b/check_modules.sh
 #!/bin/sh

 if [ -f "/boot/config-`uname -r`" ]; then
      grep '\<CONFIG_XFRM_USER\>' /boot/config-`uname -r`
      grep '\<CONFIG_NET_KEY\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET\>' /boot/config-`uname -r`
      grep '\<CONFIG_IP_ADVANCED_ROUTER\>' /boot/config-`uname -r`
      grep '\<CONFIG_IP_MULTIPLE_TABLES\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET_AH\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET_ESP\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET_IPCOMP\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET_XFRM_MODE_TUNNEL\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET_XFRM_MODE_BEET\>' /boot/config-`uname -r`
      grep '\<CONFIG_IPV6\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET6_AH\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET6_ESP\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET6_IPCOMP\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET6_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET6_XFRM_MODE_TUNNEL\>' /boot/config-`uname -r`
      grep '\<CONFIG_INET6_XFRM_MODE_BEET\>' /boot/config-`uname -r`
      grep '\<CONFIG_IPV6_MULTIPLE_TABLES\>' /boot/config-`uname -r`
      grep '\<CONFIG_NETFILTER\>' /boot/config-`uname -r`
      grep '\<CONFIG_NETFILTER_XTABLES\>' /boot/config-`uname -r`
      grep '\<CONFIG_NETFILTER_XT_MATCH_POLICY\>' /boot/config-`uname -r`
 fi

 if [ -f "/proc/config.gz" ]; then
      zgrep '\<CONFIG_XFRM_USER\>' /proc/config.gz
      zgrep '\<CONFIG_NET_KEY\>' /proc/config.gz
      zgrep '\<CONFIG_INET\>' /proc/config.gz
      zgrep '\<CONFIG_IP_ADVANCED_ROUTER\>' /proc/config.gz
      zgrep '\<CONFIG_IP_MULTIPLE_TABLES\>' /proc/config.gz
      zgrep '\<CONFIG_INET_AH\>' /proc/config.gz
      zgrep '\<CONFIG_INET_ESP\>' /proc/config.gz
      zgrep '\<CONFIG_INET_IPCOMP\>' /proc/config.gz
      zgrep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /proc/config.gz
      zgrep '\<CONFIG_INET_XFRM_MODE_TUNNEL\>' /proc/config.gz
      zgrep '\<CONFIG_INET_XFRM_MODE_BEET\>' /proc/config.gz
      zgrep '\<CONFIG_IPV6\>' /proc/config.gz
      zgrep '\<CONFIG_INET6_AH\>' /proc/config.gz
      zgrep '\<CONFIG_INET6_ESP\>' /proc/config.gz
      zgrep '\<CONFIG_INET6_IPCOMP\>' /proc/config.gz
      zgrep '\<CONFIG_INET6_XFRM_MODE_TRANSPORT\>' /proc/config.gz
      zgrep '\<CONFIG_INET6_XFRM_MODE_TUNNEL\>' /proc/config.gz
      zgrep '\<CONFIG_INET6_XFRM_MODE_BEET\>' /proc/config.gz
      zgrep '\<CONFIG_IPV6_MULTIPLE_TABLES\>' /proc/config.gz
      zgrep '\<CONFIG_NETFILTER\>' /proc/config.gz
      zgrep '\<CONFIG_NETFILTER_XTABLES\>' /proc/config.gz
      zgrep '\<CONFIG_NETFILTER_XT_MATCH_POLICY\>' /proc/config.gz
 fi
diff --git a/gen server key b/gen server key
 #!/bin/bash

 NAME=46.102.154.5
 CA=/etc/ipsec.d/ca.crt
 CAKEY=/etc/ipsec.d/private/ca.key
 CRL=/etc/ipsec.d/crls/crl.pem

 # begin generate & sign ca
 ipsec pki --gen --outform pem > $CAKEY
 ipsec pki --self --in $CAKEY --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca --outform pem > $CA
 ipsec pki --signcrl --cacert $CA --cakey $CAKEY --outform pem > $CRL
 # end generate & sign ca

 # begin generate server key
 ipsec pki --gen --outform pem > /etc/ipsec.d/private/$NAME.key
 ipsec pki --pub --in /etc/ipsec.d/private/$NAME.key | ipsec pki --issue --cacert $CA --cakey $CAKEY --dn "C=MD, O=strongSwan, CN=$NAME" --san $NAME --flag serverAuth --outform pem > /etc/ipsec.d/issued/$NAME.crt
 # end generate server key

 # begin generate client key
 NAME=client1
 CERT=/etc/ipsec.d/issued/$NAME.crt
 PRIVATE=/etc/ipsec.d/private/$NAME.key
 CA=/etc/ipsec.d/ca.crt
 CAKEY=/etc/ipsec.d/private/ca.key
 P12=/etc/ipsec.d/$NAME.p12

 ipsec pki --gen --outform pem > $PRIVATE
 ipsec pki --pub --in $PRIVATE | ipsec pki --issue --cacert $CA --cakey $CAKEY --dn "C=MD, O=strongSwan, CN=$NAME" --outform pem > $CERT
 # end generate client key

 # export p12 with client cert,key and ca key
 openssl pkcs12 -export -inkey $PRIVATE -in $CERT -name "$NAME" -certfile $CA -caname "strongSwan Root CA" -out $P12
diff --git a/generate_user.sh b/generate_user.sh
 #!/bin/bash

 source config.sh

 if [ -z $1 ] || [ -z $2 ]; then
 	echo "usage $0 username password"
 	exit 1
 fi

 NAME=$1
 CERT=/etc/ipsec.d/issued/$NAME.crt
 PRIVATE=/etc/ipsec.d/private/$NAME.key
 CA=/etc/ipsec.d/ca.crt
 CAKEY=/etc/ipsec.d/private/ca.key
 P12=/etc/ipsec.d/$NAME.p12

 ipsec pki --gen --outform pem > $PRIVATE
 ipsec pki --pub --in $PRIVATE | ipsec pki --issue --cacert $CA --cakey $CAKEY --dn "C=MD, O=strongSwan, CN=$NAME" --outform pem > $CERT


 echo "Insert:"
 echo
 echo $1 : EAP \"$2\"
 echo $1 : XAUTH \"$2\"
 echo 
 echo "in to /etc/ipsec.secrets"
diff --git a/ipsec.secrets b/ipsec.secrets
 # This file holds shared secrets or RSA private keys for authentication.

 # RSA private key for this host, authenticating it to any other host
 # which knows the public part.

 : RSA /etc/ipsec.d/private/185.181.228.161.key
 : PSK 7ab91da3cffab70dd25191e7a81edc3c

 test : EAP "test"
 test : XAUTH "test"
diff --git a/linux client act as windows7 b/linux client act as windows7
 conn icinga
  left=local
  leftsourceip=%config
  leftauth=eap
  leftfirewall=yes
  right=46.102.154.5
  rightauth=pubkey
  rightsubnet=0.0.0.0/0
  eap_identity=puma
  auto=add
  fragmentation=yes
  
  
 Also, you need to have present EAP password for selected eap_identity and ca.crt from server, located in /etc/ipsec.d/cacerts
diff --git a/rc.local b/rc.local
 #!/bin/bash


 iptables -t nat -F
 iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -s 10.9.0.0/24  -j TCPMSS --set-mss 1360
 iptables -t nat -I POSTROUTING -s 10.9.0.0/24 --match policy --pol none --dir out -o ens18 -j MASQUERADE
 iptables -t nat -I POSTROUTING -s 10.9.0.0/24 --match policy --pol none --dir out -o ens19 -j MASQUERADE
 sysctl -w net.ipv4.ip_forward=1
 sysctl -w net.ipv4.ip_no_pmtu_disc=1
	conn %default
	keyexchange=ikev2
	type=tunnel
	auto=add
	# ike=aes256-sha1-modp1024!
	# esp=aes256-sha1!
	dpdaction=clear
	dpddelay=300s
	fragmentation=yes
	left=%any
	leftsubnet=0.0.0.0/0
	right=%any
	rightdns=192.168.5.205 # push DNS server to roadwarrior
	rightsourceip=10.9.0.0/24
	ike = aes256-sha1-modp1024

	conn androidv1
	authby=xauthpsk
	xauth = server
	keyexchange=ikev1

	conn androidv2
	leftauth=pubkey
	leftcert=/etc/ipsec.d/issued/46.102.154.5.crt
	leftid=46.102.154.5
	rightauth=pubkey
	rightauth2=eap-mschapv2

	eap_identity=%any

	conn win7
	leftauth=pubkey # authenticate gateway to roadwarrior by public key
	leftcert=/etc/ipsec.d/issued/46.102.154.5.crt # pubkey
	leftid=46.102.154.5 # pubkey id
	rightauth=eap-mschapv2 # how roadwarrior do authentication at gateway

	eap_identity=%any # allow any EAP identity
	rekey=no # do not do rekey
	ike = aes256-sha1-modp1024
	#!/bin/sh

	if [ -f "/boot/config-`uname -r`" ]; then
	grep '\<CONFIG_XFRM_USER\>' /boot/config-`uname -r`
	grep '\<CONFIG_NET_KEY\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET\>' /boot/config-`uname -r`
	grep '\<CONFIG_IP_ADVANCED_ROUTER\>' /boot/config-`uname -r`
	grep '\<CONFIG_IP_MULTIPLE_TABLES\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET_AH\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET_ESP\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET_IPCOMP\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET_XFRM_MODE_TUNNEL\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET_XFRM_MODE_BEET\>' /boot/config-`uname -r`
	grep '\<CONFIG_IPV6\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET6_AH\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET6_ESP\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET6_IPCOMP\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET6_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET6_XFRM_MODE_TUNNEL\>' /boot/config-`uname -r`
	grep '\<CONFIG_INET6_XFRM_MODE_BEET\>' /boot/config-`uname -r`
	grep '\<CONFIG_IPV6_MULTIPLE_TABLES\>' /boot/config-`uname -r`
	grep '\<CONFIG_NETFILTER\>' /boot/config-`uname -r`
	grep '\<CONFIG_NETFILTER_XTABLES\>' /boot/config-`uname -r`
	grep '\<CONFIG_NETFILTER_XT_MATCH_POLICY\>' /boot/config-`uname -r`
	fi

	if [ -f "/proc/config.gz" ]; then
	zgrep '\<CONFIG_XFRM_USER\>' /proc/config.gz
	zgrep '\<CONFIG_NET_KEY\>' /proc/config.gz
	zgrep '\<CONFIG_INET\>' /proc/config.gz
	zgrep '\<CONFIG_IP_ADVANCED_ROUTER\>' /proc/config.gz
	zgrep '\<CONFIG_IP_MULTIPLE_TABLES\>' /proc/config.gz
	zgrep '\<CONFIG_INET_AH\>' /proc/config.gz
	zgrep '\<CONFIG_INET_ESP\>' /proc/config.gz
	zgrep '\<CONFIG_INET_IPCOMP\>' /proc/config.gz
	zgrep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /proc/config.gz
	zgrep '\<CONFIG_INET_XFRM_MODE_TUNNEL\>' /proc/config.gz
	zgrep '\<CONFIG_INET_XFRM_MODE_BEET\>' /proc/config.gz
	zgrep '\<CONFIG_IPV6\>' /proc/config.gz
	zgrep '\<CONFIG_INET6_AH\>' /proc/config.gz
	zgrep '\<CONFIG_INET6_ESP\>' /proc/config.gz
	zgrep '\<CONFIG_INET6_IPCOMP\>' /proc/config.gz
	zgrep '\<CONFIG_INET6_XFRM_MODE_TRANSPORT\>' /proc/config.gz
	zgrep '\<CONFIG_INET6_XFRM_MODE_TUNNEL\>' /proc/config.gz
	zgrep '\<CONFIG_INET6_XFRM_MODE_BEET\>' /proc/config.gz
	zgrep '\<CONFIG_IPV6_MULTIPLE_TABLES\>' /proc/config.gz
	zgrep '\<CONFIG_NETFILTER\>' /proc/config.gz
	zgrep '\<CONFIG_NETFILTER_XTABLES\>' /proc/config.gz
	zgrep '\<CONFIG_NETFILTER_XT_MATCH_POLICY\>' /proc/config.gz
	fi
	#!/bin/bash

	NAME=46.102.154.5
	CA=/etc/ipsec.d/ca.crt
	CAKEY=/etc/ipsec.d/private/ca.key
	CRL=/etc/ipsec.d/crls/crl.pem

	# begin generate & sign ca
	ipsec pki --gen --outform pem > $CAKEY
	ipsec pki --self --in $CAKEY --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca --outform pem > $CA
	ipsec pki --signcrl --cacert $CA --cakey $CAKEY --outform pem > $CRL
	# end generate & sign ca

	# begin generate server key
	ipsec pki --gen --outform pem > /etc/ipsec.d/private/$NAME.key
	ipsec pki --pub --in /etc/ipsec.d/private/$NAME.key \| ipsec pki --issue --cacert $CA --cakey $CAKEY --dn "C=MD, O=strongSwan, CN=$NAME" --san $NAME --flag serverAuth --outform pem > /etc/ipsec.d/issued/$NAME.crt
	# end generate server key

	# begin generate client key
	NAME=client1
	CERT=/etc/ipsec.d/issued/$NAME.crt
	PRIVATE=/etc/ipsec.d/private/$NAME.key
	CA=/etc/ipsec.d/ca.crt
	CAKEY=/etc/ipsec.d/private/ca.key
	P12=/etc/ipsec.d/$NAME.p12

	ipsec pki --gen --outform pem > $PRIVATE
	ipsec pki --pub --in $PRIVATE \| ipsec pki --issue --cacert $CA --cakey $CAKEY --dn "C=MD, O=strongSwan, CN=$NAME" --outform pem > $CERT
	# end generate client key

	# export p12 with client cert,key and ca key
	openssl pkcs12 -export -inkey $PRIVATE -in $CERT -name "$NAME" -certfile $CA -caname "strongSwan Root CA" -out $P12
	#!/bin/bash

	source config.sh

	if [ -z $1 ] \|\| [ -z $2 ]; then
	echo "usage $0 username password"
	exit 1
	fi

	NAME=$1
	CERT=/etc/ipsec.d/issued/$NAME.crt
	PRIVATE=/etc/ipsec.d/private/$NAME.key
	CA=/etc/ipsec.d/ca.crt
	CAKEY=/etc/ipsec.d/private/ca.key
	P12=/etc/ipsec.d/$NAME.p12

	ipsec pki --gen --outform pem > $PRIVATE
	ipsec pki --pub --in $PRIVATE \| ipsec pki --issue --cacert $CA --cakey $CAKEY --dn "C=MD, O=strongSwan, CN=$NAME" --outform pem > $CERT


	echo "Insert:"
	echo
	echo $1 : EAP \"$2\"
	echo $1 : XAUTH \"$2\"
	echo
	echo "in to /etc/ipsec.secrets"
	# This file holds shared secrets or RSA private keys for authentication.

	# RSA private key for this host, authenticating it to any other host
	# which knows the public part.

	: RSA /etc/ipsec.d/private/185.181.228.161.key
	: PSK 7ab91da3cffab70dd25191e7a81edc3c

	test : EAP "test"
	test : XAUTH "test"
	conn icinga
	left=local
	leftsourceip=%config
	leftauth=eap
	leftfirewall=yes
	right=46.102.154.5
	rightauth=pubkey
	rightsubnet=0.0.0.0/0
	eap_identity=puma
	auto=add
	fragmentation=yes


	Also, you need to have present EAP password for selected eap_identity and ca.crt from server, located in /etc/ipsec.d/cacerts
	#!/bin/bash


	iptables -t nat -F
	iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -s 10.9.0.0/24 -j TCPMSS --set-mss 1360
	iptables -t nat -I POSTROUTING -s 10.9.0.0/24 --match policy --pol none --dir out -o ens18 -j MASQUERADE
	iptables -t nat -I POSTROUTING -s 10.9.0.0/24 --match policy --pol none --dir out -o ens19 -j MASQUERADE
	sysctl -w net.ipv4.ip_forward=1
	sysctl -w net.ipv4.ip_no_pmtu_disc=1