Domain alexandersfeld.de






The certificates must be suitable for use in a VPN (in particular, the private key must not be passphrase-protected).
You have to distribute the certificates to both the phone and the racoon gateway.

You must have:

	CA-Of-TunnelCerts.pem   --> The CA certificate. If there are sub-CAs, they
	                            must be imported as well. Import on both sides.

	Android-Client-Cert.crt --> The client's public certificate. Must be
	                            imported on the racoon gateway.
	Android-Client-Cert.pfx --> Contains Android-Client-Cert.crt and
	                            Android-Client-Cert.key; must be imported on
	                            the Android client.

	Racoon-Gateway-Cert.crt --> The gateway's public certificate. Must be
	                            imported on the racoon gateway.
	Racoon-Gateway-Cert.key --> The gateway's private key. Must be imported
	                            on the racoon gateway.

Android will only import the certificates if they are given as a .pfx (PKCS#12) file.
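The following script is an added example (not part of the original page) of preparing a certificate set like the one listed above with openssl: it creates a throw-away CA, signs a gateway and a client certificate, packs the client pair into a .pfx for the phone, and then checks the two properties the list above relies on, a private key without passphrase and a chain that verifies against the CA. The file names, subjects and the export password are constructed for the demo.

```shell
#!/bin/bash
# Added example, not from the original page. Builds a throw-away CA, a gateway
# certificate and an Android client certificate with openssl, packs the client
# pair into a .pfx, and checks the two properties the certificate list above
# relies on: a private key without passphrase and a chain that verifies
# against the CA. All file names, subjects and the export password are
# constructed for this demo.
set -eu

# Export password for the .pfx. The phone asks for it once at import time; the
# PEM keys themselves are written without a passphrase (-nodes), which is what
# racoon needs for myserver.key.
PFX_PASS="${PFX_PASS:-changeit}"

make_tunnel_certs() {
    local dir="$1" days="${2:-825}" name
    mkdir -p "$dir"
    # Self-signed CA (the default openssl.cnf marks "req -x509" output as a CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Demo Tunnel CA" 2>/dev/null
    # Gateway and client: CSR with an unencrypted key, then signed by the CA.
    for name in gateway client; do
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/CN=demo-$name" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days "$days" -out "$dir/$name.crt" 2>/dev/null
    done
    # Android only imports PKCS#12: bundle client cert, client key and the CA.
    # With OpenSSL 3, add -legacy if an older phone rejects the file.
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.pem" -name "android-client" \
        -passout "pass:$PFX_PASS" -out "$dir/client.pfx"
}

# 0 if the PEM private key carries no passphrase (racoon cannot prompt for one).
key_is_unencrypted() {
    if grep -q 'ENCRYPTED' "$1"; then return 1; fi
    openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# 0 if every given certificate chains to the CA file in $1.
chain_verifies() {
    local ca="$1"; shift
    openssl verify -CAfile "$ca" "$@" >/dev/null
}

# Subject of the client certificate inside the .pfx: proves the bundle opens
# with the export password and actually contains the certificate.
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

demo() {
    local out
    out="$(mktemp -d)"
    make_tunnel_certs "$out"
    if key_is_unencrypted "$out/gateway.key"; then echo "gateway.key: no passphrase (ok for racoon)"; fi
    if chain_verifies "$out/ca.pem" "$out/gateway.crt" "$out/client.crt"; then echo "chain: ok"; fi
    echo "client.pfx carries: $(pfx_subject "$out/client.pfx" "$PFX_PASS")"
    echo "files written to $out"
}
demo
```

Run as-is to get a demo set in a temporary directory. For a real deployment, keep the gateway's .key exactly as it comes out (no passphrase) on the racoon side, and copy only the .pfx to the phone; the checks at the end are the ones worth repeating whenever a certificate is renewed.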

Firewall rules must allow the network used in mode_cfg (network4).
All traffic will arrive through the interface on which the tunnel was established,
but neither an interface nor a route for it will be visible in ip route / ip addr.
Try "ip xfrm policy list" to see the SAs. There will be no SAs right after the tunnel starts;
traffic has to be sent from the phone before the SAs are established.
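As an added example (not from the original page), the script below turns the tutorial's mode_cfg pool (network4 10.10.8.32, netmask4 255.255.255.224) into a CIDR, checks that pool_size fits into it, and prints iptables rules that accept the pool's addresses only when the packets arrived inside an IPsec SA. The interface name eth0, the gateway address 203.0.113.1 and the use of iptables with the policy match are assumptions; the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/bash
# Added example, not from the original page. Turns the tutorial's mode_cfg pool
# (network4 / netmask4) into a CIDR, checks that pool_size fits into it, and
# emits iptables rules that accept the pool's addresses only when the packet
# arrived inside an IPsec SA. Interface name, gateway address and the use of
# iptables with the policy match are assumptions; rules are printed unless
# APPLY=1 is set.
set -eu

NETWORK4=10.10.8.32                     # from mode_cfg.racoon
NETMASK4=255.255.255.224                # from mode_cfg.racoon
POOL_SIZE=30                            # from mode_cfg.racoon
IFACE="${IFACE:-eth0}"                  # assumption: interface the phones reach
GATEWAY_IP="${GATEWAY_IP:-203.0.113.1}" # placeholder for "myipv4" in racoon.conf

netmask_to_prefix() {
    # "255.255.255.224" -> 27; rejects bad octets and non-contiguous masks
    local mask="$1" v=0 o p=0
    local IFS=.
    set -- $mask
    [ $# -eq 4 ] || { echo "expected four octets: $mask" >&2; return 1; }
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) echo "bad octet in $mask" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "bad octet in $mask" >&2; return 1; }
        v=$(( (v << 8) | 10#$o ))
    done
    # count leading one bits, then require every remaining bit to be zero
    while [ "$p" -lt 32 ] && [ $(( (v >> (31 - p)) & 1 )) -eq 1 ]; do p=$((p + 1)); done
    [ $(( v & ((1 << (32 - p)) - 1) )) -eq 0 ] || { echo "non-contiguous mask: $mask" >&2; return 1; }
    echo "$p"
}

pool_cidr() {
    local p
    p=$(netmask_to_prefix "$2") || return 1
    echo "$1/$p"
}

pool_capacity() {
    # usable client addresses: 2^(32-prefix) minus network and broadcast
    local p
    p=$(netmask_to_prefix "$1") || return 1
    echo $(( (1 << (32 - p)) - 2 ))
}

ipsec_fw_rules() {
    # $1 pool CIDR, $2 interface the tunnels terminate on, $3 gateway IP
    local pool="$1" ifc="$2" gw="$3"
    cat <<EOF
# IKE (500), NAT-T (4500) and plain ESP towards racoon's listen address
iptables -A INPUT -i $ifc -d $gw -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ifc -d $gw -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $ifc -d $gw -p esp -j ACCEPT
# Pool addresses are accepted only when the packet was decapsulated from an IPsec SA
iptables -A INPUT -i $ifc -s $pool -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -i $ifc -s $pool -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -o $ifc -d $pool -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# The same addresses arriving in the clear are spoofed
iptables -A INPUT -i $ifc -s $pool -j DROP
iptables -A FORWARD -i $ifc -s $pool -j DROP
EOF
}

main() {
    local pool cap
    pool=$(pool_cidr "$NETWORK4" "$NETMASK4")
    cap=$(pool_capacity "$NETMASK4")
    if [ "$POOL_SIZE" -gt "$cap" ]; then
        echo "warning: pool_size $POOL_SIZE exceeds the $cap usable addresses in $pool" >&2
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        ipsec_fw_rules "$pool" "$IFACE" "$GATEWAY_IP" | grep -v '^#' | sh -e
    else
        ipsec_fw_rules "$pool" "$IFACE" "$GATEWAY_IP"
    fi
    # afterwards, "ip xfrm policy list" and "ip xfrm state" stay empty until the phone sends traffic
}
main
```

The policy match is what makes the rules safe: without it, a `-s 10.10.8.32/27` accept rule on the public interface would also admit clear-text packets that merely claim a pool address. With pool_size 30 in a /27 (30 usable hosts) the capacity check passes; raising pool_size beyond the netmask is caught before any rule is written.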

Users must be members of a group (in this tutorial "IPSecVPN") that is named in auth_groups of
the mode_cfg section and in group of the sainfo section.
Users are authenticated against the system password database, so you have to add a system user for each of them.
/etc/racoon/psk.txt is not used by this type of connection.
I used

	useradd --gid IPSecVPN -M -N --shell /bin/false Username
	passwd Username
	addgroup Username IPSecVPN

to create users without a home directory or shell (change "Username" to your username).

On the Android phone:
First, put the certificates on the phone (Settings -> Security -> import certificates from SD card).
The phone needs the CA, the certificate and the key (see above). If asked for a name,
any name will do; it is only used in listings, so choose one you can associate with the tunnel.

After this, create a VPN profile. In the dialog "VPN-Profil bearbeiten" (edit VPN profile)
the fields mean:
Name          = choose one you like; it is only used in the list of profiles on the phone.
Typ           = "IPSec Xauth RSA" (other types are not covered here).
Serveradresse = address of the IPsec gateway.
		Must be an IP address if the tunnel should be "durchgehend aktiv" (always on).
		There must also be an IP address for DNS under "DNS-Server"; check "erweiterte
		Optionen einblenden" (show advanced options) to reach this option.
		You have to fill this in if you want an always-on tunnel, otherwise no
		name service will be usable.
Choose the certificates to use from the drop-down lists and make sure to pick the right ones. For
the gateway certificate you can either choose "vom Server erhalten" (received from server) or
install the gateway's .crt on the phone. Remember that only .pfx files can be imported.

If no routes are configured in the profile, default routing is used.

On "verbinden" (connect), enter the user of group "IPSecVPN" that you created on the gateway and
that user's password in "Kennwort" (password). Remember to check "save settings".


To do: try IPv6 with the Android phone; figure out how to get CRL checking working.

Dump of the config files used:

/etc/racoon/racoon.conf :

listen {
	isakmp myipv4 [500];
	isakmp_natt myipv4 [4500];
	strict_address;
	# adminsock disabled;
}
path script      "/etc/racoon/scripts/";
path certificate "/etc/racoon/certs";
include          "/etc/racoon/racoon.conf.d/mode_cfg.racoon";
include          "/etc/racoon/racoon.conf.d/remote.racoon";
include          "/etc/racoon/racoon.conf.d/sa.racoon";


/etc/racoon/certs/ :

lrwxrwxrwx 1 root root myca.crt -> /etc/ssl/certs/CA_of_Certs_used.ca.pem
lrwxrwxrwx 1 root root myserver.crt -> /etc/ssl/private/This_Gateway.crt
lrwxrwxrwx 1 root root myserver.key -> /etc/ssl/private/This_Gateway.key
-rw-r--r-- 1 root root Cert_of_Handy.crt


/etc/racoon/racoon.conf.d/mode_cfg.racoon :

# ISAKMP mode configuration settings
mode_cfg {
	group_source system;
	auth_groups "IPSecVPN";
	auth_source system;
	conf_source local;
	accounting system;
	banner "/etc/racoon/motd_empty";
	pfs_group 2;
	pool_size 30;
	network4 10.10.8.32;
	netmask4 255.255.255.224;
	dns4 10.10.254.230;
	default_domain "home.local";
}


/etc/racoon/racoon.conf.d/remote.racoon :

# IKE phase 1 parameters 
# suitable for Android 5.1.1 (IPSec Xauth RSA)
remote anonymous {
        # IPSec XAuth RSA -> Android 5.1.1 
        exchange_mode aggressive,main;
        nat_traversal on;
        passive on;
        # proposal_check obey;  (superseded: racoon keeps the last proposal_check, "strict" below)
        generate_policy unique;
        dpd_delay 20;
        my_identifier asn1dn;
        ike_frag on;
        mode_cfg on;
        certificate_type x509 "myserver.crt" "myserver.key";
        ca_type x509 "myca.crt";
        proposal_check strict;
        proposal {
                encryption_algorithm aes256;
                hash_algorithm sha1;
                authentication_method xauth_rsa_server;
                dh_group modp1024;
                lifetime time 28800 seconds;
        }
}
remote "AnDroid1" inherit "anonymous" {
	# You can put any name you like above; the section is chosen by peers_identifier.
	peers_certfile x509 "Cert_of_AnDroid1.crt";
	peers_identifier asn1dn "";
}

/etc/racoon/racoon.conf.d/sa.racoon :

sainfo anonymous group "IPSecVPN" {
#	Defines the parameters of the IKE phase 2 (IPsec-SA establishment).
	lifetime time 28800 seconds;
	encryption_algorithm aes256;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}


Debugging: Start racoon with a debug level. Do not expect higher levels of verbosity
           or debug to be more precise. It can be frustrating to search for errors
           shown in the debug log that are not relevant to your config. Racoon goes
           through many stages step by step, checking every part of the config for a
           match to the current step, and logs errors where it does not match.
           Nothing you do on either side of the tunnel will change this. You will
           only get a log without errors or warnings if your configuration matches
           exactly what racoon checks at its first step and its first configuration,
           and even then only if you have a single configuration.
           So focus on messages like
              "INFO: ISAKMP-SA established " which states that phase 1 was successful,
           or "INFO: IPsec-SA established:" which shows an established phase 2.

           Be careful with useless warnings and misleading debug phrases:
              "DEBUG2: Etype mismatch: got 2, expected 4."
           This means "the ID type processed is asn1dn, but racoon would rather have
           an IP address". Frustrating: neither the first (2) nor the second (4) value
           of the ID will ever be printed out, no matter how high your debug level is.
           You will look at every detail of your config and dig deeper with strace or
           similar, but nothing will make the message disappear, because it is not an
           error at all. It just says "my default assumption about your config differs
           from your config".
           There are also multiple warnings
              "WARNING: No ID match."
           which only reflect checks racoon runs on all configs to find which one to
           use. They do not belong to your actual tunnel config.

           Something I figured out:
           Although "inherit" works, it seems better to put everything from
           "anonymous" into the remote part and not use any anonymous section at all.
           The tunnel config is then chosen faster (according to the debug output)
           and established quicker.

           Something I haven't figured out yet:
           There is a message stating that racoon could not load the CRL of the cert.
           I am not sure how racoon checks for this, and there is no documentation of
           it either. I tried many different things I found in other documents on the
           web, but I did not get this message to disappear. So there seems to be no
           way yet to revoke a cert and thereby stop the tunnel that uses it from
           working. Maybe I will figure this out some time. If anyone knows, drop me a
           line to get this working.
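As an added example (not from the original page), this script applies the advice above to a log file: it counts the two "established" messages worth looking for, counts the two harmless messages worth ignoring, and prints whatever ERROR/WARNING lines remain. The sample log is constructed for the demo with documentation addresses and made-up SPIs; only the message texts quoted above come from the page.

```shell
#!/bin/bash
# Added example, not from the original page. Reduces a racoon log to what the
# text above says matters: it counts the two "established" messages to look
# for, counts the two harmless messages to ignore, and prints any remaining
# ERROR/WARNING lines. The sample log is constructed for this demo with
# documentation addresses and made-up SPIs; only the message texts quoted
# above come from the page.
set -eu

write_sample_log() {
    cat > "$1" <<'EOF'
Jan  5 10:12:01 gw racoon: INFO: respond new phase 1 negotiation: 203.0.113.1[4500]<=>198.51.100.7[4500]
Jan  5 10:12:01 gw racoon: DEBUG2: Etype mismatch: got 2, expected 4.
Jan  5 10:12:01 gw racoon: WARNING: No ID match.
Jan  5 10:12:01 gw racoon: WARNING: No ID match.
Jan  5 10:12:02 gw racoon: INFO: ISAKMP-SA established 203.0.113.1[4500]-198.51.100.7[4500] spi:0011223344556677:8899aabbccddeeff
Jan  5 10:12:03 gw racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.7[4500]->203.0.113.1[4500] spi=12345(0x3039)
Jan  5 10:20:44 gw racoon: ERROR: phase1 negotiation failed due to time up. 0011223344556677:8899aabbccddeeff
EOF
}

# Number of lines in log $2 containing fixed string $1 (prints 0 instead of grep's exit 1).
count_matches() {
    grep -c -F -- "$1" "$2" || true
}

racoon_log_summary() {
    # "phase1=N phase2=N etype_noise=N idmatch_noise=N" for log file $1
    printf 'phase1=%s phase2=%s etype_noise=%s idmatch_noise=%s\n' \
        "$(count_matches 'ISAKMP-SA established' "$1")" \
        "$(count_matches 'IPsec-SA established:' "$1")" \
        "$(count_matches 'Etype mismatch' "$1")" \
        "$(count_matches 'No ID match' "$1")"
}

racoon_relevant_errors() {
    # ERROR/WARNING lines minus the two harmless ones described above
    grep -E 'ERROR:|WARNING:' "$1" | grep -vE 'Etype mismatch|No ID match' || true
}

tunnel_established() {
    # 0 when both phases completed at least once in the log
    [ "$(count_matches 'ISAKMP-SA established' "$1")" -gt 0 ] &&
        [ "$(count_matches 'IPsec-SA established:' "$1")" -gt 0 ]
}

main() {
    local log
    log="$(mktemp)"
    write_sample_log "$log"
    racoon_log_summary "$log"
    echo "relevant errors/warnings:"
    racoon_relevant_errors "$log"
    if tunnel_established "$log"; then echo "tunnel: both phases established"; else echo "tunnel: not up"; fi
    rm -f "$log"
}
main
```

Point `racoon_log_summary` and `racoon_relevant_errors` at the real syslog output instead of the sample to get the same two-line picture of a live gateway; `tunnel_established` is the check to wire into a monitoring script, since the counters say whether the phases completed without wading through the DEBUG2 output.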