alexandersfeld.de (Alexandersfeld in Oldenburg i.O.)
The certificates must be suitable for use as VPN certificates (in particular, no password on the private key). You have to distribute the certificates to the phone and to the racoon gateway. You must have:

CA-Of-TunnelCerts.pem --> This is the CA. If there are sub-CAs they must be imported as well. Import on both sides.
Android-Client-Cert.crt --> The client's public certificate. This must be imported on the racoon gateway.
Android-Client-Cert.pfx --> Contains Android-Client-Cert.crt and Android-Client-Cert.key; must be imported on the Android client.
Racoon-Gateway-Cert.crt --> The gateway's public certificate. This must be imported on the racoon gateway.
Racoon-Gateway-Cert.key --> The gateway's private key. This must be imported on the racoon gateway.

Android will only import the certificates if they are given as .pfx (PKCS#12).

Firewall action must be taken to allow the network used in mode_cfg (network4). All traffic will come in through the interface on which the tunnel was established, but there will be no interface and no route visible in ip route / ip addr. Try "ip xfrm policy list" to see the SAs. There will be no SAs at tunnel start; you have to send traffic from the phone to establish the SAs.

Users must be part of a group (in this tutorial "IPSecVPN") named in auth_groups in mode_cfg and in group in sainfo. Users are identified through the system passwd, so you have to add a user for this. /etc/racoon/psk.txt is not used by this type of connection. I used

useradd --gid IPSecVPN -M -N --shell /bin/false Username; passwd Username; addgroup Username IPSecVPN

to create users without home directory or shell (change "Username" to your username).

On the Android phone: First, put the certificates on the phone (use Settings -> Security -> import certificates from SD card). There must be CA, certificate and key for the phone to use (see above). If asked for a name, any name can be given; it is only needed for listings, so choose a name you can associate with the certificate. After this, create the VPN profile.
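The three requirements above (key without a passphrase, client certificate chaining to the CA that racoon is given, certificate and key belonging together) are easy to get wrong and racoon only reports them as a failed phase 1. The script below is an added example, not from the original page: it checks the client material with openssl before anything is copied to the gateway or the phone, and builds the .pfx that Android imports. File names are arguments; the function names and the export password are assumptions of this example, nothing is taken from the page's own certificate paths.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the
# certificate material described above, before it is handed to racoon
# and to the Android phone. All paths are arguments; function names are
# this example's own.
set -u

# 1. The private key must be unencrypted: racoon cannot prompt for a
#    passphrase. Opening it with an empty passphrase only succeeds on a
#    key that has none.
key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# 2. The client certificate must chain to the CA file racoon is given as
#    ca_type x509 (sub-CAs concatenated into that same file).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 3. Certificate and key must belong together: compare their public keys.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 4. Bundle cert + key + CA into the .pfx (PKCS#12) that Android imports.
#    Android asks for the export password during import, so set one.
make_pfx() {
    # $1 cert, $2 key, $3 CA file, $4 output .pfx, $5 export password
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5" >/dev/null 2>&1
}

# Run all checks; prints what failed and returns non-zero on any failure.
check_client_material() {
    ca=$1; cert=$2; key=$3; rc=0
    key_is_unencrypted "$key"       || { echo "FAIL: $key is passphrase protected"; rc=1; }
    cert_chains_to_ca "$ca" "$cert"  || { echo "FAIL: $cert does not chain to $ca"; rc=1; }
    cert_matches_key "$cert" "$key"  || { echo "FAIL: $cert and $key do not match"; rc=1; }
    return $rc
}

# Usage: sh vpncerts.sh CA.pem client.crt client.key client.pfx ExportPassword
if [ $# -eq 5 ]; then
    check_client_material "$1" "$2" "$3" && make_pfx "$2" "$3" "$1" "$4" "$5" \
        && echo "OK: wrote $4"
fi
```

Run it once per phone certificate; the same three checks apply to the gateway's myserver.crt / myserver.key pair against myca.crt, only without the .pfx step.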
In the dialog "VPN-Profil bearbeiten" (edit VPN) the fields mean:

Name = choose one you like; it is not used anywhere except in the listing of profiles on the phone.
Typ = "IPSec Xauth RSA" (other types are not covered here).
Serveradresse = address of the IPSec gateway. This must be an IP address if the tunnel should be "durchgehend aktiv" (always on). There must also be an IP address for DNS under "DNS-Server"; check "erweiterte Optionen einblenden" (show advanced options) to reach this field. You have to fill it in if you want an always-on tunnel, otherwise no name service will be usable.
Certificates: choose the certificates to use from the drop-down and make sure you pick the right ones. For the gateway certificate you can either choose "vom Server erhalten" (received from server) or install the .crt of the gateway on the phone. Remember that only .pfx can be imported.
If no routing is configured, the default route will be used.
On "verbinden" (connect) enter the user of group "IPSecVPN" you created on the gateway, and the password of this user under "Kennwort" (password). Remember to check "save settings".
TO_Do: Try IPv6 with the Android phone; figure out how to get CRL working.

Dump of config files used:

/etc/racoon/racoon.conf :

    listen {
        isakmp myipv4 [500];
        isakmp_natt myipv4 [4500];
        strict_address;
        # adminsock disabled;
    }
    path script "/etc/racoon/scripts/";
    path certificate "/etc/racoon/certs";
    include "/etc/racoon/racoon.conf.d/mode_cfg.racoon";
    include "/etc/racoon/racoon.conf.d/remote.racoon";
    include "/etc/racoon/racoon.conf.d/sa.racoon";

/etc/racoon/certs/ :

    lrwxrwxrwx 1 root root myca.crt -> /etc/ssl/certs/CA_of_Certs_used.ca.pem
    lrwxrwxrwx 1 root root myserver.crt -> /etc/ssl/private/This_Gateway.crt
    lrwxrwxrwx 1 root root myserver.key -> /etc/ssl/private/This_Gateway.key
    -rw-r--r-- 1 root root Cert_of_Handy.crt

/etc/racoon/racoon.conf.d/mode_cfg.racoon :

    # ISAKMP mode configuration settings
    mode_cfg {
        group_source system;
        auth_groups "IPSecVPN";
        auth_source system;
        conf_source local;
        accounting system;
        banner "/etc/racoon/motd_empty";
        pfs_group 2;
        pool_size 30;
        network4 10.10.8.32;
        netmask4 255.255.255.224;
        dns4 10.10.254.230;
        default_domain "home.local";
    }

/etc/racoon/racoon.conf.d/remote.racoon :

    # IKE phase 1 parameters
    # suitable for Android 5.1.1 (IPSec Xauth RSA)
    remote anonymous {
        # IPSec XAuth RSA -> Android 5.1.1
        exchange_mode aggressive,main;
        nat_traversal on;
        passive on;
        proposal_check obey;
        generate_policy unique;
        dpd_delay 20;
        my_identifier asn1dn;
        ike_frag on;
        mode_cfg on;
        certificate_type x509 "myserver.crt" "myserver.key";
        ca_type x509 "myca.crt";
        proposal_check strict;
        proposal {
            encryption_algorithm aes256;
            hash_algorithm sha1;
            authentication_method xauth_rsa_server;
            dh_group modp1024;
            lifetime time 28800 seconds;
        }
    }
    remote "AnDroid1" inherit "anonymous" {
        # you can put any name you like above; the peer is chosen by peers_identifier
        peers_certfile x509 "Cert_of_AnDroid1.crt";
        peers_identifier asn1dn "