Saturday, September 16, 2017

strongSwan with PureVPN (IKEv2/IPsec)

For those who prefer IPsec over OpenVPN, here's a quick guide to setting up strongSwan with PureVPN.

Note: PureVPN only has 3DES enabled for its IPsec tunnels, so we mitigate Sweet32 (the birthday attack on 64-bit block ciphers) by rekeying before every 32GB of traffic.

Installing strongSwan

sudo apt-get -y install strongswan strongswan-plugin-eap-mschapv2

Installing Certificates

curl "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/970/821027" | openssl x509 | sudo tee /etc/ipsec.d/cacerts/comodo-rsa-domain-validation-secure-server-ca.pem | openssl x509 -text
curl "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/969/821026" | openssl x509 | sudo tee /etc/ipsec.d/cacerts/comodo-rsa-certification-authority.pem | openssl x509 -text

/etc/ipsec.secrets

# ADD USERNAME AND PASSWORD ON LINE BELOW
purevpn0sXXXXXXX : EAP "PUT_YOUR_PASSWORD_HERE"

# https://wiki.strongswan.org/projects/strongswan/wiki/EapSecret

/etc/ipsec.conf

config setup
    uniqueids=yes
    charondebug="ike 2, knl 1, cfg 1, net 1, esp 1, dmn 1, mgr 1"

conn %default
    fragmentation=yes
    rekey=yes
    keyingtries=%forever
    keyexchange=ikev2
    compress=no
    dpddelay=30s
    dpdtimeout=90s
    dpdaction=restart
    closeaction=restart
    # leftfirewall=yes

conn purevpn
    # ADD USERNAME ON LINE BELOW
    eap_identity=purevpn0sXXXXXXX

    # ADD SERVER ON LINE BELOW
    right=cato.pointtoserver.com
    # https://support.purevpn.com/vpn-servers

    # ADD RANDOM UNIQUE USERNAME ID ON LINE BELOW
    leftid=@tXzjX7rLpXjT

    left=%any
    leftsourceip=%config4
    leftsubnet=%dynamic
    leftauth=eap-mschapv2
    leftsendcert=never

    rightid="OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com"
    rightauth=pubkey
    rightsendcert=never
    rightsubnet=0.0.0.0/0

    # Ciphers for Windows Server 2008
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    # Source: https://technet.microsoft.com/en-us/library/dd125380(v=ws.10).aspx

    # Do not send more than 32GB without rekeying due to SWEET32.
    lifebytes=32000000000
    # Sources:
    # https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/Information-on-Sweet32-for-Palo-Alto-Networks-Customers/ta-p/128526
    # https://sweet32.info/

    # 8GB (must stay well below lifebytes: strongSwan rekeys at lifebytes - marginbytes)
    marginbytes=8000000000
    # This should be raised for >10Gbps connections

    # 2^32
    lifepackets=4294967296
    # Note: This situation shouldn't be possible if lifebytes is correctly set.

    # 2^28
    marginpackets=268435456
    # This should be raised for >10Gbps connections

    # Don't waste bandwidth rekeying when it's not needed
    lifetime=0
    ikelifetime=0
    reauth=no

    # We cannot use auto=route with leftsourceip.
    auto=start
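As an added example (not part of the original post and not strongSwan's own code), here is a small Python checker that parses a conn section in ipsec.conf format and verifies that the 3DES rekey limits above stay under the Sweet32 threshold of 2^32 blocks (32 GiB for a 64-bit block cipher), taking strongSwan's rekeyfuzz margin randomisation into account. It checks a single conn as written and does not merge conn %default; SAMPLE is a constructed excerpt using the post's values.

```python
# Sweet32: a 64-bit block cipher (3DES, Blowfish, CAST) must not encrypt more
# than 2^32 blocks under one key; 2^32 blocks * 8 bytes = 32 GiB.
BLOCK_LIMIT = 2 ** 32
BYTE_LIMIT = BLOCK_LIMIT * 8                     # 34359738368 bytes
SMALL_BLOCK_CIPHERS = ("3des", "blowfish", "cast128")

def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {section: {key: value}}: section headers
    start in column 0, parameters are indented, '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                # unindented: new section
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def check_sweet32(conn):
    """Return rekey-limit problems for one conn dict (empty list if fine)."""
    if not any(c in conn.get("esp", "").lower() for c in SMALL_BLOCK_CIPHERS):
        return []                    # 128-bit block cipher: Sweet32 not relevant
    # strongSwan rekeys at life - margin, and margin may be randomly increased
    # by up to rekeyfuzz percent (default 100%), so the fuzzed margin must fit.
    fuzz = 1 + int(conn.get("rekeyfuzz", "100%").rstrip("%")) / 100
    problems = []
    for unit, limit in (("bytes", BYTE_LIMIT), ("packets", BLOCK_LIMIT)):
        life = int(conn.get("life" + unit, 0))   # 0 means "no limit"
        margin = int(conn.get("margin" + unit, 0))
        if life == 0 or life > limit:
            problems.append(f"life{unit}={life} is unset or above {limit}")
        elif margin * fuzz >= life:
            problems.append(f"margin{unit}={margin} too large for life{unit}={life}")
    return problems

# Constructed sample mirroring the ESP cipher and rekey limits used in the post.
SAMPLE = """\
conn purevpn
    esp=3des-sha1!
    lifebytes=32000000000
    marginbytes=8000000000
    lifepackets=4294967296
    marginpackets=268435456
"""
```

Running `check_sweet32(parse_ipsec_conf(SAMPLE)["conn purevpn"])` returns an empty list for these values; a margin of 80GB, or a missing lifebytes, is reported.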


1 comment:

  1. David, I used your configuration above to get PureVPN running on a Linux box (Ubuntu). What I can't seem to get right are the iptables to allow it to be used as a gateway router for the rest of my home network. Do you have a working example of iptables used in this way with this IPsec VPN client connection?
