Saturday, September 16, 2017

strongSwan with PureVPN (IKEv2/IPsec)

For those who prefer IPsec over OpenVPN, here's a quick guide to setting up strongSwan as an IKEv2 client for PureVPN.

Note: PureVPN only has 3DES enabled for its IPsec tunnels. 3DES is a 64-bit block cipher, so it is exposed to Sweet32, a birthday attack that becomes practical once roughly 2^32 blocks (32 GiB) have been encrypted under one key. We mitigate it by rekeying the CHILD_SA before 32 GB have been sent, rather than on a timer.

Installing strongSwan

sudo apt-get -y install strongswan strongswan-plugin-eap-mschapv2

Installing Certificates

curl "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/970/821027" | openssl x509 | sudo tee /etc/ipsec.d/cacerts/comodo-rsa-domain-validation-secure-server-ca.pem | openssl x509 -text
curl "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/969/821026" | openssl x509 | sudo tee /etc/ipsec.d/cacerts/comodo-rsa-certification-authority.pem | openssl x509 -text

The trailing openssl x509 -text prints each certificate as it is installed; check the Subject and Issuer before trusting them. The second certificate (COMODO RSA Certification Authority) should be the issuer of the first (the Domain Validation Secure Server CA), which in turn issues the PointtoServer.com server certificate matched by rightid below.

/etc/ipsec.secrets

# ADD USERNAME AND PASSWORD ON LINE BELOW
purevpn0sXXXXXXX : EAP "PUT_YOUR_PASSWORD_HERE"

# https://wiki.strongswan.org/projects/strongswan/wiki/EapSecret

/etc/ipsec.conf

config setup
uniqueids=yes
charondebug="ike 2, knl 1, cfg 1, net 1, esp 1, dmn 1, mgr 1"

conn %default
fragmentation=yes
rekey=yes
keyingtries=%forever
keyexchange=ikev2
compress=no
dpddelay=30s
dpdtimeout=90s
dpdaction=restart
closeaction=restart
# leftfirewall=yes

conn purevpn
# ADD USERNAME ON LINE BELOW
eap_identity=purevpn0sXXXXXXX

# ADD SERVER ON LINE BELOW
right=cato.pointtoserver.com
# https://support.purevpn.com/vpn-servers

# ADD A RANDOM UNIQUE ID ON LINE BELOW (sent to the server as our IKE identity)
leftid=PUT_A_RANDOM_UNIQUE_ID_HERE

left=%any
leftsourceip=%config4
leftsubnet=%dynamic
leftauth=eap-mschapv2
leftsendcert=never

rightid="OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com"
rightauth=pubkey
rightsendcert=never
rightsubnet=0.0.0.0/0

# Ciphers for Windows Server 2008 (the strongest the PureVPN side offers).
# 3DES, SHA-1 and 1024-bit MODP are all deprecated; the "!" makes these the
# only proposals we send, so nothing weaker can be negotiated either.
ike=3des-sha1-modp1024!
esp=3des-sha1!
# Source: https://technet.microsoft.com/en-us/library/dd125380(v=ws.10).aspx

# Hard volume limit: do not send more than 32GB (about 2^32 3DES blocks)
# under one CHILD_SA key, because of Sweet32.
lifebytes=32000000000
# Sources:
# https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/Information-on-Sweet32-for-Palo-Alto-Networks-Customers/ta-p/128526
# https://sweet32.info/

# 8GB: start negotiating the replacement SA at lifebytes - marginbytes,
# i.e. after about 24GB, so the new keys are in place before the hard limit.
marginbytes=8000000000
# This should be raised for >10Gbps connections

# 2^32 (also the size of the 32-bit ESP sequence-number space without ESN)
lifepackets=4294967296
# Note: every ESP packet carries at least one 8-byte block, so with lifebytes
# set as above this packet limit cannot be reached first.

# 2^28
marginpackets=268435456
# This should be raised for >10Gbps connections

# Don't waste bandwidth rekeying when it's not needed
lifetime=0
ikelifetime=0
reauth=no

# We cannot use auto=route with leftsourceip.
auto=start
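
The byte and packet limits above are easy to get wrong (a marginbytes larger than lifebytes, or a lifebytes past the 2^32-block birthday bound, silently defeats the Sweet32 mitigation). The following POSIX sh script is an added example, not part of the original post or of strongSwan: it parses a conn block for the four volume/packet settings and checks that lifebytes is below 2^32 × 8 bytes, that each margin is smaller than its limit, and that lifepackets does not exceed 2^32. The function names (`check_sa_limits`, `conf_value`, `lt`, `le`) and the two sample config files it writes are my own constructions; the "bad" sample uses an 80GB margin against a 32GB limit to show the check catching it.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): sanity-check the
# byte/packet rekey limits of a strongSwan "conn" block against the Sweet32
# bound for a 64-bit block cipher such as 3DES.

# Birthday bound for a 64-bit block cipher: 2^32 blocks * 8 bytes = 32 GiB.
SWEET32_BOUND_BYTES=34359738368
# 2^32: the ESP sequence-number space without extended sequence numbers.
MAX_PACKETS=4294967296

# lt A B / le A B: numeric comparisons done in awk so 64-bit values work
# in any POSIX sh (some shells only have 32-bit $(( )) arithmetic).
lt() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 <  b + 0) }'; }
le() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 <= b + 0) }'; }

# conf_value KEY: print the value of "KEY=value" from the config on stdin,
# ignoring "#" comments and all whitespace (first match wins).
conf_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' |
        awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# check_sa_limits FILE: return 0 if the limits are consistent, 1 otherwise,
# printing one line per problem found.
check_sa_limits() {
    f="$1"; rc=0
    for k in lifebytes marginbytes lifepackets marginpackets; do
        if [ -z "$(conf_value "$k" < "$f")" ]; then
            echo "$f: $k is not set"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    lifebytes=$(conf_value lifebytes < "$f")
    marginbytes=$(conf_value marginbytes < "$f")
    lifepackets=$(conf_value lifepackets < "$f")
    marginpackets=$(conf_value marginpackets < "$f")

    # The hard volume limit must stay below the birthday bound.
    lt "$lifebytes" "$SWEET32_BOUND_BYTES" ||
        { echo "$f: lifebytes=$lifebytes reaches the Sweet32 bound"; rc=1; }
    # Rekeying starts at lifebytes - marginbytes, so the margin must be smaller.
    lt "$marginbytes" "$lifebytes" ||
        { echo "$f: marginbytes=$marginbytes is not below lifebytes=$lifebytes"; rc=1; }
    le "$lifepackets" "$MAX_PACKETS" ||
        { echo "$f: lifepackets=$lifepackets exceeds 2^32"; rc=1; }
    lt "$marginpackets" "$lifepackets" ||
        { echo "$f: marginpackets=$marginpackets is not below lifepackets"; rc=1; }
    return "$rc"
}

# Constructed sample: limits that satisfy every check.
write_sample_good() {
    cat > "$1" <<'EOF'
conn purevpn
    esp=3des-sha1!
    # Rekey before 2^32 3DES blocks have been sent.
    lifebytes=32000000000
    marginbytes=8000000000
    lifepackets=4294967296
    marginpackets=268435456
EOF
}

# Constructed sample: the margin is larger than the limit it guards.
write_sample_bad() {
    cat > "$1" <<'EOF'
conn purevpn
    esp=3des-sha1!
    lifebytes=32000000000
    # 8GB (but the value below is actually 80GB)
    marginbytes=80000000000
    lifepackets=4294967296
    marginpackets=268435456
EOF
}

tmp=$(mktemp -d)
write_sample_good "$tmp/good.conf"
write_sample_bad "$tmp/bad.conf"
check_sa_limits "$tmp/good.conf" && echo "good.conf: limits OK"
check_sa_limits "$tmp/bad.conf" || echo "bad.conf: rejected"
```

To check a real configuration, run check_sa_limits against a file containing just the conn block in question (the parser takes the first occurrence of each key, so do not feed it a whole ipsec.conf with several conns).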


3 comments:

  1. David, I used your configuration above to get PureVPN running on a Linux box (Ubuntu). What I can't seem to get right are the iptables to allow it to be used as a gateway router for the rest of my home network. Do you have a working example of iptables used in this way with this IPsec VPN client connection?
