Saturday, September 16, 2017

strongSwan with PureVPN (IKEv2/IPsec)

For those who prefer IPSec over OpenVPN, here's a quick guide on setting strongSwan up with PureVPN.

Note: While PureVPN only has 3DES enabled for IPSec tunnels, we are mitigating Sweet32 (birthday attack) by rekeying every <32GB.

Installing strongSwan

sudo apt-get -y install strongswan strongswan-plugin-eap-mschapv2

Installing Certificates

curl "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/970/821027" | openssl x509 | sudo tee /etc/ipsec.d/cacerts/comodo-rsa-domain-validation-secure-server-ca.pem | openssl x509 -text
curl "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/969/821026" | openssl x509 | sudo tee /etc/ipsec.d/cacerts/comodo-rsa-certification-authority.pem | openssl x509 -text

/etc/ipsec.secrets

# ADD USERNAME AND PASSWORD ON LINE BELOW
purevpn0sXXXXXXX : EAP "PUT_YOUR_PASSWORD_HERE"

 # https://wiki.strongswan.org/projects/strongswan/wiki/EapSecret

/etc/ipsec.conf

config setup
uniqueids=yes
charondebug="ike 2, knl 1, cfg 1, net 1, esp 1, dmn 1, mgr 1"

 conn %default
fragmentation=yes
rekey=yes
keyingtries=%forever
keyexchange=ikev2
compress=no
dpddelay=30s
dpdtimeout=90s
dpdaction=restart
closeaction=restart
# leftfirewall=yes

 conn purevpn
# ADD USERNAME ON LINE BELOW
eap_identity=purevpn0sXXXXXXX

 # ADD SERVER ON LINE BELOW
right=cato.pointtoserver.com
# https://support.purevpn.com/vpn-servers

 # ADD RANDOM UNIQUE USERNAME ID ON LINE BELOW
[email protected]

left=%any
leftsourceip=%config4
leftsubnet=%dynamic
leftauth=eap-mschapv2
leftsendcert=never

 rightid="OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com"
rightauth=pubkey
rightsendcert=never
rightsubnet=0.0.0.0/0

 # Ciphers for Windows Server 2008
ike=3des-sha1-modp1024!
esp=3des-sha1!
# Source: https://technet.microsoft.com/en-us/library/dd125380(v=ws.10).aspx

 # Do not send more than 32GB without rekeying due to SWEET32.
lifebytes=32000000000
# Sources:
# https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/Information-on-Sweet32-for-Palo-Alto-Networks-Customers/ta-p/128526
# https://sweet32.info/

 # 8GB
marginbytes=80000000000
# This should be raised for >10Gbps connections

 # 2^32
lifepackets=4294967296
# Note: This situation shouldn't be possible if lifebytes is correctly set.

 # 2^28
marginpackets=268435456
# This should be raised for >10Gbps connections

 # Don't waste bandwidth rekeying when it's not needed
lifetime=0
ikelifetime=0
reauth=no

# We cannot use auto=route with leftsourceip.
auto=start


Posted by at

4 comments:

  1. UnknownMay 17, 2018 at 6:46 PM

    David, I used your configuration above to get pureVPN running on a Linux box (ubuntu) what I can't seem to get right are the iptables to allow it to be used as a gateway router for the rest of my home network. Do you have a working example of iptables used in this way with this ipsec vpn client connection ?

    ReplyDelete
  2. seri irfanJune 4, 2018 at 10:10 PM

    This comment has been removed by a blog administrator.

    ReplyDelete
  3. for IT theDecember 7, 2018 at 6:13 PM

    This comment has been removed by a blog administrator.

    ReplyDelete
  4. Aruna RamApril 3, 2019 at 11:45 PM

    Really this is very superb! I like the post and the explanation is very great. Keeping your great work.
    Primavera Training in Chennai
    Primavera Course in Chennai
    Corporate Training in Chennai
    Embedded System Course Chennai
    Oracle Training in Chennai
    Tableau Training in Chennai
    Spark Training in Chennai
    Excel Training in Chennai
    Power BI Training in Chennai

    ReplyDelete

Subscribe to: Post Comments (Atom)