Note: While PureVPN only has 3DES enabled for IPSec tunnels, we are mitigating Sweet32 (birthday attack) by rekeying every <32GB.
Installing strongSwan

sudo apt-get -y install strongswan strongswan-plugin-eap-mschapv2

Installing Certificates

curl "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/970/821027" | openssl x509 | sudo tee /etc/ipsec.d/cacerts/comodo-rsa-domain-validation-secure-server-ca.pem | openssl x509 -text
curl "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/969/821026" | openssl x509 | sudo tee /etc/ipsec.d/cacerts/comodo-rsa-certification-authority.pem | openssl x509 -text
/etc/ipsec.secrets

# ADD USERNAME AND PASSWORD ON LINE BELOW
purevpn0sXXXXXXX : EAP "PUT_YOUR_PASSWORD_HERE"
# https://wiki.strongswan.org/projects/strongswan/wiki/EapSecret
/etc/ipsec.conf

config setup
    uniqueids=yes
    charondebug="ike 2, knl 1, cfg 1, net 1, esp 1, dmn 1, mgr 1"

conn %default
    fragmentation=yes
    rekey=yes
    keyingtries=%forever
    keyexchange=ikev2
    compress=no
    dpddelay=30s
    dpdtimeout=90s
    dpdaction=restart
    closeaction=restart
    # leftfirewall=yes

conn purevpn
    # ADD USERNAME ON LINE BELOW
    eap_identity=purevpn0sXXXXXXX
    # ADD SERVER ON LINE BELOW
    right=cato.pointtoserver.com
    # https://support.purevpn.com/vpn-servers
    # ADD RANDOM UNIQUE USERNAME ID ON LINE BELOW
    [email protected]
    left=%any
    leftsourceip=%config4
    leftsubnet=%dynamic
    leftauth=eap-mschapv2
    leftsendcert=never
    rightid="OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com"
    rightauth=pubkey
    rightsendcert=never
    rightsubnet=0.0.0.0/0
    # Ciphers for Windows Server 2008
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    # Source: https://technet.microsoft.com/en-us/library/dd125380(v=ws.10).aspx
    # Do not send more than 32GB without rekeying due to SWEET32.
    # Sources:
    # https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/Information-on-Sweet32-for-Palo-Alto-Networks-Customers/ta-p/128526
    # https://sweet32.info/
    lifebytes=32000000000
    # 8GB margin: rekeying starts this far before lifebytes is reached
    # (the margin must be smaller than lifebytes).
    # This should be raised for >10Gbps connections.
    marginbytes=8000000000
    # 2^32 packets
    # Note: This situation shouldn't be possible if lifebytes is correctly set.
    lifepackets=4294967296
    # 2^28 packets
    # This should be raised for >10Gbps connections.
    marginpackets=268435456
    # Don't waste bandwidth rekeying when it's not needed
    lifetime=0
    ikelifetime=0
    reauth=no
    auto=start
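The Sweet32 figures in the conn section above are easy to get wrong by a factor of ten (a margin larger than lifebytes would push the rekey threshold below zero). The following script is an added example, not part of the original post or of strongSwan: it parses an ipsec.conf-style conn section (a constructed sample mirroring the one above), checks whether a 64-bit block cipher is in use, and verifies that lifebytes stays within the 2^32-block birthday bound and that marginbytes leaves a positive rekey threshold. The parser and the check functions are the example's own.

```python
"""Check ipsec.conf rekey thresholds against the Sweet32 bound.

With a 64-bit block cipher (3DES, Blowfish, CAST-128) a birthday collision
becomes likely after about 2^32 blocks under one key, i.e. 2^32 * 8 bytes
= 32 GiB. strongSwan begins rekeying when lifebytes - marginbytes has been
sent, so both values must be consistent with that bound.

Example code, not from the original post; the parser is a minimal one for
the ipsec.conf layout used there.
"""

# 2^32 blocks of 8 bytes each
SWEET32_BYTES = (1 << 32) * 8
BLOCK64_CIPHERS = ("3des", "blowfish", "cast128")

# Constructed sample mirroring the conn section of the post (corrected 8 GB margin).
SAMPLE_CONF = """\
conn purevpn
    keyexchange=ikev2
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    lifebytes=32000000000   # 32 GB
    marginbytes=8000000000  # 8 GB
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf-style text into {section name: {key: value}}.

    A line without leading whitespace starts a section ("conn purevpn",
    "config setup"); indented lines are key=value parameters of the
    current section. '#' comments and blank lines are ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def uses_64bit_block(conn):
    """True if the ike= or esp= proposal names a 64-bit block cipher."""
    proposals = (conn.get("ike", "") + " " + conn.get("esp", "")).lower()
    return any(c in proposals for c in BLOCK64_CIPHERS)


def rekey_threshold_bytes(conn):
    """Bytes after which strongSwan starts rekeying: lifebytes - marginbytes."""
    return int(conn.get("lifebytes", 0)) - int(conn.get("marginbytes", 0))


def check_sweet32(conn):
    """Return a list of findings; an empty list means the conn is consistent."""
    findings = []
    if not uses_64bit_block(conn):
        return findings  # Sweet32 only concerns 64-bit block ciphers
    lifebytes = int(conn.get("lifebytes", 0))
    if lifebytes == 0 or lifebytes > SWEET32_BYTES:
        findings.append(
            "lifebytes must be set and at most %d (2^32 64-bit blocks)" % SWEET32_BYTES
        )
    if rekey_threshold_bytes(conn) <= 0:
        findings.append(
            "marginbytes must be smaller than lifebytes so the rekey threshold stays positive"
        )
    return findings


if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(SAMPLE_CONF).items():
        problems = check_sweet32(conn)
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against a real /etc/ipsec.conf by reading the file into `parse_ipsec_conf`; a conn that uses AES returns no findings because the 64-bit bound does not apply to it.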
David, I used your configuration above to get PureVPN running on a Linux box (Ubuntu). What I can't seem to get right are the iptables to allow it to be used as a gateway router for the rest of my home network. Do you have a working example of iptables used in this way with this IPsec VPN client connection?