IPSec

As of 2016/2017 I have moved to strongSwan, as it supports IKEv2 for the IPv6-in-IP tunnel.

First, some certificates are needed.

/var/lib/strongswan/ipsec.conf.inc

Because Android is proprietary, it is reasonable to use tricks for interoperability with the built-in VPN client.

For the strongSwan app, after importing the .p12 file, newer releases of Android may generate constant "your connection may be monitored" errors while there is anything in the user certificate store, making it functionally useless. 😕

To deal with this, import the gateway certificates directly into the strongSwan app, and clear them from the "user" certificate store in Android.

The inbuilt VPN client doesn't have a dedicated certificate library, so it is further necessary to use the same certificate for both ends of the connection to the VPN server "gate".

This does mean the phone "knows" the server private key, though as it should be possible to use an independent server key for each tunnel, a compromised phone is not expected to facilitate interception of another tunnel.

All the examples can go in the file together, so the method can be switched in the event a phone update breaks one of them.

The first example is for L2TP; it requires an l2tpd setup as well.

  conn ipsec-xauth-rsa-l2tp
      dpdaction=clear
      # transport mode: the L2TP tunnel carries the traffic, IPsec only protects it
      type=transport
      left=your,gateway,ip,addresses
      right=%any
      # same certificate on both ends, as the inbuilt client has no separate trust store
      leftcert=phone-by-gate.crt
      rightcert=phone-by-gate.crt
      keyexchange=ike
      auto=add
      leftfirewall=yes
      rightfirewall=yes
      leftauth=pubkey
      rightauth=pubkey

Example for XAuth (certificate on both ends, plus a username/password round)

  conn ipsec-xauth-rsa
      dpdaction=clear
      left=your,gateway,ip,addresses
      right=%any
      leftcert=phone-by-gate.crt
      rightcert=phone-by-gate.crt
      # tunnel everything, v6 and v4
      leftsubnet=::/0,0.0.0.0/0
      # inner addresses: a v6 range here, v4 from the DHCP server (see the DHCP section)
      rightsourceip=your_guest_ipv6::/120,%dhcp
      rightdns=your_dns_resolver_ipv6,your_dns_resolver_ipv4
      keyexchange=ike
      auto=add
      leftfirewall=yes
      rightfirewall=yes
      leftauth=pubkey
      rightauth=pubkey
      # second authentication round for the client
      rightauth2=xauth

Example for hybrid (certificate on the gateway only, XAuth for the client)

  conn xauth-hybrid-rsa
      dpdaction=clear
      left=your,gateway,ip,addresses
      right=%any
      leftcert=phone-by-gate.crt
      # no client certificate in hybrid mode, the client is only authenticated by xauth
      #rightcert=phone-by-gate.crt
      leftsubnet=::/0,0.0.0.0/0
      rightsourceip=your_guest_ipv6::/96,%dhcp
      rightdns=your_dns_resolver_ipv6,your_dns_resolver_ipv4
      keyexchange=ike
      auto=add
      leftfirewall=yes
      rightfirewall=yes
      leftauth=pubkey
      rightauth=xauth

Example for the strongSwan app with IKEv2; in this case it is done the normal way, with a separate certificate for each end. The strongSwan app supports tunnelling IPv6 and IPv4 together over IPv4, at the small expense of a security warning.

  conn ipsec-app
      dpdaction=clear
      left=your,gateway,ip,addresses
      right=%any
      # distinct certificates: gateway cert presented to the phone, phone cert expected back
      leftcert=gate-by-phone.crt
      rightcert=phone-by-gate.crt
      leftsubnet=::/0,0.0.0.0/0
      rightsourceip=your_guest_ipv6::/96,%dhcp
      rightdns=your_dns_resolver_ipv6,your_dns_resolver_ipv4
      keyexchange=ikev2
      auto=add
      leftfirewall=yes
      rightfirewall=yes

/var/lib/strongswan/ipsec.secrets.inc

Contains at least an instruction to use the key files found in /etc/ipsec.d/private/, regardless of whether the key is RSA (modulus based) or elliptic curve.

And add some pre-shared keys, as the hybrid or XAuth modes require them, though certificates are preferred as the main protection.
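The certificates the notes need (gate-by-phone.crt for the gateway, phone-by-gate.crt for the phone, bundled into the .p12 the app imports) and the matching ipsec.secrets.inc fragment, as an added example that is not part of the original notes or of strongSwan itself. It uses openssl rather than strongSwan's own pki tool; the gateway IP (203.0.113.1, a documentation address), the CN values, the .p12 password and the XAuth/PSK strings are constructed placeholders and must be changed. strongSwan accepts the resulting PEM files unchanged.

```shell
#!/bin/sh
# Added example (not from the original notes): build a small CA and the two
# endpoint certificates the conn examples refer to, then write the secrets
# fragment that points charon at their private keys.
set -eu

GATE_IP="${GATE_IP:-203.0.113.1}"   # placeholder: the address the phone connects to

# make_ca DIR: self-signed CA that signs both ends; 10-year lifetime.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 3072 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
      -subj "/CN=Home VPN CA" -out "$dir/ca.crt" 2>/dev/null
}

# issue DIR NAME CN EXTFILE: key + CSR + CA-signed cert for one endpoint.
issue() {
  dir="$1"; name="$2"; cn="$3"; ext="$4"
  openssl genrsa -out "$dir/$name.key" 3072 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -sha256 -days 730 -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
  rm -f "$dir/$name.csr"
}

# make_all DIR: CA, gateway cert, phone cert and the phone's .p12 bundle.
make_all() {
  dir="$1"
  make_ca "$dir"
  # Gateway cert: the SAN must carry the address the phone dials, or the app
  # refuses the gateway; serverAuth EKU keeps strict clients happy.
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$GATE_IP" > "$dir/gate.ext"
  issue "$dir" gate-by-phone "$GATE_IP" "$dir/gate.ext"
  # Phone cert: a plain client cert; its identity is the CN.
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/phone.ext"
  issue "$dir" phone-by-gate phone "$dir/phone.ext"
  # Bundle for import into the phone: key + cert + CA in one .p12 (placeholder password).
  openssl pkcs12 -export -inkey "$dir/phone-by-gate.key" -in "$dir/phone-by-gate.crt" \
      -certfile "$dir/ca.crt" -name phone -passout pass:changeme -out "$dir/phone.p12"
  chmod 600 "$dir"/*.key "$dir/phone.p12"
}

# verify_chain DIR NAME: returns 0 when NAME.crt chains to the CA.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# write_secrets DIR: the ipsec.secrets.inc fragment. Key paths are relative to
# /etc/ipsec.d/private/; the XAUTH user and the PSK are placeholders for the
# xauth/hybrid conns. The file must not be world readable.
write_secrets() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ipsec.secrets.inc" <<'EOF'
# gateway key for the IKEv2 app conn, shared phone key for the inbuilt-client conns
: RSA gate-by-phone.key
: RSA phone-by-gate.key
# xauth / hybrid credentials (placeholders, change them)
phone : XAUTH "change-this-xauth-password"
: PSK "change-this-psk"
EOF
  chmod 600 "$dir/ipsec.secrets.inc"
}

# Run as: sh thisfile.sh run  (writes into ./pki-out; copy to /etc/ipsec.d afterwards)
if [ "${1:-}" = run ]; then
  make_all ./pki-out
  write_secrets ./pki-out
  verify_chain ./pki-out gate-by-phone && verify_chain ./pki-out phone-by-gate && echo "chain OK"
fi
```

Copy ca.crt and the two .crt files to /etc/ipsec.d/cacerts and /etc/ipsec.d/certs, the .key files to /etc/ipsec.d/private, and phone.p12 to the phone. For the inbuilt-client conns, which use phone-by-gate.crt on both ends, the phone.p12 already carries everything the phone needs.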

DHCP

strongSwan is configured to allocate the inner IPv4 address from a DHCP server, especially if using public IPs, as we do not have very many of those!

Add a file /etc/strongswan.d/charon/example.conf, named after oneself.

It needs the interface directed at, or on which, the DHCP server is serving addresses, and the IPv4 subnet broadcast address; 255.255.255.255 and multicast addresses were found not to work.

  dhcp {
      force_server_address = yes
      identity_lease = yes
      interface = interface
      server = ipv4_broadcast_address
  }

Also needed is an iptables rule to calculate the UDP checksum where ISC dhcpd and strongSwan are on the same PC, as dhcpd ignores the packet when it sees 0xBADD.
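The DHCP steps above, as an added example that is not part of the original notes: a shell helper that works out the subnet's directed broadcast (the value the notes say the server setting needs, rather than 255.255.255.255), renders the charon dhcp plugin section with it, and prints the iptables CHECKSUM rule. The interface name eth0, the inner subnet 192.0.2.0/24 and the output path are constructed placeholders; matching ports 67 and 68 in the rule is my choice, not something the notes state.

```shell
#!/bin/sh
# Added example (not from the original notes): helpers for the DHCP section.
set -eu

# broadcast_of CIDR: print the directed broadcast of an IPv4 subnet
# (192.0.2.0/24 -> 192.0.2.255) using shell arithmetic only.
broadcast_of() {
  case "$1" in */*) ;; *) echo "broadcast_of: need a.b.c.d/len" >&2; return 1 ;; esac
  ip="${1%/*}"; plen="${1#*/}"
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  b=$(( n | ((1 << (32 - plen)) - 1) ))
  printf '%d.%d.%d.%d\n' \
    $(( (b >> 24) & 255 )) $(( (b >> 16) & 255 )) $(( (b >> 8) & 255 )) $(( b & 255 ))
}

# dhcp_plugin_conf IFACE CIDR: print the charon dhcp plugin section from the
# notes, with server = the subnet's directed broadcast. Redirect it into
# /etc/strongswan.d/charon/<yourname>.conf.
dhcp_plugin_conf() {
  bcast=$(broadcast_of "$2")
  printf 'dhcp {\n'
  printf '    force_server_address = yes\n'
  printf '    identity_lease = yes\n'
  printf '    interface = %s\n' "$1"
  printf '    server = %s\n' "$bcast"
  printf '}\n'
}

# dhcp_checksum_rule: mangle rule that makes the kernel fill in the UDP
# checksum on DHCP traffic leaving this host, so a dhcpd on the same machine
# does not discard charon's requests. Both DHCP ports are matched here (my
# choice); narrow it once you know which direction is affected.
dhcp_checksum_rule() {
  printf '%s\n' 'iptables -t mangle -A POSTROUTING -p udp --dport 67:68 -j CHECKSUM --checksum-fill'
}

# Run as root with "apply" to write the plugin config and install the rule
# (placeholders: IFACE, INNER_NET and the file name).
if [ "${1:-}" = apply ]; then
  dhcp_plugin_conf "${IFACE:-eth0}" "${INNER_NET:-192.0.2.0/24}" \
      > /etc/strongswan.d/charon/example.conf
  eval "$(dhcp_checksum_rule)"
fi
```

Without the apply argument the script only defines the functions, so it can be sourced to check the computed broadcast before touching the live configuration.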