Ipsec Hybrid with RSA

This article describes the configuration of a roadwarrior scenario in which a d-200 phone connects to a COMmander 6000 through a strongSwan VPN server.

The strongSwan configuration is based on the following document. In our example, the d-200 is located in the 192.168.1.0/24 subnet and the PBX in the 192.168.21.0/24 subnet. The strongSwan server uses the IP address 192.168.1.239.

The strongSwan server uses a certificate chain that was created with the ipsec pki tool. It is helpful to use --outform pem, because the PEM output can be pasted directly into the phone configuration. Also make sure that all required plugins are installed and loaded: some strongSwan installations (e.g. Raspbian's package) need additional packages such as `libstrongswan-extra-plugins` or `libcharon-extra-plugins` before they support XAuth.

After configuring your VPN tunnel, you need to specify the interfaceType in your identity configuration.
ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

# roadwarrior connection: the server authenticates with its certificate (pubkey),
# the phone authenticates with an XAUTH username/password (hybrid mode)
conn rw
    left=192.168.1.239
    leftcert=server.pem
    leftid="C=DE, O=myVPN, CN=192.168.1.239"
    leftsubnet=192.168.21.0/24
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightauth=xauth
    # pool from which the phone is assigned its virtual IP address
    rightsourceip=192.168.1.0/24
    auto=add
    # IKE proposal; modp1024 (DH group 2) is considered weak, prefer a stronger group if the phone supports one
    ike="aes256-sha384-modp1024"
/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

 : RSA server.pem

theUserName  : XAUTH "secretXauthPassword"

Troubleshooting: make sure that IP forwarding is enabled on the server. If NAT is used, the phone will require a STUN server to set up an RTP connection correctly.

configurationHybridRSA.xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <network>
    <vpn>
      <active>true</active>
      <vpnType>IpsecHybridRSA</vpnType>
      <name>xauthRSA</name>
      <server>192.168.1.239</server>
      <username>theUserName</username>
      <password>secretXauthPassword</password>
      <routes>192.168.21.0/24</routes>
      <dnsServers>192.168.21.44</dnsServers>
      <searchDomains></searchDomains>
      <ipsecUserCert>-----BEGIN CERTIFICATE-----
MIIECDCCAfCgAwIBAgIIV2e5OjpmO/cwDQYJKoZIhvcNAQEMBQAwLzELMAkGA1UE
...
KzTACM76B9Lp696U1+0ZkigfvTYd90jP8gZ21H2ovG3WnP67mvLDxog5O8VCwdqv
Tdbtd2oADuEWtgU0mhbcV4xDIU/3Z5umyG4djw==
-----END CERTIFICATE-----</ipsecUserCert>
      <ipsecUserPrivateKey>-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAuIsnvr78JsLcvOO1/TpR9/i0MxA8qibab+zl5lg2QnNRhvu1
...
28kvUT6mS9wRPQv8aHS15sVo0S8F1rhcV5omexTJHnr/1IGTsKYs/eoWD/aOk2Tu
/5sVRDmI3/ZCCDh8P7Ze/Wl7swg0TcMVz7fRwJiGydaNx7EFgeQ=
-----END RSA PRIVATE KEY-----</ipsecUserPrivateKey>
      <ipsecCaCert>
-----BEGIN CERTIFICATE-----
MIIFVDCCAzygAwIBAgIIathgW2F9FK0wDQYJKoZIhvcNAQEMBQAwSDELMAkGA1UE
[...]
eVFk0ppvntZWPWyi9bkyMFsvPcnKLReA
-----END CERTIFICATE-----
      </ipsecCaCert>
      <ipsecServerCert>
-----BEGIN CERTIFICATE-----
MIIEVjCCAj6gAwIBAgIIbv82bUNvoQ8wDQYJKoZIhvcNAQEMBQAwSDELMAkGA1UE
[...]
tCQX/JZ7e9AAdw==
-----END CERTIFICATE-----
      </ipsecServerCert>
    </vpn>
  </network>
  <identities>
    <identity>
      <active>true</active>
      <displayname>COMmander 6000</displayname>
      <username>70</username>
      <host>192.168.21.100</host>
      <password>AccountPassword</password>
      <frameSize>20</frameSize>
      <audiocodecs>
        <audiocodec>G.722</audiocodec>
        <audiocodec>G.711</audiocodec>
      </audiocodecs>
      <clir>displayAnonymous</clir>
      <localmoh>false</localmoh>
      <secureConnection>false</secureConnection>
      <srtp>disabled</srtp>
      <ipVersion>IpV4</ipVersion>
      <checkHostname>true</checkHostname>
      <pickupCode>##06</pickupCode>
      <interfaceType>vpn</interfaceType>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
  </identities>
</configuration>

The identity sets interfaceType to vpn, so the SIP registration with the PBX is performed only after the tunnel has been established.
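As an added consistency check, not part of the original article or of strongSwan, the following Python script parses constructed inline copies of the three files above (certificate blobs omitted) and reports the mismatches that usually keep this hybrid setup from coming up: the phone's server address versus left, the XAUTH user versus ipsec.secrets, the pushed routes versus leftsubnet, and a weak modp1024 group in the ike proposal.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the article's three files (certificate blobs omitted).
IPSEC_CONF = """\
conn rw
    left=192.168.1.239
    leftsubnet=192.168.21.0/24
    rightauth=xauth
    rightsourceip = 192.168.1.0/24
    ike="aes256-sha384-modp1024"
"""
IPSEC_SECRETS = """\
 : RSA server.pem
theUserName  : XAUTH "secretXauthPassword"
"""
PHONE_XML = """<configuration><network><vpn><vpnType>IpsecHybridRSA</vpnType>
<server>192.168.1.239</server><username>theUserName</username>
<password>secretXauthPassword</password><routes>192.168.21.0/24</routes>
</vpn></network></configuration>"""

def parse_conn(text, name):
    """Return the key=value settings of one ipsec.conf conn stanza."""
    settings, inside = {}, False
    for line in text.splitlines():
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and line[:1].isspace() and "=" in line:
            key, value = line.split("=", 1)  # tolerate "key = value"
            settings[key.strip()] = value.strip().strip('"')
    return settings

def xauth_secrets(text):
    """Map XAUTH user -> password from ipsec.secrets; the RSA line does not match."""
    return dict(re.findall(r'^\s*(\S+)\s*:\s*XAUTH\s+"([^"]*)"', text, re.M))

def check_phone_vpn(xml_text, conf_text, secrets_text, conn="rw"):
    """Return the mismatches that would keep the phone's tunnel from coming up."""
    vpn = {e.tag: (e.text or "").strip() for e in ET.fromstring(xml_text).find("network/vpn")}
    conf, users = parse_conn(conf_text, conn), xauth_secrets(secrets_text)
    checks = [
        (vpn.get("server") != conf.get("left"), "server differs from left"),
        (conf.get("rightauth") != "xauth" or vpn.get("vpnType") != "IpsecHybridRSA",
         "peer auth is not XAUTH hybrid on both sides"),
        (users.get(vpn.get("username")) != vpn.get("password"),
         "XAUTH user/password not found in ipsec.secrets"),
        (vpn.get("routes") != conf.get("leftsubnet"), "routes differ from leftsubnet"),
        ("modp1024" in conf.get("ike", ""), "ike proposal uses weak DH group modp1024"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run against the article's values the only finding is the weak DH group; change the server address or remove the XAUTH line and the corresponding mismatch is reported as well.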