
Ipsec Hybrid with RSA

This article describes the configuration of a roadwarrior scenario in which a D-200 phone connects to a COMmander 6000 through a strongSwan VPN server.

The strongSwan configuration is based on the following document. In our example, the D-200 is located in the 192.168.1.0/24 subnet and the PBX in the 192.168.21.0/24 subnet. The strongSwan server uses the IP address 192.168.1.239.

The strongSwan server uses a certificate chain that was created with the ipsec pki tool. It is helpful to use --outform pem, because the resulting PEM files can be pasted directly into the phone configuration. Also make sure that all required plugins are installed and loaded: some strongSwan installations (e.g. Raspbian's package) need additional packages such as libstrongswan-extra-plugins or libcharon-extra-plugins before they support features like XAuth.

Info

After configuring your VPN tunnel, you need to set the interfaceType in your identity configuration.

ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn rw
    left=192.168.1.239
    leftcert=server.pem
    leftid="C=DE, O=myVPN, CN=192.168.1.239"
    leftsubnet=192.168.21.0/24
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightauth=xauth
    rightsourceip=192.168.1.0/24
    auto=add
    ike="aes256-sha384-modp1024"
/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
 : RSA server.pem

theUserName : XAUTH "secretXauthPassword"
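The two files above are small, but a typo in either one silently breaks the roadwarrior connection (a leftcert without a matching `: RSA` secret, an XAuth user that exists only on the phone). The following linter is an added example written for this article, not part of strongSwan: it parses the ipsec.conf and ipsec.secrets shown above (copied here as constructed input), cross-checks the `conn` section against the secrets, verifies that the virtual IP pool does not collide with the protected subnet, and flags IKE proposals that use a DH group below 2048 bits or an MD5/SHA-1 hash, which current guidance no longer recommends. The `WEAK_DH` and `WEAK_HASH` sets are this example's own policy, not a strongSwan setting.

```python
"""Lint the strongSwan side of the hybrid-RSA roadwarrior setup.

Added example for this article; it is not part of strongSwan. It parses the
ipsec.conf and ipsec.secrets shown above (copied here as constructed input)
and reports the inconsistencies that most often keep a phone from connecting.
"""
import ipaddress
import re

IPSEC_CONF = """\
# ipsec.conf - strongSwan IPsec configuration file
config setup

conn rw
    left=192.168.1.239
    leftcert=server.pem
    leftid="C=DE, O=myVPN, CN=192.168.1.239"
    leftsubnet=192.168.21.0/24
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightauth=xauth
    rightsourceip=192.168.1.0/24
    auto=add
    ike="aes256-sha384-modp1024"
"""

IPSEC_SECRETS = """\
# RSA private key for this host, authenticating it to any other host
 : RSA server.pem
theUserName : XAUTH "secretXauthPassword"
"""

# Policy of this example: DH groups with a modulus shorter than 2048 bits and
# hash functions no longer recommended for IKE integrity/PRF.
WEAK_DH = {"modp768", "modp1024", "modp1536"}
WEAK_HASH = {"md5", "sha1"}

# '<selectors> : <TYPE> <payload>'; the selector list may be empty (' : RSA file').
SECRET_RE = re.compile(r"^\s*(?P<ids>[^:#]*?)\s*:\s*(?P<type>RSA|ECDSA|PSK|EAP|XAUTH)\s+(?P<rest>.+)$")


def parse_ipsec_conf(text):
    """Return {'conn rw': {key: value}, ...}; quotes around values are removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():          # unindented line = section header, e.g. 'conn rw'
            current = sections.setdefault(" ".join(line.split()), {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections


def parse_ipsec_secrets(text):
    """Return [(selector_ids, secret_type, payload), ...]."""
    entries = []
    for line in text.splitlines():
        m = SECRET_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            entries.append((tuple(m.group("ids").split()), m.group("type"),
                            m.group("rest").strip().strip('"')))
    return entries


def lint(conf, secrets):
    """Cross-check every conn section against the secrets and the proposal strength."""
    findings = []
    rsa_files = {payload for ids, typ, payload in secrets if typ == "RSA"}
    xauth_users = {ids[0] for ids, typ, _ in secrets if typ == "XAUTH" and ids}
    for name, c in conf.items():
        if not name.startswith("conn "):
            continue
        if c.get("leftauth") == "pubkey" and c.get("leftcert") not in rsa_files:
            findings.append(f"{name}: leftcert={c.get('leftcert')} has no ': RSA' entry in ipsec.secrets")
        if c.get("rightauth") == "xauth" and not xauth_users:
            findings.append(f"{name}: rightauth=xauth but ipsec.secrets defines no XAUTH user")
        for proposal in filter(None, c.get("ike", "").split(",")):
            parts = set(proposal.split("-"))
            if parts & WEAK_DH:
                findings.append(f"{name}: ike proposal '{proposal}' uses a DH group below 2048 bits")
            if parts & WEAK_HASH:
                findings.append(f"{name}: ike proposal '{proposal}' uses a deprecated hash")
        try:                              # the virtual IP pool must not collide with the protected subnet
            pool = ipaddress.ip_network(c["rightsourceip"], strict=False)
            if pool.overlaps(ipaddress.ip_network(c["leftsubnet"])):
                findings.append(f"{name}: rightsourceip overlaps leftsubnet")
        except (KeyError, ValueError):    # no pool configured, or a %dhcp / named pool
            pass
    return findings


def run():
    """Lint the two constructed files above and return the findings."""
    return lint(parse_ipsec_conf(IPSEC_CONF), parse_ipsec_secrets(IPSEC_SECRETS))


if __name__ == "__main__":
    for finding in run():
        print("WARNING", finding)
```

Run against the page's own files the linter reports a single finding, the modp1024 group in the IKE proposal; everything else (RSA key reference, XAuth user, pool vs. subnet) is consistent.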

Troubleshooting: make sure that IP forwarding is enabled on the server. If NAT is in use, the phone requires a STUN server to set up the RTP connection correctly.

configurationHybridRSA.xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <network>
      <vpn>
        <active>true</active>
        <vpnType>IpsecHybridRSA</vpnType>
        <name>xauthRSA</name>
        <server>192.168.1.239</server>
        <username>theUserName</username>
        <password>secretXauthPassword</password>
        <routes>192.168.21.0/24</routes>
        <dnsServers>192.168.21.44</dnsServers>
        <searchDomains></searchDomains>
        <ipsecUserCert>-----BEGIN CERTIFICATE-----
MIIECDCCAfCgAwIBAgIIV2e5OjpmO/cwDQYJKoZIhvcNAQEMBQAwLzELMAkGA1UE
...
KzTACM76B9Lp696U1+0ZkigfvTYd90jP8gZ21H2ovG3WnP67mvLDxog5O8VCwdqv
Tdbtd2oADuEWtgU0mhbcV4xDIU/3Z5umyG4djw==
-----END CERTIFICATE-----</ipsecUserCert>
        <ipsecUserPrivateKey>-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAuIsnvr78JsLcvOO1/TpR9/i0MxA8qibab+zl5lg2QnNRhvu1
...
28kvUT6mS9wRPQv8aHS15sVo0S8F1rhcV5omexTJHnr/1IGTsKYs/eoWD/aOk2Tu
/5sVRDmI3/ZCCDh8P7Ze/Wl7swg0TcMVz7fRwJiGydaNx7EFgeQ=
-----END RSA PRIVATE KEY-----</ipsecUserPrivateKey>
        <ipsecCaCert>
-----BEGIN CERTIFICATE-----
MIIFVDCCAzygAwIBAgIIathgW2F9FK0wDQYJKoZIhvcNAQEMBQAwSDELMAkGA1UE
[...]
eVFk0ppvntZWPWyi9bkyMFsvPcnKLReA
-----END CERTIFICATE-----
        </ipsecCaCert>
        <ipsecServerCert>
-----BEGIN CERTIFICATE-----
MIIEVjCCAj6gAwIBAgIIbv82bUNvoQ8wDQYJKoZIhvcNAQEMBQAwSDELMAkGA1UE
[...]
tCQX/JZ7e9AAdw==
-----END CERTIFICATE-----
        </ipsecServerCert>
      </vpn>
    </network>
    <identities>
      <identity>
        <active>true</active>
        <displayname>COMmander 6000</displayname>
        <username>70</username>
        <host>192.168.21.100</host>
        <password>AccountPassword</password>
        <frameSize>20</frameSize>
        <audiocodecs>
          <audiocodec>G.722</audiocodec>
          <audiocodec>G.711</audiocodec>
        </audiocodecs>
        <clir>displayAnonymous</clir>
        <localmoh>false</localmoh>
        <secureConnection>false</secureConnection>
        <srtp>disabled</srtp>
        <ipVersion>IpV4</ipVersion>
        <checkHostname>true</checkHostname>
        <pickupCode>##06</pickupCode>
        <interfaceType>vpn</interfaceType>
      </identity>
      <identity>
        <active>false</active>
      </identity>
      <identity>
        <active>false</active>
      </identity>
      <identity>
        <active>false</active>
      </identity>
      <identity>
        <active>false</active>
      </identity>
      <identity>
        <active>false</active>
      </identity>
    </identities>
</configuration>

The identity specifies the interfaceType vpn, so its registration is performed only after the tunnel has been established.
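The phone configuration has to agree with the server side on several values at once: the server address must equal `left`, the routes must equal `leftsubnet`, the XAuth credentials must exist in ipsec.secrets, each certificate element must carry the right kind of PEM block, and every active identity must use interfaceType vpn and point at a host inside the routed subnet. The checker below is an added example written for this article, not a vendor tool: `SERVER` holds the values from the ipsec.conf and ipsec.secrets above, and `PHONE_XML` is a constructed copy of the configuration file whose certificate and key bodies are replaced by a minimal DER stub so that the example runs offline (a real file carries the complete PEM material). The PEM check only verifies the label, the base64 encoding and the outer DER SEQUENCE; it does not validate the certificate chain.

```python
"""Check a D-200 configurationHybridRSA.xml against the strongSwan side.
Added example for this article (not a vendor tool): SERVER carries the values
from the ipsec.conf / ipsec.secrets above, PHONE_XML is a constructed copy of
the phone configuration whose PEM bodies are stand-in DER stubs."""
import base64
import binascii
import ipaddress
import xml.etree.ElementTree as ET

SERVER = {"left": "192.168.1.239", "leftsubnet": "192.168.21.0/24",
          "xauth": {"theUserName": "secretXauthPassword"}}

# PEM label each certificate/key element of the phone configuration must carry.
EXPECTED_PEM = {"ipsecUserCert": "CERTIFICATE", "ipsecUserPrivateKey": "RSA PRIVATE KEY",
                "ipsecCaCert": "CERTIFICATE", "ipsecServerCert": "CERTIFICATE"}

# Minimal DER SEQUENCE (INTEGER 1) so the constructed PEM bodies decode; a real file holds full certs/keys.
DER_STUB = bytes([0x30, 0x03, 0x02, 0x01, 0x01])


def pem(label, der):
    """Wrap DER bytes in a PEM block with the given label."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----"


PHONE_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <network>
    <vpn>
      <active>true</active>
      <vpnType>IpsecHybridRSA</vpnType>
      <server>192.168.1.239</server>
      <username>theUserName</username>
      <password>secretXauthPassword</password>
      <routes>192.168.21.0/24</routes>
      <ipsecUserCert>{pem('CERTIFICATE', DER_STUB)}</ipsecUserCert>
      <ipsecUserPrivateKey>{pem('RSA PRIVATE KEY', DER_STUB)}</ipsecUserPrivateKey>
      <ipsecCaCert>{pem('CERTIFICATE', DER_STUB)}</ipsecCaCert>
      <ipsecServerCert>{pem('CERTIFICATE', DER_STUB)}</ipsecServerCert>
    </vpn>
  </network>
  <identities>
    <identity>
      <active>true</active>
      <displayname>COMmander 6000</displayname>
      <host>192.168.21.100</host>
      <interfaceType>vpn</interfaceType>
    </identity>
    <identity><active>false</active></identity>
  </identities>
</configuration>"""


def text(el, tag):
    """Stripped text of child `tag`, or '' when the element is absent."""
    return (el.findtext(tag) or "").strip()


def check_pem(block, label):
    """Return an error string if `block` is not a well-formed PEM block labelled `label`, else None."""
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
        return f"expected a '{label}' PEM block"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return "PEM body is not valid base64"
    if not der or der[0] != 0x30:        # certificates and RSA keys are DER SEQUENCEs
        return "PEM body does not decode to a DER SEQUENCE"
    return None


def validate(xml_text, server):
    """Return a list of findings; an empty list means the file is consistent with the server."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    vpn = root.find("network/vpn")
    findings = []
    if text(vpn, "active") != "true" or text(vpn, "vpnType") != "IpsecHybridRSA":
        findings.append("vpn: not an active IpsecHybridRSA profile")
    if text(vpn, "server") != server["left"]:
        findings.append(f"vpn: server {text(vpn, 'server')} differs from left={server['left']}")
    if text(vpn, "routes") != server["leftsubnet"]:
        findings.append("vpn: routes differ from leftsubnet")
    if server["xauth"].get(text(vpn, "username")) != text(vpn, "password"):
        findings.append(f"vpn: no matching XAUTH secret for user '{text(vpn, 'username')}'")
    for tag, label in EXPECTED_PEM.items():
        if err := check_pem(text(vpn, tag), label):
            findings.append(f"vpn/{tag}: {err}")
    routes = ipaddress.ip_network(server["leftsubnet"])
    for ident in root.iterfind("identities/identity"):
        if text(ident, "active") != "true":
            continue
        name = text(ident, "displayname")
        if text(ident, "interfaceType") != "vpn":
            findings.append(f"identity '{name}': interfaceType must be 'vpn' to register through the tunnel")
        host = text(ident, "host")
        if not host or ipaddress.ip_address(host) not in routes:
            findings.append(f"identity '{name}': host '{host}' is not covered by the VPN routes")
    return findings
```

Running `validate(PHONE_XML, SERVER)` on the constructed file returns an empty list; removing the interfaceType element or changing the XAuth password produces a finding that names the offending element, which is the check worth running before the file is pushed to a phone.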