IPsec RSA with XAuth authentication
This article describes the configuration of a road warrior scenario in which a d-200 phone connects to a COMmander 6000 through a strongSwan VPN server.
The strongSwan configuration is based on the following document.

In our example, the d-200 is located in the 192.168.1.0/24 subnet and the PBX in the 192.168.21.0/24 subnet. The strongSwan server uses the IP address 192.168.1.239.

The strongSwan server uses a certificate chain that was created with the ipsec pki tool. It is helpful to use the --outform pem option: the PEM-encoded certificates and keys can then be pasted directly into the phone configuration.

Also make sure that all required plugins are installed and loaded. Some strongSwan installations (e.g. Raspbian's package) need additional packages such as libstrongswan-extra-plugins or libcharon-extra-plugins before they support features like XAuth.
Info: after configuring your VPN tunnel, you also need to specify the interfaceType in your identity configuration.
ipsec.conf:

```
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn rw
    keyexchange=ikev1
    left=192.168.1.239
    leftcert=server.pem
    leftid="C=DE, O=myVPN, CN=192.168.1.239"
    leftsendcert=always
    leftauth=pubkey
    leftsubnet=192.168.21.0/24
    leftfirewall=yes
    right=%any
    # the phone authenticates with its client certificate first, then with XAuth username/password
    rightauth=pubkey
    rightauth2=xauth
    # virtual IP pool assigned to the phone
    rightsourceip=192.168.1.0/24
    rightsendcert=ifasked
    auto=add
    # modp1024 is a 1024-bit DH group (IKE group 2); use a larger group if the phone supports one
    ike="aes256-sha384-modp1024"
```
/etc/ipsec.secrets:

```
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA server.pem

# XAuth credentials the phone presents in the second authentication round
theUserName : XAUTH "secretXauthPassword"
```
Troubleshooting: make sure that IP forwarding is enabled on the server. If NAT is used, the phone requires a STUN server to set up the RTP connection correctly.
configurationXauthRSA.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <network>
    <vpn>
      <active>true</active>
      <vpnType>IpsecXauthRSA</vpnType>
      <name>xauthRSA</name>
      <server>192.168.1.239</server>
      <username>theUserName</username>
      <password>secretXauthPassword</password>
      <routes>192.168.21.0/24</routes>
      <dnsServers>192.168.21.44</dnsServers>
      <searchDomains></searchDomains>
      <ipsecUserCert>-----BEGIN CERTIFICATE-----
MIIECDCCAfCgAwIBAgIIV2e5OjpmO/cwDQYJKoZIhvcNAQEMBQAwLzELMAkGA1UE
...
KzTACM76B9Lp696U1+0ZkigfvTYd90jP8gZ21H2ovG3WnP67mvLDxog5O8VCwdqv
Tdbtd2oADuEWtgU0mhbcV4xDIU/3Z5umyG4djw==
-----END CERTIFICATE-----</ipsecUserCert>
      <ipsecUserPrivateKey>-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAuIsnvr78JsLcvOO1/TpR9/i0MxA8qibab+zl5lg2QnNRhvu1
...
28kvUT6mS9wRPQv8aHS15sVo0S8F1rhcV5omexTJHnr/1IGTsKYs/eoWD/aOk2Tu
/5sVRDmI3/ZCCDh8P7Ze/Wl7swg0TcMVz7fRwJiGydaNx7EFgeQ=
-----END RSA PRIVATE KEY-----</ipsecUserPrivateKey>
      <ipsecCaCert>
-----BEGIN CERTIFICATE-----
MIIFVDCCAzygAwIBAgIIathgW2F9FK0wDQYJKoZIhvcNAQEMBQAwSDELMAkGA1UE
[...]
eVFk0ppvntZWPWyi9bkyMFsvPcnKLReA
-----END CERTIFICATE-----
      </ipsecCaCert>
      <ipsecServerCert>
-----BEGIN CERTIFICATE-----
MIIEVjCCAj6gAwIBAgIIbv82bUNvoQ8wDQYJKoZIhvcNAQEMBQAwSDELMAkGA1UE
[...]
tCQX/JZ7e9AAdw==
-----END CERTIFICATE-----
      </ipsecServerCert>
    </vpn>
  </network>
  <identities>
    <identity>
      <active>true</active>
      <displayname>COMmander 6000</displayname>
      <username>70</username>
      <host>192.168.21.100</host>
      <password>AccountPassword</password>
      <frameSize>20</frameSize>
      <audiocodecs>
        <audiocodec>G.722</audiocodec>
        <audiocodec>G.711</audiocodec>
      </audiocodecs>
      <clir>displayAnonymous</clir>
      <localmoh>false</localmoh>
      <secureConnection>false</secureConnection>
      <srtp>disabled</srtp>
      <ipVersion>IpV4</ipVersion>
      <checkHostname>true</checkHostname>
      <pickupCode>##06</pickupCode>
      <interfaceType>vpn</interfaceType>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
    <identity>
      <active>false</active>
    </identity>
  </identities>
</configuration>
```
The identity sets interfaceType to vpn, so the registration is performed after the tunnel has been connected.
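The Info note and the sentence above both depend on the phone's XML agreeing with the server's ipsec.conf and ipsec.secrets; a mismatch in any of them shows up only as a failed tunnel or a phone that never registers. As an added example that is not part of the original page or of strongSwan, the Python below cross-checks the three files: it parses the ipsec.conf sections, verifies that `<server>`, `<routes>`, `<username>` and `<vpnType>` agree with `left`, `leftsubnet`, the XAUTH entry and `rightauth`/`rightauth2`, and confirms that every active identity uses `interfaceType` `vpn` with a PBX host inside the tunnelled subnet. The embedded inputs are constructed copies of the page's values with the certificate bodies omitted.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
# Constructed samples mirroring the page's ipsec.conf, ipsec.secrets and phone XML.
IPSEC_CONF = """conn rw
    left=192.168.1.239
    leftsubnet=192.168.21.0/24
    rightauth=pubkey
    rightauth2=xauth
"""
IPSEC_SECRETS = ': RSA server.pem\ntheUserName : XAUTH "secretXauthPassword"\n'
PHONE_XML = """<configuration><network><vpn><vpnType>IpsecXauthRSA</vpnType>
<server>192.168.1.239</server><username>theUserName</username>
<routes>192.168.21.0/24</routes></vpn></network><identities>
<identity><active>true</active><host>192.168.21.100</host>
<interfaceType>vpn</interfaceType></identity></identities></configuration>"""

def parse_ipsec_conf(text):
    """Map section name -> {key: value}; an unindented line opens a new section."""
    sections, current = {}, None
    for line in [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]:
        if not line[0].isspace():
            current = line.split(None, 1)[1]  # "conn rw" -> "rw", "config setup" -> "setup"
            sections[current] = {}
        else:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def check_phone_config(conf_text, secrets_text, xml_text, conn="rw"):
    """Return the mismatches between server and phone files; [] means they agree."""
    c, problems = parse_ipsec_conf(conf_text)[conn], []
    root = ET.fromstring(xml_text)
    vpn = root.find("network/vpn")
    if vpn.findtext("server") != c.get("left"):
        problems.append("<server> differs from left")
    if vpn.findtext("routes") != c.get("leftsubnet"):
        problems.append("<routes> differs from leftsubnet")
    if vpn.findtext("vpnType") == "IpsecXauthRSA" and (
            c.get("rightauth"), c.get("rightauth2")) != ("pubkey", "xauth"):
        problems.append("IpsecXauthRSA needs rightauth=pubkey and rightauth2=xauth")
    if vpn.findtext("username") not in re.findall(r"^(\S+)\s*:\s*XAUTH\b", secrets_text, re.M):
        problems.append("<username> has no XAUTH entry in ipsec.secrets")
    route = ipaddress.ip_network(vpn.findtext("routes"))
    for ident in root.iterfind("identities/identity[active='true']"):
        if ident.findtext("interfaceType") != "vpn":
            problems.append("active identity lacks interfaceType vpn")
        if ipaddress.ip_address(ident.findtext("host")) not in route:
            problems.append("PBX host is not covered by <routes>")
    return problems
```

Run it against your real files by reading them into the three arguments; an empty list means the phone and server agree on every value the page says must match.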