Tugriceri Web Notes

StrongSwan

StrongSwan and Android configs

by on Apr.27, 2013, under Linux, Security, StrongSwan

root@six #cat ipsec.conf

# Responder-side connection for remote clients (Android, per the post title).
# The gateway (left) authenticates with its certificate; each client (right)
# authenticates with a user name and password over EAP-MSCHAPv2.
#   leftsubnet=0.0.0.0/0   offers the whole IPv4 range, so a client can send
#                          all of its traffic through the tunnel.
#   leftid                 must be confirmed by leftcert, i.e. appear as a
#                          subjectAltName (or be the subject DN) of that cert.
#   right=%any/rightid=%any accept a client from any address with any IKE ID;
#                          the EAP login is what identifies the user.
#   rightsourceip          pool the clients' virtual IPs are assigned from.
#   rightauth=eap-mschapv2 MSCHAPv2 is a weak challenge/response on its own;
#                          here it runs inside the IKEv2 exchange, so it relies
#                          on clients validating the gateway certificate.
#   rightsendcert=never    presumably: clients are not expected to present a
#                          certificate - confirm.
#   auto=add               load the connection and wait for clients to connect.
# NOTE(review): keyexchange is not set. EAP client authentication needs IKEv2;
# consider pinning keyexchange=ikev2 and check the default of your version.
# NOTE(review): no ike=/esp= proposals are listed, so the daemon defaults
# apply - compare them with your own crypto policy.
conn tugriceri.com
leftsubnet=0.0.0.0/0
left=209.208.63.204
leftcert=/cert/strongswan.pem
leftauth=pubkey
leftsendcert=yes
leftid=six.tugriceri.com
right=%any
rightid=%any
rightsourceip=10.0.5.0/24
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add

root@six #cat ipsec.secrets

# strongSwan IPsec secrets file
# This file names the gateway's private key and holds user passwords in clear
# text: keep it, and /cert/strongswan.key, owned by root and unreadable to
# other users.
# Private key of the gateway certificate, listed without an ID selector.
: RSA /cert/strongswan.key
# The same key file again, bound to the ID six.tugriceri.com.
# NOTE(review): looks redundant with the line above - confirm one entry is enough.
six.tugriceri.com : RSA /cert/strongswan.key
# One line per VPN user: "<user name> : EAP <password>", checked during the
# EAP-MSCHAPv2 login. "secretpass" is presumably a sample value; use a long,
# random, per-user password.
testuser : EAP "secretpass"

root@six #cat openssl-req.cfg

# Configuration for "openssl req": builds the certificate request (CSR) for
# the VPN gateway.
[req]
# Extensions listed in [ v3_req ] are written into the CSR.
req_extensions = v3_req
distinguished_name = req_distinguished_name
# prompt = no: the values in the DN section are used as given, nothing is asked.
prompt = no

[ v3_req ]

# Extensions to add to a certificate request

# keyUsage is commented out, so the request carries no key usage restriction.
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Names and address the gateway certificate is valid for. The ID configured as
# leftid in ipsec.conf (six.tugriceri.com) has to be one of these entries.
subjectAltName = "DNS:six.tugriceri.com,DNS:www.tugriceri.com,IP:209.208.63.204,DNS:tugriceri.com"
# Alternative form that would read the names from [alt_names]; it is disabled,
# so the [alt_names] section below is currently not used.
#subjectAltName = @alt_names

[alt_names]
DNS.1 = six.tugriceri.com
DNS.2 = www.tugriceri.com

# Subject distinguished name of the request.
[ req_distinguished_name ]
CN = six.tugriceri.com
# GN is the givenName attribute.
# NOTE(review): unusual in a server certificate - confirm it is wanted.
GN = six.tugriceri.com
OU = Tugriceri.com
O = Tugriceri.com
L = Istanbul
ST = Istanbul
C = TR
emailAddress = root@tugriceri.com
# NOTE(review): this line sits in the DN section, not in an extension section;
# the subjectAltName extension shown in the issued certificate comes from
# [ v3_req ] above. TODO confirm whether this entry is needed at all.
subjectAltName = six.tugriceri.com

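subjectAltName is an important point of the configuration. Your certificate must have it: the server name (or IP address) that the client connects to, and the leftid set in ipsec.conf, are checked against the subjectAltName entries of the server certificate.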

root@six #cat certyarat.sh

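# Re-issue the gateway certificate: build a CSR from the existing private key
# (strongswan.key) using openssl-req.cfg, then have the local CA sign it.
# Reads:  strongswan.key, openssl-req.cfg, ca.conf (current directory)
# Writes: strongswan.req, strongswan.pem (current directory)

# Stop at the first failing step instead of carrying on after an error.
set -eu

rm -f strongswan.req
openssl req -new -out strongswan.req -key strongswan.key -config openssl-req.cfg

# -batch makes "openssl ca" sign without asking for confirmation, so the
# request is never shown for review. That is reasonable only because the CSR
# was generated by the command just above; do not feed foreign requests
# through this script.
# The certificate is written under a temporary name and moved into place on
# success, so a failed run leaves the currently installed strongswan.pem intact.
rm -f strongswan.pem.new
openssl ca -batch -notext -in strongswan.req -out strongswan.pem.new -config ca.conf
mv -f strongswan.pem.new strongswan.pem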

root@six #cat showcert

# Print the issued certificate as readable text without the PEM block, to
# check that the "X509v3 Subject Alternative Name" extension is present.
openssl x509 -noout -text -in strongswan.pem
Command Output :
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:six.tugriceri.com, DNS:www.tugriceri.com, IP Address:209.208.63.204, DNS:tugriceri.com

root@six #cat ca.conf

# Excerpt of the CA configuration passed to "openssl ca -config ca.conf";
# the author left out the remaining lines.
[ ca ]
default_ca = tugricerica
[ tugricerica ]
# copy: extensions present in the request (here the subjectAltName) are copied
# into the issued certificate unless the CA configuration already sets them.
# Caution: this applies to every extension the requester put into the CSR, not
# only subjectAltName. Sign only requests you created yourself or have
# inspected, in particular when signing runs non-interactively (-batch).
copy_extensions = copy
#Removed lines

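copy_extensions must be set in your ca.conf. Without it, openssl ca does not copy the subjectAltName from the request into the issued certificate.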
