Apr 13 2014

First of all, a BIG thank you to my friend Luca Ferrarotti who inspired, actively contributed to and helped me with this HowTo.

Then, something I have wanted to write for a very long time. Other articles in this blog explain how to use OS X or iOS to build a native client-to-site IPSec VPN terminated on a McAfee (formerly Stonesoft) Next Generation Firewall. Since I joined Stonesoft many years ago, many people have asked me, Support and my SE colleagues how to build this configuration from Linux… here you are. Your voice has been heard!

I wrote this article using McAfee Next Generation Firewall version 5.5.6 and McAfee Security Management Center 5.7.0, while on the client side I am on Ubuntu 12.04.4 LTS.

Let’s start from the client side by installing a free (for Linux) IPSec VPN client: Shrew Soft. Because no standard Ubuntu package seems to exist at the time of this writing, let’s compile it.

  • download the package from the web with the command: wget https://www.shrew.net/download/ike/ike-2.2.1-release.tgz
  • extract the package into a directory of your choice. I’ll just use “ike”. Type the command:
    sudo tar xzvf ike-2.2.1-release.tgz ; cd ike
  • to compile this package successfully, make sure the required components are installed on the system: checkinstall, cmake, libedit, libssl-dev and qt4. Install them with the command:
    apt-get install cmake libqt4-core libqt4-dev libqt4-gui libedit-dev libssl-dev checkinstall
    if some of them are already present, this command installs only the missing ones
  • configure the build (the actual compilation happens in the checkinstall step below) using the command:
    cmake -DCMAKE_INSTALL_PREFIX=/usr -DQTGUI=YES -DETCDIR=/etc -DNATT=YES
    The output should be similar to the following:

    -- The C compiler identification is GNU
    -- The CXX compiler identification is GNU
    -- Check for working C compiler: /usr/bin/gcc
    -- Check for working C compiler: /usr/bin/gcc -- works
    -- Detecting C compiler ABI info
    -- Detecting C compiler ABI info - done
    -- Check for working CXX compiler: /usr/bin/c++
    -- Check for working CXX compiler: /usr/bin/c++ -- works
    -- Detecting CXX compiler ABI info
    -- Detecting CXX compiler ABI info - done
    -- Using install prefix /usr ...
    -- Using etc install path /etc ...
    -- Using bin install path /usr/bin ...
    -- Using sbin install path /usr/sbin ...
    -- Using lib install path /usr/lib ...
    -- Using man install path /usr/local/man ...
    -- Looking for crypt in crypt
    -- Looking for crypt in crypt - found
    -- Looking for include files CMAKE_HAVE_PTHREAD_H
    -- Looking for include files CMAKE_HAVE_PTHREAD_H - found
    -- Looking for pthread_create in pthreads
    -- Looking for pthread_create in pthreads - not found
    -- Looking for pthread_create in pthread
    -- Looking for pthread_create in pthread - found
    -- Found Threads: TRUE 
    -- Using library -lpthread
    -- Looking for pthread_mutex_timedlock in -lpthread
    -- Looking for pthread_mutex_timedlock in -lpthread - found
    -- Using binary /usr/bin/flex ...
    -- Using binary /usr/bin/bison ...
    -- Performing Test NATT_FOUND
    -- Performing Test NATT_FOUND - Success
    -- Enabled NAT Traversal support ...
    -- Looking for Q_WS_X11
    -- Looking for Q_WS_X11 - found
    -- Looking for Q_WS_WIN
    -- Looking for Q_WS_WIN - not found.
    -- Looking for Q_WS_QWS
    -- Looking for Q_WS_QWS - not found.
    -- Looking for Q_WS_MAC
    -- Looking for Q_WS_MAC - not found.
    -- Found Qt4: /usr/bin/qmake (found version "4.8.1")
    -- Enabled Client QT GUI support ...
    -- Configuring done
    -- Generating done
    -- Build files have been written to: /root/Desktop/ike
  • use checkinstall to build and install the application. Checkinstall is a special command that installs the application while keeping track of the installed files. As part of the process it also creates a .deb package. Use the command:
    sudo checkinstall -y
    It produces extensive output and concludes with a meaningful:

    **********************************************************************
    Done. The new package has been installed and saved to
    /root/Desktop/ike/ike_20140401-1_i386.deb
    You can remove it from your system anytime using:
    dpkg -r ike
    **********************************************************************
  • create a valid config file starting from the sample one with the command: sudo cp /etc/iked.conf.sample /etc/iked.conf
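The steps above, collected into one script as an added example (this is not code from the original post or from Shrew Soft). It adds two things a practitioner would want when building a VPN client from a downloaded tarball: the archive is checked against a SHA-256 digest before anything is compiled, and only the package installation runs with root privileges; downloading, extracting and configuring happen as the normal user in a temporary directory. The URL, version and package list come from the post; the expected digest is a placeholder to be replaced with the value published by the vendor, and the IKE_BUILD_RUN guard is my own convention so the functions can be sourced without starting a build.

```shell
#!/bin/sh
# Added example: the post's Shrew Soft build procedure with download verification
# and a root-only install step. Not part of the original post.
set -eu

IKE_URL="https://www.shrew.net/download/ike/ike-2.2.1-release.tgz"
# Placeholder, not a real value: fill in the SHA-256 published for the tarball.
IKE_SHA256="${IKE_SHA256:-REPLACE_WITH_SHA256_FROM_SHREW_NET}"
BUILD_DEPS="cmake libqt4-core libqt4-dev libqt4-gui libedit-dev libssl-dev checkinstall"

# sha256_of FILE: print the hex digest, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball FILE EXPECTED: succeed only if the file's digest equals EXPECTED.
verify_tarball() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# cmake_args: the configure flags from the post, plus an explicit source directory.
cmake_args() {
    printf '%s' "-DCMAKE_INSTALL_PREFIX=/usr -DQTGUI=YES -DETCDIR=/etc -DNATT=YES ."
}

# build_and_install: run the whole procedure; sudo is used only where root is needed.
build_and_install() {
    workdir=$(mktemp -d)
    cd "$workdir"
    wget -q "$IKE_URL" -O ike.tgz
    if ! verify_tarball ike.tgz "$IKE_SHA256"; then
        echo "checksum mismatch for ike.tgz, refusing to build" >&2
        return 1
    fi
    tar xzf ike.tgz                      # extraction needs no root privileges
    cd ike
    sudo apt-get install -y $BUILD_DEPS  # package installation needs root
    cmake $(cmake_args)                  # configure as the normal user
    sudo checkinstall -y                 # build, install and record a .deb
    [ -f /etc/iked.conf ] || sudo cp /etc/iked.conf.sample /etc/iked.conf
}

# Run the build only when asked to, so the functions above can be sourced and tested.
if [ "${IKE_BUILD_RUN:-0}" = "1" ]; then
    build_and_install
fi
```

Run it with IKE_SHA256 set to the vendor's digest and IKE_BUILD_RUN=1; a wrong or missing digest stops the script before any compilation, which is the point of verifying the download rather than piping an arbitrary tarball into a root-run install.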

Congratulations, you’re ready to start the most exciting part: configuration and test 🙂

Let’s launch the IPSec daemon with the command: sudo iked

This will produce an output like the one reported below:

root@testbox:~/Desktop/ike# sudo iked
ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.2.1
## : Copyright 2013 Shrew Soft Inc.
## : This product linked OpenSSL 1.0.1 14 Mar 2012

We can now access the graphical interface using the command: qikea

The following window appears:

[Screenshot: Qikea main window]

Click on Add  and fill the screens as shown below:

[Screenshot: IP Address]

[Screenshot: Client]

[Screenshot: Name Resolution]

The Authentication tab is left almost entirely at its defaults, except for the Credentials sub-tab, where you have to load the public certificate of the CA that issued your VPN gateway’s certificate:

[Screenshots: Local Identity, Remote Identity and Credentials sub-tabs]

For additional details about how to create CA and optionally client digital certificates, please refer to my post about this.

The settings for Phase I and Phase II should match what is configured in your VPN gateway:

[Screenshots: Phase I and Phase II tabs]

In the last tab you specify the IP address range to be protected by the tunnel. Again, this setting must match what is configured on the VPN gateway.

[Screenshot: Policy tab]

That’s pretty much it.

For the gateway-side configuration, and if you want to implement strong authentication based on SecurePASS, please refer to my previous post about this.

Enjoy, and don’t forget to share the love using comments 🙂


  4 Responses to “IPSec VPN from Ubuntu Linux to McAfee Next Generation Firewall”

  1. Hi,

    first of all I want to thank you for your post, it’s really interesting. I’m trying to configure an IPSec VPN from Ubuntu following the steps you provided, but a problem appears when I try to configure authentication with “Hybrid PSK+XAuth”: I don’t know what I should type in “Local Identity” and an error message appears. I’m trying to configure this authentication method because for my user I only have a PSK and user+password.

    The message that appears is a very recurrent one: “detached from key daemon”. Could you please tell me if there is a configuration tested by you for “Hybrid PSK+XAuth” authentication?

    Best regards,

  2. Hello!
    The overall rule of thumb when configuring IPSec, both client-to-site and site-to-site, is to match what is defined on both sides of the VPN.
    Local Identity is about how the client should identify itself to the VPN Gateway it is connecting to.
    Although I have not tested specifically the PSK+XAuth configuration, I do not see any particular difficulty in it. The conf name should derive from PreSharedKey and eXtended Authentication, which means that you need to ensure that a pre-shared key is defined also on the gateway side.
    The authentication part should just proceed as in my example.
    Hope the above helps… what gateway are you trying to connect to?

  3. Thank you for your reply! The gateway that we have is a Stonegate 1040/1060 with the 5.4 engine.

    Regards,

  4. Could you try it? Thank you for your comments,

    Regards,
