
[gentoo-user] (Free|Open|Strong)Swan and Gentoo as a client


Daniel Quinn

Feb 19, 2016, 10:00:05 AM2/19/16

Hello all, I’ve been asked to connect my Gentoo box to a StrongSwan VPN and was offered a .mobileconfig file as means to connect. Unfortunately, this appears to be a special-Apple-only-format and I can’t make heads or tails of the contents. I understand that the server is Ubuntu running StrongSwan using a shared secret, but that’s all I know at this point, so my questions are:

  • Can I use NetworkManager (and as I understand it, LibreSwan) to connect?
    • If so, how do I translate the fields in the .mobileconfig to gateway, group name, user password, group password, user name, phase 1 algorithms, phase 2 algorithms, and domain? (The fields presented in GNOME’s NetworkManager dialogue for an OpenSwan VPN).
  • If I can’t (or shouldn’t?) use NetworkManager, what’s the right way to handle this? Is there a utility for handling .mobileconfig files in Linux?

Mick

Feb 19, 2016, 10:40:03 AM2/19/16
On Friday 19 Feb 2016 14:51:40 Daniel Quinn wrote:
> Hello all, I’ve been asked to connect my Gentoo box to a StrongSwan VPN
> and was offered a .mobileconfig file as means to connect. Unfortunately,
> this appears to be a special-Apple-only-format and I can’t make heads or
> tails of the contents.

As I understand it this is a file in XML format to pass on to the apple client
(iPhone and the like) the configuration parameters for the VPN connection.


> I understand that the server is Ubuntu running
> StrongSwan using a shared secret, but that’s all I know at this point,
> so my questions are:
>
> * Can I use NetworkManager (and as I understand it, LibreSwan) to
> connect?
> o If so, how do I translate the fields in the .mobileconfig to
> gateway, group name, user password, group password, user name,
> phase 1 algorithms, phase 2 algorithms, and domain? (The fields
> presented in GNOME’s NetworkManager dialogue for an OpenSwan VPN).

Have you tried using strongswan instead? It has a plugin for networkmanager,
so I guess the configuration file will translate to what you see in the NM
GUI.

I do not have access to a .mobileconfig file to know what it looks like, but
if you can obfuscate anything private and share the rest I can try to guess
how it corresponds to the strongswan configuration file.


> * If I can’t (or shouldn’t?) use NetworkManager, what’s the right way
> to handle this? Is there a utility for handling .mobileconfig files
> in Linux?

I don't know of a utility that can parse the .mobileconfig file, other than
trying it in an iPhone to see what settings it applies. However, once you
find out what these settings are you can enter them in the strongswan
configuration file and NM ought to just use them.

--
Regards,
Mick

Mick

Feb 19, 2016, 11:10:04 AM2/19/16
I found this reference for IKEv2, IKEv1 would be similar:

https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile


--
Regards,
Mick

Daniel Quinn

Feb 19, 2016, 11:30:04 AM2/19/16

The problem is that the names of the fields on iThings are different from the fields I see in NetworkManager, so I don’t know what correlates to what.

I have just uninstalled libreswan and installed strongswan, but I can’t find evidence of a networkmanager plugin for strongswan in Portage. eix strongswan only returns one record: net-misc/strongswan, which is installed. Can I use it without NetworkManager while using NetworkManager for basic connectivity?

Here’s the .mobileconfig file, with the juicy-bits redacted:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Read more: https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile -->
<plist version="1.0">
    <dict>
        <!-- Set the name to whatever you like, it is used in the profile list on the device -->
        <key>PayloadDisplayName</key>
        <string>My IKEv2 VPN Profile</string>
        <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
        <key>PayloadIdentifier</key>
        <string>REDACTED</string>
        <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
        <key>PayloadUUID</key>
        <string>REDACTED</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadContent</key>
        <array>
            <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names -->
            <dict>
                <!-- This is an extension of the identifier given above -->
                <key>PayloadIdentifier</key>
                <string>REDACTED</string>
                <!-- A globally unique identifier for this payload -->
                <key>PayloadUUID</key>
                <string>REDACTED</string>
                <key>PayloadType</key>
                <string>com.apple.vpn.managed</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <!-- This is the name of the VPN connection as seen in the VPN application later -->
                <key>UserDefinedName</key>
                <string>My IKEv2 VPN</string>
                <key>VPNType</key>
                <string>IKEv2</string>
                <key>IKEv2</key>
                <dict>
                    <!-- Hostname or IP address of the VPN server -->
                    <key>RemoteAddress</key>
                    <string>REDACTED</string>
                    <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
                     IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
                    <key>RemoteIdentifier</key>
                    <string>REDACTED</string>
                    <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
                    <key>LocalIdentifier</key>
                    <string></string>
                    <!--
                    OnDemand references:
                    http://www.v2ex.com/t/137653
                    https://developer.apple.com/library/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

                    Continue reading:
                    https://github.com/iphoting/ovpnmcgen.rb
                    -->
                    <key>OnDemandEnabled</key>
                    <integer>1</integer>
                    <key>OnDemandRules</key>
                    <array>
                        <dict>
                            <key>Action</key>
                            <string>Connect</string>
                        </dict>
                    </array>
                    <!-- The server is authenticated using a certificate -->
                    <key>AuthenticationMethod</key>
                    <string>SharedSecret</string>
                    <key>SharedSecret</key>
                    <string>REDACTED</string>
                    <!-- Turn off EAP -->
                    <key>ExtendedAuthEnabled</key>
                    <integer>0</integer>
                    <!-- AuthName key is required to dismiss the Enter Username screen on iOS 9, even if ExtendedAuthEnabled is false -->
                    <key>AuthName</key>
                    <string></string>
                    <!-- AuthPassword key is required to dismiss the Enter Password screen on iOS 9, even if ExtendedAuthEnabled is false -->
                    <key>AuthPassword</key>
                    <string></string>
                </dict>
            </dict>
        </array>
    </dict>
</plist>

Mick

Feb 19, 2016, 1:00:05 PM2/19/16
On Friday 19 Feb 2016 16:23:22 Daniel Quinn wrote:
> The problem is that the names of the fields on iThings are different
> from the fields I see in NetworkManager, so I don’t know what correlates
> to what.
>
> I have just uninstalled libreswan and installed strongswan, but I can’t
> find evidence of a networkmanager plugin for strongswan in Portage. |eix
> strongswan| only returns one record: |net-misc/strongswan|, which is
> installed. Can I use it without NetworkManager while using
> NetworkManager for basic connectivity?

I don't know for sure because I don't use NM. The strongswan plugin is called
... "networkmanager" and you install this with the flag USE="networkmanager",
which I assume is already set in your system.


> Here’s the .mobileconfig file, with the juicy-bits redacted:
> |<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC
>
> "-//Apple//DTD PLIST 1.0//EN"
> "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <!-- Read more:
> https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
> --> <plist version="1.0"> <dict> <!-- Set the name to whatever you like,
> it is used in the profile list on the device -->
> <key>PayloadDisplayName</key> <string>My IKEv2 VPN Profile</string>

"My IKEv2 VPN Profile"

is used as the name of these VPN settings. In strongswan's /etc/ipsec.conf
you would set it as:

conn "My IKEv2 VPN Profile"


> <!--
> This is a reverse-DNS style unique identifier used to detect duplicate
> profiles --> <key>PayloadIdentifier</key> <string>REDACTED</string>

This would be the domain name of the server, or relevant domain name which
will be queried on a reverse-DNS resolution to match the remote IP address to
domain name. Not sure if this is needed by strongswan.


> <!--
> A globally unique identifier, use uuidgen on Linux/Mac OS X to generate
> it --> <key>PayloadUUID</key> <string>REDACTED</string>
> <key>PayloadType</key> <string>Configuration</string>
> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadContent</key>
> <array> <!-- It is possible to add multiple VPN payloads with different
> identifiers/UUIDs and names --> <dict> <!-- This is an extension of the
> identifier given above --> <key>PayloadIdentifier</key>
> <string>REDACTED</string> <!-- A globally unique identifier for this
> payload --> <key>PayloadUUID</key> <string>REDACTED</string>
> <key>PayloadType</key> <string>com.apple.vpn.managed</string>
> <key>PayloadVersion</key> <integer>1</integer> <!-- This is the name of
> the VPN connection as seen in the VPN application later -->
> <key>UserDefinedName</key> <string>My IKEv2 VPN</string>
> <key>VPNType</key> <string>IKEv2</string> <key>IKEv2</key>

This tells you that you should configure IKEv2 in strongswan/NM. IKEv2 is the
default, or you can set:

keyexchange=ike ##will initiate a connection as IKEv2 but will accept both
IKEv1 and IKEv2 as a response. If you only want IKEv2 use:

keyexchange=ikev2


> <dict> <!--
> Hostname or IP address of the VPN server --> <key>RemoteAddress</key>
> <string>REDACTED</string>

The above is the IP address of the Ubuntu VPN gateway. In strongswan terms
you would set it as:

right=123.456.78.9 ##Replace the digits with the Ubuntu public IP address


> <!-- Remote identity, can be a FQDN, a
> userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be
> empty. IMPORTANT: DNs are currently not handled correctly, they are
> always sent as identities of type FQDN --> <key>RemoteIdentifier</key>
> <string>REDACTED</string>

FQDN used as the VPN gateway identifier. In strongswan:

rightid=REDACTED ##use here the RemoteIdentifier above.


> <!-- Local IKE identity, same restrictions as
> above. If it is empty the client's IP address will be used -->
> <key>LocalIdentifier</key> <string></string> <!-- OnDemand references:
> http://www.v2ex.com/t/137653

If there is no LocalIdentifier provided in the .mobileconfig, then it will use
the IP address of the client. Set it as:

left=%defaultroute


> https://developer.apple.com/library/mac/featuredarticles/iPhoneConfiguration
> ProfileRef/Introduction/Introduction.html Continue reading:
> https://github.com/iphoting/ovpnmcgen.rb -->
> <key>OnDemandEnabled</key> <integer>1</integer> <key>OnDemandRules</key>
> <array> <dict> <key>Action</key> <string>Connect</string> </dict>
> </array> <!-- The server is authenticated using a certificate -->
> <key>AuthenticationMethod</key> <string>SharedSecret</string>
> <key>SharedSecret</key> <string>REDACTED</string>

authby=psk

The value of the secret passphrase you will need to add in /etc/ipsec.secrets:

<your_client_ID_goes_here> 123.456.78.9 : PSK "xY9LLZvwj4qCC2o/gGrWD"


> <!-- Turn off EAP -->
> <key>ExtendedAuthEnabled</key> <integer>0</integer> <!-- AuthName key is
> required to dismiss the Enter Username screen on iOS 9, even if
> ExtendedAuthEnabled is false --> <key>AuthName</key> <string></string>
> <!-- AuthPassword key is required to dismiss the Enter Password screen
> on iOS 9, even if ExtendedAuthEnabled is false -->
> <key>AuthPassword</key> <string></string> </dict> </dict> </array>
> </dict> </plist> |

I can't tell from the above if the server has XAUTH configured. If it does
then you need to add this in your /etc/ipsec.secrets file:

Daniel : XAUTH "Daniel's account passwd"

I also can't see above any ciphers set by the server, so I guess all that have
been compiled in the client's OS kernel will be tried out in turn.

The strongswan documentation and ipsec.conf man page have the rest you will
need to configure your client. Keep an eye on the logs for errors so that you
can find out what settings you should experiment with and if you got the
syntax correct.

--
Regards,
Mick
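As an added example (not from the thread, and not strongswan's own tooling), the mapping Mick walks through above can be automated: the script below parses a profile with the same layout as the .mobileconfig Daniel posted and emits the ipsec.conf `conn` block and the ipsec.secrets line. The hostname and PSK in the embedded sample are constructed placeholders, and the `%any` local selector and `%defaultroute` are assumptions taken from Mick's suggestions.

```python
import plistlib

# Constructed sample profile (not Daniel's real file): same layout as the
# posted .mobileconfig with placeholders where values were redacted.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>UserDefinedName</key><string>My IKEv2 VPN</string>
  <key>VPNType</key><string>IKEv2</string>
  <key>IKEv2</key><dict>
    <key>RemoteAddress</key><string>vpn.example.invalid</string>
    <key>RemoteIdentifier</key><string>vpn.example.invalid</string>
    <key>LocalIdentifier</key><string></string>
    <key>AuthenticationMethod</key><string>SharedSecret</string>
    <key>SharedSecret</key><string>PLACEHOLDER-PSK</string>
    <key>ExtendedAuthEnabled</key><integer>0</integer>
  </dict>
</dict></array></dict></plist>"""


def vpn_payloads(profile_bytes):
    """Return the com.apple.vpn.managed payloads found in a .mobileconfig."""
    top = plistlib.loads(profile_bytes)
    return [p for p in top.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]


def to_strongswan(payload):
    """Map one IKEv2 shared-secret payload onto ipsec.conf / ipsec.secrets."""
    if payload.get("VPNType") != "IKEv2":
        raise ValueError("only IKEv2 payloads are handled here")
    ike = payload["IKEv2"]
    if ike.get("AuthenticationMethod") != "SharedSecret":
        raise ValueError("only SharedSecret profiles are handled here")
    conn = {"keyexchange": "ikev2", "left": "%defaultroute",
            "right": ike["RemoteAddress"], "rightid": ike["RemoteIdentifier"],
            "authby": "psk"}
    # Empty LocalIdentifier: the client's own IP is used, so no leftid.
    if ike.get("LocalIdentifier"):
        conn["leftid"] = ike["LocalIdentifier"]
    block = 'conn "%s"\n' % payload["UserDefinedName"]
    block += "\n".join("    %s=%s" % kv for kv in conn.items())
    # ipsec.secrets selector line: <local id> <remote id> : PSK "secret"
    secret = '%%any %s : PSK "%s"' % (ike["RemoteIdentifier"], ike["SharedSecret"])
    # ExtendedAuthEnabled=1 would mean a second, per-user credential is needed.
    return {"conn": conn, "ipsec_conf": block, "ipsec_secrets": secret,
            "needs_user_auth": bool(ike.get("ExtendedAuthEnabled", 0))}
```

Run it on a real profile with `vpn_payloads(open("profile.mobileconfig", "rb").read())`; the secrets line contains the PSK, so write it only to a root-owned ipsec.secrets.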