====== 04 Strongswan IKEv2 EAP ======

StrongswanでIKEv2 EAP 認証でWindowsから接続してみる。

===== Strongswanサーバ側 =====

==== 1.EAP認証には証明書が必須 ====

証明書自体は、こちらなどで用意[[06_virtualization:05_container:10_docker_let_s_encrypt]]

シンボリックリンクだけ貼る
<code>
cd /etc/strongswan/ipsec.d
ln -s /app/certs/vpn2.kumolabo.com.crt certs/cert.pem
ln -s /app/certs/vpn2.kumolabo.com.key private/privkey.pem
ln -s /app/certs/vpn2.kumolabo.com.chain.pem cacerts/chain.pem
</code>

==== 2.ipsec.conf ====


<code|ipsec.conf>
conn %default
    type=tunnel
    authby=psk
    keyingtries=3
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
conn IPSec-IKEv2-EAP
    leftsubnet=0.0.0.0/0
    leftid=vpn.hogehoge.com
    left=%any
    leftcert=cert.pem
    leftsendcert=always

    rightid=%any
    right=%any
    rightsourceip=192.168.100.0/24
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
</code>


==== 3.ipsec.secrets ====

下記は、vpnuserを用意した場合。
|ユーザ|vpnuser|
|パスワード|hogehoge|

<code|ipsec.secrets>
: RSA privkey.pem
vpnuser : EAP hogehoge
</code>

==== 4.ポート開ける ====

=== iptables ===

<code>
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
</code>

=== firewalld ===

<code>
firewall-cmd --permanent --zone=public --add-service=ipsec
firewall-cmd --permanent --zone=public --add-port=4500/udp
firewall-cmd --reload
</code>

==== 5.forward ====

  sysctl -w net.ipv4.ip_forward=1



===== Windows側 =====

==== VPN接続作成 ====

{{:01_linux:10_network:2022-03-23_19h10_19.png?400|}}


==== PowerShellでIPsec 設定変更 ====

strongswan側に合わせて設定変更

|認証アルゴリズム|SHA256|
|暗号化アルゴリズム|AES256|
|DHグループ|Group14|

  Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN 接続" -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup NONE -DHGroup Group14 -Force


=== 設定の確認 ===
<code>
> Get-VpnConnection -Name 'VPN'| Select-Object -ExpandProperty IPsecCustomPolicy

AuthenticationTransformConstants : SHA256128
CipherTransformConstants         : AES256
DHGroup                          : Group14
IntegrityCheckMethod             : SHA256
PfsGroup                         : None
EncryptionMethod                 : AES256
</code>

===== Error =====

==== Error1 ====
<code>
Mar 18 21:26:39 vpn-test charon: 05[LIB]   opening '/etc/strongswan/ipsec.d/certs/cert.pem' failed: Permission denied
</code>

=== 対応 ===
  setenforce 0


{{tag>network strongswan}}