
Howto: Use an ER-X as VPN Remote Access Server (IKEv1 + PSK)

Hi,


First of all, I want to say that I am not an expert on strongSwan or Debian. I am not able to help you debug or troubleshoot this configuration. Sorry!

Apple recently removed PPTP support from iOS 10 and macOS Sierra. Article here.

I started looking for a replacement and found a way to use the integrated Cisco IPsec client with an ER-X on version 1.9 as a VPN remote access server, using strongSwan and the charon plugins.

I tested this configuration successfully on iOS 9.3.5, OS X 10.11.6 and Android 6.0.1.

HOWTO


# Configure Internet access on your EdgeMax

I connected the WAN to eth0 and, after enabling HTTPS access, used the WAN+2LAN wizard to configure it.

# Use your preferred terminal and SSH into the router

ssh ubnt@192.168.1.1

Note: 192.168.1.1 is the LAN IP of your EdgeMax router. Change the default password of the ubnt account before going further; the same account becomes root in the next step.

# Become root

ubnt@edgex:~$ sudo su
root@edgex:/home/ubnt#

# Configure the Debian repositories

configure
set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy url http://ftp.debian.org/debian
set system package repository wheezy-updates components 'main contrib non-free'
set system package repository wheezy-updates distribution wheezy-updates
set system package repository wheezy-updates url http://ftp.debian.org/debian
set system package repository wheezy-backports components 'main contrib non-free'
set system package repository wheezy-backports distribution wheezy-backports
set system package repository wheezy-backports url http://ftp.debian.org/debian
commit
save
exit

Notes:
EdgeOS 1.9 on the ER-X is built on Debian wheezy (mips), so only wheezy packages fit. The distribution names for the second and third entries must be wheezy-updates and wheezy-backports; with all three set to wheezy you configure the same repository three times and never see the backports build used below.
Plain http is acceptable here because apt verifies the signed Release files of the repository. Wheezy is end-of-life; if ftp.debian.org no longer serves it, point the url entries at archive.debian.org instead.

# Update the repository cache

apt-get update

# Search for a package to make sure the repositories work

apt-cache search wget

# Install packages

apt-get install wget nano

Note: I use nano to edit files, but you can use vi or your preferred editor.

# Download libcharon-extra-plugins (the wheezy-backports build; it must match the strongSwan version already on the router, check with `ipsec version`)

wget http://ftp.ch.debian.org/debian/pool/main/s/strongswan/libcharon-extra-plugins_5.2.1-6+deb8u2~bpo70+1_mips.deb

# Install the package

dpkg -i libcharon-extra-plugins_5.2.1-6+deb8u2~bpo70+1_mips.deb

Notes:
apt-get install expects a package name, not a file, on the apt shipped with wheezy; use dpkg -i for a downloaded .deb and run apt-get -f install afterwards if it reports missing dependencies.
The download is unauthenticated http and bypasses apt's signature check, so compare the file's SHA-256 with the value published on packages.debian.org before installing it.
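A small helper for the download-and-install step, added here as an example (it is not part of the original post): it fetches the .deb, refuses to install unless the SHA-256 matches a hash you copied from packages.debian.org, and only then hands the file to dpkg. The expected hash is an assumption supplied by the caller; the page does not list it.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies a .deb fetched over
# plain http before installing it with dpkg; apt-get does not verify loose
# .deb files. The expected digest must come from packages.debian.org
# (assumption: the caller looks it up; the tutorial does not give it).

# verify_deb FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise
verify_deb() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# fetch_verify_install URL EXPECTED_SHA256
# Downloads the package, verifies it, installs it, and lets apt resolve
# any dependencies dpkg could not satisfy.
fetch_verify_install() {
    url=$1
    expected=$2
    deb=$(basename "$url")
    wget -q -O "$deb" "$url" || return 1
    if ! verify_deb "$deb" "$expected"; then
        echo "checksum mismatch for $deb, refusing to install" >&2
        rm -f "$deb"
        return 1
    fi
    dpkg -i "$deb" || apt-get -f install -y
}

# Usage on the router, with EXPECTED set to the hash from packages.debian.org:
# fetch_verify_install \
#   http://ftp.ch.debian.org/debian/pool/main/s/strongswan/libcharon-extra-plugins_5.2.1-6+deb8u2~bpo70+1_mips.deb \
#   "$EXPECTED"
```

The check is deliberately a hard stop rather than a warning: a modified package installed as root on the router that terminates the VPN is a full compromise of every client behind it.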

 

# Edit /etc/strongswan.conf to add the DNS servers handed to clients

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf

 

# Edit /etc/ipsec.conf to configure the server parameters

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
    cachecrls=yes
    uniqueids=yes

conn ios
    keyexchange=ikev1
    ike=aes256-sha1;modp1024
    esp=aes256-sha1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2/24
    rightdns=4.2.2.1
    auto=add

Notes:
leftsubnet=0.0.0.0/0 makes this a full tunnel: all client traffic is sent through the router.
rightsourceip=10.0.0.2/24 is the pool clients get their addresses from; the NAT and firewall rules later in this howto must use the same range.
modp1024 (DH group 2) is what the built-in iOS and Android IKEv1 clients commonly propose, but it is considered weak today. List a stronger suite first (for example aes256-sha256-modp2048) and keep modp1024 only as a fallback for clients that cannot do better.
authby=xauthpsk means every user shares one PSK and is then identified by an XAUTH username and password. Anyone who knows the group PSK can impersonate the server to your users, so treat it as a real secret.

 

# Edit /etc/ipsec.secrets to add the PSK and the users

192.168.2.1 %any : PSK "YourSecretkeyHere"

user : XAUTH "password"
ubnt : XAUTH "ubnt"

Notes:
Replace 192.168.2.1 with your own WAN IP address (the address strongSwan answers on). If that address changes, use %any in its place so the PSK line matches regardless of address.
Replace YourSecretkeyHere with your preferred passphrase (keep the quotes). This one key is shared by every VPN user, so make it long and random.
Add users and passwords as you want, following the samples, and remove the ubnt/ubnt sample before going live: it is the router's default login. XAUTH passwords are stored in clear text, so the file must be readable by root only (mode 0600).
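The three strongSwan files of the previous steps, generated by one script: this is an added example, not the post's own configuration. It writes into a target directory so you can dry-run it in a scratch directory and then run it against /etc on the router. Assumptions that are not in the original: the proposal lists put aes256-sha256-modp2048 ahead of the tutorial's aes256-sha1-modp1024 fallback (with strongSwan's `!` strict marker so nothing else is accepted), the user and password are passed in by the caller, and ipsec.secrets is set to mode 0600.

```shell
#!/bin/sh
# Added example, not from the original post: writes strongswan.conf,
# ipsec.conf and ipsec.secrets from the tutorial with a stronger proposal
# list and root-only permissions on the secrets file.
# Assumptions: modp2048 first with modp1024 as fallback, caller supplies
# the XAUTH user, secrets file mode 0600.

# write_strongswan_config DIR WAN_IP PSK XAUTH_USER XAUTH_PASS
write_strongswan_config() {
    dir=$1; wan_ip=$2; psk=$3; xuser=$4; xpass=$5
    mkdir -p "$dir/strongswan.d/charon"

    cat > "$dir/strongswan.conf" <<EOF
charon {
    load_modular = yes
    # DNS servers handed to clients (rightdns in the conn overrides these)
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
EOF

    cat > "$dir/ipsec.conf" <<EOF
config setup
    cachecrls=yes
    uniqueids=yes

conn ios
    keyexchange=ikev1
    # Strongest suite first; the modp1024 suite stays only for clients that
    # cannot negotiate group 14. The trailing ! forbids anything not listed.
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1!
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2/24
    rightdns=4.2.2.1
    auto=add
EOF

    cat > "$dir/ipsec.secrets" <<EOF
# Group PSK keyed on the server address; %any because clients roam.
# Every remote user shares this key.
$wan_ip %any : PSK "$psk"

# One XAUTH line per user. Stored in clear text, hence mode 0600.
$xuser : XAUTH "$xpass"
EOF
    chmod 600 "$dir/ipsec.secrets"
}

# secrets_mode DIR -> octal permission bits of ipsec.secrets (expect 600)
secrets_mode() {
    stat -c '%a' "$1/ipsec.secrets"
}

# Dry run into a scratch directory; on the router use /etc instead:
# write_strongswan_config /etc 203.0.113.10 'long random passphrase' alice 'her-password'
```

After writing to /etc, `ipsec restart` picks the files up and `ipsec statusall` shows the `ios` connection with the proposal list in the order given; if a client only ever negotiates the modp1024 suite, that is the one to remove once the client is updated.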

 

# Edit /etc/sysctl.conf, find this line and remove the # in front of it (the router forwards already, but the VPN clients depend on it, so make sure it stays on)

net.ipv4.ip_forward=1

 

# Validate the change of sysctl.conf

sysctl -p

 

# Edit /etc/rc.local and add the MASQUERADE line at the bottom, before exit 0

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# NAT the VPN client pool (same range as rightsourceip in ipsec.conf) out of the WAN interface
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

exit 0

Notes:

This makes the NAT rule for the IPsec clients persistent across reboots. The source range must cover the rightsourceip pool from ipsec.conf (10.0.0.0/24 here). A wider range such as 10.0.0.0/8 also works but would masquerade any other 10.x network you later route through the box, so keep it to the pool.

eth0 is assumed to be your WAN interface.

A rule added from rc.local is invisible to the EdgeOS configuration, so after any firewall or NAT change committed from the GUI or CLI, check that it is still there with `iptables -t nat -L POSTROUTING -n -v`.

 

# Register the ipsec init script so the service starts at boot

update-rc.d -f ipsec remove

update-rc.d -f ipsec start 41 2 3 4 5 . stop 91 1 . start 34 0 6 .

 

# Reboot before starting the service

reboot

---

 

Done!

After the reboot you are ready to use remote access with an IKEv1+PSK client.

Note: In the client-side configuration, leave the "Group Name" field empty. With no group name the built-in client identifies itself by address and uses IKE Main Mode, which is what the address-keyed PSK line above expects. Setting a group name switches the client to Aggressive Mode, which strongSwan refuses with PSK authentication by default because it sends a hash of the PSK that can be cracked offline.

 

 

# VPN service can be start/stop with ipsec command

ipsec start

ipsec stop

ipsec restart

ipsec status

 

 

# You must set up the firewall to accept the VPN traffic: UDP 500 (IKE), UDP 4500 (NAT-T) and ESP

These are inbound rules for traffic addressed to the router itself, not port forwarding. Based on the second reference article, here are commands you can use to set up the firewall by hand; it is also possible to do it through the GUI or configuration of the ER-X, which is the better choice on EdgeOS because the router regenerates iptables from its own configuration and does not know about rules added by hand.

# Show the current firewall rules
iptables -L -v -n
iptables -t nat -L -n -v

# Flush old rules and custom chains.
# WARNING: on EdgeOS this also removes the WAN_IN/WAN_LOCAL chains the wizard
# built from the configuration. Only do this if you manage the firewall by hand.
/sbin/iptables --flush
/sbin/iptables --flush -t nat
/sbin/iptables --delete-chain

# Set default policies for all three default chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding for the VPN client pool (same range as rightsourceip).
# A strongSwan policy-based tunnel has no tun interface, so no OpenVPN-style
# tun+ rules or UDP 1194 are needed; leftfirewall=yes also adds per-tunnel rules.
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

# Accept limited inbound ICMP messages (rate-limit echo requests)
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --set
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 5 --hitcount 10 -j DROP
/sbin/iptables -A INPUT -p icmp -j ACCEPT

# All TCP sessions should begin with SYN
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0/0 -j DROP

# Accept replies to connections the router opened
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Management (SSH/HTTP/HTTPS) and DNS only from the LAN side, never from the WAN.
# switch0 is the LAN interface the WAN+2LAN wizard creates on the ER-X.
/sbin/iptables -A INPUT -i switch0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -i switch0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -i switch0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -i switch0 -p udp --dport 53 -j ACCEPT

# Decrypted traffic from VPN clients to the router itself (e.g. DNS, management)
/sbin/iptables -A INPUT -s 10.0.0.0/24 -m policy --dir in --pol ipsec -j ACCEPT

# Accept IPsec: IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50).
# AH (protocol 51) is not used by this configuration, so it stays closed.
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT
/sbin/iptables -A INPUT -p esp -j ACCEPT
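The EdgeOS-native equivalent of both the rc.local MASQUERADE line and the hand-written iptables rules above, as an added example that is not part of the original post. Because EdgeOS rebuilds iptables from its own configuration, rules placed in the configuration survive commits and reboots and show up in the GUI, which raw iptables calls do not. Assumptions not in the original: the WAN+2LAN wizard created the WAN_IN and WAN_LOCAL rule sets (with rules 10 and 20), rule numbers 30-33 and NAT rule 5011 are free, and the wizard's own masquerade rule 5010 has been restricted to the LAN (if it still matches any source leaving eth0 it already covers the VPN pool and rule 5011 is redundant). The script uses the `vyatta-cfg-cmd-wrapper` helper that EdgeOS ships for scripting configuration changes.

```shell
#!/bin/sh
# Added example, not from the original post: generate and apply the EdgeOS
# configuration for the IPsec remote access server (firewall acceptance of
# IKE/NAT-T/ESP, acceptance of decrypted client traffic, and masquerade of
# the client pool). Assumptions: WAN_IN/WAN_LOCAL exist from the wizard,
# rule numbers 30-33 and NAT rule 5011 are unused.

# vpn_config_commands WAN_IF POOL -> the EdgeOS set commands, one per line
vpn_config_commands() {
    wan_if=$1
    pool=$2
    cat <<EOF
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 31 description NAT-T
set firewall name WAN_LOCAL rule 31 action accept
set firewall name WAN_LOCAL rule 31 protocol udp
set firewall name WAN_LOCAL rule 31 destination port 4500
set firewall name WAN_LOCAL rule 32 description ESP
set firewall name WAN_LOCAL rule 32 action accept
set firewall name WAN_LOCAL rule 32 protocol esp
set firewall name WAN_LOCAL rule 33 description VPN-to-router
set firewall name WAN_LOCAL rule 33 action accept
set firewall name WAN_LOCAL rule 33 source address $pool
set firewall name WAN_LOCAL rule 33 ipsec match-ipsec
set firewall name WAN_IN rule 30 description VPN-to-LAN
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 source address $pool
set firewall name WAN_IN rule 30 ipsec match-ipsec
set service nat rule 5011 description VPN-masquerade
set service nat rule 5011 outbound-interface $wan_if
set service nat rule 5011 source address $pool
set service nat rule 5011 type masquerade
EOF
}

# apply_vpn_config WAN_IF POOL: push the commands through the EdgeOS config
# wrapper so they are committed and saved exactly like GUI changes.
apply_vpn_config() {
    wrapper=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
    "$wrapper" begin
    vpn_config_commands "$1" "$2" | while read -r line; do
        # word splitting of $line into the wrapper's arguments is intended
        "$wrapper" $line
    done
    "$wrapper" commit
    "$wrapper" save
    "$wrapper" end
}

# Only apply when explicitly asked: sh this-script.sh apply eth0 10.0.0.0/24
# Without "apply" nothing is changed on the router.
if [ "${1:-}" = "apply" ]; then
    apply_vpn_config "${2:-eth0}" "${3:-10.0.0.0/24}"
fi
```

The two `ipsec match-ipsec` rules are what the raw-iptables version gets from `-m policy --pol ipsec`: decrypted packets from clients arrive on eth0 and therefore pass through WAN_IN (towards the LAN) and WAN_LOCAL (towards the router), which would otherwise drop them as unsolicited WAN traffic. Keep the pool argument equal to `rightsourceip` in ipsec.conf.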

 

Reference articles:

https://community.ubnt.com/t5/EdgeMAX-Beta/1-8-0-IKEv2-VPN-Remote-Access-Server/m-p/1360103#M11921

https://trick77.com/strongswan-5-vpn-ubuntu-14-04-lts-psk-xauth

https://www.raspberrypi.org/forums/viewtopic.php?t=101673


That's all. Enjoy!

 

