====== Openswan and Nokia Mobile VPN ======
This article adds some findings and cleanups to the [[nokia:vpn | previous VPN article]].
===== Bugs, or at least what I think are bugs =====
* The NAT patch is still required for the latest firmware/mobile client. NAT-T according to RFC 3947 is not [[errror_nat|working properly]].
* Tested with an E71 and Openswan 2.4.12, both sides behind NAT.
* IKE SA rekeying does not seem to work, no matter who initiates it.
* IPSec SA rekeying seems to work when the mobile initiates it while the IPSec SA is still valid at Openswan. If the IPSec SA has already expired there, the connection won't recover after the lifetime expires.
* The soft_lifetime* settings seem to be ignored.
====== Mobile configuration ======
I tried to simplify and clean up the config. I've also imported and exported the configuration file with the Nokia Policy Manager.
<code>
SECURITY_FILE_VERSION: 1
[INFO]
ipsec-demeter
[POLICY]
sa ipsec_1 = {
    esp
    encrypt_alg 12
    max_encrypt_bits 256
    auth_alg 3
    identity_remote 0.0.0.0/0
    src_specific
    hard_lifetime_bytes 0
    hard_lifetime_addtime 28800
    hard_lifetime_usetime 28800
    soft_lifetime_bytes 0
    soft_lifetime_addtime 28800
    soft_lifetime_usetime 28800
    replay_win_len 0
    pfs
}
remote 0.0.0.0 0.0.0.0 = { ipsec_1(91.143.80.246) }
inbound = { }
outbound = { }
[IKE]
ADDR: 91.143.80.246 255.255.255.255
IKE_VERSION:
MODE: MAIN
SEND_NOTIFICATION: TRUE
ID_TYPE: 9
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: FALSE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: FALSE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
DPD_HEARTBEAT: 60
OWN_CERT_TYPE: DEVICE
PROPOSALS: 1
    ENC_ALG: AES256-CBC
    AUTH_METHOD: RSA_SIGNATURES
    HASH_ALG: SHA1
    GROUP_DESCRIPTION: MODP_1536
    GROUP_TYPE: DEFAULT
    LIFETIME_KBYTES: 0
    LIFETIME_SECONDS: 86400
    PRF: NONE
CAs: 1
    FORMAT: BIN
    DATA: ca.cer
OWN_CERTS:
    FORMAT: BIN
    DATA: user-1.cer
    PRIVATE_KEY_FORMAT: BIN
    PRIVATE_KEY_DATA: user-1.key
</code>
Changes:
* removed: FQDN, it is unnecessary.
* changed: REPLAY_STATUS to FALSE. Openswan ignores this message.
* changed: USE_XAUTH to FALSE. It's not necessary anymore and doesn't add much security anyway.
* added: DPD_HEARTBEAT: 60, maybe helpful to detect broken connections. I don't know yet if it's useful.
* added: OWN_CERT_TYPE: DEVICE. No passphrase is necessary to access the private key. That's quite risky, so you should use the phone password. But I prefer a connection without user interaction.
* changed: LIFETIME_SECONDS: 86400, set to the maximum, since I assume rekeying doesn't work anyway. 24h should be enough for mobile clients.
* changed: hard_lifetime_*time 28800 and soft_lifetime_*time 28800. Because there is a small interruption during rekeying, I've increased this value to 8h.
The rest is pretty much unchanged. **For an upgrade I propose to remove all old certificates and VPN policies, restart the phone, install the new policy and restart the phone again.** I've seen several strange issues until I restarted the phone.
====== Openswan ======
Global config:
<code>
version 2.0
config setup
    nat_traversal=yes
    nhelpers=0
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
#Include all roadwarriors
include /etc/ipsec.d/clients/rw/*.conf
#Options common to all warriors.
include /etc/ipsec.d/clients/rw-default.conf
</code>
default:
<code>
conn rw-default
    authby=rsasig
    rekey=no
    ikelifetime=86400s
    keylife=86400s
    left=10.0.0.8
    leftsubnet=0.0.0.0/0
    leftmodecfgserver=yes
    right=%any
    rightmodecfgclient=yes
    modecfgpull=yes
    type=tunnel
    leftcert=ipsec-gw.cert
    rightrsasigkey=%cert
    rightca=%same
    auto=add
    dpddelay=300
    dpdtimeout=120
    dpdaction=clear
</code>
roadwarrior:
<code>
conn e71-demeter
    rightsourceip=
    rightsubnet=/32
    rightid=""
    also=rw-default
</code>
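Because rekeying only works in the one direction described in the bug list, the lifetimes on the phone and on Openswan have to fit together. The following script is an added example, not part of this page, of Openswan or of the Nokia client: it parses constructed excerpts of the two configs above (values copied from them) with simplified, assumed regexes for both formats and checks that the phone's IPsec hard lifetime stays below Openswan's keylife, that the IKE lifetimes match, and that rekey=no is set.

```python
import re

# Constructed excerpts of the two config files on this page (values copied from them).
NOKIA_POLICY = """[POLICY]
sa ipsec_1 = {
hard_lifetime_addtime 28800
hard_lifetime_usetime 28800
}
[IKE]
LIFETIME_SECONDS: 86400
"""
OPENSWAN_CONF = """conn rw-default
    rekey=no
    ikelifetime=86400s
    keylife=86400s
"""

def parse_nokia_policy(text):
    """Return {'sa': {...}, 'ike': {...}} from a Nokia policy file; numbers become ints."""
    out, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # [POLICY] / [IKE] header
            section = line[1:-1]
        elif section:
            m = re.match(r"(\w+):?\s+(\S+)$", line)        # "key value" or "KEY: value"
            if m:
                k, v = m.groups()
                out.setdefault(section, {})[k] = int(v) if v.isdigit() else v
    return {"sa": out.get("POLICY", {}), "ike": out.get("IKE", {})}

def parse_openswan_conn(text):
    """Return the key=value parameters of an ipsec.conf conn block; '86400s' -> 86400."""
    return {k: int(v[:-1]) if re.fullmatch(r"\d+s", v) else v
            for k, v in re.findall(r"^\s+(\w+)=(\S+)$", text, re.M)}

def check_lifetimes(policy, conn):
    """Return a list of problems; an empty list means the two sides are consistent."""
    problems = []
    # The phone must rekey the IPsec SA while Openswan's SA is still valid (bug list above).
    for key in ("hard_lifetime_addtime", "hard_lifetime_usetime"):
        if policy["sa"].get(key, 0) >= conn.get("keylife", 0):
            problems.append(f"{key} must be shorter than keylife")
    # IKE SA rekeying fails whoever starts it: keep one IKE lifetime and rekey=no.
    if policy["ike"].get("LIFETIME_SECONDS") != conn.get("ikelifetime"):
        problems.append("LIFETIME_SECONDS differs from ikelifetime")
    if conn.get("rekey") != "no":
        problems.append("rekey=no expected")
    return problems
```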