
Using SIM Authentication for IKEv2 IPsec VPN (Part 2): Certificates and Signatures

Overview

This article documents the setup and creation procedures for the certificates and signatures used in the PoC mentioned in the title.
Note that this article assumes the use of OpenWrt 25.12.2 on a Raspberry Pi 4B and the use of the strongSwan package. Please adjust commands and execution directories accordingly if using different hardware or operating systems.

Preparation: Certificates and Signatures

Since this is a PoC, we will use a private CA and its self-signed certificate, the setup commonly known as a "self-signed certificate." Ideally the CA would live outside the PoC node group, but that is more trouble than it is worth for a PoC. Since we are using strongSwan, we will use its official pki tool to create the keys and certificates.

List of Items to Create

These filenames are not fixed. They are chosen to clarify their roles, so feel free to change them to suit your needs.

  • caKey.pem
    • The private key for the private CA. It is used to self-sign caCert.pem and issue gatewayCert.pem.
    • Since it is not ideal to keep this file on the PoC nodes, you should isolate it on a separate PC or in the cloud once you have finished creating the other files.
  • caCert.pem
    • The public key certificate for the private CA, used in two places:
      • First, placed in /etc/swanctl/x509ca/ of the strongSwan VPN server.
      • Second, used as the source material for creating caCert.cer, which is registered in the Windows 11 certificate store.
  • caCert.cer
    • A file for registration in the Windows 11 certificate store. This is simply caCert.pem converted to DER format. The PEM file could not be registered in the certificate store via the Windows 11 Certificate Manager. Therefore, we use OpenSSL for the conversion (the command is described later).
  • gatewayKey.pem
    • The private key for the VPN server. It is used to create the CSR (gatewayReq.pem) and for the server's own authentication in strongSwan.
    • The file should be placed in /etc/swanctl/private/ on the strongSwan VPN server.
  • gatewayReq.pem
    • The CSR (Certificate Signing Request) used to get the VPN server's public key certificate gatewayCert.pem issued. It has no other use.
  • gatewayCert.pem
    • The public key certificate for the VPN server, used by strongSwan to prove its identity as an IKEv2 server.
    • The file should be placed in /etc/swanctl/x509/ on the strongSwan VPN server.

Creation Procedure

1. Creating Working Directories

As mentioned, we will use the official strongSwan pki tool. Log in to OpenWrt and create two workspaces for file creation. I have named the folders for clarity.

mkdir -p ~/certificates/ca
mkdir -p ~/certificates/gateway
cd ~/certificates

2. Creating the Private CA Private Key

Change the working directory to ~/certificates/ca and create the private CA's private key with the pki command. Any key algorithm that Windows 11 accepts should work; I am using ECDSA P-256 here.

cd ~/certificates/ca
pki --gen --type ecdsa --size 256 --outform pem > caKey.pem

3. Creating the Private CA Public Key Certificate (Self-Signed)

Create the private CA public key certificate in the same directory.
It is self-signed, and I have set the expiration date to about 10 years for now. The distinguished name (DN) is arbitrary, but keep in mind that you will reuse C (Country) and O (Organization) when creating the CSR later.

pki --self --ca --lifetime 3652 \
  --in caKey.pem \
  --dn "C=JP, O=Anonymous PoC, CN=Anonymous PoC Root CA" \
  --outform pem > caCert.pem

4. Creating the VPN Server Private Key

Since we are now creating files for the VPN server, change the working directory to ~/certificates/gateway.
Then, create the private key using the pki command just as we did for the private CA private key.
Again, the ECDSA P-256 key generation algorithm is used.

cd ~/certificates/gateway
pki --gen --type ecdsa --size 256 --outform pem > gatewayKey.pem

5. Creating the VPN Server Public Key Certificate CSR

We will create a CSR from which the certificate will be issued. Note that the CN and --san values set in this pki command become the name that Windows 11 uses as the connection destination.

pki --req --type priv --in gatewayKey.pem \
  --dn "C=JP, O=Anonymous PoC, CN=simauth.vpn.jp" \
  --san simauth.vpn.jp \
  --outform pem > gatewayReq.pem

For this PoC I have arbitrarily chosen simauth.vpn.jp, but Windows will have to resolve this name later when it starts the VPN connection. On OpenWrt, dnsmasq can map the router's own IP address (192.168.50.1 in this PoC environment) to the hostname simauth.vpn.jp.

6. Issuing the VPN Server Public Key Certificate

The last file to create is the server certificate gatewayCert.pem.
The command is quite long and includes options pointing at two private CA files, so adjust the file paths if you changed the working directories or folder names.

cd ~/certificates/gateway
pki --issue \
  --cacert ../ca/caCert.pem \
  --cakey  ../ca/caKey.pem \
  --type pkcs10 \
  --in gatewayReq.pem \
  --serial 01 \
  --lifetime 1825 \
  --dn "C=JP, O=Anonymous PoC, CN=simauth.vpn.jp" \
  --san simauth.vpn.jp \
  --flag serverAuth \
  --flag ikeIntermediate \
  --outform pem > gatewayCert.pem

There are two things to note about the above:
First, enter the same CN and --san you set in the CSR.
Second, according to the official strongSwan page below, --flag serverAuth and --flag ikeIntermediate are required when the peer is Windows.
https://docs.strongswan.org/docs/latest/interop/windowsCertRequirements.html

7. Processing the Private CA Public Key Certificate for Windows

As mentioned in the "List of Items to Create," caCert.pem needs to be registered in the Windows 11 certificate store, but it is not accepted as-is. Therefore we convert it to DER format (caCert.cer) with the following OpenSSL command.
If you have followed the steps in order, your current directory is ~/certificates/gateway, so move to the CA working directory first.

cd ~/certificates/ca
openssl x509 -in caCert.pem -outform DER -out caCert.cer

Afterward, move this file from OpenWrt to your Windows 11 PC using SCP or a similar command.


As a final check, run the following pki commands and verify these three points in their output:

pki --print --in ~/certificates/ca/caCert.pem
pki --print --in ~/certificates/gateway/gatewayCert.pem

  • Check that caCert.pem is a self-signed CA.
  • Check that gatewayCert.pem contains the subjectAltName you set.
  • Check that gatewayCert.pem has serverAuth enabled.
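As an added example that is not part of the article and not strongSwan's own code, the script below recreates the same files with the OpenSSL CLI instead of pki (useful on the separate machine where the CA key is isolated, which may not have strongSwan installed) and turns the three checks above, plus a chain validation, into a function that fails if any check does not hold. It assumes openssl 1.1.1 or newer and standard POSIX tools; the WORK temporary directory and the FQDN default are constructed for the example, while the file names and DN are the article's.

```shell
#!/bin/sh
# Added example, not code from the article or strongSwan: rebuilds the article's
# CA and gateway files with the OpenSSL CLI (handy on the isolated CA machine,
# which may not have the pki tool) and automates the three final checks.
# Assumptions: openssl 1.1.1 or newer; WORK and FQDN are constructed defaults.
set -eu
FQDN="${FQDN:-simauth.vpn.jp}"
WORK="${WORK:-$(mktemp -d)}"
make_chain() {
  mkdir -p "$WORK/ca" "$WORK/gateway"
  # Private CA: ECDSA P-256 key, CSR, and a 10-year self-signed CA certificate
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca/caKey.pem"
  openssl req -new -key "$WORK/ca/caKey.pem" \
    -subj "/C=JP/O=Anonymous PoC/CN=Anonymous PoC Root CA" -out "$WORK/ca/caReq.pem"
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca/ext.cnf"
  openssl x509 -req -in "$WORK/ca/caReq.pem" -signkey "$WORK/ca/caKey.pem" -days 3652 \
    -extfile "$WORK/ca/ext.cnf" -out "$WORK/ca/caCert.pem"
  # VPN server: key, CSR, and a 5-year certificate with the extensions Windows needs
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/gateway/gatewayKey.pem"
  openssl req -new -key "$WORK/gateway/gatewayKey.pem" \
    -subj "/C=JP/O=Anonymous PoC/CN=$FQDN" -out "$WORK/gateway/gatewayReq.pem"
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2\n' \
    "$FQDN" > "$WORK/gateway/ext.cnf"
  openssl x509 -req -in "$WORK/gateway/gatewayReq.pem" -CA "$WORK/ca/caCert.pem" \
    -CAkey "$WORK/ca/caKey.pem" -set_serial 1 -days 1825 \
    -extfile "$WORK/gateway/ext.cnf" -out "$WORK/gateway/gatewayCert.pem"
  # DER copy of the CA certificate for the Windows certificate store
  openssl x509 -in "$WORK/ca/caCert.pem" -outform DER -out "$WORK/ca/caCert.cer"
}

# Returns 0 only if the article's three checks and a chain validation all pass.
check_chain() {
  ca="$WORK/ca/caCert.pem"; gw="$WORK/gateway/gatewayCert.pem"
  # 1. caCert.pem is self-signed (issuer equals subject) and flagged as a CA
  [ "$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$ca" -noout -issuer | sed 's/^issuer=//')" ] || return 1
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || return 1
  gwtext=$(openssl x509 -in "$gw" -noout -text)
  # 2. gatewayCert.pem carries the subjectAltName that Windows will connect to
  printf '%s\n' "$gwtext" | grep -q "DNS:$FQDN" || return 1
  # 3. EKU lists serverAuth and ikeIntermediate (OpenSSL prints the latter as a bare OID)
  printf '%s\n' "$gwtext" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$gwtext" | grep -q '1\.3\.6\.1\.5\.5\.8\.2\.2' || return 1
  # gatewayCert.pem must validate against caCert.pem
  openssl verify -CAfile "$ca" "$gw" > /dev/null
}
make_chain && check_chain && echo "all checks passed, files are in $WORK"
```

Set FQDN to your own hostname and WORK to a directory of your choice; once caCert.pem and gatewayCert.pem exist, the CA key still belongs off the PoC nodes as the article recommends.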


Summary of File Placement

You can complete the tasks in this article by placing and registering the files created above (not all of them are needed) as follows:

  • strongSwan (OpenWrt)
    • Simply use mv or cp to place them as follows:
    • /etc/swanctl/x509ca/caCert.pem
    • /etc/swanctl/x509/gatewayCert.pem
    • /etc/swanctl/private/gatewayKey.pem
  • Windows 11 PC
    • Register caCert.cer in the certificate store as a "Trusted Root Certification Authority."
    • Specific registration steps:
      1. Search for Certmgr.msc in the Start menu to launch the Certificate Manager.
      2. In the menu bar, go to "Action" -> "All Tasks" -> "Import."
      3. When the "Certificate Import Wizard" window appears, click "Next."
      4. You will be prompted to specify the file to import; set it to caCert.cer and click "Next."
      5. You will be asked to specify the certificate store; select "Place all certificates in the following store" and choose "Trusted Root Certification Authorities" as the store.
      6. Click "Next" to complete the wizard and finish the import.

Next is Trying SIM Authentication for IKEv2 IPsec VPN (3) [OpenWrt].
