Description
Internet Protocol Security (IPsec) is a protocol suite that authenticates and encrypts IP packets, giving two hosts confidentiality and integrity for their traffic across an IP network. It is the basis of many virtual private networks (VPNs).
Milesight routers can accept a variety of IPsec clients, including iOS devices. In this article one Milesight router acts as the IPsec server and an iPhone connects to it with certificate plus XAUTH authentication; the topology is shown in the figure below:
Requirement
Any Milesight router running the latest firmware
iPhone with iOS 14
Ubuntu system (version 20.04 is used as the example) to generate the certificates
Configuration
1. Generate Certificates
Step 1. Install strongSwan (including its pki tool) and OpenSSL:
sudo apt install strongswan strongswan-pki libstrongswan-extra-plugins openssl -y
Step 2. Run the commands below from a dedicated directory (lines starting with # are comments). ipsec pki --gen produces a 2048-bit RSA key by default.
# Generate the CA root private key
ipsec pki --gen --outform pem > ca.key.pem
# Self-sign a CA root certificate with this private key
ipsec pki --self --in ca.key.pem --dn "C=CN, O=milesight, CN=192.168.22.105" --ca --lifetime 3650 --outform pem > ca.crt
# --self: self-signed certificate
# --ca: mark the certificate as a CA (basicConstraints CA:TRUE)
# --lifetime: validity period in days
# --dn: distinguished name
#   C  = country name
#   O  = organization name
#   CN = common name, used for display; on the server certificate below iOS requires it to be the router IP or the server domain name
# Generate the server private key
ipsec pki --gen --outform pem > server.key
# Derive the public key from the private key
ipsec pki --pub --in server.key --outform pem > server.pub.pem
# Issue the server certificate for this public key, signed by the CA
ipsec pki --issue --lifetime 3600 --cacert ca.crt --cakey ca.key.pem --in server.pub.pem --dn "C=CN, O=milesight, CN=192.168.22.105" --san="192.168.22.105" --flag serverAuth --flag ikeIntermediate --outform pem > server.crt
# --san: subjectAltName; iOS compares it with the server address entered in the VPN profile, so it must be the router IP or the server domain name
# --flag serverAuth --flag ikeIntermediate: extendedKeyUsage values the iOS IKEv1 client expects on the server certificate
# Generate the client private key
ipsec pki --gen --outform pem > client.key.pem
# Derive the public key from the private key
ipsec pki --pub --in client.key.pem --outform pem > client.pub.pem
# Issue the client certificate for this public key, signed by the CA
# (the command reuses the server DN; in practice give each client its own CN, for example CN=iphone-01, so the router log shows which client connected)
ipsec pki --issue --lifetime 1200 --cacert ca.crt --cakey ca.key.pem --in client.pub.pem --dn "C=CN, O=milesight, CN=192.168.22.105" --outform pem > client.cert.pem
# Package the client private key, client certificate and CA certificate as PKCS#12 for import on the iPhone
openssl pkcs12 -export -inkey client.key.pem -in client.cert.pem -name "Milesight ios Client Cert" -certfile ca.crt -caname "192.168.22.105" -out client.cert.p12
# openssl prompts for an export password; the iPhone asks for the same password when the .p12 is installed
Step 3. Copy ca.crt, server.key, server.crt and client.cert.p12 off the Ubuntu host. ca.key.pem and client.key.pem stay there: the CA key is never installed on any device, and the client key leaves the host only inside the password-protected .p12.
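The script below is an added example written for this article, not code from the Milesight page: it rebuilds the same certificate chain with plain openssl (so it also runs on a host without strongSwan) and then checks the properties this setup silently depends on: both leaf certificates chain to ca.crt, the server certificate's SAN carries the router address and its EKU contains serverAuth and ikeIntermediate, the client key matches the client certificate, and the .p12 opens with its export password. The scratch directory, the client CN iphone-client and the export password are assumptions; set SERVER_ID to your router IP or domain name.

```shell
#!/bin/sh
# Added example, not code from the Milesight article: rebuild the section-1
# certificate chain with plain openssl and verify the properties the iOS
# client and the router rely on. Directory, client CN and password are assumed.
set -u

WORK="${WORK:-$(mktemp -d)}"               # scratch directory (assumption)
SERVER_ID="${SERVER_ID:-192.168.22.105}"   # router address used in the article
CLIENT_CN="${CLIENT_CN:-iphone-client}"    # assumption: a CN distinct from the server's
P12_PASS="${P12_PASS:-changeit}"           # assumption: export password for the .p12

# iOS matches the address typed into the VPN profile against the SAN:
# IP: for an IPv4 address, DNS: for a host name (IPv6 not handled here).
san_for() {
  case "$1" in
    *[!0-9.]*) echo "DNS:$1" ;;
    *)         echo "IP:$1" ;;
  esac
}

gen_pki() {
  D="$WORK"
  # CA: self-signed, CA:TRUE, key usable only for signing certificates and CRLs
  openssl genrsa -out "$D/ca.key.pem" 2048 2>/dev/null
  openssl req -new -key "$D/ca.key.pem" -subj "/C=CN/O=milesight/CN=$SERVER_ID" -out "$D/ca.csr"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$D/ca.ext"
  openssl x509 -req -in "$D/ca.csr" -signkey "$D/ca.key.pem" -days 3650 \
    -extfile "$D/ca.ext" -out "$D/ca.crt" 2>/dev/null

  # Server: CN and SAN carry the router address; EKU serverAuth + ikeIntermediate
  # (OID 1.3.6.1.5.5.8.2.2), the same flags "ipsec pki --issue" sets in the article.
  openssl genrsa -out "$D/server.key" 2048 2>/dev/null
  openssl req -new -key "$D/server.key" -subj "/C=CN/O=milesight/CN=$SERVER_ID" -out "$D/server.csr"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2' "subjectAltName=$(san_for "$SERVER_ID")" \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$D/server.ext"
  openssl x509 -req -in "$D/server.csr" -CA "$D/ca.crt" -CAkey "$D/ca.key.pem" -CAcreateserial \
    -days 3600 -extfile "$D/server.ext" -out "$D/server.crt" 2>/dev/null

  # Client: its own CN, so the router log shows which client connected
  openssl genrsa -out "$D/client.key.pem" 2048 2>/dev/null
  openssl req -new -key "$D/client.key.pem" -subj "/C=CN/O=milesight/CN=$CLIENT_CN" -out "$D/client.csr"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth' 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$D/client.ext"
  openssl x509 -req -in "$D/client.csr" -CA "$D/ca.crt" -CAkey "$D/ca.key.pem" -CAcreateserial \
    -days 1200 -extfile "$D/client.ext" -out "$D/client.cert.pem" 2>/dev/null

  # PKCS#12 bundle for the iPhone (client key + client cert + CA cert).
  # SHA1/3DES PBE is forced because iOS versions reject the AES-256/PBKDF2 and
  # SHA-256 MAC defaults of OpenSSL 3.x; Ubuntu 20.04 (OpenSSL 1.1.1) uses these anyway.
  openssl pkcs12 -export -inkey "$D/client.key.pem" -in "$D/client.cert.pem" -certfile "$D/ca.crt" \
    -name "Milesight ios Client Cert" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$P12_PASS" -out "$D/client.cert.p12"
}

# Returns 0 only if every artifact has the property the setup depends on.
verify_pki() {
  D="$WORK"
  openssl x509 -in "$D/ca.crt" -noout -text | grep -q 'CA:TRUE' || { echo "ca.crt is not a CA"; return 1; }
  openssl verify -CAfile "$D/ca.crt" "$D/server.crt" >/dev/null 2>&1 || { echo "server.crt does not chain to ca.crt"; return 1; }
  openssl verify -CAfile "$D/ca.crt" "$D/client.cert.pem" >/dev/null 2>&1 || { echo "client.cert.pem does not chain to ca.crt"; return 1; }
  txt=$(openssl x509 -in "$D/server.crt" -noout -text)
  echo "$txt" | grep -qE "(Address|DNS):$SERVER_ID" || { echo "server SAN lacks $SERVER_ID"; return 1; }
  echo "$txt" | grep -q 'TLS Web Server Authentication' || { echo "server EKU lacks serverAuth"; return 1; }
  echo "$txt" | grep -qiE '1\.3\.6\.1\.5\.5\.8\.2\.2|ike' || { echo "server EKU lacks ikeIntermediate"; return 1; }
  [ "$(openssl x509 -in "$D/client.cert.pem" -noout -pubkey)" = "$(openssl pkey -in "$D/client.key.pem" -pubout)" ] \
    || { echo "client key does not match client certificate"; return 1; }
  openssl pkcs12 -in "$D/client.cert.p12" -passin "pass:$P12_PASS" -noout 2>/dev/null \
    || { echo "client.cert.p12 does not open with the export password"; return 1; }
  echo "PKI in $WORK verified"
}

gen_pki && verify_pki
```

Run it as `SERVER_ID=vpn.example.com sh pki.sh` for a DNS-based server name; the SAN switches to DNS: automatically. The verification step is the part worth keeping around: run it against certificates produced by ipsec pki as well, since a missing SAN or EKU shows up on the iPhone only as a generic "VPN server did not respond".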
2. Configuration of the Router
Step 1. Navigate to Network -> VPN -> IPsec Server to set up the IPsec server.
Settings that matter for the iOS client (the built-in IKEv1 client):
IKE Parameter:
IKE Version: IKEv1
Encryption Algorithm: AES256
Authentication Algorithm: SHA1
DH Group: MODP1024-2
Local Authentication: CA
XAUTH: enable
SA Parameter:
SA Algorithm: AES256-SHA1
PFS Group: MODP1024-2
Expert Options: rightauth=pubkey;rightauth2=xauth;rightsourceip=172.16.0.1
Notes: SHA1 and MODP1024 (DH group 2) are weak by current standards and are chosen here only for compatibility with the iOS IKEv1 client. The expert options are strongSwan keywords: rightauth=pubkey requires the client to present a certificate that chains to the imported CA, rightauth2=xauth adds the XAUTH username and password as a second factor, and rightsourceip sets the virtual IP handed to the client (a single address serves one client at a time; a pool such as 172.16.0.0/24 serves several).
Click Save, then Apply.
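For readers who know strongSwan, the GUI settings above map onto the following ipsec.conf and ipsec.secrets entries. This is an added illustration written for this article, not a file taken from a Milesight device; the LAN subnet, the size of the virtual IP pool and the XAUTH user name are assumptions.

```ini
# /etc/ipsec.conf (illustrative strongSwan equivalent of the GUI settings above)
config setup

conn ios-ikev1-xauth
    keyexchange=ikev1
    # IKE Parameter: AES256 / SHA1 / MODP1024 (DH group 2); weak, kept for the iOS IKEv1 client
    ike=aes256-sha1-modp1024!
    # SA Parameter: AES256-SHA1 with PFS group MODP1024
    esp=aes256-sha1-modp1024!
    left=%defaultroute
    # Local Authentication: CA. leftid must equal the CN/SAN in server.crt
    leftid=192.168.22.105
    leftcert=server.crt
    leftauth=pubkey
    leftsendcert=always
    # assumption: LAN behind the router that the iPhone should reach
    leftsubnet=192.168.1.0/24
    right=%any
    # Expert Options: first factor is a client certificate chained to ca.crt,
    # second factor is the XAUTH username/password
    rightauth=pubkey
    rightauth2=xauth
    # virtual IP pool; the article's single address 172.16.0.1 serves one client
    rightsourceip=172.16.0.0/24
    auto=add

# /etc/ipsec.secrets
# private key matching server.crt (imported as "Private Key" in the GUI)
: RSA server.key
# XAUTH list entry; user name and password are assumptions
alice : XAUTH "correct horse battery staple"
```

Two things the GUI hides are visible here: rightid is left unset, so any certificate issued by the imported CA is accepted as the first factor (restrict it if the CA also issues certificates for other purposes), and the trailing `!` on the proposals makes the router refuse weaker algorithms than the ones listed rather than merely preferring these.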
Step 2. Navigate to Network -> VPN -> Certifications -> IPsec Server and import the files generated in section 1:
Import ca.crt into CA
Import server.crt into Local Certificate
Import server.key into Private Key
3. Configuration of the iPhone
Step 1. Transfer ca.crt and client.cert.p12 to the iPhone, by email or any other method.
Step 2. Install both certificates (the .p12 asks for the export password set in section 1).
Step 3. Configure the VPN on the iPhone with type IPsec (the built-in IKEv1 client):
Server: the Milesight router IPsec server address (the same IP or domain name used as CN/SAN of server.crt)
Username/password: an account defined in the Milesight router XAUTH list
Use Certificate: enable and select the client certificate installed from client.cert.p12
4. Check Connection
After the IPsec VPN is established, the tunnel appears on the router under Status -> VPN and in the VPN status on the iPhone.
iPhone LAN IP and WAN IP (iPhone VPN status):
Router (Status -> VPN):
On the router, go to Maintenance -> Tools -> Ping and ping the iPhone's LAN (virtual) IP, 172.16.0.1 in this example. A successful ping means traffic is passing through the VPN.
--End--