Azure VPN Point To Site on Linux(RHEL 7, Ubuntu 16.04) and Mac OS

In this post I won't explain how to create the VPN gateway itself; documentation for that already exists and is moderately well done (you know what I mean)… https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal

If you don't know how to create it, first follow the documentation above… but if you want to connect your Linux/macOS users to the VPN, keep reading.

The connection was tested successfully on RHEL 7.5, Ubuntu 16.04 and macOS High Sierra.

According to Azure, the way to connect Unix users is to enable IKEv2: “The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX will use only IKEv2 tunnel to connect.”

The scheme is the following:

[diagram from the original post]

IKEv2/IPSec:

Internet Key Exchange Version 2 (IKEv2) is a key management protocol standard that is used in conjunction with the IPsec standard. IPsec is a security protocol that protects data in either tunnel or transport mode.

IP Security (IPsec) provides confidentiality, data integrity, access control, and data source authentication to IP datagrams. These services are provided by maintaining a shared state between the source and the sink of an IP datagram. This state defines, among other things, the specific services provided to the datagram, which cryptographic algorithms will be used to provide the services, and the keys used as input to the cryptographic algorithms.

IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) [ESP] or Authentication Header (AH) [AH] and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry.

Linux Deploy:

RHEL 7 Requirements:

Install the EPEL repo:

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Apply updates:

# yum update -y

Install the strongSwan client, and libreswan to create the certificates:

# yum install -y strongswan libreswan strongswan-sqlite strongswan-tnc-imcvs

Certificates deploy:

These certificates can be used for both Linux and macOS users.

Execute the ipsec command to create the CA key and the self-signed CA certificate in .pem format:

$ ipsec pki --gen --outform pem > caKey.pem
$ ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem

Print the CA certificate as base64-encoded DER; this is the X.509 certificate data that you will add to the Azure portal (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#uploadfile):

$ openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo

With the following commands you set the name of the client certificate and the password of your client:

$ export PASSWORD="password"
$ export USERNAME="client"
$ ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
$ ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"

Finally, create the .p12 certificate bundle:

# openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"
# ls -l client.p12
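Before copying the .p12 to a client it is worth checking that the client certificate really chains to caCert.pem and carries the clientAuth extended key usage, since the gateway accepts only clients whose certificate chains to the root you uploaded. The script below is an added example, not code from the original post: it assumes only that openssl is installed, and its make_test_pki helper builds a throwaway CA and client certificates with openssl (instead of ipsec pki) so the check can be exercised stand-alone. check_client_cert is the function to run against your own caCert.pem and clientCert.pem.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a client certificate
# was issued by caCert.pem and carries the clientAuth EKU that the
# "--flag clientAuth" step is meant to set. Only openssl is assumed.

# make_test_pki DIR
# Builds a constructed test PKI in DIR (stand-in for the "ipsec pki" steps):
#   caCert.pem / caKey.pem   the root CA
#   clientCert.pem           issued by the CA with extendedKeyUsage=clientAuth
#   noekuCert.pem            issued by the CA but without the clientAuth flag
#   otherCert.pem            issued by an unrelated CA (wrong trust chain)
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=VPN CA" \
        -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Other CA" \
        -keyout "$dir/otherKey.pem" -out "$dir/otherCa.pem" 2>/dev/null
    # one client key and CSR, reused for all three issued certificates
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$dir/clientKey.pem" -out "$dir/client.csr" 2>/dev/null
    # extension file standing in for "--flag clientAuth --san client"
    printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:client\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/clientCert.pem" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" \
        -CAcreateserial -days 365 -out "$dir/noekuCert.pem" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/otherCa.pem" -CAkey "$dir/otherKey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/otherCert.pem" 2>/dev/null
}

# check_client_cert CA_PEM CLIENT_PEM
# Prints "ok" and returns 0 when CLIENT_PEM chains to CA_PEM and carries the
# clientAuth EKU; otherwise prints the reason and returns 1.
check_client_cert() {
    ca="$1"
    cert="$2"
    # "openssl verify" prints "<file>: OK" only when the chain validates
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "not issued by $ca"
        return 1
    fi
    # the EKU appears in the text dump as "TLS Web Client Authentication"
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo "missing clientAuth EKU"
        return 1
    fi
    echo "ok"
}

# Usage against the files produced by the post's own steps:
#   check_client_cert caCert.pem clientCert.pem
```

A certificate that fails the first check will be refused by the gateway no matter how the client is configured; one that fails the second check was issued without --flag clientAuth and should be reissued rather than bundled into the .p12.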

Client configuration:

Download your client ZIP from the Azure portal.

Inside the ZIP, in the Generic folder, you will find the VpnServerRoot.cer certificate.

$ mkdir client/
$ unzip -d client/ vpn.zip
# cp client/vpn/Generic/VpnServerRoot.cer /etc/strongswan/ipsec.d/cacerts/
# cp client.p12 /etc/strongswan/ipsec.d/private

Open the VpnSettings.xml file and copy the VpnServer value, azuregateway-$UUID.cloudapp.net.

Open /etc/strongswan/ipsec.conf and paste the following (replace $UUID with the VpnServer value from VpnSettings.xml):

conn azure
    keyexchange=ikev2
    type=tunnel
    leftfirewall=yes
    left=%any
    leftauth=eap-tls
    leftid=%client
    right=azuregateway-$UUID.cloudapp.net
    rightid=%azuregateway-$UUID.cloudapp.net
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    auto=add

Add the following to /etc/strongswan/ipsec.secrets:

: P12 client.p12 'password'

Finally, execute the following commands:

# strongswan restart
# strongswan up azure
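The ipsec.conf and ipsec.secrets entries above can be generated instead of pasted, which avoids a mistyped $UUID and rejects a VpnSettings.xml that does not name an Azure gateway at all. The script below is an added example, not part of the original post or of strongSwan. It assumes that VpnSettings.xml carries the gateway name in a <VpnServer> element (the element name is taken from the post's mention of VpnServer; the sample file in the usage comment is constructed) and that the file sits in the unzipped Generic folder, which is a hypothetical path.

```shell
#!/bin/sh
# Added example, not from the original post: render the "conn azure" block and
# the ipsec.secrets line from the gateway name found in VpnSettings.xml.
# Assumption: VpnSettings.xml holds the name in a <VpnServer> element.

# vpn_server_from_settings VPNSETTINGS_XML
# Prints the gateway hostname; fails if the file has no value of the form
# azuregateway-<UUID>.cloudapp.net, so a tampered or mis-extracted file cannot
# silently become the "right=" peer in ipsec.conf.
vpn_server_from_settings() {
    name=$(sed -n 's/.*<VpnServer>\([^<]*\)<\/VpnServer>.*/\1/p' "$1" | head -n 1)
    case "$name" in
        azuregateway-*.cloudapp.net)
            printf '%s\n' "$name"
            ;;
        *)
            echo "no valid VpnServer value in $1" >&2
            return 1
            ;;
    esac
}

# render_ipsec_conf GATEWAY
# Prints the conn block from the post with the gateway filled in. strongSwan
# requires the parameters to be indented under the "conn" line.
render_ipsec_conf() {
    cat <<EOF
conn azure
    keyexchange=ikev2
    type=tunnel
    leftfirewall=yes
    left=%any
    leftauth=eap-tls
    leftid=%client
    right=$1
    rightid=%$1
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    auto=add
EOF
}

# render_ipsec_secrets P12_FILE PASSWORD
# Prints the ipsec.secrets line that lets strongSwan unlock the .p12 bundle.
render_ipsec_secrets() {
    printf ": P12 %s '%s'\n" "$1" "$2"
}

# Usage on the client (as root), with a constructed VpnSettings.xml such as
#   <VpnProfile><VpnServer>azuregateway-<UUID>.cloudapp.net</VpnServer></VpnProfile>
# in the hypothetical path client/vpn/Generic/VpnSettings.xml:
#   gw=$(vpn_server_from_settings client/vpn/Generic/VpnSettings.xml) || exit 1
#   render_ipsec_conf "$gw" >> /etc/strongswan/ipsec.conf
#   render_ipsec_secrets client.p12 "$PASSWORD" >> /etc/strongswan/ipsec.secrets
```

The hostname check is the point of the script: only a name under cloudapp.net with the azuregateway- prefix is ever written as the peer, and anything else makes the script stop before touching the strongSwan files.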

Final result:

[screenshot from the original post]

macOS Deploy:

You can follow the Microsoft documentation to install the client, but it is very important to use the same certificate that you created with ipsec on Linux:

Azure Official Documentation for macOS Users

The .p12 certificate should be installed in the local system:

[screenshot from the original post]

Client final configuration
