Description

Internet Protocol Security (IPsec) is a network protocol suite that authenticates and encrypts IP packets to provide secure communication between two hosts over an IP network. It is the basis of many virtual private networks (VPNs).


Milesight routers support a variety of IPsec clients, including the built-in IPsec client of iOS. In this article one Milesight router acts as the IPsec server, and the topology is shown in the figure below:


Requirement

Any Milesight router running the latest firmware

iPhone running iOS 14

Ubuntu system (version 20.04 is used as the example)


Configuration


1. Generate Certificates 

Step 1. Install strongSwan (with its PKI tool) and OpenSSL:

sudo apt install strongswan strongswan-pki libstrongswan-extra-plugins openssl -y

Step 2. Run below command:

#Generate CA root private key (RSA 2048 by default)

ipsec pki --gen --outform pem > ca.key.pem 

#Self-sign a CA root certificate based on this private key

ipsec pki --self --in ca.key.pem --dn "C=CN, O=milesight, CN=192.168.22.105" --ca --lifetime 3650 --outform pem > ca.crt  

//--self: self-signed certificate

--lifetime: term of validity, in days

--dn: distinguished name

  • C stands for country name
  • O stands for organization name
  • CN stands for common name, used for user-friendly display. For the server certificate below, iOS requires the CN (and the SAN) to be exactly the router IP or server domain name that the iPhone dials. The CA certificate's CN does not have to match, but this article uses the same value throughout.

#Generate server private key

ipsec pki --gen --outform pem > server.key


#Generate public key from private key

ipsec pki --pub --in server.key --outform pem > server.pub.pem

#Sign a server certificate based on this public key

ipsec pki --issue --lifetime 3600 --cacert ca.crt --cakey ca.key.pem --in server.pub.pem --dn "C=CN, O=milesight, CN=192.168.22.105" --san="192.168.22.105" --flag serverAuth --flag ikeIntermediate --outform pem > server.crt

//--san: subjectAltName; for iOS it must be the router IP or server domain name, exactly as entered in the iPhone's Server field

//--flag serverAuth --flag ikeIntermediate: the extended key usage values strongSwan recommends for Apple IKEv1 clients; without them the iPhone rejects the server certificate


#Generate client private key

ipsec pki --gen --outform pem > client.key.pem

#Generate public key from private key

ipsec pki --pub --in client.key.pem --outform pem > client.pub.pem

#Sign a client certificate based on this public key

ipsec pki --issue --lifetime 1200 --cacert ca.crt --cakey ca.key.pem --in client.pub.pem --dn "C=CN, O=milesight, CN=192.168.22.105" --outform pem > client.cert.pem

//The client certificate's DN does not have to match the server's; this article reuses the same DN for simplicity, but a distinct CN per user (for example the user's name) makes the router log show who connected.

#Package the client key, client certificate and CA certificate into a PKCS#12 file for the iPhone

openssl pkcs12 -export -inkey client.key.pem -in client.cert.pem -name "Milesight ios Client Cert" -certfile ca.crt -caname "192.168.22.105" -out client.cert.p12

//You are prompted to define an export password; the iPhone asks for this password when the .p12 file is installed.


Step 3. Download ca.crt, server.crt, server.key and client.cert.p12 from the Ubuntu system. Keep ca.key.pem on the Ubuntu system only (it is needed neither on the router nor on the iPhone), and transfer server.key over a protected channel such as SCP or HTTPS rather than e-mail.
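The whole of section 1 as one repeatable script, added here as an example for this article (it is not a Milesight tool and not part of the original procedure). It assumes strongswan-pki and openssl are installed as above; the server address, client name, export password and output directory are assumptions to override in the environment. It differs from the manual steps in two deliberate ways: the CA and the client get descriptive CNs (only the server certificate's CN/SAN must equal the address the iPhone dials), and the issued server certificate is checked for the fields iOS relies on before anything is uploaded to the router.

```shell
#!/usr/bin/env bash
# Added example: scripted version of the certificate steps in section 1.
# Assumes strongswan-pki and openssl are installed. SERVER_ID, CLIENT_ID,
# P12_PASS and OUTDIR are assumptions; override them in the environment.
set -eu

SERVER_ID="${SERVER_ID:-192.168.22.105}"   # router IP or DNS name entered in the iPhone's Server field
CLIENT_ID="${CLIENT_ID:-iphone-user1}"     # per-user CN so the router log shows who connected
P12_PASS="${P12_PASS:-changeme}"           # export password the iPhone asks for on install
OUTDIR="${OUTDIR:-./ios-pki}"

# strongSwan 5.8 (Ubuntu 20.04) installs the tool as "ipsec pki"; newer builds as "pki".
if command -v pki >/dev/null 2>&1; then PKI=pki; else PKI="ipsec pki"; fi

gen_pki() {
  mkdir -p "$OUTDIR"
  (
    cd "$OUTDIR"
    umask 077   # private keys readable by this user only; ca.key.pem stays here, never on the router

    $PKI --gen --outform pem > ca.key.pem                       # RSA 2048 by default
    $PKI --self --in ca.key.pem --ca --lifetime 3650 --outform pem \
         --dn "C=CN, O=milesight, CN=Milesight IPsec CA" > ca.crt

    # Server certificate: CN and SAN both equal the dialled address, plus the
    # serverAuth and ikeIntermediate EKUs the iOS IKEv1 client expects.
    $PKI --gen --outform pem > server.key
    $PKI --pub --in server.key --outform pem \
      | $PKI --issue --lifetime 3650 --cacert ca.crt --cakey ca.key.pem \
             --dn "C=CN, O=milesight, CN=$SERVER_ID" --san "$SERVER_ID" \
             --flag serverAuth --flag ikeIntermediate --outform pem > server.crt

    # Client certificate with a per-user CN, shorter lifetime than the server's.
    $PKI --gen --outform pem > client.key.pem
    $PKI --pub --in client.key.pem --outform pem \
      | $PKI --issue --lifetime 1200 --cacert ca.crt --cakey ca.key.pem \
             --dn "C=CN, O=milesight, CN=$CLIENT_ID" --outform pem > client.cert.pem

    # Bundle client key + certificate + CA for the iPhone. On OpenSSL 3.x add
    # -legacy if the phone refuses to import the file (newer default ciphers).
    openssl pkcs12 -export -inkey client.key.pem -in client.cert.pem -certfile ca.crt \
      -name "Milesight iOS Client Cert" -passout "pass:$P12_PASS" -out client.cert.p12
  )
}

# Pure-shell check over `openssl x509 -noout -text` output. iOS will not connect
# unless the subject CN and a SAN entry equal the dialled address; serverAuth and
# the IKE intermediate EKU (OID 1.3.6.1.5.5.8.2.2, which OpenSSL may print
# numerically) are the flags strongSwan recommends for Apple IKEv1 clients.
check_server_identity() {
  text="$1"; id="$2"
  id_re=$(printf '%s' "$id" | sed 's/\./\\./g')
  printf '%s\n' "$text" | grep -Eq "Subject:.*CN *= *${id_re}"'(,|$)' \
    || { echo "subject CN is not $id" >&2; return 1; }
  printf '%s\n' "$text" | grep -Eq "(IP Address|DNS):${id_re}"'(,|$)' \
    || { echo "no SAN entry for $id" >&2; return 1; }
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" \
    || { echo "missing serverAuth EKU" >&2; return 1; }
  printf '%s\n' "$text" | grep -Eiq '1\.3\.6\.1\.5\.5\.8\.2\.2|ike ?intermediate' \
    || { echo "missing ikeIntermediate EKU" >&2; return 1; }
}

# Chain check plus identity check on the freshly issued server certificate.
verify_server_cert() {
  openssl verify -CAfile "$OUTDIR/ca.crt" "$OUTDIR/server.crt" >/dev/null
  check_server_identity "$(openssl x509 -in "$OUTDIR/server.crt" -noout -text)" "$SERVER_ID"
}

case "${1:-}" in
  gen)    gen_pki && verify_server_cert && echo "certificates written to $OUTDIR" ;;
  verify) verify_server_cert && echo "server.crt OK for $SERVER_ID" ;;
esac
```

Run it as `SERVER_ID=<router address> P12_PASS=<password> ./make_ios_pki.sh gen`; it stops with a message instead of writing a server.crt that the iPhone would silently refuse. `verify` can be re-run on an existing directory, for example before replacing the certificate on the router after a change of WAN address.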


 


2. Configuration of Router

Step 1. Navigate to Network -> VPN -> IPsec Server to set up the IPsec server.

Settings the iOS client requires:

IKE Parameter:

IKE Version: IKEv1

Encryption Algorithm: AES256

Authentication Algorithm: SHA1

DH Group: MODP1024-2

Local Authentication: CA

XAUTH: enable


SA Parameter:

SA Algorithm: AES256-SHA1

PFS Group: MODP1024-2

Expert Options: rightauth=pubkey;rightauth2=xauth;rightsourceip=172.16.0.1

The expert options are strongSwan connection keywords: rightauth=pubkey makes the client authenticate with its certificate, rightauth2=xauth adds the XAUTH username/password exchange as a second factor, and rightsourceip is the virtual IP assigned to the client. A single address, as here, serves one client at a time; a pool such as 172.16.0.0/24 allows several iPhones to connect at once.

Note that SHA1 and MODP1024 (DH group 2) are weak by current standards. They are used here because the built-in iOS IKEv1 client accepts them; do not reuse this profile for clients that can negotiate stronger IKEv2 proposals.


Click Save and then Apply.


Step 2. Navigate to Network -> VPN -> Certifications -> IPsec Server

Import ca.crt into CA

Import server.crt into Local Certificate

Import server.key into Private Key



3. Configuration of iPhone

Step 1. Send ca.crt and client.cert.p12 to the iPhone by e-mail or another channel. The .p12 file is protected by the export password; ca.crt is public.

Step 2. Install both certificates. Install ca.crt first, then client.cert.p12 (iOS prompts for the export password). If the iPhone later reports that the server certificate is not trusted, check Settings -> General -> About -> Certificate Trust Settings and enable full trust for the imported CA.


Step 3. Configure the VPN on the iPhone (Settings -> General -> VPN -> Add VPN Configuration, type IPsec):

Server: the Milesight router's IPsec server address, exactly as it appears in the server certificate's CN and SAN

Account/Password: the username and password defined in the Milesight router's XAUTH list

Use Certificate: enable and select the imported client certificate ("Milesight ios Client Cert")


 
4. Check Connection

After the IPsec VPN is established, you can see the connection status under Status -> VPN on the router and in the VPN information on the iPhone.

iPhone LAN IP and WAN IP:


Router:


Go to Maintenance -> Tools -> Ping and ping the iPhone's VPN IP (the rightsourceip address, 172.16.0.1 in this example). A successful ping confirms that data is transmitted through the VPN tunnel.


--End--