Using strongswan ipsec pki, ssh, rsync, owncloud,...
This project helps you manage the X.509 certificates you create with ipsec pki. The idea is to install a separate server that acts as the Certificate Authority (CA). This server is your highly confidential site. All created certificates are then sent to an IPsec gateway. An ownCloud instance is also installed on this gateway for out-of-band key distribution. We use a combination of two Armbian devices, but you can also use it with other Linux distributions.
First, build the latest strongSwan version on both devices: https://blog.rothirsch.tech/strongswan/
If you want to set up the IPsec gateway, you also have to install ownCloud: https://blog.rothirsch.tech/owncloud/
apt install openssh-server rsync pwgen
You should also allow the CA to log in to the IPsec gateway via SSH without a password: https://blog.rothirsch.tech/security/#!secure-ssh
Simply clone the git repository
Start the initialisation
./createCA
Change into the newly created directory CAs/yourDomain/yourCA/ and start
# Create certificate
./cert-create
# or with config
./cert-create CONFIGS/your.config.configs
# Revoke certificate
./cert-revoke STORE/certs/your.cert.pem
# Transfer certificate
./cert-transfer STORE/certs/your.cert.pem
# Show certificate info
./cert-info STORE/certs/your.cert.pem
The scripts are all self-explanatory and create configuration files inside CONFIGS.
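For orientation, the kind of strongSwan pki sequence a CA workflow like this rests on, as an added example that is not the project's own scripts. The function names, the private/, cacerts/ and certs/ layout, the DNs, key sizes and lifetimes are all assumptions.

```shell
# Added example: CA plus one gateway certificate with strongSwan's pki tool.
# Directory layout, DNs, key sizes and lifetimes are assumptions.

# Resolve the front end: a standalone "pki" binary or the "ipsec pki" wrapper.
pki_run() {
    if command -v pki >/dev/null 2>&1; then pki "$@"
    elif command -v ipsec >/dev/null 2>&1; then ipsec pki "$@"
    else echo "strongSwan pki not found" >&2; return 127
    fi
}

# make_ca DIR DN: self-signed CA certificate; the CA key is created 0600.
make_ca() {
    dir=$1 dn=$2
    mkdir -p "$dir/private" "$dir/cacerts" || return 1
    chmod 700 "$dir/private" || return 1
    ( umask 077; pki_run --gen --type rsa --size 4096 --outform pem \
        > "$dir/private/caKey.pem" ) || return 1
    pki_run --self --ca --lifetime 3650 --in "$dir/private/caKey.pem" \
        --type rsa --dn "$dn" --outform pem > "$dir/cacerts/caCert.pem"
}

# issue_cert DIR NAME DN SAN: key pair plus CA-signed server certificate.
issue_cert() {
    dir=$1 name=$2 dn=$3 san=$4
    mkdir -p "$dir/certs" || return 1
    ( umask 077; pki_run --gen --type rsa --size 3072 --outform pem \
        > "$dir/private/$name.key.pem" ) || return 1
    # Extract the public key and sign it with the CA key.
    pki_run --pub --in "$dir/private/$name.key.pem" --type rsa |
        pki_run --issue --lifetime 730 \
            --cacert "$dir/cacerts/caCert.pem" --cakey "$dir/private/caKey.pem" \
            --dn "$dn" --san "$san" --flag serverAuth --outform pem \
            > "$dir/certs/$name.cert.pem" || return 1
    # Verify the chain before the certificate leaves the CA host.
    pki_run --verify --in "$dir/certs/$name.cert.pem" \
        --cacert "$dir/cacerts/caCert.pem" >/dev/null
}
```

The CA key in private/caKey.pem is the one file that never needs to leave the CA host.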
- https://www.danballard.com/references/strongswan/www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/index.html
- https://www.armbian.com
- https://strongswan.org
- and all other free and open-source software used for this project