Tag Archives: Ipsec

Quick Walkthrough For IPSec – DD-WRT

Note: This feature is currently only available using my personal ipq/northstar builds.

1. Enable Freeradius

It will be used to for server and client certificate generation. Later on can be disabled, as we don’t need freeradius daemon in order to connect to the ipsec server.

Make sure the router already has the correct time set, otherwise cert dates will not be correct and certs invalid.

Important: Common Certificate Name will be used for DNS field in the cert.

2.Create a new user with password

Next click Gen Cert, after the client cert is created you will be able to download two certs to your device.

Strongswan Private Key: Clients private cert , either directly click on the cert download button twice (iOS) in order to download and import it or place it on a website where you can download it.

On import you will be asked to supply the password that you specified in freeradius client section.

Strongswan Router CA: Your unique generated Root CA which is used to sign the clients cert. You also need to import this on your device and trust it.

3.Imported certs

Make sure you have trusted the Root CA. Otherwise client cert cannot be validated.

4.Enable IPSec

Choose network access level. WAN and LAN means all connections from your iOS will be sent through the router.

WAN only means, internet traffic goes through router, no lan access to your home network. LAN only, means Internet traffic will not be sent to the router, but you can access your home lan.

5.Create a new IPSec profile

Where server and remote ID equals the common certificate name you used to create the certs. Local ID is the user name you used for client cert creation.

For authentication you can now choose the client cert you imported.

 

6. Done

You should now be able to connect to your router from your iOS.

P.S. It works the same way if you use a Windows client, only thing different is how to import certs and setup connection details. So far I have tested Win7 + current iOS.

The used dns name is no real dyndns account in was just chosen as an example:-)