As I wrote previously, I succeeded in connecting to Kyoto University's VPN system KUINS-III using PPTP on Ubuntu. However, PPTP has known security problems, and the official page recommends connecting with IKEv2 instead. On the other hand, no setup procedure for Linux is shown there, and until now I had not been able to connect with IKEv2. Encouraged by the previous success, I searched around and found the site https://blog.kmconner.net/archives/201 (how to connect to Kyoto University's IKEv2 VPN from Linux). Using it as a reference, I tried a VPN connection with IKEv2.
The OS is assumed to be Ubuntu 20.04 LTS, but I think it will also work on 18.04 LTS. IKEv2 is configured with a package called strongswan, so install the required packages with the package manager.
$ sudo apt-get install strongswan libcharon-extra-plugins
When strongswan is installed, a file called /etc/ipsec.conf should have been created, so append the settings for the VPN connection to that file.
$ sudo tee -a /etc/ipsec.conf << EOF #tee writes as root; "sudo cat >> file" would be denied, since the redirect runs as the normal user
conn KUINS
    auto=start
    right=<IKEv2 server>
    rightid=<IKEv2 server>
    rightsubnet=10.0.0.0/8
    rightauth=never
    left=%defaultroute
    leftsourceip=%config
    leftid=<ECS-ID>
    leftauth=eap-mschapv2
    eap_identity=%identity
    keyexchange=ikev2
    type=tunnel
    ike=aes128-sha256-modp3072
EOF
The value for <IKEv2 server> can be checked on the official page. To connect to KUINS-II, use ikev2.kuins.kyoto-u.ac.jp. For a fixed-VLAN connection (KUINS-III), choose the host name of the campus you want to connect to, and also set leftid=<ECS-ID>@<VLAN number>. Note that the parameters inside the conn section must be indented, or strongswan will not parse them as part of the section.
Next, add the password for EAP authentication to /etc/ipsec.secrets. The password is stored in clear text, so this file must stay readable only by root.
$ sudo tee -a /etc/ipsec.secrets << EOF > /dev/null #tee writes as root; the output is discarded so the password is not echoed
<ECS-ID> : EAP "<password for the ECS-ID, typed directly>"
EOF
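The two files above are written by hand in the post. As an added example (not from the original post, strongswan or KUINS), the script below renders the same conn section and secrets line from shell variables, refuses to write while a <placeholder> is still unreplaced, appends the conn section only once (a plain ">>" duplicates it every time the command is rerun), and checks that the secrets file is mode 600. The ECS-ID, VLAN number and password in the usage comment are constructed; the server name is the KUINS-II one quoted above.

```shell
#!/bin/sh
# Added example: render and install the KUINS IKEv2 client settings.
# Not part of the original post; values in the usage comment are constructed.

# Print the ipsec.conf conn section.
# $1 = IKEv2 server host name, $2 = left identity (ECS-ID, or ECS-ID@vlan).
render_conn() {
    server=$1
    ident=$2
    # Refuse to render while a template placeholder such as <ECS-ID> remains.
    case "$server$ident" in
        ''|*'<'*|*'>'*) echo "render_conn: unreplaced placeholder" >&2; return 1 ;;
    esac
    # Parameters inside a conn section must be indented for strongswan's parser.
    printf '%s\n' \
        'conn KUINS' \
        '    auto=start' \
        "    right=$server" \
        "    rightid=$server" \
        '    rightsubnet=10.0.0.0/8' \
        '    rightauth=never' \
        '    left=%defaultroute' \
        '    leftsourceip=%config' \
        "    leftid=$ident" \
        '    leftauth=eap-mschapv2' \
        '    eap_identity=%identity' \
        '    keyexchange=ikev2' \
        '    type=tunnel' \
        '    ike=aes128-sha256-modp3072'
}

# Print the ipsec.secrets line. $1 = identity (must equal leftid), $2 = password.
render_secret() {
    case "$1$2" in
        ''|*'<'*|*'>'*) echo "render_secret: unreplaced placeholder" >&2; return 1 ;;
    esac
    printf '%s : EAP "%s"\n' "$1" "$2"
}

# Append the conn section to $1 unless the file already has one.
# A target the current user cannot write (e.g. /etc/ipsec.conf) goes through
# "sudo tee": with "sudo cat >> file" the redirect itself runs unprivileged.
append_conn() {
    file=$1
    server=$2
    ident=$3
    if [ -f "$file" ] && grep -q '^conn KUINS' "$file"; then
        return 0  # already configured, nothing to do
    fi
    if [ -w "$file" ]; then
        render_conn "$server" "$ident" >> "$file"
    else
        render_conn "$server" "$ident" | sudo tee -a "$file" > /dev/null
    fi
}

# Return 0 only if $1 is mode 600 (owner read/write, nobody else), which
# ipsec.secrets must keep because it holds the EAP password in clear text.
secrets_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = '-rw-------' ]
}

# Usage (constructed ECS-ID, VLAN and password; take the real values from the
# official KUINS page):
#   append_conn /etc/ipsec.conf ikev2.kuins.kyoto-u.ac.jp a0b12345
#   render_secret a0b12345 'secret' | sudo tee -a /etc/ipsec.secrets > /dev/null
#   sudo chmod 600 /etc/ipsec.secrets && secrets_mode_ok /etc/ipsec.secrets
```

For a KUINS-III fixed-VLAN connection pass the identity as ECS-ID@VLAN (for example a0b12345@1234, constructed) and the campus host name instead of the KUINS-II one; render_secret must receive the same identity string as render_conn, since strongswan looks the EAP secret up by that identity.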
That completes the settings for client authentication. Next, you need to install the CA certificate that is used to verify the server's certificate chain.
$ sudo curl -o /etc/ipsec.d/cacerts/key.pem https://www.secomtrust.net/service/ninsyo/cer/scrootca2.txt #curl writes the file itself; a ">>" redirect would run without root privileges
$ sudo chmod 600 /etc/ipsec.d/cacerts/key.pem
Once the settings are done, the changes must be loaded before the first connection.
$ sudo ipsec restart #Restart strongswan
$ sudo ipsec reload #Reload the settings
$ sudo ipsec listcacerts #Display the set certificate
List of X.509 CA Certificates
subject: "C=JP, O=National Institute of Informatics, CN=NII Open Domain CA - G5"
issuer: "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
validity: not before Mar 22 15:33:29 2018, ok
not after Mar 22 15:33:29 2028, ok (expires in 2793 days)
serial: 22:b9:b1 ...
flags: CA CRLSign
CRL URIs: http://repository.secomtrust.net/SC-Root2/SCRoot2CRL.crl
OCSP URIs: http://scrootca2.ocsp.secomtrust.net
pathlen: 0
certificatePolicies:
1.2.392.200091.100.901.4
CPS: https://repository.secomtrust.net/SC-Root2/
authkeyId: 0a:85:a9 ...
subjkeyId: 67:3a:3a ...
pubkey: RSA 2048 bits
keyid: 8e:c0:9a ...
subjkey: 67:3a:3a ...
subject: "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
issuer: "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
validity: not before May 29 14:00:39 2009, ok
not after May 29 14:00:39 2029, ok (expires in 3225 days)
serial: 00
flags: CA CRLSign self-signed
subjkeyId: 0a:85:a9 ...
pubkey: RSA 2048 bits
keyid: 3b:37:c0 ...
subjkey: 0a:85:a9 ...
If the above is displayed, preparation is complete.
You can connect and disconnect with the following commands.
$ sudo ipsec up KUINS #Connect to VPN
$ sudo ipsec down KUINS #Disconnect from VPN
I think I now understand why the official page fudges the issue by saying "Linux does not support IKEv2". The configuration is all text-based, and if this method were published it would be hard to support people when problems occur. But when you think about it, KUINS itself is built on strongswan, so there is no reason you could not connect from Linux lol