Configure IPSEC VPN with StrongSwan on Ubuntu 18.04

In this guide, we will learn how to configure an IPsec VPN using strongSwan on Ubuntu 18.04. We have covered similar guides on how to install an OpenVPN server on Fedora 29 and on FreeBSD 12; you can check them out by following the links below.

The main purpose of a VPN is to create a secure, encrypted tunnel between two or more remote networks, so that traffic crossing an untrusted network, the Internet in this case, stays protected. IPsec is a protocol suite that provides encryption and authentication services at the IP (Internet Protocol) layer. Its implementation is mandatory for IPv6 stacks but optional for IPv4 stacks.

strongSwan, on the other hand, is an open-source IPsec implementation for Linux. It supports the various IPsec protocols and extensions such as IKE, X.509 digital certificates, NAT traversal…

Configure IPSEC VPN with StrongSwan on Ubuntu 18.04

Install strongSwan on Ubuntu 18.04

Fortunately, strongSwan is available in the default Ubuntu 18.04 repositories, so it can be installed simply by running the command below;

apt install strongswan libcharon-extra-plugins

Set up a CA with the strongSwan PKI

In order for the VPN client to verify the identity of the VPN server, you need to create a key and certificate for the VPN server. Before you can generate the server certificate and key, you must create a local CA to sign them. strongSwan provides a PKI tool that facilitates this process; install it by running the command below;

apt install strongswan-pki

Once the installation is done, proceed to create the CA. To get started, generate the private key that will be used to self-sign the CA certificate.

ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-ca.key.pem

Make sure this key is kept strictly private: anyone holding it can issue certificates your VPN will trust.

Create the VPN CA certificate and self-sign it using the key generated above.

ipsec pki --self --in vpn-ca.key.pem --type rsa --dn "CN=VPN Server root CA" --ca --lifetime 3650 --outform pem > vpn-ca.cert.pem

Next, create a private key for the VPN server and issue a matching certificate signed by the CA created above.

ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-server.key.pem

Once you have the server key in place, create the server certificate by running the command below. Make sure to replace the DN and SAN accordingly; the SAN must match the hostname clients will use to connect.

ipsec pki --pub --in vpn-server.key.pem --type rsa | ipsec pki --issue --lifetime 2750 --cacert vpn-ca.cert.pem --cakey vpn-ca.key.pem --dn "CN=vpnsvr.example.com" --san="vpnsvr.example.com" --flag serverAuth --flag ikeIntermediate --outform pem > vpn-server.cert.pem

Install Certificates

Now that you have all the certificates, install them by moving them to the respective IPsec certificate directories under /etc/ipsec.d.

mv vpn-ca.cert.pem /etc/ipsec.d/cacerts/
mv vpn-server.cert.pem /etc/ipsec.d/certs/
mv vpn-ca.key.pem vpn-server.key.pem /etc/ipsec.d/private/

Configure StrongSwan on Ubuntu 18.04

The /etc/ipsec.conf configuration file defines most of the configuration and control information for the strongSwan IPsec subsystem, and it consists of three different types of sections:

  • config setup section
    Defines general configuration parameters.
  • conn sections
    Each connection section contains a connection specification defining a network connection to be made using IPsec.
  • ca sections
    Define a certification authority.

Before you can configure this file, back it up.

cp /etc/ipsec.conf /etc/ipsec.conf.bak
vim /etc/ipsec.conf

Define the setup parameters;

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=no
    uniqueids=yes
    cachecrls=no

  • charondebug sets the debug logging of charon as a list of "type level" pairs, where the type can be dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts. The level can be one of -1, 0, 1, 2, 3, 4 (silent, audit, control, more control, raw, private). By default, the level is set to 1 for all types. For a description of the debug types, see the Logger Configuration section of strongswan.conf(5).
  • strictcrlpolicy specifies whether a fresh CRL must be available for peer authentication based on RSA signatures to succeed.
  • uniqueids determines whether a particular participant ID should be kept unique.
  • cachecrls determines whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be cached locally.

Define the connection parameters;

conn ipsec-ikev2-vpn
    auto=add
    compress=no
    type=tunnel                     # Specifies the type of connection, a tunnel.
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpnsvr.example.com      # If using an IP address, specify it without the @
    leftcert=vpn-server.cert.pem    # Reads the VPN server certificate from /etc/ipsec.d/certs
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.7.0/24      # IP address pool to be assigned to clients
    rightdns=8.8.8.8                # DNS server to be assigned to clients
    rightsendcert=never
    eap_identity=%identity          # Use the identity the client sends in reply to the EAP identity request.

For a comprehensive description of the connection parameters and values ​​used in the above configuration, see man ipsec.conf.
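As an added example that is not part of this guide, the POSIX shell script below reads a named section out of an ipsec.conf-style file and checks the settings the server configuration above relies on: IKEv2 key exchange, tunnel mode, EAP-MSCHAPv2 for clients, a server certificate that is always sent and never requested from clients. The sample configuration it writes is constructed for the demonstration, and the helper names (ipsec_conf_get, audit_conn, write_sample_conf) are this example's own, not strongSwan's.

```shell
#!/bin/sh
# Added example, not from the guide: audit the conn settings in an ipsec.conf file.

# Print the value of KEY in section NAME of FILE ("setup" for "config setup").
# Returns 1 when the key is absent. Comments are stripped and whitespace around
# "=" is tolerated, matching how ipsec.conf is written in the guide.
ipsec_conf_get() {
    awk -v sec="$2" -v key="$3" '
        { sub(/#.*/, "") }
        /^(conn|config|ca)[ \t]+/ { insec = ($2 == sec); next }
        insec && NF {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Check conn NAME in FILE against the settings the guide uses for the server.
# Prints one FAIL line per mismatch and returns 1 if any; returns 0 otherwise.
audit_conn() {
    file=$1; conn=$2; rc=0
    for want in keyexchange=ikev2 type=tunnel rightauth=eap-mschapv2 \
                leftsendcert=always rightsendcert=never; do
        k=${want%%=*}; v=${want#*=}
        got=$(ipsec_conf_get "$file" "$conn" "$k") || got='<unset>'
        if [ "$got" != "$v" ]; then
            echo "FAIL $conn: $k=$got (expected $v)"; rc=1
        fi
    done
    # the server must have a certificate to present, or clients cannot verify it
    if ! ipsec_conf_get "$file" "$conn" leftcert >/dev/null; then
        echo "FAIL $conn: leftcert is not set"; rc=1
    fi
    return $rc
}

# Constructed sample ipsec.conf (not a real deployment): one conn shaped like the
# guide's server section and one that deviates, to exercise the audit.
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
    charondebug="ike 2, knl 2, cfg 2"
    strictcrlpolicy=no
    uniqueids=yes

conn ipsec-ikev2-vpn
    auto=add
    type=tunnel                 # tunnel mode
    keyexchange=ikev2
    leftcert=vpn-server.cert.pem
    leftsendcert=always
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsourceip=10.10.7.0/24

conn deviating
    auto=add
    type=tunnel
    keyexchange=ikev1
    leftsendcert=always
    rightauth=pubkey
EOF
}

# Stand-alone run: audit both sections of the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_conf "$tmp"
    audit_conn "$tmp" ipsec-ikev2-vpn && echo "ipsec-ikev2-vpn: OK"
    audit_conn "$tmp" deviating || echo "deviating: problems found"
    rm -f "$tmp"
fi
```

Run it with `--demo` to see the constructed sample audited, or call `audit_conn /etc/ipsec.conf ipsec-ikev2-vpn` on a real host before restarting strongSwan. The expected values are the guide's; adjust the list in audit_conn if your deployment legitimately differs.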

Next, you need to configure the client and server authentication credentials. These are set in the /etc/ipsec.secrets configuration file. Open this file, specify the RSA private key the server authenticates with, and set up the EAP user credentials by choosing a username and password for the client. Note the spacing.

vim /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA vpn-server.key.pem        # VPN server key created above
# <user-id> : EAP
vpnsecure : EAP "[email protected]"   # random password

Save the configuration file and restart strongSwan for the changes to take effect.

systemctl restart strongswan

To verify that strongSwan has the server certificate and its private key in place, run the command below;

ipsec listcerts

List of X.509 End Entity Certificates

  subject:  "CN=vpnsvr.example.com"
  issuer:   "CN=VPN Server root CA"
  validity:  not before Feb 09 20:27:18 2019, ok
             not after  Aug 21 20:27:18 2026 ok (expires in 2749 days)
  serial:    56:e5:08:a6:db:f6:6b:d0
  altNames:  vpnsvr.example.com
  flags:     serverAuth ikeIntermediate
  authkeyId: 68:40:92:5b:53:c4:99:18:3e:7e:cb:6b:5b:32:d5:05:f7:de:88:74
  subjkeyId: 09:2f:bd:61:bd:47:1b:c8:13:e0:2f:65:c0:9f:12:7b:0e:e8:c4:9b
  pubkey:    RSA 4096 bits, has private key
  keyid:     75:72:19:89:62:97:27:55:a0:4f:68:be:6a:c9:14:98:04:87:be:a3
  subjkey:   09:2f:bd:61:bd:47:1b:c8:13:e0:2f:65:c0:9f:12:7b:0e:e8:c4:9b
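The ipsec listcerts check above confirms that charon found the certificate and key; as an added example that is not part of this guide, the POSIX shell script below checks two things the guide asks for but that listcerts does not report: that every file under the private/ directory really is a PEM private key with mode 0600 (a certificate moved there by a mistyped mv is the usual slip), and that every ": RSA" entry in ipsec.secrets names a key that exists while every EAP entry carries a double-quoted password. The directory tree and secrets file it builds are constructed fakes (the PEM bodies are placeholders, not key material), and the function names (check_private_keys, check_secrets, make_sample_tree) are this example's own.

```shell
#!/bin/sh
# Added example, not from the guide: sanity-check an /etc/ipsec.d-style directory
# and the key references in an ipsec.secrets file before restarting strongSwan.
# DIR is the ipsec.d root (/etc/ipsec.d on a real host); SECRETS is the secrets file.

# Every file under DIR/private must be a PEM private key with mode 0600.
# Prints one FAIL line per problem and returns 1 if any were found.
check_private_keys() {
    dir=$1; rc=0
    for k in "$dir"/private/*; do
        [ -f "$k" ] || continue
        perms=$(ls -l "$k" | cut -c1-10)
        if [ "$perms" != "-rw-------" ]; then
            echo "FAIL: $k has mode $perms, expected -rw------- (chmod 600)"; rc=1
        fi
        # a certificate or public key in private/ usually means a mistyped mv
        if ! grep -q 'PRIVATE KEY-----' "$k"; then
            echo "FAIL: $k is not a PEM private key"; rc=1
        fi
    done
    return $rc
}

# Every ": RSA <file>" entry must name a key present in DIR/private, and every
# EAP entry must carry a double-quoted password, as in the guide's secrets file.
check_secrets() {
    secrets=$1; dir=$2; rc=0
    entries=$(awk '{ sub(/#.*/, "") } NF { print }' "$secrets")
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $line in
            *": RSA "*)
                key=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i == "RSA") { print $(i + 1); exit } }')
                if [ ! -f "$dir/private/$key" ]; then
                    echo "FAIL: $key is referenced in $secrets but missing from $dir/private"; rc=1
                fi ;;
            *": EAP "*)
                if ! printf '%s\n' "$line" | grep -q ': EAP "[^"]*"'; then
                    echo "FAIL: EAP password is not double-quoted: $line"; rc=1
                fi ;;
            *)
                echo "FAIL: unrecognised entry: $line"; rc=1 ;;
        esac
    done <<EOF
$entries
EOF
    return $rc
}

# Constructed sample tree (not real key material) mirroring the guide's layout,
# including one deliberate mistake: a certificate left in private/ with mode 644.
make_sample_tree() {
    root=$1
    mkdir -p "$root/private" "$root/certs" "$root/cacerts"
    old=$(umask); umask 077
    for name in vpn-ca.key.pem vpn-server.key.pem; do
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-not-a-real-key' \
            '-----END RSA PRIVATE KEY-----' > "$root/private/$name"
    done
    umask "$old"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' \
        > "$root/private/vpn-server.cert.pem"
    chmod 644 "$root/private/vpn-server.cert.pem"
    cat > "$root/ipsec.secrets" <<'EOF'
# This file holds shared secrets or RSA private keys for authentication.
: RSA vpn-server.key.pem        # VPN server key
vpnsecure : EAP "constructed-password"
EOF
}

# Stand-alone run against the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d); make_sample_tree "$root"
    check_private_keys "$root" || echo "fix the problems above before restarting strongSwan"
    check_secrets "$root/ipsec.secrets" "$root" && echo "ipsec.secrets: OK"
    rm -rf "$root"
fi
```

On a real host run `check_private_keys /etc/ipsec.d` and `check_secrets /etc/ipsec.secrets /etc/ipsec.d` as root. The checks only cover file mode and entry shape; they do not validate that the key matches the certificate, which is what ipsec listcerts ("has private key") tells you.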

Configure the firewall and routing

Set UFW to allow and forward VPN traffic. In order for IPsec to work through the firewall, you need to open UDP ports 500 and 4500.

ufw allow 500/udp    # allows Internet Security Association and Key Management Protocol (ISAKMP) traffic
ufw allow 4500/udp   # allows IPsec NAT traversal (NAT-T) between NATed devices

Find the default routing interface;

ip route show default

default via 10.0.2.2 dev enp0s3

So enp0s3 is the default routing interface.

Next, edit the file /etc/ufw/before.rules so that your configuration looks like the one below. Replace the IP pool and the default route interface accordingly. The added lines are the *nat and *mangle tables placed right before the *filter section, and the two ufw-before-forward rules placed right after its required header lines.

...
# Don't delete these required lines, otherwise there will be errors
*nat
-A POSTROUTING -s 10.10.7.0/24 -o enp0s3 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.7.0/24 -o enp0s3 -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.7.0/24 -o enp0s3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.7.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.7.0/24 -j ACCEPT

Disable and enable ufw for the changes to take effect.

ufw disable && ufw enable

Configure Kernel IP Forwarding.

vim /etc/ufw/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net/ipv4/ip_forward=1
...
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects=0
...
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects=0
...

Disable path MTU discovery to prevent packet fragmentation by adding the line below;

net/ipv4/ip_no_pmtu_disc=1
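As an added example that is not part of this guide, the POSIX shell script below checks a before.rules file for the rules added in this section, with one check the guide does not spell out: in the nat table, the policy-match ACCEPT for IPsec-bound traffic has to come before MASQUERADE, because once a packet is source-NATed it no longer matches the tunnel's policy. The sample file it writes is constructed in the shape shown above, with the guide's pool (10.10.7.0/24) and interface (enp0s3); the function names (rules_in_table, check_nat_order, check_forward_rules, write_sample_rules) are this example's own.

```shell
#!/bin/sh
# Added example, not from the guide: check an /etc/ufw/before.rules file for the
# IPsec NAT, MSS-clamp and ESP forwarding rules the guide adds, including the
# order of the two nat rules. POOL and IFACE default to the guide's values.

# Print the rules of TABLE (nat, mangle or filter) in FILE, comments stripped
# and numbered by position within that table.
rules_in_table() {
    awk -v table="$2" '
        { sub(/#.*/, "") }
        /^\*/     { cur = substr($1, 2); n = 0; next }
        /^COMMIT/ { cur = ""; next }
        cur == table && NF { print ++n ": " $0 }
    ' "$1"
}

# The policy-match ACCEPT for IPsec-bound traffic must precede MASQUERADE;
# otherwise the pool's packets are source-NATed before the IPsec policy is
# consulted and the tunnel breaks. Returns 0 when both rules exist in that order.
check_nat_order() {
    file=$1; pool=$2; iface=$3
    accept=$(rules_in_table "$file" nat \
        | grep -- "-s $pool -o $iface .*--pol ipsec --dir out -j ACCEPT" | cut -d: -f1 | head -n1)
    masq=$(rules_in_table "$file" nat \
        | grep -- "-s $pool -o $iface -j MASQUERADE" | cut -d: -f1 | head -n1)
    if [ -z "$accept" ] || [ -z "$masq" ]; then
        echo "FAIL: nat table lacks the IPsec ACCEPT and/or MASQUERADE rule for $pool via $iface"
        return 1
    fi
    if [ "$accept" -ge "$masq" ]; then
        echo "FAIL: MASQUERADE (rule $masq) precedes the IPsec policy ACCEPT (rule $accept)"
        return 1
    fi
    return 0
}

# The mangle MSS clamp and both ESP forward accepts for POOL must be present.
check_forward_rules() {
    file=$1; pool=$2; rc=0
    rules_in_table "$file" mangle | grep -q -- "-s $pool .*-j TCPMSS --set-mss" \
        || { echo "FAIL: no TCPMSS clamp for $pool in the mangle table"; rc=1; }
    rules_in_table "$file" filter | grep -q -- "ufw-before-forward .*--pol ipsec --dir in .*-s $pool -j ACCEPT" \
        || { echo "FAIL: no inbound ESP forward accept for $pool"; rc=1; }
    rules_in_table "$file" filter | grep -q -- "ufw-before-forward .*--pol ipsec --dir out .*-d $pool -j ACCEPT" \
        || { echo "FAIL: no outbound ESP forward accept for $pool"; rc=1; }
    return $rc
}

# Constructed sample in the shape the guide shows; ORDER=bad swaps the two nat rules.
write_sample_rules() {
    file=$1; order=$2
    accept='-A POSTROUTING -s 10.10.7.0/24 -o enp0s3 -m policy --pol ipsec --dir out -j ACCEPT'
    masq='-A POSTROUTING -s 10.10.7.0/24 -o enp0s3 -j MASQUERADE'
    if [ "$order" = bad ]; then first=$masq; second=$accept; else first=$accept; second=$masq; fi
    printf '%s\n' \
        '*nat' "$first" "$second" 'COMMIT' \
        '*mangle' \
        '-A FORWARD --match policy --pol ipsec --dir in -s 10.10.7.0/24 -o enp0s3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360' \
        'COMMIT' \
        '*filter' ':ufw-before-input - [0:0]' ':ufw-before-forward - [0:0]' '# End required lines' \
        '-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.7.0/24 -j ACCEPT' \
        '-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.7.0/24 -j ACCEPT' \
        'COMMIT' > "$file"
}

# Stand-alone run: a correct file and one with the nat rules reversed.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_rules "$f" ok
    check_nat_order "$f" 10.10.7.0/24 enp0s3 && check_forward_rules "$f" 10.10.7.0/24 && echo "before.rules: OK"
    write_sample_rules "$f" bad
    check_nat_order "$f" 10.10.7.0/24 enp0s3 || echo "before.rules: fix the nat rule order"
    rm -f "$f"
fi
```

On a real host, run `check_nat_order /etc/ufw/before.rules 10.10.7.0/24 enp0s3` followed by `check_forward_rules /etc/ufw/before.rules 10.10.7.0/24`, substituting your own pool and the interface found with ip route, before reloading ufw.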

Restart StrongSwan and enable it to run on boot.

systemctl restart strongswan
systemctl enable strongswan

You can check the status.

systemctl status strongswan

● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-02-10 10:15:44 UTC; 11s ago
 Main PID: 9168 (starter)
    Tasks: 18 (limit: 2325)
   CGroup: /system.slice/strongswan.service
           ├─9168 /usr/lib/ipsec/starter --daemon charon --nofork
           └─9193 /usr/lib/ipsec/charon --debug-ike 2 --debug-knl 2 --debug-cfg 2 --debug-net 2 --debug-esp 2 --debug-dmn 2 --debug-mgr 2

You can also check the status using the ipsec command.

ipsec statusall

Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64):
  uptime: 2 minutes, since Feb 10 10:15:44 2019
  malloc: sbrk 1486848, mmap 0, used 501040, free 985808
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Virtual IP pools (size/online/offline):
  10.10.7.0/24: 254/0/0
Listening IP addresses:
  192.168.43.85
Connections:
ipsec-ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
ipsec-ikev2-vpn:   local:  [vpnsvr.example.com] uses public key authentication
ipsec-ikev2-vpn:    cert:  "CN=vpnsvr.example.com"
ipsec-ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ipsec-ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none

VPN connection test

Now that we’ve configured IPSEC VPN with strongSwan on Ubuntu 18.04, let’s test if remote clients can connect to it. In this guide, we are testing the connection from an Ubuntu 18.04 client.

Launch the Ubuntu 18.04 client and install the following packages.

apt update
apt install strongswan libcharon-extra-plugins

Once the installation is finished, disable strongswan from starting automatically at system boot.

systemctl disable strongswan

Log in to the VPN server and copy its CA certificate (vpn-ca.cert.pem) to the VPN client, placing it under /etc/ipsec.d/cacerts.

Configure the VPN client authentication credentials exactly as you did on the server.

cat /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
vpnsecure : EAP "[email protected]"

Define VPN client configuration parameters.

vim /etc/ipsec.conf

conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.example.com
    rightid=vpnsvr.example.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpnsecure
    ...