
Configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8


Follow this tutorial to learn how to configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8. Our previous tutorial provided a step-by-step guide on how to set up strongSwan VPN Server on Debian 10 Buster.

Follow the link below to learn how to install and set up strongSwan VPN Server on Debian 10 Buster.

Set up IPSEC VPN with StrongSwan on Debian 10

Once you have the strongSwan VPN server set up, you can proceed to test the IP assignment and the local connection via the VPN server.

In this demo, we are using Ubuntu 18.04 and CentOS 8 as test clients for our strongSwan VPN.

Configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8

Install strongSwan on Ubuntu 18.04

strongSwan and add-ons can be installed on Ubuntu 18.04 by running the command below;

apt update
apt install strongswan libcharon-extra-plugins

Install strongSwan on CentOS 8

strongSwan packages are provided by EPEL repositories on CentOS 8 and similar derivatives. Hence, start by installing EPEL repos;

dnf install epel-release
dnf update
dnf install strongswan strongswan-charon-nm

Install a strongSwan VPN Server CA certificate on the client

Copy the strongSwan CA certificate generated on the VPN server, /etc/ipsec.d/cacerts/vpn_ca_cert.pem, to the client machines and;

  • Put it in the /etc/ipsec.d/cacerts/ directory on Ubuntu 18.04
  • Put it in the /etc/strongswan/ipsec.d/cacerts directory on CentOS 8.

Configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8

On Ubuntu 18.04;

Update the /etc/ipsec.conf configuration file to specify how to connect to the strongSwan VPN server. See configuration file below;

vim /etc/ipsec.conf

conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.kifarunix-demo.com
    rightid=vpnsvr.kifarunix-demo.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpnsecure
    leftauth=eap-mschapv2
    eap_identity=%identity

Setup authentication secrets

vim /etc/ipsec.secrets

...
# User ID : EAP secret
vpnsecure : EAP "[email protected]"

# This file is managed with debconf and will contain the auto-generated private key
include /var/lib/strongswan/ipsec.secrets.inc

Save the configuration file and restart strongswan.

systemctl restart strongswan

Disable strongSwan from running on system boot;

systemctl disable strongswan

Check Status

ipsec statusall

Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 1 minute ago, 10.0.2.15[vpnsecure]...192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cc36db97_i cb5ceb5b_o
ipsec-ikev2-vpn-client{1}:   172.16.7.1/32 === 0.0.0.0/0

On CentOS 8;

Update the /etc/strongswan/ipsec.conf configuration file to specify how to connect to the strongSwan VPN server.

vim /etc/strongswan/ipsec.conf

conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.kifarunix-demo.com
    rightid=vpnsvr.kifarunix-demo.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=koromicha
    leftauth=eap-mschapv2
    eap_identity=%identity

Next, open the /etc/strongswan/ipsec.secrets configuration file and set up the EAP authentication details exactly as they are specified on the server.

vim /etc/strongswan/ipsec.secrets

# User ID : EAP secret
koromicha : EAP "mypassword"

Restart strongSwan.

systemctl restart strongswan

Disable strongSwan from running on system boot;

systemctl disable strongswan

Check VPN connection status

Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 2 minutes ago, 10.0.2.15[vpnsecure]...192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c573b6a1_i cd8306eb_o
ipsec-ikev2-vpn-client{1}:   172.16.7.2/32 === 0.0.0.0/0
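A pre-flight audit of the client configuration described above, as an added example that is not part of the original tutorial: it checks that the server is authenticated by certificate with an explicit identity, that the client uses EAP, and that the secrets file holding the clear-text EAP password is owner-only. The function names, temporary paths and sample secret are assumptions; on a real client pass /etc/ipsec.conf and /etc/ipsec.secrets (Ubuntu) or their /etc/strongswan/ counterparts (CentOS 8).

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Function names are illustrative.

# conn_value FILE CONN KEY: print KEY's value from the "conn CONN" section.
conn_value() {
    awk -v conn="$2" -v key="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        /^[^ \t]/ { in_conn = ($1 == "conn" && $2 == conn); next }
        in_conn {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# audit_client CONF SECRETS CONN: print findings; exit status = their count.
audit_client() {
    conf=$1; secrets=$2; conn=$3; findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }
    [ "$(conn_value "$conf" "$conn" rightauth)" = "pubkey" ] ||
        fail "rightauth is not pubkey (server not authenticated by certificate)"
    rid=$(conn_value "$conf" "$conn" rightid)
    { [ -n "$rid" ] && [ "$rid" != "%any" ]; } ||
        fail "rightid unset or %any (server identity not pinned explicitly)"
    [ -n "$(conn_value "$conf" "$conn" leftid)" ] || fail "leftid missing"
    case $(conn_value "$conf" "$conn" leftauth) in
        eap-*) ;;
        *) fail "leftauth is not an EAP method" ;;
    esac
    # ipsec.secrets stores the EAP password in clear text: owner-only access.
    perms=$(ls -ld "$secrets" | cut -c5-10)
    [ "$perms" = "------" ] || fail "$secrets grants group/other access ($perms)"
    return "$findings"
}

# Constructed sample mirroring the Ubuntu client settings; secret is made up.
demo=$(mktemp -d)
cat > "$demo/ipsec.conf" <<'EOF'
conn ipsec-ikev2-vpn-client
    right=vpnsvr.kifarunix-demo.com
    rightid=vpnsvr.kifarunix-demo.com
    rightauth=pubkey
    leftid=vpnsecure
    leftauth=eap-mschapv2
EOF
printf 'vpnsecure : EAP "constructed-secret"\n' > "$demo/ipsec.secrets"
chmod 644 "$demo/ipsec.secrets"   # deliberately too open, to trigger a finding
audit_client "$demo/ipsec.conf" "$demo/ipsec.secrets" ipsec-ikev2-vpn-client ||
    echo "findings: $?"
```

Running `chmod 600` on the secrets file clears the one finding the sample produces.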

On the strongSwan VPN server, check status;

In this demo, our strongSwan VPN server is running on Debian 10 Buster. Hence, you can check the status as shown below;

Security Associations (2 up, 0 connecting):
ipsec-ikev2-vpn[4]: ESTABLISHED 18 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]...192.168.56.1[koromicha]
ipsec-ikev2-vpn{4}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c4e5f1c2_i c8e1a02f_o
ipsec-ikev2-vpn{4}:   0.0.0.0/0 === 172.16.7.2/32
ipsec-ikev2-vpn[3]: ESTABLISHED 21 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]...192.168.56.1[vpnsecure]
ipsec-ikev2-vpn{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7a4ee1d_i c558073b_o
ipsec-ikev2-vpn{3}:   0.0.0.0/0 === 172.16.7.1/32

VPN Client Connection Test

We now have two clients, each assigned its own address;

  • Ubuntu 18.04 OS: 172.16.7.1
  • CentOS 8: 172.16.7.2

To test the connection, you can simply run a ping test.

From Ubuntu 18.04, ping CentOS 8;

ping 172.16.7.2

PING 172.16.7.2 (172.16.7.2) 56(84) bytes of data.
64 bytes from 172.16.7.2: icmp_seq=1 ttl=64 time=3.18 ms
64 bytes from 172.16.7.2: icmp_seq=2 ttl=64 time=4.15 ms
64 bytes from 172.16.7.2: icmp_seq=3 ttl=64 time=3.47 ms
64 bytes from 172.16.7.2: icmp_seq=4 ttl=64 time=3.61 ms

--- 172.16.7.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 10ms
rtt min/avg/max/mdev = 3.176/3.602/4.154/0.360 ms

From CentOS 8, ping Ubuntu 18.04.

ping 172.16.7.1

PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data.
64 bytes from 172.16.7.1: icmp_seq=1 ttl=64 time=3.24 ms
64 bytes from 172.16.7.1: icmp_seq=2 ttl=64 time=4.37 ms
64 bytes from 172.16.7.1: icmp_seq=3 ttl=64 time=4.08 ms
64 bytes from 172.16.7.1: icmp_seq=4 ttl=64 time=3.43 ms

--- 172.16.7.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 9ms
rtt min/avg/max/mdev = 3.237/3.780/4.371/0.462 ms

Try SSH from both sides;

ssh [email protected]
The authenticity of host '172.16.7.2 (172.16.7.2)' can't be established.
ECDSA key fingerprint is SHA256:wKoh/MWvCicV6cEe6jY19AkcBgk1lyjZorQt3aqflJM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.7.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
[[email protected] ~]$

ssh [email protected]
The authenticity of host '172.16.7.1 (172.16.7.1)' can't be established.
ECDSA key fingerprint is SHA256:v20whQz4a4zpTJQfny/CGG56fRnP3Dpx8g5CkeCtFpo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.7.1' (ECDSA) to the list of known hosts.
[email protected]'s password:
Linux debian 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 26 00:54:04 2020 from 172.16.7.2
[email protected]:~$

That marks the end of our guide on how to configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8.

Related tutorials

Connect to Cisco VPN with PCF File on Ubuntu

Configure IPSEC VPN with StrongSwan on Ubuntu 18.04

Install and setup an OpenVPN server on Fedora 29 / CentOS 7

Install Cisco AnyConnect Client on CentOS 8
