Connect with us

Hi, what are you looking for?

Internet

Configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8

Configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8

– đź‘Ś

Follow this tutorial to learn how to configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8. Our previous tutorial provided a step-by-step guide on how to setup strongSwan VPN Server on Debian 10 Buster.

Follow the link below to learn how to install and setup strongSwan VPN Server on Debian 10 Buster.

Set up IPSEC VPN with StrongSwan on Debian 10

Once you have the strongSwan VPN server setup, you can now proceed to test the IP assignment and the local connection via the VPN server.

In this demo, we are using Ubuntu 18.04 and CentOS 8 as powerful test clients for our VPN.

Configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8

Install strongSwan on Ubuntu 18.04

strongSwan and add-ons can be installed on Ubuntu 18.04 by running the command below;

apt updateapt install strongswan libcharon-extra-plugins

Install strongSwan on CentOS 8

strongSwan packages are provided by EPEL repositories on CentOS 8 and similar derivatives. Hence, start by installing EPEL repos;

dnf install epel-releasenf updatednf install strongswan strongswan-charon-nm

Install a strongSwan VPN Server CA certificate on the client

Copy the strongSwan CA certificate generated above, /etc/ipsec.d/cacerts/vpn_ca_cert.pem for client servers and ;

  • Put it in the /etc/ipsec.d/cacerts/ directory on Ubuntu 18.04
  • Put it in the /etc/strongswan/ipsec.d/cacerts directory on CentOS 8.

Configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8

on Ubuntu 18.04;

Update the /etc/ipsec.conf configuration file to specify how to connect to the strongSwan VPN server. See configuration file below;

Discover  mac catalina VPN connection - Cisco community

vim /etc/ipsec.confconn ipsec-ikev2-vpn-client auto = start right = vpnsvr.kifarunix-demo.com rightid = vpnsvr.kifarunix-demo.com rightsubnet = 0.0.0.0 / 0 rightauth = pubkey leftsourceip =% config
left = vpnsecure
left = eap-mschapv2 eap_identity = %identity

Setup authentication secrets

vim /etc/ipsec.secrets …
# User ID: EAP secret
vpnsecure: EAP”[email protected]”

# This file is managed with debconf and will contain the auto-generated private key including /var/lib/strongswan/ipsec.secrets.inc

Save the configuration file and restart the strongswan file.

restart systemctl strongswan

disable strongSwan from running on system boot;

systemctl disable strongswan

Check Status

ipsec statusall security associations (1 up, 0 connection): ipsec-ikev2-vpn-client[1]: Founded 1 minute ago, 10.0.2.15[vpnsecure]… 192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client 1: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cc36db97_i cb5ceb5b_o ipsec-ikev2-vpn-client 1: 172.16.7.1/32 === 0.0.0.0/0

on CentOS 8;

Update the /etc/strongswan/ipsec.conf configuration file to specify how to connect to the strongSwan VPN server.

vim /etc/strongswan/ipsec.confconn ipsec-ikev2-vpn-client auto = start right = vpnsvr.kifarunix-demo.com rightid = vpnsvr.kifarunix-demo.com rightsubnet = 0.0.0.0 / 0 rightauth = pubkey leftsourceip =% configuration
left = koromicha
left = eap-mschapv2 eap_identity = %identity

Next, open the /etc/strongswan/ipsec.secrets configuration file and set up the EAP authentication details exactly as they are specified on the server.

vim /etc/strongswan/ipsec.secrets# User ID: EAP secret
koromicha: EAP “mypassword”

Restart the mighty swan.

restart systemctl strongswan

disable strongSwan from running on system boot;

systemctl disable strongswan

Check VPN connection status

Security Assemblies (1 up, 0 connection): ipsec-ikev2-vpn-client[1]: Founded 2 minutes ago, 10.0.2.15[vpnsecure]… 192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client 1: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c573b6a1_i cd8306eb_o ipsec-ikev2-vpn-client 1: 172.16.7.2/32 === 0.0.0.0/0

On a powerful VPN server, check status;

Discover  Cisco Anyconnect Secure Mobility Client Mac Os Catalina

In this demo, our strongSwan VPN server is running on Debian 10 Buster. Hence, you can check the status as shown below;

Security associations (2 up, 0 connected): ipsec-ikev2-vpn[4]: Founded 18 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]… 192.168.56.1[koromicha]
ipsec-ikev2-vpn 4: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c4e5f1c2_i c8e1a02f_o
ipsec-ikev2-vpn 4: 0.0.0.0/0 === 172.16.7.2/32
ipsec-ikev2-vpn[3]: founded 21 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]… 192.168.56.1[vpnsecure]
ipsec-ikev2-vpn 3: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7a4ee1d_i c558073b_o
ipsec-ikev2-vpn 3: 0.0.0.0/0 === 172.16.7.1/32

VPN Client Connection Test

Now that we have two clients we have assigned their individual addresses;

  • Ubuntu 18.04 OS: 172.16.7.1
  • CentOS 8: 172.16.7.2

To test the connection, you can simply run a ping test.

From Ubuntu 18.04, ping CentOS 8;

ping 172.16.7.2 PING 172.16.7.2 (172.16.7.2) 56 (84) bytes of data. 64 bytes of 172.16.7.2: icmp_seq = 1 ttl = 64 time = 3.18 ms 64 bytes of 172.16.7.2: icmp_seq = 2 ttl = 64 time = 4.15 ms 64 bytes of 172.16.7.2: icmp_seq = 3 ttl = 64 time = 3.47 ms 64 bytes of 172.16.7.2: icmp_seq = 4 ttl = 64 Time = 3.61 ms – 172.16.7.2 ping stats – 4 packets sent, 4 received, 0% packet loss, time 10ms rtt min / avg / max / mdev = 3.176 / 3.602 / 4.154 / 0.360 milliseconds

From CentOS 8, ping Ubuntu 18.04.

ping 172.16.7.1 PING 172.16.7.1 (172.16.7.1) 56 (84) bytes of data. 64 bytes of 172.16.7.1: icmp_seq = 1 ttl = 64 time = 3.24 ms 64 bytes of 172.16.7.1: icmp_seq = 2 ttl = 64 time = 4.37 ms 64 bytes of 172.16.7.1: icmp_seq = 3 ttl = 64 time = 4.08 ms 64 bytes of 172.16.7.1: icmp_seq = 4 ttl = 64 Time = 3.43 ms — 172.16.7.1 ping statistics – 4 packets sent, 4 received, 0% packet loss, time 9ms rtt min / avg / max / mdev = 3.237 / 3.780 / 4.371 / 0.462 ms

Discover  Private Internet Access (Free Version) Download for PC

Tried SSH both sides;

ssh [email protected]The “172.16.7.2 (172.16.7.2)” host cannot be authenticated. The ECDSA key fingerprint is SHA256: wKoh / MWvCicV6cEe6jY19AkcBgk1lyjZorQt3aqflJM. Are you sure you want to continue the connection (Yes / No)? Yes Warning: “172.16.7.2” (ECDSA) has been permanently added to the list of known hosts.
[email protected]Password for:
[[email protected] ~]$ssh [email protected]The “172.16.7.1 (172.16.7.1)” host cannot be authenticated. The ECDSA key fingerprint is SHA256: v20whQz4a4zpTJQfny / CGG56fRnP3Dpx8g5CkeCtFpo. Are you sure you want to continue the connection (Yes / No)? Yes Warning: “172.16.7.1” (ECDSA) has been permanently added to the list of known hosts.
[email protected]Linux password debian 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 Software included with Debian GNU/Linux are freeware; Exact distribution terms for each program are described in the individual files at /usr/share/doc/*/copyright. Debian GNU/Linux is available absolutely without warranty, to the extent permitted by applicable law. Last login: Wed Feb 26 00:54:04 2020 from 172.16.7.2
[email protected]: ~ $

That marks the end of our guide on how to configure strongSwan VPN Client on Ubuntu 18.04 / CentOS 8.

Related tutorials

Connect to Cisco VPN with PCF File on Ubuntu

Configure IPSEC VPN with StrongSwan on Ubuntu 18.04

Install and setup an OpenVPN server on Fedora 29 / CentOS 7

Install Cisco AnyConnect Client on CentOS 8


Don’t forget to share this post with friends !

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Related

Internet

AnyConnect: Install a self-signed certificate as a trusted source 👨‍💻 kmgmt-2879-cbs-220-config-security-port objective The goal of this article is to walk you through creating and...

Internet

ITProPortal . Portal 👨‍💻 We live in a dynamic moment in terms of technology. Even criminals are becoming more technically savvy and are using...

Internet

Avira Free Antivirus Review for Mac / Windows and Android are the most common targets for malware programmers, but that doesn’t mean macOS is...

Internet

Avira Free Security Review You need antivirus protection on all of your devices, whether you’ve budgeted for it or not. If ready cash is...