
Set up an IPSec VPN Site with Strongswan on Ubuntu


Today we are going to set up a site-to-site IPsec VPN with strongSwan, authenticated with a pre-shared key (PSK).

Once the tunnels are up, hosts in each location's private subnet will be able to reach the private IPs of the other location through the tunnel.

Get dependencies:

Update your repositories indexes and install strongswan:

$ sudo apt update && sudo apt upgrade -y
$ sudo apt install strongswan -y

Set the following kernel parameters. IP forwarding is required so the gateway can route between the tunnel and its local subnet; ICMP redirects are disabled so the gateway neither sends nor accepts routing hints that would bypass the tunnel:

$ sudo tee -a /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
$ sudo sysctl -p /etc/sysctl.conf

Generate a pre-shared key:

We will need a pre-shared key that is identical on both gateways:

$ openssl rand -base64 64
87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ

Note that openssl wraps base64 output at 64 characters; join the lines (or pipe the output through tr -d '\n') so the key is a single string, and copy exactly the same string to both sides.

Details of our two locations:

Location A:

Location: Paris, France
External IP: 51.15.139.201
Internal subnet: 10.10.27.1/24

Location B:

Location: Amsterdam, Netherlands
External IP: 51.15.44.48
Internal subnet: 10.9.141.1/24

Site Configuration A:

We will set up our VPN gateway in location A (Paris) first. Start with the /etc/ipsec.secrets file, which maps a pair of IKE identities (local, remote) to the PSK. The file holds the key in clear text, so it must be readable by root only (chmod 600):

$ cat /etc/ipsec.secrets
# local-id      remote-id   : PSK "key"
51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

Now set up the VPN configuration in /etc/ipsec.conf:

$ cat /etc/ipsec.conf
# basic configuration
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# connection to the Amsterdam data center
conn paris-to-amsterdam
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.1/24
    right=51.15.44.48
    rightsubnet=10.9.141.1/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

A few notes on these settings. The trailing "!" makes the proposal strict: both peers must offer exactly aes256-sha2_256-modp1024 for IKE and aes256-sha2_256 for ESP, otherwise negotiation fails. modp1024 (DH group 2) is a 1024-bit group and is considered weak today; if both peers support it, use modp2048 or an ECP group instead. charondebug="all" is very verbose and is fine while bringing the tunnel up, but should be reduced once it works. The dead peer detection settings (dpddelay/dpdtimeout/dpdaction=restart) make the gateway re-establish the tunnel when the peer stops answering, and keyingtries=0 means it retries forever.

Firewall rules:

The VPN gateway here is an ordinary host in the 10.10.27.0/24 subnet (10.10.27.161), not the subnet's default router, so other hosts in Paris have no route back to Amsterdam through it. Masquerading traffic that arrives from the Amsterdam subnet makes those hosts reply to the gateway instead:

$ sudo iptables -t nat -A POSTROUTING -s 10.9.141.0/24 -d 10.10.27.0/24 -j MASQUERADE

Site Configuration B:

Now we set up the VPN gateway in location B (Amsterdam), starting with the /etc/ipsec.secrets file (same key as in Paris, with the identities swapped):

$ cat /etc/ipsec.secrets
51.15.44.48 51.15.139.201 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

Then the VPN configuration, which mirrors the Paris one with left and right exchanged:

$ cat /etc/ipsec.conf
# basic configuration
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# connection to the Paris data center
conn amsterdam-to-paris
    authby=secret
    left=%defaultroute
    leftid=51.15.44.48
    leftsubnet=10.9.141.1/24
    right=51.15.139.201
    rightsubnet=10.10.27.1/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

Firewall rules:

$ sudo iptables -t nat -A POSTROUTING -s 10.10.27.0/24 -d 10.9.141.0/24 -j MASQUERADE
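Both gateways' files are hand-written above, which is where mismatched keys, swapped left/right values and subnet typos creep in. The following script, added here as an example and not part of the original article, renders the ipsec.secrets line, the conn block and the masquerade rule for each site from one set of variables, and prints a SHA-256 fingerprint of the PSK so the two sides can confirm they hold the same key without sending it over chat. It uses the article's site names and addresses; the function names are this example's own, and it swaps the article's modp1024 for modp2048 in the IKE proposal (noted in the code).

```shell
#!/bin/sh
# Added example (not from the article): render per-site strongSwan files for a
# PSK site-to-site tunnel from a handful of variables.  Run with "demo" to see
# both sites' output.  Function names are this example's own.
set -eu

# Generate a PSK without the line wrapping openssl inserts at 64 characters.
gen_psk() {
    openssl rand -base64 48 | tr -d '\n'
}

# Short fingerprint of the PSK, to be compared between the two gateways.
psk_fingerprint() {
    printf '%s' "$1" | sha256sum | cut -c1-16
}

# ipsec.secrets entry: <local-id> <remote-id> : PSK "<key>"
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# One conn block for ipsec.conf.  modp2048 replaces the article's modp1024;
# every other setting mirrors the article.
render_conn() {
    name=$1; local_id=$2; local_net=$3; remote_ip=$4; remote_net=$5
    cat <<EOF
conn $name
    authby=secret
    left=%defaultroute
    leftid=$local_id
    leftsubnet=$local_net
    right=$remote_ip
    rightsubnet=$remote_net
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
EOF
}

# The article's NAT rule: traffic arriving from the remote subnet is
# masqueraded as the local gateway so LAN hosts without a route back
# through the tunnel still answer.  $1 = remote subnet, $2 = local subnet.
render_nat() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j MASQUERADE\n' "$1" "$2"
}

# Everything one gateway needs.
# $1 conn name, $2 local id/ip, $3 local subnet, $4 remote ip, $5 remote subnet, $6 psk
render_site() {
    render_secrets "$2" "$4" "$6"
    echo
    render_conn "$1" "$2" "$3" "$4" "$5"
    echo
    render_nat "$5" "$3"
}

if [ "${1:-}" = "demo" ]; then
    PSK=$(gen_psk)
    echo "# PSK fingerprint (must match on both gateways): $(psk_fingerprint "$PSK")"
    echo "# --- Paris ---"
    render_site paris-to-amsterdam 51.15.139.201 10.10.27.0/24 51.15.44.48 10.9.141.0/24 "$PSK"
    echo "# --- Amsterdam ---"
    render_site amsterdam-to-paris 51.15.44.48 10.9.141.0/24 51.15.139.201 10.10.27.0/24 "$PSK"
fi
```

Adding a third peer (the Frankfurt case later in the article) is one more render_conn and render_secrets call with the same PSK or, preferably, a separate PSK per peer pair: ipsec.secrets is keyed on the identity pair, so nothing forces all sites to share one key.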

Start VPN:

Start the VPN from both ends:

$ sudo ipsec restart

Check the state of the tunnel; here we are logged in to the site A (Paris) gateway:

$ sudo ipsec status
Security Associations (1 up, 0 connecting):
paris-to-amsterdam[2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_o
paris-to-amsterdam{1}:   10.10.27.1/24 === 10.9.141.1/24

ESTABLISHED is the IKE SA, INSTALLED is the CHILD_SA that actually carries traffic, and the last line shows the negotiated traffic selectors. "ESP in UDP" means NAT traversal is in use: the gateway's local address is 10.10.27.161 while its IKE identity is the public 51.15.139.201, so ESP is encapsulated in UDP port 4500 rather than sent as raw ESP.

Test that a host in the far end's private subnet is reachable:

$ ping 10.9.141.97
PING 10.9.141.97 (10.9.141.97) 56(84) bytes of data.
64 bytes from 10.9.141.97: icmp_seq=1 ttl=64 time=14.6 ms

Enable the service at boot:

$ sudo systemctl enable strongswan

On newer Ubuntu releases the legacy ipsec.conf stack ships as the strongswan-starter package and its unit is named accordingly; check with systemctl list-unit-files 'strongswan*' if the name above is not found.

Your VPN should now be set up.

Other useful commands:

start/stop/status:

$ sudo ipsec up connection-name
$ sudo ipsec down connection-name
$ sudo ipsec restart
$ sudo ipsec status
$ sudo ipsec statusall

Get IPsec Tunnel Policies and Status:

$ sudo ip xfrm state
$ sudo ip xfrm policy

Reload secrets while the service is running:

$ sudo ipsec rereadsecrets

Check whether traffic is flowing through the tunnel:

$ sudo tcpdump esp

When the status output says "ESP in UDP" (NAT traversal), the packets on the wire are UDP port 4500 and the esp filter shows nothing; use sudo tcpdump udp port 4500 instead.
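The status check and the traffic capture above are the two things to automate once the tunnel is in production. The script below, added as an example and not part of the original article, parses ipsec status output to confirm the CHILD_SA is installed with the expected subnets, and picks the tcpdump filter that matches the encapsulation in use. The sample status text is constructed from the article's own output so it runs without a live tunnel; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): tunnel health check driven by
# `ipsec status` output.  Run with "demo" to check the embedded sample.
set -eu

# Constructed sample of what `sudo ipsec status` printed on the Paris gateway.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
paris-to-amsterdam[2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_o
paris-to-amsterdam{1}:   10.10.27.1/24 === 10.9.141.1/24'

# Does connection $2 have an INSTALLED CHILD_SA in status text $1?  0 = yes.
tunnel_installed() {
    printf '%s\n' "$1" | grep -q "^$2[{][0-9]*[}]: *INSTALLED"
}

# Print the traffic selectors ("local === remote") of connection $2.
tunnel_selectors() {
    printf '%s\n' "$1" | sed -n "s/^$2[{][0-9]*[}]: *\([0-9./]* === [0-9./]*\).*/\1/p"
}

# tcpdump filter that will actually show the tunnel's packets: with NAT
# traversal ("ESP in UDP") they are UDP/4500 and a plain esp filter is empty.
capture_filter() {
    if printf '%s\n' "$1" | grep -q "^$2[{][0-9]*[}]:.*ESP in UDP"; then
        echo 'udp port 4500'
    else
        echo 'esp'
    fi
}

# Health check for cron or monitoring: exit 0 only when the CHILD_SA is
# installed and carries the expected subnets.
# $1 status text, $2 connection name, $3 expected "local === remote"
check_tunnel() {
    status=$1; name=$2; expected=$3
    if ! tunnel_installed "$status" "$name"; then
        echo "$name: no installed CHILD_SA" >&2
        return 1
    fi
    got=$(tunnel_selectors "$status" "$name")
    if [ "$got" != "$expected" ]; then
        echo "$name: selectors '$got' differ from expected '$expected'" >&2
        return 2
    fi
    echo "$name: up ($got); capture with: tcpdump -ni any $(capture_filter "$status" "$name")"
}

# Live use on a gateway:
#   check_tunnel "$(sudo ipsec status)" paris-to-amsterdam '10.10.27.1/24 === 10.9.141.1/24'
if [ "${1:-}" = "demo" ]; then
    check_tunnel "$SAMPLE_STATUS" paris-to-amsterdam '10.10.27.1/24 === 10.9.141.1/24'
fi
```

Checking the selectors, not just INSTALLED, catches the case where a peer's config was edited to a narrower or wrong subnet and the tunnel came up anyway, which a plain ping from the gateway itself can miss.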

Add more connections to your config:

If you have to add another site, the ipsec.secrets file on Paris gets one line per peer (each line is keyed on the local/remote identity pair, so each peer can also have its own key):

$ cat /etc/ipsec.secrets
51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
51.15.139.201 51.15.87.41 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

and ipsec.conf:

$ cat /etc/ipsec.conf
# basic configuration
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# connection to the Amsterdam data center
conn paris-to-amsterdam
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.1/24
    right=51.15.44.48
    rightsubnet=10.9.141.1/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

# connection to the Frankfurt data center
conn paris-to-frankfurt
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.1/24
    right=51.15.87.41
    rightsubnet=10.9.137.1/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

Remember to apply the matching configuration on the Frankfurt VPN gateway. With both connections up, the status output on Paris looks like this:

$ sudo ipsec status
Security Associations (2 up, 0 connecting):
paris-to-frankfurt[2]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.87.41[51.15.87.41]
paris-to-frankfurt{1}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc62a1f_i c95b8f78_o
paris-to-frankfurt{1}:   10.10.27.1/24 === 10.9.137.1/24
paris-to-amsterdam[1]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7b36756_i cc54053c_o
paris-to-amsterdam{2}:   10.10.27.1/24 === 10.9.141.1/24
