Set up an IPSec VPN Site with Strongswan on Ubuntu
Today we are going to set up a site-to-site IPsec VPN with strongSwan, configured with pre-shared key (PSK) authentication.
Once the tunnels are up, hosts at each site will be able to reach the other site's private IPs through the VPN tunnel.
Get dependencies:
Update your repository indexes and install strongswan:
$ sudo apt update && sudo apt upgrade -y
$ sudo apt install strongswan -y
Set the following kernel parameters (enable IP forwarding, disable ICMP redirects) and apply them:
$ sudo tee -a /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
$ sudo sysctl -p /etc/sysctl.conf
Generate a pre-shared key:
We need a pre-shared key that both servers will use:
$ openssl rand -base64 64
87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ
Our two locations' details:
Location A:
  Location: Paris, France
  External IP: 51.15.139.201
  Internal IP: 10.10.27.1/24
Location B:
  Location: Amsterdam, Netherlands
  External IP: 51.15.44.48
  Internal IP: 10.9.141.1/24
Site Configuration A:
We will set up our VPN gateway in location A (Paris). First, the /etc/ipsec.secrets file, which holds the PSK for the pair of gateway addresses:
$ cat /etc/ipsec.secrets
# source destination
51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
Now set up the VPN configuration in /etc/ipsec.conf:
$ cat /etc/ipsec.conf
# basic configuration
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# connection to the Amsterdam datacenter
conn paris-to-amsterdam
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.1/24
    right=51.15.44.48
    rightsubnet=10.9.141.1/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
Firewall rules:
$ sudo iptables -t nat -A POSTROUTING -s 10.9.141.0/24 -d 10.10.27.0/24 -j MASQUERADE
Site Configuration B:
We will set up our VPN gateway in location B (Amsterdam), starting with the /etc/ipsec.secrets file (same PSK, addresses in the opposite order):
$ cat /etc/ipsec.secrets
51.15.44.48 51.15.139.201 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
Then the VPN configuration, which mirrors site A (left and right swapped):
$ cat /etc/ipsec.conf
# basic configuration
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# connection to the Paris datacenter
conn amsterdam-to-paris
    authby=secret
    left=%defaultroute
    leftid=51.15.44.48
    leftsubnet=10.9.141.1/24
    right=51.15.139.201
    rightsubnet=10.10.27.1/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
Firewall rules:
$ sudo iptables -t nat -A POSTROUTING -s 10.10.27.0/24 -d 10.9.141.0/24 -j MASQUERADE
Start VPN:
Start the VPN from both ends:
$ sudo ipsec restart
Get the state of the tunnel; in this case we log into our site A (Paris) server:
$ sudo ipsec status
Security Associations (1 up, 0 connecting):
paris-to-amsterdam[2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_o
paris-to-amsterdam{1}:   10.10.27.1/24 === 10.9.141.1/24
Test whether we can reach a host at the far end on its private address:
$ ping 10.9.141.97
PING 10.9.141.97 (10.9.141.97) 56(84) bytes of data.
64 bytes from 10.9.141.97: icmp_seq=1 ttl=64 time=14.6 ms
Enable the service so it starts on boot:
$ sudo systemctl enable strongswan
Your VPN should now be set up.
Other useful commands:
Start/stop/status:
$ sudo ipsec up connection-name
$ sudo ipsec down connection-name
$ sudo ipsec restart
$ sudo ipsec status
$ sudo ipsec statusall
Get IPsec tunnel policies and state from the kernel:
$ sudo ip xfrm state
$ sudo ip xfrm policy
Re-read ipsec.secrets while the service is running:
$ sudo ipsec rereadsecrets
Check if traffic is flowing through the tunnel:
$ sudo tcpdump esp
Add more connections to your config:
If you need to add another site, the ipsec.secrets file would look like this (one line per peer gateway):
$ cat /etc/ipsec.secrets
51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
51.15.139.201 51.15.87.41 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
and ipsec.conf:
$ cat /etc/ipsec.conf
# basic configuration
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# connection to the Amsterdam datacenter
conn paris-to-amsterdam
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.161/32
    right=51.15.44.48
    rightsubnet=10.9.141.97/32
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

# connection to the Frankfurt datacenter
conn paris-to-frankfurt
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.1/24
    right=51.15.87.41
    rightsubnet=10.9.137.1/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
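A mismatch between the two sides (swapped subnets, a different proposal string, a PSK that differs by one character) only shows up as a failed IKE negotiation, so it is worth checking the files before starting the daemon. The following Python check is an added example, not code from the original post or from strongSwan: it parses two peers' ipsec.conf and ipsec.secrets and reports every way their conn blocks fail to mirror each other (leftid/leftsubnet on one side must equal right/rightsubnet on the other, proposals and PSK must be identical). It serves both the two-site setup above and the multi-site one; function names, the command-line layout and the conn_text helper are my own.

```python
import re, sys

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' block in an ipsec.conf."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif line.startswith("config "):
            cur = None                                # 'config setup' is not a conn
        elif cur is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
    return conns

def parse_secrets(text):
    """Return {(id1, id2): psk} for each '<id1> <id2> : PSK "..."' line."""
    pat = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')
    return {(m[1], m[2]): m[3] for m in map(pat.match, text.splitlines()) if m}

def check_pair(conf_a, secrets_a, conn_a, conf_b, secrets_b, conn_b):
    """List every way the two peers' conn blocks and PSK entries fail to mirror."""
    a, b = parse_conns(conf_a)[conn_a], parse_conns(conf_b)[conn_b]
    problems = []
    # leftid/leftsubnet on one side must equal right/rightsubnet on the other
    for ka, kb in (("leftid", "right"), ("right", "leftid"),
                   ("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if a.get(ka) != b.get(kb):
            problems.append(f"{conn_a}.{ka}={a.get(ka)} vs {conn_b}.{kb}={b.get(kb)}")
    # IKE/ESP proposals must be identical or negotiation ends in NO_PROPOSAL_CHOSEN
    for key in ("ike", "esp"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    # both secrets files must hold the same PSK for this pair of gateway ids
    psk_a = parse_secrets(secrets_a).get((a.get("leftid"), a.get("right")))
    psk_b = parse_secrets(secrets_b).get((b.get("leftid"), b.get("right")))
    if psk_a is None or psk_b is None or psk_a != psk_b:
        problems.append("PSK missing or different in the two ipsec.secrets files")
    return problems

def conn_text(name, **kv):  # build a conn block from keywords (used to construct demo input)
    return f"conn {name}\n" + "".join(f"    {k}={v}\n" for k, v in kv.items())

if __name__ == "__main__":  # usage: check_sites.py confA secretsA connA confB secretsB connB
    ca, sa, na, cb, sb, nb = sys.argv[1:7]
    for problem in check_pair(open(ca).read(), open(sa).read(), na,
                              open(cb).read(), open(sb).read(), nb):
        print("MISMATCH:", problem)
```

Copy the remote site's two files over (or run it from a host that holds both) and an empty output means the two sides agree; the check deliberately reads only key=value lines, so it ignores charondebug and the other config setup options.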
Remember to configure the matching connection on the Frankfurt VPN gateway; the status output would then look like this:
$ sudo ipsec status
Security Associations (2 up, 0 connecting):
paris-to-frankfurt[2]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.87.41[51.15.87.41]
paris-to-frankfurt{1}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc62a1f_i c95b8f78_o
paris-to-frankfurt{1}:   10.10.27.1/24 === 10.9.137.1/24
paris-to-amsterdam[1]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7b36756_i cc54053c_o
paris-to-amsterdam{2}:   10.10.27.1/24 === 10.9.141.1/24
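The status output above is the place to watch: an IKE SA that is ESTABLISHED with no INSTALLED CHILD SA means the peers authenticated but no ESP tunnel exists, and a conn missing from the list means the tunnel is down. As an added example (my own code, not part of the original post or of strongSwan), the Python below reduces the output of ipsec status to one record per conn and raises an alert for every expected tunnel that is not fully up with the right subnets; the sample text is constructed from the tutorial's two-site output, and the EXPECTED table, function names and the stdin usage are my assumptions.

```python
import re, sys

IKE_SA = re.compile(r"^(\S+)\[\d+\]:\s+(\w+)(?:\s+(.+?)\s+ago)?,\s+\S+\[(\S+)\]\.\.\.\S+\[(\S+)\]")
CHILD_SA = re.compile(r"^(\S+)\{\d+\}:\s+(\w+),\s+(\w+),\s+reqid\s+(\d+)")
SELECTORS = re.compile(r"^(\S+)\{\d+\}:\s+(\S+)\s+===\s+(\S+)\s*$")

def parse_status(text):
    """Reduce 'ipsec status' output to {conn: {ike, child, mode, selectors, ...}}."""
    conns = {}
    for line in text.splitlines():
        if m := IKE_SA.match(line):            # IKE SA: name[id]: STATE ... ago, a[id]...b[id]
            c = conns.setdefault(m[1], {"selectors": []})
            c.update(ike=m[2], age=m[3], local_id=m[4], remote_id=m[5])
        elif m := CHILD_SA.match(line):        # CHILD SA: name{id}: INSTALLED, TUNNEL, reqid N
            c = conns.setdefault(m[1], {"selectors": []})
            c.update(child=m[2], mode=m[3], reqid=int(m[4]))
        elif m := SELECTORS.match(line):       # traffic selectors: name{id}: local === remote
            conns.setdefault(m[1], {"selectors": []})["selectors"].append((m[2], m[3]))
    return conns

def tunnel_alerts(text, expected):
    """Alerts for each expected conn {name: (local_subnet, remote_subnet)} not fully up."""
    seen, alerts = parse_status(text), []
    for conn, (local, remote) in expected.items():
        st = seen.get(conn)
        if st is None:
            alerts.append(f"{conn}: no SA present, tunnel is down")
        elif st.get("ike") != "ESTABLISHED":
            alerts.append(f"{conn}: IKE SA is {st.get('ike')}, not ESTABLISHED")
        elif st.get("child") != "INSTALLED":
            alerts.append(f"{conn}: IKE up but no INSTALLED CHILD SA, no ESP traffic will flow")
        elif (local, remote) not in st["selectors"]:
            alerts.append(f"{conn}: selectors {st['selectors']} do not carry {local} === {remote}")
    return alerts

# Constructed sample, modelled on the tutorial's two-site status output.
SAMPLE_STATUS = """Security Associations (2 up, 0 connecting):
paris-to-frankfurt[2]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.87.41[51.15.87.41]
paris-to-frankfurt{1}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc62a1f_i c95b8f78_o
paris-to-frankfurt{1}:   10.10.27.1/24 === 10.9.137.1/24
paris-to-amsterdam[1]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7b36756_i cc54053c_o
paris-to-amsterdam{2}:   10.10.27.1/24 === 10.9.141.1/24
"""
EXPECTED = {"paris-to-amsterdam": ("10.10.27.1/24", "10.9.141.1/24"),
            "paris-to-frankfurt": ("10.10.27.1/24", "10.9.137.1/24")}

if __name__ == "__main__":                     # live use: sudo ipsec status | python3 tunnel_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    print("\n".join(tunnel_alerts(text, EXPECTED)) or "all tunnels up")
```

Run from cron or a monitoring agent, a non-empty alert list is the signal to look at /var/log/syslog (charondebug="all" makes charon's negotiation log verbose) before users notice the cross-site routes have gone.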