Fortunately, strongSwan is available in the default Ubuntu 18.04 repositories and can simply be installed by running the command below:

```bash
apt install strongswan libcharon-extra-plugins
```

### Setup CA Using the strongSwan PKI Tool
In order for the VPN client to verify the authenticity of the VPN server, you need to generate the VPN server certificate and key. Before you can generate the server certificate and key, you have to create a local CA for signing them. strongSwan provides a PKI utility that eases this process; install it by running the command below:

```bash
apt install strongswan-pki
```

Once the installation is done, proceed to create the CA. To begin with, generate a private key for self-signing the CA certificate.
```bash
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-ca.key.pem
```

Ensure that you accord this key the absolute privacy it deserves: it is the root of trust for every certificate you issue with it.
Generate the VPN server CA certificate and self-sign it with the key generated above.

```bash
ipsec pki --self --in vpn-ca.key.pem --type rsa --dn "CN=VPN Server root CA" --ca --lifetime 3650 --outform pem > vpn-ca.cert.pem
```

Next, generate a VPN server private key and issue a matching certificate using the CA created above.
```bash
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-server.key.pem
```

Once you have the server key in place, generate the server certificate by running the command below. Be sure to replace the DN and SAN accordingly; the SAN is what clients will match the server identity (`leftid`) against.

```bash
ipsec pki --pub --in vpn-server.key.pem --type rsa \
  | ipsec pki --issue --lifetime 2750 \
      --cacert vpn-ca.cert.pem \
      --cakey vpn-ca.key.pem \
      --dn "CN=vpnsvr.example.com" \
      --san="vpnsvr.example.com" \
      --flag serverAuth --flag ikeIntermediate --outform pem > vpn-server.cert.pem
```

### Install the certificates
Now that you have all the certificates, install them by moving them to the respective IPsec certificate directories under `/etc/ipsec.d`.

```bash
mv vpn-ca.cert.pem /etc/ipsec.d/cacerts/
mv vpn-server.cert.pem /etc/ipsec.d/certs/
mv {vpn-ca.key.pem,vpn-server.key.pem} /etc/ipsec.d/private/
```

### Configure strongSwan on Ubuntu 18.04
The `/etc/ipsec.conf` configuration file specifies most configuration and control information for the strongSwan IPsec subsystem. It consists of three different section types:

- CONFIG SECTIONS (`config setup`): define general configuration parameters.
- CONN SECTIONS (`conn <name>`): a conn section contains a connection specification, defining a network connection to be made using IPsec.
- CA SECTIONS (`ca <name>`): define a certification authority.

Before you can configure this file, make a backup of it.
```bash
cp /etc/ipsec.conf /etc/ipsec.conf.bak
vim /etc/ipsec.conf
```

Define the CONFIGURATION parameters:

```conf
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=no
    uniqueids=yes
    cachecrls=no
```
- The `charondebug = <debug list>` parameter defines the charon debug logging, where the debug list can be dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts. The logging level can be one of -1, 0, 1, 2, 3, 4 (for silent, audit, control, controlmore, raw, private). By default, the level is set to 1 for all types. For a description of the debug lists, check the LOGGER CONFIGURATION section of `strongswan.conf(5)`.
- The `strictcrlpolicy` parameter defines whether a fresh CRL must be available in order for peer authentication based on RSA signatures to succeed.
- `uniqueids` defines whether a particular participant ID should be kept unique.
- `cachecrls` defines whether or not to cache the certificate revocation lists (CRLs) fetched via HTTP or LDAP.

Define the CONNECTION parameters:
```conf
conn ipsec-ikev2-vpn
    auto=add
    compress=no
    type=tunnel                  # defines the type of connection, tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpnsvr.example.com   # if using an IP address, define it without the @ sign
    leftcert=vpn-server.cert.pem # reads the VPN server cert in /etc/ipsec.d/certs
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.7.0/24   # IP address pool to be assigned to the clients
    rightdns=8.8.8.8             # DNS server to be assigned to clients
    rightsendcert=never
    eap_identity=%identity       # defines the identity the client uses to reply to an EAP Identity request
```

To see a comprehensive description of the connection parameters and the values used in the above configuration, see `man ipsec.conf`.

Next, you need to configure client-server authentication credentials. The authentication credentials are set in the `/etc/ipsec.secrets` configuration file. Open this file and define the RSA private key used for authentication. You can also set up the EAP user credentials by defining a username and its password. **Note the spacing.**

```bash
vim /etc/ipsec.secrets
```

```conf
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA vpn-server.key.pem      # VPN server key generated above

# <user id> : EAP <secret>
vpnsecure : EAP "P@sSw0Rd"    # random username and password
```

Save the configuration file and restart strongSwan for the changes to take effect.
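Before you restart, it is worth sanity-checking the file rather than waiting for a client to fail. The following is an added example (it is not part of the original guide and not strongSwan code): a small parser for the three `ipsec.conf` section types described above, followed by a review of the settings that matter for this EAP-over-certificate setup. The `SAMPLE_CONF` text is a constructed, abridged copy of the server configuration above, and `parse_ipsec_conf` / `review_server` are this example's own names.

```python
"""Parse an ipsec.conf and review the server-side settings used in this guide.

Added example, not part of the original post or of strongSwan. It reads
'config setup', 'conn <name>' and 'ca <name>' sections using the file's
indentation-based layout, then applies the checks a reviewer would make
before exposing the VPN to the Internet.
"""
import re

CHARONDEBUG_LEVELS = {-1: "silent", 0: "audit", 1: "control",
                      2: "controlmore", 3: "raw", 4: "private"}

# Constructed sample (abridged) mirroring the server configuration above.
SAMPLE_CONF = """\
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=no
    uniqueids=yes
    cachecrls=no

conn ipsec-ikev2-vpn
    auto=add
    type=tunnel               # defines the type of connection, tunnel
    keyexchange=ikev2
    left=%any
    leftid=@vpnsvr.example.com
    leftcert=vpn-server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.7.0/24
    rightsendcert=never
    eap_identity=%identity
"""


def parse_ipsec_conf(text):
    """Return {"config": {...}, "conn": {name: {...}}, "ca": {name: {...}}}.

    Trailing '# ...' comments are stripped and surrounding quotes removed,
    so the commented layout used in this guide parses cleanly.
    """
    sections = {"config": {}, "conn": {}, "ca": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line: section header
            kind, _, name = line.strip().partition(" ")
            if kind == "config":                  # 'config setup'
                current = sections["config"]
            elif kind in ("conn", "ca"):
                current = sections[kind].setdefault(name.strip(), {})
            else:
                raise ValueError("unknown section header: %r" % line)
            continue
        if current is None:
            raise ValueError("parameter before any section: %r" % line)
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError("malformed parameter: %r" % line)
        current[key.strip()] = value.strip().strip('"')
    return sections


def review_server(sections, conn_name, server_fqdn):
    """Return a list of findings (empty when the settings look as intended)."""
    findings = []
    setup = sections["config"]
    conn = sections["conn"][conn_name]
    # charondebug levels 3 (raw) and 4 (private) write packet contents and
    # key material to the log; keep them for short debugging sessions only.
    for subsys, level in re.findall(r"(\w+)\s+(-?\d)", setup.get("charondebug", "")):
        if int(level) >= 3:
            findings.append("charondebug: %s at level %s (%s) logs sensitive data"
                            % (subsys, level, CHARONDEBUG_LEVELS[int(level)]))
    if setup.get("strictcrlpolicy", "no") == "no":
        findings.append("strictcrlpolicy=no: peer authentication succeeds without a fresh CRL")
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange: expected ikev2")
    # The identity in leftid must match the SAN of the certificate the server
    # presents (the --san value given when the certificate was issued).
    if conn.get("leftid", "").lstrip("@") != server_fqdn:
        findings.append("leftid does not match the server certificate SAN %s" % server_fqdn)
    if conn.get("rightauth") == "eap-mschapv2":
        # With EAP-only client authentication the server certificate is the
        # client's only protection against a rogue responder, so the server
        # must authenticate with its certificate and always send it.
        if conn.get("leftauth", "pubkey") != "pubkey" or "leftcert" not in conn:
            findings.append("server side must authenticate with a certificate (leftcert)")
        if conn.get("leftsendcert") != "always":
            findings.append("leftsendcert should be 'always' so EAP clients receive the cert")
    return findings


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    for finding in review_server(conf, "ipsec-ikev2-vpn", "vpnsvr.example.com"):
        print("finding:", finding)
```

Run against the configuration above it reports one finding, `strictcrlpolicy=no`, which matches the description of that parameter: with the setting as shown, a missing CRL does not stop a revoked certificate from authenticating. The parser strips everything after `#`, so do not feed it a file whose values legitimately contain that character.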
```bash
systemctl restart strongswan
```

To verify that strongSwan has loaded the server certificate together with its private key, run the command below:

```bash
ipsec listcerts
```

```
List of X.509 End Entity Certificates

  subject:  "CN=vpnsvr.example.com"
  issuer:   "CN=VPN Server root CA"
  validity:  not before Feb 09 20:27:18 2019, ok
             not after  Aug 21 20:27:18 2026, ok (expires in 2749 days)
  serial:    56:e5:08:a6:db:f6:6b:d0
  altNames:  vpnsvr.example.com
  flags:     serverAuth ikeIntermediate
  authkeyId: 68:40:92:5b:53:c4:99:18:3e:7e:cb:6b:5b:32:d5:05:f7:de:88:74
  subjkeyId: 09:2f:bd:61:bd:47:1b:c8:13:e0:2f:65:c0:9f:12:7b:0e:e8:c4:9b
  pubkey:    RSA 4096 bits, has private key
  keyid:     75:72:19:89:62:97:27:55:a0:4f:68:be:6a:c9:14:98:04:87:be:a3
  subjkey:   09:2f:bd:61:bd:47:1b:c8:13:e0:2f:65:c0:9f:12:7b:0e:e8:c4:9b
```

The `has private key` note on the `pubkey` line and the `altNames` entry matching the `leftid` configured above are the two things to look for here.

### Configure Firewall and Routing
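Reading that listing by eye works once; on a server whose certificate will be renewed it is better scripted. The following added example (not from the original guide and not strongSwan code) parses the `ipsec listcerts` text format shown above and checks what IKEv2 peer authentication needs: the configured `leftid` appears in the certificate's subjectAltName, the private key is loaded, the `serverAuth` flag is present, and the certificate is not about to expire. `SAMPLE_LISTCERTS` is a constructed copy of the listing above; `parse_listcerts` and `check_server_cert` are names chosen for this example.

```python
"""Check the certificate strongSwan loaded, from `ipsec listcerts` output.

Added example, not part of the original guide or of strongSwan.
"""
from datetime import datetime, timedelta
import re

# Constructed sample in the layout printed by `ipsec listcerts` above.
SAMPLE_LISTCERTS = """\
List of X.509 End Entity Certificates

  subject:  "CN=vpnsvr.example.com"
  issuer:   "CN=VPN Server root CA"
  validity:  not before Feb 09 20:27:18 2019, ok
             not after  Aug 21 20:27:18 2026, ok (expires in 2749 days)
  serial:    56:e5:08:a6:db:f6:6b:d0
  altNames:  vpnsvr.example.com
  flags:     serverAuth ikeIntermediate
  authkeyId: 68:40:92:5b:53:c4:99:18:3e:7e:cb:6b:5b:32:d5:05:f7:de:88:74
  subjkeyId: 09:2f:bd:61:bd:47:1b:c8:13:e0:2f:65:c0:9f:12:7b:0e:e8:c4:9b
  pubkey:    RSA 4096 bits, has private key
  keyid:     75:72:19:89:62:97:27:55:a0:4f:68:be:6a:c9:14:98:04:87:be:a3
  subjkey:   09:2f:bd:61:bd:47:1b:c8:13:e0:2f:65:c0:9f:12:7b:0e:e8:c4:9b
"""

# Matches the two validity lines: "not before <stamp>" and "not after <stamp>".
STAMP = re.compile(r"not (before|after)\s+(\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})")


def parse_listcerts(text):
    """Return one dict per certificate; a new block starts at each 'subject:'."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject:"):
            cur = {"subject": line.split(":", 1)[1].strip().strip('"')}
            certs.append(cur)
            continue
        if cur is None or not line:
            continue
        m = STAMP.search(line)          # 'validity:' line and its continuation
        if m:
            cur["not_" + m.group(1)] = datetime.strptime(m.group(2), "%b %d %H:%M:%S %Y")
            continue
        key, sep, value = line.partition(":")
        if not sep or " " in key:       # skip anything that is not 'key: value'
            continue
        value = value.strip().strip('"')
        if key == "altNames":
            cur[key] = [n.strip() for n in value.split(",")]
        elif key == "flags":
            cur[key] = value.split()
        else:
            cur[key] = value
    return certs


def check_server_cert(cert, server_id, now, min_days=30):
    """Return problems that would stop clients authenticating this server.

    server_id is the leftid from ipsec.conf; strongSwan matches an FQDN
    identity (the '@' form) against the certificate's subjectAltName.
    now may be a datetime or an ISO date string such as '2019-02-10'.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    problems = []
    ident = server_id.lstrip("@")
    if ident not in cert.get("altNames", []):
        problems.append("identity %s is not in altNames %s" % (ident, cert.get("altNames")))
    if "has private key" not in cert.get("pubkey", ""):
        problems.append("no private key loaded for this certificate")
    if "serverAuth" not in cert.get("flags", []):
        problems.append("certificate lacks the serverAuth flag")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("certificate not valid at %s" % now)
    elif cert["not_after"] - now < timedelta(days=min_days):
        problems.append("certificate expires within %d days" % min_days)
    return problems


if __name__ == "__main__":
    for cert in parse_listcerts(SAMPLE_LISTCERTS):
        print(cert["subject"], check_server_cert(cert, "@vpnsvr.example.com", datetime.now()))
```

The identity check is the one that bites most often: a certificate issued with a different `--san` than the `leftid` in `ipsec.conf` loads fine, as above, but clients reject the server at authentication time.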
Set UFW to allow and forward the VPN traffic. For IPsec to work through the firewall, you need to open UDP ports 500 and 4500.

```bash
ufw allow 500/udp   # IKE (ISAKMP) negotiation traffic
ufw allow 4500/udp  # IKE and ESP encapsulated in UDP for clients behind NAT
```

Find the default routing interface:
```bash
ip route show default
```

```
default via 10.0.2.2 dev enp0s3
```

So the interface, enp0s3, is the default routing interface.
Next, edit `/etc/ufw/before.rules` so that your configuration looks like the one below. **Replace the IP pool and the default route interface accordingly.** The additions are the `*nat` and `*mangle` tables inserted immediately before `*filter`, and the two `ufw-before-forward` rules inserted after the required lines.

```
...
# Don't delete these required lines, otherwise there will be errors
*nat
-A POSTROUTING -s 10.10.7.0/24 -o enp0s3 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.7.0/24 -o enp0s3 -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.7.0/24 -o enp0s3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.7.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.7.0/24 -j ACCEPT
```

The `-m policy --pol ipsec` matches restrict the NAT and forwarding rules to traffic that actually arrived through or is leaving through an IPsec policy, so the pool cannot be reached or spoofed from the clear side. Disable and enable ufw for the changes to take effect.
```bash
ufw disable && ufw enable
```

Configure kernel IP forwarding.

```bash
vim /etc/ufw/sysctl.conf
```

```
# Uncomment the next line to enable packet forwarding for IPv4
net/ipv4/ip_forward=1
...
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
...
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects = 0
...
# Disable Path MTU discovery to prevent packet fragmentation by adding the line below
net/ipv4/ip_no_pmtu_disc=1
```

Restart strongSwan and enable it to run on boot.
```bash
systemctl restart strongswan
systemctl enable strongswan
```

You can check the status.

```bash
systemctl status strongswan
```

```
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-02-10 10:15:44 UTC; 11s ago
 Main PID: 9168 (starter)
    Tasks: 18 (limit: 2325)
   CGroup: /system.slice/strongswan.service
           ├─9168 /usr/lib/ipsec/starter --daemon charon --nofork
           └─9193 /usr/lib/ipsec/charon --debug-ike 2 --debug-knl 2 --debug-cfg 2 --debug-net 2 --debug-esp 2 --debug-dmn 2 --debug-mgr 2
```

You can also check the status using the `ipsec` command.

```bash
ipsec statusall
```

```
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64):
  uptime: 2 minutes, since Feb 10 10:15:44 2019
  malloc: sbrk 1486848, mmap 0, used 501040, free 985808
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Virtual IP pools (size/online/offline):
  10.10.7.0/24: 254/0/0
Listening IP addresses:
  192.168.43.85
Connections:
ipsec-ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
ipsec-ikev2-vpn:   local:  [vpnsvr.example.com] uses public key authentication
ipsec-ikev2-vpn:    cert:  "CN=vpnsvr.example.com"
ipsec-ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ipsec-ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none
```

### Testing VPN Connection
Now that we have configured an IPsec VPN using strongSwan on Ubuntu 18.04, let us test whether remote clients can connect to it. In this guide, we are testing the connection from an Ubuntu 18.04 client.

Fire up an Ubuntu 18.04 client and install the following packages.

```bash
apt update
apt install strongswan libcharon-extra-plugins
```

Once the installation is done, disable strongSwan from starting automatically on system boot.

```bash
systemctl disable strongswan
```

Log in to the VPN server and copy the VPN server CA certificate to the VPN client. Put the CA certificate under `/etc/ipsec.d/cacerts`; this is what the client uses to verify the server certificate.

Configure VPN client authentication just like you did in the server configuration.
```bash
cat /etc/ipsec.secrets
```

```conf
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
vpnsecure : EAP "P@sSw0Rd"
```

Define the VPN client configuration parameters.

```bash
vim /etc/ipsec.conf
```

```conf
conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.example.com
    rightid=vpnsvr.example.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpnsecure
    leftauth=eap-mschapv2
    eap_identity=%identity
```

Save the configuration file and restart strongSwan.
```bash
systemctl restart strongswan
```

Check the VPN connection status.

```bash
ipsec status
```

```
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 2 minutes ago, 10.0.2.15[vpnsecure]...192.168.43.85[vpnsvr.example.com]
ipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c80ec31a_i cb406749_o
ipsec-ikev2-vpn-client{1}:   10.10.7.1/32 === 0.0.0.0/0
```

Great. If you are using CentOS 7 as the VPN client, install strongSwan as shown below and follow the same steps:
```bash
yum install strongswan strongswan-charon-nm
```

Copy the VPN server CA certificate to the `/etc/strongswan/ipsec.d/cacerts` directory.

Configure the VPN client. Replace the value of `leftid` with a different username.

```bash
vim /etc/strongswan/ipsec.conf
```

```conf
conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.example.com
    rightid=vpnsvr.example.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=amos
    leftauth=eap-mschapv2
    eap_identity=%identity
```

Configure the VPN authentication details.

```bash
vim /etc/strongswan/ipsec.secrets
```

```conf
amos : EAP "P@sSw0Rda"
```

Save the configuration file and restart strongSwan.
```bash
systemctl restart strongswan
```

Check the VPN connection status.

```bash
strongswan status
```

```
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 1 minutes ago, 10.0.2.15[vpnsecure]...192.168.43.85[vpnsvr.example.com]
ipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c68a242b_i cf82c13c_o
ipsec-ikev2-vpn-client{1}:   10.10.7.2/32 === 0.0.0.0/0
```

Now try SSH connections between the two VPN clients; you should be able to log in.
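Both client checks above rely on reading the same three lines: the IKE_SA line (`ESTABLISHED`, local and remote identities), the CHILD_SA line (`INSTALLED, TUNNEL`) and the traffic-selector line (the virtual IP handed out from `rightsourceip` and the `0.0.0.0/0` remote selector of a full tunnel). The following added example, which is not part of the original guide and not strongSwan code, parses that `ipsec status` / `strongswan status` format and reports what is wrong when a tunnel is not in the expected state. `SAMPLE_STATUS` is a constructed copy of the Ubuntu client output above; `parse_status` and `tunnel_problems` are names chosen for this example.

```python
"""Verify a client tunnel from `ipsec status` / `strongswan status` output.

Added example, not part of the original guide or of strongSwan.
"""
import ipaddress
import re

# Constructed sample in the layout printed by `ipsec status` above.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 2 minutes ago, 10.0.2.15[vpnsecure]...192.168.43.85[vpnsvr.example.com]
ipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c80ec31a_i cb406749_o
ipsec-ikev2-vpn-client{1}:   10.10.7.1/32 === 0.0.0.0/0
"""

# name[n]: STATE <age> ago, localhost[localid]...remotehost[remoteid]
IKE_SA = re.compile(
    r"^(?P<conn>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<state>\w+)(?: (?P<age>.*?ago))?,\s+"
    r"(?P<lhost>[^\[\s]+)\[(?P<lid>[^\]]+)\]\.\.\.(?P<rhost>[^\[\s]+)\[(?P<rid>[^\]]+)\]")
# name{n}: STATE, MODE, reqid n, ESP [in UDP] SPIs: xxx_i yyy_o
CHILD_SA = re.compile(
    r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<state>\w+), (?P<mode>\w+), reqid (?P<reqid>\d+), "
    r"(?P<proto>ESP(?: in UDP)?) SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
# name{n}: local-ts === remote-ts
SELECTORS = re.compile(r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)")


def parse_status(text):
    """Return ({(conn, id): ike_sa_fields}, {(conn, id): child_sa_fields})."""
    ike, child = {}, {}
    for line in text.splitlines():
        m = IKE_SA.match(line)
        if m:
            ike[(m["conn"], int(m["id"]))] = m.groupdict()
            continue
        m = CHILD_SA.match(line)
        if m:
            child[(m["conn"], int(m["id"]))] = m.groupdict()
            continue
        m = SELECTORS.match(line)
        if m and (m["conn"], int(m["id"])) in child:
            child[(m["conn"], int(m["id"]))].update(local_ts=m["local"], remote_ts=m["remote"])
    return ike, child


def tunnel_problems(text, conn, server_id, pool):
    """Return a list of problems; empty means the full tunnel is up as intended."""
    ike, child = parse_status(text)
    problems = []
    up = [sa for (c, _), sa in ike.items() if c == conn and sa["state"] == "ESTABLISHED"]
    if not up:
        return ["no ESTABLISHED IKE_SA for %s" % conn]
    # The remote identity is what the server proved with its certificate.
    if not any(sa["rid"] == server_id for sa in up):
        problems.append("IKE_SA peer identity is not %s" % server_id)
    installed = [sa for (c, _), sa in child.items() if c == conn and sa["state"] == "INSTALLED"]
    if not installed:
        return problems + ["no INSTALLED CHILD_SA for %s" % conn]
    net = ipaddress.ip_network(pool)
    for sa in installed:
        if sa["mode"] != "TUNNEL":
            problems.append("CHILD_SA %s is not in tunnel mode" % sa["id"])
        local = sa.get("local_ts")
        try:
            in_pool = local is not None and ipaddress.ip_interface(local).ip in net
        except ValueError:
            in_pool = False
        if not in_pool:
            problems.append("assigned address %s is outside pool %s" % (local, pool))
        if sa.get("remote_ts") != "0.0.0.0/0":
            problems.append("remote selector %s is not 0.0.0.0/0 (split tunnel?)" % sa.get("remote_ts"))
    return problems


if __name__ == "__main__":
    print(tunnel_problems(SAMPLE_STATUS, "ipsec-ikev2-vpn-client",
                          "vpnsvr.example.com", "10.10.7.0/24"))
```

Feeding it live output (`ipsec status | python3 check.py`, with the obvious `sys.stdin.read()` change) gives a check that can run from cron or a monitoring agent, which is more reliable than noticing a dropped tunnel when the SSH test between the two clients stops working.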
Want to use Debian 10 Buster as the strongSwan VPN server instead? Follow the link below:

Setup IPSEC VPN using StrongSwan on Debian 10

That is all about how to configure an IPsec VPN using strongSwan on Ubuntu 18.04. Enjoy.