{"id":5034,"date":"2020-02-26T19:26:43","date_gmt":"2020-02-26T16:26:43","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5034"},"modified":"2024-03-14T19:25:45","modified_gmt":"2024-03-14T16:25:45","slug":"setup-ipsec-vpn-using-strongswan-on-debian-10","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/setup-ipsec-vpn-using-strongswan-on-debian-10\/","title":{"rendered":"Setup IPSEC VPN using StrongSwan on Debian 10"},"content":{"rendered":"\n

In this guide, we are going to learn how to setup IPSec VPN using StrongSwan on Debian 10. StrongSwan<\/a> is an opensource VPN software for Linux that implements IPSec. It supports various IPsec protocols and extensions such IKE, X.509 Digital Certificates, NAT Traversal\u2026<\/p>\n\n\n\n

Setting up IPSEC VPN using StrongSwan on Debian<\/h2>\n\n\n\n

Run System Update<\/h3>\n\n\n\n

To update your Debian 10 system packages, run the command below;<\/p>\n\n\n\n

apt update<\/code><\/pre>\n\n\n\n
Install strongSwan on Debian 10 Buster<\/h3>\n\n\n\n
strongSwan is available on the default Debian 10 Buster repositories. Thus, the command below can be executed to install it and other required tools;<\/p>\n\n\n\n
apt install strongswan strongswan-pki libcharon-extra-plugins<\/code><\/pre>\n\n\n\n
Generate VPN Certificate and Key<\/h3>\n\n\n\n
For VPN clients to verify the authenticity of the VPN server, you need to generate the VPN server certificate and key and sign them using your CA.<\/p>\n\n\n\n
Generate Local CA Certificate<\/h4>\n\n\n\n
In this demo, we will be singing our VPN Certificates with a self-signed CA. Thus the local CA can be generated using the strongSwan PKI utility installed above.<\/p>\n\n\n\n
Generate a Private Key<\/h4>\n\n\n\n
The first step is to generate a private key for creating the self-signed CA certificate.<\/p>\n\n\n\n
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn_ca_key.pem<\/code><\/pre>\n\n\n\n
Keep the key as private as possible.<\/p>\n\n\n\n
Generate the self-signed CA Certificate<\/h4>\n\n\n\n
Next, generate the VPN server CA and self-sign with the key generated above.<\/p>\n\n\n\n
ipsec pki --self --in vpn_ca_key.pem --type rsa \\\n--dn \"C=US, O=Kifarunix-Demo, CN=Kifarunix VPN Server Root CA\" \\\n--ca --lifetime 365 --outform pem > vpn_ca_cert.pem<\/code><\/pre>\n\n\n\n
Generate VPN server private key<\/h4>\n\n\n\n
Next, generate your VPN server private key by running the command below;<\/p>\n\n\n\n
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn_server_key.pem<\/code><\/pre>\n\n\n\n
Generate VPN server Certificate<\/h4>\n\n\n\n
To generate the VPN Certificate, you need to extract the public key from the VPN private generated above. The public key will be included in the certificate to be generated.<\/p>\n\n\n\n
ipsec pki --pub --in vpn_server_key.pem --type rsa > vpn_server_pub_key.pem<\/code><\/pre>\n\n\n\n
Next, generate the certificate.<\/p>\n\n\n\n
ipsec pki --issue --in vpn_server_pub_key.pem --lifetime 365 \\\n--cacert vpn_ca_cert.pem \\\n--cakey vpn_ca_key.pem \\\n--dn \"CN=vpnsvr.kifarunix-demo.com\" \\\n--san=\"vpnsvr.kifarunix-demo.com\" \\\n--flag serverAuth --flag ikeIntermediate --outform pem > vpn_server_cert.pem<\/code><\/pre>\n\n\n\n
Adjust the distinguished name (dn), subjectAltName(san) and flags accordingly. Refer to man pki –issue<\/strong>.<\/p>\n\n\n\n
Install the VPN Certificates and Keys<\/h2>\n\n\n\n
Install the VPN certificates and keys in their respective IPSec directory locations.<\/p>\n\n\n\n
mv vpn_ca_cert.pem \/etc\/ipsec.d\/cacerts\/\nmv vpn_server_cert.pem \/etc\/ipsec.d\/certs\/\nmv {vpn_ca_key.pem,vpn_server_key.pem} \/etc\/ipsec.d\/private\/<\/code><\/pre>\n\n\n\n
Configure strongSwan on Debian 10<\/h2>\n\n\n\n
The next step is to configure strongSwan on Debian 10. The main default configuration file is \/etc\/ipsec.conf<\/code>. Edit this file and make any relevant changes based on your environment setup.<\/p>\n\n\n\n
Create a backup copy of the original file before you can proceed.<\/p>\n\n\n\n
cp \/etc\/ipsec.conf \/etc\/ipsec.conf.old<\/code><\/pre>\n\n\n\n
Open the configuration file for editing;<\/p>\n\n\n\n
vi \/etc\/ipsec.conf<\/code><\/pre>\n\n\n\n
The configuration file contains three sections;<\/p>\n\n\n\n
    \n
  • CONFIG SECTIONS<\/code> (config setup)<\/strong>
    \u2013 Defines general configuration parameters<\/li>\n\n\n\n
  • CONN SECTIONS<\/code> (conn <name>)<\/strong>
    \u2013 Contains a connection specification, defining a network connection to be made using IPsec.<\/li>\n\n\n\n
  • CA SECTION<\/code> (ca <name>)<\/strong>
    \u2013 Defines a certification authority.<\/li>\n<\/ul>\n\n\n\n
    Define the CONFIGURATION parameters;<\/p>\n\n\n\n
    config setup\n        charondebug=\"ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2\"\n        strictcrlpolicy=no\n        uniqueids=yes\n        cachecrls=no<\/code><\/pre>\n\n\n\n
      \n
    • The charondebug = <debug list><\/code>  parameter defines the charon debug loggin where the debug list can be dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts. The logging levels can one of -1, 0, 1, 2, 3, 4 (for silent, audit, control, controlmore, raw, private). By default, the level is set to 1 for all types. For a description of the debug lists, check the LOGGER CONFIGURATION section on strongswan.conf(5)<\/code>.<\/li>\n\n\n\n
    • strictcrlpolicy<\/code> parameter defines if a fresh CRL must be available in order for the peer authentication based on RSA signatures to succeed.<\/li>\n\n\n\n
    • uniqueids<\/code> defines whether a particular participant ID should be kept unique<\/li>\n\n\n\n
    • cachecrls<\/code> defines whether to or not cache the certificate revocation lists (CRLs) fetched via HTTP or LDAP.<\/li>\n<\/ul>\n\n\n\n
      Define the CONNECTION parameters;<\/p>\n\n\n\n
      conn ipsec-ikev2-vpn\n      auto=add\n      compress=no\n      type=tunnel  # defines the type of connection, tunnel.\n      keyexchange=ikev2\n      fragmentation=yes\n      forceencaps=yes\n      dpdaction=clear\n      dpddelay=300s\n      rekey=no\n      left=%any\n      leftid=@vpnsvr.kifarunix-demo.com    #If using IP, define it without the @ sign<\/strong>\n      leftcert=vpn_server_cert.pem  #Reads the VPN server cert in \/etc\/ipsec.d\/certs<\/strong>\n      leftsendcert=always\n      leftsubnet=0.0.0.0\/0\n      right=%any\n      rightid=%any\n      rightauth=eap-mschapv2\n      rightsourceip=172.16.7.0\/24  #IP address Pool to be assigned to the clients<\/strong>\n      rightdns=8.8.8.8  # DNS to be assigned to clients\n      rightsendcert=never\n      eap_identity=%identity  #Defines the identity the client uses to reply to an EAP Identity request.<\/strong><\/code><\/pre>\n\n\n\n
      To see a comprehensive description of the connection parameters and the values used in the above configuration, see man ipsec.conf<\/strong><\/code>.<\/p>\n\n\n\n
      Setup Secrets for IKE\/IPsec authentication<\/h3>\n\n\n\n
      Next, setup the secrets to be used by the strongSwan Internet Key Exchange (IKE) daemons to authenticate other hosts. These credentials are set in the \/etc\/ipsec.secrets<\/code> configuration file.<\/p>\n\n\n\n
      Thus open this file and define the RSA private keys for authentication. You can also setup the EAP user credentials by defining a random username and its password. Note the Spacing<\/code><\/strong>.<\/p>\n\n\n\n
      vim \/etc\/ipsec.secrets<\/code><\/pre>\n\n\n\n
      # This file holds shared secrets or RSA private keys for authentication.\n\n# RSA private key for this host, authenticating it to any other host which knows the public part.\n\n: RSA vpn_server_key.pem ## Specify the VPN Server Key<\/strong>\n\n# Define the list of IDs followed by a secret for authentication\n# user id : EAP secret<\/strong>\nvpnsecure : EAP \"P@sSw0Rd\"   # Random<\/strong><\/secret><\/user>\nkoromicha : EAP \"mypassword\"<\/strong>\n\n# this file is managed with debconf and will contain the automatically created private key\ninclude \/var\/lib\/strongswan\/ipsec.secrets.inc<\/secret><\/user><\/code><\/pre>\n\n\n\n
      Running strongSwan<\/h4>\n\n\n\n
      Save the configuration file above and restart strongswan for the changes above to take effect.<\/p>\n\n\n\n
      systemctl restart strongswan<\/code><\/pre>\n\n\n\n
      To check the status;<\/p>\n\n\n\n
      systemctl status strongswan<\/code><\/pre>\n\n\n\n
      \u25cf strongswan.service - strongSwan IPsec IKEv1\/IKEv2 daemon using ipsec.conf\n   Loaded: loaded (\/lib\/systemd\/system\/strongswan.service; enabled; vendor preset: enabled)\n   Active: active (running) since Mon 2020-02-24 13:37:50 EST; 1min 11s ago\n Main PID: 2667 (starter)\n    Tasks: 18 (limit: 1149)\n   Memory: 3.0M\n   CGroup: \/system.slice\/strongswan.service\n           \u251c\u25002667 \/usr\/lib\/ipsec\/starter --daemon charon --nofork\n           \u2514\u25002681 \/usr\/lib\/ipsec\/charon --debug-ike 2 --debug-knl 2 --debug-cfg 2 --debug-net 2 --debug-esp 2 --debug-dmn 2 --debug-mgr 2\n\nFeb 24 13:37:50 debian charon[2681]: 05[CFG]   eap_identity=%identity\nFeb 24 13:37:50 debian charon[2681]: 05[CFG]   dpddelay=300\nFeb 24 13:37:50 debian charon[2681]: 05[CFG]   dpdtimeout=150\nFeb 24 13:37:50 debian charon[2681]: 05[CFG]   dpdaction=1\nFeb 24 13:37:50 debian charon[2681]: 05[CFG]   sha256_96=no\nFeb 24 13:37:50 debian charon[2681]: 05[CFG]   mediation=no\nFeb 24 13:37:50 debian charon[2681]: 05[CFG]   keyexchange=ikev2\nFeb 24 13:37:50 debian charon[2681]: 05[CFG] adding virtual IP address pool 172.16.7.0\/24\nFeb 24 13:37:50 debian charon[2681]: 05[CFG]   loaded certificate \"CN=vpnsvr.kifarunix-demo.com\" from 'vpn_server_cert.pem'\nFeb 24 13:37:50 debian charon[2681]: 05[CFG] added configuration 'ipsec-ikev2-vpn'<\/code><\/pre>\n\n\n\n
      Configure VPN Server Firewall and Routing<\/h3>\n\n\n\n
      If UFW is enabled and running, configure it to allow and forward the VPN traffic. For IPsec to work through firewall, you need to open UDP ports 500 and 4500.<\/p>\n\n\n\n