{"id":5055,"date":"2020-02-26T19:45:21","date_gmt":"2020-02-26T16:45:21","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5055"},"modified":"2024-03-14T19:25:02","modified_gmt":"2024-03-14T16:25:02","slug":"configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8\/","title":{"rendered":"Configure strongSwan VPN Client on Ubuntu 18.04\/CentOS 8"},"content":{"rendered":"\n<p>Follow through this tutorial to learn how to configure <a href=\"https:\/\/www.strongswan.org\/\" target=\"_blank\" rel=\"noopener\">strongSwan<\/a> VPN Client on Ubuntu\/CentOS. Our previous tutorial provided a step-by-step guide on how to set up a strongSwan VPN server on Debian 10 Buster.<\/p>\n\n\n\n<p>Follow the link below to learn how to install and set up a strongSwan VPN server on Debian 10 Buster.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-ipsec-vpn-using-strongswan-on-debian-10\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Setup IPSEC VPN using StrongSwan on Debian 10<\/a><\/p>\n\n\n\n<p>Once you have the strongSwan VPN server set up, you can proceed to test the IP assignment and local connection via the VPN server.<\/p>\n\n\n\n<p>In this demo, we are using Ubuntu 18.04 and CentOS 8 as our test strongSwan VPN clients.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuring strongSwan VPN Client on Ubuntu\/CentOS<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Install strongSwan on Ubuntu 18.04<\/h3>\n\n\n\n<p>strongSwan and extra plugins can be installed on Ubuntu 18.04 by running the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install strongswan libcharon-extra-plugins<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install strongSwan on CentOS 8<\/h3>\n\n\n\n<p>strongSwan packages are provided by the EPEL 
repos on CentOS 8 and similar derivatives. Hence, begin by installing EPEL repos;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install epel-release<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install strongswan strongswan-charon-nm<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install strongSwan VPN Server CA certificate on the Client<\/h3>\n\n\n\n<p><strong>Copy the strongSwan CA certificate generated during the VPN server setup<\/strong>, <code>\/etc\/ipsec.d\/cacerts\/vpn_ca_cert.pem<\/code>, to the clients and;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>place it in the <code>\/etc\/ipsec.d\/cacerts\/<\/code> directory on Ubuntu 18.04;<\/li>\n\n\n\n<li>place it in the <code>\/etc\/strongswan\/ipsec.d\/cacerts<\/code>&nbsp;directory on CentOS 8.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring strongSwan VPN client<\/h3>\n\n\n\n<p>On Ubuntu 18.04;<\/p>\n\n\n\n<p>Update the <code>\/etc\/ipsec.conf<\/code> configuration file to define how to connect to the strongSwan VPN server. 
See the configuration file below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/ipsec.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>conn ipsec-ikev2-vpn-client\n    auto=start\n    right=vpnsvr.kifarunix-demo.com\n    rightid=vpnsvr.kifarunix-demo.com\n    rightsubnet=0.0.0.0\/0\n    rightauth=pubkey\n    leftsourceip=%config\n    <strong>leftid=vpnsecure<\/strong>\n    leftauth=eap-mschapv2\n    eap_identity=%identity<\/code><\/pre>\n\n\n\n<p>Set up the authentication secrets;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/ipsec.secrets<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n<strong># user id : EAP secret<\/strong>\n<strong>vpnsecure : EAP \"P@sSw0Rd\"<\/strong>\n\n# this file is managed with debconf and will contain the automatically created private key\ninclude \/var\/lib\/strongswan\/ipsec.secrets.inc<\/code><\/pre>\n\n\n\n<p>Save the configuration file and restart strongSwan.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart strongswan<\/code><\/pre>\n\n\n\n<p>Disable strongSwan from running on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl disable strongswan<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ipsec statusall<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Security Associations (1 up, 0 connecting):\nipsec-ikev2-vpn-client&#91;1]: ESTABLISHED 1 minutes ago, 10.0.2.15&#91;vpnsecure]...192.168.56.174&#91;vpnsvr.kifarunix-demo.com]\nipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cc36db97_i cb5ceb5b_o\nipsec-ikev2-vpn-client{1}:   172.16.7.1\/32 === 0.0.0.0\/0<\/code><\/pre>\n\n\n\n<p>On CentOS 8;<\/p>\n\n\n\n<p>Update the <code>\/etc\/strongswan\/ipsec.conf<\/code> configuration file to define how to connect to the strongSwan VPN server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim 
\/etc\/strongswan\/ipsec.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>conn ipsec-ikev2-vpn-client\n    auto=start\n    right=vpnsvr.kifarunix-demo.com\n    rightid=vpnsvr.kifarunix-demo.com\n    rightsubnet=0.0.0.0\/0\n    rightauth=pubkey\n    leftsourceip=%config\n    <strong>leftid=koromicha<\/strong>\n    leftauth=eap-mschapv2\n    eap_identity=%identity<\/code><\/pre>\n\n\n\n<p>Next, open the <code>\/etc\/strongswan\/ipsec.secrets<\/code> configuration file and set up the EAP authentication details just as they are defined on the server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/strongswan\/ipsec.secrets<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong># user id : EAP secret<\/strong>\n<strong>koromicha : EAP \"mypassword\"<\/strong><\/code><\/pre>\n\n\n\n<p>Restart strongSwan.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart strongswan<\/code><\/pre>\n\n\n\n<p>Disable strongSwan from running on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl disable strongswan<\/code><\/pre>\n\n\n\n<p>Check the VPN connection status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>strongswan statusall<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Security Associations (1 up, 0 connecting):\nipsec-ikev2-vpn-client&#91;1]: ESTABLISHED 2 minutes ago, 10.0.2.15&#91;vpnsecure]...192.168.56.174&#91;vpnsvr.kifarunix-demo.com]\nipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c573b6a1_i cd8306eb_o\nipsec-ikev2-vpn-client{1}:   172.16.7.2\/32 === 0.0.0.0\/0<\/code><\/pre>\n\n\n\n<p><strong>On the strongSwan VPN Server<\/strong>, check the status;<\/p>\n\n\n\n<p>In this demo, our strongSwan VPN server is running on Debian 10 Buster. 
Hence, you can check status as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ipsec status<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Security Associations (2 up, 0 connecting):\n ipsec-ikev2-vpn[4]: ESTABLISHED 18 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]\u2026192.168.56.1[koromicha]\n ipsec-ikev2-vpn{4}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c4e5f1c2_i c8e1a02f_o\n <strong>ipsec-ikev2-vpn{4}:   0.0.0.0\/0 === 172.16.7.2\/32<\/strong>\n ipsec-ikev2-vpn[3]: ESTABLISHED 21 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]\u2026192.168.56.1[vpnsecure]\n ipsec-ikev2-vpn{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7a4ee1d_i c558073b_o\n<strong> ipsec-ikev2-vpn{3}:   0.0.0.0\/0 === 172.16.7.1\/32<\/strong><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Test VPN Clients Connection<\/h3>\n\n\n\n<p>Now that we have two clients assigned their individual addresses;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ubuntu 18.04: <strong>172.16.7.1<\/strong><\/li>\n\n\n\n<li>CentOS 8: <strong>172.16.7.2<\/strong><\/li>\n<\/ul>\n\n\n\n<p>To test the connection, you can simply run the ping test.<\/p>\n\n\n\n<p>From Ubuntu 18.04, ping CentOS 8;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ping 172.16.7.2<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>PING 172.16.7.2 (172.16.7.2) 56(84) bytes of data.\n64 bytes from 172.16.7.2: icmp_seq=1 ttl=64 time=3.18 ms\n64 bytes from 172.16.7.2: icmp_seq=2 ttl=64 time=4.15 ms\n64 bytes from 172.16.7.2: icmp_seq=3 ttl=64 time=3.47 ms\n64 bytes from 172.16.7.2: icmp_seq=4 ttl=64 time=3.61 ms\n\n--- 172.16.7.2 ping statistics --- \n4 packets transmitted, 4 received, 0% packet loss, time 10ms\nrtt min\/avg\/max\/mdev = 3.176\/3.602\/4.154\/0.360 ms<\/code><\/pre>\n\n\n\n<p>From CentOS 8, ping Ubuntu 18.04.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ping 172.16.7.1<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>PING 172.16.7.1 
(172.16.7.1) 56(84) bytes of data.\n64 bytes from 172.16.7.1: icmp_seq=1 ttl=64 time=3.24 ms\n64 bytes from 172.16.7.1: icmp_seq=2 ttl=64 time=4.37 ms\n64 bytes from 172.16.7.1: icmp_seq=3 ttl=64 time=4.08 ms\n64 bytes from 172.16.7.1: icmp_seq=4 ttl=64 time=3.43 ms\n\n--- 172.16.7.1 ping statistics --- \n4 packets transmitted, 4 received, 0% packet loss, time 9ms\nrtt min\/avg\/max\/mdev = 3.237\/3.780\/4.371\/0.462 ms<\/code><\/pre>\n\n\n\n<p>Try to SSH both sides;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ssh koromicha@172.16.7.2<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>The authenticity of host '172.16.7.2 (172.16.7.2)' can't be established.\nECDSA key fingerprint is SHA256:wKoh\/MWvCicV6cEe6jY19AkcBgk1lyjZorQt3aqflJM.\nAre you sure you want to continue connecting (yes\/no)? yes\nWarning: Permanently added '172.16.7.2' (ECDSA) to the list of known hosts.\nkoromicha@172.16.7.2's password: \n&#91;koromicha@centos8 ~]$<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ssh koromicha@172.16.7.1<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>The authenticity of host '172.16.7.1 (172.16.7.1)' can't be established.\nECDSA key fingerprint is SHA256:v20whQz4a4zpTJQfny\/CGG56fRnP3Dpx8g5CkeCtFpo.\nAre you sure you want to continue connecting (yes\/no)? 
yes\nWarning: Permanently added '172.16.7.1' (ECDSA) to the list of known hosts.\nkoromicha@172.16.7.1's password: \nLinux debian 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Wed Feb 26 00:54:04 2020 from 172.16.7.2\nkoromicha@debian:~$<\/code><\/pre>\n\n\n\n<p>That marks the end of our guide on how to configure strongSwan VPN Client on Ubuntu\/CentOS.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/connect-to-cisco-vpn-using-pcf-file-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Connect to Cisco VPN Using PCF file on Ubuntu<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-configure-ipsec-vpn-using-strongswan-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Configure IPSEC VPN using StrongSwan on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-openvpn-server-on-fedora-29-centos-7\/\" target=\"_blank\">Install and Setup OpenVPN Server on Fedora 29\/CentOS 7<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-cisco-anyconnect-client-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Install Cisco AnyConnect Client on CentOS 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow through this tutorial to learn how to configure strongSwan VPN Client on Ubuntu\/CentOS. 
Our previous tutorial on provided a step by step guide on<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,282,34,321],"tags":[1142,1289,324,1290,67,323],"class_list":["post-5055","post","type-post","status-publish","format-standard","hentry","category-howtos","category-openvpn","category-security","category-vpn","tag-centos-8","tag-ipsec-vpn-client","tag-strongswan","tag-strongswan-client","tag-ubuntu-18-04","tag-vpn","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5055"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5055"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5055\/revisions"}],"predecessor-version":[{"id":21328,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5055\/revisions\/21328"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}