Dial in IPSEC (Site to Site) VPN on Ubuntu 16.04 with StrongSwan

STEP 1

Install StrongSwan

sudo apt-get install strongswan strongswan-plugin-af-alg strongswan-plugin-agent strongswan-plugin-certexpire strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp strongswan-plugin-duplicheck strongswan-plugin-eap-aka strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-peap strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-ttls strongswan-plugin-error-notify strongswan-plugin-farp strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr strongswan-plugin-sshkey strongswan-plugin-systime-fix strongswan-plugin-whitelist strongswan-plugin-xauth-eap strongswan-plugin-xauth-generic strongswan-plugin-xauth-noauth strongswan-plugin-xauth-pam

 

STEP 2

Set up certificates

Install haveged to speed up the key generation process:

sudo apt-get install haveged
sudo systemctl enable haveged
sudo systemctl start haveged

Create the private key for a self-signed root CA:

cd /etc/ipsec.d/ 
mkdir p12

ipsec pki --gen --type rsa --size 4096 --outform der > private/strongswanKey.der
chmod 600 private/strongswanKey.der

 

STEP 3

Generate a self-signed root CA certificate from the above private key:

ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.der --type rsa --dn "C=Kim, O=Kim, CN=Kim Root CA" --outform der > cacerts/strongswanCert.der

View the certificate properties

ipsec pki --print --in cacerts/strongswanCert.der

 

STEP 4

Generate a private key for this VPN host server:

ipsec pki --gen --type rsa --size 4096 --outform der > private/vpnHostKey.der 
chmod 600 private/vpnHostKey.der

 

Generate a certificate for this VPN host server, signed by the root CA created earlier:

ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=Kim, O=Kim, CN=vpn.example.com.sg" --san vpn.example.com.sg --san vpn2.example.com.sg --san xx.xxx.xxx.xxx --san @xx.xxx.xxx.xxx --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der

 

View the certificate:

ipsec pki --print --in certs/vpnHostCert.der
or
openssl x509 -inform DER -in certs/vpnHostCert.der -noout -text

 

STEP 5

The CA private key /etc/ipsec.d/private/strongswanKey.der must be kept safe; use it only to issue client certificates when required.

The VPN host's own private key (vpnHostKey.der, not the CA key) must be referenced in /etc/ipsec.secrets for StrongSwan to authenticate itself:

sudo nano /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA vpnHostKey.der

 

Check that StrongSwan has loaded the host certificate and its private key. Run ipsec rereadsecrets (or ipsec restart) after editing ipsec.secrets so the key is read; the certificate itself only appears in this listing once a connection that references it via leftcert (STEP 8) has been loaded.

sudo ipsec listcerts

STEP 6 Client certificate

Generate a private key for the client:

cd /etc/ipsec.d
ipsec pki --gen --type rsa --size 2048 --outform der > private/KimKey.der
chmod 600 private/KimKey.der

 

Generate a certificate for the client, signed by our root CA:

ipsec pki --pub --in private/KimKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=Kim, O=Kim, CN=kim@example.com" --san "kim@example.org" --san "kim@example.net" --san "kim@xxx.xx.xx.xx" --outform der > certs/KimCert.der

 

Convert the required key and certificates to PEM format:

openssl rsa -inform DER -in private/KimKey.der -out private/KimKey.pem -outform PEM
openssl x509 -inform DER -in certs/KimCert.der -out certs/KimCert.pem -outform PEM

# Only required once per VPN host server
openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM

 

Construct the .p12:

openssl pkcs12 -export -inkey private/KimKey.pem -in certs/KimCert.pem -name "Kim's VPN Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out p12/Kim.p12

Repeat STEP 6 for each additional client.

 

STEP 7

Revoke a certificate if it is lost or stolen:

cd /etc/ipsec.d/ 

ipsec pki --signcrl --reason key-compromise --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --cert certs/KimCert.der --outform der > crls/crl.der

ipsec restart

This writes a new certificate revocation list (CRL) to crls/crl.der, which StrongSwan loads on restart. Each run produces a fresh CRL containing only the certificates named with --cert; to carry earlier revocations forward, also pass the previous list with --lastcrl crls/crl.der (write the result to a new file first, since the redirect would truncate the file being read, then replace the old one).

 

STEP 8

IPSEC Configuration

sudo nano /etc/ipsec.conf

 

# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!

    dpdaction=clear
    dpddelay=300s
    authby=pubkey
    left=%any
    leftid=vpn.example.org
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.der
    leftsendcert=always
    right=%any
    rightsourceip=10.42.42.0/24,2002:25f7:7489:3::/112
    rightdns=8.8.8.8,2001:4860:4860::8888

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
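The ike= and esp= lists above mix current algorithms with legacy ones (3DES, SHA-1, 1024/1536-bit DH groups), and the trailing "!" makes the list strict. The following script is an added example, not from the original post: it parses an ipsec.conf in this format and reports every proposal that still offers a legacy primitive, so the lists can be pruned; the sample configuration it ships with is a shortened, constructed copy of the conn %default section.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the ike=/esp= proposal
# lists of a strongSwan ipsec.conf (the STEP 8 format) for legacy primitives.
# POSIX sh + awk only; strongSwan does not need to be installed to run it.

# Print the issues found in one proposal such as "aes128-sha1-modp1024",
# or nothing when it is clean.  Checks: 3DES, MD5, SHA-1 and DH groups
# below 2048 bits (modp768/1024/1536).
proposal_issues() {
    p=$1
    issues=""
    case $p in *3des*) issues="$issues 3des";; esac
    case $p in *md5*) issues="$issues md5";; esac
    case $p in *sha1*) issues="$issues sha1";; esac
    case $p in *modp768*|*modp1024*|*modp1536*) issues="$issues dh<2048";; esac
    printf '%s' "${issues# }"
}

# Read an ipsec.conf from a file (stdin when no argument is given), split
# every ike= and esp= line into its comma-separated proposals (dropping the
# trailing '!' strict marker) and print "<keyword> <proposal> <issues>"
# for each proposal that still offers a legacy primitive.
audit_conf() {
    cat -- "${1:--}" |
    awk -F= '/^[ \t]*(ike|esp)=/ {
        gsub(/^[ \t]+/, "", $1); sub(/!?[ \t]*$/, "", $2)
        n = split($2, a, ","); for (i = 1; i <= n; i++) print $1, a[i]
    }' |
    while read -r kw p; do
        issues=$(proposal_issues "$p")
        if [ -n "$issues" ]; then printf '%s %s %s\n' "$kw" "$p" "$issues"; fi
    done
}

# Constructed sample: a shortened version of the post's conn %default section.
sample_conf() {
    cat <<'EOF'
conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes256-sha256-modp2048,aes256-sha384-ecp384,3des-sha1-modp1024!
    esp=aes128-sha1,aes256gcm16,aes256-sha256-modp1024,3des-sha1!
    authby=pubkey
EOF
}

# Usage: audit_ipsec.sh /etc/ipsec.conf   (no argument: audit the sample)
if [ $# -gt 0 ]; then audit_conf "$1"; else sample_conf | audit_conf; fi
```

Run against the sample, it flags five of the seven proposals; only aes256-sha256-modp2048, aes256-sha384-ecp384 and aes256gcm16 pass.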

 

STEP 9

Enable IP forwarding (and disable ICMP redirects and source routing):

echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf 
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
sysctl -p

 

STEP 10

systemctl enable strongswan
systemctl start strongswan

Troubleshooting

ipsec up CONN_NAME
ipsec down CONN_NAME
ipsec status
ipsec statusall
ipsec restart

Show the kernel's IPsec policies and security associations (states) for the tunnel:

ip xfrm state
ip xfrm policy

1 Comment

  1. Silas
    April 19, 2017

    Thank you for this procedure, but I seem to be stuck on step 5, the “ipsec listcerts” comes up empty. Am I missing something?
