Site to site IPsec VPN using Openswan RSA key pair on Ubuntu 14.04

Install Openswan

apt-get install openswan

You may wish to run reconfig in future for change of setting

dpkg-reconfigure openswan

Below are required for forwarding. Execute line by line

sudo vim -c '%s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/gc' -c 'wq' /etc/sysctl.conf
sudo vim -c '%s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/gc' -c 'wq' /etc/sysctl.conf
sudo vim -c '%s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/gc' -c 'wq' /etc/sysctl.conf
sudo vim -c '%s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=0/gc' -c 'wq' /etc/sysctl.conf
sudo echo "net.ipv4.conf.default.accept_source_route = 0" | sudo tee -a /etc/sysctl.conf
sudo echo "net.ipv4.conf.default.send_redirects = 0" | sudo tee -a /etc/sysctl.conf
sudo echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | sudo tee -a /etc/sysctl.conf
sudo echo "net.ipv4.conf.default.accept_redirects = 0" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Configuration file for ipsec

sudo nano /etc/ipsec.conf

 Assuming Site to Site with both PUBLIC IP (noone behind NAT router)

conn kim
authby=rsasig
pfs=no
auto=start
keyingtries=%forever
ikelifetime=8h
keylife=1h
ike=3des-md5;modp1024
phase2alg=3des-md5
type=tunnel

left=xx.xx.xx.xx # Site A Public IP
leftsubnet=192.168.1.0/24 # Site A LAN address
leftsourceip=192.168.1.242 # Site A LAN IP. Required for routing later with static route entry
leftrsasigkey= # Site A PUBLIC KEY


aggrmode=no

right=xx.xx.xx.xx # Site B Public IP
rightsubnet=192.168.32.0/24 # Site B LAN
rightrsasigkey= # Site B PUBLIC KEY


dpddelay=10
dpdtimeout=3600
dpdaction=restart

 

Create a RSA key pair

sudo ipsec newhostkey --output /etc/ipsec.secrets --random /dev/urandom

Show hostkeys

ipsec showhostkey --left
ipsec showhostkey --right

You may see the rsa key manually at /etc/ipsec.secrets 

sudo cat /etc/ipsec.secrets

Restart IPsec service

sudo service ipsec restart

 

Check connection

sudo ipsec auto --up $CONN_NAME

Add static route for both sites (Tested. This step is not required if configured correctly)

sudo route add -net 192.168.x.x netmask 255.255.255.0 gw $SITE_B_LOCAL_IP

 

!! IMPORTANT STEP !!

On Site A, replace

sudo iptables -t nat -A POSTROUTING -o wan -s 172.168.1.0/24 -j MASQUERADE

to

sudo iptables -t nat -A POSTROUTING -o wan -s 172.168.1.0/24 ! -d 10.0.0.0/24 -j MASQUERADE

 

On Site B, replace

sudo iptables -t nat -A POSTROUTING -o wan -s 10.0.0.0/24 -j MASQUERADE

to 

sudo iptables -t nat -A POSTROUTING -o wan -s 10.0.0.0/24 ! -d 172.168.1.0/24 -j MASQUERADE

 

Troubleshooting

route
sudo ipsec auto --status
sudo ipsec verify
sudo ipsec auto --up $CONN_NAME

Leave a Comment

Your email address will not be published. Required fields are marked *