Site to site IPsec VPN using Openswan shared secret password on Ubuntu 14.04

Install Openswan

sudo apt-get install openswan

If you need to change the package settings later, you can re-run its configuration:

dpkg-reconfigure openswan

The following kernel settings are required for forwarding traffic between the two sites. Run the commands one at a time; the vim one-liners uncomment the matching entries in /etc/sysctl.conf (setting rp_filter to 0 rather than 1, since reverse-path filtering drops IPsec-decapsulated packets), and the tee commands append the entries that are not present by default:

sudo vim -c '%s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/gc' -c 'wq' /etc/sysctl.conf
sudo vim -c '%s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/gc' -c 'wq' /etc/sysctl.conf
sudo vim -c '%s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/gc' -c 'wq' /etc/sysctl.conf
sudo vim -c '%s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=0/gc' -c 'wq' /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p


Configuration file for ipsec

sudo nano /etc/ipsec.conf

Add the following at the end of the file to create the connection "conn kim". Openswan only treats a line as part of the preceding conn section when it is indented, so keep the leading whitespace on every parameter line:

conn kim
    authby=secret
    pfs=no
    auto=start
    keyingtries=%forever
    ikelifetime=8h
    keylife=1h
    ike=3des-md5;modp1024
    phase2alg=3des-md5
    type=tunnel

    left=xx.xx.xx.xx
    leftsubnet=192.168.1.0/24
    # leftsourceip is required for the static route added later
    leftsourceip=192.168.1.242

    aggrmode=no

    right=xx.xx.xx.xx
    rightsubnet=192.168.32.0/24

    dpddelay=10
    dpdtimeout=3600
    dpdaction=restart

Replace the xx.xx.xx.xx placeholders and subnets as follows:

left=public IP of site A
leftsubnet=local subnet of site A
right=public IP of site B
rightsubnet=local subnet of site B


The pre-shared key (PSK) must be identical on Site A and Site B. Edit the secrets file:

sudo nano /etc/ipsec.secrets

# <Site A> <Site B> must be the public IPs of the two sites
#xx.xx.xx.xx xx.xx.xx.xx : PSK "Password"

# If this host has only one site-to-site tunnel, the wildcard form below is enough
%any %any : PSK "Password"


Restart IPsec service

sudo service ipsec restart

Bring the connection up and check it, where $CONN_NAME is the name of the conn section (kim in this example):

sudo ipsec auto --up $CONN_NAME

Add a static route on each site for the remote subnet, so that hosts on the local network send traffic for the other site through the VPN gateway:

sudo route add -net 192.168.x.x netmask 255.255.255.0 gw $SITE_B_LOCAL_IP
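The following script is an added example and is not part of the original post or of Openswan itself. It renders the "conn kim" stanza with the indentation ipsec.conf needs, renders the matching ipsec.secrets line pinned to the two public IPs, counts the legacy choices in the stanza (3DES, MD5 and pfs=no, which the post uses and which a current deployment should review), and checks a sysctl.conf for the forwarding values the post sets, accepting both "key = value" and "key=value" and ignoring commented lines. The function names, the addresses and the PSK are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or of Openswan itself. It renders
# the "conn kim" stanza with the indentation ipsec.conf needs, renders the
# matching ipsec.secrets line, counts the legacy algorithm choices the post
# uses, and checks a sysctl.conf for the forwarding values the post sets.
# All addresses and the PSK are constructed placeholders.

# Print a conn stanza. Every parameter after "conn <name>" is indented, because
# Openswan only attaches indented lines to the section above them.
render_conn() {
    name=$1 left=$2 leftsubnet=$3 leftsourceip=$4 right=$5 rightsubnet=$6
    printf 'conn %s\n' "$name"
    for kv in authby=secret pfs=no auto=start 'keyingtries=%forever' \
              ikelifetime=8h keylife=1h 'ike=3des-md5;modp1024' \
              phase2alg=3des-md5 type=tunnel aggrmode=no \
              "left=$left" "leftsubnet=$leftsubnet" "leftsourceip=$leftsourceip" \
              "right=$right" "rightsubnet=$rightsubnet" \
              dpddelay=10 dpdtimeout=3600 dpdaction=restart; do
        printf '    %s\n' "$kv"
    done
}

# Print the ipsec.secrets line that pins the PSK to the two public IPs
# (preferable to "%any %any" once more than one tunnel exists on the host).
render_secret() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Read a stanza on stdin and count the legacy choices in it: 3DES, MD5 and
# pfs=no. A non-zero count is a prompt to revisit the algorithms before rollout.
audit_conn() {
    grep -c -E '^[[:space:]]*(ike|phase2alg)=.*(3des|md5)|^[[:space:]]*pfs=no' || true
}

# Effective value of KEY in a sysctl.conf FILE: comments are ignored, both
# "key = value" and "key=value" are accepted, and the last assignment wins
# (the same way sysctl -p applies the file).
sysctl_value() {
    key=$1 file=$2
    sed -n -e 's/[[:space:]]//g' -e "s/^$key=//p" "$file" | tail -n 1
}

# Check the values the post requires; report each miss on stderr, return 1 on any.
check_sysctl() {
    file=$1 rc=0
    for want in net.ipv4.ip_forward=1 \
                net.ipv4.conf.all.accept_redirects=0 \
                net.ipv4.conf.all.send_redirects=0 \
                net.ipv4.conf.default.rp_filter=0 \
                net.ipv4.conf.default.accept_source_route=0 \
                net.ipv4.conf.default.send_redirects=0 \
                net.ipv4.icmp_ignore_bogus_error_responses=1; do
        key=${want%=*} val=${want#*=}
        if [ "$(sysctl_value "$key" "$file")" != "$val" ]; then
            echo "sysctl: $key should be $val" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sysctl.conf in which the rp_filter line was left commented out,
# the omission the post's vim one-liner for rp_filter is there to fix.
write_sample_sysctl() {
    cat > "$1" <<'EOF'
#net.ipv4.ip_forward=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
}

# Demo run on the constructed input.
tmp=$(mktemp)
write_sample_sysctl "$tmp"
render_conn kim 203.0.113.10 192.168.1.0/24 192.168.1.242 198.51.100.20 192.168.32.0/24
render_secret 203.0.113.10 198.51.100.20 "example-psk-replace-me"
echo "legacy settings in stanza: $(render_conn kim 203.0.113.10 192.168.1.0/24 192.168.1.242 198.51.100.20 192.168.32.0/24 | audit_conn)"
check_sysctl "$tmp" || echo "sysctl.conf is not ready for the tunnel"
rm -f "$tmp"
```

Run it on a real host by pointing check_sysctl at /etc/sysctl.conf and piping the output of render_conn into /etc/ipsec.conf; the audit reports 3 for the stanza as the post writes it, and the sample sysctl.conf fails until the rp_filter line is set to 0.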
