StrongSwan IPsec VPN with pre shared key and certificates

Install Strongswan

sudo apt-get install strongswan

Install haveged to speed up key generation later

sudo apt-get install haveged
sudo systemctl enable haveged
sudo systemctl start haveged

Enable route

sudo nano /etc/sysctl.conf

net.ipv4.ip_forward = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0

 

Troubleshooting

ipsec up CONN_NAME
ipsec down CONN_NAME

ipsec restart
ipsec status
ipsec statusall

Shows the policies and states of IPsec tunnel

ip xfrm state
ip xfrm policy

Whenever you edit ipsec.secrets while strongSwan is running, you must reload

ipsec rereadsecrets

Check if any traffic flows through the tunnel

sudo tcpdump esp

 


Pre-shared key (Site-to-site) tunnel

sudo nano /etc/ipsec.secrets

Site A (ipsec.secrets)

Site B (ipsec.secrets)

SERVER_A SERVER_B : PSK 'password123'
SERVER_B SERVER_A : PSK 'password123'

 

sudo nano /etc/ipsec.conf

Site A (ipsec.conf)

Site B (ipsec.conf)

conn A_TO_B
 authby=secret
 left=SERVER_A_PUBLIC
 leftsubnet=192.168.32.0/24
 right=SERVER_B_PUBLIC
 rightsubnet=192.168.1.0/24
 ike=aes256-sha2_256-modp1024!
 esp=aes256-sha2_256!
 keyingtries=0
 ikelifetime=1h
 lifetime=8h
 dpddelay=30
 dpdtimeout=120
 dpdaction=restart
 auto=start
conn B_TO_A
 authby=secret
 left=SERVER_B_PUBLIC
 leftsubnet=192.168.1.0/24
 right=SERVER_A_PUBLIC
 rightsubnet=192.168.32.0/24
 ike=aes256-sha2_256-modp1024!
 esp=aes256-sha2_256!
 keyingtries=0
 ikelifetime=1h
 lifetime=8h
 dpddelay=30
 dpdtimeout=120
 dpdaction=restart
 auto=start

 

Do not NAT the packets you are tunnelling (from A to B)

sudo iptables -t nat -I POSTROUTING ! -d 192.168.1.0/24 -o wan -j MASQUERADE
sudo iptables -t nat -I POSTROUTING -s 192.168.32.0/24 ! -d 192.168.1.0/24 -o wan -j MASQUERADE
sudo iptables-restore < /etc/iptables/rules.v4

 

Do not NAT the packets you are tunnelling (from B to A)

sudo iptables -t nat -I POSTROUTING ! -d 192.168.32.0/24 -o wan -j MASQUERADE
sudo iptables -t nat -I POSTROUTING -s 192.168.1.0/24 ! -d 192.168.32.0/24 -o wan -j MASQUERADE
sudo iptables-restore < /etc/iptables/rules.v4

 

 


 

 

self-signed root CA certificate (Site-to-site) tunnel

Site-A(HQ)

Create a self-signed root CA certificate on the HQ 

cd /etc/ipsec.d

#Create private key:
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
chmod 600 private/strongswanKey.pem

#Generate a self signed root CA certificate using above private key:
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=Kim, O=Kim, CN=Kim Root CA" --outform pem > cacerts/strongswanCert.pem

# View the X.509 certificate properties
ipsec pki --print --in cacerts/strongswanCert.pem

 

Create your VPN host certificate

#Generate private key for this VPN host server
ipsec pki --gen --type rsa --size 4096 --outform pem > private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem

#Generate this VPN host server cert using earlier CA
ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=Kim, O=Kim, CN=vpn.example.com.sg" --san vpn.example.com.sg --san vpn2.example.com.sg --san xx.xxx.xxx.xxx --san @xx.xxx.xxx.xxx --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem

#View newly generated certificate
ipsec pki --print --in certs/vpnHostCert.pem

 

Create a client certificate

#Genrate Private key for client
cd /etc/ipsec.d
ipsec pki --gen --type rsa --size 2048 --outform pem > private/KimKey.pem
chmod 600 private/KimKey.pem

#Generate Cert for client, signed by our root ca
ipsec pki --pub --in private/KimKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=Kim, O=Kim, CN=kim@example.com" --san "kim@example.org" --san "kim@example.net" --san "kim@xxx.xx.xx.xx" --outform pem > certs/KimCert.pem

#Construct .p12 to export client certificate
openssl pkcs12 -export -inkey private/KimKey.pem -in certs/KimCert.pem -name "Kim's VPN Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out p12/Kim.p12

 

Summary keys and certs

# CA private key & certificate
/etc/ipsec.d/private/strongswanKey.pem 
/etc/ipsec.d/cacerts/strongswanCert.pem 

# VPN host private key and certificate
/etc/ipsec.d/private/vpnHostKey.pem
/etc/ipsec.d/certs/vpnHostCert.pem

# Client Kim private key & certificate
/etc/ipsec.d/private/KimKey.pem
/etc/ipsec.d/certs/KimCert.pem

# Client Kim PKCS#12 file
/etc/ipsec.d/Kim.p12 



#View certificate subject for LEFTID or RIGHTID
ipsec pki --print --in certs/xyzCert.pem

 

Convert required keys to PEM format (from DER to PEM)

openssl rsa -inform DER -in private/KimKey.der -out private/KimKey.pem -outform PEM
openssl x509 -inform DER -in certs/KimCert.der -out certs/KimCert.pem -outform PEM

#Requires only once for vpn host server
openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM

 

Revoking a certificate if client certificate is lost or stolen

cd /etc/ipsec.d

ipsec pki --signcrl --reason key-compromise --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --cert certs/KimCert.pem --outform pem > crls/crl.pem

ipsec restart

This generates the new certificate revocation list (CRL) crls/crl.pem

 

 

Config for (Site-to-site) tunnel with CA certificate

sudo nano /etc/ipsec.secrets

Site-A (HQ Gateway)

Site-B (Remote Site)

: RSA vpnHostKey.pem
user1 : EAP "password123"
user2 : XAUTH "password123"
SERVER_HQ SERVER_REMOTE : PSK "password123"
: RSA KimKey.pem



 

sudo nano /etc/ipsec.conf

Site-A (HQ Gateway)

Site-B (Remote Site)

# IKEv2 + RSA certificate only (Site-to-site)
conn HQ_TO_REMOTE
 keyexchange=ikev2
 leftcert=vpnHostCert.pem
 left=202.xx.xx.xx
# leftid=%any  Can skip. Pulls from its cert
 leftsubnet=192.168.1.0/24
 right=175.xxx.xxx.xx
 rightid="C=Kim, O=Kim, CN=userX@gmail.com"
 rightsubnet=192.168.32.0/24
 auto=add

# IKEv2 + RSA certificate only (Site-to-site)
conn REMOTE_TO_HQ
 keyexchange=ikev2
 leftcert=KimCert.pem
 left=175.xxx.xxx.xx
 leftid="C=Kim, O=Kim, CN=userX@gmail.com"
 leftsubnet=192.168.32.0/24
 right=202.xx.xx.xx
 rightid=%any
 rightsubnet=192.168.1.0/24
 auto=add

Required:

/etc/ipsec.d/cacerts/strongswanCert.pem

/etc/ipsec.d/certs/vpnHostCert.pem

/etc/ipsec.d/private/vpnHostKey.pem

Required:

/etc/ipsec.d/cacerts/strongswanCert.pem

/etc/ipsec.d/certs/KimCert.pem

/etc/ipsec.d/private/KimKey.pem

 

 

 

conn %default
 keyexchange=ikev2
 left=xxx.com.sg
 leftsubnet=x.x.x.x/24
 right=%any
 rightdns=8.8.8.8,8.8.4.4

############### Pre-shared key (Site-to-site)
conn HQ_TO_SITE
 authby=secret
 left=HQ.SITE.com.sg
 leftsubnet=192.168.1.0/24
 right=REMOTE.SITE.com.sg
 rightsubnet=192.168.32.0/24
 ike=aes256-sha2_256-modp1024!
 esp=aes256-sha2_256!
 auto=route

################ IKEv2 + RSA certificate only (Site-to-client)
conn IKEv2_CERT_ONLY
 leftcert=vpnHostCert.pem
 leftauth=pubkey
 rightsourceip=xxx.xx.xx.0/24
 rightdns=8.8.8.8,2001:4860:4860::8888
 auto=add

#################### IKEv2 + EAP (Site-to-client)
conn IKEv2_CERT_EAP
 leftcert=vpnHostCert.pem
 leftauth=pubkey
 rightsourceip=xxx.xx.xx.0/24
 rightdns=8.8.8.8,2001:4860:4860::8888
 rightauth=eap-mschapv2
 rightsendcert=never
 eap_identity=%any

############### IKEv1 + Xauth RSA
conn CiscoIPSec
 keyexchange=ikev1
 rightauth=pubkey
 rightauth2=xauth
 auto=add

 

Different types of tunnel with StrongSwan

Site-A(HQ)

############### (Site-to-Site) Pre-shared key
conn HQ_TO_SITE
 authby=secret
 left=HQ.xxx.com.sg
 leftsubnet=192.168.1.0/24
 right=REMOTE.SITE.com.sg
 rightsubnet=192.168.32.0/24
 ike=aes256-sha2_256-modp1024!
 esp=aes256-sha2_256!
 auto=route
########################## IKEv2 + RSA_Cert_ONLY (Site-to-client)
conn IPSec_IKEv2_CERT_ONLY
 left=%any
 leftid=xxx.xx.xx.xx
 leftcert=vpnHostCert.der
 right=%any
 rightsourceip=10.42.94.0/24,2002:25f7:7489:3::/112
 rightdns=8.8.8.8,2001:4860:4860::8888
 keyexchange=ikev2
 keyexchange=ikev2
 leftauth=pubkey
 rightauth=pubkey
 leftsendcert=always
 auto=add
##################### IKEv2 + EAP (Site-to-client)
conn _IKEv2_EAP_Win10
 keyexchange=ikev2
 dpdaction=clear
 dpddelay=300s
 rekey=no
 left=%any
 leftsubnet=192.168.1.0/24
 leftcert=vpnHostCert.der
 leftauth=pubkey
 right=%any
 rightsourceip=10.2.94.0/24
 rightdns=8.8.8.8,8.8.4.4
 rightauth=eap-mschapv2
 rightsendcert=never
 eap_identity=%any
 auto=add
############### IKEv1 + Xauth RSA
conn CiscoIPSec
 keyexchange=ikev1
 rightauth=pubkey
 rightauth2=xauth
 auto=add
conn Self_Signed_Cert
 leftsubnet=10.1.0.0/16
 leftcert=selfCert.der
 leftsendcert=never
 right=192.168.0.2
 rightsubnet=10.2.0.0/16
 rightcert=peerCert.der
 auto=start
conn CA_Cert
 leftsubnet=10.1.0.0/16
 leftcert=myCert.pem
 right=192.168.0.2
 rightsubnet=10.2.0.0/16
 rightid="C=CH, O=Linux strongSwan CN=peer name"
 auto=start

1 Comment

  1. Nathan
    April 11, 2018

    Very helpful post. Thank you.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top