Install strongSwan
sudo apt-get install strongswan
Install haveged to speed up key generation later
sudo apt-get install haveged
sudo systemctl enable haveged
sudo systemctl start haveged
Enable IP forwarding (routing) on the gateway
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Apply the new values with sudo sysctl -p (or reboot).
Troubleshooting
ipsec up CONN_NAME
ipsec down CONN_NAME
ipsec restart
ipsec status
ipsec statusall
Show the kernel IPsec states (SAs) and policies (SPs) of the tunnel
ip xfrm state
ip xfrm policy
Whenever you edit ipsec.secrets while strongSwan is running, you must reload it:
ipsec rereadsecrets
Check whether any ESP traffic flows through the tunnel
sudo tcpdump esp
Pre-shared key (Site-to-site) tunnel
sudo nano /etc/ipsec.secrets
Site A (ipsec.secrets) |
Site B (ipsec.secrets) |
SERVER_A SERVER_B : PSK 'password123' |
SERVER_B SERVER_A : PSK 'password123' |
sudo nano /etc/ipsec.conf
Site A (ipsec.conf) |
Site B (ipsec.conf) |
conn A_TO_B
    authby=secret
    left=SERVER_A_PUBLIC
    leftsubnet=192.168.32.0/24
    right=SERVER_B_PUBLIC
    rightsubnet=192.168.1.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
Note: modp1024 is a 1024-bit Diffie-Hellman group, which is considered weak today; use modp2048 or stronger on both sides when the peers support it. The PSK 'password123' above is only a sample; use a long, random secret in practice.
conn B_TO_A
    authby=secret
    left=SERVER_B_PUBLIC
    leftsubnet=192.168.1.0/24
    right=SERVER_A_PUBLIC
    rightsubnet=192.168.32.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
Do not NAT the packets you are tunnelling (from A to B); "wan" is the external interface name, replace it with yours
sudo iptables -t nat -I POSTROUTING ! -d 192.168.1.0/24 -o wan -j MASQUERADE
sudo iptables -t nat -I POSTROUTING -s 192.168.32.0/24 ! -d 192.168.1.0/24 -o wan -j MASQUERADE
sudo iptables-restore < /etc/iptables/rules.v4
Note: iptables-restore replaces the running ruleset with the contents of rules.v4, so the two rules inserted above survive only if they are also saved to that file (for example with iptables-save); otherwise they are discarded.
Do not NAT the packets you are tunnelling (from B to A)
sudo iptables -t nat -I POSTROUTING ! -d 192.168.32.0/24 -o wan -j MASQUERADE
sudo iptables -t nat -I POSTROUTING -s 192.168.1.0/24 ! -d 192.168.32.0/24 -o wan -j MASQUERADE
sudo iptables-restore < /etc/iptables/rules.v4
Self-signed root CA certificate (Site-to-site) tunnel
Site-A(HQ)
Create a self-signed root CA certificate on the HQ
cd /etc/ipsec.d
# Create the CA private key:
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
chmod 600 private/strongswanKey.pem
# Generate a self-signed root CA certificate using the above private key:
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=Kim, O=Kim, CN=Kim Root CA" --outform pem > cacerts/strongswanCert.pem
# View the X.509 certificate properties
ipsec pki --print --in cacerts/strongswanCert.pem
Create your VPN host certificate
# Generate the private key for this VPN host server
ipsec pki --gen --type rsa --size 4096 --outform pem > private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem
# Generate this VPN host server cert, signed by the CA created earlier (xx.xxx.xxx.xxx stands for the host's public IP)
ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=Kim, O=Kim, CN=vpn.example.com.sg" --san vpn.example.com.sg --san vpn2.example.com.sg --san xx.xxx.xxx.xxx --san @xx.xxx.xxx.xxx --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem
# View the newly generated certificate
ipsec pki --print --in certs/vpnHostCert.pem
Create a client certificate
# Generate the private key for the client
cd /etc/ipsec.d
ipsec pki --gen --type rsa --size 2048 --outform pem > private/KimKey.pem
chmod 600 private/KimKey.pem
# Generate the client cert, signed by our root CA
ipsec pki --pub --in private/KimKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=Kim, O=Kim, CN=kim@example.com" --san "kim@example.org" --san "kim@example.net" --san "kim@xxx.xx.xx.xx" --outform pem > certs/KimCert.pem
# Construct a .p12 bundle to export the client certificate
openssl pkcs12 -export -inkey private/KimKey.pem -in certs/KimCert.pem -name "Kim's VPN Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out p12/Kim.p12
Note: the .p12 file bundles the client's private key, so protect the export password, transfer the file to the client over a secure channel, and remove it from the gateway once delivered.
Summary of keys and certs
# CA private key & certificate
/etc/ipsec.d/private/strongswanKey.pem
/etc/ipsec.d/cacerts/strongswanCert.pem
# VPN host private key and certificate
/etc/ipsec.d/private/vpnHostKey.pem
/etc/ipsec.d/certs/vpnHostCert.pem
# Client Kim private key & certificate
/etc/ipsec.d/private/KimKey.pem
/etc/ipsec.d/certs/KimCert.pem
# Client Kim PKCS#12 file (written to p12/Kim.p12 by the export command above)
/etc/ipsec.d/p12/Kim.p12
# View the certificate subject to use as LEFTID or RIGHTID
ipsec pki --print --in certs/xyzCert.pem
Convert keys and certificates from DER to PEM format where required
openssl rsa -inform DER -in private/KimKey.der -out private/KimKey.pem -outform PEM
openssl x509 -inform DER -in certs/KimCert.der -out certs/KimCert.pem -outform PEM
# Required only once for the VPN host server
openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM
Revoking a certificate if a client certificate is lost or stolen
cd /etc/ipsec.d
ipsec pki --signcrl --reason key-compromise --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --cert certs/KimCert.pem --outform pem > crls/crl.pem
ipsec restart
This generates a new certificate revocation list (CRL) at crls/crl.pem, which the restart above loads so the revoked client can no longer authenticate.
Config for (Site-to-site) tunnel with CA certificate
sudo nano /etc/ipsec.secrets
Site-A (HQ Gateway) |
Site-B (Remote Site) |
: RSA vpnHostKey.pem
user1 : EAP "password123"
user2 : XAUTH "password123"
SERVER_HQ SERVER_REMOTE : PSK "password123"
Note: ipsec.secrets holds these credentials in clear text, so keep it readable by root only (mode 600); "password123" is a placeholder.
: RSA KimKey.pem |
sudo nano /etc/ipsec.conf
Site-A (HQ Gateway) |
Site-B (Remote Site) |
# IKEv2 + RSA certificate only (Site-to-site)
conn HQ_TO_REMOTE
    keyexchange=ikev2
    leftcert=vpnHostCert.pem
    left=202.xx.xx.xx
    # leftid=%any can be skipped; the ID is taken from the cert
    leftsubnet=192.168.1.0/24
    right=175.xxx.xxx.xx
    rightid="C=Kim, O=Kim, CN=userX@gmail.com"
    rightsubnet=192.168.32.0/24
    auto=add
# IKEv2 + RSA certificate only (Site-to-site)
conn REMOTE_TO_HQ
    keyexchange=ikev2
    leftcert=KimCert.pem
    left=175.xxx.xxx.xx
    leftid="C=Kim, O=Kim, CN=userX@gmail.com"
    leftsubnet=192.168.32.0/24
    right=202.xx.xx.xx
    rightid=%any
    rightsubnet=192.168.1.0/24
    auto=add
Required files on Site-A:
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.d/certs/vpnHostCert.pem
/etc/ipsec.d/private/vpnHostKey.pem
Required files on Site-B:
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.d/certs/KimCert.pem
/etc/ipsec.d/private/KimKey.pem
conn %default
    keyexchange=ikev2
    left=xxx.com.sg
    leftsubnet=x.x.x.x/24
    right=%any
    rightdns=8.8.8.8,8.8.4.4

############### Pre-shared key (Site-to-site)
conn HQ_TO_SITE
    authby=secret
    left=HQ.SITE.com.sg
    leftsubnet=192.168.1.0/24
    right=REMOTE.SITE.com.sg
    rightsubnet=192.168.32.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    auto=route

################ IKEv2 + RSA certificate only (Site-to-client)
conn IKEv2_CERT_ONLY
    leftcert=vpnHostCert.pem
    leftauth=pubkey
    rightsourceip=xxx.xx.xx.0/24
    rightdns=8.8.8.8,2001:4860:4860::8888
    auto=add

#################### IKEv2 + EAP (Site-to-client)
conn IKEv2_CERT_EAP
    leftcert=vpnHostCert.pem
    leftauth=pubkey
    rightsourceip=xxx.xx.xx.0/24
    rightdns=8.8.8.8,2001:4860:4860::8888
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

############### IKEv1 + Xauth RSA
conn CiscoIPSec
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth
    auto=add
Note: the modp1024 group in HQ_TO_SITE is a 1024-bit DH group and is considered weak; prefer modp2048 or stronger when both peers support it.
Different types of tunnel with strongSwan
Site-A(HQ)
############### (Site-to-Site) Pre-shared key
conn HQ_TO_SITE
    authby=secret
    left=HQ.xxx.com.sg
    leftsubnet=192.168.1.0/24
    right=REMOTE.SITE.com.sg
    rightsubnet=192.168.32.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    auto=route
########################## IKEv2 + RSA_Cert_ONLY (Site-to-client)
conn IPSec_IKEv2_CERT_ONLY
    left=%any
    leftid=xxx.xx.xx.xx
    leftcert=vpnHostCert.der
    right=%any
    rightsourceip=10.42.94.0/24,2002:25f7:7489:3::/112
    rightdns=8.8.8.8,2001:4860:4860::8888
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add
##################### IKEv2 + EAP (Site-to-client)
conn _IKEv2_EAP_Win10
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=192.168.1.0/24
    leftcert=vpnHostCert.der
    leftauth=pubkey
    right=%any
    rightsourceip=10.2.94.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
############### IKEv1 + Xauth RSA
conn CiscoIPSec
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth
    auto=add
conn Self_Signed_Cert
    leftsubnet=10.1.0.0/16
    leftcert=selfCert.der
    leftsendcert=never
    right=192.168.0.2
    rightsubnet=10.2.0.0/16
    rightcert=peerCert.der
    auto=start
conn CA_Cert
    leftsubnet=10.1.0.0/16
    leftcert=myCert.pem
    right=192.168.0.2
    rightsubnet=10.2.0.0/16
    rightid="C=CH, O=Linux strongSwan, CN=peer name"
    auto=start
Very helpful post. Thank you.
AOA, I have two clients, one remote and the other local, but both on the same LAN, i.e. 192.168.137.0/24, while the Ubuntu servers on which strongSwan is implemented are connected to each other with an Ethernet cable, with port addresses 10.10.3.10 and 10.10.3.11 respectively, and connected to the devices with port addresses 192.168.137.10 and .11 respectively.
But when the tunnel is established, the devices can ping each other but the subnets can't.
Do I have to add some routes?
Config: Client1(192.168.137.19)—–(192.168.137.10)Device1(10.10.3.10)=====(10.10.3.11)Device2(192.168.137.11)——-Client2(192.168.137.20)
ipsec.conf-Device-01
`config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn TUFAAN
type=tunnel
auto=start
keyexchange=ikev2
authby=secret
left=10.10.3.10
leftsubnet=192.168.137.0/24
right=10.10.3.11
rightsubnet=192.168.137.0/24
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
aggressive=no
keyingtries=%forever
ikelifetime=28800s
lifetime=3600s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart`
ipsec.conf-Device-02
`config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn TUFAAN
type=tunnel
auto=start
keyexchange=ikev2
authby=secret
left=10.10.3.11
leftsubnet=192.168.137.0/24
right=10.10.3.10
rightsubnet=192.168.137.0/24
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
aggressive=no
keyingtries=%forever
ikelifetime=28800s
lifetime=3600s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart`