How to Set Up IPsec-based VPN with Strongswan on Debian and Ubuntu

strongSwan is an open-source, cross-platform, full-featured and widely-used IPsec-based VPN (Virtual Private Network) implementation that runs on Linux, FreeBSD, OS X, Windows, Android, and iOS. It is primarily a keying daemon that uses the Internet Key Exchange protocols (IKEv1 and IKEv2) to set up security associations (SAs) between two peers.

This article describes how to set up site-to-site IPsec VPN gateways using strongSwan on Ubuntu and Debian servers. By site-to-site we mean that each security gateway has a subnet behind it. In addition, the peers will authenticate each other using a pre-shared key (PSK).

Testing Environment

Remember to replace the following IPs with your real-world IPs when configuring your environment.

Site 1 Gateway (tecmint-devgateway)

OS 1: Debian or Ubuntu
Public IP: 10.20.20.1
Private IP: 192.168.0.101/24
Private Subnet: 192.168.0.0/24

Site 2 Gateway (tecmint-prodgateway)

OS 2: Debian or Ubuntu
Public IP: 10.20.20.3
Private IP: 10.0.2.15/24
Private Subnet: 10.0.2.0/24

Step 1: Enabling Kernel Packet Forwarding

1. First, you need to configure the kernel to enable packet forwarding by adding the appropriate system variables to the /etc/sysctl.conf configuration file on both security gateways.

$ sudo vim /etc/sysctl.conf

Look for the following lines, uncomment them and set their values as shown (read the comments in the file for more information). Disabling ICMP redirects matters on a gateway: with forwarding enabled, the kernel would otherwise tell LAN hosts to bypass it.

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

2. Next, load the new settings by running the following command.

$ sudo sysctl -p

3. If you have the UFW firewall service enabled, you need to add the following rules to the /etc/ufw/before.rules configuration file, just before the filter rules, on both security gateways. These rules masquerade traffic arriving through the tunnel from the remote subnet behind the gateway's own LAN address, so hosts on the LAN can reply without a route back to the remote site. The trade-off is that those hosts see every remote connection as coming from the gateway; if your host firewalls or logs need the real source addresses, leave the rule out and give the LAN hosts a route for the remote subnet via the gateway instead.

Site 1 Gateway (tecmint-devgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24 -d 192.168.0.0/24 -j MASQUERADE
COMMIT

Site 2 Gateway (tecmint-prodgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -d 10.0.2.0/24 -j MASQUERADE
COMMIT

4. Once the firewall rules have been added, apply the new changes by restarting UFW as shown.

$ sudo ufw disable
$ sudo ufw enable
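The subnets in the NAT rules must be network addresses (host bits cleared), which is easy to get wrong when copying a gateway's own address with its prefix. The following script is an added example, not part of the original article: it derives the network address from any IPv4 CIDR in plain POSIX shell arithmetic and prints the *nat block for each gateway from the two subnets. The addresses are the article's test environment; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: derive the network address from a CIDR
# (so "192.168.0.101/24" becomes "192.168.0.0/24") and emit the *nat block for
# /etc/ufw/before.rules on each gateway. IPv4 only, octets without leading
# zeros; the addresses are the article's test environment.

# cidr_network ADDR/PREFIX: print NETWORK/PREFIX with the host bits cleared
cidr_network() {
    addr=${1%/*}
    bits=${1#*/}
    # split the dotted quad into $1..$4 (the original argument was saved above)
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # a shift by 32 is undefined in C and in many shells, so handle /0 explicitly
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$bits"
}

# ufw_nat_rules LOCAL_SUBNET REMOTE_SUBNET: the block the article puts before
# the *filter section, for the gateway in front of LOCAL_SUBNET. Decrypted
# traffic from REMOTE_SUBNET is masqueraded to this gateway's LAN address, so
# LAN hosts can reply without a route for the remote site (at the cost of
# losing the original source address).
ufw_nat_rules() {
    local_net=$(cidr_network "$1")
    remote_net=$(cidr_network "$2")
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $remote_net -d $local_net -j MASQUERADE" 'COMMIT'
}

# Demo with the article's two sites; the second call just swaps the arguments.
echo '# Site 1 Gateway (tecmint-devgateway)'
ufw_nat_rules 192.168.0.101/24 10.0.2.15/24
echo '# Site 2 Gateway (tecmint-prodgateway)'
ufw_nat_rules 10.0.2.15/24 192.168.0.101/24
```

Both calls reproduce the rules shown above even though they are fed the gateways' host addresses, which is the point: normalise first, then paste.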

Step 2: Installing strongSwan on Debian and Ubuntu

5. Update your package cache on both security gateways and install the strongswan package using the APT package manager.

$ sudo apt update
$ sudo apt install strongswan

6. Once the installation is complete, the installer script will start the strongswan service and enable it to start automatically at system boot. You can check its status and whether it is enabled using the following commands (on newer Debian and Ubuntu releases the unit for the ipsec.conf-based stack is named strongswan-starter.service instead).

$ sudo systemctl status strongswan.service
$ sudo systemctl is-enabled strongswan.service

Step 3: Configuring Security Gateways

7. Next, you need to configure the security gateways using the /etc/ipsec.conf configuration file. Back up the original first.

Site 1 Gateway (tecmint-devgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn devgateway-to-prodgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.1
        leftsubnet=192.168.0.0/24
        right=10.20.20.3
        rightsubnet=10.0.2.0/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Site 2 Gateway (tecmint-prodgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf

Copy and paste the following configuration into the file. It mirrors the site 1 configuration with left and right swapped.

config setup
        charondebug="all"
        uniqueids=yes
conn prodgateway-to-devgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.3
        leftsubnet=10.0.2.0/24
        right=10.20.20.1
        rightsubnet=192.168.0.0/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Here is the meaning of each configuration parameter:

  • config setup – specifies general configuration information for IPsec that applies to all connections.
  • charondebug – defines how much debugging output the charon daemon should log. "all" is useful while troubleshooting but very verbose and records peer identities and addresses; lower it once the tunnel works.
  • uniqueids – specifies whether a particular participant ID should be kept unique, so that a new IKE_SA from the same peer replaces any existing one.
  • conn prodgateway-to-devgateway – defines the connection name.
  • type – defines the connection type.
  • auto – how to handle the connection when IPsec is started or restarted.
  • keyexchange – defines the version of the IKE protocol to use.
  • authby – defines how the peers should authenticate each other.
  • left – defines the IP address of the left participant's public-network interface.
  • leftsubnet – states the private subnet behind the left participant. Write it as a network address (192.168.0.0/24, the Private Subnet from the test environment) rather than the gateway's host address with a prefix; that is what the negotiated traffic selector covers.
  • right – specifies the IP address of the right participant's public-network interface.
  • rightsubnet – states the private subnet behind the right participant.
  • ike – defines a list of IKE/ISAKMP SA encryption/authentication algorithms to use; you can give a comma-separated list, and the trailing ! tells strongSwan to accept exactly these proposals and nothing else. Note that modp1024 (DH group 2) and SHA-1 are no longer recommended; prefer aes256-sha256-modp2048 (or an ECP group such as ecp256) if both peers support it.
  • esp – defines a list of ESP encryption/authentication algorithms to use for the connection; again a comma-separated list is allowed. Including a DH group here (for example aes256-sha256-modp2048) gives the CHILD_SA perfect forward secrecy; as written, aes256-sha1! negotiates none.
  • aggressive – states whether to use Aggressive or Main Mode. This is an IKEv1 setting and is ignored with keyexchange=ikev2.
  • keyingtries – states the number of attempts that should be made to negotiate a connection (%forever means retry indefinitely).
  • ikelifetime – states how long the keying channel of a connection (the IKE_SA) should last before being renegotiated.
  • lifetime – defines how long a particular instance of a connection (the CHILD_SA) should last, from successful negotiation to expiry.
  • dpddelay – specifies the interval at which R_U_THERE messages (IKEv1) or INFORMATIONAL exchanges (IKEv2) are sent to the peer.
  • dpdtimeout – specifies the timeout interval after which all connections to a peer are deleted in case of inactivity. It applies to IKEv1 only; with IKEv2 the retransmission timeout decides when a peer is considered dead.
  • dpdaction – defines how to use the Dead Peer Detection (DPD) protocol to manage the connection; restart tears down and re-establishes the tunnel when the peer stops answering.

For more information about the above configuration parameters, read the ipsec.conf man page by running the following command.

$ man ipsec.conf

Step 4: Configuring PSK for Peer-to-Peer Authentication

8. After configuring both security gateways, generate a strong PSK for the peers to use with the following command. The same key must be installed on both gateways; 24 random bytes give 192 bits of entropy, which is ample.

$ head -c 24 /dev/urandom | base64

9. Next, add the PSK to the /etc/ipsec.secrets file on both gateways. The file holds the key in clear text, so keep it readable by root only (mode 0600).

$ sudo vim /etc/ipsec.secrets

Copy and paste the following line, replacing the key with the one you generated. The two addresses are the local and remote gateway, and the same key appears on both sides.

------- Site 1 Gateway (tecmint-devgateway) ------- 

10.20.20.1 10.20.20.3 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="

------- Site 2 Gateway (tecmint-prodgateway) -------

10.20.20.3 10.20.20.1 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="
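Steps 7 to 9 are easy to get subtly wrong by hand: the two ipsec.conf files must be exact mirrors, the secrets line must name the gateways in local-then-remote order, and the key must be identical and protected on both sides. The script below is an added example, not the article's own procedure: it renders both gateways' ipsec.conf and ipsec.secrets into a staging directory from one generated PSK, creating the secrets files with mode 0600. The addresses and subnets are the article's test environment; the proposals (AES-256, SHA-256, 2048-bit DH with PFS on the CHILD_SA) and the quieter charondebug value are this example's choices, not the article's aes256-sha1-modp1024, and both peers must accept them.

```shell
#!/bin/sh
# Added example, not from the article: render ipsec.conf and ipsec.secrets for
# both gateways into a staging directory, sharing one freshly generated PSK and
# creating the secrets files with mode 0600. Addresses and subnets are the
# article's test environment; the proposals (AES-256, SHA-256, 2048-bit DH with
# PFS on the CHILD_SA) are this example's choice, not the article's
# aes256-sha1-modp1024, and must be accepted by both peers.
set -u

SITE1_PUB=10.20.20.1  SITE1_NET=192.168.0.0/24   # tecmint-devgateway
SITE2_PUB=10.20.20.3  SITE2_NET=10.0.2.0/24      # tecmint-prodgateway

# gen_psk: 32 random bytes, base64-encoded (44 characters, no newline)
gen_psk() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# render_conf NAME LEFT LEFTSUBNET RIGHT RIGHTSUBNET: ipsec.conf on stdout
render_conf() {
    cat <<EOF
config setup
        # "all" is handy while debugging but very noisy; this is a quieter choice
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=yes

conn $1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=$2
        leftsubnet=$3
        right=$4
        rightsubnet=$5
        # '!' restricts strongSwan to exactly this proposal; the DH group in
        # esp= gives the CHILD_SA perfect forward secrecy
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        # aggressive= and dpdtimeout= are IKEv1-only and so are left out here
        dpddelay=30s
        dpdaction=restart
EOF
}

# render_secrets LEFT RIGHT PSK: the single ipsec.secrets line for this gateway
render_secrets() { printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"; }

# stage_site DIR NAME LEFT LEFTSUBNET RIGHT RIGHTSUBNET PSK
stage_site() {
    dir=$1; shift
    mkdir -p "$dir"
    render_conf "$1" "$2" "$3" "$4" "$5" > "$dir/ipsec.conf"
    # umask in a subshell so the secrets file is created 0600, with no chmod window
    ( umask 077; render_secrets "$2" "$4" "$6" > "$dir/ipsec.secrets" )
}

# stage_all DIR: one PSK, two gateways; left and right are swapped for the second
stage_all() {
    psk=$(gen_psk)
    stage_site "$1/devgateway"  devgateway-to-prodgateway \
        "$SITE1_PUB" "$SITE1_NET" "$SITE2_PUB" "$SITE2_NET" "$psk"
    stage_site "$1/prodgateway" prodgateway-to-devgateway \
        "$SITE2_PUB" "$SITE2_NET" "$SITE1_PUB" "$SITE1_NET" "$psk"
}

# Demo: stage into a temporary directory and show what would go to /etc on each gateway
demo_dir=$(mktemp -d)
stage_all "$demo_dir"
for site in devgateway prodgateway; do
    echo "== $site: ipsec.conf =="; cat "$demo_dir/$site/ipsec.conf"
    echo "== $site: ipsec.secrets (mode $(ls -l "$demo_dir/$site/ipsec.secrets" | cut -c1-10)) =="
    cat "$demo_dir/$site/ipsec.secrets"
done
```

Copy each staged pair to /etc on its gateway (as root, preserving the 0600 mode on ipsec.secrets), then continue with step 10.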

10. Restart the IPsec service and check its status to view the connections. A working tunnel shows the connection as ESTABLISHED (the IKE_SA) and INSTALLED (the CHILD_SA); ipsec statusall additionally prints the negotiated algorithms and the traffic selectors.

$ sudo ipsec restart
$ sudo ipsec status

11. Finally, verify that you can reach the private subnet on the far side from each security gateway with a ping: from the site 2 gateway ping the site 1 private address, and from the site 1 gateway ping the site 2 private address.

$ ping 192.168.0.101
$ ping 10.0.2.15
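A successful ping proves reachability but not that the traffic went through the tunnel, nor that the tunnel negotiated what you configured. The script below is an added example, not part of the article: it reads ipsec statusall output and checks that the IKE_SA is established, the CHILD_SA is installed, the traffic selectors are exactly the two subnets, and no weak algorithm (small DH group, SHA-1, 3DES, MD5) was negotiated. SAMPLE is a constructed transcript in the layout strongSwan prints for the article's devgateway connection, deliberately showing the weak proposal from the configuration above; on a real gateway pipe the live output in as the comment shows.

```shell
#!/bin/sh
# Added example, not from the article: verify the tunnel from `ipsec statusall`
# output rather than from a ping alone. SAMPLE is a constructed transcript in
# the layout strongSwan prints for the article's devgateway connection; on a
# real gateway pipe the live output in instead:
#   sudo ipsec statusall | check_tunnel devgateway-to-prodgateway '192.168.0.0/24 === 10.0.2.0/24'

SAMPLE='Security Associations (1 up, 0 connecting):
devgateway-to-prodgateway[1]: ESTABLISHED 12 minutes ago, 10.20.20.1[10.20.20.1]...10.20.20.3[10.20.20.3]
devgateway-to-prodgateway[1]: IKEv2 SPIs: 3a1f0c4b2d9e8f70_i* 9b7c6d5e4f3a2b10_r, pre-shared key reauthentication in 7 hours
devgateway-to-prodgateway[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
devgateway-to-prodgateway{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
devgateway-to-prodgateway{1}:  AES_CBC_256/HMAC_SHA1_96, 4096 bytes_i (32 pkts, 3s ago), 4096 bytes_o (32 pkts, 3s ago), rekeying in 45 minutes
devgateway-to-prodgateway{1}:   192.168.0.0/24 === 10.0.2.0/24'

# ike_sa_up CONN (status on stdin): succeeds if the IKE_SA for CONN is ESTABLISHED
ike_sa_up() { grep -q "^$1\[[0-9]*\]: ESTABLISHED"; }

# child_sa_up CONN: succeeds if the CHILD_SA (the ESP tunnel) is INSTALLED
child_sa_up() { grep -q "^$1{[0-9]*}: *INSTALLED, TUNNEL"; }

# traffic_selectors CONN: prints "LOCAL === REMOTE" of the installed CHILD_SA
traffic_selectors() { sed -n "s|^$1{[0-9]*}: *\([0-9./]* === [0-9./]*\)\$|\1|p"; }

# weak_algorithms: prints negotiated IKE/ESP proposals that use algorithms a
# site-to-site link should no longer accept (DH groups below 2048 bits, SHA-1,
# 3DES, MD5); exit status 0 only when at least one such line was found
weak_algorithms() {
    grep -E 'IKE proposal: |^[^ ]+\{[0-9]+\}: +[A-Z0-9_]+/[A-Z0-9_]+' \
        | grep -E 'MODP_(768|1024|1536)|SHA1|3DES|MD5'
}

# check_tunnel CONN EXPECTED_TS (status on stdin): succeeds only if the IKE_SA
# is established, the CHILD_SA is installed and its selectors equal EXPECTED_TS
check_tunnel() {
    status=$(cat)
    printf '%s\n' "$status" | ike_sa_up "$1"   || { echo "FAIL: IKE_SA $1 not established"; return 1; }
    printf '%s\n' "$status" | child_sa_up "$1" || { echo "FAIL: CHILD_SA $1 not installed"; return 1; }
    ts=$(printf '%s\n' "$status" | traffic_selectors "$1")
    [ "$ts" = "$2" ] || { echo "FAIL: traffic selectors '$ts', expected '$2'"; return 1; }
    echo "OK: $1 up, $ts"
}

# Demo on the constructed sample: the tunnel is up, but both proposals are weak
printf '%s\n' "$SAMPLE" | check_tunnel devgateway-to-prodgateway '192.168.0.0/24 === 10.0.2.0/24'
printf '%s\n' "$SAMPLE" | weak_algorithms | sed 's/^/WEAK: /'
```

Run it from cron or a monitoring agent on each gateway and alert on a non-zero exit from check_tunnel, or on any output from weak_algorithms after the proposals have been tightened.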

12. In addition, you can stop and start IPsec as shown.

$ sudo ipsec stop
$ sudo ipsec start

13. To learn more about the ipsec commands, for example how to bring up connections manually, see the ipsec help page.

$ ipsec --help

That's all! In this article, we have described how to set up a site-to-site IPsec VPN using strongSwan on Ubuntu and Debian servers, where both security gateways were configured to authenticate each other using a PSK. If you have any questions or thoughts to share, reach us via the feedback form below.
