How to Set Up IPsec-based VPN with Strongswan on CentOS/RHEL 8


strongSwan is an open-source, multi-platform, modern and complete IPsec-based VPN solution for Linux that provides full support for Internet Key Exchange (both IKEv1 and IKEv2) to establish security associations (SA) between two peers. It is full-featured, modular by design and offers dozens of plugins that enhance the core functionality.


Related Article: How to Set Up IPsec-based VPN with Strongswan on Debian and Ubuntu


In this article, you will learn how to set up site-to-site IPsec VPN gateways using strongSwan on CentOS/RHEL 8 servers. This enables peers to authenticate each other using a strong pre-shared key (PSK). A site-to-site setup means each security gateway has a sub-net behind it.


Testing Environment


Do not forget to use your real-world IP addresses during the configurations while following the guide.


Site 1 Gateway

Public IP: 192.168.56.7
Private IP: 10.10.1.1/24
Private Subnet: 10.10.1.0/24

Site 2 Gateway

Public IP: 192.168.56.6
Private IP: 10.20.1.1/24
Private Subnet: 10.20.1.0/24

Step 1: Enabling Kernel IP Forwarding in CentOS 8


1. Start by enabling kernel IP forwarding functionality in /etc/sysctl.conf configuration file on both VPN gateways.

# vi /etc/sysctl.conf

Add these lines in the file.

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

2. After saving the changes to the file, run the following command to load the new kernel parameters at runtime.

# sysctl -p
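Before loading the parameters, it is worth checking that all four settings actually made it into the file and that none of them was left at the wrong value or commented out. The script below is an added example, not part of the original article: it audits a sysctl.conf-style file for the four keys from Step 1 and reports each missing or wrong setting. The two sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit a sysctl.conf-style file
# for the four forwarding/redirect settings from Step 1 before running sysctl -p.
# The sample files below are constructed for the demonstration.

# key=value pairs the guide requires on both gateways.
REQUIRED_SETTINGS="net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0"

# Print the effective value of KEY in FILE (the last occurrence wins, as sysctl
# does). Whole-line comments (# or ;) are ignored; nothing is printed if KEY is absent.
sysctl_conf_get() {
    key=$1; file=$2
    grep -v '^[[:space:]]*[#;]' "$file" | awk -F= -v k="$key" '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == k) v = $2
        }
        END { if (v != "") print v }'
}

# Check FILE against REQUIRED_SETTINGS. Prints one line per problem:
#   MISSING <key>          the key is not set at all
#   WRONG <key> <value>    the key is set to a value other than the expected one
# Returns 0 when every setting matches, 1 otherwise.
check_forwarding_conf() {
    file=$1; rc=0
    for entry in $REQUIRED_SETTINGS; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(sysctl_conf_get "$key" "$file")
        if [ -z "$have" ]; then
            echo "MISSING $key"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG $key $have"; rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: exactly the lines the guide adds.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# constructed sample, matches the guide
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF

# Constructed sample 2: forwarding left off, one key missing, one commented out.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
# constructed sample with mistakes
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.all.send_redirects = 0
EOF

# Usage on a gateway: check_forwarding_conf /etc/sysctl.conf && sysctl -p
check_forwarding_conf "$GOOD_CONF" && echo "sample 1: all four settings present"
check_forwarding_conf "$BAD_CONF" || echo "sample 2: fix the problems above before running sysctl -p"
```

On a real gateway, run it as `check_forwarding_conf /etc/sysctl.conf && sysctl -p` so the parameters are only loaded once the file is known to be complete. Note that it only reads the file, not the live kernel values; after `sysctl -p` you can confirm those with `sysctl net.ipv4.ip_forward`.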

3. Next, create a permanent static route in the file /etc/sysconfig/network-scripts/route-eth0 on both security gateways.

# vi /etc/sysconfig/network-scripts/route-eth0

Add the line that corresponds to the gateway you are configuring.

#Site 1 Gateway
10.20.1.0/24  via 192.168.56.7

#Site 2 Gateway
10.10.1.0/24 via 192.168.56.6

4. Then restart the network manager to apply the new changes.

# systemctl restart NetworkManager

Step 2: Installing strongSwan in CentOS 8


5. The strongswan package is provided in the EPEL repository. To install it, you first need to enable the EPEL repository, then install strongswan on both security gateways.

# dnf install epel-release
# dnf install strongswan

6. To check the version of strongswan installed on both gateways, run the following command.

# strongswan version

7. Next, start the strongswan service and enable it to automatically start at system boot. Then verify the status on both security gateways.

# systemctl start strongswan
# systemctl enable strongswan
# systemctl status strongswan

Note: The latest version of strongswan in CentOS/RHEL 8 comes with support for both swanctl (a new, portable command-line utility introduced with strongSwan 5.2.0, used to configure, control and monitor the IKE daemon charon via the vici plugin) and the starter (or ipsec) utility, which uses the deprecated stroke plugin.


8. The main configuration directory is /etc/strongswan/ which contains configuration files for both plugins:

# ls /etc/strongswan/

Strongswan Configuration Structure

For this guide, we will use the ipsec utility, which is invoked through the strongswan command and uses the stroke interface. So we will use the following configuration files:

  • /etc/strongswan/ipsec.conf – configuration file for the strongSwan IPsec subsystem.
  • /etc/strongswan/ipsec.secrets – secrets file.

Step 3: Configuring Security Gateways


9. In this step, you need to configure the connection profile for each site on its security gateway, using the /etc/strongswan/ipsec.conf strongswan configuration file.


Configuring Site 1 Connection Profile

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste the following configuration in the file.

config setup
        charondebug="all"
        uniqueids=yes

conn gateway1-to-gateway2
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.7
        leftsubnet=10.10.1.1/24
        right=192.168.56.6
        rightsubnet=10.20.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Configuring Site 2 Connection Profile

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste the following configuration in the file:

config setup
        charondebug="all"
        uniqueids=yes

conn gateway2-to-gateway1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.6
        leftsubnet=10.20.1.1/24
        right=192.168.56.7
        rightsubnet=10.10.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
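The two profiles above are mirror images of each other: every left* value on site 1 is the matching right* value on site 2 and vice versa, and a typo in one of them is the classic reason a site-to-site tunnel fails to negotiate. The script below is an added example, not code from the article or from the strongSwan project: it generates both profiles from one description of the two sites and checks that they mirror correctly. It uses the public IPs and the network addresses (10.10.1.0/24, 10.20.1.0/24) from the Testing Environment section and keeps the other parameters exactly as in the article.

```shell
#!/bin/sh
# Added example, not from the original article: generate the mirrored
# ipsec.conf connection profiles for both site-to-site gateways from one
# description of the two sites, so left/right values cannot get out of sync.

# Site definitions taken from the guide's Testing Environment section.
SITE1_IP=192.168.56.7;  SITE1_NET=10.10.1.0/24
SITE2_IP=192.168.56.6;  SITE2_NET=10.20.1.0/24

# The "config setup" section shared by both gateways (same values as the guide).
gen_setup() {
    cat <<'EOF'
config setup
        charondebug="all"
        uniqueids=yes

EOF
}

# Print one conn stanza. "Local" values become left*, "remote" values right*.
# Arguments: NAME LOCAL_IP LOCAL_SUBNET REMOTE_IP REMOTE_SUBNET
gen_conn() {
    cat <<EOF
conn $1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=$2
        leftsubnet=$3
        right=$4
        rightsubnet=$5
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
EOF
}

# Print a complete ipsec.conf for the gateway whose own public IP is $1.
# The peer's values come from swapping the two site definitions.
gen_ipsec_conf() {
    case $1 in
        "$SITE1_IP") gen_setup; gen_conn gateway1-to-gateway2 "$SITE1_IP" "$SITE1_NET" "$SITE2_IP" "$SITE2_NET" ;;
        "$SITE2_IP") gen_setup; gen_conn gateway2-to-gateway1 "$SITE2_IP" "$SITE2_NET" "$SITE1_IP" "$SITE1_NET" ;;
        *) echo "unknown gateway address: $1" >&2; return 1 ;;
    esac
}

# Extract the value of KEY from an ipsec.conf read on stdin (e.g. conn_get left).
conn_get() {
    sed -n "s/^[[:space:]]*$1=//p"
}

# Sanity check: the two generated profiles must mirror each other.
# Returns 0 when site 1's left/leftsubnet equal site 2's right/rightsubnet
# and vice versa, 1 otherwise.
profiles_are_mirrored() {
    a=$(gen_ipsec_conf "$SITE1_IP"); b=$(gen_ipsec_conf "$SITE2_IP")
    for pair in left:right leftsubnet:rightsubnet right:left rightsubnet:leftsubnet; do
        k1=${pair%:*}; k2=${pair#*:}
        [ "$(printf '%s\n' "$a" | conn_get "$k1")" = "$(printf '%s\n' "$b" | conn_get "$k2")" ] || return 1
    done
    return 0
}

# Usage on a gateway (as root): gen_ipsec_conf <own public IP> > /etc/strongswan/ipsec.conf
profiles_are_mirrored && echo "profiles mirror each other"
gen_ipsec_conf "$SITE1_IP"
```

Because both files come from the same four variables, a wrong subnet or peer address only has to be fixed in one place, and `profiles_are_mirrored` catches a stanza that was edited by hand on one side only.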

Let’s briefly describe each of the configuration parameters above:

  • config setup – defines the general configuration information for IPsec which applies to all connections.
  • charondebug – specifies how much charon debugging output should be logged.
  • uniqueids – defines whether a particular participant ID should be kept unique.
  • conn gateway1-to-gateway2 – used to set the connection name.
  • type – defines the connection type.
  • auto – declares how to handle the connection when IPsec is started or restarted.
  • keyexchange – declares the version of the IKE protocol to use.
  • authby – specifies how the peers should authenticate each other.
  • left – declares the IP address of the left participant’s public-network interface.
  • leftsubnet – declares the private subnet behind the left participant.
  • right – declares the IP address of the right participant’s public-network interface.
  • rightsubnet – declares the private subnet behind the right participant.
  • ike – used to declare a list of IKE/ISAKMP SA encryption/authentication algorithms to be used. Note that this can be a comma-separated list.
  • esp – specifies a list of ESP encryption/authentication algorithms to be used for the connection.
  • aggressive – declares whether to use Aggressive or Main Mode.
  • keyingtries – declares the number of attempts that should be made to negotiate a connection.
  • ikelifetime – specifies how long the keying channel of a connection should last before being renegotiated.
  • lifetime – specifies how long a particular instance of a connection should last, from successful negotiation to expiry.
  • dpddelay – declares the time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
  • dpdtimeout – used to declare the timeout interval, after which all connections to a peer are deleted in case of inactivity.
  • dpdaction – specifies how to use the Dead Peer Detection (DPD) protocol to manage the connection.

You can find a description of all configuration parameters for the strongSwan IPsec subsystem by reading the ipsec.conf man page.

# man ipsec.conf

Step 4: Configuring PSK for Peer-to-Peer Authentication


10. Next, you need to generate a strong PSK to be used by the peers for authentication as follows.

# head -c 24 /dev/urandom | base64

Generate PSK Key

11. Add the PSK to the /etc/strongswan/ipsec.secrets file on both security gateways.

# vi /etc/strongswan/ipsec.secrets

Enter the following lines in the file.

#Site 1 Gateway
192.168.56.7  192.168.56.6 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"

#Site 2 Gateway
192.168.56.6  192.168.56.7 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"
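The PSK is the only thing authenticating the two gateways to each other, so the secrets file has to be readable by root alone, and the secret should never pass through a shell history or a world-readable temporary file on its way in. The script below is an added example, not part of the article: it generates the PSK the same way as step 10 and writes the two lines from step 11 into a secrets file that is created owner-only from the start, then verifies the permissions. It writes to a temporary path so it can be run safely; on a gateway you would pass /etc/strongswan/ipsec.secrets instead.

```shell
#!/bin/sh
# Added example, not from the original article: generate a PSK the way the
# guide does and install it into an ipsec.secrets-style file that only the
# owner (root on a gateway) can read. Writes to a temp path for the demo.

# 24 random bytes, base64-encoded: 32 printable characters, as in the guide.
gen_psk() {
    head -c 24 /dev/urandom | base64
}

# Write the two PSK lines from the guide to FILE, created with mode 0600.
# Arguments: FILE SITE1_IP SITE2_IP PSK
write_secrets() {
    file=$1; ip1=$2; ip2=$3; psk=$4
    # umask 077 in a subshell: the file is owner-only from creation, so the
    # secret is never briefly readable by other users on the gateway.
    (
        umask 077
        cat > "$file" <<EOF
#Site 1 Gateway
$ip1  $ip2 : PSK "$psk"

#Site 2 Gateway
$ip2  $ip1 : PSK "$psk"
EOF
    )
}

# Return 0 if FILE has no group/other permission bits at all, 1 otherwise.
secrets_perms_ok() {
    for bit in 040 020 010 004 002 001; do
        [ -n "$(find "$1" -perm -"$bit")" ] && return 1
    done
    return 0
}

# Count the PSK entries in FILE (comment and blank lines are not counted).
count_psk_lines() {
    grep -c ': PSK "' "$1"
}

# Demonstration on a constructed temp path (constructed for this example).
SECRETS_FILE=$(mktemp -d)/ipsec.secrets
PSK=$(gen_psk)
write_secrets "$SECRETS_FILE" 192.168.56.7 192.168.56.6 "$PSK"
secrets_perms_ok "$SECRETS_FILE" && echo "ok: $SECRETS_FILE is readable by its owner only"
echo "entries: $(count_psk_lines "$SECRETS_FILE")"
```

Run `secrets_perms_ok /etc/strongswan/ipsec.secrets` as a quick check after editing the file by hand as well; a secrets file that has picked up group or world read bits (for example after being copied between the gateways with scp) should be fixed with `chmod 600` before restarting strongswan.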

12. Then restart the strongswan service and check the status of the connections.

# systemctl restart strongswan
# strongswan status

Check Strongswan Connections

13. Test whether you can reach the private subnets from either security gateway by running a ping command.

# ping 10.20.1.1
# ping 10.10.1.1

Ping Security Gateways

14. Last but not least, to learn more about the strongswan commands for manually bringing connections up or down and more, see the strongswan help page.

# strongswan --help

That’s all for now! To share your thoughts with us or ask questions, reach us via the feedback form below. And to learn more about the new swanctl utility and the new more flexible configuration structure, see the strongSwan User Documentation.
