How to Set Up IPsec-based VPN with Strongswan on Debian and Ubuntu


strongSwan is an open-source, cross-platform, full-featured, and widely-used IPsec-based VPN (Virtual Private Network) implementation that runs on Linux, FreeBSD, OS X, Windows, Android, and iOS. It is primarily a keying daemon that supports the Internet Key Exchange protocols (IKEv1 and IKEv2) to establish security associations (SA) between two peers.

This article describes how to set up site-to-site IPSec VPN gateways using strongSwan on Ubuntu and Debian servers. By site-to-site we mean that each security gateway has a sub-net behind it. In addition, the peers will authenticate each other using a pre-shared key (PSK).

Testing Environment

Remember to replace the following IPs with your real-world IPs to configure your environment.

Site 1 Gateway (tecmint-devgateway)

OS 1: Debian or Ubuntu
Public IP: 10.20.20.1
Private IP: 192.168.0.101/24
Private Subnet: 192.168.0.0/24

Site 2 Gateway (tecmint-prodgateway)

OS 2: Debian or Ubuntu
Public IP: 10.20.20.3
Private IP: 10.0.2.15/24
Private Subnet: 10.0.2.0/24

Step 1: Enabling Kernel Packet Forwarding

1. First, you need to configure the kernel to enable packet forwarding by adding the appropriate system variables in the /etc/sysctl.conf configuration file on both security gateways.

$ sudo vim /etc/sysctl.conf

Look for the following lines, uncomment them and set their values as shown (read the comments in the file for more information).

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

2. Next, load the new settings by running the following command.

$ sudo sysctl -p

Load Sysctl Kernel Settings

3. If you have the UFW firewall service enabled, you need to add the following rules to the /etc/ufw/before.rules configuration file, just before the filter rules, on each security gateway.

Site 1 Gateway (tecmint-devgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24 -d 192.168.0.0/24 -j MASQUERADE
COMMIT

Site 2 Gateway (tecmint-prodgateway)

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -d 10.0.2.0/24 -j MASQUERADE
COMMIT

4. Once the firewall rules have been added, apply the new changes by restarting UFW as shown.

$ sudo ufw disable
$ sudo ufw enable
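A quick way to confirm that the four sysctl settings from step 1 are really in place before moving on is to audit the file rather than eyeball it. The script below is an added example, not part of the article or of any strongSwan tooling: it reads a sysctl.conf-style file, ignores commented-out lines, lets a later assignment override an earlier one (as sysctl -p does), and reports any key that is missing or holds the wrong value. The sample file it writes is constructed for the demo; on a real gateway you would point audit_sysctl at /etc/sysctl.conf.

```sh
#!/bin/sh
# Added example (not from the article): audit a sysctl.conf-style file for the
# packet-forwarding and redirect settings required by the gateway setup.
# Commented-out or missing keys count as failures.

# sysctl_value FILE KEY: print the effective value of KEY (last uncommented
# assignment wins, mirroring how "sysctl -p" applies the file in order).
sysctl_value() {
    awk -v key="$2" -F'=' '
        /^[ \t]*#/ { next }                 # skip comment lines
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# audit_sysctl FILE: return 0 when all four settings hold the required value,
# otherwise print each failing key and return 1.
audit_sysctl() {
    rc=0
    for want in net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 \
                net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.send_redirects=0; do
        key=${want%%=*}; exp=${want#*=}
        got=$(sysctl_value "$1" "$key")
        if [ "$got" != "$exp" ]; then
            printf 'FAIL %s: want %s, have %s\n' "$key" "$exp" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample resembling /etc/sysctl.conf; the IPv6 line is still
# commented out, so the audit reports it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real gateway's file
net.ipv4.ip_forward = 1
#net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
audit_sysctl "$sample" || echo "fix the lines above, then run: sudo sysctl -p"
```

Run it on both gateways after editing the file; a clean exit (no FAIL lines) means sysctl -p will load exactly the values the article expects.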

Step 2: Installing strongSwan in Debian and Ubuntu

5. Update your package cache on both security gateways and install the strongswan package using the APT package manager.

$ sudo apt update
$ sudo apt install strongswan

6. Once the installation is complete, the installer script will start the strongswan service and enable it to start automatically at system boot. You can check its status and whether it is enabled using the following commands.

$ sudo systemctl status strongswan.service
$ sudo systemctl is-enabled strongswan.service

Step 3: Configuring Security Gateways

7. Next, you need to configure the security gateways using the /etc/ipsec.conf configuration file.

Site 1 Gateway (tecmint-devgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn devgateway-to-prodgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Site 2 Gateway (tecmint-prodgateway)

$ sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
$ sudo nano /etc/ipsec.conf

Copy and paste the following configuration into the file.

config setup
        charondebug="all"
        uniqueids=yes
conn prodgateway-to-devgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Here is the meaning of each configuration parameter:

  • config setup – specifies general configuration information for IPSec which applies to all connections.
  • charondebug – defines how much Charon debugging output should be logged.
  • uniqueids – specifies whether a particular participant ID should be kept unique.
  • conn prodgateway-to-devgateway – defines the connection name.
  • type – defines the connection type.
  • auto – how to handle the connection when IPSec is started or restarted.
  • keyexchange – defines the version of the IKE protocol to use.
  • authby – defines how the peers should authenticate each other.
  • left – defines the IP address of the left participant’s public-network interface.
  • leftsubnet – states the private subnet behind the left participant.
  • right – specifies the IP address of the right participant’s public-network interface.
  • rightsubnet – states the private subnet behind the right participant.
  • ike – defines a list of IKE/ISAKMP SA encryption/authentication algorithms to be used. You can add a comma-separated list.
  • esp – defines a list of ESP encryption/authentication algorithms to be used for the connection. You can add a comma-separated list.
  • aggressive – states whether to use Aggressive or Main Mode.
  • keyingtries – states the number of attempts that should be made to negotiate a connection.
  • ikelifetime – states how long the keying channel of a connection should last before being renegotiated.
  • lifetime – defines how long a particular instance of a connection should last, from successful negotiation to expiry.
  • dpddelay – specifies the time interval at which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
  • dpdtimeout – specifies the timeout interval after which all connections to a peer are deleted in case of inactivity.
  • dpdaction – defines how to use the Dead Peer Detection (DPD) protocol to manage the connection.

For more information about the above configuration parameters, read the ipsec.conf man page by running the following command.

$ man ipsec.conf
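The two configurations above must mirror each other exactly: site 1's left and leftsubnet are site 2's right and rightsubnet, and both sides must offer the same ike and esp proposals, otherwise IKE negotiation fails with a traffic-selector or proposal mismatch. The script below is an added example, not the article's own commands and not strongSwan tooling, that checks this mechanically. It assumes the classic ipsec.conf syntax used above (one key=value per line, indented under a conn section); the sample files it writes are constructed copies of the two gateway configurations, plus one with a deliberate subnet typo.

```sh
#!/bin/sh
# Added example (not from the article or the strongSwan project): verify that
# two site-to-site ipsec.conf files mirror each other before restarting IPsec.

# conf_get FILE KEY: print the value of KEY (first occurrence), trimmed of
# surrounding whitespace, so "rightsubnet=1.2.3.0/24 " compares cleanly.
conf_get() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# check_mirror SITE1_CONF SITE2_CONF: return 0 when site 1's left/leftsubnet
# equal site 2's right/rightsubnet (and vice versa) and both propose the same
# ike/esp algorithms; otherwise print each mismatch and return 1.
check_mirror() {
    a="$1"; b="$2"; rc=0
    for pair in left:right right:left leftsubnet:rightsubnet \
                rightsubnet:leftsubnet ike:ike esp:esp; do
        ka=${pair%%:*}; kb=${pair#*:}
        va=$(conf_get "$a" "$ka"); vb=$(conf_get "$b" "$kb")
        if [ -z "$va" ] || [ "$va" != "$vb" ]; then
            printf 'mismatch: site1 %s=%s vs site2 %s=%s\n' "$ka" "$va" "$kb" "$vb"
            rc=1
        fi
    done
    return $rc
}

# make_samples: write constructed copies of the two gateway configs (and one
# with a deliberate subnet typo) into a temp directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/site1.conf" <<'EOF'
conn devgateway-to-prodgateway
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
EOF
    cat > "$dir/site2.conf" <<'EOF'
conn prodgateway-to-devgateway
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
EOF
    sed 's#rightsubnet=192.168.0.101/24#rightsubnet=192.168.1.101/24#' \
        "$dir/site2.conf" > "$dir/site2-typo.conf"
    echo "$dir"
}

dir=$(make_samples)
check_mirror "$dir/site1.conf" "$dir/site2.conf" && echo "site1 <-> site2: consistent"
check_mirror "$dir/site1.conf" "$dir/site2-typo.conf" || echo "site1 <-> site2-typo: fix before ipsec restart"
```

On real gateways, copy the peer's /etc/ipsec.conf over and run check_mirror against the two files before ipsec restart. The proposals are compared verbatim, so the check also catches a side that was hardened on its own: note that aes256-sha1-modp1024 uses SHA-1 and a 1024-bit DH group, which current guidance treats as weak; a proposal such as aes256-sha256-modp2048 is accepted by the same syntax and must then be set identically on both peers.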

Step 4: Configuring PSK for Peer-to-Peer Authentication

8. After configuring both security gateways, generate a secure PSK to be used by the peers using the following command.

$ head -c 24 /dev/urandom | base64

Generate PSK Key

9. Next, add the PSK to the /etc/ipsec.secrets file on both gateways.

$ sudo vim /etc/ipsec.secrets

Copy and paste the corresponding line on each gateway.

------- Site 1 Gateway (tecmint-devgateway) -------

10.20.20.1 10.20.20.3 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="

------- Site 2 Gateway (tecmint-prodgateway) -------

10.20.20.3 10.20.20.1 : PSK "qLGLTVQOfqvGLsWP75FEtLGtwN3Hu0ku6C5HItKo6ac="
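Two things go wrong most often at this step: the key is pasted with a typo on one side, so IKE authentication fails, and /etc/ipsec.secrets is left world-readable, which exposes the key to any local user. The script below is an added example (not the article's own commands and not strongSwan tooling) that generates the PSK exactly as in step 8, writes the secrets entry with owner-only permissions, and confirms that the entries on both gateways carry the same key. It writes to constructed temporary files; on real gateways the target is /etc/ipsec.secrets, written as root.

```sh
#!/bin/sh
# Added example (not from the article): generate a PSK, write the
# ipsec.secrets entry with mode 0600, and verify both peers hold the same key.

# gen_psk: 24 random bytes, base64-encoded (32 characters), as in step 8.
gen_psk() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# write_secrets FILE LOCAL_IP PEER_IP PSK: write the 'LOCAL PEER : PSK "..."'
# line. umask 077 in a subshell makes the new file readable by its owner only.
write_secrets() {
    (umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" > "$1")
}

# secrets_psk FILE ID1 ID2: print the PSK stored for that pair of peer IDs.
secrets_psk() {
    awk -v p1="$2" -v p2="$3" '
        $1 == p1 && $2 == p2 && $3 == ":" && $4 == "PSK" {
            k = $5; gsub(/"/, "", k); print k; exit
        }' "$1"
}

# psk_matches SITE1_SECRETS SITE2_SECRETS IP1 IP2: return 0 when both files
# hold an identical, non-empty PSK for the pair (each side lists itself first).
psk_matches() {
    k1=$(secrets_psk "$1" "$3" "$4")
    k2=$(secrets_psk "$2" "$4" "$3")
    [ -n "$k1" ] && [ "$k1" = "$k2" ]
}

# file_mode FILE: the permission string, e.g. "-rw-------".
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Demo on constructed temp files standing in for the two gateways' secrets.
dir=$(mktemp -d)
psk=$(gen_psk)
write_secrets "$dir/site1.secrets" 10.20.20.1 10.20.20.3 "$psk"
write_secrets "$dir/site2.secrets" 10.20.20.3 10.20.20.1 "$psk"
if psk_matches "$dir/site1.secrets" "$dir/site2.secrets" 10.20.20.1 10.20.20.3; then
    echo "PSK entries match; site1 file mode: $(file_mode "$dir/site1.secrets")"
else
    echo "PSK mismatch: IKE authentication between the peers will fail"
fi
```

If a gateway's existing /etc/ipsec.secrets is more permissive than -rw-------, tighten it with chmod 600 before restarting; strongSwan reads the file as root, so nothing else needs access to it.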

10. Restart the IPSec service and check its status to view the connections.

$ sudo ipsec restart
$ sudo ipsec status

View IPSec Connection Status

11. Finally, verify that you can reach the private sub-nets from either security gateway by running a ping command.

$ ping 192.168.0.101
$ ping 10.0.2.15

Verify Site-to-Site VPN Setup

12. You can also stop and start IPSec as shown.

$ sudo ipsec stop
$ sudo ipsec start

13. To learn more about IPSec commands, for example to bring up connections manually, see the IPSec help page.

$ ipsec --help

That’s all! In this article, we have described how to set up a site-to-site IPSec VPN using strongSwan on Ubuntu and Debian servers, where both security gateways were configured to authenticate each other using a PSK. If you have any questions or thoughts to share, reach us via the feedback form below.
