Site-to-Site (IPSEC) VPN setup using StrongSwan (openswan) 5.3.5 on Ubuntu 16.x LTS


1- OS Installation

Ubuntu Server 16.x LTS is the tested and recommended OS for the VPN gateway.

2- Update your repository indexes and install strongswan:

$ sudo apt update && sudo apt upgrade -y
$ sudo apt install strongswan -y


3- Set the following kernel parameters (the gateway must forward packets between the two subnets, and ICMP redirects are disabled so the kernel does not try to re-route traffic that belongs in the tunnel):

$ sudo tee -a /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF

$ sudo sysctl -p /etc/sysctl.conf

4- Generate a Pre-shared Key:

Both gateways must be configured with the same pre-shared key, so generate one long random value and use it on both sides.

For example: dP87zRQqylaoeF5I8o

5- Configuring the customer side:

Site A: CloudAcropolis side

External(Public) IP Address: X.X.X.X

Internal(Private) IP Address: Y.Y.Y.Y/Z 

Site B: Customer side

External(Public) IP Address: A.A.A.A

Internal(Private) IP Address: B.B.B.B/C

 

We will set up our VPN gateway in Site B (customer side). First create the /etc/ipsec.secrets file; the entry lists the two public IPs the key is valid for, followed by the PSK:

$ sudo cat /etc/ipsec.secrets
A.A.A.A X.X.X.X : PSK "dP87zRQqylaoeF5I8o"

Next, set up the VPN connection in /etc/ipsec.conf (left is always the local side, right the remote side):

$ sudo cat /etc/ipsec.conf
# basic configuration
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

# connection to CloudAcropolis
conn customer_x-to-CloudAcropolis_DC
        keyexchange=ikev1               # IKEv1 in main mode, as agreed in the proposal list below
        authby=secret                   # pre-shared key from /etc/ipsec.secrets
        left=%defaultroute              # local endpoint: the interface holding the default route
        leftid=A.A.A.A                  # our public IP, matching the ipsec.secrets entry
        leftsubnet=B.B.B.B/C            # customer private range
        right=X.X.X.X                   # CloudAcropolis public IP
        rightsubnet=Y.Y.Y.Y/Z           # CloudAcropolis private range
        ike=aes256-sha2_256-modp1024!   # Phase 1: AES-256, SHA-256, DH group 2; "!" forbids other proposals
        esp=aes256-sha2_256-modp1024!   # Phase 2: AES-256, SHA-256; the DH group enables PFS as listed below
        keyingtries=0                   # retry forever
        ikelifetime=1h                  # ISAKMP lifetime (3600 s)
        lifetime=8h                     # IPsec SA lifetime (28800 s)
        dpddelay=30                     # dead peer detection probe every 30 s
        dpdtimeout=120                  # peer considered dead after 120 s
        dpdaction=restart               # re-establish the tunnel when the peer is dead
        auto=start                      # bring the connection up when the daemon starts

6- Start the VPN:

$ sudo ipsec restart

Get the status of the tunnel. In this case we are logged on to our Site A (CloudAcropolis) server; the first line is the IKE SA, the following two are the CHILD (ESP) SA and the subnets it protects:

$ sudo ipsec status
Security Associations (1 up, 0 connecting):
customer_x-to-CloudAcropolis_DC [2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
customer_x-to-CloudAcropolis_DC {1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_o
customer_x-to-CloudAcropolis_DC {1}:   10.10.27.1/24 === 10.9.141.1/24
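A small health check for this tunnel, added here as an example and not part of the original article: it reads `ipsec status` output (a constructed sample modelled on the listing above) and confirms that the IKE SA is ESTABLISHED, that a CHILD SA is INSTALLED in TUNNEL mode, and that the installed traffic selectors are the subnets we expect, since a tunnel can be "up" while protecting the wrong ranges if leftsubnet/rightsubnet were mistyped. When no status text is passed in, it assumes it runs as root and calls `ipsec status` itself.

```shell
#!/bin/sh
# Added health check for the site-to-site tunnel; not from the original article.

# Constructed sample, modelled on the `ipsec status` output shown above.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
customer_x-to-CloudAcropolis_DC [2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
customer_x-to-CloudAcropolis_DC {1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_o
customer_x-to-CloudAcropolis_DC {1}:   10.10.27.1/24 === 10.9.141.1/24'

# Escape the dots of a subnet so grep matches it literally.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# tunnel_healthy CONN LOCAL_SUBNET REMOTE_SUBNET [STATUS_TEXT]
# STATUS_TEXT defaults to live `ipsec status CONN` output (assumed to run as root).
# Returns 0 when all three checks pass, 1 otherwise, naming the failed check on stderr.
tunnel_healthy() {
    conn=$1
    lsub=$(re_escape "$2")
    rsub=$(re_escape "$3")
    status=${4:-$(ipsec status "$conn" 2>/dev/null)}

    # 1. IKE SA (Phase 1) is established: "<conn> [n]: ESTABLISHED ..."
    printf '%s\n' "$status" | grep -q "^$conn \[[0-9]*\]: ESTABLISHED" \
        || { echo "$conn: IKE SA not ESTABLISHED" >&2; return 1; }
    # 2. CHILD SA (Phase 2) is installed in tunnel mode: "<conn> {n}: INSTALLED, TUNNEL ..."
    printf '%s\n' "$status" | grep -q "^$conn {[0-9]*}: *INSTALLED, TUNNEL" \
        || { echo "$conn: no CHILD SA INSTALLED in TUNNEL mode" >&2; return 1; }
    # 3. Traffic selectors are the expected subnets: "<conn> {n}: local === remote"
    printf '%s\n' "$status" | grep -q "^$conn {[0-9]*}: *$lsub === $rsub\$" \
        || { echo "$conn: traffic selectors do not match $2 === $3" >&2; return 1; }
    return 0
}

# Stand-alone run against the constructed sample; the exit status is the verdict.
tunnel_healthy customer_x-to-CloudAcropolis_DC 10.10.27.1/24 10.9.141.1/24 "$SAMPLE_STATUS"
```

Drop the fourth argument to check the live daemon, e.g. from cron, and alert on a non-zero exit.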

Test whether we can reach the remote end on its private range:

$ ping B.B.B.B
PING 10.9.141.97 (10.9.141.97) 56(84) bytes of data.
64 bytes from 10.9.141.97: icmp_seq=1 ttl=64 time=14.6 ms

7- Set the service to start on boot:

$ sudo systemctl enable strongswan

Some useful commands:

$ sudo ipsec up connection-name      # initiate a named connection
$ sudo ipsec down connection-name    # tear a named connection down
$ sudo ipsec restart                 # restart the daemon and re-read ipsec.conf
$ sudo ipsec status                  # summary of IKE and CHILD SAs
$ sudo ipsec statusall               # full status: listening addresses, loaded connections, negotiated algorithms
$ sudo ip xfrm state                 # IPsec SAs as installed in the kernel (SPIs, algorithms, counters)
$ sudo ip xfrm policy                # kernel IPsec policies (which traffic is sent through the tunnel)
$ sudo ipsec rereadsecrets           # reload /etc/ipsec.secrets without restarting
$ sudo tcpdump esp                   # capture ESP packets on the wire (NAT-T encapsulated traffic shows as UDP port 4500 instead)

IPSec Proposal list

No. | Parameter                     | Value (StrongSWAN 5.3.5, CA side) | Value (Customer side)
----+-------------------------------+-----------------------------------+----------------------
 1  | VPN Gateway                   | StrongSWAN 5.3.5 (CA)             | Customer Side
 2  | Tunnel Source (Public IP)     | X.X.X.X                           |
 3  | LAN Address (Private IP range)| 172.27.X.X/27                     |
 4  | IKE Version (Key Exchange)    | IKEv1                             | IKEv1
 5  | IKE Auth. Algorithm           | SHA2 (SHA256)                     | SHA2 (SHA256)
 6  | IKE Enc. Algorithm            | AES256                            | AES256
 7  | ESP Auth. Algorithm           | SHA2 (SHA256)                     | SHA2 (SHA256)
 8  | ESP Enc. Algorithm            | AES256                            | AES256
 9  | PFS                           | Yes                               | Yes
10  | DH-Group                      | Group 2 (modp1024)                | Group 2 (modp1024)
11  | Authentication Type           | PSK                               | PSK
12  | Pre-Shared Key                | secure_PSK                        | secure_PSK
13  | ISAKMP lifetime (seconds)     | 3600                              | 3600
14  | IPSec lifetime (seconds)      | 28800                             | 28800
15  | IPSec operation mode          | Tunnel                            | Tunnel
16  | Negotiation mode (Exchange)   | Main                              | Main

