@Horat1us
Created June 5, 2023 13:45
Configuring Site-to-Site IPSec VPN

Configuring Site-to-Site IPSec VPN on Ubuntu using Strongswan

Requirements

These instructions were tested on Ubuntu 22.04 LTS.

Open ports

Allow the following inbound traffic between the two public IPs on both instances (security group or firewall):

  • UDP 500 (IKE)
  • UDP 4500 (IKE and ESP encapsulated in UDP for NAT traversal)
  • IP protocol 50 (ESP; selected as a "Custom protocol" in AWS security groups)

For AWS: disable "Source / destination check"

  1. Go to EC2 Instances
  2. Choose instance
  3. Go to Actions -> Networking -> Change Source / destination check
  4. Choose "Stop"

Example

In the following example we configure a Site-to-Site IPSec VPN between two instances.

Site A

  • Private IP: 172.31.11.254
  • Private subnet: 172.31.11.0/24
  • Public IP: x.x.x.x

Site B

  • Private IP: 10.1.32.254
  • Private subnet: 172.31.11.0/24
  • Public IP: y.y.y.y

Installation

First, install strongSwan on both instances.

  1. Update your system:
```sh
sudo apt update && sudo apt upgrade -y
```
  2. Configure the kernel to enable packet forwarding for IPv4. Edit the sysctl configuration file:
```sh
sudo nano /etc/sysctl.conf
```
  3. Add the following lines to the file:
```
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
```
  4. Save and exit the file, then run the following command to load the settings:
```sh
sudo sysctl -p
```
  5. Install strongSwan and supporting dependencies:
```sh
sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y
```
  6. Set the service to start on boot:
```sh
sudo systemctl enable strongswan-starter
```
  7. Check the service status:
```sh
systemctl status strongswan-starter
```
  8. Generate a secure PSK to be used by both peers:
```sh
head -c 24 /dev/urandom | base64
```

Output:

```
wu1DcUd+4bJav5doD8gsD36CZBZdwuCl
```
  9. Add the key to the /etc/ipsec.secrets file:
```sh
sudo nano /etc/ipsec.secrets
```

Add the following line to the file (the same PSK on both instances; the two IDs are the local and remote public IPs, matching leftid/rightid in ipsec.conf):

  • on the Site-A instance:
```
x.x.x.x y.y.y.y : PSK "0kfrp1vSj006fxz2qjcwitqEGPepAnIR"
```
  • on the Site-B instance:
```
y.y.y.y x.x.x.x : PSK "0kfrp1vSj006fxz2qjcwitqEGPepAnIR"
```
  10. Back up the existing IPsec configuration:
```sh
sudo cp /etc/ipsec.conf /etc/ipsec.conf.bak
```
  11. Create the new configuration file:
```sh
sudo nano /etc/ipsec.conf
```
  • On the Site-A instance:
```
config setup
        # "all" is very verbose; lower it once the tunnel is stable
        charondebug="all"
        uniqueids=yes
conn site-a
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        # local private address behind AWS NAT and the subnet it routes for
        left=172.31.11.254
        leftsubnet=172.31.11.0/24
        # virtual IP requested from Site B (matches rightsourceip there);
        # optional for a plain site-to-site tunnel
        leftsourceip=172.31.11.254
        # IKE identity: the public IP, because the peer sees that address
        leftid=x.x.x.x
        right=y.y.y.y
        rightsubnet=10.1.32.0/24
        # SHA-1 and MODP-1024 are legacy; aes256-sha256-modp2048 is stronger
        # when both peers support it. The "!" makes the proposal strict.
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=86400s
        lifetime=43200s
        lifebytes=576000000
        # dead peer detection: probe every 30s, restart the tunnel after 120s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
```
  • On the Site-B instance:
```
config setup
        # "all" is very verbose; lower it once the tunnel is stable
        charondebug="all"
conn site-b
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        right=x.x.x.x
        rightsubnet=172.31.11.0/24
        # single-address pool handed to Site A's leftsourceip request;
        # optional for a plain site-to-site tunnel
        rightsourceip=172.31.11.254
        left=10.1.32.254
        leftid=y.y.y.y
        leftsubnet=10.1.32.0/24
        # SHA-1 and MODP-1024 are legacy; aes256-sha256-modp2048 is stronger
        # when both peers support it. The "!" makes the proposal strict.
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=86400s
        lifetime=43200s
        lifebytes=576000000
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
```
  12. Restart strongSwan:
```sh
sudo ipsec restart
```
  13. Check the IPSec status:
```sh
sudo ipsec statusall
```

Expected output:

Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.19.0-1026-aws, x86_64):
  uptime: 24 minutes, since Jun 05 13:18:48 2023
  malloc: sbrk 2588672, mmap 0, used 1801344, free 787328
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  172.31.11.254
Connections:
      site-a:  172.31.11.254...y.y.y.y  IKEv2, dpddelay=30s
      site-a:   local:  [x.x.x.x] uses pre-shared key authentication
      site-a:   remote: [y.y.y.y] uses pre-shared key authentication
      site-a:   child:  172.31.11.0/24 === 10.1.32.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      site-a[2]: ESTABLISHED 24 minutes ago, 172.31.11.187[18.184.129.96]...13.245.167.45[13.245.167.45]
      site-a[2]: IKEv2 SPIs: ..., pre-shared key reauthentication in 23 hours
      site-a[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      site-a{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c885ed77_i cdd1a184_o
      site-a{2}:  AES_CBC_256/HMAC_SHA1_96, 1869 bytes_i (16 pkts, 722s ago), 1495 bytes_o (14 pkts, 722s ago), rekeying in 11 hours
      site-a{2}:   172.31.11.0/24 === 10.1.32.0/24
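Reading this output by eye works once, but it is easy to miss a tunnel that is CONNECTING instead of ESTABLISHED or a CHILD SA narrowed to the wrong subnets. The following POSIX shell health check is an added example, not part of the gist: the function name `check_tunnel` is hypothetical, the sample output is constructed from the expected output above, and GNU grep is assumed.

```shell
#!/bin/sh
# Health check for the tunnel above (added example, not part of the gist).
# Reads `ipsec statusall` output on stdin and verifies that the IKE SA is
# ESTABLISHED and that the CHILD SA is INSTALLED with the expected subnets.
# Usage: sudo ipsec statusall | check_tunnel site-a 172.31.11.0/24 10.1.32.0/24
check_tunnel() {
  conn=$1; lsub=$2; rsub=$3
  out=$(cat)
  rc=0
  # IKE SA: a line "site-a[2]: ESTABLISHED ..." must be present
  if printf '%s\n' "$out" | grep -q "^ *${conn}\[[0-9]*\]: ESTABLISHED"; then
    echo "ok   IKE SA established"
  else
    echo "FAIL IKE SA not established (still CONNECTING or absent)"; rc=1
  fi
  # CHILD SA: "site-a{2}:  INSTALLED, TUNNEL ..." shows the ESP SA is in the kernel
  if printf '%s\n' "$out" | grep -q "^ *${conn}{[0-9]*}: *INSTALLED, TUNNEL"; then
    echo "ok   CHILD SA installed"
  else
    echo "FAIL CHILD SA not installed"; rc=1
  fi
  # Traffic selectors must be exactly the two private subnets
  if printf '%s\n' "$out" | grep -q "^ *${conn}{[0-9]*}: *${lsub} === ${rsub}"; then
    echo "ok   traffic selectors ${lsub} === ${rsub}"
  else
    echo "FAIL traffic selectors differ from ${lsub} === ${rsub}"; rc=1
  fi
  # "ESP in UDP" means NAT traversal over UDP 4500 is in use, as expected on AWS
  printf '%s\n' "$out" | grep -q 'ESP in UDP' && echo "info NAT-T (ESP in UDP) active"
  # The ike= line in the gist negotiates SHA-1 and MODP-1024; flag them
  printf '%s\n' "$out" | grep -Eq 'HMAC_SHA1|MODP_1024' && echo "warn legacy SHA-1/MODP-1024 negotiated"
  return $rc
}

# Constructed sample, trimmed from the expected output shown above
SAMPLE_UP='Security Associations (1 up, 0 connecting):
      site-a[2]: ESTABLISHED 24 minutes ago, 172.31.11.254[x.x.x.x]...y.y.y.y[y.y.y.y]
      site-a[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      site-a{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c885ed77_i cdd1a184_o
      site-a{2}:   172.31.11.0/24 === 10.1.32.0/24'

printf '%s\n' "$SAMPLE_UP" | check_tunnel site-a 172.31.11.0/24 10.1.32.0/24
```

The function exits non-zero when any check fails, so it can be run from cron or a monitoring agent on either instance.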

External links

  • strongswan.org - connection
  • techviewleo.com - Configure Site-to-Site VPN using StrongSwan on Ubuntu 22.04
  • serverfault.com - Strongswan VPN tunnel between two AWS instances won't connect
