- Joined
- May 15, 2017
- Messages
- 981
- Likes
- 760
- Points
- 1,045
In this topic, I will tell you how to configure IPSEC VPN using StrongSwan in Ubuntu 18.04.
So, the main purpose of a VPN is to create an encrypted secure tunnel between two or more remote networks.This ensures that communication that occurs over an insecure network, in this case the Internet, is protected.IPSEC is one of the VPN implementations that provides encryption and authentication services at the IP (Internet Protocol) level. Although its implementation is mandatory for IPv6 stacks, it is optional for IPv4 stacks. StrongSwan is an open source VPN software for Linux that implements IPSec.
It supports various protocols and IPsec extensions, such as IKE, X.509 digital certificates, NAT traversal ...
Configure IPSEC VPN using OpenSwan on Ubuntu 18.04
Install strongSwan on Ubuntu 18.04
Luckily, strongSwan is available by default in Ubuntu 18.04 repositories and therefore can be just installed using the command below;
Configuring the CA using the PKS strongSwan tool
In order for the VPN client to verify the authenticity of the VPN server, it is necessary to generate the certificate and key of the VPN server.
Before you can generate a server certificate and key, you must create a local CA to sign them. stronSwan provides a PKI utility that facilitates this process.
However, you need to install this utility by running the command below;
After installation is complete, proceed to create a certification authority.
First, generate a private key for a self-signed CA certificate.
Make sure you give this key the absolute confidentiality it deserves.
Generate a CA VPN server and self-sign with the key generated above.
Then generate the private key of the VPN server and issue the corresponding certificate using the CA created above.
Once you have the server key, create the server certificate by running the command below. Be sure to replace the DN and SAN respectively.
Install certificates
Now that you have received all the certificates, you can install them by moving them to the appropriate IPSec certificate directories in /etc/ipsec.d.
Configure StrongSwan in Ubuntu 18.04
The /etc/ipsec.conf configuration file contains most of the configuration and management information for the strongSwan IPS subsystem.
It consists of three different types of partitions:
CONFIG SECTIONS (configuration setting) —determines
general configuration settings
CONN SECTIONS (conn <name>)
—The conn section contains the connection specification that defines the network connection that will be made using IPsec.
CA SECTION (ca <name>)
- It defines a certification authority.
Before you can customize this file, back it up.
Define CONFIGURATION parameters;
The c harondebug = <debug list> parameter defines the charon debug log, in which the debug list can be dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv . The levels of logging can be one of -1, 0, 1, 2, 3, 4 (for no display, audit, control, control, raw, private). By default, the level is set to 1 for all types. A description of debug lists can be found in the “LOGER CONFIGURATION” section on the site strongswan.conf (5).
The strictcrlpolicy parameter specifies whether a new CRL should be available for successful peer-to-peer authentication based on RSA signatures.
uniqueids determines whether a particular member ID should remain unique.
cachecrls determines whether to cache certificate revocation lists (CRLs) obtained via HTTP or LDAP.
Define CONNECTION parameters;
For a detailed description of the connection parameters and the values used in the configuration above, see man ipsec.conf.
Next, you need to configure the client-server authentication credentials.
Authentication credentials are specified in the /etc/ipsec.secrets configuration file.
Thus, open this file and determine the RSA private keys for authentication.
You can also set up EAP user credentials by entering a random username and password.
Pay attention to the interval.
Save the configuration file and restart strongSwan for the changes to take effect.
To make sure that strongSwan has a private key, run the command below;
List of X.509 End Entity Certificates
Configure Firewall and Routing
Set UFW to allow and forward VPN traffic.
For IPsec to work through a firewall, you need to open UDP ports 500 and 4500.
Then edit /etc/ufw/before.rules so that your configuration looks lower.
Replace the IP pool and default route interface accordingly.
See highlighted lines added immediately before and after the filter *.
So, the main purpose of a VPN is to create an encrypted secure tunnel between two or more remote networks.This ensures that communication that occurs over an insecure network, in this case the Internet, is protected.IPSEC is one of the VPN implementations that provides encryption and authentication services at the IP (Internet Protocol) level. Although its implementation is mandatory for IPv6 stacks, it is optional for IPv4 stacks. StrongSwan is an open source VPN software for Linux that implements IPSec.
It supports various protocols and IPsec extensions, such as IKE, X.509 digital certificates, NAT traversal ...
Configure IPSEC VPN using OpenSwan on Ubuntu 18.04
Install strongSwan on Ubuntu 18.04
Luckily, strongSwan is available by default in Ubuntu 18.04 repositories and therefore can be just installed using the command below;
Configuring the CA using the PKS strongSwan tool
In order for the VPN client to verify the authenticity of the VPN server, it is necessary to generate the certificate and key of the VPN server.
Before you can generate a server certificate and key, you must create a local CA to sign them. stronSwan provides a PKI utility that facilitates this process.
However, you need to install this utility by running the command below;
After installation is complete, proceed to create a certification authority.
First, generate a private key for a self-signed CA certificate.
Make sure you give this key the absolute confidentiality it deserves.
Generate a CA VPN server and self-sign with the key generated above.
Then generate the private key of the VPN server and issue the corresponding certificate using the CA created above.
Once you have the server key, create the server certificate by running the command below. Be sure to replace the DN and SAN respectively.
Install certificates
Now that you have received all the certificates, you can install them by moving them to the appropriate IPSec certificate directories in /etc/ipsec.d.
Configure StrongSwan in Ubuntu 18.04
The /etc/ipsec.conf configuration file contains most of the configuration and management information for the strongSwan IPS subsystem.
It consists of three different types of partitions:
CONFIG SECTIONS (configuration setting) —determines
general configuration settings
CONN SECTIONS (conn <name>)
—The conn section contains the connection specification that defines the network connection that will be made using IPsec.
CA SECTION (ca <name>)
- It defines a certification authority.
Before you can customize this file, back it up.
Define CONFIGURATION parameters;
The c harondebug = <debug list> parameter defines the charon debug log, in which the debug list can be dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv . The levels of logging can be one of -1, 0, 1, 2, 3, 4 (for no display, audit, control, control, raw, private). By default, the level is set to 1 for all types. A description of debug lists can be found in the “LOGER CONFIGURATION” section on the site strongswan.conf (5).
The strictcrlpolicy parameter specifies whether a new CRL should be available for successful peer-to-peer authentication based on RSA signatures.
uniqueids determines whether a particular member ID should remain unique.
cachecrls determines whether to cache certificate revocation lists (CRLs) obtained via HTTP or LDAP.
Define CONNECTION parameters;
For a detailed description of the connection parameters and the values used in the configuration above, see man ipsec.conf.
Next, you need to configure the client-server authentication credentials.
Authentication credentials are specified in the /etc/ipsec.secrets configuration file.
Thus, open this file and determine the RSA private keys for authentication.
You can also set up EAP user credentials by entering a random username and password.
Pay attention to the interval.
Save the configuration file and restart strongSwan for the changes to take effect.
To make sure that strongSwan has a private key, run the command below;
List of X.509 End Entity Certificates
Configure Firewall and Routing
Set UFW to allow and forward VPN traffic.
For IPsec to work through a firewall, you need to open UDP ports 500 and 4500.
Then edit /etc/ufw/before.rules so that your configuration looks lower.
Replace the IP pool and default route interface accordingly.
See highlighted lines added immediately before and after the filter *.