Configuring IPSEC VPN

✨ deeznutz

✨ Master ✨
Staff member
May 15, 2017
In this topic, I will tell you how to configure IPSEC VPN using StrongSwan in Ubuntu 18.04.

So, the main purpose of a VPN is to create an encrypted secure tunnel between two or more remote networks.This ensures that communication that occurs over an insecure network, in this case the Internet, is protected.IPSEC is one of the VPN implementations that provides encryption and authentication services at the IP (Internet Protocol) level. Although its implementation is mandatory for IPv6 stacks, it is optional for IPv4 stacks. StrongSwan is an open source VPN software for Linux that implements IPSec.
It supports various protocols and IPsec extensions, such as IKE, X.509 digital certificates, NAT traversal ...

Configure IPSEC VPN using OpenSwan on Ubuntu 18.04

Install strongSwan on Ubuntu 18.04

Luckily, strongSwan is available by default in Ubuntu 18.04 repositories and therefore can be just installed using the command below;
apt install strongswan

Configuring the CA using the PKS strongSwan tool

In order for the VPN client to verify the authenticity of the VPN server, it is necessary to generate the certificate and key of the VPN server.
Before you can generate a server certificate and key, you must create a local CA to sign them. stronSwan provides a PKI utility that facilitates this process.
However, you need to install this utility by running the command below;
apt install strongswan-pki

After installation is complete, proceed to create a certification authority.
First, generate a private key for a self-signed CA certificate.
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-ca.key.pem

Make sure you give this key the absolute confidentiality it deserves.
Generate a CA VPN server and self-sign with the key generated above.
ipsec pki --self --in vpn-ca.key.pem --type rsa --dn "CN=VPN Server root CA" --ca --lifetime 3650 --outform pem > vpn-ca.cert.pem

Then generate the private key of the VPN server and issue the corresponding certificate using the CA created above.
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-server.key.pem

Once you have the server key, create the server certificate by running the command below. Be sure to replace the DN and SAN respectively.
ipsec pki --pub --in vpn-server.key.pem --type rsa \ |
ipsec pki --issue --lifetime 2750 \
--cacert vpn-ca.cert.pem \
--cakey vpn-ca.key.pem \
--dn "" \
--san="" \
--flag serverAuth --flag ikeIntermediate --outform pem > vpn-server.cert.pem

Install certificates

Now that you have received all the certificates, you can install them by moving them to the appropriate IPSec certificate directories in /etc/ipsec.d.
mv vpn-ca.cert.pem /etc/ipsec.d/cacerts/
mv vpn-server.cert.pem /etc/ipsec.d/certs/
mv {vpn-ca.key.pem,vpn-server.key.pem} /etc/ipsec.d/private/

Configure StrongSwan in Ubuntu 18.04

The /etc/ipsec.conf configuration file contains most of the configuration and management information for the strongSwan IPS subsystem.
It consists of three different types of partitions:
CONFIG SECTIONS (configuration setting) —determines
general configuration settings
CONN SECTIONS (conn <name>)
—The conn section contains the connection specification that defines the network connection that will be made using IPsec.
CA SECTION (ca <name>)
- It defines a certification authority.
Before you can customize this file, back it up.
cp /etc/ipsec.conf /etc/ipsec.conf.bak
vim /etc/ipsec.conf

Define CONFIGURATION parameters;
config setup
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

The c harondebug = <debug list> parameter defines the charon debug log, in which the debug list can be dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv . The levels of logging can be one of -1, 0, 1, 2, 3, 4 (for no display, audit, control, control, raw, private). By default, the level is set to 1 for all types. A description of debug lists can be found in the “LOGER CONFIGURATION” section on the site strongswan.conf (5).
The strictcrlpolicy parameter specifies whether a new CRL should be available for successful peer-to-peer authentication based on RSA signatures.
uniqueids determines whether a particular member ID should remain unique.
cachecrls determines whether to cache certificate revocation lists (CRLs) obtained via HTTP or LDAP.
Define CONNECTION parameters;

conn ipsec-ikev2-vpn
type=tunnel # defines the type of connection, tunnel.
left=%any # if using IP, define it without the @ sign
leftcert=vpn-server.cert.pem # reads the VPN server cert in /etc/ipsec.d/certs
rightsourceip= # IP address Pool to be assigned to the clients
rightdns= # DNS to be assigned to clients
eap_identity=%identity # defines the identity the client uses to reply to an EAP Identity request.

For a detailed description of the connection parameters and the values used in the configuration above, see man ipsec.conf.
Next, you need to configure the client-server authentication credentials.
Authentication credentials are specified in the /etc/ipsec.secrets configuration file.
Thus, open this file and determine the RSA private keys for authentication.
You can also set up EAP user credentials by entering a random username and password.
Pay attention to the interval.

vim /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA vpn-server.key.pem # VPN server key generated above
# <user id> : EAP <secret>
vpnsecure : EAP "P@sSw0Rd" # Random

Save the configuration file and restart strongSwan for the changes to take effect.
systemctl restart strongswan

To make sure that strongSwan has a private key, run the command below;
ipsec listcerts

List of X.509 End Entity Certificates

subject: "CN ="
issuer: "CN = VPN Server root CA"
validity: not before Feb 09 20:27:18 2019, ok
not after Aug 21 20:27:18 2026, ok (expires in 2749 days)
serial: 56: e5: 08: a6: db: f6: 6b: d0
flags: serverAuth ikeIntermediate
authkeyId: 68: 40: 92: 5b: 53: c4: 99: 18: 3e : 7e: cb: 6b: 5b : 32: d5: 05: f7: de: 88: 74
subjkeyId: 09: 2f: bd: 61: bd: 47: 1b: c8: 13: e0: 2f: 65: c0: 9f: 12: 7b: 0e: e8: c4: 9b
pubkey: RSA 4096 bits, has private key
keyid: 75: 72: 19: 89: 62: 97: 27: 55: a0: 4f: 68: be: 6a: c9: 14: 98: 04: 87: be: a3
subjkey: 09: 2f: bd: 61: bd: 47: 1b: c8: 13: e0: 2f: 65: c0: 9f: 12: 7b: 0e: e8 : c4: 9b

Configure Firewall and Routing

Set UFW to allow and forward VPN traffic.
For IPsec to work through a firewall, you need to open UDP ports 500 and 4500.
ufw allow 500/udp # Allows Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded
ufw allow 4500/udp # Allows handling of IPsec between natted devices

Then edit /etc/ufw/before.rules so that your configuration looks lower.
Replace the IP pool and default route interface accordingly.
See highlighted lines added immediately before and after the filter *.
Top Bottom