生まれ変わる - umarekawaru

User Tools

Site Tools

Trace:
technical:ipsec:strongswan

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
technical:ipsec:strongswan [2023/03/27 15:35] jctechnical:ipsec:strongswan [2023/06/12 10:52] (current) jc
Line 1: Line 1:
 <markdown> <markdown>
 # Description # Description
 +This example demonstrates how to configure a Site-to-Site IPSec VPN with Strongswan and SSL certificates. The example was tested and verified using Fedora VMs in GNS3.
 +# Install
 +Install the strongswan package from fedora package repository.
 +```bash
 +dnf install -y strongswan
 +```
 +# Configuration
 +## IP Forwarding
 +Enable IPv4 traffic forwarding on both VPN sites.
 +/etc/sysctl.conf
 +```bash
 +net.ipv4.ip_forward = 1
 +```
 +Reload sysctl settings
 +```bash
 +sysctl -p
 +```
 +## Network
 +Configure a network interface for the WAN connection between VPNs and a network interface for the LAN host network.
 +### VPN-Site-1
 +```bash
 +nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.1/30
 +nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.80.1/24 mtu 1460
 +nmcli connection reload
 +```
 +### VPN-Site-2
 +```bash
 +nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.2/30
 +nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.90.1/24 mtu 1460
 +nmcli connection reload
 +```
 +## Firewall
 +Configure firewall rules for both VPN sites.
 +```bash
 +firewall-cmd --permanent --add-zone=wan
 +firewall-cmd --permanent --change-zone=ens4 --zone=wan
 +firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="esp" accept'
 +firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="ah" accept'
 +firewall-cmd --zone=wan --permanent --add-port=500/udp
 +firewall-cmd --zone=wan --permanent --add-port=4500/udp
 +firewall-cmd --zone=wan --permanent --add-service="ipsec"
 +firewall-cmd --reload
 +```
 +## Certificates
 +1. Generate and sign certificates and private keys for both VPN sites.
 +
 +2. Copy the CA certificate, server certificate, and private key to both VPN sites.
 +```bash
 +cp <ca_cert> /etc/strongswan/ipsec.d/cacerts/
 +cp <server_cert> /etc/strongswan/ipsec.d/certs/
 +cp <vpn_key> /etc/strongswan/ipsec.d/private/
 +```
 +
 +3. Add the CA certificate to the certificate trust store.
 +```bash
 +cp <ca_cert> /etc/pki/ca-trust/source/anchors/
 +update-ca-trust
 +```
 +
 +## VPN
 +The default `left` site is local and the `right` site is remote, however you can designate either site as left or right. 
 +### VPN-Site-1
 +/etc/srongswan/ipsec.conf
 +```
 +config setup
 +        charondebug="all"
 +        uniqueids=yes
 +        strictcrlpolicy=no
 +conn %default
 +conn tunnel-to-site-2
 +        left=100.64.20.1
 +        leftsubnet=192.168.80.0/24
 +        right=100.64.20.2
 +        rightsubnet=192.168.90.0/24
 +        ike=aes256-sha2_256-modp1024!
 +        esp=aes256-sha2_256!
 +        keyingtries=0
 +        lifetime=1h
 +        lifetime=8h
 +        dpddelay=30
 +        dpdtimeout=120
 +        dpdaction=restart
 +        auto=start
 +        fragmentation=yes
 +        keyexchange=ikev2
 +        type=tunnel
 +        leftcert=vpn1cert.pem
 +        leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"
 +        rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"
 +```
 +/etc/strongswan/ipsec.secrets
 +```
 +: RSA vpn1key.pem
 +```
 +### VPN-Site-2
 +/etc/srongswan/ipsec.conf
 +```
 +config setup
 +        charondebug="all"
 +        uniqueids=yes
 +        strictcrlpolicy=no
 +conn %default
 +conn tunnel-to-site-2
 +        left=100.64.20.2
 +        leftsubnet=192.168.90.0/24
 +        right=100.64.20.1
 +        rightsubnet=192.168.80.0/24
 +        ike=aes256-sha2_256-modp1024!
 +        esp=aes256-sha2_256!
 +        keyingtries=0
 +        lifetime=1h
 +        lifetime=8h
 +        dpddelay=30
 +        dpdtimeout=120
 +        dpdaction=restart
 +        auto=start
 +        fragmentation=yes
 +        keyexchange=ikev2
 +        type=tunnel
 +        leftcert=vpn1cert.pem
 +        leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"
 +        rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"
 +```
 +/etc/strongswan/ipsec.secrets
 +```
 +: RSA vpn2key.pem
 +```
 +# Run
 +Start the VPN.
 +```bash
 +strongswan start
 +```
 +
 +The legacy systemd unit can configured by enabling the `strongswan-starter.service` script.
 +```bash
 +systemctl enable strongswan-starter.service
 +systemctl start strongswan-starter.service
 +```
 # Links # Links
 * https://www.strongswan.org/testing/testresults/ikev2/rw-cert/ * https://www.strongswan.org/testing/testresults/ikev2/rw-cert/
 * http://www.remy.org.uk/tech.php?tech=1483382049 * http://www.remy.org.uk/tech.php?tech=1483382049
 </markdown> </markdown>
 +
technical/ipsec/strongswan.1679945729.txt.gz · Last modified: 2023/03/27 15:35 by jc

Page Tools