technical:ipsec:strongswan

Differences

This shows you the differences between two versions of the page.

technical:ipsec:strongswan [2023/04/07 14:49] jctechnical:ipsec:strongswan [2023/06/12 10:52] (current) jc
Line 1: Line 1:
 <markdown> <markdown>
 # Description # Description
-This example demonstrates how to configure a Site-to-Site IPSec VPN with Strongswan on Fedora.+This example demonstrates how to configure a Site-to-Site IPSec VPN with Strongswan and SSL certificates. The example was tested and verified using Fedora VMs in GNS3.
 # Install # Install
-# Network+Install the strongswan package from fedora package repository. 
 +```bash 
 +dnf install -y strongswan
 ``` ```
-nmcli connection add ifname ens4 ipv4.method manual ipv4.address 100.64.20.1/24 +# Configuration 
-nmcli connection add ifname ens5 ipv4.method manual ipv4.address 192.168.90.1/24+## IP Forwarding 
 +Enable IPv4 traffic forwarding on both VPN sites. 
 +/etc/sysctl.conf 
 +```bash 
 +net.ipv4.ip_forward = 1 
 +``` 
 +Reload sysctl settings 
 +```bash 
 +sysctl -p 
 +``` 
 +## Network 
 +Configure a network interface for the WAN connection between VPNs and a network interface for the LAN host network. 
 +### VPN-Site-1 
 +```bash 
 +nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.1/30 
 +nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.80.1/24 mtu 1460 
 +nmcli connection reload 
 +``` 
 +### VPN-Site-2 
 +```bash 
 +nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.2/30 
 +nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.90.1/24 mtu 1460 
 +nmcli connection reload 
 +``` 
 +## Firewall 
 +Configure firewall rules for both VPN sites. 
 +```bash 
 +firewall-cmd --permanent --add-zone=wan 
 +firewall-cmd --permanent --change-zone=ens4 --zone=wan 
 +firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="esp" accept' 
 +firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="ah" accept' 
 +firewall-cmd --zone=wan --permanent --add-port=500/udp 
 +firewall-cmd --zone=wan --permanent --add-port=4500/udp 
 +firewall-cmd --zone=wan --permanent --add-service="ipsec" 
 +firewall-cmd --reload 
 +``` 
 +## Certificates 
 +1. Generate and sign certificates and private keys for both VPN sites. 
 + 
 +2. Copy the CA certificate, server certificate, and private key to both VPN sites. 
 +```bash 
 +cp <ca_cert> /etc/strongswan/ipsec.d/cacerts/ 
 +cp <server_cert> /etc/strongswan/ipsec.d/certs/ 
 +cp <vpn_key> /etc/strongswan/ipsec.d/private/ 
 +``` 
 + 
 +3. Add the CA certificate to the certificate trust store. 
 +```bash 
 +cp <ca_cert> /etc/pki/ca-trust/source/anchors/ 
 +update-ca-trust 
 +``` 
 + 
 +## VPN 
 +The default `left` site is local and the `right` site is remote, however you can designate either site as left or right.  
 +### VPN-Site-1 
 +/etc/srongswan/ipsec.conf 
 +``` 
 +config setup 
 +        charondebug="all" 
 +        uniqueids=yes 
 +        strictcrlpolicy=no 
 +conn %default 
 +conn tunnel-to-site-2 
 +        left=100.64.20.1 
 +        leftsubnet=192.168.80.0/24 
 +        right=100.64.20.2 
 +        rightsubnet=192.168.90.0/24 
 +        ike=aes256-sha2_256-modp1024! 
 +        esp=aes256-sha2_256! 
 +        keyingtries=0 
 +        lifetime=1h 
 +        lifetime=8h 
 +        dpddelay=30 
 +        dpdtimeout=120 
 +        dpdaction=restart 
 +        auto=start 
 +        fragmentation=yes 
 +        keyexchange=ikev2 
 +        type=tunnel 
 +        leftcert=vpn1cert.pem 
 +        leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja" 
 +        rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja" 
 +``` 
 +/etc/strongswan/ipsec.secrets 
 +``` 
 +: RSA vpn1key.pem 
 +``` 
 +### VPN-Site-2 
 +/etc/srongswan/ipsec.conf 
 +``` 
 +config setup 
 +        charondebug="all" 
 +        uniqueids=yes 
 +        strictcrlpolicy=no 
 +conn %default 
 +conn tunnel-to-site-2 
 +        left=100.64.20.2 
 +        leftsubnet=192.168.90.0/24 
 +        right=100.64.20.1 
 +        rightsubnet=192.168.80.0/24 
 +        ike=aes256-sha2_256-modp1024! 
 +        esp=aes256-sha2_256! 
 +        keyingtries=0 
 +        lifetime=1h 
 +        lifetime=8h 
 +        dpddelay=30 
 +        dpdtimeout=120 
 +        dpdaction=restart 
 +        auto=start 
 +        fragmentation=yes 
 +        keyexchange=ikev2 
 +        type=tunnel 
 +        leftcert=vpn1cert.pem 
 +        leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja" 
 +        rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja" 
 +``` 
 +/etc/strongswan/ipsec.secrets 
 +``` 
 +: RSA vpn2key.pem 
 +``` 
 +# Run 
 +Start the VPN. 
 +```bash 
 +strongswan start 
 +``` 
 + 
 +The legacy systemd unit can configured by enabling the `strongswan-starter.service` script. 
 +```bash 
 +systemctl enable strongswan-starter.service 
 +systemctl start strongswan-starter.service
 ``` ```
-# VPN  
 # Links # Links
 * https://www.strongswan.org/testing/testresults/ikev2/rw-cert/ * https://www.strongswan.org/testing/testresults/ikev2/rw-cert/
 * http://www.remy.org.uk/tech.php?tech=1483382049 * http://www.remy.org.uk/tech.php?tech=1483382049
 </markdown> </markdown>
 +
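Review bot: in the VPN-Site-2 `ipsec.conf` block the certificate and identity settings do not match each other: `leftcert=vpn1cert.pem` is paired with `leftid="... CN=vpn2.koba.ninja"` and the Site-2 `ipsec.secrets` loads `vpn2key.pem`, so the line should read `leftcert=vpn2cert.pem`; the conn name `tunnel-to-site-2` copied into the Site-2 block also looks like it was meant to be `tunnel-to-site-1`. In both `ipsec.conf` blocks `lifetime=1h` is immediately followed by `lifetime=8h`; the second value silently overrides the first, so one of the two is presumably intended to be `ikelifetime`. Both file-path headings are misspelt as `/etc/srongswan/ipsec.conf` and should be `/etc/strongswan/ipsec.conf`, matching the `ipsec.secrets` path given below them. On the crypto side, `modp1024` in `ike=aes256-sha2_256-modp1024!` is a 1024-bit Diffie-Hellman group, which is below current recommendations; `modp2048` or an ECP group would be a safer default for a reference configuration, and `charondebug="all"` and `strictcrlpolicy=no` should be called out as lab-only settings since they produce very verbose logs and skip CRL enforcement. Minor: in the Run section "can configured" should read "can be configured".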
technical/ipsec/strongswan.1680893361.txt.gz · Last modified: 2023/04/07 14:49 by jc