Differences

This shows you the differences between two versions of the page.

--- technical:ipsec:strongswan [2023/04/07 15:34] – jc
+++ technical:ipsec:strongswan [2023/06/12 10:52] (current) – jc
@@ Line 4: / Line 4: @@
 # Install
 Install the strongswan package from fedora package repository.
-```
+```bash
 dnf install -y strongswan
 ```
 # Configuration
+## IP Forwarding
+Enable IPv4 traffic forwarding on both VPN sites.
+/etc/sysctl.conf
+```bash
+net.ipv4.ip_forward = 1
+```
+Reload sysctl settings
+```bash
+sysctl -p
+```
 ## Network
 Configure a network interface for the WAN connection between VPNs and a network interface for the LAN host network.
 ### VPN-Site-1
-```
+```bash
 nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.1/30
 nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.80.1/24 mtu 1460
+nmcli connection reload
 ```
 ### VPN-Site-2
-```
+```bash
 nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.2/30
 nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.90.1/24 mtu 1460
+nmcli connection reload
+```
+## Firewall
+Configure firewall rules for both VPN sites.
+```bash
+firewall-cmd --permanent --add-zone=wan
+firewall-cmd --permanent --change-zone=ens4 --zone=wan
+firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="esp" accept'
+firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="ah" accept'
+firewall-cmd --zone=wan --permanent --add-port=500/udp
+firewall-cmd --zone=wan --permanent --add-port=4500/udp
+firewall-cmd --zone=wan --permanent --add-service="ipsec"
+firewall-cmd --reload
 ```
 ## Certificates
 . Generate and sign certificates and private keys for both VPN sites.
-. Copy the CA certificate, VPN certificate, and private key.
+. Copy the CA certificate, server certificate, and private key to both VPN sites.
-```
+```bash
 cp <ca_cert> /etc/strongswan/ipsec.d/cacerts/
-cp <vpn_cert> /etc/strongswan/ipsec.d/certs/
+cp <server_cert> /etc/strongswan/ipsec.d/certs/
 cp <vpn_key> /etc/strongswan/ipsec.d/private/
+```
+. Add the CA certificate to the certificate trust store.
+```bash
+cp <ca_cert> /etc/pki/ca-trust/source/anchors/
+update-ca-trust
 ```
 ## VPN
+The default `left` site is local and the `right` site is remote, however you can designate either site as left or right.
 ### VPN-Site-1
 /etc/srongswan/ipsec.conf
@@ Line 99: / Line 130: @@
 # Run
 Start the VPN.
-```
+```bash
 strongswan start
+```
+The legacy systemd unit can configured by enabling the `strongswan-starter.service` script.
+```bash
+systemctl enable strongswan-starter.service
+systemctl start strongswan-starter.service
 ```
 # Links
@@ Line 106: / Line 143: @@
 * http://www.remy.org.uk/tech.php?tech=1483382049
 </markdown>

生まれ変わる - umarekawaru

User Tools

Site Tools

Differences

Page Tools