生まれ変わる - umarekawaru

User Tools

Site Tools

Trace:
technical:ipsec:strongswan

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
technical:ipsec:strongswan [2023/04/07 15:51] jctechnical:ipsec:strongswan [2023/06/12 10:52] (current) jc
Line 4: Line 4:
 # Install # Install
 Install the strongswan package from fedora package repository. Install the strongswan package from fedora package repository.
-```+```bash
 dnf install -y strongswan dnf install -y strongswan
 ``` ```
 # Configuration # Configuration
 +## IP Forwarding
 +Enable IPv4 traffic forwarding on both VPN sites.
 +/etc/sysctl.conf
 +```bash
 +net.ipv4.ip_forward = 1
 +```
 +Reload sysctl settings
 +```bash
 +sysctl -p
 +```
 ## Network ## Network
 Configure a network interface for the WAN connection between VPNs and a network interface for the LAN host network. Configure a network interface for the WAN connection between VPNs and a network interface for the LAN host network.
 ### VPN-Site-1 ### VPN-Site-1
-```+```bash
 nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.1/30 nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.1/30
 nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.80.1/24 mtu 1460 nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.80.1/24 mtu 1460
Line 17: Line 27:
 ``` ```
 ### VPN-Site-2 ### VPN-Site-2
-```+```bash
 nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.2/30 nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.2/30
 nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.90.1/24 mtu 1460 nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.90.1/24 mtu 1460
Line 24: Line 34:
 ## Firewall ## Firewall
 Configure firewall rules for both VPN sites. Configure firewall rules for both VPN sites.
-```+```bash
 firewall-cmd --permanent --add-zone=wan firewall-cmd --permanent --add-zone=wan
 firewall-cmd --permanent --change-zone=ens4 --zone=wan firewall-cmd --permanent --change-zone=ens4 --zone=wan
Line 38: Line 48:
  
 2. Copy the CA certificate, server certificate, and private key to both VPN sites. 2. Copy the CA certificate, server certificate, and private key to both VPN sites.
-```+```bash
 cp <ca_cert> /etc/strongswan/ipsec.d/cacerts/ cp <ca_cert> /etc/strongswan/ipsec.d/cacerts/
 cp <server_cert> /etc/strongswan/ipsec.d/certs/ cp <server_cert> /etc/strongswan/ipsec.d/certs/
 cp <vpn_key> /etc/strongswan/ipsec.d/private/ cp <vpn_key> /etc/strongswan/ipsec.d/private/
 +```
 +
 +3. Add the CA certificate to the certificate trust store.
 +```bash
 +cp <ca_cert> /etc/pki/ca-trust/source/anchors/
 +update-ca-trust
 ``` ```
  
 ## VPN ## VPN
 +The default `left` site is local and the `right` site is remote, however you can designate either site as left or right. 
 ### VPN-Site-1 ### VPN-Site-1
 /etc/srongswan/ipsec.conf /etc/srongswan/ipsec.conf
Line 113: Line 130:
 # Run # Run
 Start the VPN. Start the VPN.
-```+```bash
 strongswan start strongswan start
 +```
 +
 +The legacy systemd unit can configured by enabling the `strongswan-starter.service` script.
 +```bash
 +systemctl enable strongswan-starter.service
 +systemctl start strongswan-starter.service
 ``` ```
 # Links # Links
Line 120: Line 143:
 * http://www.remy.org.uk/tech.php?tech=1483382049 * http://www.remy.org.uk/tech.php?tech=1483382049
 </markdown> </markdown>
 +
technical/ipsec/strongswan.1680897119.txt.gz · Last modified: by jc

Page Tools