# Description

This example demonstrates how to configure a site-to-site IPsec VPN with strongSwan and X.509 (SSL) certificates. The example was tested and verified using Fedora VMs in GNS3.

# Install

Install the strongswan package from the Fedora package repository.

```bash
dnf install -y strongswan
```

# Configuration

## IP Forwarding

Enable IPv4 traffic forwarding on both VPN sites.

/etc/sysctl.conf

```bash
net.ipv4.ip_forward = 1
```

Reload the sysctl settings:

```bash
sysctl -p
```

## Network

Configure a network interface for the WAN connection between the VPN gateways and a network interface for the LAN host network.

### VPN-Site-1

```bash
nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.addresses 100.64.20.1/30
nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.addresses 192.168.80.1/24
nmcli connection reload
```

### VPN-Site-2

```bash
nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.addresses 100.64.20.2/30
nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.addresses 192.168.90.1/24
nmcli connection reload
```

## Firewall

Configure the firewall rules on both VPN sites. The WAN interface is moved into its own zone so that only IKE (UDP 500), NAT-T (UDP 4500) and the ESP/AH protocols are accepted from the peer side.

```bash
firewall-cmd --permanent --new-zone=wan
firewall-cmd --permanent --change-zone=ens4 --zone=wan
firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=wan --permanent --add-port=500/udp
firewall-cmd --zone=wan --permanent --add-port=4500/udp
firewall-cmd --zone=wan --permanent --add-service="ipsec"
firewall-cmd --reload
```

## Certificates

1. Generate and sign certificates and private keys for both VPN sites.
2. Copy the CA certificate, the site's own certificate, and its private key to each VPN site. The file names must match `leftcert` in `ipsec.conf` and the `RSA` entry in `ipsec.secrets` (`vpn1cert.pem`/`vpn1key.pem` on site 1, `vpn2cert.pem`/`vpn2key.pem` on site 2); keep the private key readable by root only.
```bash
# <ca-cert.pem> is a placeholder for your CA certificate file; shown for site 1
cp <ca-cert.pem> /etc/strongswan/ipsec.d/cacerts/
cp vpn1cert.pem /etc/strongswan/ipsec.d/certs/
cp vpn1key.pem /etc/strongswan/ipsec.d/private/
```

3. Add the CA certificate to the system certificate trust store.

```bash
cp <ca-cert.pem> /etc/pki/ca-trust/source/anchors/
update-ca-trust
```

## VPN

By convention `left` is the local site and `right` is the remote site. strongSwan decides which side is local by matching the `left`/`right` addresses against the host's own interfaces, so either site can be designated left or right as long as both peers describe the same tunnel from opposite ends (addresses, subnets and IDs swapped). Note that the `ike` proposal below uses `modp1024`, a 1024-bit Diffie-Hellman group that is considered weak; for a production tunnel prefer `modp2048` or stronger, or an ECP group, on both sides.

### VPN-Site-1

/etc/strongswan/ipsec.conf

```
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel-to-site-2
    left=100.64.20.1
    leftsubnet=192.168.80.0/24
    right=100.64.20.2
    rightsubnet=192.168.90.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    # The original listed "lifetime" twice (1h and 8h); the editor assumes the
    # 8h value was meant for the IKE SA and the 1h value for the CHILD SA.
    ikelifetime=8h
    lifetime=1h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
    fragmentation=yes
    keyexchange=ikev2
    type=tunnel
    leftcert=vpn1cert.pem
    leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"
    rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"
```

/etc/strongswan/ipsec.secrets

```
: RSA vpn1key.pem
```

### VPN-Site-2

/etc/strongswan/ipsec.conf

```
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel-to-site-1
    left=100.64.20.2
    leftsubnet=192.168.90.0/24
    right=100.64.20.1
    rightsubnet=192.168.80.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    # Same lifetime split as on site 1 (editor's assumption, see above).
    ikelifetime=8h
    lifetime=1h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
    fragmentation=yes
    keyexchange=ikev2
    type=tunnel
    leftcert=vpn2cert.pem
    leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"
    rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"
```

/etc/strongswan/ipsec.secrets

```
: RSA vpn2key.pem
```

# Run

Start the VPN.

```bash
strongswan start
```

The legacy systemd unit can be configured by enabling the `strongswan-starter.service` unit.
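Because the two `ipsec.conf` files are near-mirror copies, the most common way a site-to-site tunnel fails to come up is a copy-paste slip: a subnet not swapped, a peer ID left pointing at the wrong certificate subject, or (as is easy to do here) site 2 still naming `vpn1cert.pem` while its `ipsec.secrets` loads `vpn2key.pem`. The following script is an added example, not code from the original page or from the strongSwan project. It parses the minimal `ipsec.conf` subset used above (`config setup` / `conn` sections with indented `key=value` lines), checks that the two sites mirror each other, checks that each site's `leftcert` matches the RSA key named in its `ipsec.secrets` (under the page's `vpnNcert.pem`/`vpnNkey.pem` naming convention, which is an assumption), and flags weak DH groups in the `ike` proposal. The sample configurations embedded in it are constructed from the values on this page.

```python
"""Consistency audit for a pair of strongSwan site-to-site ipsec.conf files.

Added example (not part of the original page or the strongSwan project).
The parser covers only the 'config setup' / 'conn <name>' + key=value
subset used in this README; the cert/key naming check assumes the page's
vpnNcert.pem / vpnNkey.pem convention.
"""
import re

WEAK_DH_GROUPS = ("modp768", "modp1024")          # DH groups below 2048 bits
MIRRORED = (("left", "right"), ("leftsubnet", "rightsubnet"), ("leftid", "rightid"))
MUST_AGREE = ("ike", "esp", "keyexchange", "type")


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; later duplicate keys overwrite earlier ones."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header:                                # unindented section header
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = line.strip().split("=", 1)   # split on the first '=' only
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_secrets(text):
    """Return the key files named by ': RSA <file>' lines in ipsec.secrets."""
    return re.findall(r"^\s*:\s*RSA\s+(\S+)", text, flags=re.MULTILINE)


def check_site_pair(conf_a, conn_a, conf_b, conn_b):
    """Return mismatches between two conns that should describe one tunnel."""
    a, b = conf_a[f"conn {conn_a}"], conf_b[f"conn {conn_b}"]
    problems = []
    for local, remote in MIRRORED:               # left/right must swap between sites
        for mine, theirs in ((local, remote), (remote, local)):
            if a.get(mine) != b.get(theirs):
                problems.append(f"{conn_a}.{mine}={a.get(mine)!r} != "
                                f"{conn_b}.{theirs}={b.get(theirs)!r}")
    for key in MUST_AGREE:                       # proposals must be identical
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    if a.get("leftcert") == b.get("leftcert"):   # the copy-paste slip from the README
        problems.append(f"both sites present the same certificate {a.get('leftcert')!r}")
    return problems


def check_cert_key_pair(conn, secrets_text):
    """Return the RSA keys in ipsec.secrets whose stem matches leftcert (assumed naming)."""
    cert_stem = re.sub(r"cert\.pem$", "", conn.get("leftcert", ""))
    return [k for k in parse_secrets(secrets_text) if re.sub(r"key\.pem$", "", k) == cert_stem]


def weak_dh_groups(conn):
    """List weak DH groups found in the conn's ike proposal(s)."""
    proposal = conn.get("ike", "").rstrip("!")
    return [g for g in re.split(r"[-,]", proposal) if g in WEAK_DH_GROUPS]


def audit(text_a, conn_a, secrets_a, text_b, conn_b, secrets_b):
    """Run every check and return findings prefixed with ERROR or WARN."""
    conf_a, conf_b = parse_ipsec_conf(text_a), parse_ipsec_conf(text_b)
    findings = [f"ERROR {p}" for p in check_site_pair(conf_a, conn_a, conf_b, conn_b)]
    for name, conf, secrets in ((conn_a, conf_a, secrets_a), (conn_b, conf_b, secrets_b)):
        conn = conf[f"conn {name}"]
        if not check_cert_key_pair(conn, secrets):
            findings.append(f"ERROR {name}: leftcert {conn.get('leftcert')!r} "
                            "has no matching RSA key in ipsec.secrets")
        for group in weak_dh_groups(conn):
            findings.append(f"WARN {name}: IKE proposal uses weak DH group {group}")
    return findings


# Constructed sample input, taken from the README's two site configurations.
DN = "C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN={}"
SITE1_CONF = f"""config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel-to-site-2
    left=100.64.20.1
    leftsubnet=192.168.80.0/24
    right=100.64.20.2
    rightsubnet=192.168.90.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyexchange=ikev2
    type=tunnel
    leftcert=vpn1cert.pem
    leftid="{DN.format('vpn1.koba.ninja')}"
    rightid="{DN.format('vpn2.koba.ninja')}"
"""
SITE2_CONF = (SITE1_CONF.replace("tunnel-to-site-2", "tunnel-to-site-1")
              .replace("left=100.64.20.1", "left=100.64.20.2")
              .replace("right=100.64.20.2", "right=100.64.20.1")
              .replace("leftsubnet=192.168.80.0/24", "leftsubnet=192.168.90.0/24")
              .replace("rightsubnet=192.168.90.0/24", "rightsubnet=192.168.80.0/24")
              .replace("leftcert=vpn1cert.pem", "leftcert=vpn2cert.pem")
              .replace(f'leftid="{DN.format("vpn1.koba.ninja")}"', 'leftid="TMP"')
              .replace(f'rightid="{DN.format("vpn2.koba.ninja")}"',
                       f'rightid="{DN.format("vpn1.koba.ninja")}"')
              .replace('leftid="TMP"', f'leftid="{DN.format("vpn2.koba.ninja")}"'))
SITE1_SECRETS = ": RSA vpn1key.pem\n"
SITE2_SECRETS = ": RSA vpn2key.pem\n"

if __name__ == "__main__":
    for line in audit(SITE1_CONF, "tunnel-to-site-2", SITE1_SECRETS,
                      SITE2_CONF, "tunnel-to-site-1", SITE2_SECRETS):
        print(line)
```

Run it against the two real files (`python3 audit.py` after swapping the embedded strings for `open("/etc/strongswan/ipsec.conf").read()` on each site) before starting the tunnel; an `ERROR` line means IKE authentication or traffic selector negotiation will fail, while the `WARN` about `modp1024` is the DH-group caveat noted above. Lifetimes and DPD values are deliberately not compared, since strongSwan tolerates those differing between peers.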
```bash
systemctl enable strongswan-starter.service
systemctl start strongswan-starter.service
```

# Links

* https://www.strongswan.org/testing/testresults/ikev2/rw-cert/
* http://www.remy.org.uk/tech.php?tech=1483382049