technical:ipsec:strongswan

Description

This example demonstrates how to configure a Site-to-Site IPSec VPN with Strongswan and SSL certificates. The example was tested and verified using Fedora VMs in GNS3.

Install

Install the strongswan package from fedora package repository.

dnf install -y strongswan

Configuration

IP Forwarding

Enable IPv4 traffic forwarding on both VPN sites.

/etc/sysctl.conf

net.ipv4.ip_forward = 1

Reload sysctl settings

sysctl -p

Network

Configure a network interface for the WAN connection between VPNs and a network interface for the LAN host network.

VPN-Site-1

nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.1/30
nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.80.1/24 mtu 1460
nmcli connection reload

VPN-Site-2

nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.2/30
nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.90.1/24 mtu 1460
nmcli connection reload

Firewall

Configure firewall rules for both VPN sites.

# Put the WAN interface in its own zone and allow only IKE (UDP 500/4500) and ESP/AH on it.
firewall-cmd --permanent --new-zone=wan
firewall-cmd --permanent --zone=wan --change-interface=ens4
firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=wan --permanent --add-port=500/udp
firewall-cmd --zone=wan --permanent --add-port=4500/udp
# The predefined ipsec service covers the same protocols and ports as the four rules above.
firewall-cmd --zone=wan --permanent --add-service="ipsec"
firewall-cmd --reload

Certificates

1. Generate and sign certificates and private keys for both VPN sites.

2. Copy the CA certificate, the site's own certificate, and its private key to each VPN site. A private key belongs only on its own site and should stay readable by root only.

    cp <ca_cert> /etc/strongswan/ipsec.d/cacerts/
    cp <server_cert> /etc/strongswan/ipsec.d/certs/
    cp <vpn_key> /etc/strongswan/ipsec.d/private/

3. Add the CA certificate to the certificate trust store.

    cp <ca_cert> /etc/pki/ca-trust/source/anchors/
    update-ca-trust

VPN

By convention left is the local site and right is the remote site; strongSwan works out which side is local from the addresses, so either site may be designated left or right as long as both configurations agree.

VPN-Site-1

/etc/strongswan/ipsec.conf

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn tunnel-to-site-2
        left=100.64.20.1
        leftsubnet=192.168.80.0/24
        right=100.64.20.2
        rightsubnet=192.168.90.0/24
        # modp1024 is a 1024-bit DH group and is considered weak; prefer modp2048 or stronger when both peers support it
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        # IKE SA lifetime (ikelifetime) and CHILD SA lifetime (lifetime) are separate settings
        ikelifetime=8h
        lifetime=1h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start
        fragmentation=yes
        keyexchange=ikev2
        type=tunnel
        leftcert=vpn1cert.pem
        leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"
        rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"

/etc/strongswan/ipsec.secrets

: RSA vpn1key.pem

VPN-Site-2

/etc/strongswan/ipsec.conf

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn tunnel-to-site-1
        left=100.64.20.2
        leftsubnet=192.168.90.0/24
        right=100.64.20.1
        rightsubnet=192.168.80.0/24
        # modp1024 is a 1024-bit DH group and is considered weak; prefer modp2048 or stronger when both peers support it
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        # IKE SA lifetime (ikelifetime) and CHILD SA lifetime (lifetime) are separate settings
        ikelifetime=8h
        lifetime=1h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start
        fragmentation=yes
        keyexchange=ikev2
        type=tunnel
        # this site authenticates with its own certificate, matching vpn2key.pem in ipsec.secrets
        leftcert=vpn2cert.pem
        leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"
        rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"

/etc/strongswan/ipsec.secrets

: RSA vpn2key.pem

Run

Start the VPN.

strongswan start

The legacy systemd unit, which reads /etc/strongswan/ipsec.conf, can be configured by enabling strongswan-starter.service (the newer strongswan.service uses swanctl and ignores ipsec.conf).

systemctl enable strongswan-starter.service
systemctl start strongswan-starter.service

technical/ipsec/strongswan.txt · Last modified: 2023/06/12 10:52 by jc