technical:ipsec:strongswan



Description

This example demonstrates how to configure a site-to-site IPsec VPN with strongSwan, using X.509 certificates (rather than a pre-shared key) for IKEv2 peer authentication. The example was tested and verified using Fedora VMs in GNS3.

Install

Install the strongswan package from the Fedora package repository.

dnf install -y strongswan

Configuration

Network

Configure one network interface for the WAN link between the two VPN gateways and one for each gateway's LAN network.

VPN-Site-1

nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.1/30
nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.80.1/24 mtu 1460

VPN-Site-2

nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.2/30
nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.90.1/24 mtu 1460

Certificates

  1. Generate a private key for each VPN site and have a CA (a private one in this example) sign a certificate for it.

  2. Copy the CA certificate, the site's own certificate and its private key into the strongSwan directories. Only a site's own private key belongs on that site; the CA key stays off both gateways.

    cp <ca_cert> /etc/strongswan/ipsec.d/cacerts/
    cp <vpn_cert> /etc/strongswan/ipsec.d/certs/
    cp <vpn_key> /etc/strongswan/ipsec.d/private/
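The two certificate steps above worked through with strongSwan's own pki tool, as an added example that is not part of the original page. Fedora exposes the tool as `strongswan pki`. The CA subject, the 4096-bit RSA keys, the lifetimes, the working directory and the `stage_site` layout are assumptions for this example; the site DNs follow the leftid/rightid values used in the page.

```shell
#!/bin/sh
# Build a private CA and one key/certificate pair per VPN site with "strongswan pki",
# verify the chain, and stage the files where /etc/strongswan/ipsec.d/ expects them.
# Added example; the CA DN, key sizes, lifetimes and OUT directory are assumptions.
#   OUT=./vpn-pki sh vpn-pki.sh gen          # create CA + vpn1/vpn2 material
#   sh vpn-pki.sh stage 1                    # on site 1: copy into /etc/strongswan
set -eu

PKI="strongswan pki"
OUT="${OUT:-./vpn-pki}"                                           # assumed working dir
CA_DN="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=KobaNet VPN CA"   # assumed
SITE_DN_PREFIX="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps"

# Self-signed CA; the key never leaves the machine this runs on.
gen_ca() {
    mkdir -p "$OUT"
    $PKI --gen --type rsa --size 4096 --outform pem > "$OUT/cakey.pem"
    chmod 600 "$OUT/cakey.pem"
    $PKI --self --ca --type rsa --in "$OUT/cakey.pem" --lifetime 3650 \
         --dn "$CA_DN" --outform pem > "$OUT/cacert.pem"
}

# gen_site N HOSTNAME: key + CA-issued certificate for vpnN. The subjectAltName and the
# ikeIntermediate/serverAuth flags let the peer match the identity by DN or hostname.
gen_site() {
    n="$1"; host="$2"
    $PKI --gen --type rsa --size 4096 --outform pem > "$OUT/vpn${n}key.pem"
    chmod 600 "$OUT/vpn${n}key.pem"
    $PKI --pub --type rsa --in "$OUT/vpn${n}key.pem" \
      | $PKI --issue --cacert "$OUT/cacert.pem" --cakey "$OUT/cakey.pem" \
             --lifetime 1825 --dn "$SITE_DN_PREFIX, CN=$host" --san "$host" \
             --flag serverAuth --flag ikeIntermediate --outform pem > "$OUT/vpn${n}cert.pem"
    # Refuse to continue if the issued certificate does not chain to the CA.
    $PKI --verify --in "$OUT/vpn${n}cert.pem" --cacert "$OUT/cacert.pem"
}

# stage_site N [ROOT]: install the CA cert, site cert and site key into the
# ipsec.d layout under ROOT (default /etc/strongswan). Run on the site itself.
stage_site() {
    n="$1"; root="${2:-/etc/strongswan}"
    install -d -m 755 "$root/ipsec.d/cacerts" "$root/ipsec.d/certs"
    install -d -m 700 "$root/ipsec.d/private"
    install -m 644 "$OUT/cacert.pem"      "$root/ipsec.d/cacerts/"
    install -m 644 "$OUT/vpn${n}cert.pem" "$root/ipsec.d/certs/"
    install -m 600 "$OUT/vpn${n}key.pem"  "$root/ipsec.d/private/"
}

main() {
    gen_ca
    gen_site 1 vpn1.koba.ninja
    gen_site 2 vpn2.koba.ninja
    echo "PKI written to $OUT; copy vpn2* to site 2 over a secure channel, then 'stage 2' there"
}

case "${1:-}" in
    gen)   main ;;
    stage) stage_site "$2" ;;
esac
```

`strongswan pki --print --in vpn1cert.pem` shows the resulting subject, SAN and flags so they can be compared against the leftid/rightid strings in ipsec.conf. If the private keys should never be transported at all, generate each key on its own gateway, export a request with `strongswan pki --req`, and issue against that request with `--type pkcs10` instead of piping the public key.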

VPN

VPN-Site-1

/etc/strongswan/ipsec.conf

    config setup
         charondebug="all"
         uniqueids=yes
         strictcrlpolicy=no
    conn %default
    conn tunnel-to-site-2
         left=100.64.20.1
         leftsubnet=192.168.80.0/24
         right=100.64.20.2
         rightsubnet=192.168.90.0/24
         # modp1024 (DH group 2) is too weak for new deployments: use modp2048 or
         # stronger on both ends, and give esp= a DH group too so CHILD_SA rekeys
         # have perfect forward secrecy
         ike=aes256-sha2_256-modp2048!
         esp=aes256-sha2_256-modp2048!
         keyingtries=0
         # ikelifetime= is the IKE SA, lifetime= is the CHILD (ESP) SA
         ikelifetime=8h
         lifetime=1h
         dpddelay=30
         # dpdtimeout only applies to IKEv1; with IKEv2 the retransmission
         # timeout decides when a dead peer is declared
         dpdtimeout=120
         dpdaction=restart
         auto=start
         fragmentation=yes
         keyexchange=ikev2
         type=tunnel
         leftcert=vpn1cert.pem
         leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"
         rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"

/etc/strongswan/ipsec.secrets

    : RSA vpn1key.pem

VPN-Site-2

/etc/strongswan/ipsec.conf

    config setup
         charondebug="all"
         uniqueids=yes
         strictcrlpolicy=no
    conn %default
    conn tunnel-to-site-1
         left=100.64.20.2
         leftsubnet=192.168.90.0/24
         right=100.64.20.1
         rightsubnet=192.168.80.0/24
         # proposals must match site 1 exactly; modp1024 replaced by modp2048
         # and a DH group added to esp= for perfect forward secrecy
         ike=aes256-sha2_256-modp2048!
         esp=aes256-sha2_256-modp2048!
         keyingtries=0
         # ikelifetime= is the IKE SA, lifetime= is the CHILD (ESP) SA
         ikelifetime=8h
         lifetime=1h
         dpddelay=30
         # dpdtimeout is IKEv1-only; harmless here but not what times out IKEv2 peers
         dpdtimeout=120
         dpdaction=restart
         auto=start
         fragmentation=yes
         keyexchange=ikev2
         type=tunnel
         # this site's own certificate, matching the key in ipsec.secrets
         leftcert=vpn2cert.pem
         leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"
         rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"

/etc/strongswan/ipsec.secrets

    : RSA vpn2key.pem
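Before loading either ipsec.conf, a quick sanity check catches the mistakes that are easiest to make in this format: a key repeated inside a conn (the later value silently wins), a weak DH group or hash in the proposals, a proposal without the trailing `!` (the peer may then negotiate something weaker), and an esp= proposal with no DH group (CHILD_SA rekeys then have no forward secrecy). The script below is an added example, not part of strongSwan or the original page; the sample configuration it lints is constructed here and reproduces the duplicated lifetime= and modp1024 from an earlier revision of the configs above.

```shell
#!/bin/sh
# Lint an ipsec.conf for duplicated keys and weak or non-strict ike=/esp= proposals.
# Added example; not part of strongSwan. Prints one "WARN" line per finding and
# returns 1 if there were any, 0 if the file is clean.
#   sh ipsec-lint.sh /etc/strongswan/ipsec.conf   (no argument: lints the sample below)

lint_ipsec_conf() {
    awk '
    function warn(msg) { print "WARN [" section "]: " msg; n++ }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }            # comments and blank lines
    /^(conn|config|ca)[[:space:]]/ { split("", seen); section = $1 " " $2; next }
    {
        line = $0; sub(/^[[:space:]]+/, "", line)
        eq = index(line, "=")
        if (eq == 0) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        sub(/[[:space:]]+$/, "", key); sub(/^[[:space:]]+/, "", val)
        if (key in seen) warn("duplicate key " key " (" seen[key] " is overridden by " val ")")
        seen[key] = val
        if (key == "ike" || key == "esp") {
            if (val ~ /modp(768|1024|1536)/)        warn(key ": weak DH group in " val)
            if (val ~ /(md5|sha1)([^0-9]|$)/)       warn(key ": weak hash in " val)
            if (val !~ /!$/)                         warn(key ": proposal is not strict (missing trailing \"!\")")
            if (key == "esp" && val !~ /(modp|ecp|curve|x25519|x448)/)
                warn("esp: no DH group, CHILD_SA rekeys without PFS")
        }
    }
    END { exit n ? 1 : 0 }' "$1"
}

# Constructed sample with the defects described above (not a real deployment).
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
     uniqueids=yes
conn tunnel-to-site-2
     left=100.64.20.1
     leftsubnet=192.168.80.0/24
     right=100.64.20.2
     rightsubnet=192.168.90.0/24
     ike=aes256-sha2_256-modp1024!
     esp=aes256-sha2_256!
     lifetime=1h
     lifetime=8h
     auto=start
EOF
}

# The same conn with the defects fixed: strong group, PFS on esp, distinct lifetimes.
write_fixed_conf() {
    cat > "$1" <<'EOF'
config setup
     uniqueids=yes
conn tunnel-to-site-2
     left=100.64.20.1
     ike=aes256-sha2_256-modp2048!
     esp=aes256-sha2_256-modp2048!
     ikelifetime=8h
     lifetime=1h
     auto=start
EOF
}

if [ $# -gt 0 ]; then
    lint_ipsec_conf "$1"
else
    tmp=$(mktemp); write_sample_conf "$tmp"
    lint_ipsec_conf "$tmp" || echo "sample config has findings (expected)"
    rm -f "$tmp"
fi
```

Run it against each site's file before `strongswan restart`; once both ends are up, `strongswan statusall` should list the conn with an IKE SA ESTABLISHED and a CHILD_SA INSTALLED, and `ip xfrm state` shows the ESP SAs the kernel actually programmed. A clean lint is not a substitute for checking that the two ends' ike=/esp= lines are byte-for-byte identical, which is the most common reason a certificate-authenticated tunnel fails with NO_PROPOSAL_CHOSEN.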

Links

technical/ipsec/strongswan.1680895914.txt.gz · Last modified: 2023/04/07 15:31 by jc