生まれ変わる - umarekawaru

User Tools

Site Tools

Trace: pfsense strongswan

Sidebar

technical:ipsec:strongswan

This is an old revision of the document!

Table of Contents

Description

This example demonstrates how to configure a Site-to-Site IPSec VPN with Strongswan and SSL certificates. The example was tested and verified using Fedora VMs in GNS3.

Install

Install the strongswan package from fedora package repository. 

dnf install -y strongswan

Configuration

Network

Configure a network interface for the WAN connection between VPNs and a network interface for the LAN host network.

VPN-Site-1

nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.1/30
nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.80.1/24 mtu 1460

VPN-Site-2

nmcli connection add ifname ens4 connection.id wan connection.type 802-3-ethernet mtu 1460 ipv4.method manual ipv4.address 100.64.20.2/30
nmcli connection add ifname ens5 connection.id lan connection.type 802-3-ethernet ipv4.method manual ipv4.address 192.168.90.1/24 mtu 1460

Firewall

firewall-cmd --permanent --add-zone=wan
firewall-cmd --permanent --change-zone=ens4 --zone=wan
firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=wan --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=wan --permanent --add-port=500/udp
firewall-cmd --zone=wan --permanent --add-port=4500/udp
firewall-cmd --zone=wan --permanent --add-service="ipsec"
firewall-cmd --reload

Certificates

  1. Generate and sign certificates and private keys for both VPN sites.

  2. Copy the CA certificate, VPN certificate, and private key. 

    cp <ca_cert> /etc/strongswan/ipsec.d/cacerts/
cp <vpn_cert> /etc/strongswan/ipsec.d/certs/
cp <vpn_key> /etc/strongswan/ipsec.d/private/

VPN

VPN-Site-1

/etc/srongswan/ipsec.conf 

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn tunnel-to-site-2
        left=100.64.20.1
        leftsubnet=192.168.80.0/24
        right=100.64.20.2
        rightsubnet=192.168.90.0/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        lifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start
        fragmentation=yes
        keyexchange=ikev2
        type=tunnel
        leftcert=vpn1cert.pem
        leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"
        rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"

/etc/strongswan/ipsec.secrets 

: RSA vpn1key.pem

VPN-Site-2

/etc/srongswan/ipsec.conf 

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn tunnel-to-site-2
        left=100.64.20.2
        leftsubnet=192.168.90.0/24
        right=100.64.20.1
        rightsubnet=192.168.80.0/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        lifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start
        fragmentation=yes
        keyexchange=ikev2
        type=tunnel
        leftcert=vpn1cert.pem
        leftid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn2.koba.ninja"
        rightid="C=US, ST=Michigan, L=Livonia, O=KobaNet, OU=NetOps, CN=vpn1.koba.ninja"

/etc/strongswan/ipsec.secrets 

: RSA vpn2key.pem

Run

Start the VPN. 

strongswan start

Links

technical/ipsec/strongswan.1680896808.txt.gz · Last modified: 2023/04/07 15:46 by jc

Page Tools