Using strongSwan to Establish a VPN Connection (Tunnel Mode)
Server Side Configuration
Install strongSwan first, then switch to the superuser:
$ sudo su
Change to the strongSwan configuration directory:
$ cd /etc/ipsec.d/
Generate the CA private key:
$ ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
Restrict the generated key so that only root can read and write it:
$ chmod 600 private/strongswanKey.pem
Generate a self-signed CA certificate with a 10-year lifetime:
$ ipsec pki --self --ca --lifetime 3650 --outform pem \
--in private/strongswanKey.pem --type rsa \
--dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
> cacerts/strongswanCert.pem
C = country, O = organization, CN = common name; change these values to suit your needs.
Warning: The private key /etc/ipsec.d/private/strongswanKey.pem of the CA should be moved somewhere safe, possibly to a special signing host without access to the Internet. Theft of this master signing key would completely compromise your public key infrastructure.
Generate a host certificate
This certificate is used to authenticate the VPN server to its clients:
$ ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
Restrict the generated host key so that only root can read and write it:
$ chmod 600 private/vpnHostKey.pem
Extract its public key and pipe it into the issuing command to produce vpnHostCert.pem:
$ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
ipsec pki --issue --lifetime 730 --outform pem \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=CH, O=strongSwan, CN=<your VPN host IP>" \
--san <your VPN host IP> \
--flag serverAuth --flag ikeIntermediate \
> certs/vpnHostCert.pem
Replace <your VPN host IP> with the server's IP address in both the CN and the --san option.
If you have reached this point, you have generated all the keys and certificates for the VPN server (the machine on which you ran these commands).
You can inspect the details of any generated key or certificate with:
$ ipsec pki --print --in <path to certificate or key>
Configuring ipsec.conf
We will set up a tunnel-mode connection between the VPN server and the client.
First, back up the original file:
$ mv /etc/ipsec.conf /etc/ipsec.conf-bak
Create a new ipsec.conf in /etc/:
$ vim /etc/ipsec.conf
and paste the following:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    # By default only one client can connect at the same time with an identical
    # certificate and/or password combination. Enable this option to disable
    # this behavior.
    # uniqueids=never
    # Slightly more verbose logging. Very useful for debugging.
    charondebug="cfg 2, dmn 2, ike 2, net 2"

# Default configuration options, used below if an option is not specified.
# See: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn %default
    # Use IKEv2 by default
    keyexchange=ikev2
    # Prefer modern cipher suites that allow PFS (Perfect Forward Secrecy)
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    # Dead Peer Detection
    dpdaction=clear
    dpddelay=300s
    # Do not renegotiate a connection if it is about to expire
    rekey=no
    # Server side
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    # Client side
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=%dhcp

# IKEv2: Newer version of the IKE protocol
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

# IKEv2-EAP
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

# IKEv1 (Cisco-compatible version)
conn CiscoIPSec
    keyexchange=ikev1
    # forceencaps=yes
    rightauth=pubkey
    rightauth2=xauth
    auto=add
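As an added example (not part of the original page and not strongSwan's own code), the Python below parses an ipsec.conf excerpt in the style above, resolves what each conn effectively inherits through conn %default and also=, and lists the IKE/ESP proposals that still contain sha1 or sub-2048-bit MODP groups, both of which appear in the ike= and esp= lines above. The excerpt is a constructed sample and the WEAK set is my own choice of what to flag.

```python
# Constructed excerpt in the style of the ipsec.conf above (sample input, not a live file).
IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes128-sha1-modp2048,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes128-sha1,aes256-sha1-modp1024!
conn IPSec-IKEv2
    auto=add
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
conn CiscoIPSec
    keyexchange=ikev1
"""

# Algorithms to flag (my choice): legacy hashes/ciphers and DH groups below 2048 bits.
WEAK = {"md5", "sha1", "des", "3des", "modp768", "modp1024", "modp1536"}

def parse_sections(text):
    """Return {section_name: {key: value}}; '#' comments are stripped first."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith(("conn ", "config ")):
            current = sections.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip().strip('"')
    return sections

def resolve(sections, name, _seen=()):
    """Effective settings: %default first, then each also= target, then the conn's own keys."""
    if name in _seen:
        raise ValueError(f"also= cycle at {name}")
    own = sections[name]
    eff = {} if name == "%default" else dict(sections.get("%default", {}))
    for parent in filter(None, own.get("also", "").split(",")):
        eff.update(resolve(sections, parent.strip(), _seen + (name,)))
    eff.update({k: v for k, v in own.items() if k != "also"})
    return eff

def weak_proposals(proposal_line):
    """Proposals on an ike=/esp= line using a WEAK algorithm (trailing '!' means strict list)."""
    return [p for p in proposal_line.rstrip("!").split(",") if set(p.split("-")) & WEAK]

if __name__ == "__main__":
    secs = parse_sections(IPSEC_CONF)
    for conn in (s for s in secs if s != "%default"):
        eff = resolve(secs, conn)
        print(conn, eff["keyexchange"], weak_proposals(eff["ike"]), weak_proposals(eff["esp"]))
```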
The server's private key must be referenced in /etc/ipsec.secrets:
: RSA vpnHostKey.pem
After editing the secrets file, tell strongSwan to reload it:
$ ipsec rereadsecrets
To route traffic through the VPN tunnel, IP forwarding must be enabled on the server. Edit:
$ vim /etc/sysctl.conf
and add:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Apply the settings:
$ sysctl -p
The same settings can also be placed in a drop-in file:
$ vim /etc/sysctl.d/10-net-forward.conf
# VPN
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
The configuration above assigns IP addresses to connected clients via DHCP (rightsourceip=%dhcp). If the DHCP server runs on the same host as strongSwan, edit /etc/strongswan.d/charon/dhcp.conf:
dhcp {
    force_server_address = yes
    server = 255.255.255.255
    load = yes
}
Most Linux distributions ship a firewall, so make sure the following traffic is allowed:
- ESP (Encapsulating Security Payload): the IPsec data traffic
- UDP 4500: IPsec traffic in NAT Traversal mode
- UDP 500: key exchange (IKE)
Arch Linux uses iptables to manage packets; add these rules:
$ iptables -t nat -A POSTROUTING -o <your network interface> ! -p esp \
-j SNAT --to-source <your VPN host IP>
$ iptables -A INPUT -p udp --dport 500 -j ACCEPT
$ iptables -A INPUT -p udp --dport 4500 -j ACCEPT
$ iptables -A INPUT -p esp -j ACCEPT
Generate the client-side certificate
$ ipsec pki --gen --type rsa --size 2048 --outform pem > private/ClientKey.pem
$ chmod 600 private/ClientKey.pem
$ ipsec pki --pub --in private/ClientKey.pem --type rsa | \
ipsec pki --issue --lifetime 730 --outform pem \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=CH, O=strongSwan, CN=myself@example.com" \
--san myself@example.com \
> certs/ClientCert.pem
Replace myself@example.com with the client's e-mail address; it identifies the client.
After generating the client key and certificate, bundle them together with the CA certificate in a format clients can import, such as PKCS#12:
$ openssl pkcs12 -export -name "My own VPN client certificate" \
-inkey private/ClientKey.pem \
-in certs/ClientCert.pem \
-certfile cacerts/strongswanCert.pem \
-caname "strongSwan Root CA" \
-out Client.p12
Client Side Configuration
You can copy the Client.p12 file to the device that you wish to connect to the server. I used my Android phone to establish the connection from the client side.
To do so, I used the strongSwan VPN client:
https://play.google.com/store/apps/details?id=org.strongswan.android&gl=US
The application has a log view that shows any errors in the connection.
- Tap "Add VPN profile".
- Tap "Install user certificate".
- Select "IKEv2 certificate", since we packaged the client certificate as PKCS#12.
- Upload your file.
- Enter the passphrase you set when creating the PKCS#12 bundle with openssl.
- Select your certificate (I have a lot due to some errors I made while making the certificates).
- Don't forget to enter your host IP address, then tap the profile in the list.
- And voila, you are connected through a tunnel to your PC using strongSwan.