strongSwan Server ref (IKEv2)
5.X
Tested version: 5.7.2 (survived migration to 5.9.1, see the note below).
Pre-requisites
- strongswan
- libcharon-extra-plugins
- ufw
- certbot
Note: for version 5.9 the package libcharon-extauth-plugins is needed for the EAP-MSCHAPv2 plugin.
Certificates
Generate certificates:
certbot certonly --rsa-key-size 4096 --standalone --agree-tos --no-eff-email --email postmaster@example.org -d example.org
Install certificates:
cp /etc/letsencrypt/live/example.org/fullchain.pem /etc/ipsec.d/certs
cp /etc/letsencrypt/live/example.org/privkey.pem /etc/ipsec.d/private
cp /etc/letsencrypt/live/example.org/chain.pem /etc/ipsec.d/cacerts
Verify that the certificate structure is as follows:
# tree /etc/ipsec.d
/etc/ipsec.d
├── aacerts
├── acerts
├── cacerts
│   └── chain.pem
├── certs
│   └── fullchain.pem
├── crls
├── ocspcerts
├── policies
├── private
│   └── privkey.pem
└── reqs
Alternatively (and preferably) create links to the certificates instead of copying them:
# tree /etc/ipsec.d
/etc/ipsec.d
├── aacerts
├── acerts
├── cacerts
│   └── chain.pem → /etc/letsencrypt/live/example.org/chain.pem
├── certs
│   └── fullchain.pem → /etc/letsencrypt/live/example.org/fullchain.pem
├── crls
├── ocspcerts
├── policies
├── private
│   └── privkey.pem → /etc/letsencrypt/live/example.org/privkey.pem
└── reqs
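The links are preferred because certbot's live/ directory itself holds symlinks into archive/: after a renewal the link targets point at the new files, whereas copies made with cp go stale at the first renewal. The script below is an added example (not from the page or the strongSwan project) that creates the three links and verifies them. Both directories are parameters so it can be run against scratch directories; the production call is install_cert_links /etc/letsencrypt/live/example.org /etc/ipsec.d.

```shell
#!/bin/sh
# Added example: link Let's Encrypt files into strongSwan's ipsec.d layout.
# LE_LIVE_DIR is assumed to be certbot's live/<domain> directory and IPSEC_D
# the strongSwan config directory (/etc/ipsec.d on a real host).

# install_cert_links LE_LIVE_DIR IPSEC_D
# Creates cacerts/, certs/ and private/ under IPSEC_D if missing, replaces any
# existing file of the same name (e.g. an earlier cp copy) with a symlink to
# the live/ path, and returns 0 only if every link resolves to a readable file.
install_cert_links() {
    le="$1"; d="$2"; rc=0
    for pair in "cacerts:chain.pem" "certs:fullchain.pem" "private:privkey.pem"; do
        sub="${pair%%:*}"
        file="${pair#*:}"
        mkdir -p "$d/$sub" || return 1
        ln -sfn "$le/$file" "$d/$sub/$file" || return 1
        if [ ! -L "$d/$sub/$file" ] || [ ! -r "$d/$sub/$file" ]; then
            echo "missing or unreadable: $d/$sub/$file" >&2
            rc=1
        fi
    done
    # the private key directory must not be readable by other users
    chmod 700 "$d/private"
    return $rc
}

# verify_cert_links IPSEC_D
# Re-checks an existing layout (e.g. from a cron job or a renewal hook)
# without changing anything; a dangling link fails the check.
verify_cert_links() {
    d="$1"
    for p in cacerts/chain.pem certs/fullchain.pem private/privkey.pem; do
        [ -r "$d/$p" ] || { echo "unreadable: $d/$p" >&2; return 1; }
    done
    return 0
}
```

strongSwan keeps the loaded certificate in memory, so a renewal still has to be followed by a reload; running the verify function and then `ipsec rereadall && ipsec reload` from a certbot `--deploy-hook` is one way to do that.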
Configuring strongSwan
mv /etc/ipsec.conf /etc/ipsec.conf.orig
Edit /etc/ipsec.conf (replace example.org with actual domain name):
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@example.org
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
Tighten permissions:
chmod 640 /etc/ipsec.conf
Configuring authentication
/etc/ipsec.secrets
: RSA "privkey.pem"
test : EAP "12345"
Restart strongSwan:
service ipsec restart
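Two things in the configuration above deserve a check before the service goes live: the ike= proposal deliberately keeps sha1 and modp1024 for older clients, and ipsec.secrets holds the EAP passwords in clear text. The following functions are an added example (not from the page or the strongSwan project) that flag weak proposal components, verify that ipsec.secrets is readable by root only, and warn about short EAP secrets such as the "12345" placeholder. The list of weak components and the 12-character minimum are this example's own choices.

```shell
#!/bin/sh
# Added example: sanity checks for ipsec.conf's ike= proposal and ipsec.secrets.

# audit_ike_proposal PROPOSAL
# Splits a strongSwan proposal string (comma-separated proposals, '-' separated
# components, optional trailing '!') and prints each component that is on the
# weak list below. Returns 1 if any was found, 0 otherwise.
audit_ike_proposal() {
    weak=0
    for tok in $(printf '%s' "$1" | tr -d '!' | tr ',' '\n' | tr '-' '\n'); do
        case "$tok" in
            md5|sha1|prfmd5|prfsha1|modp768|modp1024|modp1536|3des|des|null)
                echo "weak component: $tok"
                weak=1 ;;
        esac
    done
    return $weak
}

# check_secrets_perms FILE
# ipsec.secrets contains private key passphrases and EAP passwords; it must
# not be readable by group or other (chmod 600). Uses ls so it works with
# both GNU and BSD userlands.
check_secrets_perms() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f is readable by group/other ($perms); run chmod 600 $f" >&2
        return 1
    fi
    return 0
}

# audit_eap_secrets FILE [MIN_LENGTH]
# Extracts the quoted secret from every line of the form  user : EAP "secret"
# (comment lines ignored) and fails if any is shorter than MIN_LENGTH
# (default 12, an arbitrary floor chosen for this example).
audit_eap_secrets() {
    f="$1"; min="${2:-12}"
    sed -n 's/^[^#]*:[[:space:]]*EAP[[:space:]]*"\(.*\)".*$/\1/p' "$f" |
        awk -v min="$min" 'length($0) < min { short++ }
            END { if (short) { print short " EAP secret(s) shorter than " min " chars" > "/dev/stderr"; exit 1 } }'
}
```

Run as `audit_ike_proposal "$(sed -n 's/^[[:space:]]*ike=//p' /etc/ipsec.conf)"` and `check_secrets_perms /etc/ipsec.secrets && audit_eap_secrets /etc/ipsec.secrets`; a non-zero exit from either is a reason to revisit the file before restarting the service.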
Configuring firewall and kernel ip forwarding
ufw
Don't forget to allow the SSH, HTTP and HTTPS ports (the latter two are needed by certbot), and also open the IPsec ports:
ufw allow SSH_PORT
ufw allow 80
ufw allow 443
ufw allow 500,4500/udp
/etc/ufw/before.rules
Near the top of the file (before the *filter line), add the following configuration block (substitute eth0 with the actual public interface name if needed):
*nat
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
The *nat lines create rules so that the firewall can correctly route and manipulate traffic between the VPN clients and the internet. The *mangle line adjusts the maximum packet segment size to prevent potential issues with certain VPN clients.
Next, right after the *filter block, add one more block of configuration:
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
These lines tell the firewall to forward ESP (Encapsulating Security Payload) traffic so the VPN clients will be able to connect. ESP provides additional security for our VPN packets as they're traversing untrusted networks.
Save & close.
/etc/ufw/sysctl.conf
To allow routing from one interface to another, uncomment, change or add the following parameters:
net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/ip_no_pmtu_disc=1
Finally, restart firewall:
# ufw disable
# ufw enable
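The two files above are easy to get subtly wrong (a still-commented ip_forward line, the *nat block pasted below *filter, a table without its COMMIT), and ufw will happily come back up with the old state. The checker below is an added example (not from the page, ufw or strongSwan) that validates both files before the disable/enable cycle. It takes the files by path so it can be pointed at scratch copies; the subnet defaults to the page's 10.10.10.0/24.

```shell
#!/bin/sh
# Added example: validate /etc/ufw/sysctl.conf and /etc/ufw/before.rules
# against the settings this page adds.

# check_sysctl_conf FILE
# Every key below must be set, uncommented, to the expected value. Both the
# ufw-style 'net/ipv4/...' and the sysctl-style 'net.ipv4...' spelling are
# accepted; when a key appears more than once the last assignment wins.
check_sysctl_conf() {
    f="$1"; rc=0
    for want in net/ipv4/ip_forward=1 net/ipv4/conf/all/accept_redirects=0 \
                net/ipv4/conf/all/send_redirects=0 net/ipv4/ip_no_pmtu_disc=1; do
        key="${want%%=*}"; val="${want#*=}"
        key_re=$(printf '%s' "$key" | sed 's#/#[./]#g')
        got=$(sed -n "s#^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*\([0-9]*\).*#\1#p" "$f" | tail -n 1)
        if [ "$got" != "$val" ]; then
            echo "$key: want $val, got '${got:-unset}'" >&2
            rc=1
        fi
    done
    return $rc
}

# check_before_rules FILE [SUBNET]
# Checks that *nat precedes *filter, that the MASQUERADE, TCPMSS and ESP
# forwarding rules for the VPN subnet are present, and that every table
# opened with '*name' is closed with a COMMIT.
check_before_rules() {
    f="$1"; subnet="${2:-10.10.10.0/24}"; rc=0
    nat_line=$(grep -n '^\*nat' "$f" | head -n 1 | cut -d: -f1)
    filter_line=$(grep -n '^\*filter' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$nat_line" ] || [ -z "$filter_line" ] || [ "$nat_line" -ge "$filter_line" ]; then
        echo "*nat table missing or not placed before *filter" >&2; rc=1
    fi
    grep -q -- "-A POSTROUTING -s $subnet .*-j MASQUERADE" "$f" \
        || { echo "no MASQUERADE rule for $subnet" >&2; rc=1; }
    grep -q -- "-A FORWARD .*-j TCPMSS" "$f" \
        || { echo "no TCPMSS clamp in *mangle" >&2; rc=1; }
    for dir in in out; do
        grep -q -- "-A ufw-before-forward .*--dir $dir --proto esp" "$f" \
            || { echo "no ESP forward rule (--dir $dir)" >&2; rc=1; }
    done
    tables=$(grep -c '^\*' "$f"); commits=$(grep -c '^COMMIT' "$f")
    [ "$tables" -eq "$commits" ] \
        || { echo "table/COMMIT count mismatch ($tables tables, $commits COMMIT)" >&2; rc=1; }
    return $rc
}
```

Typical use is `check_sysctl_conf /etc/ufw/sysctl.conf && check_before_rules /etc/ufw/before.rules && ufw disable && ufw enable`, so the firewall is only cycled when both files pass.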
6.X
Migrating from 5.X.
See also
References
strongSwan wiki
digitalocean howto
howtoforge howto