Please install strongswan and check that the version matches the one installed in the Wirnet™ gateway. For example, on firmware 3.4.3, the ipsec version is:
ipsec --version
Linux strongSwan U5.5.2/K4.1.15-klk
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
A server with root access is required. This guide was written with Debian 8.
It is assumed that the PKI has already been set up; if not, please see the PKI configuration page.
The main configuration file describes the VPN connection:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    auto=add

conn kerlink
    leftid="C=FR, O=Kerlink, CN=vpn.hostname.tld"
    leftsubnet=your_server_subnet
    leftcert=vpncert.pem
    rightid="C=FR, O=Kerlink, CN=klk-wifc-XXXXXX"
    rightsubnet=your_network_subnet
Most of the parameters are defined in the %default section, but they can also be set under the kerlink connection itself, which is useful when the server hosts more than one VPN connection with different settings.
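The ike= and esp= lists above accept a wide range of proposals, including 1024-bit MODP groups and SHA-1, so that older gateways can still connect. The script below is an added example (not from this page or from strongSwan) that parses ike=/esp= lines out of ipsec.conf text and reports the proposals built from such legacy components, and whether the list is strict (trailing "!"). The weak/legacy thresholds are this script's own policy, and SAMPLE_CONF is a constructed, shortened version of the %default section above.

```python
"""Audit strongSwan ike=/esp= proposal lists for legacy algorithm components.

Added example, not part of the Kerlink page or of strongSwan. The sets below
are this script's own policy: 1024/1536-bit MODP groups fall short of current
2048-bit guidance, and SHA-1/MD5 are deprecated integrity/PRF algorithms.
"""
import re

WEAK_DH = {"modp1024", "modp1536"}
WEAK_HASH = {"sha1", "md5"}

# Constructed sample: a shortened form of the page's %default section.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-modp4096,aes128-sha1-modp2048,aes128-sha256-modp1024!
    esp=aes128gcm16-ecp256,aes256-sha1-modp1024,aes128gcm16!
"""


def parse_proposals(value):
    """Split a proposal string into (proposals, strict).

    strict is True when the list ends with '!', which tells strongSwan not to
    fall back to its built-in defaults if none of the listed proposals match.
    """
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    return [p for p in value.split(",") if p], strict


def audit_proposal(proposal):
    """Return the findings for one proposal such as 'aes128-sha1-modp1024'."""
    findings = []
    for part in proposal.split("-"):
        if part in WEAK_HASH:
            findings.append(f"legacy hash {part}")
        if part in WEAK_DH:
            findings.append(f"weak DH group {part}")
    return findings


def audit_conf(text):
    """Scan ipsec.conf text and return {(conn, directive): [(proposal, findings)]}.

    Only proposals with at least one finding are listed; conn tracks the
    section ('%default', 'kerlink', ...) the directive belongs to.
    """
    report = {}
    conn = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"(ike|esp)\s*=\s*(.+)", line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2)
        proposals, _strict = parse_proposals(value)
        for proposal in proposals:
            findings = audit_proposal(proposal)
            if findings:
                report.setdefault((conn, directive), []).append((proposal, findings))
    return report


if __name__ == "__main__":
    for (conn, directive), flagged in audit_conf(SAMPLE_CONF).items():
        for proposal, findings in flagged:
            print(f"{conn} {directive}: {proposal}: {', '.join(findings)}")
```

Run it against the real file with `audit_conf(open("/etc/ipsec.conf").read())`; an empty report means no listed proposal uses a component from the two sets. Because the page's lists are strict, removing a proposal really does stop peers from negotiating it, so confirm which proposals the gateway firmware actually offers before tightening the list.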
The ipsec.secrets file stores all credential information. In our case, there is only one line for the VPN server identification (RSA key) and one line per client (certificate):
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

: RSA vpnkey.pem
The syntax is identifier : type <parameters>.
If the identifier is empty, it is assumed that the line describes the server. Hence, the type is RSA and the parameter is the RSA key file name, relative to /etc/ipsec.d/private.
identifier, and the private RSA key.
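As an added illustration of the identifier : type <parameters> syntax (example code, not from this page or from strongSwan), the parser below classifies each ipsec.secrets line: an empty selector list is treated as the server's own credential, and RSA key names are resolved against /etc/ipsec.d/private as described above. SAMPLE_SECRETS repeats the page's entries and adds one constructed PSK line with a documentation address so that a non-empty selector is exercised.

```python
"""Parse strongSwan ipsec.secrets entries of the form

    [selectors] : TYPE parameters

Added example, not part of the Kerlink page or of strongSwan. It handles the
cases shown on the page (empty selector, RSA key file, include directive) plus
PSK lines and an optional passphrase token after an RSA key file name.
"""
import os
import shlex

PRIVATE_DIR = "/etc/ipsec.d/private"  # relative RSA key names resolve here

# Constructed sample: the page's lines plus one PSK entry with a selector.
SAMPLE_SECRETS = """\
# This file holds shared secrets or RSA private keys for authentication.
include /var/lib/strongswan/ipsec.secrets.inc

: RSA vpnkey.pem
# constructed extra line: a pre-shared key restricted to one peer address
192.0.2.10 : PSK "constructed-example-secret"
"""


def parse_secrets(text):
    """Return one dict per credential or include line, in file order.

    Raises ValueError on a line that does not follow the documented syntax,
    so a typo is caught before the daemon silently ignores the entry.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # shlex handles quoted PSKs and strips '#' comments outside quotes
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue  # blank or comment-only line
        if tokens[0] == "include":
            if len(tokens) != 2:
                raise ValueError(f"line {lineno}: include needs exactly one path")
            entries.append({"line": lineno, "kind": "include", "path": tokens[1]})
            continue
        if ":" not in tokens:
            raise ValueError(f"line {lineno}: expected 'selectors : TYPE parameters'")
        idx = tokens.index(":")
        selectors = tokens[:idx]          # empty list => this host (the server)
        rest = tokens[idx + 1:]
        if not rest:
            raise ValueError(f"line {lineno}: missing credential type after ':'")
        kind, params = rest[0].upper(), rest[1:]
        entry = {"line": lineno, "kind": kind, "selectors": selectors,
                 "for_this_host": not selectors}
        if kind in ("RSA", "ECDSA"):
            if not params:
                raise ValueError(f"line {lineno}: {kind} needs a key file name")
            key = params[0]
            entry["key_file"] = key if os.path.isabs(key) else os.path.join(PRIVATE_DIR, key)
            entry["passphrase"] = params[1] if len(params) > 1 else None  # may be %prompt
        elif kind == "PSK":
            if not params:
                raise ValueError(f"line {lineno}: PSK needs a secret")
            entry["secret"] = params[0]
        else:
            entry["params"] = params  # other types (EAP, XAUTH, ...) kept verbatim
        entries.append(entry)
    return entries


def server_key_files(entries):
    """Key files the server authenticates itself with (empty-selector RSA/ECDSA lines)."""
    return [e["key_file"] for e in entries
            if e.get("for_this_host") and e["kind"] in ("RSA", "ECDSA")]


if __name__ == "__main__":
    parsed = parse_secrets(SAMPLE_SECRETS)
    for e in parsed:
        print(e)
    print("server keys:", server_key_files(parsed))
```

Reading the live file with `parse_secrets(open("/etc/ipsec.secrets").read())` requires root, which is consistent with the file holding private key references; the include directive is recorded but not followed, so run the parser on the included file separately if it exists.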
Here is a simple OpenVPN server-side configuration file:
port 1194
proto udp
dev tun
#tls-version-min "1.0"
#tls-version-max "1.0"

# CA certificate
ca ca.crt

# Server and Private Server key
# This file should be kept secret
pkcs12 server.12

# Diffie-Hellman parameters
dh dh2048.pem

# LAN information and network configuration
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt 86400
mssfix 1200
push "route 172.17.0.0 255.255.0.0"
push "route 172.18.0.0 255.255.0.0"
push "dhcp-option DNS 10.8.0.1"

# Connection management
comp-lzo
keepalive 15 120
cipher AES-256-CBC

# Daemon configuration
user nobody
group nogroup

# Persist across restarts
persist-key
persist-tun
persist-local-ip
persist-remote-ip

# Management options
status openvpn-status.log
verb 4
management localhost 6666
script-security 2
client-to-client
Start OpenVPN with the following command:
# sudo openvpn /etc/openvpn/server-openvpn.conf
Note: if you set a passphrase on your private key, add the following line to your configuration file:
askpass pass.txt
Fill pass.txt with your passphrase and restrict its permissions with chmod 600.
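The chmod 600 advice applies to every secret file the configuration references (the pkcs12 bundle, a key file, the askpass file). The pre-start check below is an added example, not part of this page or of OpenVPN: it extracts the file-referencing directives from a server config and reports any secret file that is missing or readable by group or others. It assumes relative paths resolve against the directory containing the config file (OpenVPN itself resolves them against its working directory, or the directory given with --cd), so run it from that directory or adapt the base path. demo() builds a throwaway directory with constructed placeholder files, one of them deliberately left world-readable.

```python
"""Check that secret files referenced by an OpenVPN config are private (mode 0600).

Added example, not part of the Kerlink page or of OpenVPN. Relative paths are
resolved against the config file's directory, which is an assumption of this
script, not OpenVPN's own rule (it uses the working directory or --cd).
"""
import os
import shlex
import stat
import tempfile

# Directives whose file argument must stay unreadable by group/others.
SECRET_DIRECTIVES = {"key", "pkcs12", "askpass", "tls-auth", "tls-crypt", "secret"}
# Directives whose file argument only needs to exist.
PUBLIC_DIRECTIVES = {"ca", "cert", "dh", "crl-verify"}


def referenced_files(config_text):
    """Yield (directive, path) for every file-referencing directive.

    Lines starting with '#' or ';' are comments in OpenVPN configs; a bare
    'askpass' with no argument means 'prompt', so it references no file.
    """
    for raw in config_text.splitlines():
        if raw.lstrip().startswith(";"):
            continue
        tokens = shlex.split(raw, comments=True)  # handles '#' and quoted args
        if len(tokens) < 2:
            continue
        if tokens[0] in SECRET_DIRECTIVES or tokens[0] in PUBLIC_DIRECTIVES:
            yield tokens[0], tokens[1]


def check_config(config_path):
    """Return a list of problems; an empty list means every file passed."""
    base = os.path.dirname(os.path.abspath(config_path))
    with open(config_path) as f:
        text = f.read()
    problems = []
    for directive, path in referenced_files(text):
        full = path if os.path.isabs(path) else os.path.join(base, path)
        if not os.path.exists(full):
            problems.append(f"{directive}: {full} does not exist")
            continue
        if directive in SECRET_DIRECTIVES:
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other bit set
                problems.append(f"{directive}: {full} is mode {mode:04o}, expected 0600")
    return problems


def demo():
    """Constructed scenario: a config dir where pass.txt was never chmod'ed."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "server-openvpn.conf")
    with open(cfg, "w") as f:
        f.write("port 1194\nca ca.crt\npkcs12 server.p12\naskpass pass.txt\n")
    # server.p12 and pass.txt are constructed placeholder names, not real keys
    for name, mode in (("ca.crt", 0o644), ("server.p12", 0o600), ("pass.txt", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("constructed placeholder content\n")
        os.chmod(p, mode)
    return check_config(cfg)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

For the real server, `check_config("/etc/openvpn/server-openvpn.conf")` run as root before starting the daemon gives a quick, repeatable way to confirm the chmod step was not forgotten; the permission check is intentionally conservative and flags group-readable files as well, since the page's advice is 0600.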