Table of Contents

VPN - Server configuration

IPsec / strongswan

Requirements

Please install strongswan and check that the version matches the one installed in the Wirnet™ gateway. For example, on firmware 3.4.3, the ipsec version is:

ipsec --version
Linux strongSwan U5.5.2/K4.1.15-klk
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

A server with root access is required. This guide was written with Debian 8.

It is assumed that the PKI was set up, if not, please see the PKI configuration page.

Configuration

The main configuration file describes the VPN connection:

/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
 
# basic configuration
 
config setup
 
conn %default
	keyexchange=ikev2
	ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
	esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
	dpdaction=clear
	dpddelay=300s
	rekey=no
	auto=add
 
conn kerlink
        leftid="C=FR, O=Kerlink, CN=vpn.hostname.tld"
        leftsubnet=your_server_subnet
        leftcert=vpncert.pem
        rightid="C=FR, O=Kerlink, CN=klk-wifc-XXXXXX"
        rightsubnet=your_network_subnet

Most of the parameters are defined in the default section, but they can also be defined under the kerlink connection, should the server have more than one VPN connection.

Secrets

The ipsec.secrets file stores all the credentials information. In our case, we only have one line for the VPN server identification (RSA key) and one line per client (certificate):

/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
 
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
 
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
 
: RSA vpnkey.pem

The syntax is identifier : type <parameters>.

OpenVPN

Here is a simple server side configuration file:

/etc/openvpn/server-openvpn.conf
port 1194
proto udp
dev tun
 
#tls-version-min "1.0"
#tls-version-max "1.0"
 
# CA certificate
ca ca.crt
 
# Server and Private Server key # This file should be kept secret
pkcs12 server.12
 
# Diffie-Hellman parameters
dh dh2048.pem
 
# LAN information and network configuration
topology subnet
 
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt 86400
mssfix 1200
push "route 172.17.0.0 255.255.0.0"
push "route 172.18.0.0 255.255.0.0"
push "dhcp-option DNS 10.8.0.1"
 
# Connection management
comp-lzo
keepalive 15 120
cipher AES-256-CBC
 
# Daemon configuration
user nobody
group nogroup
 
# Persist across restarts
persist-key
persist-tun
persist-local-ip
persist-remote-ip
 
# Management options
status openvpn-status.log
verb 4
management localhost 6666
script-security 2
 
client-to-client

Start OpenVPN with the following command:

# sudo openvpn /etc/openvpn/server-openvpn.conf

Note: if you set a passphrase to access your private key, just add the following line in your configuration file :

askpass pass.txt

fill the pass.txt file with your password and chmod 600 it.