====== VPN - Server configuration ======
===== IPsec / strongswan =====
==== Requirements ====
Install strongSwan and check that its version matches the one installed on the gateway. On firmware 4.0.x, the IPsec version is:
<code>
ipsec --version
Linux strongSwan U5.5.3/K4.14.9-klk
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
</code>
A server with root access is required. This guide was written on Debian 8.
It is assumed that the PKI has already been set up; if not, see the [[ wiki:network_mana:vpn_pki| PKI configuration]] page.
==== Configuration ====
The main configuration file, ''/etc/ipsec.conf'', describes the VPN connection:
<code>
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn %default
    keyexchange=ikev2
    # Proposal lists; the trailing "!" makes them strict: only listed proposals are accepted
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    # Dead peer detection: tear the SA down when the gateway stops answering
    dpdaction=clear
    dpddelay=300s
    # The server never initiates rekeying; the gateway does
    rekey=no
    # Load the connection and wait for the gateway to initiate it
    auto=add

conn kerlink
    # Local (server) identity; leftcert is relative to /etc/ipsec.d/certs/
    leftid="C=FR, O=Kerlink, CN=vpn.hostname.tld"
    leftsubnet=your_server_subnet
    leftcert=vpncert.pem
    # Remote (gateway) identity: the subject of the gateway's certificate
    rightid="C=FR, O=Kerlink, CN=klk-lpbs-060434"
    rightsubnet=your_network_subnet
</code>
Most of the parameters are defined in the ''%default'' section; should the server host more than one VPN connection with different settings, move them under the ''kerlink'' connection instead.
The ''ike'' and ''esp'' lists end with ''!'', so only the listed proposals are accepted. They still include SHA-1 integrity and the 1024-bit and 1536-bit MODP groups for compatibility with older gateways; once every gateway supports one of the stronger proposals (the ECP groups, MODP 2048 or larger, and the AES-GCM ESP proposals), remove the weaker entries. Because ''rekey=no'' and ''auto=add'' are set, it is always the gateway that establishes, rekeys and, after a dead peer detection timeout, re-establishes the tunnel.
==== Secrets ====
The secrets file, ''/etc/ipsec.secrets'', holds the credentials. In our case it only needs one line, which names the server's RSA private key; the gateways authenticate with their certificates, which strongSwan checks against the CA certificate in ''/etc/ipsec.d/cacerts/'', so they need no entry here:
<code>
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

: RSA vpnkey.pem
</code>
The syntax is ''identifier : type parameters''.
  * When the ''identifier'' is empty, the line applies to this host: ''type'' is ''RSA'' and the parameter is the private key file name, relative to ''/etc/ipsec.d/private/''. The daemon reads the key as root, so the file should not be readable by anyone else.
  * A non-empty ''identifier'' restricts the line to one local identity (the ''leftid'' of a connection). This is only needed when the server has several certificates and keys and must pick the right one per connection.
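The three files named above (''leftcert'', the '': RSA'' key and the CA certificate) and the ''leftid'' string have to agree with each other, and a mismatch only shows up as an authentication failure in the log. The following script is an added example, not part of the Kerlink wiki or of strongSwan: it checks that the private key belongs to the certificate, that the certificate chains to the CA, that ''leftid'' equals the certificate subject, and that the key file is not world-readable. The ''make_demo_pki'' function builds a constructed throw-away CA and server certificate so the checks can be exercised offline; the paths and DNs are hypothetical and need to be replaced with the real ones under ''/etc/ipsec.d/''.

```shell
#!/bin/sh
# Added example, not part of the Kerlink wiki or strongSwan: check that the
# files referenced by ipsec.conf (leftcert, leftid) and ipsec.secrets (": RSA")
# are consistent before starting the daemon. Paths and DNs are hypothetical.

# Normalise a subject so OpenSSL's "C = FR, O = Kerlink, ..." and
# strongSwan's "C=FR, O=Kerlink, ..." compare equal.
norm_dn() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//' -e 's/ *= */=/g' -e 's/ *, */, /g'
}

# check_vpn_pki CERT KEY CACERT LEFTID
# Prints one line per problem; returns 0 when everything is consistent.
check_vpn_pki() {
    cert=$1; key=$2; ca=$3; want=$4; rc=0

    # 1. leftcert and the ": RSA" key must be one key pair, otherwise
    #    strongSwan cannot sign the AUTH payload for this identity.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi

    # 2. The certificate must chain to the CA the gateways trust.
    #    (grep the verdict: 'openssl verify' in 1.0.x exits 0 even on failure)
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 3. leftid must equal the certificate subject, or the gateway rejects the IDr.
    have=$(norm_dn "$(openssl x509 -in "$cert" -noout -subject -nameopt oneline 2>/dev/null)")
    if [ "$have" != "$(norm_dn "$want")" ]; then
        echo "FAIL: leftid '$want' differs from certificate subject '$have'"; rc=1
    fi

    # 4. charon reads the key as root; nobody else needs it.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $key is world-readable (chmod 600 it)"; rc=1
    fi
    return $rc
}

# make_demo_pki DIR: constructed throw-away CA, server certificate and an
# unrelated key, so the checks can be exercised offline (demo data only).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/C=FR/O=Kerlink/CN=Demo VPN CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/C=FR/O=Kerlink/CN=vpn.hostname.tld' \
        -keyout "$d/vpnkey.pem" -out "$d/vpn.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/vpn.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/vpncert.pem" 2>/dev/null
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
    chmod 600 "$d/vpnkey.pem" "$d/other.pem"
}

# Stand-alone demo: one consistent set of files and two broken ones.
demo() {
    d=$(mktemp -d) && make_demo_pki "$d"
    id='C=FR, O=Kerlink, CN=vpn.hostname.tld'
    check_vpn_pki "$d/vpncert.pem" "$d/vpnkey.pem" "$d/ca.pem" "$id" && echo "OK: $id"
    check_vpn_pki "$d/vpncert.pem" "$d/other.pem" "$d/ca.pem" "$id" || :     # wrong key
    check_vpn_pki "$d/vpncert.pem" "$d/vpnkey.pem" "$d/ca.pem" 'C=FR, O=Kerlink, CN=other' || :
    rm -rf "$d"
}
demo
```

On the real server, run ''check_vpn_pki /etc/ipsec.d/certs/vpncert.pem /etc/ipsec.d/private/vpnkey.pem /etc/ipsec.d/cacerts/ca.pem "C=FR, O=Kerlink, CN=vpn.hostname.tld"'' (with your own file names and ''leftid''); the same check applied to the gateway's certificate and ''rightid'' catches the other common cause of a failing IKE_AUTH.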
===== OpenVPN =====
Here is a sample server-side configuration file, ''/etc/openvpn/server.conf'':
<code>
# UDP tunnel on port 1194
port 1194
proto udp
dev tun

# Server identification and security parameters
# (CA certificate, server certificate and private key in one PKCS#12 bundle)
pkcs12 /etc/openvpn/server-cert.p12
dh /etc/openvpn/dh2048.pem

# LAN information and network configuration
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt 86400
mssfix 1200
push "route 172.17.0.0 255.255.0.0"
push "route 172.18.0.0 255.255.0.0"
push "dhcp-option DNS 10.8.0.1"

# Connection management
comp-lzo
keepalive 15 120
cipher AES-256-CBC

# Daemon configuration: drop root privileges once the tunnel is up
user nobody
group nogroup

# Persist across restarts (required with user/group above: the key and
# the tun device cannot be reopened without root)
persist-key
persist-tun
persist-local-ip
persist-remote-ip

# Management options
status openvpn-status.log
verb 4
management localhost 6666
script-security 2
</code>
A few settings in this sample should be revisited before it goes into production; every change has to be mirrored in the client configuration on the gateway:
  * ''comp-lzo'' compresses the tunnel payload. Compressing plaintext that an attacker can partly influence leaks information through packet sizes (the VORACLE class of attacks), so leave it out unless the gateway requires it.
  * The control channel has no ''tls-auth'' or ''tls-crypt'' key. Without one, any host that can reach UDP port 1194 can start a TLS handshake with the server; with a shared key, unauthenticated packets are dropped before they reach the TLS stack.
  * There is no ''auth'' line, so the data-channel HMAC defaults to SHA1. Set ''auth SHA256'' explicitly, and prefer ''cipher AES-256-GCM'' over CBC when both ends run OpenVPN 2.4 or later.
  * ''management localhost 6666'' opens the management interface to every local user without a password. Add a password file as third argument (''management localhost 6666 /etc/openvpn/management.pw'') or use a Unix socket instead of a TCP port.
  * ''script-security 2'' lets OpenVPN run external scripts, but the sample defines none, so the line can be dropped.
Start with:
<code>
openvpn /etc/openvpn/server.conf
</code>
On Debian, the same file can also be run as a service with ''systemctl start openvpn@server''.
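The weak points of the sample above (compression, an unprotected control channel, the default HMAC, a CBC cipher, a passwordless management port and ''script-security'' with no scripts) are all visible in the file itself, so they can be checked before the daemon is started. The script below is an added example, not part of the Kerlink wiki or of OpenVPN: ''audit_openvpn_conf'' prints one finding per weak setting and returns their number, and ''write_sample_configs'' writes two constructed files, a copy of the sample and a hardened variant that assumes OpenVPN 2.4 or later on both ends (hypothetical paths for the ''tls-crypt'' key and the management password file).

```shell
#!/bin/sh
# Added example, not part of the Kerlink wiki or OpenVPN: lint a server.conf
# for the weak settings discussed above. The directives are real OpenVPN
# options; the file paths in the sample configs are hypothetical.

# has_opt FILE REGEX: true when a directive matching REGEX starts a line.
has_opt() { grep -Eq "^[[:space:]]*($2)([[:space:]]|"'$)' "$1"; }

# audit_openvpn_conf FILE: prints one finding per line, returns their number.
audit_openvpn_conf() {
    f=$1; n=0
    if has_opt "$f" 'comp-lzo|compress'; then
        echo "comp-lzo/compress: compression leaks plaintext through packet sizes (VORACLE); remove it"
        n=$((n + 1))
    fi
    if ! has_opt "$f" 'tls-auth|tls-crypt|tls-crypt-v2'; then
        echo "no tls-auth/tls-crypt: any host that can reach the port may start a TLS handshake"
        n=$((n + 1))
    fi
    if ! has_opt "$f" 'auth'; then
        echo "no auth: data-channel HMAC defaults to SHA1; set 'auth SHA256'"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+[^[:space:]]*-CBC' "$f"; then
        echo "cipher *-CBC: prefer AES-256-GCM when both ends run OpenVPN 2.4 or later"
        n=$((n + 1))
    fi
    # "management host port" with nothing after the port: no password file
    if grep -Eq '^[[:space:]]*management[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+[[:space:]]*$' "$f"; then
        echo "management without password file: add one as third argument or use a unix socket"
        n=$((n + 1))
    fi
    if has_opt "$f" 'script-security' && \
       ! has_opt "$f" 'up|down|client-connect|client-disconnect|learn-address|auth-user-pass-verify|tls-verify|route-up'; then
        echo "script-security without any script directive: drop it"
        n=$((n + 1))
    fi
    return $n
}

# write_sample_configs DIR: constructed copies of the wiki sample (weak.conf)
# and a hardened variant (hardened.conf, assumes OpenVPN 2.4+ on both ends).
write_sample_configs() {
    cat >"$1/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
pkcs12 /etc/openvpn/server-cert.p12
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
comp-lzo
keepalive 15 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
management localhost 6666
script-security 2
EOF
    cat >"$1/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
pkcs12 /etc/openvpn/server-cert.p12
dh /etc/openvpn/dh2048.pem
tls-crypt /etc/openvpn/tls-crypt.key
topology subnet
server 10.8.0.0 255.255.255.0
keepalive 15 120
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
management localhost 6666 /etc/openvpn/management.pw
EOF
}

# Stand-alone demo: six findings for the sample, none for the hardened file.
d=$(mktemp -d) && write_sample_configs "$d"
for c in weak hardened; do
    echo "== $c.conf"; audit_openvpn_conf "$d/$c.conf" || :
done
rm -rf "$d"
```

Run ''audit_openvpn_conf /etc/openvpn/server.conf'' on the real file; a non-zero return value is the number of findings, so the call can sit in a deployment check that refuses to start the service until the list is empty.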
===== Next =====
Next, [[wiki:network_mana:secure_network:keros_4.x:setting_up_the_vpn_client|set up the VPN client]] on the gateway.