====== VPN - Server configuration ====== ===== IPsec / strongswan ===== ==== Requirements ==== Please install strongswan and check that the version matches the one installed in the gateway. On firmware 4.0.x, the IPsec version is: ipsec --version Linux strongSwan U5.5.3/K4.14.9-klk Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil, Switzerland See 'ipsec --copyright' for copyright information. A server with root access is required. This guide was written with Debian 8. It is assumed that the PKI was set up, if not, please see the [[ wiki:network_mana:vpn_pki| PKI configuration]] page. ==== Configuration ==== The main configuration file describes the VPN connection: # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup conn %default keyexchange=ikev2 ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024! esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1! dpdaction=clear dpddelay=300s rekey=no auto=add conn kerlink leftid="C=FR, O=Kerlink, CN=vpn.hostname.tld" leftsubnet=your_server_subnet leftcert=vpncert.pem rightid="C=FR, O=Kerlink, CN=klk-lpbs-060434" rightsubnet=your_network_subnet Most of the parameters are defined in the default section, but they could be put under the ''kerlink'' connection should the server have more than one VPN connection. ==== Secrets ==== The secrets file stores all the credentials information. In our case, we only have one line for the VPN server identification (RSA key) and one line per client (certificate): # This file holds shared secrets or RSA private keys for authentication. # RSA private key for this host, authenticating it to any other host # which knows the public part. # this file is managed with debconf and will contain the automatically created private key include /var/lib/strongswan/ipsec.secrets.inc : RSA vpnkey.pem The syntax is ''identifier : type ''. * When the ''identifier'' is empty, it is assumed that it describes the server. Hence, ''type'' is ''RSA'' and the ''parameters'' is the RSA key file name, relative to ''/etc/ipsec.d/private''. * Otherwise, this can identify clients. In this case, we identify the certificate in the ''identifier'', and the private RSA key. ===== OpenVPN ===== Here is a sample server side configuration file: # UDP tunnel on port 1194 port 1194 proto udp dev tun # Server identification and security parameters pkcs12 /etc/openvpn/server-cert.p12 dh /etc/openvpn/dh2048.pem # LAN information and network configuration topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt 86400 mssfix 1200 push "route 172.17.0.0 255.255.0.0" push "route 172.18.0.0 255.255.0.0" push "dhcp-option DNS 10.8.0.1" # Connection management comp-lzo keepalive 15 120 cipher AES-256-CBC # Daemon configuration user nobody group nogroup # Persist across restarts persist-key persist-tun persist-local-ip persist-remote-ip # Management options status openvpn-status.log verb 4 management localhost 6666 script-security 2 Start with: openvpn /etc/openvpn/server.conf ===== Next ===== Next, [[ wiki:network_mana:vpn_client|setup the VPN client]] on the gateway.