Please install strongswan and check that the version matches the one installed on the gateway. On firmware 4.0.x, the IPsec version is:

ipsec --version
Linux strongSwan U5.5.3/K4.14.9-klk
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
A server with root access is required. This guide was written with Debian 8.
It is assumed that the PKI has already been set up; if not, see the PKI configuration page.
The main configuration file describes the VPN connection:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn %default
    keyexchange=ikev2
    # proposal lists: the trailing '!' restricts the responder to exactly these proposals
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    # dead peer detection: clear the SA after 300s without a reply
    dpdaction=clear
    dpddelay=300s
    rekey=no
    auto=add

conn kerlink
    # replace the placeholders below with the server certificate DN, subnets and gateway DN
    leftid="C=FR, O=Kerlink, CN=vpn.hostname.tld"
    leftsubnet=your_server_subnet
    leftcert=vpncert.pem
    rightid="C=FR, O=Kerlink, CN=klk-lpbs-060434"
    rightsubnet=your_network_subnet

Most of the parameters are defined in the %default section, but they could be put under the kerlink connection should the server have more than one VPN connection.
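As an added example (not part of the original page and not Kerlink's tooling), the following Python script parses a constructed ipsec.conf excerpt laid out like the one above and reports which ike= and esp= proposals still rely on SHA-1 or DH groups below 2048 bits, and whether the trailing '!' makes each list strict:

```python
"""Audit strongSwan ike=/esp= proposal lists for legacy algorithms.
Added example (not from the page or from Kerlink): parses a constructed
ipsec.conf excerpt and flags SHA-1 / DH groups below 2048 bits."""

# Constructed excerpt with the same layout as the page's ipsec.conf
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes128-sha1-modp2048,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256-sha384,aes128-sha1-modp1024!
    rekey=no
"""

# Algorithm and DH-group tokens to retire once the peer no longer needs them
WEAK_TOKENS = {"sha1", "md5", "3des", "modp768", "modp1024", "modp1536"}

def parse_conn_sections(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("conn "):  # section header starts in column 0
            current = line.split(None, 1)[1].strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_proposals(value):
    """Split an ike=/esp= value; return (strict, [(proposal, weak tokens)])."""
    strict = value.endswith("!")  # '!' restricts the responder to this list
    weak = []
    for prop in value.rstrip("!").split(","):
        hits = sorted(set(prop.split("-")) & WEAK_TOKENS)
        if hits:
            weak.append((prop, hits))
    return strict, weak

def audit_conf(text):
    """Map 'conn/key' -> audit_proposals() result for every ike=/esp= line."""
    return {f"{conn}/{key}": audit_proposals(params[key])
            for conn, params in parse_conn_sections(text).items()
            for key in ("ike", "esp") if key in params}

if __name__ == "__main__":
    for where, (strict, weak) in audit_conf(SAMPLE_CONF).items():
        print(where, "strict" if strict else "NOT strict", weak)
```

To audit a live server, pass the contents of /etc/ipsec.conf to audit_conf() instead of SAMPLE_CONF.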
The secrets file stores all the credential information. In our case, we only have one line for the VPN server identification (RSA key) and one line per client (certificate):

# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
: RSA vpnkey.pem
The syntax is identifier : type <parameters>. If identifier is empty, it is assumed that the line describes the server. Hence, type is RSA and the parameter is the RSA key file name, relative to /etc/ipsec.d/private.

identifier, and the private RSA key.

Here is a sample server side configuration file:
# UDP tunnel on port 1194
port 1194
proto udp
dev tun

# Server identification and security parameters
pkcs12 /etc/openvpn/server-cert.p12
dh /etc/openvpn/dh2048.pem

# LAN information and network configuration
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt 86400
mssfix 1200
push "route 172.17.0.0 255.255.0.0"
push "route 172.18.0.0 255.255.0.0"
push "dhcp-option DNS 10.8.0.1"

# Connection management
comp-lzo
keepalive 15 120
cipher AES-256-CBC

# Daemon configuration
user nobody
group nogroup

# Persist across restarts
persist-key
persist-tun
persist-local-ip
persist-remote-ip

# Management options
status openvpn-status.log
verb 4
management localhost 6666
script-security 2
Start with:
openvpn /etc/openvpn/server.conf
Next, set up the VPN client on the gateway.