VPN - Server configuration

IPsec / strongswan

Requirements

Install the strongswan package and check that its version matches the one installed on the gateway. On firmware 4.0.x, the gateway reports:

ipsec --version
Linux strongSwan U5.5.3/K4.14.9-klk
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

A server with root access is required. This guide was written with Debian 8.

It is assumed that the PKI has already been set up; if not, see the PKI configuration page.

Configuration

The main configuration file describes the VPN connection:

/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
 
# basic configuration
 
config setup
 
conn %default
	keyexchange=ikev2
	ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
	esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
	dpdaction=clear
	dpddelay=300s
	rekey=no
	auto=add
 
conn kerlink
	leftid="C=FR, O=Kerlink, CN=vpn.hostname.tld"
	leftsubnet=your_server_subnet
	leftcert=vpncert.pem
	rightid="C=FR, O=Kerlink, CN=klk-lpbs-060434"
	rightsubnet=your_network_subnet

Most of the parameters are defined in the %default section, but they can be moved under the kerlink connection should the server have more than one VPN connection with different settings.
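The ike= and esp= lists above are long, and %default inheritance makes it easy to lose track of what a given conn actually offers. The following Python script is an added example (it is not part of this page and not strongSwan code): it parses the conn sections of ipsec.conf, applies %default inheritance, splits the proposal lists and flags proposals that contain components we treat as weak. The sample configuration is a shortened copy of the one above, and the weak-component set is our own review policy, not a strongSwan setting. Several sha1, modp1024 and modp1536 entries in the page's lists exist for compatibility with the gateway; the audit simply makes them visible so they can be removed once the gateway no longer needs them.

```python
"""Parse a strongSwan ipsec.conf and audit the IKE/ESP proposals of a conn."""

# Constructed sample: the %default and kerlink sections from the page with the
# proposal lists shortened to a few entries (keep the full lists in production).
SAMPLE_IPSEC_CONF = """\
# ipsec.conf - strongSwan IPsec configuration file
config setup

conn %default
\tkeyexchange=ikev2
\tike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha1-modp1024!
\tesp=aes128gcm16-ecp256,aes256-sha1-modp1024,aes128-sha256!
\tdpdaction=clear
\tdpddelay=300s
\trekey=no
\tauto=add

conn kerlink
\tleftid="C=FR, O=Kerlink, CN=vpn.hostname.tld"
\tleftsubnet=your_server_subnet
\tleftcert=vpncert.pem
\trightid="C=FR, O=Kerlink, CN=klk-lpbs-060434"
\trightsubnet=your_network_subnet
"""

# Algorithm components we treat as weak (our review policy, not a strongSwan setting).
WEAK_COMPONENTS = {"md5", "sha1", "3des", "modp768", "modp1024", "modp1536"}


def parse_ipsec_conf(text):
    """Return {'conn kerlink': {key: value}, ...}.  Section headers start in
    column 0 ('conn NAME', 'config setup'); their settings are indented key=value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name):
    """Settings of 'conn NAME' with 'conn %default' filled in underneath."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged


def parse_proposals(spec):
    """'aes128-sha256-ecp256,aes128-sha1-modp1024!' -> (strict, [[components], ...]).
    A trailing '!' tells strongSwan to reject anything outside the listed proposals."""
    strict = spec.endswith("!")
    proposals = [p.split("-") for p in spec.rstrip("!").split(",") if p]
    return strict, proposals


def weak_proposals(spec):
    """Proposals containing at least one component from WEAK_COMPONENTS."""
    _, proposals = parse_proposals(spec)
    return ["-".join(p) for p in proposals if WEAK_COMPONENTS & set(p)]


def audit_conn(sections, name):
    """Return a list of human-readable findings for one connection."""
    conn = effective_conn(sections, name)
    findings = []
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2")
    for key in ("ike", "esp"):
        spec = conn.get(key, "")
        strict, _ = parse_proposals(spec)
        if not strict:
            findings.append(f"{key} proposal list is not strict (no trailing '!')")
        findings += [f"{key} offers weak proposal {p}" for p in weak_proposals(spec)]
    for key in ("leftid", "leftcert", "rightid", "leftsubnet", "rightsubnet"):
        if key not in conn:
            findings.append(f"{key} is not set")
    return findings


if __name__ == "__main__":
    # Run against the real file with: parse_ipsec_conf(open("/etc/ipsec.conf").read())
    for finding in audit_conn(parse_ipsec_conf(SAMPLE_IPSEC_CONF), "kerlink"):
        print(finding)
```

The parser deliberately keeps the first "=" as the separator so DN values such as leftid="C=FR, O=Kerlink, CN=..." survive intact.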

Secrets

The secrets file stores all credential information. In our case, there is only one line for the VPN server identity (its RSA key) and one line per client (certificate):

/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
 
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
 
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
 
: RSA vpnkey.pem

The syntax of each line is identifier : type <parameters>.
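To show how that syntax decomposes, here is an added Python example (not from this page and not strongSwan code) that parses ipsec.secrets entries into their selector, type and parameter parts, records include directives, and answers which entries apply to a given peer identity. The sample file is constructed in the page's format: an include line, the host's RSA key line with an empty selector, and a PSK line with explicit selectors; the PSK value and the 192.0.2.1 address are placeholders.

```python
"""Parse strongSwan ipsec.secrets lines of the form  [selectors] : TYPE parameters"""
import re
import shlex

# Constructed sample in the page's format (the PSK value is a placeholder).
SAMPLE_SECRETS = """\
# This file holds shared secrets or RSA private keys for authentication.
include /var/lib/strongswan/ipsec.secrets.inc

: RSA vpnkey.pem
vpn.hostname.tld 192.0.2.1 : PSK "constructed-sample-psk"
"""

# Secret types accepted by this parser (a subset of what strongSwan supports).
SECRET_TYPES = ("RSA", "ECDSA", "P12", "PSK", "EAP", "XAUTH", "PIN")
ENTRY_RE = re.compile(
    r"^(?P<selectors>.*?)\s*:\s*(?P<type>" + "|".join(SECRET_TYPES) + r")\s+(?P<params>.+)$")


def parse_secrets(text):
    """Return (entries, includes).  Each entry is a dict with 'selectors'
    (an empty list means the entry has no identifier and applies to any peer),
    'type' and 'params' (the key file, or the quoted secret, split with shlex)."""
    entries, includes = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            includes.append(line.split(None, 1)[1])
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not an 'identifier : type <parameters>' entry")
        entries.append({
            "selectors": shlex.split(match["selectors"]),
            "type": match["type"],
            "params": shlex.split(match["params"]),
        })
    return entries, includes


def secrets_for(entries, identity):
    """Entries that apply to a peer identity: no selector, an explicit match, or %any."""
    return [e for e in entries
            if not e["selectors"] or identity in e["selectors"] or "%any" in e["selectors"]]


def private_key_files(entries):
    """Key files referenced by RSA/ECDSA/P12 lines (their first parameter)."""
    return [e["params"][0] for e in entries if e["type"] in ("RSA", "ECDSA", "P12")]


if __name__ == "__main__":
    entries, includes = parse_secrets(SAMPLE_SECRETS)
    print("includes:", includes)
    for entry in entries:
        print(entry)
    print("key files:", private_key_files(entries))
```

Because the regex anchors on the type keyword, the host's own key line (empty identifier before the colon) and lines with several selectors parse the same way; a line that does not fit the identifier : type <parameters> shape raises a ValueError with its line number, which is the check you want before restarting the daemon.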

OpenVPN

Here is a sample server side configuration file:

/etc/openvpn/server.conf
# UDP tunnel on port 1194
port 1194
proto udp
dev tun
 
# Server identification and security parameters
pkcs12 /etc/openvpn/server-cert.p12
dh /etc/openvpn/dh2048.pem
 
# LAN information and network configuration
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt 86400
mssfix 1200
push "route 172.17.0.0 255.255.0.0"
push "route 172.18.0.0 255.255.0.0"
push "dhcp-option DNS 10.8.0.1"
 
# Connection management
comp-lzo
keepalive 15 120
cipher AES-256-CBC
 
# Daemon configuration
user nobody
group nogroup
 
# Persist across restarts
persist-key
persist-tun
persist-local-ip
persist-remote-ip
 
# Management options
status openvpn-status.log
verb 4
management localhost 6666
script-security 2

Start with:

openvpn /etc/openvpn/server.conf
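Before starting the daemon it is worth reading the configuration back the way a reviewer would. The following Python script is an added example (not part of this page and not OpenVPN code): it parses an OpenVPN server.conf into a directive map and reports a few settings that a review of the file above would raise: compression (comp-lzo is deprecated since OpenVPN 2.4), a management interface without a password file, script-security 2 with no script hook configured, and a missing tls-auth/tls-crypt key. The sample text is a shortened copy of the server.conf above; the checks are our review policy, and the file paths in hardened_sample() are placeholders.

```python
"""Parse an OpenVPN server.conf and report settings a reviewer would question."""
import shlex

# Constructed sample: a shortened copy of the server.conf shown on the page.
SAMPLE_SERVER_CONF = """\
# UDP tunnel on port 1194
port 1194
proto udp
dev tun
pkcs12 /etc/openvpn/server-cert.p12
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "route 172.17.0.0 255.255.0.0"
push "dhcp-option DNS 10.8.0.1"
comp-lzo
keepalive 15 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 4
management localhost 6666
script-security 2
"""

# Directives that actually run external scripts and therefore need script-security >= 2.
SCRIPT_HOOKS = {"up", "down", "client-connect", "client-disconnect",
                "auth-user-pass-verify", "tls-verify", "learn-address",
                "route-up", "ipchange"}


def parse_openvpn_conf(text):
    """Return {directive: [args, ...]}; directives such as push may repeat.
    Lines starting with '#' or ';' are comments; <tag>...</tag> inline files are
    stored as one argument under the tag name."""
    conf, inline_tag, inline_body = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                conf.setdefault(inline_tag, []).append(["\n".join(inline_body)])
                inline_tag, inline_body = None, []
            else:
                inline_body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def audit_openvpn_conf(conf):
    """Return a list of findings (empty list means nothing to report)."""
    keys, findings = set(conf), []
    if "comp-lzo" in keys or "compress" in keys:
        findings.append("compression enabled (comp-lzo/compress): deprecated and a known side-channel risk, remove it")
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & keys):
        findings.append("no tls-auth/tls-crypt: the control channel has no additional HMAC key")
    for args in conf.get("management", []):
        if len(args) < 3:
            findings.append(f"management {' '.join(args)}: no password file, any local process can reach it")
    level = int(conf.get("script-security", [["1"]])[0][0])
    if level >= 2 and not (SCRIPT_HOOKS & keys):
        findings.append(f"script-security {level} but no script hook is configured; level 1 is enough")
    if "user" not in keys or "group" not in keys:
        findings.append("daemon keeps root: add user/group to drop privileges after start")
    elif not ({"persist-key", "persist-tun"} <= keys):
        findings.append("privileges are dropped but persist-key/persist-tun are missing; restarts will fail")
    return findings


def hardened_sample():
    """SAMPLE_SERVER_CONF with the findings addressed (key and password paths are placeholders)."""
    return (SAMPLE_SERVER_CONF.replace("comp-lzo\n", "")
            .replace("management localhost 6666", "management localhost 6666 /etc/openvpn/management.pw")
            .replace("script-security 2", "script-security 1")
            + "tls-crypt /etc/openvpn/tls-crypt.key\n")


if __name__ == "__main__":
    # Run against the real file with: parse_openvpn_conf(open("/etc/openvpn/server.conf").read())
    for finding in audit_openvpn_conf(parse_openvpn_conf(SAMPLE_SERVER_CONF)):
        print(finding)
```

The management password file and the tls-crypt key in hardened_sample() must of course exist on the server; the script only checks that the directives reference them.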

Next

Next, set up the VPN client on the gateway.