Strongswan is an open-source multiplatform IPSec implementation. It is an IPSec-based VPN solution that focuses on strong authentication mechanisms. Strongswan supports both the IKEv1 and IKEv2 key exchange protocols, authentication based on X.509 certificates or pre-shared keys, and secure IKEv2 EAP user authentication.
In this tutorial, I will show you how to install an IPSec VPN server using Strongswan. We will create an IKEv2 VPN server with 'EAP-MSCHAPv2' authentication, using Let's Encrypt certificates on a CentOS 8 server.
- CentOS 8 server
- Root privileges
What we will do:
- Install Strongswan on CentOS 8
- Generate a Let's Encrypt SSL certificate
- Configure Strongswan
- Enable NAT in Firewalld
- Enable Port Forwarding
Step 1 - Install Strongswan on CentOS 8
In this first step, we will install the strongswan IPsec implementation and all required packages from the EPEL repository.
Before installing the strongswan package, you need to add the EPEL repository to the CentOS 8 system.
Add the EPEL repository to the CentOS 8 server.
sudo dnf install epel-release
After that, install the strongswan package from the EPEL repository using the dnf command below.
sudo dnf install strongswan
Wait for the strongswan package installation to complete.
Step 2 - Generate SSL Certificates with Let's Encrypt
For this guide, we will create the IKEv2 VPN server using the domain name 'vpn.hakase-labs.io' and a certificate generated by Let's Encrypt.
In this step, we will install the Let's Encrypt tool 'certbot' manually and generate certificates for the server domain name 'vpn.hakase-labs.io'.
Download the certbot binary file from GitHub using the wget command below.
wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto
After that, make it executable by changing the file permissions.
chmod +x /usr/local/bin/certbot-auto
The certbot tool for generating Let's Encrypt certificates is now installed.
Before generating the Let's Encrypt certificate, we need to open the HTTP and HTTPS ports on the server using firewall-cmd, because certbot's standalone mode binds to port 80 for domain validation.
Add the HTTP and HTTPS services to the firewalld service list by running the firewall-cmd commands below.
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
Now we will generate the new SSL certificate files using the Let's Encrypt tool certbot-auto.
Change the email address and the domain name to your own and run the 'certbot-auto' command below.
certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email [email protected] -d vpn.hakase-labs.io
Once it is complete, you will get the result as below.
All certificates for your domain name are generated in the '/etc/letsencrypt/live/domain.com' directory.
Next, we need to copy the certificate files 'fullchain.pem', 'privkey.pem', and 'chain.pem' to the '/etc/strongswan/ipsec.d/' directory.
cp /etc/letsencrypt/live/vpn.hakase-labs.io/fullchain.pem /etc/strongswan/ipsec.d/certs/
cp /etc/letsencrypt/live/vpn.hakase-labs.io/privkey.pem /etc/strongswan/ipsec.d/private/
cp /etc/letsencrypt/live/vpn.hakase-labs.io/chain.pem /etc/strongswan/ipsec.d/cacerts/
All Let's Encrypt certificates for the Strongswan VPN 'vpn.hakase-labs.io' have been generated and copied to the '/etc/strongswan/ipsec.d' directory.
tree /etc/strongswan/ipsec.d/
Step 3 - Configure Strongswan
Go to the '/etc/strongswan' directory and back up the default 'ipsec.conf' configuration file.
cd /etc/strongswan/
mv ipsec.conf ipsec.conf.asli
Create a new 'ipsec.conf' using the vim editor.
And paste the following configuration.
uniqueids=never # allow multiple connections per user
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
leftsendcert=always
rightsendcert=never
Save and exit.
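Only four settings of the tutorial's ipsec.conf are shown above. The following is an added example, not the tutorial's own file: a complete ipsec.conf for this IKEv2 EAP-MSCHAPv2 server built around those four settings and the domain and certificate file names used in this guide; the connection name, cipher proposals, client address pool and DNS servers are assumptions.

```conf
# Added example of a full /etc/strongswan/ipsec.conf (not the tutorial's file).
# Settings marked "from the tutorial" are the ones shown above; the rest are assumptions.
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"  # from the tutorial
    uniqueids=never              # from the tutorial: allow multiple connections per user

conn ikev2-vpn                   # assumed connection name
    auto=add                     # load the conn and wait for clients to initiate
    keyexchange=ikev2
    type=tunnel
    fragmentation=yes            # IKE fragmentation for the large certificate payload
    forceencaps=yes              # always UDP-encapsulate ESP (UDP/4500), works behind NAT
    dpdaction=clear              # drop dead peers detected by DPD
    dpddelay=300s
    rekey=no                     # let the client initiate rekeying
    # Assumed proposals: AEAD first, a widely supported AES-CBC fallback second.
    # The trailing '!' makes the list strict (no implicit defaults appended).
    ike=aes256gcm16-prfsha384-ecp384,aes256-sha256-modp2048!
    esp=aes256gcm16,aes256-sha256!
    # Server side: the Let's Encrypt certificate copied into ipsec.d/certs.
    # leftid must match the certificate's subjectAltName (the VPN domain name).
    left=%any
    leftid=@vpn.hakase-labs.io
    leftcert=fullchain.pem
    leftsendcert=always          # from the tutorial
    leftsubnet=0.0.0.0/0         # route all client traffic through the tunnel
    # Client side: EAP-MSCHAPv2 username/password defined in ipsec.secrets.
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsendcert=never          # from the tutorial: clients do not present certificates
    rightsourceip=10.15.1.0/24   # assumed pool; the tutorial's client received 10.15.1.1
    rightdns=1.1.1.1,8.8.8.8     # assumed DNS servers pushed to clients
    eap_identity=%identity       # use the EAP identity to look up the password
```

The IPsec service and UDP ports 500/4500 opened in Step 4 are what the forceencaps and keyexchange settings above rely on.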
Next, we need to edit the 'ipsec.secrets' file to define the RSA server private key and the EAP user password credentials.
Edit the 'ipsec.secrets' file.
vim ipsec.secrets
Paste the configuration below.
: RSA "privkey.pem"
hakase : EAP "[email protected]"
tensai : EAP "[email protected]"
Save and exit.
The strongswan IPSec configuration is now complete. Enable the strongswan service to start at boot, then start the service.
systemctl enable strongswan
systemctl start strongswan
The strongswan service is up and running on the CentOS 8 server; check it using the following command.
systemctl status strongswan
And you will be shown the result as below.
Step 4 - Enable NAT in Firewalld
In this step, we will enable NAT masquerading and allow the IPSec protocols Authentication Header (AH) and Encapsulating Security Payload (ESP) in Firewalld using the 'rich-rule' configuration.
Add the 'AH' and 'ESP' authentication and encryption protocols to firewalld.
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
Add the IPsec UDP ports and service.
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --zone=public --permanent --add-service="ipsec"
Now enable NAT masquerading and reload the firewalld configuration rules, so that the permanent rules added above take effect.
firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload
NAT mode on firewalld has been enabled; check it using the command below.
Following is the result.
Step 5 - Enable Port Forwarding
To enable port forwarding, we need to edit the 'sysctl.conf' file.
Edit the '/etc/sysctl.conf' file using the vim editor.
vim /etc/sysctl.conf
Paste the following configuration there.
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Save and exit, then reload the settings using the sysctl command below.
sysctl -p
Port forwarding has been enabled. Now restart the strongswan service.
systemctl restart strongswan
Step 6 - Testing the Strongswan IPSec VPN
In this case, we will test on macOS X and an Android phone.
- Open 'System Preferences' and click the 'Network' menu.
Click the '+' button to create a new VPN connection.
- Interface: 'VPN'
- VPN Type: 'IKEv2'
- Service Name: 'IKEv2-vpn'
- In the 'Server Address' and 'Remote ID' fields, type the VPN domain name 'ikev2.hakase-labs.io'.
- Click 'Authentication Settings'.
- Authenticate using a 'Username'.
- Type the username 'tensai' with the password '[email protected]'.
- Click 'OK' and then click 'Apply'.
The new IKEv2 VPN connection has been created on the client. Now click the connect button.
The client is now connected to the strongswan VPN server and has the internal/private IP address 10.15.1.1.
- Download and install the native strongswan Android application from Google Play.
- Add a new VPN profile.
- Type the server domain name 'ikev2.hakase-labs.io' and use IKEv2 EAP (Username and Password) authentication.
Following is the result when we connect to the VPN server.
The IKEv2 IPSec-based VPN server has been created using Strongswan and Let's Encrypt on a CentOS 8 server.