
# A simple IPsec tunnel with StrongSwan

This assumes Debian stretch.

First let’s configure the server-side.

## Server

```
$ sudo apt-get install strongswan strongswan-pki
```

Now let's create the certificate authority and keys for our client and server,

```
$ mkdir swan
$ cd swan
$ cat <<'EOF' > setup.sh
# the heredoc delimiter above is quoted so that $ipsec, $org and friends are
# expanded when setup.sh runs, not when the file is written
org="smart-cactus"
ipsec=/usr/sbin/ipsec

# CA key and self-signed CA certificate
$ipsec pki --gen --outform pem > ca.key.pem
$ipsec pki --self --in ca.key.pem --dn "C=CN, O=$org, CN=smart-cactus ca" --ca --outform pem > ca.cert.pem

# server certificate, with the host name as subjectAltName
server_key() {
    hostname=$1
    $ipsec pki --gen --outform pem > $hostname.key.pem
    $ipsec pki --pub --in $hostname.key.pem | $ipsec pki --issue --cacert ca.cert.pem --cakey ca.key.pem --dn "C=CN, O=$org, CN=$hostname" --san=$hostname --outform pem > $hostname.cert.pem
    servers="$servers $hostname"
}

# client certificate
client_key() {
    hostname=$1
    $ipsec pki --gen --outform pem > $hostname.key.pem
    $ipsec pki --pub --in $hostname.key.pem | $ipsec pki --issue --cacert ca.cert.pem --cakey ca.key.pem --dn "C=CN, O=$org, CN=$hostname" --outform pem > $hostname.cert.pem
}

# copy the CA certificate and the server key pairs into strongSwan's directories
install() {
    sudo cp ca.cert.pem /etc/ipsec.d/cacerts
    for server in $servers; do
        sudo cp $server.cert.pem /etc/ipsec.d/certs
        sudo cp $server.key.pem /etc/ipsec.d/private
    done
}

server_key home.smart-cactus.org
client_key ben-laptop.smart-cactus.org
install
EOF
$ bash -ex setup.sh
```
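Before the certificates go into /etc/ipsec.d it is worth confirming that each one really chains to the CA just created and carries the DNS subjectAltName that strongSwan will match the peer's identity against. The script below is an added example and not part of the original post: check_cert does that with the openssl CLI, and make_demo_pki is a stand-in for the ipsec pki commands in setup.sh (it uses openssl instead, so the check can be tried on a machine without strongswan-pki). The script's file name, the directory layout it writes and the use of a throwaway directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.  Requires the openssl CLI.
#   check_cert CA_CERT CERT EXPECTED_SAN
# returns 0 when CERT was issued by CA_CERT and carries EXPECTED_SAN as a
# DNS subjectAltName, 1 otherwise.
check_cert() {
    ca="$1"; cert="$2"; san="$3"
    # chain check: is this certificate really signed by our CA?
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # identity check: strongSwan looks the peer identity up in the SAN, so a
    # server certificate without its host name there will not authenticate
    # (the dots in $san act as regex wildcards here, which is harmless for a
    # host name check)
    openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$san(,| |$)" || return 1
    return 0
}

# Stand-in for the ipsec pki steps of setup.sh (hypothetical helper): builds a
# CA and one host certificate with a DNS SAN in DIR, plus an unrelated second
# CA so the negative case can be exercised.  Writes DIR/ca.cert.pem,
# DIR/HOST.cert.pem and DIR/other.cert.pem.
make_demo_pki() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" \
        -subj "/C=CN/O=smart-cactus/CN=smart-cactus ca" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key.pem" -out "$dir/$host.csr" \
        -subj "/C=CN/O=smart-cactus/CN=$host" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 1 -in "$dir/$host.csr" \
        -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/$host.cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other.key.pem" -out "$dir/other.cert.pem" \
        -subj "/CN=unrelated ca" 2>/dev/null
}

# Usage: sh check-cert.sh CA_CERT CERT EXPECTED_SAN   (file name is an assumption)
if [ "$#" -eq 3 ]; then
    if check_cert "$1" "$2" "$3"; then
        echo "$2: OK (issued by $1, SAN $3)"
    else
        echo "$2: FAILED" >&2
        exit 1
    fi
fi
```

Run it against the files setup.sh produced, for example `sh check-cert.sh swan/ca.cert.pem swan/home.smart-cactus.org.cert.pem home.smart-cactus.org`; a non-zero exit means the server certificate would not authenticate that host name to a connecting client.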

Now we can configure the VPN itself,

```
$ sudo tee /etc/ipsec.d/vpn.conf <<EOF
conn ben-server
    left=%defaultroute
    leftcert=home.smart-cactus.org.cert.pem
    auto=add
    leftsubnet=192.168.2.0/24
    rightsubnetwithin=0.0.0.0/0
    right=%any
    compress=yes
    type=tunnel
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
EOF
$ sudo systemctl restart strongswan.service
$ sudo journalctl -f -u strongswan.service
```

Finally, we'll need to add firewall rules allowing traffic on IP protocol 50 (for encrypted traffic), and UDP ports 500 and 4500 (for negotiation and NAT traversal, respectively).

Now we can turn our attention to the client.

## Client

You'll need to grab the CA certificate, client key, and client certificate files from the server (e.g. swan/ca.cert.pem, swan/ben-laptop.smart-cactus.org.cert.pem, and swan/ben-laptop.smart-cactus.org.key.pem above). network-manager has excellent support for the sort of IKEv2 tunnel we are configuring here via the strongswan-nm package,

```
$ sudo apt-get install strongswan-nm
```
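The server also has to let IKE and ESP traffic in before any client can negotiate. As an added example (not from the original post), the script below writes those rules as an iptables-restore fragment that can be reviewed before it is loaded: UDP 500 and 4500 and IP protocol 50, which the post calls for, plus two FORWARD rules that go beyond the post's list and admit traffic between the tunnel and leftsubnet only when it is protected by an IPsec SA. The interface name eth0 and the script's file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: server-side firewall rules for the
# tunnel, produced in iptables-restore format.  The interface defaults to eth0
# (an assumption; pass the real external interface as the first argument).
#   ipsec_firewall_rules [IFACE]   prints the rules
#   ipsec_firewall_apply [IFACE]   loads them with iptables-restore (root only)

ipsec_firewall_rules() {
    iface="${1:-eth0}"
    cat <<EOF
*filter
# IKEv2 negotiation (UDP 500) and NAT traversal, i.e. ESP encapsulated in UDP 4500
-A INPUT -i $iface -p udp --dport 500 -j ACCEPT
-A INPUT -i $iface -p udp --dport 4500 -j ACCEPT
# plain ESP, IP protocol 50, used when there is no NAT between the peers
-A INPUT -i $iface -p esp -j ACCEPT
# packets between the tunnel and the LAN behind the server (leftsubnet) are
# forwarded only when they arrived through, or will leave through, an IPsec SA;
# cleartext packets merely claiming a tunnel source address do not match
-A FORWARD -i $iface -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -o $iface -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

ipsec_firewall_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "ipsec_firewall_apply: run as root" >&2
        return 1
    fi
    # -n: add to the existing rule set instead of flushing it
    ipsec_firewall_rules "$1" | iptables-restore -n
}

# when run directly, print the rules for review: sh ipsec-firewall.sh [IFACE]
ipsec_firewall_rules "$1"
```

The fragment only adds ACCEPT rules; it assumes the INPUT and FORWARD chains already carry a restrictive default policy, which is what makes the policy match on the FORWARD rules meaningful.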

Now create a new NetworkManager IKEv2 connection, specifying the appropriate CA certificate, selecting "Certificate/private-key" as the authentication mechanism, and the appropriate client key and certificate.

At this point you should be able to connect. The client can now tunnel to the server and sees the server's network as though it were sitting on the same network segment (except that it won't receive broadcast traffic, which can be addressed, although we won't do so here). However, hosts on that network won't be able to reach the tunneled client. To fix this we'll need to give it an IP address.

## Assigning Virtual IPs

To make tunneled clients addressable on the network we’ll first need an address range from which we can assign. Let’s say this range is 192.168.10.0/24. To assign from this range, we simply add a rightsourceip key to the conn in vpn.conf,

```
conn ben-server
    ...
    rightsourceip=192.168.10.0/24
```

That's all there is to it.