Set up an IPsec VPN with strongSwan on Ubuntu with PSK and XAuth for roadwarrior use

This post shows how to set up an IPsec VPN connection in roadwarrior fashion. Roadwarrior mode is where you typically have a mobile device with a dynamic address that needs to connect back to a VPN server. This post uses a simple pre-shared key (PSK), plus an XAuth username and password, to establish the VPN connection with strongSwan. This is much simpler than my past openswan approach, which also needed L2TP, Pluto etc. to be configured. Performance also seems better, with VPN connections establishing much faster.



1. Install strongSwan and the XAuth PAM plugin

sudo apt-get install strongswan strongswan-plugin-xauth-pam

The xauth-pam plugin authenticates XAuth users against PAM (system accounts). The username/password entries placed in ipsec.secrets below are handled by strongSwan's xauth-generic plugin instead; after the install, confirm it appears in the "loaded plugins" line of sudo ipsec statusall, and install the package that provides it if your Ubuntu release ships it separately.

2. Establish the VPN IPsec configuration

sudo vi /etc/ipsec.conf

Contents

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        # per-subsystem log levels, see ipsec.conf(5); a bare number is not valid here
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=yes
        strictcrlpolicy=no
        # nat_traversal= and virtual_private= are openswan/pluto settings; strongSwan 5
        # always does NAT traversal and ignores both, so they are not set here

conn tunnel
        keyexchange=ikev1
        # never enable aggressive mode with a PSK: it sends a hash of the PSK in the
        # clear during phase 1, which can be cracked offline
        aggressive=no
        # let strongSwan insert the FORWARD/NAT exemption rules when the tunnel comes up
        leftfirewall=yes
        # the server's own address on the interface clients reach it through
        left=192.168.1.100
        # full tunnel: all client traffic goes through the VPN
        leftsubnet=0.0.0.0/0
        # clients connect from anywhere
        right=%any
        # one virtual client address; use a pool such as 10.0.0.0/24 (which the NAT
        # rules below already cover) if more than one client must connect at once
        rightsourceip=10.0.0.2
        rightdns=192.168.1.1
        rightsubnet=0.0.0.0/0
        # phase 1 with PSK, then XAuth username/password; this host is the XAuth server
        authby=xauthpsk
        xauth=server
        auto=add
        # strongest proposal first; aes128-sha1-modp1024 is weak by current standards
        # and is kept only as a fallback for the Android client, which proposes it.
        # The trailing ! makes the list strict, so nothing else is accepted
        ike=aes256-sha256-modp2048,aes128-sha1-modp1024!
        esp=aes256-sha256,aes128-sha1!
        type=tunnel


3. Create the pre-shared key used to authenticate the VPN

A pre-shared key must be random and secret. Piping a fixed input such as a blank line into a hash (for example echo | shasum -a 512) produces a constant, publicly known value that anyone can reproduce, so it is not a key at all. Generate the key from the kernel's random source instead:

head -c 32 /dev/urandom | base64

This string will be inserted as the PSK into the secrets file in the next step. Note that the PSK only authenticates the IKE exchange; the traffic itself is protected with session keys negotiated during IKE. Treat the PSK like a password: anyone who has it can attempt to connect and, with aggressive mode enabled, could recover it from a captured handshake.
4. Create the secrets file

sudo vi /etc/ipsec.secrets

Contents

USERNAME : XAUTH "PASSWORD"

%any %any : PSK "INSERT KEY"

Whereby
USERNAME is the username you want to log in with.
PASSWORD is the password you want to log in with.
INSERT KEY is the PSK generated by the prior command; keep the quotation marks, the key is used literally.

The two %any fields mean the PSK applies to any pair of local and remote identities, which is what a roadwarrior with a changing address needs. One XAUTH line per user can be added.


5. Set file permissions so other users cannot read your keys

sudo chmod 600 /etc/ipsec.secrets

6. Tell the server to forward VPN traffic

sudo vi /etc/sysctl.conf

Find and change the following from 0 to 1 (the IPv6 line is only needed if you also route IPv6 through the tunnel; the configuration above is IPv4 only)

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Then apply the change without rebooting:

sudo sysctl -p

7. Set up the firewall

Replace enp2s0 with the name of the server's outbound interface (ip route get 8.8.8.8 shows it). The first rule exempts traffic that will leave inside an IPsec policy from NAT; the second masquerades the VPN clients' traffic towards the internet.

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp2s0 -j MASQUERADE

These iptables rules are lost on reboot; persist them by adding them to /etc/ufw/before.rules (in a *nat section) or with the iptables-persistent package.

Allow IKE (UDP 500) and NAT-T (UDP 4500, which also carries the ESP traffic of clients behind NAT):

sudo ufw allow 500/udp
sudo ufw allow 4500/udp

ESP is IP protocol 50, not UDP port 50, so for clients that are not behind NAT it has to be allowed as a protocol rather than as a port (if your ufw version rejects this form, use sudo iptables -A INPUT -p esp -j ACCEPT instead):

sudo ufw allow proto esp from any to any

ufw's default forward policy is DROP; forwarding still works here because leftfirewall=yes makes strongSwan insert its own FORWARD rules for the tunnel ahead of the ufw chains when a client connects.

8. Restart the VPN server strongSwan

sudo ipsec restart

sudo ipsec statusall should now list the tunnel connection under "Connections" and show xauth-generic among the loaded plugins. Once a client has connected it also shows the established security association and the virtual IP that was assigned.
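The following shell script is an added example and not part of the original post: it ties steps 3 to 5 together by generating a random PSK, writing ipsec.secrets in the format charon expects with the file locked to mode 600, and then checking both the secrets file and an ipsec.conf for the two mistakes that matter most with PSK authentication (a constant or short key, and aggressive mode or a modp1024-only proposal). The directory argument, the user names and the two constructed sample configurations are assumptions; point write_secrets at /etc to use it for real. It relies on GNU coreutils (stat -c, sha512sum, base64), so it is Linux-only.

```shell
#!/bin/sh
# Added example (not from the original post): provision and audit the strongSwan
# XAuth/PSK secrets described above. Directory, user names and sample configs are
# assumptions. Requires GNU coreutils (stat -c, sha512sum, base64).

# 32 bytes from the kernel CSPRNG, base64-encoded: 44 characters, no newline.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_secrets DIR USER XAUTH_PASSWORD PSK
# Writes DIR/ipsec.secrets with one XAuth user and one PSK valid for any peer pair
# (%any %any). Created under umask 077 so it is never world-readable, even briefly.
write_secrets() {
    dir=$1; user=$2; pass=$3; psk=$4
    file="$dir/ipsec.secrets"
    ( umask 077; printf '%s : XAUTH "%s"\n%%any %%any : PSK "%s"\n' \
        "$user" "$pass" "$psk" > "$file" )
    chmod 600 "$file"
    printf '%s\n' "$file"
}

# check_secrets FILE -> 0 if FILE is mode 600, has a PSK line, and the PSK is at
# least 32 characters and not the SHA-512 of a blank line (the constant that
# `echo | shasum -a 512` yields, which anyone can reproduce).
check_secrets() {
    file=$1
    if [ "$(stat -c %a "$file")" != "600" ]; then
        echo "bad mode on $file (want 600)" >&2; return 1
    fi
    psk=$(sed -n 's/^%any %any : PSK "\(.*\)"$/\1/p' "$file")
    if [ -z "$psk" ]; then echo "no PSK line in $file" >&2; return 1; fi
    if [ "${#psk}" -lt 32 ]; then echo "PSK shorter than 32 characters" >&2; return 1; fi
    blank_hash=$(printf '\n' | sha512sum 2>/dev/null | cut -d' ' -f1)
    if [ -n "$blank_hash" ] && [ "$psk" = "$blank_hash" ]; then
        echo "PSK is the SHA-512 of a blank line, not a secret" >&2; return 1
    fi
    return 0
}

# audit_conf FILE -> 0 unless the file combines PSK authentication with
# aggressive=yes (exposes a crackable PSK hash) or offers no DH group stronger
# than modp1024 in its ike= line. Coarse, file-wide check, not per conn.
audit_conf() {
    file=$1; rc=0
    if grep -Eq '^[[:space:]]*aggressive[[:space:]]*=[[:space:]]*yes' "$file" \
       && grep -Eq '^[[:space:]]*authby[[:space:]]*=[[:space:]]*(xauth)?psk' "$file"; then
        echo "aggressive mode together with a PSK in $file" >&2; rc=1
    fi
    if grep -Eq '^[[:space:]]*ike[[:space:]]*=' "$file" \
       && ! grep -Eq '^[[:space:]]*ike[[:space:]]*=.*(modp(2048|3072|4096|6144|8192)|ecp[0-9]+)' "$file"; then
        echo "no DH group stronger than modp1024 in the ike= line of $file" >&2; rc=1
    fi
    return $rc
}

# Constructed samples: the weak settings beside the hardened ones.
WEAK_CONF='conn tunnel
        keyexchange=ikev1
        aggressive=yes
        authby=xauthpsk
        ike=aes128-sha1-modp1024!'
GOOD_CONF='conn tunnel
        keyexchange=ikev1
        aggressive=no
        authby=xauthpsk
        ike=aes256-sha256-modp2048,aes128-sha1-modp1024!'

# Run everything against a scratch directory: ./script.sh demo
demo() {
    scratch=$(mktemp -d)
    f=$(write_secrets "$scratch" roadwarrior 'change-me' "$(gen_psk)")
    check_secrets "$f" && echo "secrets OK: $f"
    printf '%s\n' "$WEAK_CONF" > "$scratch/weak.conf"
    printf '%s\n' "$GOOD_CONF" > "$scratch/good.conf"
    audit_conf "$scratch/weak.conf" || echo "weak.conf rejected, as expected"
    audit_conf "$scratch/good.conf" && echo "good.conf passes"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

The PSK line uses %any %any on purpose: the roadwarrior's address changes, so the key cannot be tied to a peer identity. The audit is deliberately simple (plain grep over the file), but it catches the two settings that turn a PSK setup from "attacker needs the key" into "attacker captures one handshake and cracks the key offline".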


Client configuration

Android

I only set the following settings:

Type: IPSec Xauth PSK
Server: the address the phone can reach the server on (if the server sits behind a router, forward UDP 500 and 4500 to it; 192.168.1.100 in the config above is its LAN address)
IPSEC preshared key: the PSK from step 3
DNS server: 192.168.1.1 (the rightdns value)
Username: USERNAME from ipsec.secrets
Password: its XAUTH password

OSX

TO FOLLOW



2 comments:

  1. Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I'll be subscribing to your feed and I hope you post again soon. Big thanks for the useful info.
    HideMyAss Bitcoin
