Using StrongSwan for IPSec VPN on CentOS 7


StrongSwan is an open source IPsec-based VPN Solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial will show you how to use strongSwan to set up an IPSec VPN server on CentOS 7.

Install strongSwan

The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.

yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpmyum install strongswan openssl

Generate certificates

Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d.

cd /etc/strongswan/ipsec.dwget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/server_key.shchmod a+x server_key.shwget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/client_key.shchmod a+x client_key.sh

In these two .sh files, I have set the organization name as VULTR-VPS-CENTOS. If you want to change it, open the .sh files and replace O=VULTR-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.

Next, use server_key.sh with the IP address of your server to generate the certificate authority (CA) key and certificate for server. Replace SERVER_IP with the IP address of your Vultr VPS.

./server_key.sh SERVER_IP

Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user “john”.

./client_key.sh john john@gmail.com

Replace “john” and his email with yours before running the script.

After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.

Configure strongSwan

Open the strongSwan IPSec configuration file.

vi /etc/strongswan/ipsec.conf

Replace its content with the following text.

config setup    uniqueids=never    charondebug="cfg 2, dmn 2, ike 2, net 0"conn %default    left=%defaultroute    leftsubnet=0.0.0.0/0    leftcert=vpnHostCert.pem    right=%any    rightsourceip=172.16.1.100/16conn CiscoIPSec    keyexchange=ikev1    fragmentation=yes    rightauth=pubkey    rightauth2=xauth    leftsendcert=always    rekey=no    auto=addconn XauthPsk    keyexchange=ikev1    leftauth=psk    rightauth=psk    rightauth2=xauth    auto=addconn IpsecIKEv2    keyexchange=ikev2    leftauth=pubkey    rightauth=pubkey    leftsendcert=always    auto=addconn IpsecIKEv2-EAP    keyexchange=ikev2    ike=aes256-sha1-modp1024!    rekey=no    leftauth=pubkey    leftsendcert=always    rightauth=eap-mschapv2    eap_identity=%any    auto=add

Edit the strongSwan configuration file, strongswan.conf.

vi /etc/strongswan/strongswan.conf

Delete everything and replace it with the following.

charon {    load_modular = yes    duplicheck.enable = no    compress = yes    plugins {            include strongswan.d/charon/*.conf    }    dns1 = 8.8.8.8    dns2 = 8.8.4.4    nbns1 = 8.8.8.8    nbns2 = 8.8.4.4}include strongswan.d/*.conf

Edit the IPsec secret file to add a user and password.

vi /etc/strongswan/ipsec.secrets

Add a user account “john” into it.

: RSA vpnHostKey.pem: PSK "PSK_KEY"john %any : EAP "John's Password"john %any : XAUTH "John's Password"

Please note that both sides of the colon ‘:’ need a white-space.

Allow IPv4 forwarding

Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.

vi /etc/sysctl.conf

Add the following line into the file.

net.ipv4.ip_forward=1

Save the file, then apply the change.

sysctl -p

Configure the firewall

Open the firewall for your VPN on the server.

firewall-cmd --permanent --add-service="ipsec"firewall-cmd --permanent --add-port=4500/udpfirewall-cmd --permanent --add-masqueradefirewall-cmd --reload

Start VPN

systemctl start strongswansystemctl enable strongswan

StrongSwan is now is running on your server. Install the strongswanCert.pem and .p12 certificate files into your client. You will now be able to join your private network.

Want to contribute?

You could earn up to $300 by adding new articles

Submit your article
Suggest an update
Request an article

No comments

Powered by Blogger.