VPN StrongSwan setup

VPN StrongSwan

strongSwan is a multiplatform IPsec implementation. The focus of the project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys and certificates on smartcards through a standardized PKCS#11 interface and on TPM 2.0.

Launch an instance with Ubuntu

Update setup script

  • The following is setup.sh:
#!/bin/bash
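#######################################
# Print the command-line help and exit with status 1.
# Arguments: none
# Outputs:   usage text on stderr (so it never mixes with stdout output
#            such as the iptables-save dump from "install")
# Returns:   does not return; exits 1
#######################################
usage() {
  # Quoted delimiter: nothing inside the help text is expanded.
  cat >&2 <<'EOF'
Usage:  strongswan.sh [install|start] [PATADDR] [ETHDEV]

    'install' parameters:
      PATADDR        The private address on MARKETNET (eg. 172.17.133.10)
      ETHDEV         The name of the local ethernet device (eg. eth0)
EOF
  exit 1
}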


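#######################################
# Install strongSwan, drop in the config and secrets, and set up the
# forwarding/NAT rules the tunnel needs. Expects to run as root from the
# directory that holds ipsec.conf and ipsec.secrets.
# Globals:   none
# Arguments:
#   $1 - PATADDR: private address bound locally and used as the SNAT source
#        (default 172.17.12.127, the leftsubnet used in ipsec.conf)
#   $2 - ETHDEV: local ethernet device the address is added to (default eth0)
# Outputs:   the current ruleset (iptables-save) on stdout
# Returns:   1 as soon as any step fails, otherwise the status of iptables-save
#######################################
install_function () {
  local pataddr=${1:-172.17.12.127}
  local ethdev=${2:-eth0}
  # Stop at the first failure rather than configuring on top of a missing package.
  apt update -y || return 1
  apt install strongswan -y || return 1
  cp ipsec.conf /etc/ipsec.conf || return 1
  cp ipsec.secrets /etc/ipsec.secrets || return 1
  # The PSKs live here and cp keeps the source file's mode, so tighten it explicitly.
  chmod 600 /etc/ipsec.secrets || return 1
  # Runtime setting only; it is not persisted across reboots (that needs /etc/sysctl.d).
  sysctl -w net.ipv4.ip_forward=1 || return 1
  # "replace" is idempotent, so re-running install does not fail with "File exists".
  ip addr replace "$pataddr" dev "$ethdev" || return 1
  # Flushes every nat rule on the host, not only the ones added below.
  iptables -t nat -F || return 1
  # Packets leaving through an IPsec policy must bypass NAT so the tunnel selectors match.
  iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT || return 1
  # Everything else towards the remote subnet is SNATed to PATADDR.
  iptables -t nat -A POSTROUTING -d 146.164.46.0/24 -j SNAT --to "$pataddr" || return 1
  # Prints only; the ruleset is not saved for the next boot.
  iptables-save
}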

#######################################
# Reload config and secrets, then exercise each tunnel: bring it up and
# immediately take it down again, remote-vpn-b first, then remote-vpn-a.
# Globals:   none
# Arguments: none
# Outputs:   whatever the ipsec commands print
# Returns:   status of the last "ipsec down"
#######################################
start_function () {
  local conn
  ipsec reload
  ipsec rereadsecrets
  # Order matters: b is exercised before a.
  for conn in remote-vpn-b remote-vpn-a; do
    ipsec up "$conn"
    ipsec down "$conn"
  done
}

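# Entry point: dispatch on the first argument; the remaining ones go to the handler.
if [ $# -lt 1 ]; then
  printf '%s\n' "No command" >&2
  usage
fi

# Kept exported as before; the rest of the argv is what follows the command.
export operation=$1
shift

case "$operation" in
  install)
    # Optional PATADDR / ETHDEV follow the command (see usage).
    install_function "$@"
    ;;
  start)
    start_function
    ;;
  *)
    # An unknown command used to fall through silently with status 0.
    printf 'Unknown command: %s\n' "$operation" >&2
    usage
    ;;
esac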

Update IPSec config

# strongSwan ipsec.conf: two IKEv2 PSK tunnels to the same remote subnet.
config setup
         # PSK-only authentication below, so CRL checking never applies.
         strictcrlpolicy=no
         uniqueids = no
         # "ike 3" and "esp 3" are verbose (level 3 includes raw data dumps in
         # strongSwan's logger); lower them once the tunnels are stable.
         charondebug="ike 3,dmn 0, mgr 3, chd 2, cfg 2, knl 0, net 2, enc 0, esp 3"

# Shared settings for every conn below.
conn %default
    # Install trap policies; traffic matching the selectors triggers negotiation.
    auto=route
    compress=no
    type=tunnel
    keyexchange=ikev2
    # Fixed proposals: AES-256, SHA-512, DH group 14 (modp2048) for IKE and PFS.
    ike=aes256-sha512-modp2048
    esp=aes256-sha512-modp2048
    # PSK both ways; authby=secret is the legacy spelling of the same thing.
    leftauth=psk
    rightauth=psk
    authby=secret
    # IPsec and IKE SA lifetimes, 28800s = 8h, rekeyed without re-authentication.
    lifetime=28800
    ikelifetime=28800
    rekey=yes
    reauth=no
    # CHILD_SA is closed after 1800s without traffic.
    inactivity=1800
# NOTE(review): a and b differ only in the peer address and both claim the same
# local/remote selectors; with auto=route that installs two policies for the same
# traffic — confirm which peer is meant to win, or route only one of them.
conn remote-vpn-a
    left=%defaultroute
    leftsubnet=172.17.12.127/32
    # Public identity the peer sees (left resolves to the private address);
    # the ipsec.secrets entries are keyed on this id.
    leftid=13.31.131.113
    right=202.22.20.2
    rightid=202.22.20.2
    rightsubnet=146.164.46.0/24
conn remote-vpn-b
    left=%defaultroute
    leftsubnet=172.17.12.127/32
    leftid=13.31.131.113
    right=202.22.22.2
    rightid=202.22.22.2
    rightsubnet=146.164.46.0/24

Update IPSec secrets

# ipsec.secrets: one PSK per (leftid, rightid) pair, matching the conns in ipsec.conf.
# Your_Remote_Key looks like a placeholder — use a long random secret, preferably a
# different one per peer, and keep this file mode 0600 (the shell script does not set it).
13.31.131.113 202.22.20.2 : PSK Your_Remote_Key
13.31.131.113 202.22.22.2 : PSK Your_Remote_Key

Setup & Test StrongSwan

# Setup & test: install, reload config and secrets, then bring each tunnel up.
sudo bash strongswan.sh install
sudo ipsec reload
sudo ipsec rereadsecrets
sudo ipsec up remote-vpn-b
sudo ipsec down remote-vpn-b
# NOTE(review): no sudo here — presumably failed on permissions; the privileged
# retry is the next line.
ipsec up remote-vpn-a
sudo ipsec up remote-vpn-a
# NOTE(review): same pattern — unprivileged attempt, then the sudo retry.
ipsec up remote-vpn-b
sudo ipsec up remote-vpn-b