Introduction
strongSwan is open-source software designed to implement virtual private networks (VPN) using the IPsec protocol, known for its security, flexibility, and compatibility with multiple platforms. It was originally developed as a fork of the FreeS/WAN project in 2005, has strong support from the community, and is maintained by Andreas Steffen, an emeritus professor of Communication Security at the University of Applied Sciences in Rapperswil, Switzerland.
It is widely used to secure Internet traffic in insecure networks and supports a variety of authentication methods, including certificates and EAP. Suitable for both small and large infrastructures, strongSwan benefits from being an open-source project, ensuring constant review and security improvements, in addition to its ability to interoperate with various systems and devices. A crucial aspect of strongSwan is its use of the IKEv2 protocol for key management and secure connection establishment, a feature that has strengthened its position.
The combination of IPsec with IKEv2 provides a robust and efficient solution for secure VPNs, scalable for both small implementations and large infrastructures. Its interoperability with various systems and devices enhances its value in environments where secure and reliable communication is required between heterogeneous hardware and software.
Instructions and Prerequisites
This article covers Debian-based systems only, for example the Ubuntu distribution. You need to log in as the root user (or use a user with superuser privileges).
Firewall Configuration
It will be necessary to enable UDP ports 500 and 4500 for both ends. In Clouding, the rules would look like this:
Additionally, it is recommended to create a rule that filters by Source IP for added security.
strongSwan Installation
First, update the repositories and packages, then install strongSwan:
# apt-get update && apt upgrade -y && apt-get install strongswan -y
Also, enable IP forwarding on the server so that it persists across reboots:
# echo 'net.ipv4.ip_forward=1' | tee -a /etc/sysctl.conf && sysctl -p
strongSwan Connection Configuration
Subsequently, edit the /etc/ipsec.conf file to configure your VPN connection(s):
# nano /etc/ipsec.conf
Here is an example configuration (you will need to modify the public IP and subnet for the "right" side):
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    ikelifetime=1h
    keylife=1h
    rekeymargin=5m
    keyingtries=5
    keyexchange=ikev2          # IKE protocol version.
    authby=secret              # Use of pre-shared key.
    ike=aes256-sha1-modp1024   # IKE encryption.
    esp=aes256-sha1            # ESP encryption.

conn IPSec_clouding_to_ejemplo
    left=%any                    # Any or IP address of the strongSwan server.
    leftid=%any                  # Identifying name (must match between ends).
    leftsubnet=%any              # Any or networks on the VPN server side.
    right=Public_IP              # Public IP address of the other end.
    rightid=%any                 # Identifying name (must match between ends).
    rightsubnet=192.168.1.0/24   # Network or networks on the other end.
    auto=start
Where "left" is your VPN server, and "right" is the client or the other end. You can also add more connections with more ends below the last one.
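A check for the ike= and esp= proposals configured above, as an added example that is not part of the original tutorial or of strongSwan: it parses the conn sections of an ipsec.conf, applies the conn %default inheritance, and reports proposal tokens that appear on a weak-algorithm list. The list itself, the hardened_example connection and the function names are assumptions of this example.

```python
import re

# Proposal tokens to flag. The list is this example's own policy (an assumption);
# RFC 8247 rates the 1024-bit MODP group SHOULD NOT for IKEv2.
WEAK = {
    "modp768": "768-bit DH group", "modp1024": "1024-bit DH group (DH Group 2)",
    "modp1536": "1536-bit DH group", "md5": "MD5", "sha1": "SHA-1", "sha": "SHA-1",
}

# Constructed sample: the tutorial's proposals plus a hypothetical second conn.
SAMPLE = """\
config setup
    charondebug="ike 2, knl 2, cfg 2"
conn %default
    ike=aes256-sha1-modp1024   # IKE encryption.
    esp=aes256-sha1            # ESP encryption.
conn IPSec_clouding_to_ejemplo
    right=Public_IP
    rightsubnet=192.168.1.0/24
conn hardened_example
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; 'config setup' is skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip trailing comments
        words = line.split()
        if len(words) == 2 and words[0] in ("conn", "config") and not line[0].isspace():
            current = conns.setdefault(words[1], {}) if words[0] == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def audit(text):
    """Return (conn, key, token, reason) for each weak token, applying %default."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    findings = []
    for name, params in conns.items():
        effective = {**defaults, **params}        # conn values override %default
        for key in ("ike", "esp"):
            for token in re.split(r"[-,!\s]+", effective.get(key, "")):
                if token in WEAK:
                    findings.append((name, key, token, WEAK[token]))
    return findings
```

Calling audit() on the contents of /etc/ipsec.conf returns one tuple per flagged token; a connection that sets its own ike= and esp= values is judged on those rather than on the inherited defaults.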
Pre-shared Key (PSK) Configuration
The pre-shared key (PSK) is used for authentication between the two ends of the VPN. Edit the /etc/ipsec.secrets file to add your PSK:
# nano /etc/ipsec.secrets
Replace "MySecretKey" with a strong and unique key:
: PSK 'MySecretKey'
You can add more lines if you want to configure more connections with different keys, specifying each line with the corresponding IDs or IPs for the connection in question.
To apply the configuration, restart IPsec and then check the status of the connections:
# ipsec restart && ipsec statusall
Configuration on the Other End
Once the configuration has been applied on the server, the other end needs the following settings:
Type = ikev2
IKE = aes256-sha1-modp1024 (DH Group 2)
ESP = aes256-sha1
PSK = MySecretKey
Set the IPs and subnets of your own network as the left end. As the right end, use the public address of the Clouding strongSwan server and its private network, whether assigned automatically or configured manually on the servers (Private Network).
We hope this tutorial has been helpful to you. If you have any questions about this or any other issue related to your servers at Clouding, please do not hesitate to contact us at soporte@clouding.io. We are here to help!