Setting Up a VPN with IPsec and StrongSwan on Linux


Setting up a VPN with IPsec and StrongSwan on Linux is an excellent choice for creating a secure and reliable connection for remote users. IPsec (Internet Protocol Security) is a framework for securing Internet Protocol (IP) communications through encryption and authentication. StrongSwan is a popular open-source software for implementing IPsec on Linux-based systems. In this article, we will go through the detailed steps to set up a VPN using IPsec and StrongSwan.

Installing StrongSwan on Linux

First, we need to install StrongSwan on our Linux server. The installation process will depend on the Linux distribution being used. Below are the steps for both Ubuntu and CentOS.

Installing on Ubuntu

sudo apt update
sudo apt install strongswan strongswan-plugin-eap-mschapv2

Installing on CentOS

sudo yum install epel-release
sudo yum install strongswan

Once installed, you can check that StrongSwan is correctly installed by running:

sudo systemctl status strongswan

Configuring StrongSwan for IPsec

Now that StrongSwan is installed, we can begin configuring it to support IPsec. We will need to modify the configuration files, primarily /etc/ipsec.conf and /etc/ipsec.secrets.

Configuring the ipsec.conf file

The ipsec.conf file is the main configuration file for StrongSwan. Here, you will define the connections, security policies, and encryption algorithms.

Open the ipsec.conf file:

sudo nano /etc/ipsec.conf

Add the following configuration to define a basic IPsec VPN connection:

config setup
    charondebug="ike 2, knl 2, net 2, dmn 2,  mgr 2"

conn myvpn
    keyexchange=ikev2
    left=
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightdns=
    rightsourceip=10.10.10.0/24
    auto=add

Explanation of parameters:

  • keyexchange=ikev2 specifies the IKEv2 protocol for secure key exchange.
  • left refers to the server’s public IP address (its value is empty in the listing above and must be filled in).
  • leftsubnet is the traffic selector on the server side; 0.0.0.0/0 means clients may send all of their traffic through the tunnel.
  • leftfirewall=yes lets strongSwan insert the firewall rules the tunnel needs through its updown script.
  • right is set to %any, which means the client can connect from any IP.
  • rightdns sets the DNS server(s) pushed to connecting clients (also empty above).
  • rightsourceip assigns an IP address range for the VPN clients.
  • auto=add loads the connection when the service (re)starts, so it is ready to accept incoming client connections.

Configuring the ipsec.secrets file

Next, we need to configure authentication secrets in ipsec.secrets. This file stores the shared secrets or certificates used to authenticate the VPN peers.

Edit the ipsec.secrets file:

sudo nano /etc/ipsec.secrets

Add the following line for simple pre-shared key (PSK) authentication. With no identities before the colon, the secret applies to every peer, so all clients share this one PSK; replace the placeholder with a long random value:

: PSK "your_shared_secret"
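As an added check that is not part of the article (nor a strongSwan tool), the Python script below parses the ipsec.conf and ipsec.secrets fragments above and flags what a reviewer would question: empty left=/rightdns= values, a missing ike=/esp= proposal (so the daemon's defaults decide the algorithms), and a single PSK offered to right=%any. The parser handles only the key=value conn syntax shown here, and the sample input is constructed.

```python
import re

# Constructed sample input: the article's basic PSK connection, including the
# empty left= and rightdns= values it shows, and the matching ipsec.secrets line.
SAMPLE_IPSEC_CONF = """\
conn myvpn
    keyexchange=ikev2
    left=
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightdns=
    rightsourceip=10.10.10.0/24
    auto=add
"""
SAMPLE_IPSEC_SECRETS = ': PSK "your_shared_secret"\n'

def parse_ipsec_conf(text):  # -> {section: {key: value}}, e.g. {"conn myvpn": {...}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():               # an unindented line opens a section
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def audit(conf_text, secrets_text):  # -> list of findings; [] means nothing flagged
    findings = []
    uses_psk = re.search(r"^[^#\n]*:\s*PSK\b", secrets_text, re.M) is not None
    for section, p in parse_ipsec_conf(conf_text).items():
        if not section.startswith("conn "):
            continue
        for key in ("left", "rightdns"):
            if key in p and p[key] == "":
                findings.append(f"{section}: {key}= is empty")
        if p.get("keyexchange") != "ikev2":
            findings.append(f"{section}: keyexchange should be ikev2")
        for key in ("ike", "esp"):
            if key not in p:
                findings.append(f"{section}: no {key}= proposal; pin the algorithms explicitly")
        if uses_psk and p.get("right") == "%any" and "leftcert" not in p:
            findings.append(f"{section}: one PSK shared by every client (right=%any); prefer certificates")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_IPSEC_CONF, SAMPLE_IPSEC_SECRETS)) or "no findings")
```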

Enabling and Starting StrongSwan

Once the configuration files are updated, we can enable and start the StrongSwan service.

sudo systemctl enable strongswan
sudo systemctl start strongswan

Testing the VPN Connection

To test the VPN connection, use the ipsec status command to verify that the IPsec tunnels are up and running:

sudo ipsec status

If everything is set up correctly, you should see the active connection listed. Additionally, use the ping command from a client machine to test the VPN connection:

ping 10.10.10.1

Advanced Configuration: Using Certificates for Authentication

For increased security, it’s recommended to use certificates for authentication instead of a pre-shared key. This involves generating certificates for both the server and the client, then configuring StrongSwan to use them.

Generating Certificates

You can generate the CA and the server certificate with the ipsec pki command (vpn.example.com is a placeholder for the server’s own hostname, which clients will verify; keep ca.key off the VPN server once the server certificate has been issued):

ipsec pki --gen --type rsa --size 4096 --outform pem > ca.key
ipsec pki --self --ca --lifetime 3650 --in ca.key --type rsa --dn "CN=Example VPN CA" --outform pem > ca.cert.pem
ipsec pki --gen --type rsa --size 4096 --outform pem > server.key
ipsec pki --pub --in server.key --type rsa | ipsec pki --issue --lifetime 1825 --cacert ca.cert.pem --cakey ca.key --dn "CN=vpn.example.com" --san vpn.example.com --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

Once the certificates are generated, copy ca.cert.pem to /etc/ipsec.d/cacerts/, server.cert.pem to /etc/ipsec.d/certs/ and server.key to /etc/ipsec.d/private/ (the directories strongSwan searches by default), then configure StrongSwan to use them for authentication.

Modifying the ipsec.conf for Certificates

Edit the ipsec.conf file to enable certificate-based authentication:

conn myvpn
    keyexchange=ikev2
    left=
    leftcert=server.cert.pem
    right=%any
    rightdns=
    rightsourceip=10.10.10.0/24
    auto=add

Configuring the ipsec.secrets for Certificates

Next, modify the ipsec.secrets file so that the server can use its private key (the certificate itself is referenced by leftcert in ipsec.conf; ipsec.secrets only names the key):

: RSA server.key

Firewall Configuration

Finally, ensure that the server’s firewall allows IPsec traffic: IKE on UDP 500, NAT traversal on UDP 4500 and, for clients that are not behind NAT and therefore send raw ESP, IP protocol 50. With ufw:

sudo ufw allow 500,4500/udp
sudo ufw allow proto esp from any to any
sudo ufw reload
