StrongSwan is an open source IPsec-based VPN Solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial will show you how to use strongSwan to set up an IPSec VPN server on CentOS 7.
Install strongSwan
The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.
yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install strongswan openssl
Generate certificates
Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d.
cd /etc/strongswan/ipsec.d
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/server_key.sh
chmod a+x server_key.sh
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/client_key.sh
chmod a+x client_key.sh
In these two .sh files, I have set the organization name as AKLWEB-HOST-VPS-CENTOS. If you want to change it, open the .sh files and replace O=AKLWEB-HOST-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.
Next, use server_key.sh with the IP address of your server to generate the certificate authority (CA) key and certificate for server. Replace SERVER_IP with the IP address of your AKLWEB HOST VPS.
./server_key.sh SERVER_IP
Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user “john”.
./client_key.sh john john@gmail.com
Replace “john” and his email with yours before running the script.
After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.
Configure strongSwan
Open the strongSwan IPSec configuration file.
vi /etc/strongswan/ipsec.conf
Replace its content with the following text.
config setup
uniqueids=never
charondebug="cfg 2, dmn 2, ike 2, net 0"
conn %default
left=%defaultroute
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.pem
right=%any
rightsourceip=172.16.1.100/16
conn CiscoIPSec
keyexchange=ikev1
fragmentation=yes
rightauth=pubkey
rightauth2=xauth
leftsendcert=always
rekey=no
auto=add
conn XauthPsk
keyexchange=ikev1
leftauth=psk
rightauth=psk
rightauth2=xauth
auto=add
conn IpsecIKEv2
keyexchange=ikev2
leftauth=pubkey
rightauth=pubkey
leftsendcert=always
auto=add
conn IpsecIKEv2-EAP
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
leftauth=pubkey
leftsendcert=always
rightauth=eap-mschapv2
eap_identity=%any
auto=add
Edit the strongSwan configuration file, strongswan.conf.
vi /etc/strongswan/strongswan.conf
Delete everything and replace it with the following.
charon {
load_modular = yes
duplicheck.enable = no
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
Edit the IPsec secret file to add a user and password.
vi /etc/strongswan/ipsec.secrets
Add a user account “john” into it.
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any : XAUTH "John's Password"
Please note that both sides of the colon ‘:’ need a white-space.
Allow IPv4 forwarding
Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.
vi /etc/sysctl.conf
Add the following line into the file.
net.ipv4.ip_forward=1
Save the file, then apply the change.
sysctl -p
Configure the firewall
Open the firewall for your VPN on the server.
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
Start VPN
systemctl start strongswan
systemctl enable strongswan
StrongSwan is now is running on your server. Install the strongswanCert.pem and .p12 certificate files into your client. You will now be able to join your private network.