strongSwan is an open-source IPsec-based VPN solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial shows how to use strongSwan to set up an IPsec VPN server on CentOS 7.

The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. Enable EPEL first, then install strongSwan.

yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install strongswan openssl

Generate certificates
Both the VPN client and the server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, download these two scripts into the folder /etc/strongswan/ipsec.d.

cd /etc/strongswan/ipsec.d
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/server_key.sh
chmod a+x server_key.sh
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/client_key.sh
chmod a+x client_key.sh

In these two .sh files, I have set the organization name to AKLWEB-HOST-VPS-CENTOS. If you want to change it, open the .sh files and replace O=AKLWEB-HOST-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.

Next, run server_key.sh with the IP address of your server to generate the certificate authority (CA) key and the certificate for the server. Replace SERVER_IP with the IP address of your AKLWEB HOST VPS.

./server_key.sh SERVER_IP

Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user “john”.

./client_key.sh john john@gmail.com

Replace “john” and his email address with yours before running the script.

After the client and server certificates are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.

Configure strongSwan
Open the strongSwan IPsec configuration file.

vi /etc/strongswan/ipsec.conf

Replace its content with the following text.

config setup
 uniqueids=never
 charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
 left=%defaultroute
 leftsubnet=0.0.0.0/0
 leftcert=vpnHostCert.pem
 right=%any
 rightsourceip=172.16.1.100/16

conn CiscoIPSec
 keyexchange=ikev1
 fragmentation=yes
 rightauth=pubkey
 rightauth2=xauth
 leftsendcert=always
 rekey=no
 auto=add

conn XauthPsk
 keyexchange=ikev1
 leftauth=psk
 rightauth=psk
 rightauth2=xauth
 auto=add

conn IpsecIKEv2
 keyexchange=ikev2
 leftauth=pubkey
 rightauth=pubkey
 leftsendcert=always
 auto=add

conn IpsecIKEv2-EAP
 keyexchange=ikev2
 ike=aes256-sha1-modp1024!
 rekey=no
 leftauth=pubkey
 leftsendcert=always
 rightauth=eap-mschapv2
 eap_identity=%any
 auto=add

Edit the strongSwan configuration file, strongswan.conf.

vi /etc/strongswan/strongswan.conf

Delete everything and replace it with the following.

charon {
 load_modular = yes
 duplicheck.enable = no
 compress = yes
 plugins {
 include strongswan.d/charon/*.conf
 }
 dns1 = 8.8.8.8
 dns2 = 8.8.4.4
 nbns1 = 8.8.8.8
 nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

Edit the IPsec secrets file to add a user and password.

vi /etc/strongswan/ipsec.secrets

Add a user account “john” to it.

: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any : XAUTH "John's Password"

Note that the colon ‘:’ must have whitespace on both sides.
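The following Python script is an added example, not part of this tutorial or of strongSwan itself. It parses the two file formats used above: it reads ipsec.conf into per-conn settings with the conn %default values inherited, lists what each conn ends up using for key exchange and authentication (flagging an explicit ike proposal that still contains SHA-1 or 1024-bit MODP, and conns that authenticate peers with a shared PSK), and checks ipsec.secrets entries for the whitespace around the colon that the note above requires. The two sample inputs are constructed copies of the tutorial's files, with one deliberately malformed secrets line added for the check to catch.

```python
"""Offline sanity checks for strongSwan ipsec.conf and ipsec.secrets (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the tutorial's ipsec.conf, abridged to two conns.
SAMPLE_IPSEC_CONF = """\
config setup
 uniqueids=never

conn %default
 left=%defaultroute
 leftsubnet=0.0.0.0/0
 leftcert=vpnHostCert.pem
 right=%any
 rightsourceip=172.16.1.100/16

conn XauthPsk
 keyexchange=ikev1
 leftauth=psk
 rightauth=psk
 rightauth2=xauth
 auto=add

conn IpsecIKEv2-EAP
 keyexchange=ikev2
 ike=aes256-sha1-modp1024!
 leftauth=pubkey
 rightauth=eap-mschapv2
 eap_identity=%any
 auto=add
"""

# Constructed sample: the tutorial's ipsec.secrets plus one malformed line (no space before ':').
SAMPLE_SECRETS = """\
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any : XAUTH "John's Password"
bob %any: XAUTH "bad spacing"
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} with the 'conn %default' settings merged in."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                      # section headers start in column 0
            kind, _, name = line.strip().partition(" ")
            current = name if kind == "conn" else None  # 'config setup' is not a conn
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **conf} for name, conf in sections.items()}


# Algorithm tokens a reviewer would want called out in an explicit ike= proposal.
WEAK_TOKENS = ("modp1024", "modp768", "sha1", "md5", "3des")


def audit_conns(conns: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {conn_name: [findings]} describing how each conn authenticates and negotiates."""
    findings: Dict[str, List[str]] = {}
    for name, conf in conns.items():
        notes = []
        weak = [t for t in WEAK_TOKENS if t in conf.get("ike", "").lower()]
        if weak:
            notes.append("explicit ike proposal uses " + ", ".join(weak))
        if conf.get("rightauth") == "psk":
            notes.append("peer is authenticated with a shared PSK")
        if conf.get("keyexchange") == "ikev1":
            notes.append("uses IKEv1")
        findings[name] = notes
    return findings


# A valid entry is "<selectors> : <TYPE> <secret>"; the selector list may be empty
# (host key / PSK lines start with ':'), but ':' must be surrounded by whitespace.
SECRET_LINE = re.compile(
    r"^(?P<selectors>(?:\S+\s+)*)"      # zero or more selectors, each followed by whitespace
    r":\s+"                             # the colon, with whitespace after it
    r"(?P<type>RSA|PSK|EAP|XAUTH)\s+"   # secret types used in the tutorial
    r"(?P<secret>\S.*)$"
)


def check_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) for every malformed ipsec.secrets entry."""
    problems: List[Tuple[int, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECRET_LINE.match(line)
        if not m:
            problems.append((n, "expected '<selectors> : <TYPE> <secret>' with whitespace around ':'"))
        elif m.group("type") in ("EAP", "XAUTH") and not m.group("selectors").strip():
            problems.append((n, f"{m.group('type')} entry has no user identity before ':'"))
    return problems


if __name__ == "__main__":
    for conn, notes in audit_conns(parse_ipsec_conf(SAMPLE_IPSEC_CONF)).items():
        print(conn, "->", "; ".join(notes) or "no findings")
    for line_no, problem in check_secrets(SAMPLE_SECRETS):
        print(f"ipsec.secrets line {line_no}: {problem}")
```

Run it against your own files by reading /etc/strongswan/ipsec.conf and ipsec.secrets instead of the embedded samples; the secrets check only inspects line shape, so it never needs to print the passwords it reads.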
Allow IPv4 forwarding

Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.

vi /etc/sysctl.conf

Add the following line to the file.

net.ipv4.ip_forward=1

Save the file, then apply the change.

sysctl -p

Configure the firewall
Open the firewall for your VPN on the server.

firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

Start VPN

systemctl start strongswan
systemctl enable strongswan

strongSwan is now running on your server. Install the strongswanCert.pem and .p12 certificate files on your client. You will now be able to join your private network.