<h1>Using StrongSwan for IPSec VPN on CentOS 7</h1>

<p>Published 2020-01-18 at https://support.aklwebhost.com/knowledgebase/using-strongswan-for-ipsec-vpn-on-centos-7/</p>

<p>StrongSwan is an open source IPsec-based VPN solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial shows how to use strongSwan to set up an IPsec VPN server on CentOS 7.</p>

<h3>Install strongSwan</h3>

<p>The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. Enable EPEL first, then install strongSwan.</p>

<pre><code>yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install strongswan openssl
</code></pre>

<h3>Generate certificates</h3>

<p>Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, download these two scripts into the folder <code>/etc/strongswan/ipsec.d</code>.</p>

<pre><code>cd /etc/strongswan/ipsec.d
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/server_key.sh
chmod a+x server_key.sh
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/client_key.sh
chmod a+x client_key.sh
</code></pre>

<p>In these two <code>.sh</code> files, I have set the organization name as <code>AKLWEB-HOST-VPS-CENTOS</code>. If you want to change it, open the <code>.sh</code> files and replace <code>O=AKLWEB-HOST-VPS-CENTOS</code> with <code>O=YOUR_ORGANIZATION_NAME</code>.</p>

<p>Next, run <code>server_key.sh</code> with the IP address of your server to generate the certificate authority (CA) key and the server certificate. Replace <code>SERVER_IP</code> with the IP address of your AKLWEB HOST VPS.</p>

<pre><code>./server_key.sh SERVER_IP
</code></pre>

<p>Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user “john”.</p>

<pre><code>./client_key.sh john john@gmail.com
</code></pre>

<p>Replace “john” and his email address with yours before running the script.</p>

<p>After the client and server certificates have been generated, copy <code>/etc/strongswan/ipsec.d/john.p12</code> and <code>/etc/strongswan/ipsec.d/cacerts/strongswanCert.pem</code> to your local computer.</p>

<h3>Configure strongSwan</h3>

<p>Open the strongSwan IPsec configuration file.</p>

<pre><code>vi /etc/strongswan/ipsec.conf
</code></pre>

<p>Replace its content with the following text.</p>

<pre><code>config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.1.100/16

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
</code></pre>
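<p>As an added check (my code, not the tutorial's or strongSwan's), the following Python parses an <code>ipsec.conf</code> in the format above, applies the <code>conn %default</code> inheritance strongSwan uses, and lists which conns pin an <code>ike=</code> proposal containing legacy components; the sample configuration is a constructed, trimmed copy of the file above, and the tutorial's <code>IpsecIKEv2-EAP</code> proposal <code>aes256-sha1-modp1024</code> is what it flags.</p>

```python
"""Flatten a strongSwan ipsec.conf (conn %default inheritance) and flag weak
ike= proposal components. Added example, not part of the tutorial."""
import re

# Constructed sample: a trimmed copy of the tutorial's ipsec.conf.
SAMPLE_CONF = """\
conn %default
    left=%defaultroute
    leftcert=vpnHostCert.pem

conn IpsecIKEv2
    keyexchange=ikev2

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rightauth=eap-mschapv2
"""
WEAK_ALGS = {"md5", "sha1", "des", "3des", "modp768", "modp1024"}  # legacy IKE parts

def parse_sections(text):
    """Return {'conn NAME' or 'config NAME': {key: value}}, comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        header = re.match(r"^(conn|config)\s+(\S+)$", line)
        if header:
            current = sections.setdefault(" ".join(header.groups()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def effective_conns(text):
    """Merge 'conn %default' into every other conn; the conn's own keys win."""
    sections = parse_sections(text)
    default = sections.get("conn %default", {})
    return {name[5:]: {**default, **opts} for name, opts in sections.items()
            if name.startswith("conn ") and name != "conn %default"}

def weak_proposal_parts(proposal):
    """Split 'aes256-sha1-modp1024!' (or a comma-separated list) into weak parts."""
    parts = proposal.rstrip("!").replace(",", "-").split("-")
    return sorted(p for p in parts if p in WEAK_ALGS)

def audit(text):
    """Return {conn: [weak algs]} for every conn that sets an explicit ike= line."""
    return {name: weak_proposal_parts(opts["ike"])
            for name, opts in effective_conns(text).items() if "ike" in opts}
```

Conns without an explicit <code>ike=</code> line fall back to strongSwan's built-in default proposals, so the check only reports proposals the file pins itself.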

<p>Edit the strongSwan configuration file, <code>strongswan.conf</code>.</p>

<pre><code>vi /etc/strongswan/strongswan.conf
</code></pre>

<p>Delete everything and replace it with the following.</p>

<pre><code>charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf
</code></pre>

<p>Edit the IPsec secrets file to add a user and password.</p>

<pre><code>vi /etc/strongswan/ipsec.secrets
</code></pre>

<p>Add a user account “john” to it.</p>

<pre><code>: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any : XAUTH "John's Password"
</code></pre>

<p>Please note that the colon ‘:’ needs whitespace on both sides.</p>
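<p>The following Python is an added example (mine, not the tutorial's or strongSwan's) that checks an <code>ipsec.secrets</code> file against the format used above and reports the mistake just described, a colon without whitespace on both sides; the sample file is constructed from the tutorial's four entries plus two deliberately broken lines, and the minimum PSK length is this example's own policy.</p>

```python
"""Check an ipsec.secrets file against the '<selectors> : <TYPE> <secret>' format
used above. Added example, not part of the tutorial or of strongSwan."""
import re

# Optional selectors, a colon with whitespace on BOTH sides, then type and secret.
ENTRY = re.compile(r"^(?:(?P<sel>\S.*?)\s+)?:\s+(?P<type>\S+)\s+(?P<secret>.+)$")
KNOWN_TYPES = {"RSA", "ECDSA", "PSK", "EAP", "XAUTH", "PIN"}
MIN_PSK_LEN = 20  # this example's own policy, not a strongSwan requirement

# Constructed sample: the tutorial's four entries plus two deliberately broken lines.
SAMPLE_SECRETS = """\
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any : XAUTH "John's Password"
alice %any: EAP "no space before the colon"
bob %any :XAUTH "no space after the colon"
"""

def unquote(value):
    """Strip one pair of surrounding double quotes, if present."""
    return value[1:-1] if len(value) > 1 and value[0] == value[-1] == '"' else value

def check_secrets(text):
    """Return (entries, problems); entries are (selectors, type, secret) tuples."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            problems.append((lineno, "expected '<selectors> : <TYPE> <secret>' "
                                     "with whitespace on both sides of ':'"))
            continue
        sel, stype = m.group("sel") or "", m.group("type")
        secret = unquote(m.group("secret"))
        if stype not in KNOWN_TYPES:
            problems.append((lineno, f"unknown secret type {stype}"))
        if stype == "PSK" and len(secret) < MIN_PSK_LEN:
            problems.append((lineno, f"PSK shorter than {MIN_PSK_LEN} characters"))
        entries.append((sel, stype, secret))
    return entries, problems
```

On the sample, the placeholder <code>"PSK_KEY"</code> on line 2 and the two malformed lines 5 and 6 are reported, while the four well-formed entries parse cleanly.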

<h3>Allow IPv4 forwarding</h3>

<p>Edit <code>/etc/sysctl.conf</code> to allow forwarding in the Linux kernel.</p>

<pre><code>vi /etc/sysctl.conf
</code></pre>

<p>Add the following line to the file.</p>

<pre><code>net.ipv4.ip_forward=1
</code></pre>

<p>Save the file, then apply the change.</p>

<pre><code>sysctl -p
</code></pre>

<h3>Configure the firewall</h3>

<p>Open the firewall for your VPN on the server.</p>

<pre><code>firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
</code></pre>

<h3>Start VPN</h3>

<pre><code>systemctl start strongswan
systemctl enable strongswan
</code></pre>

<p>StrongSwan is now running on your server. Install the <code>strongswanCert.pem</code> and <code>.p12</code> certificate files on your client. You will now be able to join your private network.</p>