Friday, November 15, 2024

Install StrongSwan VPN Server on Rocky/AlmaLinux 8|9


VPN is an acronym for Virtual Private Network. It is commonly used to protect users on untrusted networks: all traffic between the client and the VPN gateway is encrypted, so it can cross a public network while its contents stay private, and the client gains access to the resources on the gateway's network as if it were attached locally (which is also why VPNs are used to work around geographical restrictions).

There are several VPN solutions in the market today. StrongSwan is an open-source, modern, IPsec-based VPN solution. This multi-platform solution fully supports both versions of the Internet Key Exchange protocol (IKEv1 and IKEv2) to establish security associations (SAs) between two hosts. Once an SA is up, traffic between the client and the server is encrypted and the server acts as a secure gateway to the other resources on its network.

The amazing features provided by StrongSwan are:


  • Fully tested support of IPv6 IPsec tunnel and transport connections
  • Powerful IPsec policies based on wildcards or intermediate CAs
  • Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
  • XAUTH server and client functionality on top of IKEv1 Main Mode authentication
  • Runs on Linux 2.6, 3.x, 4.x and 5.x kernels, Android, FreeBSD, OS X, iOS and Windows
  • Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
  • Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
  • Modular plugins for crypto algorithms and relational database interfaces
  • Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface) or protected by a TPM 2.0
  • Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
  • Smooth Linux desktop integration via the strongSwan NetworkManager applet
  • Virtual IP address pool managed by IKE daemon or SQL database
  • NAT-Traversal via UDP encapsulation and port floating (RFC 3947)

StrongSwan works with a peer-to-peer model: the keying daemon (charon) runs the Internet Key Exchange protocol, preferably version 2, to negotiate security associations, which are then installed into the kernel's IPsec stack. The diagram below shows the architecture.

Strongswan Architecture

In this guide, we will learn how to install StrongSwan VPN Server on Rocky / AlmaLinux 8|9.

Step 1: Enable Kernel IP Forwarding

We will begin by enabling Kernel IP Forwarding on Rocky / AlmaLinux 8|9. This is done by editing the /etc/sysctl.conf file:

sudo vim /etc/sysctl.conf

Add the below lines to the file. Forwarding is required because the server routes traffic on behalf of VPN clients; disabling ICMP redirects stops the gateway from sending or honouring redirects that could steer client traffic elsewhere:

net.ipv4.ip_forward = 1 
net.ipv6.conf.all.forwarding = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0 

Save the file and reload the parameters.

$ sudo sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Step 2: Install StrongSwan VPN Server

The StrongSwan VPN packages are provided in the EPEL repository. To be able to install them, enable EPEL on your Rocky / AlmaLinux 8|9 system using the command:

sudo dnf install epel-release

Once enabled, install the StrongSwan VPN Server with the command:

sudo dnf install strongswan

Install only strongswan here. Libreswan is a separate IKE daemon and would compete with charon for UDP ports 500 and 4500 and for the kernel IPsec policies, so do not install both on the same host.

Transaction summary (truncated):

....
Transaction Summary
================================================================================
Install  5 Packages

Total download size: 4.5 M
Installed size: 8.7 M
Is this ok [y/N]: y

Once complete, verify the installation.

$ strongswan version
Linux strongSwan U5.9.8/K5.14.0-70.13.1.el9_0.x86_64
University of Applied Sciences Rapperswil, Switzerland

Step 3: Configure StrongSwan VPN Server

Once installed, there are several configurations one can make to the StrongSwan VPN Server. On RHEL-based systems the configuration lives under /etc/strongswan/ (Debian/Ubuntu packages use /etc/ipsec.conf and /etc/ipsec.d/ directly).

Verify this as shown:

$ ls /etc/strongswan/
ipsec.conf  ipsec.d  ipsec.secrets  strongswan.conf  strongswan.d  swanctl

For this guide, we will use the legacy ipsec.conf (stroke) interface driven by the strongswan/ipsec command rather than the newer swanctl one, so we need to make adjustments to:

  • /etc/strongswan/ipsec.conf: the configuration file for the strongSwan IPsec subsystem (connection definitions).
  • /etc/strongswan/ipsec.secrets: the secrets file (which private key to use, and the EAP user credentials).

a. Generate a CA and a Server Certificate

The StrongSwan daemon automatically loads every certificate in /etc/strongswan/ipsec.d/certs, every CA certificate in /etc/strongswan/ipsec.d/cacerts and the keys referenced from ipsec.secrets in /etc/strongswan/ipsec.d/private. Begin by creating a working directory that only your user can read, since it will hold private keys:

mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki

Optionally install haveged. On the 5.x kernels these distributions ship the in-kernel CSPRNG no longer blocks once seeded, so this is only useful on entropy-starved VMs; nothing else is needed for key generation (this guide does not use a TPM):

sudo dnf install haveged -y

Start and enable the service

sudo systemctl enable --now haveged

Create the private key for the certificate authority:

strongswan pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem

Create a self-signed root CA certificate from that key:

strongswan pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
    --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem

Create a private key for the VPN server

strongswan pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem

Now generate the certificate file:

strongswan pki --pub --in ~/pki/private/server-key.pem --type rsa \
    | strongswan pki --issue --lifetime 1825 \
        --cacert ~/pki/cacerts/ca-cert.pem \
        --cakey ~/pki/private/ca-key.pem \
        --dn "CN=vpn.geeksforgeeks.org" --san vpn.geeksforgeeks.org --san 192.168.205.12  --san @192.168.205.12 \
        --flag serverAuth --flag ikeIntermediate --outform pem \
    >  ~/pki/certs/server-cert.pem

The --san arguments put the server's DNS name and IP address into the certificate's subjectAltName; the server's leftid (and the client's rightid) must match one of them, or clients will reject the certificate. The ikeIntermediate flag is required by Apple's IKEv2 clients. Once generated, copy the certificates and keys to the directories the daemon reads:

sudo cp -r ~/pki/* /etc/strongswan/ipsec.d/

Now set the permissions. The certificates are public and may be world-readable (the CA certificate is copied to clients later), but the private keys must be readable by root only; charon runs as root on these systems, so nothing else needs access:

sudo chown -R root:root /etc/strongswan/ipsec.d/
sudo chmod 755 /etc/strongswan/ipsec.d /etc/strongswan/ipsec.d/cacerts /etc/strongswan/ipsec.d/certs
sudo chmod 644 /etc/strongswan/ipsec.d/cacerts/* /etc/strongswan/ipsec.d/certs/*
sudo chmod 700 /etc/strongswan/ipsec.d/private
sudo chmod 600 /etc/strongswan/ipsec.d/private/*
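The copy-and-permission step above, as an added example that is not part of the original article: a small POSIX shell script that installs a ~/pki-style tree into an ipsec.d-style tree with least-privilege modes and then verifies that no private key is readable by anyone but its owner. Source and destination are taken as arguments (an assumption made so the script can be exercised against a scratch directory); on the server you would run install_pki ~/pki /etc/strongswan/ipsec.d as root.

```shell
#!/bin/sh
# Added example (editor's code, not from the article): copy a ~/pki tree
# into an ipsec.d tree with least-privilege modes and verify the result.
# Usage: install_pki <src-dir> <dst-dir>   (paths are assumptions; on the
# server: install_pki ~/pki /etc/strongswan/ipsec.d)

# Returns 0 if every regular file in the directory is mode 600, 1 otherwise,
# naming each offending file on stderr.
verify_private_keys() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        if [ "$mode" != "600" ]; then
            echo "insecure mode $mode on $f" >&2
            rc=1
        fi
    done
    return $rc
}

install_pki() {
    src="$1"; dst="$2"
    for d in cacerts certs private; do
        mkdir -p "$dst/$d" || return 1
    done
    # Public material (CA and server certificates): world-readable, so the CA
    # certificate can later be fetched by clients with scp.
    for f in "$src"/cacerts/* "$src"/certs/*; do
        [ -f "$f" ] || continue
        sub=$(basename "$(dirname "$f")")
        cp "$f" "$dst/$sub/" && chmod 644 "$dst/$sub/$(basename "$f")" || return 1
    done
    # Private keys: owner-only. charon runs as root on EL, so root-owned 600
    # is sufficient and nothing else on the host can read the key material.
    for f in "$src"/private/*; do
        [ -f "$f" ] || continue
        cp "$f" "$dst/private/" && chmod 600 "$dst/private/$(basename "$f")" || return 1
    done
    chmod 755 "$dst" "$dst/cacerts" "$dst/certs" && chmod 700 "$dst/private" || return 1
    # Fail loudly if any key ended up with a permissive mode (e.g. a stray
    # file that was not a regular copy).
    verify_private_keys "$dst/private"
}
```

verify_private_keys can also be run on its own (for example from a cron job) against /etc/strongswan/ipsec.d/private to catch a later chmod -R that loosened the key modes.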

b. Configure Security Gateways

To configure the security gateways on StrongSwan, you need to edit the /etc/strongswan/ipsec.conf.

Create a backup conf file.

sudo cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig

Now open the file for editing:

sudo vim /etc/strongswan/ipsec.conf

In the opened file, make the below adjustments.

config setup
        # verbose per-subsystem logging is handy while setting up; lower the levels once the tunnel works
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
        strictcrlpolicy=no
        uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel  # defines the type of connection, tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.geeksforgeeks.org  # must match a SAN in the server cert; if using an IP, define it without the @ sign
    leftcert=server-cert.pem  # reads the VPN server cert in /etc/strongswan/ipsec.d/certs
    leftsendcert=always
    leftsubnet=192.168.205.0/24  # network clients reach through the tunnel (0.0.0.0/0 for a full tunnel)
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24  # virtual IP pool for clients; must NOT overlap leftsubnet or the server's own LAN
    rightdns=192.168.205.1,8.8.8.8 # DNS to be assigned to clients
    rightsendcert=never
    eap_identity=%identity  # defines the identity the client uses to reply to an EAP Identity request.
    # proposals: AES with SHA-2 integrity and 2048-bit+ MODP or NIST curves only; the trailing "!" makes the list strict
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha384-modp2048,aes256-sha256-modp2048!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha384-modp2048,aes256-sha256-modp2048,aes128gcm16,aes256gcm16,aes128-sha256,aes256-sha384,aes256-sha256!

Two things differ from configurations commonly copied around. The client address pool (rightsourceip) is a dedicated range rather than the server's own LAN: handing clients addresses out of 192.168.205.0/24 would eventually collide with the server (192.168.205.12) and the LAN gateway, and the first client would be given 192.168.205.1. And the proposal lists omit modp1024/modp1536 and SHA-1, which strongSwan would otherwise accept because of the strict "!"; the ESP proposals without a DH group remain so that clients which do not request PFS for the first CHILD_SA can still connect.

In the above file:

  • config setup: defines the IPsec general configuration information which applies to all connections.
    • charondebug: specifies how much charon debugging output should be logged, per subsystem (levels 0 to 4).
    • strictcrlpolicy: whether a fresh CRL is required before a peer certificate is accepted; set to no because our private CA publishes none.
    • uniqueids: defines whether a particular participant ID should be kept unique; no lets the same user connect from several devices at once.
  • conn ikev2-vpn: defines the set connection name.
    • keyexchange: defines the version of the IKE protocol to use.
    • left: defines the IP address of the left participant's (the server's) public-network interface; %any accepts whichever local address the request arrives on.
    • leftid: the identity the server asserts; it must be present as a SAN in the server certificate and match the client's rightid.
    • leftcert: the file name of the server certificate in ipsec.d/certs.
    • leftsubnet: defines the private subnet behind the left participant that clients are allowed to reach.
    • right: declares the IP address of the right participant's (the client's) public-network interface; %any accepts any client.
    • rightauth: how clients are authenticated; eap-mschapv2 is username/password inside EAP, which the built-in clients on Windows, macOS, iOS and Android support.
    • rightsourceip: the virtual IP address pool assigned to clients; it must not overlap leftsubnet or the server's LAN.
    • rightdns: DNS servers pushed to clients.
    • eap_identity: %identity uses the EAP identity the client sends as the username looked up in ipsec.secrets.
    • ike / esp: the cipher suites offered for the IKE SA and for the CHILD (ESP) SA; the trailing ! rejects any proposal not in the list.
To find more definitions for all other parameters, read the ipsec.conf man page:

man ipsec.conf
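Because the strict "!" only protects you from algorithms you left out, it is worth checking a configuration for weak components before loading it. The following is an added example (editor's code, not from the article or the strongSwan project): it pulls the ike= and esp= lines out of an ipsec.conf, splits each proposal into its components, and reports any that fall below a 2048-bit DH floor or use SHA-1/MD5 integrity, 3DES or NULL encryption. The list of weak tokens is this example's own choice, and the file path is an argument so it can be run against a scratch file.

```shell
#!/bin/sh
# Added example (editor's code, not from the article): lint ike=/esp=
# proposal lists in an ipsec.conf for weak components.
# Usage: lint_proposals <ipsec.conf>   prints "<keyword>:<token>" per finding
#        proposals_ok   <ipsec.conf>   exit 0 if nothing weak was found

# Tokens this example treats as weak (editor's choice): DH groups below
# 2048 bits, SHA-1/MD5 integrity, 3DES and NULL encryption.
WEAK_TOKENS='modp768 modp1024 modp1536 sha1 md5 3des null'

lint_proposals() {
    # keep ike=/esp= lines, drop trailing comments, then split each value
    # into proposals (comma) and components (hyphen)
    grep -E '^[[:space:]]*(ike|esp)[[:space:]]*=' "$1" | sed 's/#.*//' |
    while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=//; s/!//g; s/[[:space:]]//g')
        printf '%s\n' "$val" | tr ',-' '\n\n' | while IFS= read -r tok; do
            for w in $WEAK_TOKENS; do
                if [ "$tok" = "$w" ]; then
                    printf '%s:%s\n' "$key" "$tok"
                fi
            done
        done
    done | sort -u
}

# Succeeds only when lint_proposals reports nothing.
proposals_ok() {
    [ -z "$(lint_proposals "$1")" ]
}
```

Run it as proposals_ok /etc/strongswan/ipsec.conf || echo "weak proposals present" before restarting the daemon; the check is purely textual, so it is also cheap enough to wire into a configuration-management pipeline.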

c. Configure Authentication Secrets

The server is now configured to accept client connections. Next, tell charon which RSA private key belongs to the server certificate and define the EAP user credentials clients will log in with. Note that this is not a pre-shared-key setup: the server is authenticated by its certificate and the client by a username and password carried inside EAP-MSCHAPv2.

Generate a random password for the first user:

$ head -c 24 /dev/urandom | base64
7yyoC32RpKeSRDhdEI9Z+XXaL8aTS7V0

Once generated, add it to the secrets file:

sudo vim /etc/strongswan/ipsec.secrets

Add the below lines to the file, replacing the placeholder with the string you just generated. The file holds plaintext passwords, so keep it owned by root with mode 600:

: RSA "server-key.pem"
vpnsecure : EAP "your-secure-password"
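Adding users by hand works for one or two accounts; for more, the following added example (editor's code, not from the article) wraps the same steps in a function that generates the password, refuses to add an identity that already exists, appends the EAP line and keeps the file at mode 600. The secrets file path is an argument (an assumption made so it can be exercised on a scratch file); on the server pass /etc/strongswan/ipsec.secrets.

```shell
#!/bin/sh
# Added example (editor's code, not from the article): add an EAP user to
# an ipsec.secrets-style file with a fresh random password.
# Usage: add_eap_user <secrets-file> <identity>   prints the new password

# 24 random bytes, base64-encoded: 32 characters, no padding.
new_password() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

add_eap_user() {
    file="$1"; user="$2"
    # Only allow identity characters that cannot break the "user : EAP" syntax.
    case "$user" in
        *[!A-Za-z0-9._@-]*|'') echo "invalid identity: $user" >&2; return 2 ;;
    esac
    [ -f "$file" ] || : > "$file"
    # Refuse duplicates: charon would otherwise use whichever line it reads first.
    if awk -v u="$user" '$1 == u && $2 == ":" { f = 1 } END { exit !f }' "$file"; then
        echo "identity already present: $user" >&2
        return 1
    fi
    pw=$(new_password) || return 1
    printf '%s : EAP "%s"\n' "$user" "$pw" >> "$file"
    chmod 600 "$file" || return 1
    # Hand the password back exactly once; it is not logged anywhere else.
    printf '%s\n' "$pw"
}
```

After adding a user, run strongswan rereadsecrets so the running daemon picks up the new line without restarting.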

Save the file, then enable and start the ipsec.conf-based service so the VPN comes back after a reboot (sudo strongswan start does the same for the current boot only):

sudo systemctl enable --now strongswan-starter

Check the status of the service:

$ sudo strongswan statusall
Status of IKE charon daemon (strongSwan 5.9.8, Linux 5.14.0-70.13.1.el9_0.x86_64, x86_64):
  uptime: 33 seconds, since Jan 27 10:47:42 2023
  malloc: sbrk 1892352, mmap 0, used 1204176, free 688176
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg newhope curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Virtual IP pools (size/online/offline):
  192.168.205.0/24: 254/0/0
Listening IP addresses:
  192.168.205.12
Connections:
   ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [vpn.geeksforgeeks.org] uses public key authentication
   ikev2-vpn:    cert:  "CN=vpn.geeksforgeeks.org"
   ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   ikev2-vpn:   child:  192.168.205.0/24 === dynamic TUNNEL, dpdaction=none
Security Associations (0 up, 0 connecting):
  none

From the above output, no security associations exist yet because no client has connected. Allow the required traffic through the firewall. The firewalld ipsec service already covers UDP 500 and 4500 as well as the ESP and AH protocols, so the explicit port rules are only shown for clarity; masquerading is what lets clients reach hosts beyond the server through the NAT. If the server's uplink is not in the default zone, add --zone=<zone> to each command.

sudo firewall-cmd --add-port=500/udp --permanent
sudo firewall-cmd --add-port=4500/udp --permanent
sudo firewall-cmd --permanent --add-service="ipsec"
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload

Step 4 – Install and Configure StrongSwan VPN Client

To configure a StrongSwan VPN client, install the strongSwan client packages (on Debian/Ubuntu the EAP-MSCHAPv2 plugin lives in libcharon-extra-plugins):

##On Debian/Ubuntu
sudo apt update && sudo apt-get install strongswan libcharon-extra-plugins -y

##On RHEL/Rocky/Alma Linux
sudo dnf install epel-release && sudo dnf install strongswan -y

Copy the CA certificate (only the CA certificate, never the server's private key) from your StrongSwan server:

##For Example
scp rocky@192.168.205.12:/etc/strongswan/ipsec.d/cacerts/ca-cert.pem ~/

Now install the certificate into the client's CA directory. Using install (or cp) creates a fresh file, so it receives the directory's default SELinux label; mv would carry the home-directory label along with it.

##On Debian/Ubuntu
sudo install -m 644 ~/ca-cert.pem /etc/ipsec.d/cacerts/

##On RHEL/Rocky/Alma Linux
sudo install -m 644 ~/ca-cert.pem /etc/strongswan/ipsec.d/cacerts/

On RHEL-based clients keep SELinux enforcing. If charon still cannot read the certificate (for example because the file was moved rather than copied), reset its label instead of disabling SELinux:

sudo restorecon -Rv /etc/strongswan/ipsec.d/

Create the authentication on the client;

##On Debian/Ubuntu
sudo vim /etc/ipsec.secrets

##On RHEL/Rocky/AlmaLinux
sudo vim /etc/strongswan/ipsec.secrets

Add the below lines to the file, replacing values where required.

vpnsecure : EAP "your-secure-password"

Also, create the IPsec config on the client

##On Debian/Ubuntu
sudo vim /etc/ipsec.conf

##On RHEL/Rocky/Alma Linux
sudo vim /etc/strongswan/ipsec.conf

Add the below lines to the config. The CA certificate placed in ipsec.d/cacerts is trusted automatically, so it does not need to be referenced here.

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn ikev2-vpn
    keyexchange=ikev2
    right=vpn.geeksforgeeks.org
    rightid=@vpn.geeksforgeeks.org  # This should match the `leftid` value on your server's configuration
    rightsubnet=192.168.205.0/24    # must match, or fit inside, the server's leftsubnet
    rightauth=pubkey                # the server proves its identity with its certificate
    leftsourceip=%config            # take the virtual IP the server assigns
    leftid=vpnsecure                # username from the server's ipsec.secrets
    leftauth=eap-mschapv2
    eap_identity=%identity
    auto=start

Now restart the service

sudo systemctl restart strongswan-starter

Now check the status of the service:

$ systemctl status strongswan-starter
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
     Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-01-27 12:56:13 EAT; 2min 28s ago
   Main PID: 162058 (starter)
      Tasks: 18 (limit: 4629)
     Memory: 4.3M
        CPU: 32ms
     CGroup: /system.slice/strongswan-starter.service
             ├─162058 /usr/lib/ipsec/starter --daemon charon --nofork
             └─162062 /usr/lib/ipsec/charon

Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] adding DNS server failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] adding DNS server failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[CFG] handling INTERNAL_IP4_DNS attribute failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] adding DNS server failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[CFG] handling INTERNAL_IP4_DNS attribute failed
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] installing new virtual IP 192.168.205.1
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c906aacf_i c421b22b_o and TS 192.168.205.1/32 === 192.168.205.0/24
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c906aacf_i c421b22b_o and TS 192.168.205.1/32 === 192.168.205.0/24
Jan 27 12:56:13 client.geeksforgeeks.org charon[162062]: 16[IKE] peer supports MOBIKE

The "adding DNS server failed" lines above mean the client's resolve plugin could not install the DNS servers the server pushed (it needs a writable /etc/resolv.conf, or resolvconf on Debian/Ubuntu); the tunnel itself is up, as the CHILD_SA line shows. Now on the StrongSwan server, you can check the status:

sudo strongswan status

Sample Output:

Install StrongSwan VPN Server on Rocky

That is it: you have an IKEv2 tunnel between the two hosts, with the server authenticated by its certificate and the client by EAP-MSCHAPv2. Traffic to the server's network now travels encrypted through that tunnel, and the server acts as a secure gateway to the resources behind it. I hope this was useful.
