
How to install IKEv2 VPN using Strongswan and let's encrypt on CentOS 8



Strongswan is a multi-platform open source IPsec implementation. It is an IPsec-based VPN solution that focuses on strong authentication mechanisms. Strongswan supports both the IKEv1 and IKEv2 key exchange protocols, authentication based on X.509 certificates or pre-shared keys, and secure IKEv2 EAP user authentication.

In this tutorial, I will show you how to install an IPsec VPN server using Strongswan. We will create an IKEv2 VPN server with "EAP-MSCHAPv2" authentication and use Let's Encrypt certificates on a CentOS 8 server.

Prerequisites

  • CentOS 8 Server
  • Root Privileges

What will we do?

  • Install Strongswan on CentOS 8
  • Generate SSL Letsencrypt
  • Configure Strongswan
  • Enable NAT Firewall
  • Enable Port-Forwarding
  • Testing

Step 1 – Install Strongswan on CentOS 8

In the first step we will install the Strongswan IPsec implementation and all packages it needs from the EPEL repository.

Before installing the strongswan package, you must add the EPEL repository to the CentOS 8 system.

Add EPEL repository for CentOS 8 server.

  sudo dnf install epel-release

Then install the Strongswan package from the EPEL repository with the dnf command below.

  sudo dnf install strongswan 

Wait for the Strongswan package installation to finish.

 Install Strongswan

Step 2 – Generate SSL Certificate with Let's Encrypt

For this guide we will create the IKEv2 VPN server with the domain name 'vpn.hakase-labs.io' and use certificates generated by Let's Encrypt.

In this step, we will install the Let's Encrypt tool 'certbot' manually and generate certificates for the server's domain name 'vpn.hakase-labs.io'.

Download the certbot-auto script from the EFF using the wget command below.

  wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto

After that, make it executable by changing the file mode.

  chmod +x /usr/local/bin/certbot-auto

The certbot tool for generating Let's Encrypt certificates is now installed.

 Creating SSL Certificates with Let's Encrypt

Before we generate the Let's Encrypt certificates, we must open the server's HTTP and HTTPS ports in firewalld.

Add the HTTP and HTTPS services to the firewall services list by running the firewall-cmd commands below.

  firewall-cmd --add-service=http --permanent
  firewall-cmd --add-service=https --permanent
  firewall-cmd --reload

Now we can create the new SSL certificate files using the Let's Encrypt tool certbot-auto.

 Configure the firewall

Replace the email address and domain name with your own and run the 'certbot-auto' command below.

  certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email [email protected] -d vpn.hakase-labs.io

When done you will get the result as below.

 Get SSL Certificates with Certbot

All certificates for your domain name are generated into the '/etc/letsencrypt/live/domain.com' directory.

Next we need to copy the certificate files 'fullchain.pem', 'privkey.pem' and 'chain.pem' into the '/etc/strongswan/ipsec.d/' directory.

  cp /etc/letsencrypt/live/vpn.hakase-labs.io/fullchain.pem /etc/strongswan/ipsec.d/certs/
  cp /etc/letsencrypt/live/vpn.hakase-labs.io/privkey.pem /etc/strongswan/ipsec.d/private/
  cp /etc/letsencrypt/live/vpn.hakase-labs.io/chain.pem /etc/strongswan/ipsec.d/cacerts/

All Let's Encrypt certificates for the Strongswan VPN named 'vpn.hakase-labs.io' have been generated and copied to the '/etc/strongswan/ipsec.d' directory.

  tree /etc/strongswan/ipsec.d/

 Certificate for Strongswan
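Two things the copy step above leaves open are worth checking: a plain cp gives the copied private key a umask-based mode (typically 0644, readable by every local user), and Let's Encrypt certificates expire after 90 days, so the copies in ipsec.d go stale unless renewal also refreshes them. The following added example, which is not part of the original tutorial, does the copy as a certbot --deploy-hook would, locks down the private key, and confirms that the key and certificate belong together. The /etc/strongswan/ipsec.d layout is taken from the tutorial; the 'strongswan rereadall' wrapper command and the RENEWED_LINEAGE variable certbot exports to deploy hooks are assumptions about the CentOS 8 package and certbot behaviour.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: install the Let's Encrypt
# files into strongSwan's ipsec.d tree the way a certbot deploy hook would,
# fix the private key's permissions (a plain 'cp' gives the copy a umask-based
# mode, typically 0644), and confirm that key and certificate belong together.
# The /etc/strongswan/ipsec.d layout and the 'strongswan rereadall' wrapper
# command are assumptions taken from the CentOS 8 package layout.
set -eu

# install_certs LIVE_DIR IPSEC_D
# Copies fullchain.pem -> certs/, privkey.pem -> private/, chain.pem -> cacerts/.
# Returns 1 without copying anything if one of the three files is missing.
install_certs() {
    live="$1"
    ipsecd="$2"
    for f in fullchain.pem privkey.pem chain.pem; do
        [ -f "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    mkdir -p "$ipsecd/certs" "$ipsecd/private" "$ipsecd/cacerts"
    cp "$live/fullchain.pem" "$ipsecd/certs/fullchain.pem"
    cp "$live/chain.pem"     "$ipsecd/cacerts/chain.pem"
    cp "$live/privkey.pem"   "$ipsecd/private/privkey.pem"
    # Public material may be world-readable; the private key must not be.
    chmod 0644 "$ipsecd/certs/fullchain.pem" "$ipsecd/cacerts/chain.pem"
    chmod 0600 "$ipsecd/private/privkey.pem"
}

# private_key_is_locked FILE: succeeds when FILE's mode is exactly rw-------.
private_key_is_locked() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# key_matches_cert KEY CERT: succeeds when the public key embedded in CERT is
# the one derived from KEY (returns 2 if openssl is not installed).
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# When certbot runs this script as --deploy-hook, RENEWED_LINEAGE points at
# /etc/letsencrypt/live/<domain>; install the renewed files and make the
# running daemon reread them instead of restarting it and dropping tunnels.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" /etc/strongswan/ipsec.d
    private_key_is_locked /etc/strongswan/ipsec.d/private/privkey.pem
    key_matches_cert /etc/strongswan/ipsec.d/private/privkey.pem \
                     /etc/strongswan/ipsec.d/certs/fullchain.pem
    strongswan rereadall
fi
```

Saved as, for instance, /usr/local/bin/strongswan-deploy.sh and passed to certbot-auto with --deploy-hook, the script runs only after a successful renewal; run by hand with RENEWED_LINEAGE unset, it defines the functions and does nothing, which is what the checks below rely on.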

Step 3 - Configure Strongswan

Go to the '/etc/strongswan' directory and back up the default 'ipsec.conf' configuration file.

  cd /etc/strongswan/
  cp ipsec.conf ipsec.conf.asli

Create a new 'ipsec.conf' with the vim editor.

  vim ipsec.conf 

And paste in the following configuration.

  config setup
      # allow multiple connections per user
      uniqueids=never
      charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

  conn %default
      fragmentation=yes
      closeaction=restart
      rekey=no
      dpdaction=clear
      keyexchange=ikev2
      compress=yes
      dpddelay=35s
      lifetime=3h
      ikelifetime=12h

      # the DH group of the IKE proposal was garbled in the source; ecp384
      # is assumed here so that it matches the esp proposal below
      ike=aes256gcm16-prfsha512-ecp384!
      esp=aes256gcm16-ecp384!

      left=%any
      # server identity; must match the domain name in the Let's Encrypt certificate
      leftid=@vpn.hakase-labs.io
      leftcert=fullchain.pem
      leftsendcert=always
      leftsubnet=0.0.0.0/0

      right=%any
      rightid=%any
      rightauth=eap-mschapv2
      rightsourceip=10.15.1.0/24
      rightdns=1.1.1.1,8.8.8.8
      rightsendcert=never
      eap_identity=%identity

  conn ikev2-pubkey
      auto=add

Save and exit.

Next, we need to edit 'ipsec.secrets' to define the server's RSA private key and the EAP user passwords. The passwords are stored in plain text, so this file must stay readable by root only.

Edit the file 'ipsec.secrets'.

  vim ipsec.secrets

Paste in the configuration below.

  : RSA "privkey.pem"
  hakase : EAP "[email protected]"
  tensai : EAP "[email protected]"

Save and exit.

The Strongswan IPsec configuration is complete. Enable the Strongswan service to start at boot, then start it.

  systemctl enable strongswan 
systemctl start strongswan

 Enable Strongswan Daemon

The Strongswan service is now running on the CentOS 8 server; check it with the following commands.

  systemctl status strongswan 
netstat -plntu

And you will see the result as below.

 Strongswan successfully started

Step 4 - Activate NAT in Firewalld

In this step we enable NAT masquerading and allow the IPsec protocols Authentication Header (AH) and Encapsulating Security Payload (ESP) in Firewalld using a "rich rule" configuration.

Allow the 'AH' and 'ESP' protocols, which carry IPsec authentication and encryption, through the firewall.

  firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
  firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'

Add the IPsec UDP ports and service.

  firewall-cmd --zone=public --permanent --add-port=500/udp
  firewall-cmd --zone=public --permanent --add-port=4500/udp
  firewall-cmd --zone=public --permanent --add-service="ipsec"

Now enable NAT masquerading and reload the firewall configuration rules.

  firewall-cmd --zone=public --permanent --add-masquerade
  firewall-cmd --reload

 Firewall configuration

NAT masquerading is now enabled in the firewall; check it with the command below.

  firewall-cmd --list-all

The following is the result.

 List firewall ports

Step 5 – Enable port forwarding

To enable IP forwarding, we need to edit the file 'sysctl.conf'.

Edit the file '/etc/sysctl.conf' with the vim editor.

  vim /etc/sysctl.conf

Paste the following configuration into it.

  net.ipv4.ip_forward = 1
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.all.send_redirects = 0

Save and exit, then apply the settings with the sysctl command below.

  sysctl -p 

IP forwarding is now enabled. Restart the Strongswan service.

  systemctl restart strongswan

 Enable port forwarding

Step 6 - Test Strongswan IPSec VPN

For this test, we will connect from macOS and from an Android phone.

On macOS

- Open 'System Settings' and click the 'Network' menu.

Click the '+' button to create a new VPN connection.

    • Interface: 'VPN'
    • VPN Type: 'IKEv2'
    • Service Name: 'IKEv2-vpn'

  Configure VPN on MacOS

- Enter the VPN domain name 'ikev2.hakase-labs.io' in 'Server Address' and 'Remote ID'.
- Click 'Authentication Settings'.
- Choose authentication with a 'Username'.
- Enter the username 'tensai' with the password '[email protected]'.
- Click 'OK' and then 'Apply'.

  MacOS VPN Authentication Settings

The new IKEv2 VPN connection has been created on the client. Now click the 'Connect' button.

  New IKEv2 VPN connection has been created

The client is now connected to the Strongswan VPN server and has been assigned the internal/private IP address 10.15.1.1.

On Android

- Download and install the official strongSwan Android application from Google Play.
- Add a new VPN profile.
- Enter the server domain name 'ikev2.hakase-labs.io' and choose IKEv2 EAP (username/password) authentication.

The following is the result when we connect to the VPN server.

  Configure VPN on Android
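On the server side, the same test can be checked from the daemon's status listing rather than only from the client screenshots. The following added example, which is not part of the original tutorial, parses the output of the status command into one line per established client (connection name, EAP identity, peer address and assigned virtual IP) and flags any assigned address that falls outside the 10.15.1.0/24 pool configured above. The sample status text is constructed to resemble strongSwan's listing and is embedded so the script runs offline; the 'strongswan statusall' wrapper command on CentOS is an assumption, and the exact listing format varies between strongSwan versions, so compare it with your own server's output.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: summarize established
# IKEv2 clients from strongSwan status output and check that each one received
# an address from the tutorial's 10.15.1.0/24 pool. SAMPLE_STATUS is a
# constructed sample resembling 'strongswan statusall' output.
set -eu

SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
ikev2-pubkey[3]: ESTABLISHED 42 seconds ago, 203.0.113.10[vpn.hakase-labs.io]...198.51.100.7[192.168.1.20]
ikev2-pubkey[3]: Remote EAP identity: tensai
ikev2-pubkey[3]: IKEv2 SPIs: 1111111111111111_i 2222222222222222_r*, rekeying disabled
ikev2-pubkey{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c1c1c1c1_i c2c2c2c2_o
ikev2-pubkey{3}:   0.0.0.0/0 === 10.15.1.1/32'

# established_clients: reads status text on stdin and prints
# "conn eap_identity peer_address virtual_ip" for every established IKE SA.
# IKE SA lines are tagged "name[N]:", their CHILD SA lines "name{N}:"; both
# are reduced to the key "name#N" so the pieces can be joined.
established_clients() {
    awk '
        function sakey(tag,   parts, num) {
            split(tag, parts, /[[{]/)          # "ikev2-pubkey[3]:" -> "ikev2-pubkey"
            match(tag, /[0-9]+/)               # "[3]" -> "3"
            num = substr(tag, RSTART, RLENGTH)
            return parts[1] "#" num
        }
        /: ESTABLISHED / {
            k = sakey($1)
            split($1, parts, /[[{]/); conn[k] = parts[1]
            match($0, /\.\.\.[^[]+\[/)         # "...198.51.100.7[" -> peer address
            peers[k] = substr($0, RSTART + 3, RLENGTH - 4)
        }
        /Remote EAP identity:/ { eap[sakey($1)] = $NF }
        / === / {
            split($NF, vip, "/"); vips[sakey($1)] = vip[1]   # "10.15.1.1/32" -> "10.15.1.1"
        }
        END {
            for (k in conn)
                printf "%s %s %s %s\n", conn[k], (k in eap ? eap[k] : "-"),
                                        peers[k], (k in vips ? vips[k] : "-")
        }'
}

# in_pool IP: succeeds when IP lies in the tutorial's 10.15.1.0/24 client pool.
in_pool() {
    case "$1" in
        10.15.1.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# summarize: reads status text on stdin, prints OK/WARN per client.
summarize() {
    established_clients | while read -r conn user peer vip; do
        if in_pool "$vip"; then
            echo "OK   $user from $peer on $conn got $vip"
        else
            echo "WARN $user from $peer on $conn has unexpected address $vip"
        fi
    done
}

# On the server itself you would pipe live output in instead of the sample:
#   strongswan statusall | summarize
printf '%s\n' "$SAMPLE_STATUS" | summarize
```

The "Remote EAP identity" line is what ties a tunnel to a user in ipsec.secrets, and the virtual IP on the "===" line is what the client sees as its private address (10.15.1.1 in the macOS test above), so these two fields are the ones worth logging when confirming that a user connected.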

The IKEv2 IPsec-based VPN server has been created using Strongswan and Let's Encrypt on a CentOS 8 server.
