strongSwan : Configure Server (2025/03/24)
Install strongSwan, an IPsec-based VPN solution. This example is based on the environment shown below. First, configure the IP masquerade settings on your router so that UDP packets sent over the internet from the strongSwan client to the global IP address of the strongSwan server are forwarded to the local IP address of the strongSwan server.
+------------------------+
| [ strongSwan Server ] |
| dlp.srv.world +--------+
| | |
+-----------+------------+ |
enp1s0|10.0.0.30/24 |
| |
| Local Network |
+------+-----+ |
-------| Router#1 |---------------|-----
+------+-----+ |
| |
Internet | Internet |
| |
+------+-----+ |
-------| Router#2 |---------------|-----
+------+-----+ |
| Local Network |
| |
enp1s0|192.168.10.30/24 |
+-----------+------------+ |
| [ strongSwan Client] | |
| +--------+
| |172.16.100.x (VPN IP)
+------------------------+
| [2] | Install strongSwan. |
# install from EPEL
[root@dlp ~]# dnf --enablerepo=epel -y install strongswan
| [3] | Configure strongSwan. Firewalld must be running for the example settings below. |
# create symbolic links for certificate
[root@dlp ~]# ln -s /etc/letsencrypt/live/dlp.srv.world/fullchain.pem \
/etc/strongswan/swanctl/x509/fullchain.pem
[root@dlp ~]# ln -s /etc/letsencrypt/live/dlp.srv.world/privkey.pem \
/etc/strongswan/swanctl/private/privkey.pem
[root@dlp ~]# ln -s /etc/letsencrypt/live/dlp.srv.world/chain.pem \
/etc/strongswan/swanctl/x509ca/chain.pem
[root@dlp ~]#
vi /etc/strongswan/swanctl/conf.d/ikev2.conf # create new
# swanctl configuration for a road-warrior IKEv2 server: clients authenticate
# with a username/password (EAP-MSCHAPv2) and the server authenticates with the
# Let's Encrypt certificate linked into swanctl/x509 above.
connections {
  ikev2 {
    version = 2
    # IKE proposals offered to clients; "default" is strongSwan's built-in list.
    # NOTE(review): modp1024 (1024-bit DH) is well below current recommendations
    # and is presumably listed only for legacy clients — drop it once every
    # client supports modp2048 or larger. No esp_proposals is set, so the
    # built-in default ESP proposals apply to the child SA.
    proposals = default,aes256-sha256-modp4096,aes256-sha256-modp2048,aes256gcm16-sha256-modp1024
    # never enforce IKE SA uniqueness per peer identity, so one user may hold
    # several VPN sessions at the same time
    unique = never
    # always send the server certificate, even if the client does not request it
    send_cert = always
    # virtual IPs for clients are taken from the "ipv4" pool defined below
    pools = ipv4
    # IKE fragmentation, needed for large messages such as certificate payloads
    fragmentation = yes
    local {
      # set hostname of strongSwan
      # match the hostname registered in the certificate
      id = dlp.srv.world
      # file name relative to /etc/strongswan/swanctl/x509 (the symlink created above)
      certs = fullchain.pem
    }
    remote {
      # clients authenticate with the EAP secrets listed in the secrets section
      auth = eap-mschapv2
      # accept any EAP identity; it is looked up against the eap-* secrets below
      eap_id = %any
    }
    children {
      child-ikev2 {
        # set your local network
        # (traffic selectors reachable through the tunnel on the server side)
        local_ts = 10.0.0.0/24
      }
    }
  }
}
pools {
  ipv4 {
    # network that is used for VPN clients
    addrs = 172.16.100.0/24
    # name servers that is used for VPN clients
    dns = 8.8.8.8
  }
}
# EAP usernames/passwords stored in plaintext — this file must stay readable by
# root only (chmod 600 below) and should not be checked into shared config repos.
secrets {
  # set VPN users
  eap-1 {
    id = vpnuser01
    secret = "userPassword01"
  }
  eap-2 {
    id = vpnuser02
    secret = "userPassword02"
  }
}
[root@dlp ~]#
chmod 600 /etc/strongswan/swanctl/conf.d/ikev2.conf
[root@dlp ~]#
vi /etc/strongswan/masquerade.sh # create new
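#!/bin/bash
# masquerade.sh - runtime firewalld rules for the strongSwan VPN.
#
# Invoked by the strongswan unit (ExecStartPost=... start / ExecStopPost=... stop),
# so it runs as root. The rules are runtime-only: they are re-applied on every
# service start and removed on stop, never written with --permanent.
#
# Usage:   masquerade.sh start|stop
# Returns: 0 on success; 1 if any firewall-cmd call failed or the option is
#          unknown (a non-zero status makes systemd treat the start as failed).
set -u

# network interface that can connect to a local network
# (overridable through the environment so the script need not be edited per host)
readonly IF="${IF:-enp1s0}"

#######################################
# Apply the VPN rules: masquerade the public zone, allow forwarding out of
# ${IF}, NAT the VPN pool behind ${IF} and open the ipsec service (IKE on
# UDP 500/4500 plus ESP/AH).
# Every rule is attempted even if an earlier one fails, so a partial state is
# reported rather than hidden.
# Returns: 0 if all rules were applied, 1 otherwise
#######################################
fw_start() {
  local rc=0
  firewall-cmd --zone=public --add-masquerade || rc=1
  # NOTE: the --direct interface is deprecated in recent firewalld releases in
  # favour of policies; kept because it matches the original rule set.
  firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o "${IF}" -j ACCEPT || rc=1
  firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o "${IF}" -j MASQUERADE || rc=1
  # no --zone given: this opens the service in firewalld's default zone
  # (public unless changed), so keep the default zone consistent with the
  # --zone=public used above.
  firewall-cmd --add-service=ipsec || rc=1
  return "${rc}"
}

#######################################
# Remove exactly the rules fw_start added. Best-effort: all removals run even
# if one fails, so nothing is left behind because of an early failure.
# Returns: 0 if all rules were removed, 1 otherwise
#######################################
fw_stop() {
  local rc=0
  firewall-cmd --zone=public --remove-masquerade || rc=1
  firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o "${IF}" -j ACCEPT || rc=1
  firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o "${IF}" -j MASQUERADE || rc=1
  firewall-cmd --remove-service=ipsec || rc=1
  return "${rc}"
}

case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  *)
    # diagnostics go to stderr and the exit status is non-zero so a typo in the
    # unit's ExecStartPost/ExecStopPost line is noticed instead of silently ignored
    printf 'Unknown option is specified\nUsage: %s start|stop\n' "${0##*/}" >&2
    exit 1
    ;;
esac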
chmod 700 /etc/strongswan/masquerade.sh
[root@dlp ~]#
systemctl edit strongswan # create new
[Service]
ExecStartPost=/etc/strongswan/masquerade.sh start
ExecStopPost=/etc/strongswan/masquerade.sh stop
systemctl enable --now strongswan
| [4] | If SELinux is enabled, change policy. |
[root@dlp ~]#
vi swan-ipsec.te # create new
# Local policy module so that the strongswan unit (running as init_t) can
# execute masquerade.sh, which lives under /etc/strongswan and is therefore
# presumably labelled ipsec_conf_file_t — confirm with `ls -Z`.
# NOTE(review): this grants execute on every ipsec_conf_file_t file, not just
# the one script; placing the script in a directory with an executable label
# (e.g. /usr/local/sbin) would avoid needing this module at all.
module swan-ipsec 1.0;
require {
type ipsec_conf_file_t;
type init_t;
type lsmd_t;
type passt_repair_exec_t;
class file { getattr execute execute_no_trans };
}
#============= init_t ==============
# NOTE(review): the trailing ";;" looks like a stray extra semicolon — confirm
# checkmodule accepts it, otherwise reduce it to a single ";".
allow init_t ipsec_conf_file_t:file { execute execute_no_trans };;
# NOTE(review): lsmd_t/passt_repair_exec_t has nothing to do with strongSwan and
# looks like unrelated audit2allow noise; consider dropping it to keep the
# module minimal.
allow lsmd_t passt_repair_exec_t:file getattr;
checkmodule -m -M -o swan-ipsec.mod swan-ipsec.te
[root@dlp ~]# semodule_package --outfile swan-ipsec.pp --module swan-ipsec.mod
[root@dlp ~]# semodule -i swan-ipsec.pp