StrongSwan Gateway VPN Server on Ubuntu

A VPN allows you to access the Internet safely and securely on an untrusted public Wi-Fi network. You can connect to remote VPN servers using the encrypted connection and surf the web anonymously.

strongSwan is free, open-source, and the most widely-used IPsec-based virtual private network implementation, allowing you to create an encrypted secure tunnel between two or more remote networks.

strongSwan uses the IKEv2 protocol, which allows for direct IPSec tunneling between the server and the client. strongSwan stands for Strong Secure WAN and supports both versions of automatic keying exchange in IPsec VPN, IKE V1 and V2.

References :

Install and Configure StrongSwan on Ubuntu 20.04Linode Guides & Tutorials

How to Install and Configure strongSwan VPN on UbuntuAtlantic.Net

---

Server Side Configuration

Update the system :

sudo apt update && sudo apt upgrade -y

Generate Server Keys and Certificate

Use the IPsec command-line utility to create your IPsec private key.

 sudo ipsec pki --gen --size 4096 --type rsa --outform pem > ca.key.pem
 sudo mv ca.key.pem /etc/ipsec.d/private/ca.key.pem
 sudo chmod 600 /etc/ipsec.d/private/ca.key.pem

Create and sign the root certificate with the configurations included below. Ensure you replace the value of the CN configuration with your own desired name for your StrongSwan VPN server.

 sudo ipsec pki --self --in /etc/ipsec.d/private/ca.key.pem --type rsa \
 --dn "CN=<Name of this VPN Server>" --ca --lifetime 3650 --outform pem | \
 sudo tee /etc/ipsec.d/cacerts/ca.cert.pem > /dev/null

Generate the StrongSwan VPN server’s private key and save it to /etc/ipsec.d/private/server.key.pem. This command ensures root permissions for file creation, and suppresses terminal output.

 sudo ipsec pki --gen --size 4096 --type rsa --outform pem | sudo tee /etc/ipsec.d/private/server.key.pem > /dev/null

Generate the host server certificate. There are two ways to generate the certificate, however, they cannot be mixed. The two ways are as follows:

• Use a local resolver, like DNS, your hosts’ file, or another resolver.

• Use a static host gateway server by providing its IPv4 address.

Local Resolver Method

 sudo ipsec pki --pub --in /etc/ipsec.d/private/server.key.pem --type rsa | \
 sudo ipsec pki --issue --lifetime 3650 \
 --cacert /etc/ipsec.d/cacerts/ca.cert.pem --cakey /etc/ipsec.d/private/ca.key.pem \
 --dn "CN=<serverhost.ourdomain.tld>" --san="<server.ourdomain.tld>" \
 --flag serverAuth --flag ikeIntermediate --outform pem | \
 sudo tee /etc/ipsec.d/certs/server.cert.pem > /dev/null

Gateway Server or IPV4 Address

sudo ipsec pki --pub --in /etc/ipsec.d/private/server.key.pem --type rsa | \
 sudo ipsec pki --issue --lifetime 3650 \
 --cacert /etc/ipsec.d/cacerts/ca.cert.pem --cakey /etc/ipsec.d/private/ca.key.pem \
 --dn "CN=<server static IP address>" \
 --san="<server static IP address>" --san="<server static IP address>" \
 --flag serverAuth --flag ikeIntermediate --outform pem | \
 sudo tee /etc/ipsec.d/certs/server.cert.pem > /dev/null

Important Locations for Key Management for Strongswan :

/etc/ipsec.d/private/ca.key.pem	        VPN Host Gateway Private Key
/etc/ipsec.d/cacerts/ca.cert.pem	VPN Host Gateway Root Certificate
/etc/ipsec.d/private/server.key.pem	VPN Host Gateway Private Key
/etc/ipsec.d/certs/server.cert.pem	VPN Host Gateway Server Certificate

Configuring Strongswan :

Use your preferred text editor to edit your /etc/sysctl.conf file. The configurations to add enable packet forwarding for IPsec and StrongSwan on your Ubuntu system. Add the following parameters in the end of config file

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
    

Reload the config changes using the following command:

sysctl -p

Installing Strongswan :

sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y

Now for the safer side if something goes wrong we first take the config backup

mv /etc/ipsec.conf /etc/ipsec.conf.bak

Make the new config file :

nano /etc/ipsec.conf

Configure the StrongSwan file. Open your /etc/ipsec.conf file and add the configurations included in the example file below.

Within the context of StrongSwan, the gateway host server (your Ubuntu server) is referred to as left resources. External hosts connecting to the StrongSwan VPN are referred to as right resources.

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=no
    uniqueids=yes
    cachecrls=no

conn ikev2-rw
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no

    left=%any
    leftid=0.0.0.0/0 OR @example.com <IP/DNS OF THE VPN SERVER>
    leftcert=server.cert.pem
    leftsendcert=always
    leftsubnet=100.100.200.0/24  # Client will have access to this range
    leftsourceip=10.10.69.0/24  # Clients will be assigned IPs from this range

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.69.0/24  # This will allocate IPs in the 10.10.69.x range
    rightdns=8.8.8.8  # DNS server for the client
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

Create authentication and access secrets. Access control and authentication require that StrongSwan clients provide a username and password. This information is contained in the /etc/ipsec.secrets file.

Using a text editor, create a the /etc/ipsec.secrets file with the following contents:

: RSA "/etc/ipsec.d/private/server.key.pem"
user1 : EAP "password@2"
user2 : EAP "password@1"    

Save and close the file. Then, restart the strongSwan service and enable it to start at reboot:

systemctl restart strongswan-starter.service
systemctl enable strongswan-starter.service
systemctl status strongswan-starter.service

You can also verify the strongSwan certificates using the following command:

ipsec listcerts

Your StrongSwan server is now ready to receive client connections. To check the status of the IPsec tunnel created by StrongSwan, use the following command:

sudo ipsec status

---

Client Side Configuration

We will consider adding clients on windows & Linux OS in this section

Ubuntu or any Linux:

 sudo apt update && upgrade -y

Install the StrongSwan client and required plugins.

 sudo apt install strongswan libcharon-extra-plugins

Download or copy the StrongSwan host gateway VPN server’s certificate. The certificate is located on the VPN server in /etc/ipsec.d/cacerts/ca.cert.pem. Store the copied or downloaded certificate in the client’s /etc/ipsec.d/cacerts directory.

Add the IPsec secrets file to the StrongSwan client. Using a text editor, add the /etc/ipsec.secrets file. The credentials for this user must exactly match those created on the StrongSwan VPN server.

user1 : EAP "password@1"

Create or modify the /etc/ipsec.conf configuration file. The file can be configured to support a host gateway VPN server configured for a resolver/DNS or to support access via an IPv4 address. Refer to the example configuration below that corresponds to your StrongSwan VPN server.

• Resolver DNS based :

config setup

conn ikev2-rw
    right=0.0.0.0/0 OR @example.com  # VPN server IP or DNS NAME
    rightid=0.0.0.0/0 OR @example.com  # Server identity (should match server config leftid)
    rightsubnet=100.100.200.0/24  # MATCH LEFT SUBNET OF SERVER # Network the client will have access to 
    rightauth=pubkey
    leftsourceip=%config  # Client will be assigned IP from the server pool (10.10.69.x)
    leftid=vishvam  # This is the EAP identity
    leftauth=eap-mschapv2  # EAP-MSCHAPv2 authentication
    eap_identity=%identity  # EAP identity should match what is on the server
    auto=start

To start the StrongSwan client VPN, use the following command:

 systemctl start strongswan-starter

Verify the StrongSwan connection from the client to server, use the following command:

 sudo ipsec status / ipsec restart

To enable connection on boot :

systemctl enable strongswan-starter
systemctl disable strongswan-starter

Windows OS :

Importing the VPN Root Certificate on Windows 10

To connect to a StrongSwan VPN gateway server, your Windows 10 system needs a copy of the gateway VPN server’s certificate.

• Import the VPN gateway server’s certificate that is located in /etc/ipsec.d/certs/server.cert.pem. The certificate must be marked as a VPN Root Certificate.

• Use the Microsoft Management Console/MMC to configure the VPN’s IPsec information.

1. Open the Run dialog box, (Windows_key-R), or press the Windows key, and enter into the lower-left dialog box, mmc.exe. This starts the Microsoft Management Console/MMC.

2. From the File menu of the MMC, scroll to Add or Remove Snap-in. Select Certificates from the list, and click Add.

   The Snap-in asks for the account type to manage. From the list that appears, choose Computer account.

   Then, choose Local Compute unless you manage other computers that also use this certificate. Click Finish, and the process is completed.

3. The Console Root MMC displays a list of certificate types on the left side of the MMC, and in the middle, a list of certificates pertaining to the selection on the left.

   On the left of the MMC, open Trusted Root Certificate Authorities, then click the Certificates folder that appears directly under Trusted Root Certificate Authorities.

4. From the MMC Action menu, choose All Tasks, then Import. The Certificate Import Wizard appears. Choose Local Machine, then browse to the location where the server.cert.pem file was imported, and select it.

5. The Certificate Import Wizard asks where to import the certificate. The wizard recognizes the type, and places the certificate into the Trusted Root Certification Authorities certificate store. Click Finish to complete the certificate import process.

Connecting a Windows Client to the StrongSwan Gateway VPN Server

The client authentication process relies on the ipsec.secrets file located on the gateway VPN server.

1. To configure a new VPN connection on your Windows computer, launch the Control Panel from the Windows menu by pressing the Windows key. Then, select Network and Sharing Center.

2. Choose Setup a new connection or network and then, select Connect to a workplace. Next, select Choose Use my Internet Connection (VPN).

   During this step, you need some details about your gateway VPN server. You should know the server’s DNS name if that’s how it was configured in the ipsec.conf file. If, however, you used an IPv4 address when configuring the leftid value in the ipsec.conf file, provide the server’s IPv4 address. Finally, you enter a username and password that matches the VPN server’s ipsec.secrets entry.

3. Start the VPN by clicking its name from the Taskbar Networks list of choices.

4. To terminate your VPN connection, click the VPN again and you have disconnected another network.