Configure IPsec site-to-site VPN in Linux Machine
Update the system and install strongSwan (run as root, or prefix each command with sudo):
apt update && apt upgrade -y
apt install strongswan -y
Enable IP forwarding (the gateway must forward packets between the LAN and the tunnel) and disable ICMP redirects on both directions. Note that "sysctl key=value" sets the parameter in the running kernel, it does not merely check it; to read the current value, run sysctl with the key alone, e.g. sysctl net.ipv4.ip_forward.
sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.all.accept_redirects=0
sysctl net.ipv4.conf.all.send_redirects=0
To list all configured parameters:
sysctl -a
Output on the test box:
root@ubuntu-server-main:~# sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@ubuntu-server-main:~# sysctl net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_redirects = 0
root@ubuntu-server-main:~# sysctl net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.send_redirects = 0
Values set this way do not survive a reboot; put the same three lines (without the sysctl prefix) in /etc/sysctl.conf or a file under /etc/sysctl.d/ and apply them with sysctl --system.
Network Diagram: (image not reproduced) Linux strongSwan gateway 192.168.0.2 with LAN 10.10.10.0/24 <===> FortiGate 192.168.0.108 with LAN 14.140.40.0/24.
IPsec Config:
Configure the PSK and the VPN endpoints. /etc/ipsec.secrets holds the pre-shared key for the local/remote endpoint pair. It must be owned by root and readable only by root (chmod 600), because anyone who can read it can impersonate either gateway. Use a long random PSK, as below, and do not reuse it for other peers.
++++++++++++++
cat /etc/ipsec.secrets
# source destination
192.168.0.2 192.168.0.108 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
++++++++++++++
cat /etc/ipsec.conf
++++++++++++++
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# connection to Fortigate
conn linux-to-fg
    authby=secret
    left=%defaultroute
    leftid=192.168.0.2
    leftsubnet=10.10.10.0/24
    right=192.168.0.108
    rightsubnet=14.140.40.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyexchange=ikev1
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
++++++++++++++
Notes on the settings: the trailing "!" makes the ike/esp proposals strict, so the FortiGate phase 1 and phase 2 proposals must match exactly (AES-256, SHA-256, DH group 2). charondebug="all" is useful while bringing the tunnel up but is very verbose; lower it once the tunnel is stable. keyingtries=0 means retry forever, and dpdaction=restart re-establishes the tunnel when dead peer detection fires. Security caveat: modp1024 (DH group 2) gives only about 80 bits of security and IKEv1 is the legacy protocol; if the FortiGate side allows it, prefer keyexchange=ikev2 with modp2048 or an ECP group (for example ike=aes256-sha2_256-modp2048!), keeping the "!" so that a weaker proposal cannot be negotiated.
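The following is an added example, not part of the original post: a small POSIX shell linter that reads an ipsec.conf and flags the legacy settings discussed above (768/1024-bit MODP groups, MD5/SHA-1/3DES, non-strict proposals, keyexchange=ikev1 and charondebug="all"). The two embedded configs are constructed samples: the first reproduces the tutorial's connection, the second is a hardened counterpart that assumes the FortiGate side is configured to match. The checks are this example's own policy, not something strongSwan enforces.

```shell
#!/bin/sh
# Added example (not from the original post): lint a strongSwan ipsec.conf for
# legacy or weak settings. Reads the config on stdin, prints one finding per
# line and returns non-zero when anything was flagged.
# Assumptions: POSIX sh with sed; policy thresholds are this example's own.

# Constructed sample: the tutorial's config
SAMPLE_CONF='config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# connection to Fortigate
conn linux-to-fg
    authby=secret
    left=%defaultroute
    leftid=192.168.0.2
    leftsubnet=10.10.10.0/24
    right=192.168.0.108
    rightsubnet=14.140.40.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyexchange=ikev1
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
'

# Constructed sample: hardened counterpart (assumes the FortiGate is set to match;
# dpdtimeout is dropped because it only applies to IKEv1)
HARDENED_CONF='config setup
    charondebug="ike 1, cfg 0"
    uniqueids=yes

conn linux-to-fg
    authby=secret
    left=%defaultroute
    leftid=192.168.0.2
    leftsubnet=10.10.10.0/24
    right=192.168.0.108
    rightsubnet=14.140.40.0/24
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256-modp2048!
    keyexchange=ikev2
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdaction=restart
    auto=start
'

# lint_ipsec_conf: config on stdin -> findings on stdout, exit 0 only if clean
lint_ipsec_conf() {
    findings=0
    while IFS= read -r line; do
        # trim surrounding whitespace; skip blank lines and comments
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in ''|'#'*) continue ;; esac
        case "$key" in
            ike=*|esp=*)
                # DH groups 1/2 (768/1024-bit MODP) are far below current minimums
                case "$key" in
                    *modp768*|*modp1024*)
                        echo "WEAK-DH: $key (use modp2048 or an ECP group)"
                        findings=$((findings + 1)) ;;
                esac
                # legacy hash/cipher names that should not appear in a new tunnel
                case "$key" in
                    *md5*|*sha1*|*3des*)
                        echo "WEAK-ALG: $key"
                        findings=$((findings + 1)) ;;
                esac
                # without the trailing "!" the proposal is not strict
                case "$key" in
                    *!) ;;
                    *)
                        echo "NOT-STRICT: $key (append ! so only this proposal is offered)"
                        findings=$((findings + 1)) ;;
                esac ;;
            keyexchange=ikev1)
                echo "LEGACY-IKE: $key (prefer keyexchange=ikev2)"
                findings=$((findings + 1)) ;;
            charondebug=*all*)
                echo "DEBUG: $key (full debug logging; lower it after bring-up)"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh lint.sh /etc/ipsec.conf   or   sh lint.sh --demo (runs the samples)
case "${1:-}" in
    --demo)
        echo "== tutorial config =="
        printf '%s' "$SAMPLE_CONF" | lint_ipsec_conf || echo "(findings above)"
        echo "== hardened config =="
        printf '%s' "$HARDENED_CONF" | lint_ipsec_conf && echo "clean" ;;
    ?*) lint_ipsec_conf < "$1" ;;
esac
```

Run against the tutorial's own config the linter reports three findings (the 1024-bit DH group, IKEv1 and charondebug="all") and none against the hardened variant; it is a pre-deployment check, not a replacement for confirming the negotiated proposal in ipsec statusall.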
To start/restart the IPsec VPN:
ipsec start
ipsec restart
To check the tunnel status (an ESTABLISHED IKE_SA plus an INSTALLED CHILD_SA with the expected traffic selectors means the tunnel is up):
root@ubuntu-server-main:~# ipsec status
Security Associations (1 up, 0 connecting):
 linux-to-fg[14]: ESTABLISHED 2 minutes ago, 192.168.0.2[192.168.0.2]...192.168.0.108[192.168.0.108]
 linux-to-fg{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cfa41d3a_i 6acd4046_o
 linux-to-fg{3}:   10.10.10.0/24 === 14.140.40.0/24
The same command with the connection name shows only that connection. Here, after a CHILD_SA rekey, the old CHILD_SA {3} is marked REKEYED (it lingers until it expires or is deleted) and the new one {4} is INSTALLED and carrying the traffic:
root@ubuntu-server-main:~# ipsec status linux-to-fg
Security Associations (1 up, 0 connecting):
 linux-to-fg[14]: ESTABLISHED 33 minutes ago, 192.168.0.2[192.168.0.2]...192.168.0.108[192.168.0.108]
 linux-to-fg{3}:  REKEYED, TUNNEL, reqid 2, expires in 6 hours
 linux-to-fg{3}:   10.10.10.0/24 === 14.140.40.0/24
 linux-to-fg{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0571ad3_i 6acd4047_o
 linux-to-fg{4}:   10.10.10.0/24 === 14.140.40.0/24
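As an added example (not from the original post), the status check above turned into a script suitable for a cron job or monitoring probe: it parses the text of "ipsec status <conn>" and succeeds only when the IKE_SA is ESTABLISHED and an INSTALLED CHILD_SA carries the expected local/remote selectors, so a REKEYED leftover, a missing CHILD_SA or a tunnel negotiated for the wrong subnet all count as down. The sample outputs are constructed from the captures on this page and assume the strongSwan 5.x status format shown here.

```shell
#!/bin/sh
# Added example (not from the original post): health check over `ipsec status`
# output. Assumptions: strongSwan 5.x text format as in the post; POSIX sh,
# grep and sed. Samples below are constructed from the post's captures.

# Constructed sample: status after a CHILD_SA rekey ({3} REKEYED, {4} live)
STATUS_OK='Security Associations (1 up, 0 connecting):
 linux-to-fg[14]: ESTABLISHED 33 minutes ago, 192.168.0.2[192.168.0.2]...192.168.0.108[192.168.0.108]
 linux-to-fg{3}:  REKEYED, TUNNEL, reqid 2, expires in 6 hours
 linux-to-fg{3}:   10.10.10.0/24 === 14.140.40.0/24
 linux-to-fg{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0571ad3_i 6acd4047_o
 linux-to-fg{4}:   10.10.10.0/24 === 14.140.40.0/24
'
# Constructed sample: no SA at all (peer unreachable)
STATUS_NONE='Security Associations (0 up, 0 connecting):
  none
'
# Constructed sample: IKE_SA up but no CHILD_SA (phase 2 still failing)
STATUS_NO_CHILD='Security Associations (1 up, 0 connecting):
 linux-to-fg[14]: ESTABLISHED 5 seconds ago, 192.168.0.2[192.168.0.2]...192.168.0.108[192.168.0.108]
'

# tunnel_health NAME LOCAL_TS REMOTE_TS   (status text on stdin)
# Prints a verdict; returns 0 for healthy, 1 otherwise. REKEYED CHILD_SAs are
# ignored on purpose: they are on their way out and prove nothing about the
# replacement SA.
tunnel_health() {
    name=$1; lts=$2; rts=$3
    out=$(cat)
    ike_ok=0; child_ok=0
    if printf '%s\n' "$out" | grep -q "^ *${name}\[[0-9]*\]: *ESTABLISHED"; then
        ike_ok=1
    fi
    # each INSTALLED CHILD_SA line is followed by a line with the same {id}
    # listing its traffic selectors; require the expected pair on one of them
    for id in $(printf '%s\n' "$out" | sed -n "s/^ *${name}{\([0-9]*\)}: *INSTALLED,.*/\1/p"); do
        if printf '%s\n' "$out" | grep -q "^ *${name}{${id}}: *${lts} === ${rts}"; then
            child_ok=1
        fi
    done
    if [ "$ike_ok" -eq 1 ] && [ "$child_ok" -eq 1 ]; then
        printf 'UP %s: IKE_SA ESTABLISHED, CHILD_SA INSTALLED for %s === %s\n' "$name" "$lts" "$rts"
        return 0
    fi
    printf 'DOWN %s: ike_established=%s child_installed=%s\n' "$name" "$ike_ok" "$child_ok" >&2
    return 1
}

# Live usage on the gateway (as root), e.g. from cron with an alert on exit 1:
#   ipsec status linux-to-fg | tunnel_health linux-to-fg 10.10.10.0/24 14.140.40.0/24
# Demo against the constructed samples:
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$STATUS_OK"       | tunnel_health linux-to-fg 10.10.10.0/24 14.140.40.0/24 || true
    printf '%s' "$STATUS_NONE"     | tunnel_health linux-to-fg 10.10.10.0/24 14.140.40.0/24 || true
    printf '%s' "$STATUS_NO_CHILD" | tunnel_health linux-to-fg 10.10.10.0/24 14.140.40.0/24 || true
fi
```

Checking the selectors, not just the ESTABLISHED state, matters because a peer can bring up an IKE_SA and negotiate a CHILD_SA for a narrower or different subnet than intended; the tunnel then looks "up" while the traffic you care about is silently dropped or sent in the clear.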
To bring the tunnel UP manually (the log lines below show IKEv1 quick mode negotiating a new CHILD_SA, which rekeys {3} into {4}):
root@ubuntu-server-main:~# ipsec up linux-to-fg
generating QUICK_MODE request 3235577034 [ HASH SA No ID ID ]
sending packet: from 192.168.0.2[500] to 192.168.0.108[500] (188 bytes)
received packet: from 192.168.0.108[500] to 192.168.0.2[500] (172 bytes)
parsed QUICK_MODE response 3235577034 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
detected rekeying of CHILD_SA linux-to-fg{3}
CHILD_SA linux-to-fg{4} established with SPIs c0571ad3_i 6acd4047_o and TS 10.10.10.0/24 === 14.140.40.0/24
generating QUICK_MODE request 3235577034 [ HASH ]
connection 'linux-to-fg' established successfully
To bring the tunnel down:
ipsec down linux-to-fg
Set the service to start after boot (with auto=start the connection is brought up as soon as the daemon starts):
systemctl enable strongswan-starter
To get the IPsec SA information held by the kernel. This output contains the live ESP encryption and authentication keys, so treat it as sensitive and never paste it into tickets or chat. Both the pre-rekey and post-rekey SA pairs are still present here; replay-window 32 on the inbound SAs is the anti-replay window, and it is 0 on the outbound SAs because replay checks only apply to received packets.
root@ubuntu-server-main:~# ip xfrm state
src 192.168.0.2 dst 192.168.0.108
	proto esp spi 0x6acd4047 reqid 2 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha256) 0x290c3c6c4f6ec512b986588fbeb69506409139e40e4dca98b19c41fd08b3be47 128
	enc cbc(aes) 0x1419dc9671e44cd882b6432fc3fa6638da51637550eae65fbccd7d4a89de7e60
	anti-replay context: seq 0x0, oseq 0xf, bitmap 0x00000000
src 192.168.0.108 dst 192.168.0.2
	proto esp spi 0xc0571ad3 reqid 2 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0x44d5fa0349cce0f1a91fc4f598f719da18771caa2995d853a2e0769d2cc41958 128
	enc cbc(aes) 0x8bbeb3c2f7b7edec895d85b518ff7b900502d7bcd9d0163f5fe5c67559072613
	anti-replay context: seq 0x10, oseq 0x0, bitmap 0x00007fff
src 192.168.0.2 dst 192.168.0.108
	proto esp spi 0x6acd4046 reqid 2 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha256) 0x796c45c879c7eb2ffbaa3b5c52a0eecda7e440ee47c14026377a42077d6d25a8 128
	enc cbc(aes) 0x52a1fbf2b1bb43c14a84eb3bb1aca688191010b031b5750f932f205d10c9dc15
	anti-replay context: seq 0x0, oseq 0x4, bitmap 0x00000000
src 192.168.0.108 dst 192.168.0.2
	proto esp spi 0xcfa41d3a reqid 2 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0x66896e74cc0a075ca8a73df15aa5efed44246920f0c9cc111ae647c894315f10 128
	enc cbc(aes) 0x5ddf64fd64f23c175a17c2849dccbfc3a7311c83c71497d68e5b087bb35c3f9b
	anti-replay context: seq 0x5, oseq 0x0, bitmap 0x0000000f
SA status with statistics. This capture is from a later session (IKE_SA [28], CHILD_SA {10}) after several reauthentications and rekeys; the "IKE proposal" line confirms what was actually negotiated, here including MODP_1024, which is the place to verify that a proposal change took effect.
root@ubuntu-server-main:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-135-generic, x86_64):
  uptime: 17 hours, since Dec 27 19:10:18 2022
  malloc: sbrk 1638400, mmap 0, used 863664, free 774736
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  192.168.0.2
  10.10.10.2
Connections:
 linux-to-fg:  %any...192.168.0.108  IKEv1, dpddelay=30s
 linux-to-fg:   local:  [192.168.0.2] uses pre-shared key authentication
 linux-to-fg:   remote: [192.168.0.108] uses pre-shared key authentication
 linux-to-fg:   child:  10.10.10.0/24 === 14.140.40.0/24 TUNNEL, dpdaction=restart
Routed Connections:
 linux-to-fg{6}:  ROUTED, TUNNEL, reqid 2
 linux-to-fg{6}:   10.10.10.0/24 === 14.140.40.0/24
Security Associations (1 up, 0 connecting):
 linux-to-fg[28]: ESTABLISHED 12 minutes ago, 192.168.0.2[192.168.0.2]...192.168.0.108[192.168.0.108]
 linux-to-fg[28]: IKEv1 SPIs: 33a686270972bb32_i 80b5c851f6e408e0_r*, pre-shared key reauthentication in 29 minutes
 linux-to-fg[28]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
 linux-to-fg{10}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cf618e7a_i 5b0217df_o
 linux-to-fg{10}:  AES_CBC_256/HMAC_SHA2_256_128, 756 bytes_i (9 pkts, 230s ago), 756 bytes_o (9 pkts, 231s ago), rekeying in 7 hours
 linux-to-fg{10}:   10.10.10.0/24 === 14.140.40.0/24
Capture ESP packets on the outer interface. Only the encrypted ESP envelope is visible here; the SPIs match the INSTALLED CHILD_SA {4} above (0xc0571ad3 inbound, 0x6acd4047 outbound) and the sequence numbers increase by one per packet.
root@ubuntu-server-main:~# tcpdump -i eth0 host 192.168.0.108 and esp -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:51:32.440607 IP 192.168.0.108 > 192.168.0.2: ESP(spi=0xc0571ad3,seq=0xc), length 136
04:51:32.440695 IP 192.168.0.2 > 192.168.0.108: ESP(spi=0x6acd4047,seq=0xb), length 136
04:51:33.440542 IP 192.168.0.108 > 192.168.0.2: ESP(spi=0xc0571ad3,seq=0xd), length 136
04:51:33.440639 IP 192.168.0.2 > 192.168.0.108: ESP(spi=0x6acd4047,seq=0xc), length 136
04:51:34.440571 IP 192.168.0.108 > 192.168.0.2: ESP(spi=0xc0571ad3,seq=0xe), length 136
04:51:34.440656 IP 192.168.0.2 > 192.168.0.108: ESP(spi=0x6acd4047,seq=0xd), length 136
Capture the decrypted inner packets. With the kernel XFRM stack an inbound ESP packet is decrypted and then passed through the receive path a second time, so the same capture on eth0 filtered on the inner addresses and ICMP (IP protocol 1) shows the plaintext echo requests from the remote LAN. Only the inbound direction appears in the clear: the replies from 10.10.10.2 are encrypted before they reach the interface tap and show up only as ESP.
root@ubuntu-server-main:~# tcpdump -i eth0 host 14.140.40.108 and proto 1 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:57:03.195051 IP 14.140.40.108 > 10.10.10.2: ICMP echo request, id 2560, seq 0, length 64
04:57:04.194996 IP 14.140.40.108 > 10.10.10.2: ICMP echo request, id 2560, seq 1, length 64
04:57:05.195035 IP 14.140.40.108 > 10.10.10.2: ICMP echo request, id 2560, seq 2, length 64
04:57:06.194993 IP 14.140.40.108 > 10.10.10.2: ICMP echo request, id 2560, seq 3, length 64
List of registered IPsec algorithms. This is everything the daemon is able to negotiate, and it still includes MODP_768/MODP_1024, MD5 and 3DES, which is why the proposals in ipsec.conf should be pinned with a trailing "!" rather than left to the defaults.
root@ubuntu-server-main:~# ipsec listalgs
List of registered IKE algorithms:
  encryption: AES_CBC[aesni] AES_ECB[aesni] AES_CTR[aesni] RC2_CBC[rc2] 3DES_CBC[openssl] CAMELLIA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] DES_CBC[openssl] DES_ECB[openssl] NULL[openssl]
  integrity: AES_XCBC_96[aesni] AES_CMAC_96[aesni] HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl] HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl] HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
  aead: AES_CCM_8[aesni] AES_CCM_12[aesni] AES_CCM_16[aesni] AES_GCM_8[aesni] AES_GCM_12[aesni] AES_GCM_16[aesni] CHACHA20_POLY1305[openssl]
  hasher: HASH_SHA1[sha1] HASH_SHA2_224[sha2] HASH_SHA2_256[sha2] HASH_SHA2_384[sha2] HASH_SHA2_512[sha2] HASH_MD5[md5] HASH_MD4[openssl] HASH_IDENTITY[openssl]
  prf: PRF_AES128_XCBC[aesni] PRF_AES128_CMAC[aesni] PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl] PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_CAMELLIA128_XCBC[xcbc]
  xof: XOF_MGF1_SHA1[mgf1] XOF_MGF1_SHA224[mgf1] XOF_MGF1_SHA256[mgf1] XOF_MGF1_SHA384[mgf1] XOF_MGF1_SHA512[mgf1]
  drbg: DRBG_CTR_AES128[drbg] DRBG_CTR_AES192[drbg] DRBG_CTR_AES256[drbg] DRBG_HMAC_SHA1[drbg] DRBG_HMAC_SHA256[drbg] DRBG_HMAC_SHA384[drbg] DRBG_HMAC_SHA512[drbg]
  dh-group: ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl] ECP_224_BP[openssl] MODP_3072[openssl] MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl] CURVE_25519[openssl] CURVE_448[openssl]
  random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]