Configure IPsec site-to-site VPN in Linux Machine

 Configure IPsec site-to-site VPN in Linux Machine:


Update the system and install the strongSwan package

apt update && sudo apt upgrade -y

 apt install strongswan -y


Make sure the following kernel parameters are set. Note that `sysctl key=value` sets the value for the running kernel only; to query the current value without changing it, run `sysctl net.ipv4.ip_forward`, and add the settings to /etc/sysctl.conf (or a file under /etc/sysctl.d/) so they survive a reboot.

sysctl net.ipv4.ip_forward=1

To list all current kernel parameters: sysctl -a
root@ubuntu-server-main:~# sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@ubuntu-server-main:~# sysctl net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_redirects = 0
root@ubuntu-server-main:~# sysctl net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.send_redirects = 0
root@ubuntu-server-main:~#
Network Diagram:
IPsec Config:

Configure the PSK and update the VPN endpoints. The PSK shown below is only an example: generate a fresh, strong random secret for each tunnel, and keep /etc/ipsec.secrets readable by root only (mode 0600), since anyone who can read it can impersonate either peer.

++++++++++++++
cat /etc/ipsec.secrets
# source      destination
192.168.0.2   192.168.0.108 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

++++++++++++++
cat /etc/ipsec.conf (note: the IKE proposal below uses modp1024, a 1024-bit DH group that is considered too weak for new deployments, together with IKEv1; prefer modp2048 or stronger and IKEv2 if the FortiGate peer supports them):

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

# connection to Fortigate
conn linux-to-fg
        authby=secret
        left=%defaultroute
        leftid=192.168.0.2
        leftsubnet=10.10.10.0/24
        right=192.168.0.108
        rightsubnet=14.140.40.0/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyexchange=ikev1
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start
++++++++++++++

To start/restart the IPsec VPN:
ipsec start  / ipsec restart 

To check the tunnel status:
root@ubuntu-server-main:~# ipsec status
Security Associations (1 up, 0 connecting):
 linux-to-fg[14]: ESTABLISHED 2 minutes ago, 192.168.0.2[192.168.0.2]...192.168.0.108[192.168.0.108]
 linux-to-fg{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cfa41d3a_i 6acd4046_o
 linux-to-fg{3}:   10.10.10.0/24 === 14.140.40.0/24

root@ubuntu-server-main:~# ipsec status  linux-to-fg
Security Associations (1 up, 0 connecting):
 linux-to-fg[14]: ESTABLISHED 33 minutes ago, 192.168.0.2[192.168.0.2]...192.168.0.108[192.168.0.108]
 linux-to-fg{3}:  REKEYED, TUNNEL, reqid 2, expires in 6 hours
 linux-to-fg{3}:   10.10.10.0/24 === 14.140.40.0/24
 linux-to-fg{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0571ad3_i 6acd4047_o
 linux-to-fg{4}:   10.10.10.0/24 === 14.140.40.0/24

To bring the tunnel UP:
root@ubuntu-server-main:~# ipsec up linux-to-fg

generating QUICK_MODE request 3235577034 [ HASH SA No ID ID ]
sending packet: from 192.168.0.2[500] to 192.168.0.108[500] (188 bytes)
received packet: from 192.168.0.108[500] to 192.168.0.2[500] (172 bytes)
parsed QUICK_MODE response 3235577034 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
detected rekeying of CHILD_SA linux-to-fg{3}
CHILD_SA linux-to-fg{4} established with SPIs c0571ad3_i 6acd4047_o and TS 10.10.10.0/24 === 14.140.40.0/24
generating QUICK_MODE request 3235577034 [ HASH ]
connection 'linux-to-fg' established successfully

To bring the tunnel down:
ipsec down linux-to-fg 

Enable the service to start automatically at boot:
systemctl enable strongswan-starter

To get IPsec SA information (note: this output includes the raw ESP encryption and authentication keys of the live SAs, so treat it as sensitive and do not paste it into tickets or shared documents):
root@ubuntu-server-main:~#  sudo ip xfrm state
src 192.168.0.2 dst 192.168.0.108
        proto esp spi 0x6acd4047 reqid 2 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha256) 0x290c3c6c4f6ec512b986588fbeb69506409139e40e4dca98b19c41fd08b3be47 128
        enc cbc(aes) 0x1419dc9671e44cd882b6432fc3fa6638da51637550eae65fbccd7d4a89de7e60
        anti-replay context: seq 0x0, oseq 0xf, bitmap 0x00000000
src 192.168.0.108 dst 192.168.0.2
        proto esp spi 0xc0571ad3 reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x44d5fa0349cce0f1a91fc4f598f719da18771caa2995d853a2e0769d2cc41958 128
        enc cbc(aes) 0x8bbeb3c2f7b7edec895d85b518ff7b900502d7bcd9d0163f5fe5c67559072613
        anti-replay context: seq 0x10, oseq 0x0, bitmap 0x00007fff
src 192.168.0.2 dst 192.168.0.108
        proto esp spi 0x6acd4046 reqid 2 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha256) 0x796c45c879c7eb2ffbaa3b5c52a0eecda7e440ee47c14026377a42077d6d25a8 128
        enc cbc(aes) 0x52a1fbf2b1bb43c14a84eb3bb1aca688191010b031b5750f932f205d10c9dc15
        anti-replay context: seq 0x0, oseq 0x4, bitmap 0x00000000
src 192.168.0.108 dst 192.168.0.2
        proto esp spi 0xcfa41d3a reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x66896e74cc0a075ca8a73df15aa5efed44246920f0c9cc111ae647c894315f10 128
        enc cbc(aes) 0x5ddf64fd64f23c175a17c2849dccbfc3a7311c83c71497d68e5b087bb35c3f9b
        anti-replay context: seq 0x5, oseq 0x0, bitmap 0x0000000f

SA status with statistics:
root@ubuntu-server-main:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-135-generic, x86_64):
  uptime: 17 hours, since Dec 27 19:10:18 2022
  malloc: sbrk 1638400, mmap 0, used 863664, free 774736
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  192.168.0.2
  10.10.10.2
Connections:
 linux-to-fg:  %any...192.168.0.108  IKEv1, dpddelay=30s
 linux-to-fg:   local:  [192.168.0.2] uses pre-shared key authentication
 linux-to-fg:   remote: [192.168.0.108] uses pre-shared key authentication
 linux-to-fg:   child:  10.10.10.0/24 === 14.140.40.0/24 TUNNEL, dpdaction=restart
Routed Connections:
 linux-to-fg{6}:  ROUTED, TUNNEL, reqid 2
 linux-to-fg{6}:   10.10.10.0/24 === 14.140.40.0/24
Security Associations (1 up, 0 connecting):
 linux-to-fg[28]: ESTABLISHED 12 minutes ago, 192.168.0.2[192.168.0.2]...192.168.0.108[192.168.0.108]
 linux-to-fg[28]: IKEv1 SPIs: 33a686270972bb32_i 80b5c851f6e408e0_r*, pre-shared key reauthentication in 29 minutes
 linux-to-fg[28]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
 linux-to-fg{10}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cf618e7a_i 5b0217df_o
 linux-to-fg{10}:  AES_CBC_256/HMAC_SHA2_256_128, 756 bytes_i (9 pkts, 230s ago), 756 bytes_o (9 pkts, 231s ago), rekeying in 7 hours
 linux-to-fg{10}:   10.10.10.0/24 === 14.140.40.0/24

Capture ESP packets (the encrypted traffic on the outer interface):
root@ubuntu-server-main:~# tcpdump -i eth0 host 192.168.0.108 and esp -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:51:32.440607 IP 192.168.0.108 > 192.168.0.2: ESP(spi=0xc0571ad3,seq=0xc), length 136
04:51:32.440695 IP 192.168.0.2 > 192.168.0.108: ESP(spi=0x6acd4047,seq=0xb), length 136
04:51:33.440542 IP 192.168.0.108 > 192.168.0.2: ESP(spi=0xc0571ad3,seq=0xd), length 136
04:51:33.440639 IP 192.168.0.2 > 192.168.0.108: ESP(spi=0x6acd4047,seq=0xc), length 136
04:51:34.440571 IP 192.168.0.108 > 192.168.0.2: ESP(spi=0xc0571ad3,seq=0xe), length 136
04:51:34.440656 IP 192.168.0.2 > 192.168.0.108: ESP(spi=0x6acd4047,seq=0xd), length 136

Capture the decrypted (inner) packets:
root@ubuntu-server-main:~# tcpdump -i eth0 host 14.140.40.108 and proto 1 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:57:03.195051 IP 14.140.40.108 > 10.10.10.2: ICMP echo request, id 2560, seq 0, length 64
04:57:04.194996 IP 14.140.40.108 > 10.10.10.2: ICMP echo request, id 2560, seq 1, length 64
04:57:05.195035 IP 14.140.40.108 > 10.10.10.2: ICMP echo request, id 2560, seq 2, length 64
04:57:06.194993 IP 14.140.40.108 > 10.10.10.2: ICMP echo request, id 2560, seq 3, length 64

List the registered IPsec algorithms:
root@ubuntu-server-main:~# ipsec listalgs

List of registered IKE algorithms:

  encryption: AES_CBC[aesni] AES_ECB[aesni] AES_CTR[aesni] RC2_CBC[rc2] 3DES_CBC[openssl] CAMELLIA_CBC[openssl]
              CAST_CBC[openssl] BLOWFISH_CBC[openssl] DES_CBC[openssl] DES_ECB[openssl] NULL[openssl]
  integrity:  AES_XCBC_96[aesni] AES_CMAC_96[aesni] HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl]
              HMAC_SHA1_128[openssl] HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl]
              HMAC_SHA2_384_192[openssl] HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl]
              HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
  aead:       AES_CCM_8[aesni] AES_CCM_12[aesni] AES_CCM_16[aesni] AES_GCM_8[aesni] AES_GCM_12[aesni] AES_GCM_16[aesni]
              CHACHA20_POLY1305[openssl]
  hasher:     HASH_SHA1[sha1] HASH_SHA2_224[sha2] HASH_SHA2_256[sha2] HASH_SHA2_384[sha2] HASH_SHA2_512[sha2]
              HASH_MD5[md5] HASH_MD4[openssl] HASH_IDENTITY[openssl]
  prf:        PRF_AES128_XCBC[aesni] PRF_AES128_CMAC[aesni] PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl]
              PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl] PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl]
              PRF_FIPS_SHA1_160[fips-prf] PRF_CAMELLIA128_XCBC[xcbc]
  xof:        XOF_MGF1_SHA1[mgf1] XOF_MGF1_SHA224[mgf1] XOF_MGF1_SHA256[mgf1] XOF_MGF1_SHA384[mgf1]
              XOF_MGF1_SHA512[mgf1]
  drbg:       DRBG_CTR_AES128[drbg] DRBG_CTR_AES192[drbg] DRBG_CTR_AES256[drbg] DRBG_HMAC_SHA1[drbg]
              DRBG_HMAC_SHA256[drbg] DRBG_HMAC_SHA384[drbg] DRBG_HMAC_SHA512[drbg]
  dh-group:   ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] ECP_256_BP[openssl]
              ECP_384_BP[openssl] ECP_512_BP[openssl] ECP_224_BP[openssl] MODP_3072[openssl] MODP_4096[openssl]
              MODP_6144[openssl] MODP_8192[openssl] MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl]
              MODP_1536[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl]
              CURVE_25519[openssl] CURVE_448[openssl]
  random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
