Strongswan server configuration
First, install the related package
apt install strongswan -y
Generate a PSK to be used on both ends (save it in a secure place to avoid losing it):
openssl rand -base64 64
You will get something like this:
YGOnBqAi0FOZNC36gg5jy9B9ROZavhMPDMDLXfknZdbQrWm+sRV200hkFsp6Ja4Y
7uDWFbljD2Hr36c3SQC27w==
Edit /etc/sysctl.conf and add the following lines at the bottom:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Then run this command to apply those changes:
sysctl -p /etc/sysctl.conf
ipsec.secrets
The file /etc/ipsec.secrets contains the PSK for your tunnels, edit it accordingly:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
vpn.mydomain.fr : PSK "YGOnBqAi0FOZNC36gg5jy9B9ROZavhMPDMDLXfknZdbQrWm+sRV200hkFsp6Ja4Y7uDWFbljD2Hr36c3SQC27w=="
ipsec.conf
The file /etc/ipsec.conf contains the tunnels configuration details:
# ipsec.conf - strongSwan IPsec configuration file
# Note: the parameters of a config/conn section must be indented.

# basic configuration
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

# Add connections here.

# Base information used as template
conn sts-base
        authby=secret
        fragmentation=yes
        # re-establish the tunnel when dead peer detection fires
        dpdaction=restart
        ike=aes128-sha256-curve25519
        # the trailing "!" makes this the only ESP proposal accepted
        esp=aes256gcm16-curve25519!
        keyingtries=1
        leftid=1.1.1.1

# OPNsense connection
conn vpn-01
        also=sts-base
        keyexchange=ikev2
        leftsubnet=10.0.0.0/32
        rightsubnet=192.168.0.0/24
        # for this to work, DNS must be usable and working.
        right=%vpn.mydomain.fr
        # bring the tunnel up as soon as charon starts
        auto=start
Here, we have defined a template connection (sts-base) that holds the common tunnel settings such as the IKE and ESP proposals, and then the actual OPNsense connection, which pulls the template in with also=. Note that multiple left or right subnets can be given as a comma-separated list.
OPNsense configuration
Now configure the local OPNsense side, which is easy too. Just follow these steps:
Go to VPN > IPsec > Tunnel Settings
- Add a new Phase 1 entry
  - Connection method: Start on traffic (this side of the tunnel will initiate the connection)
  - Key exchange: v2
  - Interface: WAN
  - Remote gateway: the public IP address of your remote Strongswan server
  - Authentication method: Mutual PSK
  - My identifier: I chose Distinguished name and set my public IP address's DNS name here.
  - Peer identifier: Peer IP address (this corresponds to what we set on the Strongswan server, but feel free to adapt your configuration)
  - Encryption algorithm: 256 bit AES-GCM with 128 bit ICV
  - Hash algorithm: SHA512
  - DH key group: 31 Elliptic curve 25519
  - Lifetime: 28800
  - Install policy: checked
  - NAT Traversal: Enable
- Add a Phase 2 entry to the Phase 1 you just added
  - Mode: Tunnel IPv4
  - Type (local network): LAN subnet (because I wanted to allow only that subnet)
  - Type (remote network): Network
  - Address: your remote network address
  - Protocol: ESP
  - Encryption algorithms: aes256gcm16
  - Hash algorithms: SHA512
  - PFS key group: 31 (Elliptic Curve 25519)
Strongswan basic commands
Now you are all set. I am sure you want to try it, so here are some commands to troubleshoot your tunnel on the Strongswan side:
Show Strongswan status:
ipsec status
# If all is well, you should see something like this:
Security Associations (1 up, 0 connecting):
vpn-01[2]: ESTABLISHED 4 minutes ago, 10.0.0.1[1.1.1.1]...2.2.2.2[vpn.mydomain.fr]
vpn-01{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e50580_i ce6450e0_o
vpn-01{2}: 10.0.0.0/24 === 192.168.1.0/24
Restart Strongswan:
ipsec restart
Turn on a tunnel by its name (see your ipsec.conf configuration file):
ipsec up connectionName
Replace up with down to shut down a tunnel.
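As an added example that is not part of the original post, the following POSIX shell helpers classify a connection's state from `ipsec status` output, so a cron job or monitoring check can alert when the OPNsense tunnel is not up (or when IKE negotiated but no CHILD_SA was installed, the usual symptom of an ESP proposal mismatch). The function names and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): check a strongSwan connection's
# state from `ipsec status` output, e.g. from a cron job that alerts on failure.

# `ipsec status` output, constructed here to match the page's example.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
      vpn-01[2]: ESTABLISHED 4 minutes ago, 10.0.0.1[1.1.1.1]...2.2.2.2[vpn.mydomain.fr]
      vpn-01{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e50580_i ce6450e0_o
      vpn-01{2}:   10.0.0.0/24 === 192.168.1.0/24'

# Constructed output for the failure mode where the IKE_SA came up but no
# CHILD_SA was installed (typically the ESP proposals do not match).
SAMPLE_IKE_ONLY='Security Associations (1 up, 0 connecting):
      vpn-01[3]: ESTABLISHED 2 seconds ago, 10.0.0.1[1.1.1.1]...2.2.2.2[vpn.mydomain.fr]'

# tunnel_state NAME   (reads `ipsec status` output on stdin)
# Prints: up        IKE_SA ESTABLISHED and a CHILD_SA INSTALLED
#         ike-only  IKE_SA ESTABLISHED but no CHILD_SA
#         down      no SA at all for NAME
tunnel_state() {
    ts_name=$1; ts_ike=0; ts_child=0
    while IFS= read -r ts_line; do
        case $ts_line in
            *"$ts_name["*"]: ESTABLISHED"*) ts_ike=1 ;;
            *"$ts_name{"*"}:"*"INSTALLED,"*) ts_child=1 ;;
        esac
    done
    if [ "$ts_ike" = 1 ] && [ "$ts_child" = 1 ]; then echo up
    elif [ "$ts_ike" = 1 ]; then echo ike-only
    else echo down
    fi
}

# tunnel_selectors NAME   (reads `ipsec status` output on stdin)
# Prints the negotiated traffic selectors, e.g. "10.0.0.0/24 === 192.168.1.0/24",
# so a check can confirm they match leftsubnet/rightsubnet in ipsec.conf.
tunnel_selectors() {
    sel_name=$1
    while IFS= read -r sel_line; do
        case $sel_line in
            *"$sel_name{"*"}:"*" === "*)
                sel=${sel_line#*:}                 # drop the "vpn-01{2}:" prefix
                sel=${sel#"${sel%%[! ]*}"}         # strip leading blanks
                echo "$sel" ;;
        esac
    done
}

# On a live host: ipsec status | tunnel_state vpn-01
printf '%s\n' "$SAMPLE_STATUS" | tunnel_state vpn-01
printf '%s\n' "$SAMPLE_STATUS" | tunnel_selectors vpn-01
```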