User:NeddySeagoon/strongswan
This article describes setting up a strongswan-based VPN.
I've tried a few times and lost interest but it would be a good thing to have.
Scope
At present, this page is more 'notes to self', since it's not working.
The approach will be 'baby steps'. Get a tunnel up between two hosts on the same subnet.
Fix the routing to support a tunnel between subnets. The motivation for that is to enable printing from untrusted hosts on WiFi to my printer on the trusted network. I could just move the printer to the untrusted network but that's a pain.
The next step will be to allow VPN connections from the big bad internet.
My router is a KVM running shorewall. It supports IPv4 and IPv6. The intent is to make both work. The shorewall setup will be described too.
I won't be able to avoid kernel configuration either.
At present, I don't intend to cover l2tp, since I don't think I have a use for it. However, if Android 8 needs it ...
Motivation
There is a lot of documentation around the web describing all the various bits, so it should just be a matter of assembling them.
I've tried that, it's like trying to cross a chasm in several small jumps. There are bits missing in the middle. Hence the 'baby steps' approach of building on what works.
Planning
The goal is to set up a VPN server, listening to the big bad internet, that will manage the tunnel(s) and route traffic to and from the protected network as if VPN was its own shorewall zone.
The end game then is one shorewall install and one strongswan install on the router KVM. My network will look like
The table below shows the firewall setup. Symbols:

From - To: may not initiate connections
From ? To: connection initiation determined by shorewall rules
From / To: same zone, no restrictions

+--------------------+----------+-----+-------+------+-----+-----+---------+----------+
| fw IP              | From     | To                                                  |
|                    |          | net | Green | Blue | DMZ | fw  | VPN-Net | VPN-Blue |
+--------------------+----------+-----+-------+------+-----+-----+---------+----------+
| Internet/29        | Net      |  /  |   -   |  -   |  ?  |  ?  |         |    ?     |
| 192.168.100.253/24 | Green    |  ?  |   /   |  ?   |  ?  |  ?  |    ?    |    ?     |
| 192.168.54.253/24  | Blue     |  ?  |   -   |  /   |  ?  |  -  |    -    |    -     |
| 192.168.10.253/24  | DMZ      |  ?  |   -   |  -   |  /  |  -  |    -    |    -     |
| All of the above   | fw       |  ?  |   -   |  -   |  ?  |  /  |         |          |
| Internet/29        | VPN-Net  | ??? |   ?   |  -   |  ?  |  -  |    /    |    -     |
| 192.168.54.253     | VPN-Blue | ??? |   -   |  ?   |  ?  |  -  |    -    |    /     |
+--------------------+----------+-----+-------+------+-----+-----+---------+----------+

Net = Internet
Green = Trusted
Blue = Untrusted
DMZ = Servers reachable from the internet

The IPv6 version will use the same logic.
The Kit of Parts
Kernel
The VPN is IPsec-based and requires policy routing, so the following kernel options are required at both ends of the tunnel.
[*] TCP/IP networking
[*] IP: advanced router
[*] IP: policy routing
For IPv4
<M> IP: AH transformation
<M> IP: ESP transformation
< > IP: ESP transformation offload
<*> IP: IPComp transformation
<M> IP: IPsec transport mode
<M> IP: IPsec tunnel mode
<M> IP: IPsec BEET mode
For IPv6, if you want to support a VPN over IPv6
<*> IPv6: AH transformation
<*> IPv6: ESP transformation
< > IPv6: ESP transformation offload
<*> IPv6: IPComp transformation
< > IPv6: Mobility
< > IPv6: Identifier Locator Addressing (ILA)
<*> IPv6: IPsec transport mode
<*> IPv6: IPsec tunnel mode
<*> IPv6: IPsec BEET mode
These settings will also turn on some basic crypto support that will get you started. Two things to check as well: the ciphers and hashes used by your IKE and ESP proposals must be enabled under Cryptographic API, and "Transformation user configuration interface" (CONFIG_XFRM_USER, under Networking options) must be set, because strongswan's charon daemon installs IPsec SAs and policies through that netlink interface and cannot bring a tunnel up without it.
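The kernel options above can be checked against a kernel config without opening menuconfig. The script below is an added example and is not from the wiki page or the strongswan project; it maps the menu entries to their Kconfig symbols and reports the ones that are neither built in nor modular. CONFIG_XFRM_USER is included because charon needs it; on newer kernels the "IPsec transport/tunnel/BEET mode" entries no longer appear (that support became unconditional), so drop those symbols from the lists if menuconfig does not show them.

```shell
#!/bin/sh
# Added example, not part of the wiki page: check a kernel .config (or a copy of
# /proc/config.gz) for the IPsec options listed above. Option names are the Kconfig
# symbols behind the menuconfig entries; "=y" and "=m" both count as present.
set -eu

# Symbols behind the IPv4 menu entries on this page.
IPSEC_V4_OPTS="CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_INET_XFRM_MODE_BEET"
# Symbols behind the IPv6 menu entries on this page.
IPSEC_V6_OPTS="CONFIG_INET6_AH CONFIG_INET6_ESP CONFIG_INET6_IPCOMP CONFIG_INET6_XFRM_MODE_TRANSPORT CONFIG_INET6_XFRM_MODE_TUNNEL CONFIG_INET6_XFRM_MODE_BEET"
# Needed by charon's kernel-netlink plugin to install SAs and policies.
IPSEC_EXTRA_OPTS="CONFIG_XFRM_USER"

# read_config FILE: emit the config text, decompressing a .gz copy of /proc/config.gz.
read_config() {
    case $1 in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# missing_opts FILE OPT...: print each OPT that is neither =y nor =m in FILE.
missing_opts() {
    cfg=$(read_config "$1")
    shift
    for opt in "$@"; do
        if ! printf '%s\n' "$cfg" | grep -q "^${opt}=[ym]$"; then
            echo "$opt"
        fi
    done
}

# check_ipsec_config FILE [v6]: exit 0 if every IPv4 option (plus the IPv6 set when
# "v6" is given) is present; otherwise list the missing ones on stderr and exit 1.
check_ipsec_config() {
    want="$IPSEC_V4_OPTS $IPSEC_EXTRA_OPTS"
    if [ "${2:-}" = v6 ]; then
        want="$want $IPSEC_V6_OPTS"
    fi
    # word splitting of $want into separate arguments is intended here
    missing=$(missing_opts "$1" $want)
    if [ -n "$missing" ]; then
        printf 'missing: %s\n' $missing >&2
        return 1
    fi
    return 0
}

# Usage (not run here): check_ipsec_config /usr/src/linux/.config v6
```

Run it against /usr/src/linux/.config on both ends of the tunnel before building; a missing module shows up later only as charon failing to install the SA, which is much harder to diagnose.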
Strongswan
This needs to be on the same system running shorewall.
root # emerge -av strongswan
Packets going to/from the VPN tunnel traverse the firewall twice.
An outgoing packet arrives unencrypted on an inside interface and is routed towards the VPN. IPsec then wraps it in ESP, and the ESP packet (IP protocol 50, addressed to the peer) passes through the firewall again on its way out to the internet. Incoming traffic is the reverse: the ESP packet arrives from the internet, is decrypted, and the plaintext passes through the firewall a second time before it is delivered or forwarded. The shorewall rules therefore have to allow both the IKE/ESP traffic on the outside (IKE is UDP 500 and 4500) and the decrypted traffic on the inside.
Shorewall
Shorewall will not be required until we need to do some routing.
Transport Mode (No Routing)
An encrypted link between two hosts on the same network. Until this works, nothing else will work either.
Configuration
Create the root-only file /etc/ipsec.secrets to hold the pre-shared key. Anyone who can read this file can impersonate either end of the tunnel, so it must be copied over a trusted channel (for example scp over an existing ssh session) to every system that will encrypt/decrypt VPN traffic, and installed with
-r-------- 1 root root
permissions; ls -l /etc/ipsec.secrets should show exactly that.
Edit /etc/ipsec.conf
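The two files for this step, generated by a script. This is an added example, not the page's own configuration: the peer addresses 192.168.100.10 and 192.168.100.20, the connection name host-to-host and the IKE/ESP proposals are assumptions chosen for illustration, and the target directory is a parameter so the script can be exercised somewhere other than /etc.

```shell
#!/bin/sh
# Added example, not from the wiki page: create ipsec.secrets (owner-only, 0400)
# and a transport-mode ipsec.conf for two hosts on one subnet, authenticated by a
# pre-shared key. The addresses 192.168.100.10/.20, the connection name
# "host-to-host" and the proposals are assumptions for illustration.
set -eu

# gen_psk: 32 random bytes from /dev/urandom as 64 hex characters.
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# write_secrets DIR LEFT RIGHT PSK: write DIR/ipsec.secrets, readable by owner only,
# and print its path. The same file goes to the peer over a trusted channel (scp).
write_secrets() {
    f="$1/ipsec.secrets"
    # umask in a subshell so the file is never group/world readable, even briefly.
    ( umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" > "$f" )
    chmod 0400 "$f"
    printf '%s\n' "$f"
}

# write_conf DIR LEFT RIGHT: IKEv2 transport-mode connection between the two hosts.
# The same file works on both peers: strongswan treats whichever of left/right is
# one of its own interface addresses as the local side.
write_conf() {
    cat > "$1/ipsec.conf" <<EOF
config setup

conn host-to-host
    keyexchange=ikev2
    type=transport
    authby=secret
    left=$2
    right=$3
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=start
EOF
}

# check_secrets_perms FILE: succeed only if FILE is exactly mode 0400 (-r--------).
# Ownership must be root:root as well; "ls -l FILE" confirms both.
check_secrets_perms() {
    [ -n "$(find "$1" -perm 0400 -print)" ]
}

# Usage on each peer, as root (not run here):
#   psk=$(gen_psk)
#   write_secrets /etc 192.168.100.10 192.168.100.20 "$psk"
#   write_conf /etc 192.168.100.10 192.168.100.20
#   ipsec restart && ipsec statusall
```

Generate the key once, on one host, and copy the finished ipsec.secrets to the other; running gen_psk on both ends produces two different keys and the IKE exchange will fail authentication. The trailing "!" on the proposals makes them strict, so a peer offering anything weaker is refused rather than negotiated down.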
Debug
Transport Mode (Routing Encrypted Traffic)
An encrypted link between two hosts on different networks. Now the encrypted (ESP) traffic itself is routed between networks; this is the traffic that will eventually be going out onto the internet.