Set up ikev2 VPN on your Google Compute Engine via strongswan

Accually, There is one key set up scripts, algo.
Algo supports DigitalOcean (most user friendly), Amazon EC2, Google Compute Engine, and Microsoft Azure.

Install strongswan:
sudo apt-get install strongswan strongswan-plugin-eap-mschapv2 strongswan-plugin-xauth-generic

errong_leng@freevpn:~$ ipsec version
Linux strongSwan U5.3.5/K4.8.0-51-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.



Build CA:
ipsec pki --gen --outform pem > ca.key.pem
ipsec pki --self --in ca.key.pem --dn "C=CN, O=lengerrong, CN=104.198.151.116" --ca --outform pem > ca.cert.pem
ipsec pki --gen --outform pem > server.key.pem
ipsec pki --pub --in server.key.pem | ipsec pki --issue --cacert ca.cert.pem  --cakey ca.key.pem --dn "C=CN, O=lengerrong, CN=104.198.151.116" --san="104.198.151.116" --flag serverAuth --flag ikeIntermediate --out
form pem > server.cert.pem

Install CA:
sudo cp ca.cert.pem /etc/ipsec.d/cacerts/
sudo cp server.cert.pem /etc/ipsec.d/certs/
sudo cp server.key.pem /etc/ipsec.d/private/

Config strongswan:
errong_leng@freevpn:~$ cat  /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

Config ipsec conf:
errong_leng@freevpn:~$ sudo cat /etc/ipsec.conf
config setup
    uniqueids=never # allow multiple connections per user
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
    fragmentation=yes
    rekey=no
    dpdaction=clear
    keyexchange=ikev2
    compress=yes
    dpddelay=35s

    ike=aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256!
    esp=aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256!

    left=%any
    leftauth=pubkey
    leftid=104.198.151.116
    leftcert=server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0

    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.19.48.0/24,fd9d:bc11:4020::/48
    rightdns=8.8.8.8,8.8.4.4
conn ikev2-pubkey
    auto=add

Please replace  104.198.151.116 with your own external IP.

Config ipsec secrets:

errong_leng@freevpn:~$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA server.key.pem
: PSK "ucLinux1!"
lengerrong : XAUTH "ucLinux1!"
lengerrong : EAP "ucLinux1!"    

please replace "ucLinux1!" with your own password.
lengerrong is the username, you can replace it too and add more EAP user/password
using same format like it.
Config iptables:
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.19.48.0/24 -o ens4 -j MASQUERADE
sudo iptables -A FORWARD -s 10.19.48.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 10.19.48.0/24 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1316
-A FORWARD -s 10.19.48.0/24 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1316

Please replace  ens4 with your own internet interface( check it via ifconfig )

 Enable ip forwarding:
sudo vim /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
fs.suid_dumpable=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.send_redirects=0
sudo sysctl -p


Restart strongswan:
sudo service strongswan restart

You can check ipsec status:
errong_leng@freevpn:~$ sudo ipsec status
Security Associations (1 up, 0 connecting):
ikev2-pubkey[8]: ESTABLISHED 50 minutes ago, 10.128.0.3[104.198.151.116]...117.136.66.142[lengerrong]
ikev2-pubkey{6}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c0b3c907_i 64cfa142_o
ikev2-pubkey{6}:   0.0.0.0/0 ::/0 === 10.19.48.1/32 fd9d:bc11:4020::1/128
COMMIT

Comments

Post a Comment

Popular posts from this blog

How to fix error : no module named sendgrid when try to use sendgrid python lib in PHP.

Image
"no module named sendgrid" error reported with below codes: <?php system("/usr/bin/python sendmail.py 2>&1"); system("/usr/bin/python --version 2>&1", $ret); ?> sendmail.py import sendgrid import os from sendgrid.helpers.mail import * sg = sendgrid.SendGridAPIClient( apikey = os.environ.get( ' SENDGRID_API_KEY ' )) from_email = Email( " test@example.com " ) to_email = Email( " test@example.com " ) subject = " Sending with SendGrid is Fun " content = Content( " text/plain " , " and easy to do anywhere, even with Python " ) mail = Mail(from_email, subject, to_email, content) response = sg.client.mail.send.post( request_body = mail.get()) print (response.status_code) print (response.body) print (response.headers) ....
Read more

react-native run-android : sun.security.provider.cert path.SunCertPathBuilderException : unable to find valid certification path to req uested target

Image
F:\webrowser>react-native run-android Scanning folders for symlinks in F:\webrowser\node_modules (73ms) Starting JS server... Building and installing the app on the device (cd android && gradlew.bat install Debug)... Downloading https://services.gradle.org/distributions/gradle-4.1-all.zip Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.val idator.ValidatorException: PKIX path building failed: sun.security.provider.cert path.SunCertPathBuilderException: unable to find valid certification path to req uested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker. java:1514) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.jav a:216) at s
Read more

react-native run-android : do not build/update modified code(App.js)

Solution react-native bundle --platform android --dev false --entry-file index.js --bundle-output android/app/src/main/assets/index.android.bundle --assets-dest android/app/src/main/res c:\Users\lenger\Desktop\webrowser>react-native bundle --platform android --dev false --entry-file index.js --bundle-output android/app/src/main/assets/index.android.bundle --assets-dest android/app/src/main/res Scanning folders for symlinks in c:\Users\lenger\Desktop\webrowser\node_modules (43ms) Scanning folders for symlinks in c:\Users\lenger\Desktop\webrowser\node_modules (38ms) Loading dependency graph, done. bundle: start bundle: finish bundle: Writing bundle output to: android/app/src/main/assets/index.android.bundle bundle: Done writing bundle output Run react-native run-android again, you will find your modification work.
Read more