IPsec/IKEv2-based VPN software for Linux
Gateway (gateway1.example.com): eth0 faces the VPN clients, eth1 faces the protected network, and IP forwarding must be enabled so decrypted traffic can be routed between the two.
# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.0.1 netmask 255.255.255.0
# sudo sysctl net.ipv4.ip_forward=1
Internal host (192.168.0.101, which is also the DNS server that strongswan.conf pushes to the clients): the return route sends traffic for the clients' virtual addresses back through the gateway.
# sudo ifconfig eth0 192.168.0.101 netmask 255.255.255.0
# sudo route add -net 192.168.100.0/24 gw 192.168.0.1
/etc/network/interfaces on the gateway (the persistent form of the ifconfig commands above):
auto eth0
iface eth0 inet static
    address 10.0.0.1
    network 10.0.0.0
    netmask 255.255.255.0
    broadcast 10.0.0.255

auto eth1
iface eth1 inet static
    address 192.168.0.1
    network 192.168.0.0
    netmask 255.255.255.0
    broadcast 192.168.0.255
- VPN Configuration[Tab]
> Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.
- Click Add VPN Realm button.
- Add a VPN Realm[Dialog]: Enter the following, then click OK button.
Realm ID: 10
Realm Name: Example VPN
Description: Config for Example VPN.
Mode: Remote Client
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node to show the Destination (Concentrator / Gateway) pane.
- Enter the following.
Destination Address: select IPv4 and enter 10.0.0.1 (the gateway's address on eth0).
- VPN Configuration[Tab]
> VPN Realms[Left-Tree]
> 10:Example VPN(Remote Client)[Left-Tree]
> My Key Store[Left-Tree]:
Click this tree node to show the My Key Store pane.
- Enter the following.
Authentication Method: EAP-MSCHAPv2
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > CA Certificate/CRL[Left-Tree]: Click this tree node to show the CA Certificate/Certificate Revocation List (CRL) pane.
- Enter the following.
Imported Certificate/CRL Format: PEM(Base64-encoding) - File
CA Certificates(X.509, *.pem): TestCA-cacert.pem
This must be the CA that issued the gateway's certificate (gateway1.example.com.cert.pem on the gateway below). With EAP-MSCHAPv2 the gateway authenticates itself by certificate first and the client only then sends its credentials, so a client that does not verify the gateway's certificate chain would hand its MSCHAPv2 response to any responder answering at 10.0.0.1.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.
- Click Save Configuration button.
- VPN Configuration[Tab]
> Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.
- Click Add VPN Realm button.
- Add a VPN Realm[Dialog]: Enter the following, then click OK button.
Realm ID: 10
Realm Name: Example VPN
Description: Config for Example VPN.
Mode: Remote Client
- Check Advanced Settings (version 0.2.b1-021 or later).
- VPN Configuration[Tab]
> VPN Realms[Left-Tree]
> 10:Example VPN(Remote Client)[Left-Tree]
> VPN Interface[Left-Tree]:
Click this tree node to show the VPN Tunnel/TAP Interface pane.
- Enter or select the following.
Internal Address Type: Auto (IKEv2 Configuration); the gateway assigns the client's virtual address from its rightsourceip pool through the IKEv2 configuration payload.
- VPN Configuration[Tab]
> VPN Realms[Left-Tree]
> 10:Example VPN(Remote Client)[Left-Tree]
> Network Interface[Left-Tree]:
Click this tree node to show the Network Interface pane.
- Check Use default route.
- VPN Configuration[Tab]
> VPN Realms[Left-Tree]
> 10:Example VPN(Remote Client)[Left-Tree]
> Service[Left-Tree]:
Click this tree node to show the Service pane.
- Network Deployment: Select Spoke Node / Client / Other.
- Remote Configuration(IKEv2): Select Remote Access Client.
- VPN Configuration[Tab]
> VPN Realms[Left-Tree]
> 10:Example VPN(Remote Client)[Left-Tree]
> My Key Store[Left-Tree]:
Click this tree node to show the My Key Store pane.
- Enter the following.
Authentication Method: EAP-MSCHAPv2
- VPN Configuration[Tab]
> VPN Realms[Left-Tree]
> 10:Example VPN(Remote Client)[Left-Tree]
> Peers[Left-Tree]:
Click this tree node to show the Peers pane.
- Click Add Peer button.
- Add a New Peer[Dialog]: Enter the following, then click OK button.
Peer ID Type: Host Name(FQDN)
Peer ID: gateway1.example.com (this must match the gateway's leftid, @gateway1.example.com, and the identity in its certificate)
- VPN Configuration[Tab]
> VPN Realms[Left-Tree]
> 10:Example VPN(Remote Client)[Left-Tree]
> Peers[Left-Tree] >
gateway1.example.com(FQDN)[Left-Tree]:
Click this tree node to show the Peer: gateway1.example.com(FQDN) pane.
- Enter the following.
Peer's IP Address: select IPv4 and enter 10.0.0.1
This peer's Network Deployment: Hub(Concentrator) Node
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > CA Certificate/CRL[Left-Tree]: Click this tree node to show the CA Certificate/Certificate Revocation List (CRL) pane.
- Enter the following.
Imported Certificate/CRL Format: PEM(Base64-encoding) - File
CA Certificates(X.509, *.pem): TestCA-cacert.pem
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.
- Click Save Configuration button.
Install the gateway's key, certificate and the CA certificate on the gateway (gateway1.example.com):
# sudo cp gateway1.example.com.key.pem /etc/ipsec.d/private/
# sudo cp gateway1.example.com.cert.pem /etc/ipsec.d/certs/
# sudo cp TestCA-cacert.pem /etc/ipsec.d/cacerts/
File names are case-sensitive, so use the same spelling (TestCA-cacert.pem) that the client imports. Check that /etc/ipsec.d/private/ and the key file in it are readable only by root.
/etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=no

# Add connections here.

# Example VPN connections
conn strongSwan-gw
    keyexchange=ikev2
    auto=add
    left=10.0.0.1
    leftcert=gateway1.example.com.cert.pem
    leftid=@gateway1.example.com
    leftsubnet=192.168.0.0/24
    leftauth=pubkey
    leftsendcert=always
    right=%any
    rightsourceip=192.168.100.0/28
    rightauth=eap-mschapv2
    eap_identity=%any

leftauth=pubkey makes the gateway prove its identity with the certificate before the client is asked for EAP credentials, and eap_identity=%any makes the gateway request the EAP identity (alice below) so that user is looked up in ipsec.secrets. The config setup keywords shown (nat_traversal, charonstart, plutostart) belong to strongSwan 4.x; strongSwan 5.x has no pluto and treats them as deprecated, so they can be dropped there.
/etc/strongswan.conf

# strongswan.conf - strongSwan configuration file

charon {
    ...
    plugins {
        attr {
            dns = 192.168.0.101
            subnet = 192.168.0.0/24
            netmask = 255.255.255.240
        }
    }
}
...
/etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA gateway1.example.com.key.pem "naisho"
alice : EAP "1234567890"

"naisho" is the passphrase protecting gateway1.example.com.key.pem, and alice / "1234567890" is the EAP-MSCHAPv2 user the Rockhopper client logs in as. Both are placeholders. Use a long random EAP password: an MSCHAPv2 challenge/response can be cracked offline by anyone who obtains one, and inside IKEv2 the only thing stopping a rogue gateway from obtaining one is the client's check of the gateway certificate.
# sudo ipsec restart
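The three gateway files above are edited by hand and have to agree with each other and with the client realm (certificate-based gateway authentication, EAP-MSCHAPv2 for the client, a virtual-IP pool that does not collide with the protected subnet, an attr netmask that matches that pool, a reachable pushed DNS server). The following script is an added example for this page, not code from Rockhopper or strongSwan: it parses the ipsec.conf, strongswan.conf and ipsec.secrets formats and lints the tutorial's settings. The embedded files are constructed copies of the ones above, and the thresholds it applies (minimum password length, which keywords are mandatory) are this example's own policy, not a strongSwan requirement.

```python
"""Lint the strongSwan gateway files from the tutorial for the settings the
remote-access client depends on. Added example; the thresholds are this
example's policy, not strongSwan's."""
import ipaddress

# Constructed sample input: the three files configured on the gateway above.
IPSEC_CONF = """
config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=no

conn strongSwan-gw
    keyexchange=ikev2
    auto=add
    left=10.0.0.1
    leftcert=gateway1.example.com.cert.pem
    leftid=@gateway1.example.com
    leftsubnet=192.168.0.0/24
    leftauth=pubkey
    leftsendcert=always
    right=%any
    rightsourceip=192.168.100.0/28
    rightauth=eap-mschapv2
    eap_identity=%any
"""

STRONGSWAN_CONF = """
charon {
    plugins {
        attr {
            dns = 192.168.0.101
            subnet = 192.168.0.0/24
            netmask = 255.255.255.240
        }
    }
}
"""

IPSEC_SECRETS = """
: RSA gateway1.example.com.key.pem "naisho"
alice : EAP "1234567890"
"""


def parse_ipsec_conf(text):
    """ipsec.conf: unindented 'config setup' / 'conn NAME' headers followed by indented key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = ' '.join(line.split())
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition('=')
            sections[current][key.strip()] = value.strip()
    return sections


def parse_strongswan_conf(text):
    """strongswan.conf: nested 'name {' ... '}' blocks with 'key = value' lines, one item per line."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('{'):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == '}':
            node = stack.pop()
        else:
            key, _, value = line.partition('=')
            node[key.strip()] = value.strip()
    return root


def parse_ipsec_secrets(text):
    """ipsec.secrets: '[selectors] : TYPE arguments' lines -> list of (selectors, type, arguments)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        selectors, _, rest = line.partition(':')
        kind, _, args = rest.strip().partition(' ')
        entries.append((selectors.split(), kind, args.strip()))
    return entries


def lint_gateway(conn, attr, secrets):
    """Return a list of findings for one conn section; an empty list means every check passed."""
    findings = []
    if conn.get('keyexchange') != 'ikev2':
        findings.append('keyexchange must be ikev2: EAP authentication exists only in IKEv2')
    if conn.get('leftauth') != 'pubkey':
        findings.append('leftauth must be pubkey: the gateway has to prove itself with its certificate '
                        'before the client reveals its EAP-MSCHAPv2 response')
    if conn.get('leftsendcert') != 'always':
        findings.append('leftsendcert=always expected so clients without a cached certificate can verify the gateway')
    if conn.get('rightauth') != 'eap-mschapv2':
        findings.append('rightauth must be eap-mschapv2 to match the Rockhopper client realm')
    if not conn.get('eap_identity'):
        findings.append('eap_identity is unset: the EAP user name would not be requested and matched')
    # Single-subnet values only; strongSwan also accepts comma-separated lists here.
    pool = ipaddress.ip_network(conn['rightsourceip'])
    subnet = ipaddress.ip_network(conn['leftsubnet'])
    if pool.overlaps(subnet):
        findings.append(f'virtual-IP pool {pool} overlaps the protected subnet {subnet}')
    # The page's netmask 255.255.255.240 is the /28 of rightsourceip; flag a mismatch.
    if 'netmask' in attr and ipaddress.ip_network('0.0.0.0/' + attr['netmask']).prefixlen != pool.prefixlen:
        findings.append(f"attr netmask {attr['netmask']} does not match the /{pool.prefixlen} pool")
    if 'dns' in attr and ipaddress.ip_address(attr['dns']) not in subnet:
        findings.append(f"pushed DNS server {attr['dns']} is outside leftsubnet, so clients cannot reach it via the tunnel")
    if not any(kind == 'RSA' for _, kind, _ in secrets):
        findings.append('no RSA private key in ipsec.secrets to go with leftcert')
    for selectors, kind, args in secrets:
        if kind == 'EAP':
            password = args.strip('"')
            if len(password) < 12 or password.isdigit():  # example policy, not a strongSwan rule
                findings.append(f"EAP password for {' '.join(selectors) or '<any>'} is weak (short or all digits)")
    return findings


def lint_files(ipsec_conf, strongswan_conf, ipsec_secrets, conn_name='strongSwan-gw'):
    """Parse the three files and lint the named conn section."""
    conn = parse_ipsec_conf(ipsec_conf)['conn ' + conn_name]
    attr = parse_strongswan_conf(strongswan_conf).get('charon', {}).get('plugins', {}).get('attr', {})
    return lint_gateway(conn, attr, parse_ipsec_secrets(ipsec_secrets))


if __name__ == '__main__':
    for finding in lint_files(IPSEC_CONF, STRONGSWAN_CONF, IPSEC_SECRETS):
        print('FINDING:', finding)
```

Run against the tutorial's files it reports a single finding, the ten-digit EAP password for alice; every other cross-file check (pubkey gateway authentication, pool/subnet separation, netmask vs. /28 pool, DNS inside leftsubnet, RSA key present) passes. Swapping leftauth=pubkey for a pre-shared key or moving the pool into 192.168.0.0/24 produces additional findings, which is the kind of drift between the client realm and the gateway files that otherwise only shows up as a failed IKE_AUTH.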