Configure IPSec VPN Gateway to Connect to External Systems using Strongswan

  1. Create a new Virtual Machine on the same network as the rest of the cluster nodes. This machine will be used as a gateway to access the external IPs. This machine will need a public IP. The preferred OS is Ubuntu Server 20.04 or higher.

  2. The rest of this guide will assume the following:

    1. 10.10.0.0/24 - the local network subnet.

    2. 192.168.0.0/24 - the external network subnet which we are trying to reach over VPN.

    3. 10.10.0.15 - the internal IP of the VPN gateway machine from Step 1.

    4. 3.10.x.x - Public IP of the VPN gateway machine from Step 1.

    5. 4.10.y.y - Public IP of VPN tunnel of the external Network.

  3. VPN Gateway Setup:

    1. Enable IP Forwarding on the node.

      1. Create a file /etc/sysctl.d/60-ip-forward.conf with the following contents:

        net.ipv4.ip_forward = 1
        net.ipv6.conf.all.forwarding = 1
      2. Run this to apply the above config:

        sudo systctl --system
    2. Install and configure Strongswan.

      1. Install Strongswan, run:

        sudo apt install strongswan libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins
      2. Take backup of ipsec.conf, run:

        sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
      3. Edit the /etc/ipsec.conf with the following contents:

        config setup
                charondebug="all"
                uniqueids=yes
        conn openg2p-to-external-vpn
                type=tunnel
                auto=start
                keyexchange=ikev2
                authby=psk
                # Phase 1
                ike=aes256-sha256-ecp521
                ikelifetime=28800s
                # Phase 2
                esp=aes256-sha256-ecp256
                lifetime=3600s
                aggressive=no
                keyingtries=%forever
                rekeymargin=3m
                left=10.10.0.15
                leftsubnet=10.10.0.15/32
                leftid=3.10.x.x
                right=4.10.y.y
                rightsubnet=192.168.0.0/24
                rightid=4.10.y.y
                dpddelay=30s
                dpdtimeout=120s
                dpdaction=restart
      4. Create /etc/ipsec.secrets with the following content:

        10.10.0.15 4.10.y.y : PSK "<PSK Value>"
      5. Start strongswan tunnel, run:

        sudo systemctl enable ipsec
        sudo systemctl start ipsec
      6. Check status by running:

        sudo ipsec statusall
    3. Configure iptables (firewall).

      1. Install iptables-persistent , run:

        sudo apt install iptables-persistent
      2. Set default forward policy as DROP, run:

        sudo iptables -P FORWARD DROP
      3. For each node that is allowed to access the external network, run the following: (The following is only an example, change it according to your system. To get the network interface names run: ip link )

        sudo iptables -A FORWARD -o <primary_network_interface_name> -s <10.10.node1.internalip> -j ACCEPT
        sudo iptables -A FORWARD -i <primary_network_interface_name> -d <10.10.node1.internalip> -j ACCEPT
        
        sudo iptables -A FORWARD -o <primary_network_interface_name> -s <10.10.node2.internalip> -j ACCEPT
        sudo iptables -A FORWARD -i <primary_network_interface_name> -d <10.10.node2.internalip> -j ACCEPT
      4. Enable NAT forwarding; run

        sudo iptables -A POSTROUTING -t nat -o <primary_network_interface_name> -j MASQUERADE
      5. Save the iptables changes for the next boot, run: (Make sure to run this whenever you change something on iptables)

        sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
  4. Add an IP Route on all the other nodes that need to access the VPN, to hop over the VPN Gateway node. (If a global routing table exists on the network, this rule can be added there instead.)

    sudo ip route add 192.168.0.0/24 via 10.10.0.15

Last updated

Logo

Copyright © 2024 OpenG2P. This work is licensed under Creative Commons Attribution International LicenseCC-BY-4.0 unless otherwise noted.