Default values
# Print the current forwarding and ICMP-redirect settings. The trailing space
# after ip_forward keeps longer keys such as ip_forward_use_pmtu out of the
# match; the other three keys are unambiguous as written.
sysctl -a | grep -E 'net.ipv4.ip_forward |net.ipv6.conf.all.forwarding|net.ipv4.conf.all.accept_redirects|net.ipv4.conf.all.send_redirects'
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 1
Update these parameters to the following values
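# These writes change the running kernel only; they are lost at reboot, so
# every key set here also has to go into the persistence step further down.
# This host routes between the two private networks, so forwarding is needed
# for both address families.
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
# A router must neither let neighbours rewrite its routing table via ICMP
# redirects nor emit redirects that reveal its routing decisions.
sysctl net.ipv4.conf.all.accept_redirects=0
sysctl net.ipv4.conf.all.send_redirects=0
# The default values listed above also show net.ipv6.conf.all.accept_redirects
# = 1 and the original steps never changed it; disable it explicitly rather
# than relying on the forwarding state to mask it.
sysctl net.ipv6.conf.all.accept_redirects=0
# conf.all covers interfaces that already exist; interfaces created later
# (tunnels, bridges, hot-plugged NICs) inherit from conf.default, so pin the
# same redirect settings there too.
sysctl net.ipv4.conf.default.accept_redirects=0
sysctl net.ipv4.conf.default.send_redirects=0
sysctl net.ipv6.conf.default.accept_redirects=0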
Check the values again
# Re-read the same four keys to confirm the writes above took effect. The
# trailing space after ip_forward keeps longer keys such as
# ip_forward_use_pmtu out of the match.
sysctl -a | grep -E 'net.ipv4.ip_forward |net.ipv6.conf.all.forwarding|net.ipv4.conf.all.accept_redirects|net.ipv4.conf.all.send_redirects'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
Make them persistent
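# `sysctl -p` on its own persists nothing: it only re-applies whatever is
# already in /etc/sysctl.conf. The runtime `sysctl key=value` writes above
# vanish at reboot unless the settings are written to that file first, so
# append them (the file uses `key = value` lines) and then reload. Appending
# twice leaves duplicate lines, so run this once, or edit the file directly.
# Any further key you set at runtime belongs in here as well.
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
# Load /etc/sysctl.conf now; the same file is applied automatically at boot.
sysctl -p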
Install iptables
# Provides the iptables command used for the NAT rules below (needs root,
# interactive confirmation). iptables rules themselves are not kept across
# reboots; installing iptables-persistent alongside gives a place to save them.
apt install iptables
GATEWAY 1:
Public IP: 192.168.0.194
Private IP: 192.168.100.3
Private Network: 192.168.100.1/24
Add a rule as per the IP scheme
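# Source-NAT traffic that arrives from GATEWAY 2's private network
# (10.124.0.0/20) and is bound for this site's LAN (192.168.100.0/24), so LAN
# hosts reply to this gateway (presumably so they need no route for the remote
# prefix). Side effect worth knowing: LAN hosts see the gateway's address, not
# the real remote source, so per-source filtering and audit logging for
# cross-site traffic has to happen on this gateway, not on the LAN hosts.
iptables -t nat -A POSTROUTING -s 10.124.0.0/20 -d 192.168.100.0/24 -j MASQUERADE
# -n prints addresses numerically instead of reverse-resolving every one via
# DNS (slow, and leaks lookups); -v adds interface and packet/byte counters,
# which is how you see whether the rule actually matches.
iptables -t nat -L -n -v
# The rule lives in kernel memory only; save it (iptables-save, or the
# iptables-persistent package) or it is gone after a reboot.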
GATEWAY 2:
Public IP: 192.168.0.173
Private IP: 10.124.0.3
Private Network: 10.124.0.0/20
Add a rule as per the IP scheme
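# Mirror of the GATEWAY 1 rule: source-NAT traffic arriving from GATEWAY 1's
# private network (192.168.100.0/24) and bound for this site's LAN
# (10.124.0.0/20), so LAN hosts reply to this gateway. As on the other side,
# LAN hosts then see the gateway's address rather than the real remote source,
# so per-source filtering and audit logging belongs on this gateway.
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 10.124.0.0/20 -j MASQUERADE
# -n: numeric output, no reverse-DNS lookup per address; -v: interface and
# packet/byte counters so a matching rule is visible.
iptables -t nat -L -n -v
# Not persistent: save with iptables-save (or the iptables-persistent package)
# or the rule is gone after a reboot.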
strongSwan configuration for GATEWAY 1
# ipsec.conf for GATEWAY 1. In the real file every parameter line must be
# indented under its `config setup` / `conn` header; the indentation was lost
# in this listing.
config setup
# Verbose charon debug logging: handy while bringing the tunnel up, but noisy
# and descriptive of peers and policy afterwards -- reduce it once stable.
charondebug="all"
# A new IKE SA from the same peer identity replaces the existing one.
uniqueids=yes
conn devgateway-to-prodgateway
type=tunnel
# Bring the tunnel up when charon starts (not merely load it or wait for
# traffic).
auto=start
keyexchange=ikev2
# Pre-shared key authentication; the matching PSK entry lives in
# ipsec.secrets, which this page does not show (the random-secret command
# below presumably generates it).
authby=secret
# NOTE(review): these addresses follow the referenced tutorial, not the
# "GATEWAY 1" / "GATEWAY 2" IP scheme above (public IPs 192.168.0.194 and
# 192.168.0.173, private networks 192.168.100.0/24 and 10.124.0.0/20), and
# both subnets are written as host addresses with a /24 mask. Set left/right
# and the subnets to the real scheme before deploying.
left=10.20.20.1
leftsubnet=192.168.0.101/24
right=10.20.20.3
rightsubnet=10.0.2.15/24
# Strict proposal (trailing "!"): AES-256 with SHA-1 integrity/PRF and the
# 1024-bit MODP DH group. SHA-1 and modp1024 are both deprecated for IKE;
# prefer e.g. aes256-sha256-modp2048! -- but change it on both peers at once,
# since the "!" forbids falling back to another proposal.
ike=aes256-sha1-modp1024!
# ESP also relies on SHA-1 HMAC; aes256-sha256! or an AEAD such as
# aes256gcm16! avoids it (again, on both peers together).
esp=aes256-sha1!
# Aggressive mode is an IKEv1 notion; with keyexchange=ikev2 this is inert.
aggressive=no
# Retry indefinitely instead of giving up after the default 3 attempts.
keyingtries=%forever
# IKE SA rekeyed every 8 h, CHILD (ESP) SA every 1 h.
ikelifetime=28800s
lifetime=3600s
# Dead Peer Detection: probe every 30 s. dpdtimeout only applies to IKEv1;
# with IKEv2 the retransmission timeout decides when the peer counts as dead.
dpddelay=30s
dpdtimeout=120s
# Re-establish the tunnel once the peer is declared dead.
dpdaction=restart
Command
# 24 random bytes (192 bits) from the kernel CSPRNG, base64-encoded into 32
# printable characters. Presumably the pre-shared key for authby=secret: it
# belongs in ipsec.secrets on both gateways (not shown on this page) --
# generate it on one host and copy it over a trusted channel; never put it in
# the conn section of ipsec.conf.
head -c 24 /dev/urandom | base64
strongSwan configuration for GATEWAY 2
# ipsec.conf for GATEWAY 2, the mirror image of GATEWAY 1's: left/right and
# the two subnets are swapped, everything else must match. In the real file
# the parameter lines are indented under `config setup` / `conn`.
config setup
# Verbose charon debug logging; reduce once the tunnel is stable.
charondebug="all"
# A new IKE SA from the same peer identity replaces the existing one.
uniqueids=yes
conn prodgateway-to-devgateway
type=tunnel
# Bring the tunnel up when charon starts.
auto=start
keyexchange=ikev2
# PSK authentication; the same secret as on GATEWAY 1 goes into ipsec.secrets
# here (not shown on this page).
authby=secret
# NOTE(review): as on GATEWAY 1, these addresses come from the referenced
# tutorial rather than the IP scheme above (public IPs 192.168.0.173 /
# 192.168.0.194, private networks 10.124.0.0/20 / 192.168.100.0/24), and the
# subnets are host addresses with a /24 mask. Adjust before deploying.
left=10.20.20.3
leftsubnet=10.0.2.15/24
right=10.20.20.1
rightsubnet=192.168.0.101/24
# Strict proposal ("!"): AES-256, SHA-1, 1024-bit MODP DH -- SHA-1 and
# modp1024 are deprecated; prefer e.g. aes256-sha256-modp2048!, changed on
# both peers at the same time because the "!" forbids fallback.
ike=aes256-sha1-modp1024!
# ESP with SHA-1 HMAC; aes256-sha256! or aes256gcm16! avoids SHA-1 (both
# peers together).
esp=aes256-sha1!
# IKEv1 notion only; inert with keyexchange=ikev2.
aggressive=no
# Retry indefinitely instead of the default 3 attempts.
keyingtries=%forever
# IKE SA every 8 h, CHILD SA every 1 h -- must agree with the other side.
ikelifetime=28800s
lifetime=3600s
# DPD probe every 30 s; dpdtimeout is an IKEv1-only setting, IKEv2 uses the
# retransmission timeout instead. Re-establish on a dead peer.
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
Ref: https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-debian-ubuntu/
Ref: https://www.cbui.dev/setting-up-an-aws-to-digital-ocean-site-to-site-vpn-with-strongswan/
Enjoy 😉