Ubuntu Cisco Ipsec Vpn



Skip to main content

  1. Cisco Ipsec Vpn Download
  2. Ubuntu 20.04 Cisco Ipsec Vpn
  3. Ubuntu Cisco Ipsec Vpn Free
  4. Ubuntu Ipsec Vpn Server
  5. Ubuntu 18.04 Cisco Ipsec Vpn
  6. Cisco Ipsec Vpn Configuration

On Ubuntu, you don't need to install the Cisco VPN Client: NetworkManager includes support for Cisco IPSec VPNs. The following steps will walk you through a successful installation and configuration of your VPN client. Configuring IPsec IKEv2 Remote Access VPN Clients on Ubuntu ¶ Before starting, install network-manager-strongswan and strongswan-plugin-eap-mschapv2 using apt-get or a similar mechanism. Setup the VPN Connection ¶ Copy the CA Certificate for the VPN from the firewall to the workstation.

IPSEC VPN on Ubuntu 16.04 with StrongSwan

Cisco Ipsec Vpn Download

Published: 12-09-2016 | Author: Remy van Elst | Text only version of this article


❗ This post is over four years old. It may no longer be up to date. Opinions may have changed.

Table of Contents

  • Certificates
  • Firewall & Packet Routing

This is a guide on setting up an IPSEC VPN server on Ubuntu 16.04 usingStrongSwan as the IPsec server and for authentication. It has a detailedexplanation with every step. We choose the IPSEC protocol stack because ofvulnerabilities found in pptpd VPNs and because it is supported on all recentoperating systems by default.

Why a VPN?

More than ever, your freedom and privacy when online is under threat.Governments and ISPs want to control what you can and can't see while keeping arecord of everything you do, and even the shady-looking guy lurking around yourcoffee shop or the airport gate can grab your bank details easier than you maythink. A self hosted VPN lets you surf the web the way it was intended:anonymously and without oversight.

A VPN (virtual private network) creates a secure, encrypted tunnel through whichall of your online data passes back and forth. Any application that requires aninternet connection works with this self hosted VPN, including your web browser,email client, and instant messaging program, keeping everything you do onlinehidden from prying eyes while masking your physical location and giving youunfettered access to any website or web service no matter where you happen tolive or travel to.

This tutorial is available for the following platforms:

Ubuntu Cisco Ipsec Vpn

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.
You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

IPSEC encrypts your IP packets to provide encryption and authentication, so noone can decrypt or forge data between your clients and your server. It alsoprovides a tunnel to send data to the server.

This VPN setup is called a road-warrior setup, because clients can connect fromanywhere. Another much used VPN setup is called site-to-site, where two VPNservers connect two networks with one another. In a road warrior setup yourlocal network isn't shared, but you do get access to the server's network.

Ipsec vpn cisco asa

To work trough this tutorial you should have:

  • 1 Ubuntu 16.04 server with at least 1 public IP address and root access
  • 1 (or more) clients running an OS that support IPsec IKEv2 vpns (Ubuntu, Mac OS, Windows 7+, Android 4+).
  • Ports 4500/UDP, 500/UDP, 51/UDP and 50/UDP opened in the firewall.

I do all the steps as the root user. You should do to, but only via sudo -i orsu -.

No L2TP?

A few of the previous tutorials used L2TP to set up the VPN tunnel and use IPSEConly for the encryption. With the IKEv2 protocol and newer operating systems(like OS X 10.8+, Android 4+, iOS 6+ and Windows 7+) supporting IKEv2 we canalso use IPSEC to set up the tunnel, before we used IPSEC to do that.

This VPN will therefore not work out of the box on older operating systems. Seemy other tutorials with L2TP on how to do that.

Overview

The tutorial consists out of the following steps:

  • Install packages
  • Generate certificates
  • Configure IPSEC
  • Configure Firewall

Android and Windows client configuration is covered at the end of the tutorial.

Install Strongswan

StrongSwan is a descendant of FreeS/WAN, just like Openswan or LibreSwan.Strongswan however is actively developed, whereas the other ones, exceptLibreSwan are less. StrongSwan is in default in the Ubuntu repositories. You canread more about Strongswan on wikipedia or their website.

Certificates

The VPN server will identify itself with a certificate to the clients. Theclients should use a certificate to authenticate themself. Previous tutorialsalso configured usernames and password and pre-shared keys, this tutorial doesnot. Certificates are easier to use, can be revoked and are less hassle thanmanaging usernames and passwords.

On Android with the StrongSwan Application you can just import the .p12 we aregoing to create later on. OS X and iOS from 10.10 and 9 upwards also supportthis authentication method.

You might want to install haveged to speed up the key generation process:

Haveged provides a constant source of entropy and randomness.

Start by creating a self singed root CA private key:

Generate a self signed root CA certificate of that private key:

You can view the certificate properties with the following command:

Example output:

Generate the VPN Host key. This is the keypair the VPN server host will use toauthenticate itself to clients. First the private key:

Generate the public key and use our earlier created root ca to sign the publickey:

The domain name or IP address of your VPN server, which is later entered in theclients connection properties, MUST be contained either in the subjectDistinguished Name (CN) and/or in a subject Alternative Name (--san). If thisdoes not match the clients will fail to connect.

The built in Windows 7 VPN client needs the serverAuth extended key usage flagin your host certificate as shown above, or the client will refuse to connect.In addition, OS X 10.7.3 or older requires the ikeIntermediate flag, which wealso add here.

We add the IP address twice, one with an @ in front so that it gets added asan subjectAltName of the DNSName type and one of the IPAddess type.

Let's view the certificate:

Output:

You can also use OpenSSL to see the contents, here is an excerpt:

Output:

The private key (/etc/ipsec.d/private/strongswanKey.der) of the CA should bemoved somewhere safe, possibly to a special signing host without access to theInternet. Theft of this master signing key would completely compromise yourpublic key infrastructure. Use it only to generate client certificates whenneeded.

This key needs to be added into /etc/ipsec.secrets, otherwise StrongSwan willnot use it.

Add the key:

The format : RSA keyname is important, don't forget the space. You can checkafterwards if StrongSwan has the private key available with the ipseclistcerts command:

Output:

If it doesn't say has private key on the pubkey line your filename or syntaxis wrong.

Client certificate

Any client will require a personal certificate in order to use the VPN. Theprocess is analogous to generating a host certificate, except that we identify aclient certificate by the clients e-mail address rather than a hostname.

We create a keypair for the example user 'John'.

Private key:

Public key, signed by our root ca we generated:

A VPN client needs a client certificate, its corresponding private key, and thesigning CA certificate. The most convenient way is to put everything in a singlesigned PKCS#12 file and export it with a paraphrase.

Convert the required keys to PEM formt before converting to a .p12:

Construct the .p12:

Enter a passphrase twice, then you have a .p12. You can send John.p12 and itsexport paraphrase to the person who is going to install it onto the client. Insome cases (iOS for example) you have to separately include the CA certificatecacerts/strongswanCert.pem.

Transport this John.p12 file and the password over seperate channels to aclient.

If you need any more user certificates, repeat the above steps with other userdata. You can also do this later on.

Revoking a certificate

If a certificate is lost or stolen, it must be revoked so nobody can use it toconnect to your VPN server. Assuming the certificate from the previous step gotstolen, we revoke it with:

Restart ipsec afterwards:

This generates the new certificate revocation list (CRL) crls/crl.der. Whensomeone tries to authenticate with the stolen certificate, he'll receive anauthentication credentials error message, and your log file will containsomething like:

To add another revoked certificate to the same list, we need to copy theexisting list into a temporary file:

Restart ipsec afterwards:

IPSEC Configuration

The main ipsec configuration file is located in /etc/. We are going to editit:

Ubuntu 20.04 Cisco Ipsec Vpn

Place the following contents:

The configuration has settings for IKEv2 + RSA certificates. This is, as statedabove, the most secure method. Older tutorials also set up IKEv1 (xauth) andusername-password combo, but that is considered insecure.

Apple added support for IKEv2 in iOS 8, but it needs to be configured using acustom configuration profile. OS X 10.9 and lower do not support IKEv2.

Beginning with iOS 9, IKEv2 connections are natively supported. However, iOS9only supports the use of certificates or username/password, but not both.

For iOS 9+ and OS X 10.10+ you need to make sure the leftid= is the same asthe CN in your certificate. You also need to enter that on the devices,otherwise you'll get a no matching peer config found log error.

Android 4+ and Windows 7+ support IKEv2.

Clients will get the Google DNS servers and an IP address in the 10.42.42.0/24range. We use a strong ciphersuite.

The leftcert=vpnHostCert.der expands to the path/etc/ipsec.d/certs/vpnHostCert.der.

Firewall & Packet Routing

Configure the iptables firewall to allow vpn traffic and to forward packets:

Replace %SERVERIP% with the external IP of the VPN server. If your externalinterface is not named ethX (+ is a wildcard) then rename appropriately.

Execute the below commands to enable kernel IP packet forwarding and disable ICPredirects.

Set these settings for other network interfaces:

Apply them:

Persistent settings via /etc/rc.local

To make sure this keeps working at boot you might want to add the following to/etc/rc.local:

Add it before the exit 0 line and replace %SERVERIP% with the external IP ofyour server.

Start the VPN

All the configuration on the server is now done. Enable the VPN at startup:

And start it:

If you get a permission denied error, stroke the files with apparmor:

Ubuntu Cisco Ipsec Vpn Free

Check the status of the service:

Output:

And a more elaborate status:

Output:

Client Configuration

See the Strongswan Wiki for guides on configuring Windows and OS X/iOSclients

On Android, the easiest way is to install the StrongSwan app, copy overthe .p12 and connect with the IP and option IKEv2 Certificate. Nothing more:

Just one tap to Connect and you're good to go:

Sources

Thanks to:

Ubuntu Ipsec Vpn Server

  • StrongSwan Wiki and the
  • StrongSwan ipsec.conf reference for most of the configuration.
  • zeitgeist for the certificate setup.
Tags: debian, ikev2, ipsec, openswan, openvpn, pptp, strongswan, tutorials, ubuntu, vpn

Having an L2TP/IPSEC VPN comes in very handy if you have a Macbook, iOS device, or run Stock Android and want to be able to remotely access your network from on the road. L2TP over IPSEC is a better choice than PPTP which is now considered insecure. Plus L2TP/IPSEC is supported natively by those devices, so no additional client software would be needed unlike OpenVPN.

To get started, let’s imagine a small network that runs on a fairly standard private address range. 192.168.1.0/24. This setup would be run on an internal Ubuntu Server that is networked to the internal network you wish to access. In this example, you only need 1 network card.

Forward Ports
Since the server resides on the internal network behind a router or firewall, you will need to forward certain ports to the server from your perimeter device for this to work.

You need to forward
UDP 500
UDP 4500
ESP Traffic (protocol 50)
AH Traffic (protocol 51)

ESP and AH are not ports, they are protocols. Most comsumer routers can’t forward these protocols, so you may be forced to use a “Forward All traffic” option to the internal server or use a “Internal DMZ Host” setup that can be found on many device. Test it out and find the best option that works for you.

Install IPSEC

Openswan is the package that provides the IPSEC functionality. You can use it for site to site VPNs using Preshared Keys, certificates, or other back-end auth mechanisms. In this setup, I’ll keep it simple and just use a Pre-Shared Key (PSK). A PSK with id and password would be good enough for most people who want to securely access a small or home network.

Edit the file /etc/ipsec.conf so that it looks like this
SANITY CHECK: Make sure you keep the spacing intact under the config headers and conn headers. You might get format errors without it…

Ubuntu Cisco Ipsec Vpn

Edit the /etc/ipsec.secrets file and add in the following to the bottom of the file:

Now lets setup the files that define the Connection.
Create/edit a file and call it /etc/ipsec.d/road-warrior.conf

Next, Create/edit a file called /etc/ipsec.d/road-warrior.secrets

Next, for OPENSWAN to function correctly, you need to run to following at the bash prompt:

To verify the OPENSWAN config use the IPSEC VERIFY command. Your output should match the output below.

Lastly, restart the IPSEC service

Install L2TP

Next up we need to install an L2TP package. L2TP works with IPSEC in that L2TP provides the Tunnel, where IPSEC provides the encryption.

Install the L2TP package:

Ubuntu 18.04 Cisco Ipsec Vpn

Edit the /etc/xl2tpd/xl2tpd.conf

Cisco Ipsec Vpn Configuration

The IP range is used by the L2tp Tunnel. You want to be sure that this range does not overlap with any internal network subnet. The Server IP address should not be part of the ip range.

Install PPP

The final piece of this setup is the user authentication. Every user can share a PreSharedKey, but each user should have a unique ID/PW.

Install PPP

Edit/create /etc/ppp/options.xl2tpd

Change the DNS servers to fit your needs. These servers are public, but you could just as easily use your private DNS in there as well.

Now add users by editing /etc/ppp/chap-secrets

Now setup your remote device with the proper servername, PSK, and id/pw and give it a test.

Final Note, if your OpenSwan doesn’t startup correctly after a reboot, you probably need to add the following to run on startup:

Edit /etc/rc.local to contain:

Troubleshooting:
If you run into trouble:

  • Look at the logs. “tail -f /var/log/syslog /var/log/auth.log” These will give you a lot of insight.
  • Double check that the ports are forwarded. The logs would show an inbound connection of some kind if the ports are open.
  • Double check the PSK matches on client and server
  • From logsd, Server Sends MR2 and waits for MI3 forever indicated ports are partially open, check the perimeter device.
  • The Command IPSEC whack –status” gives you a lot if instant info on the configuration. Plus it’s nice output to GREP for other scripts.

Finally, here are some little facts that threw me for a loop the first time I played with openswan and I wished someone would have pointed out to me when I started:

  • in the road-warrior.conf file, Right and Left simply differentiate the 2 sides of the VPN. You could switch the values for left and right without any issues. There is no difference.
  • Traffic leaving the OpenSwan server into the internal network will masquerade as the Server’s IP. All VPN traffic will look like it originates from the Server if you take a packet capture from any internal target.
  • You can have many *.conf files and *.secrets files as needed. You can mix Road Warrior confs with Site to site confs on the same host. Each with it’s own secrets file. No problem.

Good Luck.