Configure strongSwan VPN Client on Ubuntu 18.04/CentOS 8


Follow through this tutorial to learn how to configure a strongSwan VPN client on Ubuntu/CentOS. Our previous tutorial provided a step-by-step guide on how to set up a strongSwan VPN server on Debian 10 Buster.

Follow the link below to learn how to install and set up a strongSwan VPN server on Debian 10 Buster.

Setup IPSEC VPN using StrongSwan on Debian 10

Once you have the strongSwan VPN server set up, you can proceed to test virtual IP assignment and client-to-client connectivity through the VPN server.

In this demo, we are using Ubuntu 18.04 and CentOS 8 as our test strongSwan VPN clients.

Configuring strongSwan VPN Client on Ubuntu/CentOS

Install strongSwan on Ubuntu 18.04

strongSwan and the extra plugins (which provide the EAP-MSCHAPv2 authentication used below) can be installed on Ubuntu 18.04 by running the commands below;

apt update
apt install strongswan libcharon-extra-plugins

Install strongSwan on CentOS 8

The strongSwan packages are provided by the EPEL repository on CentOS 8 and similar derivatives. Hence, begin by installing the EPEL repository;

dnf install epel-release
dnf update
dnf install strongswan strongswan-charon-nm

Install strongSwan VPN Server CA certificate on the Client

Copy the strongSwan CA certificate generated on the VPN server in the previous tutorial, /etc/ipsec.d/cacerts/vpn_ca_cert.pem, to the client machines and;

  • place it in the /etc/ipsec.d/cacerts/ directory on Ubuntu 18.04
  • place it in the /etc/strongswan/ipsec.d/cacerts/ directory on CentOS 8.

The client uses this CA certificate to verify the server's certificate (rightauth=pubkey below); without it the IKE exchange fails at server authentication.

Configuring strongSwan VPN client

On Ubuntu 18.04;

Update the /etc/ipsec.conf configuration file to define how to connect to the strongSwan VPN server. See the configuration file below;

vim /etc/ipsec.conf
conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.kifarunix-demo.com
    rightid=vpnsvr.kifarunix-demo.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpnsecure
    leftauth=eap-mschapv2
    eap_identity=%identity

Set up authentication secrets

vim /etc/ipsec.secrets
...
# user id : EAP secret
vpnsecure : EAP "P@sSw0Rd"

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

Save the configuration file and restart strongSwan.

systemctl restart strongswan

Disable strongSwan from running on system boot;

systemctl disable strongswan

Check the status;

ipsec statusall
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 1 minutes ago, 10.0.2.15[vpnsecure]...192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cc36db97_i cb5ceb5b_o
ipsec-ikev2-vpn-client{1}:   172.16.7.1/32 === 0.0.0.0/0

On CentOS 8;

Update the /etc/strongswan/ipsec.conf configuration file to define how to connect to the strongSwan VPN server.

vim /etc/strongswan/ipsec.conf
conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.kifarunix-demo.com
    rightid=vpnsvr.kifarunix-demo.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=koromicha
    leftauth=eap-mschapv2
    eap_identity=%identity

Next, open the /etc/strongswan/ipsec.secrets configuration file and set up the EAP authentication details exactly as they are defined on the server. The user id must match the leftid in ipsec.conf, otherwise EAP authentication fails.

vim /etc/strongswan/ipsec.secrets
# user id : EAP secret
koromicha : EAP "mypassword"

Restart strongSwan.

systemctl restart strongswan

Disable strongSwan from running on system boot;

systemctl disable strongswan

Check the VPN connection status

strongswan statusall
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 2 minutes ago, 10.0.2.15[vpnsecure]...192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c573b6a1_i cd8306eb_o
ipsec-ikev2-vpn-client{1}:   172.16.7.2/32 === 0.0.0.0/0
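The following shell script is an added example and is not part of the original tutorial or the strongSwan project. It turns the checks performed by hand above into reusable functions: the distro-dependent config root and CLI name (ipsec on Ubuntu, strongswan on CentOS; the rhel/fedora/rocky/almalinux entries are my assumption that they follow the CentOS layout), a check that the leftid in ipsec.conf has a matching EAP line in ipsec.secrets, a permission check on the secrets file (assumes GNU stat), and a parser for statusall output that reports whether a named conn is fully up and which virtual IP it received. The function names are mine; the configuration, secrets and status text embedded below are constructed samples modelled on the Ubuntu client above.

```shell
#!/bin/sh
# Added example (not from the tutorial): shell checks for a strongSwan
# road-warrior client configured as described on this page.

# Constructed samples, modelled on the Ubuntu 18.04 client configuration above.
SAMPLE_CONF='conn ipsec-ikev2-vpn-client
    auto=start
    right=vpnsvr.kifarunix-demo.com
    rightid=vpnsvr.kifarunix-demo.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpnsecure
    leftauth=eap-mschapv2
    eap_identity=%identity'
SAMPLE_SECRETS='# user id : EAP secret
vpnsecure : EAP "P@sSw0Rd"'
SAMPLE_STATUS_UP='Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 1 minutes ago, 10.0.2.15[vpnsecure]...192.168.56.174[vpnsvr.kifarunix-demo.com]
ipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cc36db97_i cb5ceb5b_o
ipsec-ikev2-vpn-client{1}:   172.16.7.1/32 === 0.0.0.0/0'
SAMPLE_STATUS_DOWN='Security Associations (0 up, 1 connecting):
ipsec-ikev2-vpn-client[1]: CONNECTING, 10.0.2.15[%any]...192.168.56.174[%any]'

# swan_layout DISTRO_ID -> prints "<config-root> <cli>" for the ID found in
# /etc/os-release. Ubuntu/Debian and CentOS paths are the ones the tutorial
# uses; the other Red Hat family IDs are assumed to match CentOS.
swan_layout() {
    case "$1" in
        ubuntu|debian)                      printf '/etc %s\n' ipsec ;;
        centos|rhel|fedora|rocky|almalinux) printf '/etc/strongswan %s\n' strongswan ;;
        *) return 1 ;;
    esac
}

# eap_secret_present CONN CONF_TEXT SECRETS_TEXT -> 0 when the leftid of CONN
# has a matching "<id> : EAP ..." line. A mismatch is the usual cause of
# EAP-MSCHAPv2 authentication failures.
eap_secret_present() {
    conn=$1; conf=$2; secrets=$3
    id=$(printf '%s\n' "$conf" | awk -v c="$conn" '
        $1 == "conn" { cur = $2 }
        cur == c && $1 ~ /^leftid=/ { sub(/^leftid=/, "", $1); print $1; exit }')
    [ -n "$id" ] || return 1
    printf '%s\n' "$secrets" | grep -q "^${id} *: *EAP "
}

# secrets_mode_ok FILE -> 0 when group and other have no permission bits,
# i.e. the EAP password is readable by root only (mode 0600 or stricter).
secrets_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# vpn_state CONN STATUS_TEXT -> prints "up <vip>", "ike-only" or "down".
# Returns 0 only when both the IKE_SA (ESTABLISHED) and a CHILD_SA (INSTALLED)
# exist; an IKE_SA without a CHILD_SA means authentication worked but no
# traffic selector was negotiated, which is worth distinguishing.
vpn_state() {
    conn=$1; status=$2
    ike=$(printf '%s\n' "$status" | grep -c "^ *${conn}\[[0-9]*]: ESTABLISHED" || true)
    child=$(printf '%s\n' "$status" | grep -c "^ *${conn}{[0-9]*}: *INSTALLED" || true)
    vip=$(printf '%s\n' "$status" \
        | sed -n "s#^ *${conn}{[0-9]*}: *\([0-9.]*\)/32 === .*#\1#p" | head -n 1)
    if [ "$ike" -gt 0 ] && [ "$child" -gt 0 ]; then
        printf 'up %s\n' "$vip"; return 0
    fi
    if [ "$ike" -gt 0 ]; then printf 'ike-only\n'; else printf 'down\n'; fi
    return 1
}

# Demonstration on the constructed samples. On a real client replace the
# sample status with: $(ipsec statusall) on Ubuntu or $(strongswan statusall)
# on CentOS.
swan_layout ubuntu
swan_layout centos
eap_secret_present ipsec-ikev2-vpn-client "$SAMPLE_CONF" "$SAMPLE_SECRETS" && echo "EAP secret for leftid found"
vpn_state ipsec-ikev2-vpn-client "$SAMPLE_STATUS_UP"
vpn_state ipsec-ikev2-vpn-client "$SAMPLE_STATUS_DOWN" || echo "tunnel is not up"
```

On a live client, feed vpn_state the output of ipsec statusall (Ubuntu) or strongswan statusall (CentOS) and pass the real ipsec.secrets path to secrets_mode_ok; the secrets file holds the EAP password in clear text, so anything other than a root-only mode is a finding.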

On the strongSwan VPN Server, check the status;

In this demo, our strongSwan VPN server is running on Debian 10 Buster. Hence, you can check the status as shown below;

ipsec status
Security Associations (2 up, 0 connecting):
 ipsec-ikev2-vpn[4]: ESTABLISHED 18 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]...192.168.56.1[koromicha]
 ipsec-ikev2-vpn{4}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c4e5f1c2_i c8e1a02f_o
 ipsec-ikev2-vpn{4}:   0.0.0.0/0 === 172.16.7.2/32
 ipsec-ikev2-vpn[3]: ESTABLISHED 21 seconds ago, 192.168.56.174[vpnsvr.kifarunix-demo.com]...192.168.56.1[vpnsecure]
 ipsec-ikev2-vpn{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c7a4ee1d_i c558073b_o
 ipsec-ikev2-vpn{3}:   0.0.0.0/0 === 172.16.7.1/32

Test VPN Clients Connection

Now that the two clients have been assigned their individual virtual addresses;

  • Ubuntu 18.04: 172.16.7.1
  • CentOS 8: 172.16.7.2

To test the connection between the clients through the tunnel, simply run a ping test.

From Ubuntu 18.04, ping CentOS 8;

ping 172.16.7.2
PING 172.16.7.2 (172.16.7.2) 56(84) bytes of data.
64 bytes from 172.16.7.2: icmp_seq=1 ttl=64 time=3.18 ms
64 bytes from 172.16.7.2: icmp_seq=2 ttl=64 time=4.15 ms
64 bytes from 172.16.7.2: icmp_seq=3 ttl=64 time=3.47 ms
64 bytes from 172.16.7.2: icmp_seq=4 ttl=64 time=3.61 ms

--- 172.16.7.2 ping statistics --- 
4 packets transmitted, 4 received, 0% packet loss, time 10ms
rtt min/avg/max/mdev = 3.176/3.602/4.154/0.360 ms

From CentOS 8, ping Ubuntu 18.04.

ping 172.16.7.1
PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data.
64 bytes from 172.16.7.1: icmp_seq=1 ttl=64 time=3.24 ms
64 bytes from 172.16.7.1: icmp_seq=2 ttl=64 time=4.37 ms
64 bytes from 172.16.7.1: icmp_seq=3 ttl=64 time=4.08 ms
64 bytes from 172.16.7.1: icmp_seq=4 ttl=64 time=3.43 ms

--- 172.16.7.1 ping statistics --- 
4 packets transmitted, 4 received, 0% packet loss, time 9ms
rtt min/avg/max/mdev = 3.237/3.780/4.371/0.462 ms

Try SSH in both directions;

ssh koromicha@172.16.7.2
The authenticity of host '172.16.7.2 (172.16.7.2)' can't be established.
ECDSA key fingerprint is SHA256:wKoh/MWvCicV6cEe6jY19AkcBgk1lyjZorQt3aqflJM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.7.2' (ECDSA) to the list of known hosts.
koromicha@172.16.7.2's password: 
[koromicha@centos8 ~]$
ssh koromicha@172.16.7.1
The authenticity of host '172.16.7.1 (172.16.7.1)' can't be established.
ECDSA key fingerprint is SHA256:v20whQz4a4zpTJQfny/CGG56fRnP3Dpx8g5CkeCtFpo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.7.1' (ECDSA) to the list of known hosts.
koromicha@172.16.7.1's password: 
Linux debian 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 26 00:54:04 2020 from 172.16.7.2
koromicha@debian:~$

That marks the end of our guide on how to configure a strongSwan VPN client on Ubuntu/CentOS.


Author: koromicha