Configure IPSEC VPN using StrongSwan on Ubuntu 18.04


In this guide, we are going to learn how to configure an IPsec VPN using strongSwan on Ubuntu 18.04. We have covered similar guides on how to install an OpenVPN server on Fedora 29 and FreeBSD 12; you can check those by following the links below;

The major purpose of a VPN is to create an encrypted and authenticated tunnel between two or more remote networks, so that traffic crossing an untrusted network, the Internet in this case, can neither be read nor tampered with in transit. IPsec is one such VPN technology: it provides encryption and authentication at the IP (Internet Protocol) layer, below TCP and UDP, so every application is protected without any change to the application itself. IPsec support was originally mandatory for IPv6 stacks (later relaxed to a recommendation) and has always been optional for IPv4 stacks.

strongSwan, on the other hand, is open source VPN software for Linux that implements IPsec. It supports the IPsec protocols and extensions such as IKEv1/IKEv2, X.509 digital certificates, EAP authentication methods and NAT traversal, among others.

Configure IPSEC VPN using strongSwan on Ubuntu 18.04

Install strongSwan on Ubuntu 18.04

Fortunately, strongSwan is available in the default Ubuntu 18.04 repositories and can simply be installed by running the command below (the commands in this guide are run as root; prefix them with sudo otherwise);

apt install strongswan

Setup CA Using the strongSwan PKI Tool

In order for the VPN client to verify the authenticity of the VPN server, you need to generate a VPN server certificate and key. Before you can generate them, you have to create a local CA for signing them. strongSwan provides a PKI utility that eases this process; it ships in a separate package, so install it by running the command below;

apt install strongswan-pki

Once the installation is done, proceed to create the CA. To begin with, generate a private key for self-signing the CA certificate.

ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-ca.key.pem

This key signs every certificate your clients will trust, so guard it accordingly: readable by root only (mode 0600), and ideally moved off the VPN server altogether once the server certificate has been issued, since the daemon never needs it.

Generate the VPN server CA certificate and self-sign it with the key generated above. The lifetime is given in days (3650 is ten years).

ipsec pki --self --in vpn-ca.key.pem --type rsa --dn "CN=VPN Server root CA" --ca --lifetime 3650 --outform pem > vpn-ca.cert.pem

Next, generate a VPN server private key and issue a matching certificate using the CA created above.

ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-server.key.pem

Once you have the server key in place, generate the server certificate by running the command below. Fill in the DN (for example CN=<server FQDN>) and the SAN. The SAN must be the host name or IP address the clients will dial, and it must match leftid in ipsec.conf; otherwise clients will reject the certificate during IKE authentication.

ipsec pki --pub --in vpn-server.key.pem --type rsa | \
ipsec pki --issue --lifetime 2750 \
--cacert vpn-ca.cert.pem \
--cakey vpn-ca.key.pem \
--dn "" \
--san="" \
--flag serverAuth --flag ikeIntermediate --outform pem > vpn-server.cert.pem
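The PKI steps above collected into one script. This is an added example, not code from the original page: it assumes the server is dialled as vpn.example.com or 203.0.113.10 (both placeholders; set VPN_FQDN and VPN_IP), generates everything in a scratch directory under a restrictive umask so no key is ever world-readable, checks the issued certificate with ipsec pki --print, and installs only what the daemon needs (the CA key stays out of /etc/ipsec.d). The helpers build_pki, verify_server_cert, key_is_private and install_pki are this example's own names.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: CA + server certificate with the
# strongSwan pki tool, verified and installed under /etc/ipsec.d.
# Assumed values (override via the environment): the server is dialled as
# vpn.example.com / 203.0.113.10; both are placeholders.
set -eu

VPN_FQDN="${VPN_FQDN:-vpn.example.com}"   # must equal leftid in ipsec.conf
VPN_IP="${VPN_IP:-203.0.113.10}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"        # scratch directory for the generated files
IPSEC_D="${IPSEC_D:-/etc/ipsec.d}"        # point elsewhere for a dry run

# Generate CA key/cert and server key/cert in $WORKDIR.
build_pki() {
  umask 077                               # files are created 0600: keys are never world-readable
  cd "$WORKDIR"
  ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-ca.key.pem
  ipsec pki --self --in vpn-ca.key.pem --type rsa \
      --dn "CN=VPN Server root CA" --ca --lifetime 3650 --outform pem > vpn-ca.cert.pem
  ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-server.key.pem
  # The SAN lists both the name and the address so a client may dial either.
  ipsec pki --pub --in vpn-server.key.pem --type rsa | \
  ipsec pki --issue --lifetime 2750 \
      --cacert vpn-ca.cert.pem --cakey vpn-ca.key.pem \
      --dn "CN=${VPN_FQDN}" --san "${VPN_FQDN}" --san "${VPN_IP}" \
      --flag serverAuth --flag ikeIntermediate --outform pem > vpn-server.cert.pem
}

# Print the issued certificate; fail unless the SAN and both IKE flags are present.
verify_server_cert() {
  out="$(ipsec pki --print --in "$WORKDIR/vpn-server.cert.pem")"
  printf '%s\n' "$out"
  printf '%s\n' "$out" | grep -q "$VPN_FQDN" &&
  printf '%s\n' "$out" | grep -q serverAuth &&
  printf '%s\n' "$out" | grep -q ikeIntermediate
}

# True only if a key file is readable by its owner alone.
key_is_private() {
  [ "$(stat -c %a "$1")" = "600" ]
}

# Copy into strongSwan's directories: certificates world-readable, the server key
# owner-only. The CA key is not copied: charon never needs it, so keep it offline.
install_pki() {
  install -m 0644 "$WORKDIR/vpn-ca.cert.pem"     "$IPSEC_D/cacerts/"
  install -m 0644 "$WORKDIR/vpn-server.cert.pem" "$IPSEC_D/certs/"
  install -m 0600 "$WORKDIR/vpn-server.key.pem"  "$IPSEC_D/private/"
}

# Usage (as root): source this file, then
#   build_pki && verify_server_cert && install_pki
```

Sourcing the file and running the three functions in order reproduces the page's procedure; pointing IPSEC_D at a scratch directory lets you rehearse it without touching /etc.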

Install the certificates

Now that you have all the certificates, install them by moving them to the respective IPsec certificate directories under /etc/ipsec.d. The daemon itself only needs the server key; the CA key is used solely to issue further certificates, so it is safer kept off the server, but if you do keep it there it goes into private/ alongside the server key, as below.

mv vpn-ca.cert.pem /etc/ipsec.d/cacerts/
mv vpn-server.cert.pem /etc/ipsec.d/certs/
mv {vpn-ca.key.pem,vpn-server.key.pem} /etc/ipsec.d/private/

Configure StrongSwan on Ubuntu 18.04

The /etc/ipsec.conf configuration file specifies most configuration and control information for the strongSwan IPsec subsystem. It consists of three different section types:

  • CONFIG SECTIONS (config setup)
    – It defines general configuration parameters
  • CONN SECTIONS (conn <name>)
    – A conn section contains a connection specification, defining a network connection to be made using IPsec.
  • CA SECTION (ca <name>)
    – It defines a certification authority.

Before editing this file, make a backup of it.

cp /etc/ipsec.conf /etc/ipsec.conf.bak
vim /etc/ipsec.conf

Define the CONFIGURATION parameters;

config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
  • The charondebug = <debug list> parameter defines charon's debug logging, where the debug list can include dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts. The logging level for each can be one of -1, 0, 1, 2, 3, 4 (silent, audit, control, controlmore, raw, private). By default, the level is set to 1 for all types. Level 2, used above, is helpful while bringing the tunnel up but is very chatty; levels 3 and 4 write raw packet contents and private keying material to the log, so never leave them enabled on a production server, and drop the levels back to 1 (or 0) once the VPN works. For a description of the debug lists, check the LOGGER CONFIGURATION section of strongswan.conf(5).
  • The strictcrlpolicy parameter defines whether a fresh CRL must be available for peer authentication based on RSA signatures to succeed.
  • uniqueids defines whether a particular participant ID should be kept unique, i.e. whether a new connection with the same ID replaces an existing one.
  • cachecrls defines whether or not to cache the certificate revocation lists (CRLs) fetched via HTTP or LDAP.

Define the CONNECTION parameters;

conn ipsec-ikev2-vpn
      auto=add  # load the connection at startup and wait for clients to initiate
      keyexchange=ikev2
      type=tunnel  # defines the type of connection, tunnel.
      left=%any  # accept on any local address
      leftid=@  # server identity, normally the FQDN in the certificate SAN; if using an IP, define it without the @ sign
      leftcert=vpn-server.cert.pem  # reads the VPN server cert in /etc/ipsec.d/certs
      leftsubnet=0.0.0.0/0  # clients send all traffic through the tunnel
      right=%any  # clients may connect from anywhere
      rightauth=eap-mschapv2  # clients authenticate with the EAP credentials in ipsec.secrets (assumed method; it is what the built-in OS clients use)
      rightsourceip=  # IP address Pool to be assigned to the clients
      rightdns=  # DNS to be assigned to clients
      eap_identity=%identity  # defines the identity the client uses to reply to an EAP Identity request.

To see a comprehensive description of the connection parameters and the values used in the above configuration, see man ipsec.conf.

Next, configure the client-server authentication credentials. They are set in the /etc/ipsec.secrets configuration file, which must be readable by root only (mode 0600). Open the file and define the RSA private key the server authenticates with, then add the EAP user credentials as a username and a long, random password. Note the spacing: the colon in each entry is surrounded by spaces, and a leading colon in the RSA line means the key belongs to this host.

vim /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part (the VPN server key generated above,
# read from /etc/ipsec.d/private).
: RSA vpn-server.key.pem
# <user id> : EAP <secret>
# Replace the empty string with a long random password for the EAP user.
vpnsecure : EAP ""
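The two configuration files above rendered as one complete, working IKEv2 road-warrior setup, followed by a check for the mistakes that most often leave such a setup weak or broken. This is an added example, not configuration from the original page: it assumes the server identity vpn.example.com, a client pool 10.10.10.0/24, the resolvers 1.1.1.1 and 1.0.0.1, the EAP user vpnsecure with a password supplied in the VPN_EAP_PASS environment variable, and EAP-MSCHAPv2 as the client method (what the built-in Windows, Apple and Android clients speak). The explicit ike/esp proposals are this example's choice, made so that the server never negotiates down to whatever a given strongSwan version defaults to; write_ipsec_conf, write_ipsec_secrets and check_config are its own helper names.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: render a complete IKEv2 road-warrior
# ipsec.conf and ipsec.secrets for the certificates installed above, then check
# them for weak proposals, a missing EAP method and a readable secrets file.
# Assumed values (override via the environment): server identity vpn.example.com,
# client pool 10.10.10.0/24, resolvers 1.1.1.1/1.0.0.1, EAP user vpnsecure whose
# password comes from $VPN_EAP_PASS.
set -eu

VPN_FQDN="${VPN_FQDN:-vpn.example.com}"
VPN_POOL="${VPN_POOL:-10.10.10.0/24}"
VPN_DNS="${VPN_DNS:-1.1.1.1,1.0.0.1}"
EAP_USER="${EAP_USER:-vpnsecure}"
CONF_DIR="${CONF_DIR:-/etc}"              # point at a scratch directory for a dry run

# Write ipsec.conf. The ike/esp lines pin the proposals (the trailing "!" makes them
# strict): AEAD with ECDH first, AES-CBC/SHA-256 with a 3072-bit MODP group as fallback.
write_ipsec_conf() {
  cat > "$CONF_DIR/ipsec.conf" <<EOF
config setup
        charondebug="ike 1, knl 1, cfg 0"

conn ipsec-ikev2-vpn
        auto=add
        keyexchange=ikev2
        type=tunnel
        ike=aes256gcm16-sha384-ecp384,aes256-sha256-modp3072!
        esp=aes256gcm16-ecp384,aes256-sha256-modp3072!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        fragmentation=yes
        left=%any
        leftid=@${VPN_FQDN}
        leftcert=vpn-server.cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=${VPN_POOL}
        rightdns=${VPN_DNS}
        rightsendcert=never
        eap_identity=%identity
EOF
}

# Write ipsec.secrets with a 077 umask (in a subshell, so the umask does not leak)
# so the file is 0600 from the moment it exists.
write_ipsec_secrets() {
  ( umask 077
    cat > "$CONF_DIR/ipsec.secrets" <<EOF
: RSA vpn-server.key.pem
${EAP_USER} : EAP "${VPN_EAP_PASS:?set VPN_EAP_PASS to the EAP password}"
EOF
  )
}

# Return 0 if the conn uses IKEv2 with explicit proposals free of broken algorithms,
# names an EAP method for clients, and the secrets file is mode 0600; otherwise
# print the first problem found and return 1.
check_config() {
  conf="$CONF_DIR/ipsec.conf"; sec="$CONF_DIR/ipsec.secrets"
  grep -Eq '^[[:space:]]*keyexchange=ikev2' "$conf" \
    || { echo "keyexchange is not ikev2"; return 1; }
  for alg in ike esp; do
    grep -Eq "^[[:space:]]*${alg}=" "$conf" \
      || { echo "${alg} proposal not set explicitly"; return 1; }
    if grep -E "^[[:space:]]*${alg}=" "$conf" | grep -Eiq '3des|md5|sha1|null|modp768|modp1024'; then
      echo "${alg} proposal contains a weak algorithm"; return 1
    fi
  done
  grep -Eq '^[[:space:]]*rightauth=eap-' "$conf" \
    || { echo "no EAP method for client authentication"; return 1; }
  [ "$(stat -c %a "$sec")" = "600" ] \
    || { echo "ipsec.secrets is not mode 0600"; return 1; }
  return 0
}

# Usage (as root): VPN_EAP_PASS='...' ; write_ipsec_conf && write_ipsec_secrets && check_config
```

check_config is deliberately independent of the writer functions, so it can be pointed (via CONF_DIR) at an existing /etc to audit a hand-written configuration as well.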

Save the configuration file and restart strongSwan for the changes to take effect.

systemctl restart strongswan

To verify that strongSwan has loaded the server certificate together with its matching private key (look for the "has private key" flag in the output), run the command below;

ipsec listcerts
List of X.509 End Entity Certificates

  subject:  ""
  issuer:   "CN=VPN Server root CA"
  validity:  not before Feb 09 20:27:18 2019, ok
             not after  Aug 21 20:27:18 2026, ok (expires in 2749 days)
  serial:    56:e5:08:a6:db:f6:6b:d0
  flags:     serverAuth ikeIntermediate 
  authkeyId: 68:40:92:5b:53:c4:99:18:3e:7e:cb:6b:5b:32:d5:05:f7:de:88:74
  subjkeyId: 09:2f:bd:61:bd:47:1b:c8:13:e0:2f:65:c0:9f:12:7b:0e:e8:c4:9b
  pubkey:    RSA 4096 bits, has private key
  keyid:     75:72:19:89:62:97:27:55:a0:4f:68:be:6a:c9:14:98:04:87:be:a3
  subjkey:   09:2f:bd:61:bd:47:1b:c8:13:e0:2f:65:c0:9f:12:7b:0e:e8:c4:9b

Configure Firewall and Routing

Set UFW to allow the VPN traffic. IKE uses UDP port 500, and UDP port 4500 carries both IKE and ESP encapsulated in UDP when a NAT device sits between the peers (NAT traversal). If any client will connect with no NAT in the path, the ESP protocol itself (IP protocol 50) must be allowed as well.

ufw allow 500/udp      # IKE (ISAKMP) negotiation
ufw allow 4500/udp     # IKE and ESP-in-UDP for NAT traversal

Next, edit the /etc/ufw/before.rules such that your configuration looks like below. Replace the IP pool and the default route interface accordingly. See the highlighted lines added immediately before and after the *filter.
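The before.rules additions as a script that generates them and splices them into the file, added here as an example and not taken from the original page. It assumes a client pool of 10.10.10.0/24 (the rightsourceip range) and eth0 as the default-route interface; nat_and_mangle_rules, forward_rules, rules_are_policy_scoped, apply_rules and enable_forwarding are its own helper names. The point worth noticing is the "-m policy --pol ipsec" match on every forward and NAT-exempt rule: without it, any packet arriving on the wire with a spoofed pool source address would be forwarded and masqueraded just like genuine tunnel traffic.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: generate and apply the ufw additions
# that let the VPN client pool reach the Internet through this server.
# Assumed values (override via the environment): client pool 10.10.10.0/24 (the
# rightsourceip range) and default-route interface eth0. Run as root.
set -eu

VPN_POOL="${VPN_POOL:-10.10.10.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Tables that go in /etc/ufw/before.rules before the "*filter" line: source NAT for
# the pool and TCP MSS clamping so full-size segments still fit inside ESP.
# Packets about to be protected by an IPsec SA are accepted un-NATed; every other
# pool packet leaving via the WAN interface is masqueraded.
nat_and_mangle_rules() {
  cat <<EOF
*nat
-A POSTROUTING -s ${VPN_POOL} -o ${WAN_IF} -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s ${VPN_POOL} -o ${WAN_IF} -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s ${VPN_POOL} -o ${WAN_IF} -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
EOF
}

# Rules for the *filter table: forward only traffic that arrived through (or will
# leave through) an IPsec SA, so a spoofed pool address on the wire is not forwarded.
forward_rules() {
  cat <<EOF
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s ${VPN_POOL} -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d ${VPN_POOL} -j ACCEPT
EOF
}

# 0 if every ACCEPT rule above is tied to an IPsec policy, 1 otherwise (the
# MASQUERADE line is exempt: it only sees packets the ACCEPT before it let through).
rules_are_policy_scoped() {
  if { nat_and_mangle_rules; forward_rules; } | grep '^-A' | grep -v MASQUERADE \
       | grep -vq -- '--pol ipsec'; then
    return 1
  fi
  return 0
}

# Splice the fragments into before.rules: nat/mangle just before "*filter", the
# forward rules just before the COMMIT that closes the filter table. The original
# file is kept beside it as a backup.
apply_rules() {
  rules="${1:-/etc/ufw/before.rules}"
  cp "$rules" "$rules.bak"
  awk -v nat="$(nat_and_mangle_rules)" -v fwd="$(forward_rules)" '
    /^\*filter/            { print nat; print ""; infilter = 1 }
    infilter && /^COMMIT/  { print fwd; infilter = 0 }
    { print }
  ' "$rules.bak" > "$rules"
}

# ufw applies /etc/ufw/sysctl.conf on start; enable IPv4 forwarding there.
enable_forwarding() {
  f="${1:-/etc/ufw/sysctl.conf}"
  sed -i 's|^#*[[:space:]]*net/ipv4/ip_forward=.*|net/ipv4/ip_forward=1|' "$f"
  grep -q '^net/ipv4/ip_forward=1$' "$f"
}

# Usage (as root): apply_rules && enable_forwarding && ufw disable && ufw enable
```

Both apply_rules and enable_forwarding take an optional path, so they can be rehearsed on a copy of the files before the real /etc/ufw is touched; ufw only re-reads before.rules when it is restarted, hence the disable/enable at the end.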

