strongSwan 5 based IPSec VPN, Ubuntu 14.04 LTS and PSK/XAUTH

I prefer strongSwan over Openswan because it’s still in active development, easier to set up and doesn’t require an L2TP daemon. I prefer a simple IKEv1 setup using PSK and XAUTH over certificates. If you plan to share your VPN server with your friends, it’s also a lot easier for them to set up without certificates. I haven’t tried the VPN configuration below with non-Apple clients, but it works well with iOS and OS X clients. Make sure to use the Cisco IPSec VPN profile, not the L2TP over IPSec profile you need for Openswan. While strongSwan works well in KVM and Xen virtual machines, it probably won’t work in non-virtualised containers like OpenVZ or LXC.

strongSwan 5 has been modularised in Ubuntu 14.04 so we need to install the required plugins using apt-get as well:

apt-get install strongswan strongswan-plugin-xauth-generic

/etc/ipsec.secrets (replace 123.123.123.123 with the server’s public IP address)

123.123.123.123 %any : PSK "replace but leave the quotes"

jan : XAUTH "janspassword"
someone : XAUTH "anotherpassword"
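A small checker for the ipsec.secrets layout used above, added here as an example (it is not part of the original post or of strongSwan): it flags the truncated or missing XAUTH entries that the comments below run into, a secret that was not quoted, and a placeholder or short PSK. The minimum PSK length and the sample file contents are assumptions made for this example.

```python
import re
# One ipsec.secrets entry as the post uses it: "<selectors> : PSK|XAUTH <secret>".
# IPv4 selectors only (an IPv6 selector would contain ':' and confuse this split).
LINE_RE = re.compile(r'^(?P<sel>.*?)\s*:\s*(?P<type>PSK|XAUTH)\s+(?P<secret>.*)$')

MIN_PSK_LEN = 20  # assumed threshold for this example, not a strongSwan requirement
PLACEHOLDER = "replace but leave the quotes"  # the post's placeholder PSK


def lint_secrets(text: str) -> list[str]:
    """Return human-readable findings for an ipsec.secrets file; [] means clean."""
    findings: list[str] = []
    psk_seen = False
    xauth_users: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('include '):
            continue  # blank, comment or include line: nothing to check
        m = LINE_RE.match(line)
        if not m:
            findings.append(f'line {lineno}: expected selector : PSK|XAUTH "secret"')
            continue
        secret = m.group('secret').strip()
        if len(secret) < 2 or secret[0] != '"' or secret[-1] != '"':
            findings.append(f'line {lineno}: secret must be enclosed in double quotes')
            continue
        value = secret[1:-1]
        if m.group('type') == 'PSK':
            psk_seen = True
            if value == PLACEHOLDER:
                findings.append(f'line {lineno}: placeholder PSK was never replaced')
            elif len(value) < MIN_PSK_LEN:
                findings.append(f'line {lineno}: PSK shorter than {MIN_PSK_LEN} characters')
        else:
            user = m.group('sel').strip()
            if user:
                xauth_users.append(user)
            else:
                findings.append(f'line {lineno}: XAUTH entry has no user name')
    if not psk_seen:
        findings.append('no PSK entry: authby=xauthpsk needs <server-ip> %any : PSK "..."')
    if not xauth_users:
        findings.append('no XAUTH users: every client will get "User authentication failed"')
    return findings

# Constructed sample: the post's file with the placeholder PSK still in place.
SAMPLE = '''123.123.123.123 %any : PSK "replace but leave the quotes"
jan : XAUTH "janspassword"
someone : XAUTH "anotherpassword"
'''
```

Run it against a copy of the file before restarting strongSwan; an empty result means the layout matches what the configuration above expects.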

/etc/ipsec.conf

config setup
	cachecrls=yes
	uniqueids=yes

conn ios
	keyexchange=ikev1
	authby=xauthpsk
	xauth=server
	left=%defaultroute
	leftsubnet=0.0.0.0/0
	leftfirewall=yes
	right=%any
	rightsubnet=10.7.0.0/24
	rightsourceip=10.7.0.2/24
	rightdns=4.2.2.1
	auto=add

That’s already all we need for strongSwan. Restart it using

service strongswan restart

Make sure to allow IPv4 packet forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward=1

And reload the changes using:

sysctl -p

We also need a NAT rule:

# VPN NAT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE

I’m NATing the entire 10/8 for VPN use and assign a different /24 to each VPN daemon. This way I only need one NAT rule for everything.

Here’s a sample inbound-only firewall script which also covers OpenVPN and Iodine ports:

#!/bin/sh

# Flush old rules, old custom tables
/sbin/iptables --flush
/sbin/iptables --flush -t nat
/sbin/iptables --delete-chain

# Set default policies for all three default chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Allow VPN forwarding for the interface-based VPNs (tun+ = OpenVPN, dns+ = Iodine).
# IPsec traffic has no interface of its own; leftfirewall=yes in ipsec.conf makes
# strongSwan's updown script add the matching FORWARD rules when a client connects.
/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
/sbin/iptables -A FORWARD -o tun+ -j ACCEPT
/sbin/iptables -A FORWARD -i dns+ -j ACCEPT
/sbin/iptables -A FORWARD -o dns+ -j ACCEPT

# Accept limited inbound ICMP messages
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --set
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 5 --hitcount 10 -j DROP
/sbin/iptables -A INPUT -p icmp -j ACCEPT

# All TCP sessions should begin with SYN
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0/0 -j DROP

# Accept inbound TCP packets
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Accept inbound UDP packets
/sbin/iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT

# Accept IPsec packets: ESP (IP protocol 50, so "-p 50" repeats "-p esp"),
# AH (IP protocol 51), IKE (UDP 500) and NAT-T (UDP 4500, used by clients behind NAT)
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -p 50 -j ACCEPT
/sbin/iptables -A INPUT -p 51 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# VPN NAT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE

11 thoughts on “strongSwan 5 based IPSec VPN, Ubuntu 14.04 LTS and PSK/XAUTH”

  1. Hi,

    I have followed your guide on setting this up on Ubuntu 14.04 and I’m having an issue with authentication.

    When trying to connect the VPN from my iPhone I get the following error “VPN Connection – User authentication failed.” almost immediately.

    Specifying the wrong secret on the iPhone client yields a longer time-out before a different error, so seems that this has been set correctly.

    auth.log is showing “localhost charon: 01[IKE] 220.233.42.xxx is initiating a Main Mode IKE_SA” when trying to connect. There are no other errors showing in this log file when the connection fails to authenticate.

    Is this just a case that I have not specified the xauth user somewhere? I have tried this with two accounts set up on the Ubuntu server (including root).

    Any pointers you can provide would be appreciated.

  2. Nate, I accidentally truncated a line in ipsec.secrets. Yes, you’re right, the XAUTH entry was missing. Thanks for the heads up!

    Cheers,
    Jan

  3. Thanks!! added the user details to ipsec.secrets, restarted the strongswan service and I was able to authenticate.

    I’m glad it was something trivial!

    Thanks for the help.

    • Guys, I don’t get how the ipsec.secret should look. Can you post a working example?
      BTW, I have the same error as Nate had.
      Regards

  4. Hi!

    I used your ipsec.conf and when I try to start Strongswan it gave me this error:
    start: Job failed to start

    I then typed ipsec start and I get the following error:
    Starting strongSwan 5.1.2 IPsec [starter]…
    /etc/ipsec.conf:6: syntax error, unexpected FIRST_SPACES [ ]
    unable to start strongSwan — fatal errors in config

    • I had the same problem. Deleting all file contents and just pasting the new configuration into the file solved the problem for me.

  5. Hi,

    I have followed the guide. My Android phone connects with no problems; however, once it’s connected I still can’t ping anything.
    I can’t ping either of the interfaces, eth0 (external) or eth1 (internal), and can’t ping the phone either. It gets an IP and I can see the rule appear in /var/log/syslog. Any chance you could help?
    I have setup exactly as above…

    Help!!

    Thanks
    Rob

  6. I followed your easy instructions all the way through. Both my Android and iOS can connect to the server, however there is no data going through… any directions you wanna point me to? Very much appreciated, mate.

    • Mike, four things come to mind:
      a) It’s just a DNS problem, ping 8.8.8.8 may be working
      b) MASQUERADE rule issue
      c) Packet forwarding is not enabled
      d) Try iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT as well just to make sure it’s not a firewall issue.

      But other than that, I don’t know.

      Cheers,
      Jan
