Abdul Hakim's Blog

Cara Setup IPSec Strongswan di Ubuntu 20.04

Photo by David Gardiner on Unsplash

Cara Setup IPSec Strongswan di Ubuntu 20.04

Pada tulisan kali ini kita akan melakukan setup IPSec VPN menggunakan strongswan di ubuntu 20.04

Abdul Hakim's photo
Abdul Hakim
·

4 min read

Kebutuhan:

Nama nodeIP publikIP privateSubnet
node134.229.xx.xx172.31.34.3172.31.34.3/16
node254.196.xx.xx10.16.49.21910.16.49.219/16

Pastikan firewall sudah terbuka untuk port 500 dan 4500 pada protocol UDP.

Setup:

Lakukan di kedua node

  1. Install strongswan
sudo apt update && sudo apt upgrade -y
sudo apt install strongswan -y
  1. Lihat status ipsec, pastikan running.
sudo systemctl status ipsec
  1. Setup forwarding
sudo vim /etc/sysctl.conf
...
net.ipv4.ip_forward = 1 
net.ipv6.conf.all.forwarding = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0
...
  1. Load perubahan
$ sudo sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Setting IPSec di node1

  1. Tambahkan konfigurasi ipsec pada file /etc/ipsec.conf
sudo vi /etc/ipsec.conf
...
config setup
        charondebug="all"
        uniqueids=yes

# Sample VPN connections
conn node1-to-node2
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=%defaultroute
        leftid=34.229.xx.xx
        leftsubnet=172.31.34.3/16
        right=54.196.xx.xx
        rightsubnet=10.16.49.219/16
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
...
  1. Konfigurasi PSK untuk Peer-to-Peer Authentication
$ head -c 24 /dev/urandom | base64
kU9tF2ClzAKI9V8d+YJwJlAlOP0cgTkF
  1. Tambahkan PSK ke file /etc/ipsec.secrets
$ sudo vi /etc/ipsec.secrets
...
# <IP Publik node1> <IP Publik node2> : PSK "secret"

34.229.xx.xx 54.196.xx.xx : PSK "kU9tF2ClzAKI9V8d+YJwJlAlOP0cgTkF"
...
  1. Restart IPSec
$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.5 IPsec [starter]...
  1. Lihat status IPSec
$ sudo ipsec status
Security Associations (1 up, 0 connecting):
node1-to-node2[1]: ESTABLISHED 26 minutes ago, 172.31.34.3[34.229.40.23]...54.196.39.43[54.196.39.43]
node1-to-node2{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cb558209_i ce392e5f_o
node1-to-node2{1}:   172.31.0.0/16 === 10.16.0.0/16

Pada status diatas terlihat bahwa ipsec sudah ESTABLISHED, yang mana koneksi ipsec dari node1 ke node2 sudah tersambung.

Setting IPSec di node2

  1. Tambahkan konfigurasi ipsec pada file /etc/ipsec.conf
$ ssh node2
$ sudo vi /etc/ipsec.conf
...
config setup
        charondebug="all"
        uniqueids=yes

# Sample VPN connections
conn node2-to-node1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=%defaultroute
        leftid=54.196.xx.xx
        leftsubnet=10.16.49.219/16
        right=34.229.xx.xx
        rightsubnet=172.31.34.3/16
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
  1. Konfigurasi PSK untuk Peer-to-Peer Authentication
$ head -c 24 /dev/urandom | base64
kU9tF2ClzAKI9V8d+YJwJlAlOP0cgTkF
  1. Tambahkan PSK ke file /etc/ipsec.secrets
$ sudo vi /etc/ipsec.secrets
...
# <IP Publik node1> <IP Publik node2> : PSK "secret"

54.196.39.43 34.229.40.23 : PSK "kU9tF2ClzAKI9V8d+YJwJlAlOP0cgTkF"
...
  1. Restart IPSec
$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.5 IPsec [starter]...
  1. Lihat status IPSec
$ sudo ipsec status
Security Associations (1 up, 0 connecting):
node2-to-node1[2]: ESTABLISHED 9 seconds ago, 10.16.49.219[54.196.39.43]...34.229.40.23[34.229.40.23]
node2-to-node1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce392e5f_i cb558209_o
node2-to-node1{1}:   10.16.0.0/16 === 172.31.0.0/16

Pada status diatas terlihat bahwa ipsec sudah established, yang mana koneksi ipsec sudah tersambung.

Verifikasi dengan ping kedua node

  1. ping dari node1 ke node2
$ date; ping 10.16.49.219
Sat Feb  4 16:58:57 UTC 2023
PING 10.16.49.219 (10.16.49.219) 56(84) bytes of data.
64 bytes from 10.16.49.219: icmp_seq=1 ttl=64 time=0.681 ms
64 bytes from 10.16.49.219: icmp_seq=2 ttl=64 time=0.658 ms
64 bytes from 10.16.49.219: icmp_seq=3 ttl=64 time=0.714 ms
64 bytes from 10.16.49.219: icmp_seq=4 ttl=64 time=0.671 ms
64 bytes from 10.16.49.219: icmp_seq=5 ttl=64 time=0.723 ms
^C
--- 10.16.49.219 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4082ms
rtt min/avg/max/mdev = 0.658/0.689/0.723/0.025 ms
  1. Ping dari node2 ke node1
$ ping 172.31.34.3
PING 172.31.34.3 (172.31.34.3) 56(84) bytes of data.
64 bytes from 172.31.34.3: icmp_seq=1 ttl=64 time=0.733 ms
64 bytes from 172.31.34.3: icmp_seq=2 ttl=64 time=0.730 ms
64 bytes from 172.31.34.3: icmp_seq=3 ttl=64 time=0.719 ms
64 bytes from 172.31.34.3: icmp_seq=4 ttl=64 time=1.46 ms
64 bytes from 172.31.34.3: icmp_seq=5 ttl=64 time=0.982 ms
64 bytes from 172.31.34.3: icmp_seq=6 ttl=64 time=0.753 ms
64 bytes from 172.31.34.3: icmp_seq=7 ttl=64 time=0.806 ms
64 bytes from 172.31.34.3: icmp_seq=8 ttl=64 time=0.730 ms
^C
--- 172.31.34.3 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7070ms
rtt min/avg/max/mdev = 0.719/0.864/1.464/0.240 ms

Jika ping telah berhasil maka koneksi tunnel IPSec telah berhasil.

Troubleshoot:

Jika mengalami kendala pada instalasi bisa melakukan pengecekan pada file konfigurasi dan melihat detail log di file tail -f /var/log/syslog | grep charon seperti berikut:

tail -f /var/log/syslog | grep charon

Terima kasih.

Referensi:

How to Set Up IPsec-based VPN with Strongswan on Debian and Ubuntu

https://docs.strongswan.org/docs/5.9/index.html

vpnipsec