CentrioHost Blog

Stories and News from IT Industry, Reviews & Tips | Technology Blog


HOW TO SET UP IPSEC VPN ON CENTOS 7

What is IPSec?

Internet Protocol Security – IPsec is an extension to the IP protocol family that secures sessions between agents through cryptographic authentication. It is a network protocol that validates and encrypts packets of data that are sent in network. IPsec can safeguard data transferred between a pair of hosts, a pair of gateways, or between host and gateway.

How does an IPSec-based VPN work?

The IPSec VPN is basically created between two firewalls to transfer data and share resources between the two networks.
While IPSec has two modes, the transport mode and the tunnel mode, for VPN purposes we want to use the tunnel mode.

In order to set up our VPN, will be using StrongSwan, which is an open source IPsec-based VPN solution. StrongSwan supports IKEv1 & IKEv2 key exchange protocols, in addition to natively supporting the NETKEY stack of the Linux kernel.

StrongSwan Installation

First of all let’s install StrongSwan. To do that, open your terminal and type the following:

yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/e/epel-release-7-9.noarch.rpm
yum install strongSwan openssl

Generate certificates

In order to identify & authenticate, both the server and VPN client will need a certificate.

First navigate to the folder /etc/strongswan/ipsec.d. Then download a couple of scripts.

cd /etc/strongswan/ipsec.d

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/server_key.sh
chmod a+x server_key.sh

wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_vultr/client_key.sh
chmod a+x client_key.sh

Please note in the downloaded .sh file, you can replace O=VULTR-VPS-CENTOS with your own O=YOUR_ORGANIZATION_NAME.

Next, in the server_key.sh file replace SERVER_IP with your IP address:

./server_key.sh SERVER_IP

Next, we will have to generate a client key, P12 file and certificate. In this example here, we will generate a certificate & P12 file for the VPN user – vpnuser.

./client_key.sh vpnuser vpnuser@email.com
Replace “vpnuser” & email with your own.

After we have successfully generated the certificates for both client & server, we will have to copy /etc/strongswan/ipsec.d/uttam.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to our local computer.

strongSwan configuration

First of all, open the IPSec config file with your favorite text editing tool:

vi /etc/strongswan/ipsec.conf

Then replace the following content:

config setup
uniqueids=never
charondebug=”cfg 2, dmn 2, ike 2, net 0″

conn %default
left=%defaultroute
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.pem
right=%any
rightsourceip=172.16.1.100/16

conn CiscoIPSec
keyexchange=ikev1
fragmentation=yes
rightauth=pubkey
rightauth2=xauth
leftsendcert=always
rekey=no
auto=add

conn XauthPsk
keyexchange=ikev1
leftauth=psk
rightauth=psk
rightauth2=xauth
auto=add

conn IpsecIKEv2
keyexchange=ikev2
leftauth=pubkey
rightauth=pubkey
leftsendcert=always
auto=add

conn IpsecIKEv2-EAP
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
leftauth=pubkey
leftsendcert=always
rightauth=eap-mschapv2
eap_identity=%any
auto=add

Navigate to vi /etc/strongswan/strongswan.conf to edit that configuration file:

Then, erase everything & replace with the following:.

charon {
load_modular = yes
duplicheck.enable = no
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf

Next, let’s edit IPsec’s secret file to add user & password.

vi /etc/strongswan/ipsec.secrets

Add user account “vpnuser” into it.

: RSA vpnHostKey.pem
: PSK “PSK_KEY”
vpnuser %any : EAP “vpnuser’s Password”
vpnuser %any : XAUTH “vpnuser’s Password”

Please note both sides of the colon need a white space.

To allow IPv4 forwarding

Next, navigate and edit /etc/sysctl.conf where we will allow forwarding:

vi /etc/sysctl.conf

Now add the following line:

net.ipv4.ip_forward=1

Finally, save it to apply changes (sysctl -p)

Finally, start your VPN server

systemctl start strongswan
systemctl enable strongswan

strongSwan is now running on your server. If you want others to join your private network, have them install strongswanCert.pem & the .p12 certificate files.

Subscribe Now

10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!

Archive Calendar

SatSunMonTueWedThuFri
 123456
78910111213
14151617181920
21222324252627
28293031 

Over 20000 Satisfied Customers!

  • web hosting reviewer
    Valerie Quinn
    CTO, Acteon Group

    Centriohost staff were fantastic, I had a concern with a domain and they got back to me very quickly and they helped me to resolve the issue! ~ . . . Read more

  • Joomla hosting reviewer
    Collin Bryan
    Photographer, Allister Freeman

    I'm using centrio for my portfolio since 2006. The transition was seamless, the support was immediate, and everything works perfectly. ~ . . . Read more

  • dedicated server reviewer
    Harry Collett
    Actor, A&J Artists

    Very easy to understand & use even though I am not very technologically minded. No complications whatsoever & I wouldn't hesitate to recommend it to all. ~ . . . Read more

  • vps web hosting reviewer
    Porfirio Santos
    Technician, Diageo PLC

    Centrio support team have been amazingly responsive and helpful to any of my queries, thank you so much to the Centriohost have been amazingly responsive and helpful to any of my queries 👍👍👍 ~ . . . Read more

  • wordpress hosting plans reviewer
    Catherine Auer
    Doctor, SmartClinics

    Anytime I've had a problem I can't solve, I've found Centriohost to be diligent and persistent. They simply won't let an issue go until the client is happy. ~ . . . Read more

  • reseller hosting reviewer
    Effectivo Social
    Freelancer, Fiverr

    Recommend their shared hosting for all my SME web design clients. Their cloud or VME offerings are too great to deal with. Pricing is perfect and suitable for all users (͠≖ ͜ʖ͠≖) 👌 ~ . . . Read more

Top