How to Set Up an IPsec VPN with strongSwan on Ubuntu 20.04

In this post we set up a site-to-site IPsec VPN between two Ubuntu 20.04 hosts using strongSwan.

Requirements:

Node name | Public IP    | Private IP   | Subnet
node1     | 34.229.xx.xx | 172.31.34.3  | 172.31.34.3/16
node2     | 54.196.xx.xx | 10.16.49.219 | 10.16.49.219/16

Make sure the firewall (the host firewall and any cloud security group in front of the node) allows inbound UDP port 500 (IKE) and UDP port 4500 (NAT traversal) between the two public IPs.

Setup:

Do the following on both nodes.

  1. Install strongSwan
sudo apt update && sudo apt upgrade -y
sudo apt install strongswan -y
  2. Check the ipsec service status and make sure it is running.
sudo systemctl status ipsec
  3. Enable forwarding and disable ICMP redirects
sudo vim /etc/sysctl.conf
...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
...
Forwarding is needed because each node will carry traffic for its whole /16 through the tunnel, not only for its own address. ICMP redirects are disabled so the kernel neither sends nor accepts route hints that could steer subnet traffic around the tunnel.
  4. Load the changes
$ sudo sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

IPsec settings on node1

  1. Add the connection to /etc/ipsec.conf
sudo vi /etc/ipsec.conf
...
config setup
        charondebug="all"
        uniqueids=yes

# Sample VPN connections
conn node1-to-node2
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=%defaultroute
        leftid=34.229.xx.xx
        leftsubnet=172.31.34.3/16
        right=54.196.xx.xx
        rightsubnet=10.16.49.219/16
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
...
  2. Generate a PSK for peer authentication
$ head -c 24 /dev/urandom | base64
kU9tF2ClzAKI9V8d+YJwJlAlOP0cgTkF
  3. Add the PSK to /etc/ipsec.secrets
$ sudo vi /etc/ipsec.secrets
...
# <node1 public IP> <node2 public IP> : PSK "secret"

34.229.xx.xx 54.196.xx.xx : PSK "kU9tF2ClzAKI9V8d+YJwJlAlOP0cgTkF"
...
  4. Restart IPsec
$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.5 IPsec [starter]...
  5. Check the IPsec status
$ sudo ipsec status
Security Associations (1 up, 0 connecting):
node1-to-node2[1]: ESTABLISHED 26 minutes ago, 172.31.34.3[34.229.40.23]...54.196.39.43[54.196.39.43]
node1-to-node2{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cb558209_i ce392e5f_o
node1-to-node2{1}:   172.31.0.0/16 === 10.16.0.0/16

The status above shows the IKE_SA as ESTABLISHED and its CHILD_SA as INSTALLED, TUNNEL, so the IPsec connection from node1 to node2 is up. Two details are worth reading off this output. First, left=%defaultroute resolved to the private interface address 172.31.34.3 while the peer identifies us by the public IP (shown as 172.31.34.3[34.229.40.23]); because that private address is translated to the public one, charon detected NAT and uses ESP in UDP (port 4500) instead of raw ESP. Second, leftsubnet=172.31.34.3/16 was normalized to the network 172.31.0.0/16 in the traffic selectors.

One caveat on the proposal used above: ike=aes256-sha1-modp1024 works, but SHA-1 and the 1024-bit MODP group (DH group 2) are deprecated for IKE. On a new deployment use at least sha256 with modp2048 (group 14) on both peers; since the proposals are marked strict with "!", both sides must be changed together or the IKE_SA will not come up.

IPsec settings on node2

  1. Add the connection to /etc/ipsec.conf
$ ssh node2
$ sudo vi /etc/ipsec.conf
...
config setup
        charondebug="all"
        uniqueids=yes

# Sample VPN connections
conn node2-to-node1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=%defaultroute
        leftid=54.196.xx.xx
        leftsubnet=10.16.49.219/16
        right=34.229.xx.xx
        rightsubnet=172.31.34.3/16
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
  2. Use the same PSK as node1
Do not run the generator again on node2: both peers must present the identical secret, so copy the value that was produced on node1 (kU9tF2ClzAKI9V8d+YJwJlAlOP0cgTkF in this example).
  3. Add the PSK to /etc/ipsec.secrets
$ sudo vi /etc/ipsec.secrets
...
# <node2 public IP> <node1 public IP> : PSK "secret"

54.196.39.43 34.229.40.23 : PSK "kU9tF2ClzAKI9V8d+YJwJlAlOP0cgTkF"
...
  4. Restart IPsec
$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.5 IPsec [starter]...
  5. Check the IPsec status
$ sudo ipsec status
Security Associations (1 up, 0 connecting):
node2-to-node1[2]: ESTABLISHED 9 seconds ago, 10.16.49.219[54.196.39.43]...34.229.40.23[34.229.40.23]
node2-to-node1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce392e5f_i cb558209_o
node2-to-node1{1}:   10.16.0.0/16 === 172.31.0.0/16

The status above shows the tunnel established from node2's side as well. The SPIs are the mirror image of node1's (ce392e5f_i cb558209_o here versus cb558209_i ce392e5f_o on node1), which confirms that both peers installed the same CHILD_SA rather than two unrelated ones.
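Both node sections above hand-edit the same two files on each peer, which is where mismatches creep in: a PSK that differs, subnets that are not mirrored, one side changed to a different proposal. The script below is an added example, not code from the original post or from the strongSwan project. It renders ipsec.conf and ipsec.secrets for both peers from one set of variables so the values cannot drift apart, uses a stronger proposal than the post (sha256 and modp2048 instead of sha1 and modp1024, AES-GCM for ESP), and checks the output of ipsec status for an established tunnel. The public IPs 203.0.113.10 and 198.51.100.20 and all function names are constructed for the example; the private subnets are the post's.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: render matching strongSwan
# site-to-site configs for both peers from one set of variables and check
# `ipsec status` output for an established tunnel.
# The public IPs are constructed (RFC 5737 documentation ranges); the private
# subnets are the ones used in the post.
set -eu

NODE1_PUB=203.0.113.10   # constructed stand-in for node1's public IP
NODE2_PUB=198.51.100.20  # constructed stand-in for node2's public IP
NODE1_NET=172.31.0.0/16  # node1's subnet (post: 172.31.34.3/16, normalized)
NODE2_NET=10.16.0.0/16   # node2's subnet (post: 10.16.49.219/16, normalized)

# Generate the PSK once; both peers must receive this same value.
gen_psk() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Print one conn block. Each peer calls this with itself as "left".
# Proposals are stronger than the post's aes256-sha1-modp1024: SHA-256 for IKE
# integrity/PRF, DH group 14 (modp2048) with PFS on the CHILD_SA, AES-GCM for ESP.
render_conn() {
    local name=$1 left_id=$2 left_net=$3 right=$4 right_net=$5
    cat <<EOF
conn $name
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=%defaultroute
        leftid=$left_id
        leftsubnet=$left_net
        right=$right
        rightsubnet=$right_net
        ike=aes256-sha256-modp2048!
        esp=aes256gcm16-modp2048!
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
EOF
}

# Print the ipsec.secrets line: both peer IDs select the one shared PSK.
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Write ipsec.conf and ipsec.secrets for one peer into directory $1 (on the
# real host that is /etc). The secrets file is created 0600 since it holds the PSK.
render_node() {
    local outdir=$1 name=$2 left_id=$3 left_net=$4 right=$5 right_net=$6 psk=$7
    mkdir -p "$outdir"
    {
        printf 'config setup\n        uniqueids=yes\n\n'
        render_conn "$name" "$left_id" "$left_net" "$right" "$right_net"
    } > "$outdir/ipsec.conf"
    ( umask 077; render_secrets "$left_id" "$right" "$psk" > "$outdir/ipsec.secrets" )
}

# Succeed only if the status text shows an IKE_SA ESTABLISHED and a CHILD_SA
# INSTALLED in tunnel mode; print the negotiated traffic selectors.
check_status() {
    printf '%s\n' "$1" | grep -q ' ESTABLISHED ' || return 1
    printf '%s\n' "$1" | grep -q 'INSTALLED, TUNNEL' || return 1
    printf '%s\n' "$1" | grep -o '[0-9./]* === [0-9./]*'
}

# Demo: render both peers into a scratch directory with one shared PSK and
# print where the files went.
demo() {
    local psk dir
    psk=$(gen_psk)
    dir=$(mktemp -d)
    render_node "$dir/node1" node1-to-node2 "$NODE1_PUB" "$NODE1_NET" "$NODE2_PUB" "$NODE2_NET" "$psk"
    render_node "$dir/node2" node2-to-node1 "$NODE2_PUB" "$NODE2_NET" "$NODE1_PUB" "$NODE1_NET" "$psk"
    echo "$dir"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run the script with the argument demo to render both peers into a scratch directory, then copy each node's files to /etc/ipsec.conf and /etc/ipsec.secrets on that node and restart ipsec. check_status can be fed the live output with check_status "$(sudo ipsec status)"; it exits non-zero while the tunnel is still CONNECTING.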

Verify with a ping between the two nodes

  1. Ping from node1 to node2
$ date; ping 10.16.49.219
Sat Feb  4 16:58:57 UTC 2023
PING 10.16.49.219 (10.16.49.219) 56(84) bytes of data.
64 bytes from 10.16.49.219: icmp_seq=1 ttl=64 time=0.681 ms
64 bytes from 10.16.49.219: icmp_seq=2 ttl=64 time=0.658 ms
64 bytes from 10.16.49.219: icmp_seq=3 ttl=64 time=0.714 ms
64 bytes from 10.16.49.219: icmp_seq=4 ttl=64 time=0.671 ms
64 bytes from 10.16.49.219: icmp_seq=5 ttl=64 time=0.723 ms
^C
--- 10.16.49.219 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4082ms
rtt min/avg/max/mdev = 0.658/0.689/0.723/0.025 ms
  2. Ping from node2 to node1
$ ping 172.31.34.3
PING 172.31.34.3 (172.31.34.3) 56(84) bytes of data.
64 bytes from 172.31.34.3: icmp_seq=1 ttl=64 time=0.733 ms
64 bytes from 172.31.34.3: icmp_seq=2 ttl=64 time=0.730 ms
64 bytes from 172.31.34.3: icmp_seq=3 ttl=64 time=0.719 ms
64 bytes from 172.31.34.3: icmp_seq=4 ttl=64 time=1.46 ms
64 bytes from 172.31.34.3: icmp_seq=5 ttl=64 time=0.982 ms
64 bytes from 172.31.34.3: icmp_seq=6 ttl=64 time=0.753 ms
64 bytes from 172.31.34.3: icmp_seq=7 ttl=64 time=0.806 ms
64 bytes from 172.31.34.3: icmp_seq=8 ttl=64 time=0.730 ms
^C
--- 172.31.34.3 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7070ms
rtt min/avg/max/mdev = 0.719/0.864/1.464/0.240 ms

If the pings succeed, the two hosts reach each other through the IPsec tunnel. The pings match the tunnel policy because each node's source address (172.31.34.3 and 10.16.49.219) lies inside its own leftsubnet. Ping alone does not prove the packets were encrypted, though: also confirm with ip -s xfrm state that the packet counters of the ESP states increase while you ping, or capture on the public interface with tcpdump and check that only ESP or UDP 4500 packets leave the host, never plaintext ICMP.

Troubleshooting:

If the tunnel does not come up, re-check both configuration files (the conn parameters must mirror each other and the PSK must be identical on both peers) and follow charon's log in syslog while restarting ipsec:

tail -f /var/log/syslog | grep charon
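The charon log is verbose, so it helps to know which phrases map to which misconfiguration. The function below is an added example, not code from the original post or from strongSwan: it classifies charon log lines from the command above into the usual causes of a tunnel failing to come up, keying on IKEv2 notify names and charon's own log phrases. The sample log lines are constructed to resemble syslog output, and the cause tags and function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: classify charon log lines
# (as seen via `tail -f /var/log/syslog | grep charon`) into the usual causes
# of a tunnel failing to come up. Matching keys on IKEv2 notify names and
# charon's log phrases; the sample lines below are constructed.
set -eu

# Map one log line to a cause tag. Order matters: the first matching case wins.
triage_line() {
    case "$1" in
        *NO_PROPOSAL_CHOSEN*)
            echo "proposal-mismatch: ike= or esp= differs between the peers" ;;
        *AUTHENTICATION_FAILED*|*"no shared key found"*)
            echo "psk-mismatch: PSK or IDs in ipsec.secrets differ" ;;
        *"no matching peer config"*)
            echo "id-mismatch: leftid/rightid do not match what the peer sends" ;;
        *TS_UNACCEPTABLE*)
            echo "selector-mismatch: leftsubnet/rightsubnet are not mirrored" ;;
        *"giving up after "*" retransmits"*|*"retransmit "*" of request"*)
            echo "no-response: peer down or UDP 500/4500 blocked" ;;
        *" established between "*|*" established with SPIs "*)
            echo "ok" ;;
        *)
            echo "other" ;;
    esac
}

# Read a log on stdin and print each distinct cause once.
triage_log() {
    while IFS= read -r line; do
        triage_line "$line"
    done | sort -u
}

# Constructed sample, shaped like syslog lines from charon on node1.
SAMPLE_LOG='Feb  4 16:50:01 node1 charon: 06[IKE] initiating IKE_SA node1-to-node2[1] to 198.51.100.20
Feb  4 16:50:01 node1 charon: 06[IKE] received NO_PROPOSAL_CHOSEN notify error
Feb  4 16:51:20 node1 charon: 08[IKE] retransmit 1 of request with message ID 0
Feb  4 16:52:45 node1 charon: 09[IKE] no shared key found for 203.0.113.10 - 198.51.100.20
Feb  4 16:53:10 node1 charon: 10[IKE] IKE_SA node1-to-node2[1] established between 172.31.34.3[203.0.113.10]...198.51.100.20[198.51.100.20]'

# Run with the argument demo to triage the constructed sample; on a real host
# pipe the live log in instead: grep charon /var/log/syslog | triage_log
if [ "${1-}" = demo ]; then printf '%s\n' "$SAMPLE_LOG" | triage_log; fi
```

A retransmit line on its own is normal while the peer is still starting; it only points at a blocked port or a wrong right= address when it is followed by "giving up after 5 retransmits" and no ESTABLISHED line ever appears.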

Thank you.

References:

How to Set Up IPsec-based VPN with Strongswan on Debian and Ubuntu

https://docs.strongswan.org/docs/5.9/index.html