Create an IPsec Tunnel
===
###### tags: `Templates` `Meeting`
:::info
- **Location:** RT LAB
- **Date:** August 12, 2024
- **Agenda**
  1. Create an IPsec tunnel for W-AGF
     - VM OS: Ubuntu 20.04.6
     - IP: 192.168.60.14
  2. Create an IPsec tunnel for OAI gNB
     - VM OS: Ubuntu 18.04.6
     - IP: 192.168.60.22
- **Author:** Saffana Zyan DINI
- **Contact:** Zyzy <M11102815@gapps.ntust.edu.tw>
- **Reference:**
  - [strongswan installation guide](https://docs.strongswan.org/docs/5.9/install/install.html)
:::
:dart: Install strongSwan
---
- Install strongSwan (the `strongswan-starter` daemon package and the `strongswan-pki` certificate tool)
```
sudo apt-get install strongswan-starter
sudo apt-get install strongswan-pki
```

- Create the PKI working directory and restrict it to the current user (it will hold private keys)
```
mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki
```
- Generate the CA key and certificate, then a key and CA-signed certificate for each server
```
# Generate CA Private Key
ipsec pki --gen --outform pem > ~/pki/private/ca-key.pem
# Generate CA Certificate
ipsec pki --self --in ~/pki/private/ca-key.pem --dn "CN=VPN CA" --ca --outform pem > ~/pki/cacerts/ca-cert.pem
# Generate Server A Private Key
ipsec pki --gen --outform pem > ~/pki/private/server-a-key.pem
# Generate Server A Certificate
ipsec pki --pub --in ~/pki/private/server-a-key.pem | ipsec pki --issue --lifetime 3650 \
--cacert ~/pki/cacerts/ca-cert.pem --cakey ~/pki/private/ca-key.pem \
--dn "CN=server-a" --san "server-a" --outform pem > ~/pki/certs/server-a-cert.pem
# Generate Server B Private Key
ipsec pki --gen --outform pem > ~/pki/private/server-b-key.pem
# Generate Server B Certificate
ipsec pki --pub --in ~/pki/private/server-b-key.pem | ipsec pki --issue --lifetime 3650 \
--cacert ~/pki/cacerts/ca-cert.pem --cakey ~/pki/private/ca-key.pem \
--dn "CN=server-b" --san "server-b" --outform pem > ~/pki/certs/server-b-cert.pem
```
- Copy the certificates and keys to the locations strongSwan reads. Each server gets only its own private key, but both server certificates, because `rightcert=` in `ipsec.conf` names the peer's certificate file and the connection fails to load if it is missing
```
# On Server A (192.168.60.14)
sudo mkdir -p /etc/ipsec.d/{private,certs,cacerts}
sudo cp ~/pki/private/server-a-key.pem /etc/ipsec.d/private/
sudo cp ~/pki/certs/server-a-cert.pem /etc/ipsec.d/certs/
# peer certificate, referenced by rightcert=server-b-cert.pem
sudo cp ~/pki/certs/server-b-cert.pem /etc/ipsec.d/certs/
sudo cp ~/pki/cacerts/ca-cert.pem /etc/ipsec.d/cacerts/
```
```
# On Server B (192.168.60.22)
sudo mkdir -p /etc/ipsec.d/{private,certs,cacerts}
sudo cp ~/pki/private/server-b-key.pem /etc/ipsec.d/private/
sudo cp ~/pki/certs/server-b-cert.pem /etc/ipsec.d/certs/
# peer certificate, referenced by rightcert=server-a-cert.pem
sudo cp ~/pki/certs/server-a-cert.pem /etc/ipsec.d/certs/
sudo cp ~/pki/cacerts/ca-cert.pem /etc/ipsec.d/cacerts/
```
:books: Configure IPsec
---
Configure `/etc/ipsec.conf` on Server A (192.168.60.14). Parameter lines inside a section must be indented; an unindented line starts a new section:
```conf
config setup
    charondebug="ike 2, knl 2, cfg 2"

conn %default
    keyexchange=ikev2
    authby=pubkey
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

conn site-to-site
    left=192.168.60.14
    leftid=@server-a
    leftcert=server-a-cert.pem
    leftsendcert=always
    # /32 gives a host-to-host tunnel between the two VMs. With /24 both selectors
    # become 192.168.60.0/24 and every packet on the LAN is forced into the tunnel.
    leftsubnet=192.168.60.14/32
    right=192.168.60.22
    rightid=@server-b
    rightcert=server-b-cert.pem
    rightsubnet=192.168.60.22/32
    auto=start
```
Configure `/etc/ipsec.conf` on Server B (192.168.60.22), the mirror image of Server A:
```conf
config setup
    charondebug="ike 2, knl 2, cfg 2"

conn %default
    keyexchange=ikev2
    authby=pubkey
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

conn site-to-site
    left=192.168.60.22
    leftid=@server-b
    leftcert=server-b-cert.pem
    leftsendcert=always
    # /32 for the same reason as on Server A: host-to-host, not the whole LAN
    leftsubnet=192.168.60.22/32
    right=192.168.60.14
    rightid=@server-a
    rightcert=server-a-cert.pem
    rightsubnet=192.168.60.14/32
    auto=start
```
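Before starting the daemons it is worth checking that the two `ipsec.conf` files actually mirror each other, since a single mismatched `rightid`, a proposal typo, or a host address written with a network prefix is enough to keep the tunnel down or to tunnel the wrong traffic. The script below is an added example, not part of the original notes: it parses the small `ipsec.conf` subset used here (sections with indented `key=value` lines, `conn %default` merged into each conn) and reports inconsistencies. The two configs are inline copies of the ones above; the `/24` on the host addresses is kept on purpose so the subnet check has something to report. The function names are mine.

```python
"""Cross-check the two strongSwan ipsec.conf files of a site-to-site conn (added example)."""
import ipaddress

COMMON = """\
config setup
    charondebug="ike 2, knl 2, cfg 2"
conn %default
    keyexchange=ikev2
    authby=pubkey
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
"""
# Inline copies of the two configs from the notes, with /24 on host addresses (deliberately wrong)
SERVER_A_CONF = COMMON + """\
conn site-to-site
    left=192.168.60.14
    leftid=@server-a
    leftcert=server-a-cert.pem
    leftsendcert=always
    leftsubnet=192.168.60.14/24
    right=192.168.60.22
    rightid=@server-b
    rightcert=server-b-cert.pem
    rightsubnet=192.168.60.22/24
    auto=start
"""
SERVER_B_CONF = COMMON + """\
conn site-to-site
    left=192.168.60.22
    leftid=@server-b
    leftcert=server-b-cert.pem
    leftsendcert=always
    leftsubnet=192.168.60.22/24
    right=192.168.60.14
    rightid=@server-a
    rightcert=server-a-cert.pem
    rightsubnet=192.168.60.14/24
    auto=start
"""


def parse_ipsec_conf(text):
    """Return {conn_name: params}, with conn %default merged into every conn."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line opens a new section
            current = sections.setdefault(line.strip(), {})
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    return {name[5:]: {**default, **params} for name, params in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def check_pair(conf_a, conf_b, conn):
    """Return findings for conn as seen from both ends; an empty list means consistent."""
    a, b = parse_ipsec_conf(conf_a)[conn], parse_ipsec_conf(conf_b)[conn]
    findings = []
    # 1. Whatever one end says about "right*" must be what the other end says about "left*".
    for mine, theirs, me, peer in ((a, b, "A", "B"), (b, a, "B", "A")):
        for sfx in ("", "id", "cert", "subnet"):
            if mine.get("right" + sfx) != theirs.get("left" + sfx):
                findings.append(f"{me}: right{sfx}={mine.get('right' + sfx)} "
                                f"but {peer} has left{sfx}={theirs.get('left' + sfx)}")
    # 2. Auth method and proposals must agree or IKE fails with NO_PROPOSAL_CHOSEN.
    for key in ("keyexchange", "authby", "ike", "esp"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: A={a.get(key)} B={b.get(key)}")
    # 3. Traffic selectors: the kernel installs the network, not the host, and
    #    overlapping selectors pull every LAN packet into the tunnel.
    for me, params in (("A", a), ("B", b)):
        nets = {}
        for key in ("leftsubnet", "rightsubnet"):
            nets[key] = ipaddress.ip_network(params[key], strict=False)
            if str(nets[key]) != params[key]:
                findings.append(f"{me}: {key}={params[key]} has host bits set; installed as {nets[key]}")
        if nets["leftsubnet"].overlaps(nets["rightsubnet"]):
            findings.append(f"{me}: leftsubnet and rightsubnet overlap ({nets['leftsubnet']}); "
                            "use /32 for a host-to-host tunnel")
    return findings


def required_files(params, ipsec_d="/etc/ipsec.d"):
    """Certificate files the conn expects; rightcert= means the peer's cert must be local too."""
    return sorted(f"{ipsec_d}/certs/{params[k]}" for k in ("leftcert", "rightcert") if k in params)


if __name__ == "__main__":
    for finding in check_pair(SERVER_A_CONF, SERVER_B_CONF, "site-to-site"):
        print("FINDING:", finding)
    print("files needed on A:", required_files(parse_ipsec_conf(SERVER_A_CONF)["site-to-site"]))
```

Run it once with the real files (`check_pair(open("/etc/ipsec.conf").read(), <peer's copy>, "site-to-site")`) and then `ls` the paths that `required_files` returns on each server; both lists should be empty of findings and fully present before `ipsec start`.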
Configure `ipsec.secrets` on both servers
Add the following line to `/etc/ipsec.secrets` on each server; the file name refers to that server's own private key under `/etc/ipsec.d/private/`:
On Server A (192.168.60.14):
```conf
: RSA server-a-key.pem
```
On Server B (192.168.60.22):
```conf
: RSA server-b-key.pem
```
- Enable and start the strongSwan service on both servers:
```
sudo systemctl enable strongswan-starter
sudo systemctl start strongswan-starter
```
- Verify the service status:
```
sudo systemctl status strongswan-starter
```

- If the daemon is not running, start it manually:
```
sudo ipsec start
```
- Verify and test the connection. The `site-to-site` IKE SA should be reported as ESTABLISHED and its CHILD SA as INSTALLED; if only the IKE SA is up, the problem is in the traffic selectors or the ESP proposal rather than in authentication:
```
sudo ipsec statusall
```

Debugging with tcpdump
Use tcpdump on both servers to inspect IKE traffic: UDP 500 carries IKE_SA_INIT, and UDP 4500 is used for the rest of the exchange and for ESP-in-UDP when NAT traversal is detected. Options go before the capture filter:
```
sudo tcpdump -i any -n -vv 'udp port 500 or udp port 4500'
```
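tcpdump shows which port the packets use, but not the stage of the handshake each one belongs to. The decoder below is an added example, not part of the original notes: it parses the IKEv2 fixed header (RFC 7296 section 3.1) from a UDP payload, distinguishes IKE from ESP-in-UDP on port 4500 by the four-byte non-ESP marker (RFC 3948 section 2.2), and summarises a sequence of datagrams the way a healthy handshake should look (IKE_SA_INIT request and response, then IKE_AUTH request and response). The SPIs and datagrams at the bottom are constructed for the demonstration, not captured, and the function names are mine.

```python
"""Decode IKEv2 headers from UDP datagrams seen on ports 500/4500 (added example)."""
import struct

HEADER = "!QQBBBBII"  # SPIi, SPIr, next payload, version, exchange type, flags, message id, length
HEADER_LEN = struct.calcsize(HEADER)  # 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE on UDP 4500; ESP never uses SPI 0
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20


def decode(udp_port, payload):
    """Parse one datagram; returns a dict for IKE, or {'kind': 'esp-in-udp'} for tunnelled data on 4500."""
    if udp_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return {"kind": "esp-in-udp"}
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < HEADER_LEN:
        raise ValueError("shorter than an IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = struct.unpack(HEADER, payload[:HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2: major version {version >> 4}")
    if length != len(payload):
        raise ValueError(f"length field {length} does not match datagram size {len(payload)}")
    return {
        "kind": "ike",
        "exchange": EXCHANGE.get(exch, f"unknown({exch})"),
        "role": "response" if flags & FLAG_RESPONSE else "request",
        "from_initiator": bool(flags & FLAG_INITIATOR),
        "spi_i": f"{spi_i:016x}", "spi_r": f"{spi_r:016x}",
        "msg_id": msg_id, "next_payload": nxt,
    }


def summarize(datagrams):
    """One line per (port, payload) datagram, in capture order."""
    out = []
    for port, payload in datagrams:
        d = decode(port, payload)
        if d["kind"] == "ike":
            out.append(f"udp/{port} {d['exchange']} {d['role']} msg_id={d['msg_id']} spi_i={d['spi_i']}")
        else:
            out.append(f"udp/{port} ESP-in-UDP (tunnelled data)")
    return out


def build(spi_i, spi_r, exch, flags, msg_id, next_payload, body, natt=False):
    """Assemble a header plus opaque body; used only to construct the sample datagrams below."""
    hdr = struct.pack(HEADER, spi_i, spi_r, next_payload, 0x20, exch, flags, msg_id, HEADER_LEN + len(body))
    return (NON_ESP_MARKER if natt else b"") + hdr + body


SPI_I, SPI_R = 0x1122334455667788, 0x8877665544332211  # constructed SPIs
SAMPLE = [  # constructed handshake: next payload 33 = SA, 46 = Encrypted and Authenticated
    (500, build(SPI_I, 0, 34, FLAG_INITIATOR, 0, 33, b"\x00" * 16)),
    (500, build(SPI_I, SPI_R, 34, FLAG_RESPONSE, 0, 33, b"\x00" * 16)),
    (4500, build(SPI_I, SPI_R, 35, FLAG_INITIATOR, 1, 46, b"\x00" * 32, natt=True)),
    (4500, build(SPI_I, SPI_R, 35, FLAG_RESPONSE, 1, 46, b"\x00" * 32, natt=True)),
    (4500, b"\x00\x00\x10\x01" + b"\x00" * 40),  # ESP with SPI 0x1001: tunnelled data, not IKE
]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

A capture that stops after the IKE_SA_INIT pair points at authentication (certificate, CA or `leftid`/`rightid` mismatch); one that never shows a response at all points at filtering of UDP 500/4500 between the two VMs. Responder SPIs of all zeros on an IKE_SA_INIT response, or a length field that disagrees with the datagram size, mean the packet is not a well-formed IKEv2 message and the decoder rejects it.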