@awabcodes
Last active June 18, 2022 21:31
[IPSEC Config] #ipsec #tunnel #vpn

Installation

sudo apt install strongswan

Config

Enable packet forwarding

sudo nano /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0

# Apply the edited values without a reboot: sudo sysctl -p

Add secrets

sudo nano /etc/ipsec.secrets
# Local (left) address, remote (right) public address, then the pre-shared key.
# "password" is only a placeholder: use a long random secret, and keep this
# file readable by root only (chmod 600) because it holds the PSK.
{internalIp} {targetPublicIp} : PSK "password"

Config file

sudo nano /etc/ipsec.conf
config setup
	strictcrlpolicy=yes
	uniqueids=no

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	# IKEv1 as in the original setup; use keyexchange=ikev2 where the peer supports it
	keyexchange=ikev1
	authby=secret

conn {connectionName}
	left={internalIp}
	leftsubnet={internalIp}/32
	#leftfirewall=yes
	right={targetPublicIp}
	rightsubnet={targetInternalIp}/32
	# Strict proposals (trailing !): the peer must offer exactly this set.
	# sha1 and modp1536 are legacy choices; move to sha256/modp2048 or stronger when the peer allows.
	ike=aes256-sha1-modp1536!
	esp=aes256-sha1-modp1536!
	# 0 = never give up re-keying
	keyingtries=0
	ikelifetime=1h
	lifetime=8h
	# Dead peer detection: probe every 30 s, declare the peer dead after 120 s, then re-initiate
	dpddelay=30
	dpdtimeout=120
	dpdaction=restart
	auto=start

conn {anotherConnectionName}
	# Inherit every setting from {connectionName}; only the remote subnet differs
	also={connectionName}
	rightsubnet={anotherTargetInternalIp}/32
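The secrets line and the conn sections above are easy to get subtly wrong by hand (a typo in an address, the literal "password" left in place, a secrets file readable by everyone). The following POSIX sh helper is an added example, not part of the gist or of strongSwan: it renders both files from explicit parameters, validates the addresses, refuses weak or unquotable secrets, and writes ipsec.secrets with mode 0600. All function names, the conn name site1, the addresses and the secret in the usage line are this example's own constructed placeholders; the default proposal it renders (aes256-sha256-modp2048) is this example's choice, whereas the gist uses aes256-sha1-modp1536, and whichever you pick must match the peer exactly.

```shell
#!/bin/sh
# Added example (not part of the gist): render strongSwan ipsec.secrets and
# ipsec.conf from parameters, refusing obvious mistakes. Addresses, names
# and the secret in the usage line are constructed placeholders.

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
valid_ipv4() {
    addr=$1
    case $addr in
        *..* | .* | *.) return 1 ;;   # empty octet at start, middle or end
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            '' | *[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_psk SECRET: reject the gist's "password" placeholder, secrets shorter
# than 20 characters, and characters that would break the PSK "..." syntax.
check_psk() {
    psk=$1
    [ "$psk" != "password" ] || return 1
    [ ${#psk} -ge 20 ] || return 1
    case $psk in
        *'"'* | *\\*) return 1 ;;
    esac
    return 0
}

# gen_psk: 32 random bytes as 64 hex characters, safe inside PSK "...".
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# render_secret LEFT RIGHT SECRET: the single ipsec.secrets line.
render_secret() {
    valid_ipv4 "$1" && valid_ipv4 "$2" && check_psk "$3" || return 1
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# render_conn NAME LEFT RIGHT RIGHTSUBNET PROPOSAL: one host-to-host conn
# section in the gist's layout. PROPOSAL becomes the strict ike/esp proposal
# (trailing !), so it has to match what the peer offers.
render_conn() {
    valid_ipv4 "$2" && valid_ipv4 "$3" && valid_ipv4 "$4" || return 1
    [ -n "$5" ] || return 1
    printf 'conn %s\n' "$1"
    printf '\tleft=%s\n\tleftsubnet=%s/32\n' "$2" "$2"
    printf '\tright=%s\n\trightsubnet=%s/32\n' "$3" "$4"
    printf '\tike=%s!\n\tesp=%s!\n' "$5" "$5"
    printf '\tkeyingtries=0\n\tikelifetime=1h\n\tlifetime=8h\n'
    printf '\tdpddelay=30\n\tdpdtimeout=120\n\tdpdaction=restart\n'
    printf '\tauto=start\n'
}

# write_files DIR NAME LEFT RIGHT RIGHTSUBNET SECRET: write DIR/ipsec.secrets
# (mode 0600, it holds the PSK) and DIR/ipsec.conf. Use DIR=/etc on the host;
# the usage line below targets a scratch directory instead.
write_files() {
    dir=$1
    secret_line=$(render_secret "$3" "$4" "$6") || return 1
    conn_text=$(render_conn "$2" "$3" "$4" "$5" aes256-sha256-modp2048) || return 1
    ( umask 077 && printf '%s\n' "$secret_line" > "$dir/ipsec.secrets" ) || return 1
    chmod 600 "$dir/ipsec.secrets" || return 1
    {
        printf 'config setup\n\tstrictcrlpolicy=yes\n\tuniqueids=no\n\n'
        printf 'conn %%default\n\tikelifetime=60m\n\tkeylife=20m\n\trekeymargin=3m\n'
        printf '\tkeyingtries=1\n\tkeyexchange=ikev1\n\tauthby=secret\n\n'
        printf '%s\n' "$conn_text"
    } > "$dir/ipsec.conf"
}

# usage: sh render_ipsec.sh DIR NAME LEFT RIGHT RIGHTSUBNET SECRET
# e.g.   sh render_ipsec.sh /tmp/ipsec-test site1 10.0.0.5 203.0.113.9 10.1.0.7 "$(gen_psk)"
if [ $# -eq 6 ]; then
    write_files "$@"
fi
```

After writing the real files, the gist's management commands still apply: `sudo ipsec rereadsecrets` picks up the new PSK and `sudo ipsec reload` re-reads ipsec.conf without a full restart.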

Management commands

sudo ipsec statusall
# restart tears down every tunnel; after editing the files prefer
# 'sudo ipsec reload' (ipsec.conf) and 'sudo ipsec rereadsecrets' (ipsec.secrets)
sudo ipsec restart
# bring a connection up by hand (auto=start already does this when the daemon starts)
sudo ipsec up {connectionName}
sudo ipsec up {anotherConnectionName}
sudo ipsec down {connectionName}
sudo ipsec down {anotherConnectionName}