@hamidrhashmi
Created August 14, 2024 10:02
How to create IPsec Tunnel

Default values (check them first)

sysctl -a | grep "net.ipv4.ip_forward \|net.ipv6.conf.all.forwarding\|net.ipv4.conf.all.accept_redirects\|net.ipv4.conf.all.send_redirects"
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 1

Update these parameters to the following values

sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
sysctl net.ipv4.conf.all.accept_redirects=0
sysctl net.ipv4.conf.all.send_redirects=0

Check the values again

sysctl -a | grep "net.ipv4.ip_forward \|net.ipv6.conf.all.forwarding\|net.ipv4.conf.all.accept_redirects\|net.ipv4.conf.all.send_redirects"
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Make them persistent. `sysctl -p` only reloads /etc/sysctl.conf, so write the four settings into that file (or a file under /etc/sysctl.d/) before running it:

sysctl -p

Install iptables

apt install iptables

GATEWAY 1:

Public IP: 192.168.0.194

Private IP: 192.168.100.3

Private Network: 192.168.100.1/24

Add the NAT rule matching this IP scheme, then list it to verify

iptables -t nat -A POSTROUTING -s 10.124.0.0/20  -d 192.168.100.0/24 -j MASQUERADE
iptables -t nat --list

GATEWAY 2:

Public IP: 192.168.0.173

Private IP: 10.124.0.3

Private Network: 10.124.0.0/20

Add the NAT rule matching this IP scheme, then list it to verify

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 10.124.0.0/20 -j MASQUERADE
iptables -t nat --list
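The two MASQUERADE rules are mirror images derived from the addressing plan above. As an added example (not part of the gist), the Python below reproduces that derivation with the standard `ipaddress` module: it normalises the host-style prefix the gist writes for GATEWAY 1 (`192.168.100.1/24`) to the network it belongs to, checks that the two private networks do not overlap and that each gateway's private address sits inside its own network, and emits the rule each gateway installs. The `Gateway` class and `check_scheme`/`masquerade_rule` helpers are assumptions of this example; the addresses are the gist's.

```python
# Added example: derive and sanity-check the site-to-site NAT rules from the
# IP scheme the gist lists for the two gateways. Not part of the original gist.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:          # hypothetical helper type for this example
    name: str
    public_ip: str
    private_ip: str
    private_net: str    # as written in the gist, e.g. "192.168.100.1/24"


# Values copied from the gist's GATEWAY 1 / GATEWAY 2 sections.
GW1 = Gateway("GATEWAY 1", "192.168.0.194", "192.168.100.3", "192.168.100.1/24")
GW2 = Gateway("GATEWAY 2", "192.168.0.173", "10.124.0.3", "10.124.0.0/20")


def normalized_net(cidr: str) -> ipaddress.IPv4Network:
    """Accept a host-style prefix such as 192.168.100.1/24 and return the
    network it belongs to (192.168.100.0/24); strict parsing would reject it,
    and iptables wants the network address in -s/-d."""
    return ipaddress.ip_network(cidr, strict=False)


def check_scheme(local: Gateway, remote: Gateway) -> list:
    """Return a list of problems with the addressing plan (empty list == OK)."""
    problems = []
    lnet = normalized_net(local.private_net)
    rnet = normalized_net(remote.private_net)
    if lnet.overlaps(rnet):
        problems.append(f"{local.name} and {remote.name} private networks overlap: {lnet} / {rnet}")
    for gw, net in ((local, lnet), (remote, rnet)):
        if ipaddress.ip_address(gw.private_ip) not in net:
            problems.append(f"{gw.name} private IP {gw.private_ip} is outside {net}")
        if ipaddress.ip_address(gw.public_ip) in net:
            problems.append(f"{gw.name} public IP {gw.public_ip} falls inside the private network {net}")
    return problems


def masquerade_rule(local: Gateway, remote: Gateway) -> str:
    """Build the POSTROUTING MASQUERADE rule the gist installs on `local`:
    packets coming from the remote site's network into the local private
    network are source-NATed to the local gateway's own address."""
    src = normalized_net(remote.private_net)
    dst = normalized_net(local.private_net)
    return f"iptables -t nat -A POSTROUTING -s {src} -d {dst} -j MASQUERADE"


if __name__ == "__main__":
    for gw, peer in ((GW1, GW2), (GW2, GW1)):
        print(f"# {gw.name}")
        for p in check_scheme(gw, peer):
            print("WARNING:", p)
        print(masquerade_rule(gw, peer))
```

Running the script prints the two rules as they appear in the gist, with GATEWAY 1's destination already normalised to `192.168.100.0/24`; any overlap or misplaced address is printed as a warning before the rule so it is caught before the tunnel is brought up.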

strongSwan configuration for GATEWAY 1

config setup
        charondebug="all"
        uniqueids=yes
conn devgateway-to-prodgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Command to generate a pre-shared key (used on both gateways, since authby=secret)

head -c 24 /dev/urandom | base64

strongSwan configuration for GATEWAY 2

config setup
        charondebug="all"
        uniqueids=yes
conn prodgateway-to-devgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
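The two `conn` stanzas must describe the same tunnel seen from opposite ends (left/right and the subnets swapped, everything else identical), and `authby=secret` additionally needs the generated PSK placed in `ipsec.secrets` on both gateways, which the gist does not show. As an added example (not the gist's or strongSwan's own code), the Python below parses the two stanzas above, reports any mirror mismatch, flags proposal components a practitioner would want to revisit (the gist's `sha1` and `modp1024`, and the absence of a DH group in `esp`, which in strongSwan means child SAs are rekeyed without PFS), and builds the `ipsec.secrets` line with a PSK made the same way as the gist's `head -c 24 /dev/urandom | base64`. The parser and the `WEAK` table are assumptions of this example; the config text is copied from the gist.

```python
# Added example (not from the gist): parse both gateways' ipsec.conf stanzas,
# verify they describe the same tunnel from opposite ends, flag weak proposal
# components, and build the ipsec.secrets line that authby=secret needs.
import base64
import secrets

# Constructed copies of the two conn stanzas shown in the gist (trimmed to the
# keys this example inspects).
GATEWAY1_CONF = """\
config setup
        charondebug="all"
        uniqueids=yes
conn devgateway-to-prodgateway
        type=tunnel
        keyexchange=ikev2
        authby=secret
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
"""
GATEWAY2_CONF = """\
config setup
        charondebug="all"
        uniqueids=yes
conn prodgateway-to-devgateway
        type=tunnel
        keyexchange=ikev2
        authby=secret
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
"""

# Proposal tokens this example treats as weak (all are real strongSwan keywords).
WEAK = {"sha1": "SHA-1 integrity", "md5": "MD5 integrity", "3des": "3DES cipher",
        "modp1024": "1024-bit DH group", "modp768": "768-bit DH group"}
DH_PREFIXES = ("modp", "ecp", "curve", "x25519", "x448")
MIRRORED = {"left": "right", "right": "left",
            "leftsubnet": "rightsubnet", "rightsubnet": "leftsubnet"}
MUST_MATCH = ("type", "keyexchange", "authby", "ike", "esp")


def parse_ipsec_conf(text: str) -> dict:
    """Return {section: {key: value}}. Unindented lines ('config setup',
    'conn NAME') open a section; indented key=value lines belong to it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments / trailing blanks
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def conn_of(sections: dict) -> dict:
    """The first 'conn ...' section of a parsed file."""
    return next(v for k, v in sections.items() if k.startswith("conn "))


def mirror_mismatches(a: dict, b: dict) -> list:
    """Fields that stop the two ends from describing one tunnel."""
    out = []
    for key, twin in MIRRORED.items():
        if a.get(key) != b.get(twin):
            out.append(f"{key}={a.get(key)!r} on one end vs {twin}={b.get(twin)!r} on the other")
    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            out.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    return out


def weak_settings(conn: dict) -> list:
    """Weak tokens in the ike/esp proposals, plus a missing DH group in esp (no PFS)."""
    findings, tokens = [], {}
    for field in ("ike", "esp"):
        tokens[field] = [t for prop in conn.get(field, "").rstrip("!").split(",")
                         for t in prop.split("-") if t]
        findings += [f"{field}: {t} ({WEAK[t]})" for t in tokens[field] if t in WEAK]
    if not any(t.startswith(DH_PREFIXES) for t in tokens["esp"]):
        findings.append("esp: no DH group, so child SAs are rekeyed without PFS")
    return findings


def new_psk(nbytes: int = 24) -> str:
    """Same construction as the gist's `head -c 24 /dev/urandom | base64`."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def secrets_line(conn: dict, psk: str) -> str:
    """ipsec.secrets entry selecting the PSK by both peer addresses; both
    gateways must carry a line with the identical PSK."""
    return f'{conn["left"]} {conn["right"]} : PSK "{psk}"'
```

Running `weak_settings` on the gist's stanza yields four findings (SHA-1 in both proposals, the 1024-bit group, and no PFS for ESP), while a proposal such as `aes256gcm16-sha384-ecp384!` / `aes256gcm16-ecp384!` yields none; `mirror_mismatches` returns an empty list for the two stanzas above and names the offending field when a subnet is edited on one side only.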

Ref: https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-debian-ubuntu/

Ref: https://www.cbui.dev/setting-up-an-aws-to-digital-ocean-site-to-site-vpn-with-strongswan/

Enjoy 😉
