@umardx
Created March 16, 2024 07:53
admin@instance-20240226-151936:~$ curl https://test.co.id -v
*   Trying 10.94.2.24:443...
^C
admin@instance-20240226-151936:~$ sudo ipsec start
Starting strongSwan 5.9.8 IPsec [starter]...
admin@instance-20240226-151936:~$ curl https://test.co.id -v -I
*   Trying 10.94.2.24:443...
* Connected to test.co.id (10.94.2.24) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=findaya.co.id
*  start date: Jan  6 14:07:34 2024 GMT
*  expire date: Apr  5 14:07:33 2024 GMT
*  subjectAltName: host "test.co.id" matched cert's "*.findaya.co.id"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: HEAD]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: test.co.id]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x560613b9bc80)
> HEAD / HTTP/2
> Host: test.co.id
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
HTTP/2 200 
< date: Mon, 26 Feb 2024 16:14:39 GMT
date: Mon, 26 Feb 2024 16:14:39 GMT
< content-type: text/html
content-type: text/html
< content-length: 1167
content-length: 1167
< vary: Accept-Encoding
vary: Accept-Encoding
< last-modified: Mon, 26 Feb 2024 09:44:21 GMT
last-modified: Mon, 26 Feb 2024 09:44:21 GMT
< etag: "65dc5d75-48f"
etag: "65dc5d75-48f"
< accept-ranges: bytes
accept-ranges: bytes
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< via: 1.1 google
via: 1.1 google

< 
* Connection #0 to host test.co.id left intact
admin@instance-20240226-151936:~$ cat /etc/ipsec.conf 
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.
conn gcp-vpn
        authby=secret
        left=%defaultroute
        right=34.101.203.238         # Public IP of GCP VPN gateway
        rightsubnet=10.94.2.24/32    # GCP VM's IP
        keyexchange=ikev2            # Use IKEv2
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start
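Added check, not part of the gist: a small linter that parses a strongSwan ipsec.conf in the format shown above and flags weak IKE/ESP proposal components. The gist's ike= line uses modp1024 (a 1024-bit DH group), which this check reports; the embedded config is a constructed copy of the conn above.

```python
"""Lint a strongSwan ipsec.conf for weak ike=/esp= proposals (added example)."""

# Constructed copy of the gist's config (values taken from the page above).
SAMPLE_CONF = """\
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn gcp-vpn
        authby=secret
        left=%defaultroute
        right=34.101.203.238         # Public IP of GCP VPN gateway
        rightsubnet=10.94.2.24/32    # GCP VM's IP
        keyexchange=ikev2            # Use IKEv2
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        auto=start
"""

# DH groups under 2048 bits and legacy hashes are flagged as weak.
WEAK_DH = {"modp768", "modp1024", "modp1536"}
WEAK_HASH = {"md5", "sha1"}

def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; drops '#' comments and quotes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented: 'config setup' / 'conn <name>'
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def weak_proposals(sections):
    """List (conn, key, algorithm) for every weak component of ike=/esp= lines."""
    findings = []
    for header, kv in sections.items():
        if not header.startswith("conn "):
            continue
        for key in ("ike", "esp"):
            proposals = kv.get(key, "").rstrip("!")   # trailing '!' = strict, not an algorithm
            for prop in proposals.split(","):          # ike= may list several proposals
                for algo in prop.strip().split("-"):
                    if algo in WEAK_DH or algo in WEAK_HASH:
                        findings.append((header[5:], key, algo))
    return findings

if __name__ == "__main__":
    for conn, key, algo in weak_proposals(parse_ipsec_conf(SAMPLE_CONF)):
        print(f"conn {conn}: {key}= uses weak algorithm {algo}")
```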