Site to Site IPSec VPN with strongSwan and OpenStack VPNaaS (IPsec)

Setup

# Left (Ubuntu client, behind NAT)
Ubuntu Client IP: 212.8.9.10
Ubuntu net: 192.168.178.0/24
 
# Right (OpenStack VPNaaS)
VPN_SERVICE_ID=$(openstack vpn service list -c ID -f value)
VPN_SERVICE_IP=$(openstack vpn service show ${VPN_SERVICE_ID} -c external_v4_ip -f value)
echo ${VPN_SERVICE_IP}
 
OpenStack VPN IP: 217.50.60.70
OpenStack Net: 10.0.1.0/24

Create OpenStack VPN endpoint
http://www.panticz.de/openstack/vpnaas

/etc/ipsec.secrets

217.50.60.70 : PSK "PASS1234"

/etc/ipsec.conf

config setup
 
conn vpn1
 keyexchange=ikev1
 left=%defaultroute
 leftid=212.8.9.10
 leftsubnet=192.168.178.0/24
 leftauth=psk
 leftfirewall=yes
 authby=psk
 auto=start
 ike=aes256-sha512-modp1024
 esp=aes256-sha512
 right=217.50.60.70
 rightsubnet=10.0.1.0/24
 rightauth=psk
 ikelifetime=3600s
 keylife=3600s
 type=tunnel

CLI

sudo ipsec status
sudo ipsec statusall
sudo ipsec restart
 
sudo ipsec up vpn1
sudo ipsec down vpn1
 
sudo ipsec listalgs

List

openstack vpn ipsec site connection list
openstack vpn endpoint group list
openstack vpn service list
openstack vpn ipsec policy list
openstack vpn ike policy list

Delete

openstack vpn ipsec site connection delete conn1
openstack vpn endpoint group delete ep-subnet
openstack vpn endpoint group delete ep-cidr
openstack vpn service delete vpn1
openstack vpn ipsec policy delete ipsec-aes256-sha512
openstack vpn ike policy delete ike-aes256-sha512

NetworkManager

sudo apt-get install network-manager-l2tp-gnome
sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
journalctl -f -u NetworkManager.service
 
# fixme:
... NetworkManager[459580]: parsed INFORMATIONAL_V1 request 2368110922 [ HASH N(AUTH_FAILED) ]
... NetworkManager[459580]: received AUTHENTICATION_FAILED error notify

Links
https://sysadmins.co.za/setup-a-site-to-site-ipsec-vpn-with-strongswan-on-ubuntu/
https://mlohr.com/fritzbox-lan-2-lan-vpn-with-strongswan/
https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan