Setup
# install sudo apt-get install -y strongswan # Left (Peer client, behind NAT) Ubuntu Client IP: 212.8.9.10 Ubuntu net: 192.168.178.0/24 OpenStack VPN IP: 217.50.60.70 OpenStack Net: 10.0.1.0/24
Create OpenStack VPN endpoint
http://www.panticz.de/openstack/vpnaas
/etc/ipsec.conf
# Peer, e.g. FritzBox VPN_LEFT_IP=$(curl -s ipinfo.io/ip) VPN_LEFT_NET=$(ip -o -4 a | grep -v ": lo" | cut -d " " -f7) # e.g 10.0.100.0/24 # Right (OpenStack VPNaaS) # OpenStack VPN Service IP: # VPN_SERVICE_ID=$(openstack vpn service list -c ID -f value) # openstack vpn service show ${VPN_SERVICE_ID} -c external_v4_ip -f value VPN_RIGHT_IP=1.2.3.4 # OpenStack subnet netmask # for eatch subnet # openstack vpn ipsec site connection list -f json --long | jq -r ".[] | select(.\"VPN Service\" == \"${VPN_SERVICE_ID}\") .\"Local Endpoint Group ID\"" # openstack subnet show ${SUBNET_ID} -c cidr -f value VPN_RIGHT_NET=10.0.1.0/24 mv /etc/ipsec.conf /etc/ipsec.conf.org cat <<EOF> /etc/ipsec.conf config setup conn vpn1 keyexchange=ikev1 left=%defaultroute leftid=${VPN_LEFT_IP} leftsubnet=${VPN_LEFT_NET} leftauth=psk leftfirewall=yes authby=psk auto=start ike=aes256-sha512-modp1024 esp=aes256-sha512 right=${VPN_RIGHT_IP} rightsubnet=${VPN_RIGHT_NET} rightauth=psk ikelifetime=3600s keylife=3600s type=tunnel EOF
/etc/ipsec.secrets
PSK=********** echo ${VPN_RIGHT_IP} : PSK "${PSK}" | sudo tee -a /etc/ipsec.secrets #/etc/ipsec.d/ipsec.openstack_vpnaas.secrets
CLI
sudo ipsec restart sudo ipsec status sudo ipsec statusall sudo ipsec up vpn1 sudo ipsec down vpn1 sudo ipsec listalgs
Delete
# Delete VPNs openstack vpn ipsec site connection list --long | grep ${PROJECT_ID} openstack vpn ipsec site connection delete ${IPSEC_SITE_CONNECTION_ID} openstack vpn endpoint group list --long | grep ${PROJECT_ID} openstack vpn endpoint group delete ${VPN_LOCAL_ENDPOINT_GROUP_ID} ${VPN_PEER_ENDPOINT_GROUP_ID} openstack vpn service list --long | grep ${PROJECT_ID} openstack vpn service delete ${VPN_SERVICE_ID} openstack vpn ipsec policy list --long | grep ${PROJECT_ID} openstack vpn ipsec policy delete ${VPN_IPSEC_POLICY_ID} openstack vpn ike policy list --long | grep ${PROJECT_ID} openstack vpn ike policy delete ${VPN_IKE_POLICY} # auto delete all VPN configurations VPN_CONNECTION_JSON=$(openstack vpn ipsec site connection list --long -f json | jq -r '.[]') VPN_CONNECTION_IDS=$(echo ${VPN_CONNECTION_JSON} | jq -r '.ID') for VPN_CONNECTION_ID in ${VPN_CONNECTION_IDS}; do echo ${VPN_CONNECTION_ID} openstack vpn ipsec site connection delete ${VPN_CONNECTION_ID} LOCAL_ENDPOINT_ID=$(echo ${VPN_CONNECTION_JSON} | jq -r '."Local Endpoint Group ID"') PEER_ENDPOINT_ID=$(echo ${VPN_CONNECTION_JSON} | jq -r '."Peer Endpoint Group ID"') openstack vpn endpoint group delete ${LOCAL_ENDPOINT_ID} ${PEER_ENDPOINT_ID} VPN_SERVICE_ID=$(echo ${VPN_CONNECTION_JSON} | jq -r '."VPN Service"') openstack vpn service delete ${VPN_SERVICE_ID} VPN_IPSEC_POLICY=$(echo ${VPN_CONNECTION_JSON} | jq -r '."IPSec Policy"') openstack vpn ipsec policy delete ${VPN_IPSEC_POLICY} VPN_IKE_POLICY=$(echo ${VPN_CONNECTION_JSON} | jq -r '."IKE Policy"') openstack vpn ike policy delete ${VPN_IKE_POLICY} done
List
openstack vpn ipsec site connection list openstack vpn endpoint group list openstack vpn service list openstack vpn ipsec policy list openstack vpn ike policy list
NetworkManager
# sudo apt install network-manager-strongswan sudo apt-get install network-manager-l2tp-gnome sudo /usr/lib/NetworkManager/nm-l2tp-service --debug journalctl -f -u NetworkManager.service # fixme: ... NetworkManager[459580]: parsed INFORMATIONAL_V1 request 2368110922 [ HASH N(AUTH_FAILED) ] ... NetworkManager[459580]: received AUTHENTICATION_FAILED error notify
Links
https://sysadmins.co.za/setup-a-site-to-site-ipsec-vpn-with-strongswan-on-ubuntu/
https://mlohr.com/fritzbox-lan-2-lan-vpn-with-strongswan/
https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan
https://www.networkworld.com/article/2224654/mtu-size-issues.html