Site to Site IPSec VPN with strongSwan and OpenStack VPNaaS (IPsec)

List

# Inventory of the VPNaaS objects that make up one site-to-site setup, listed
# in dependency order (connection -> endpoint groups -> service -> policies).
for resource in 'ipsec site connection' 'endpoint group' 'service' 'ipsec policy' 'ike policy'; do
  # shellcheck disable=SC2086 -- the subcommand words are meant to be split
  openstack vpn ${resource} list
done

Setup

# install strongSwan (the IKE daemon used for the left side of the tunnel)
sudo apt-get install --yes strongswan
 
# Left (Peer client, behind NAT)
Ubuntu Client IP: 212.8.9.10
Ubuntu net: 192.168.178.0/24
 
OpenStack VPN IP: 217.50.60.70
OpenStack Net: 10.0.1.0/24

Create OpenStack VPN endpoint
http://www.panticz.de/openstack/vpn-fritzbox

/etc/ipsec.conf

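# Peer, e.g. FritzBox
# Public address of this side, used as leftid. Fetched over HTTPS: the value
# goes straight into the IKE configuration, and plain http would let anyone on
# the path hand us an arbitrary identity. -f turns HTTP errors into a non-zero
# exit instead of silently producing an empty or HTML-shaped value.
VPN_LEFT_IP=$(curl -fsS https://ipinfo.io/ip)
[[ "${VPN_LEFT_IP}" =~ ^[0-9]+(\.[0-9]+){3}$ ]] \
  || echo "warning: VPN_LEFT_IP does not look like an IPv4 address: '${VPN_LEFT_IP}'" >&2

# Directly connected network of the default-route interface, e.g. 192.168.178.0/24.
# The earlier `ip -o -4 a | grep -v ": lo" | cut -d " " -f7` returned the host
# address with its prefix length (192.168.178.5/24, not the network) and one
# line per non-loopback address, so a machine with a second interface
# (docker0, a tun device) ended up with a multi-line leftsubnet=.
# Assumes a "default via GW dev IF" route exists.
VPN_LEFT_IF=$(ip -o -4 route show default | awk '{print $5; exit}')
VPN_LEFT_NET=$(ip -o -4 route show dev "${VPN_LEFT_IF:?no default route found}" scope link | awk '{print $1; exit}')
: "${VPN_LEFT_NET:?could not determine the local network of ${VPN_LEFT_IF}}"
 
# Right (OpenStack VPNaaS)
# OpenStack VPN Service IP:
# VPN_SERVICE_ID=$(openstack vpn service list -c ID -f value)
# openstack vpn service show ${VPN_SERVICE_ID} -c external_v4_ip -f value
VPN_RIGHT_IP=1.2.3.4
 
# OpenStack subnet netmask
# for each subnet:
# openstack vpn ipsec site connection list -f json --long | jq -r ".[] | select(.\"VPN Service\" == \"${VPN_SERVICE_ID}\") .\"Local Endpoint Group ID\""
# openstack subnet show ${SUBNET_ID} -c cidr -f value
VPN_RIGHT_NET=10.0.1.0/24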
 
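# Write the site-to-site definition to /etc/ipsec.conf.
# Refuse to write the file with an empty leftid/leftsubnet/right/rightsubnet:
# an unset variable would otherwise silently produce a config that cannot
# match the peer (or, for leftsubnet, an empty traffic selector).
: "${VPN_LEFT_IP:?VPN_LEFT_IP must be set}"
: "${VPN_LEFT_NET:?VPN_LEFT_NET must be set}"
: "${VPN_RIGHT_IP:?VPN_RIGHT_IP must be set}"
: "${VPN_RIGHT_NET:?VPN_RIGHT_NET must be set}"
# /etc/ipsec.conf is root-owned: both the backup and the write need sudo
# (the secrets step later on already uses sudo tee). Plain `mv` / `cat >`
# fail with "Permission denied" for a normal user.
sudo mv /etc/ipsec.conf /etc/ipsec.conf.org
# NOTE(review): ike=...-modp1024 (DH group 2) is below current strength
# guidance. It has to match the OpenStack IKE policy, so raise it on both
# sides together (e.g. to a modp2048 IKE policy) rather than here alone.
# The EOF delimiter is intentionally unquoted so ${VPN_*} expand.
sudo tee /etc/ipsec.conf >/dev/null <<EOF
config setup
 
conn vpn1
 keyexchange=ikev1
 left=%defaultroute
 leftid=${VPN_LEFT_IP}
 leftsubnet=${VPN_LEFT_NET}
 leftauth=psk
 leftfirewall=yes
 authby=psk
 auto=start
 ike=aes256-sha512-modp1024
 esp=aes256-sha512
 right=${VPN_RIGHT_IP}
 rightsubnet=${VPN_RIGHT_NET}
 rightauth=psk
 ikelifetime=3600s
 keylife=3600s
 type=tunnel
EOF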

/etc/ipsec.secrets

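# Pre-shared key for the connection. Prompt for it instead of typing
# `PSK=...` on the command line, so the secret is not recorded in the shell
# history; -s suppresses the echo while typing.
# PSK=**********   (placeholder from the original notes)
read -r -s -p 'PSK: ' PSK; echo
: "${PSK:?PSK must not be empty}"
# Append the "<peer ip> : PSK "<key>"" line. The original piped through
# `sudo tee -a` without redirecting stdout, which printed the PSK back to the
# terminal (and into any session log); >/dev/null keeps it off the screen.
printf '%s : PSK "%s"\n' "${VPN_RIGHT_IP:?VPN_RIGHT_IP must be set}" "${PSK}" \
  | sudo tee -a /etc/ipsec.secrets >/dev/null
# The secrets file must not be world-readable.
sudo chmod 600 /etc/ipsec.secrets
#/etc/ipsec.d/ipsec.openstack_vpnaas.secrets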

CLI

# strongSwan control commands; each one is meant to be run on its own.
ipsec_ctl() { sudo ipsec "$@"; }

ipsec_ctl restart        # restart the daemon so the new config and secrets are read
 
ipsec_ctl status         # short per-connection state
ipsec_ctl statusall      # verbose state
 
ipsec_ctl up vpn1        # bring up the conn named in /etc/ipsec.conf
ipsec_ctl down vpn1
 
ipsec_ctl listalgs       # algorithms this build supports (check ike=/esp= values against it)

Delete

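# Delete VPNs
# Manual variant: filter each listing to one project, then delete by ID.
# PROJECT_ID and the *_ID variables are filled in by hand from the listings.
# Expansions are quoted and each delete uses ${VAR:?} so a forgotten or empty
# variable aborts instead of running grep with no pattern or delete with no ID.
# grep -F -- treats the project ID as a literal string, not a regex.
: "${PROJECT_ID:?PROJECT_ID must be set}"
openstack vpn ipsec site connection list --long | grep -F -- "${PROJECT_ID}"
openstack vpn ipsec site connection delete "${IPSEC_SITE_CONNECTION_ID:?}"
openstack vpn endpoint group list --long | grep -F -- "${PROJECT_ID}"
openstack vpn endpoint group delete "${VPN_LOCAL_ENDPOINT_GROUP_ID:?}" "${VPN_PEER_ENDPOINT_GROUP_ID:?}"
openstack vpn service list --long | grep -F -- "${PROJECT_ID}"
openstack vpn service delete "${VPN_SERVICE_ID:?}"
openstack vpn ipsec policy list --long | grep -F -- "${PROJECT_ID}"
openstack vpn ipsec policy delete "${VPN_IPSEC_POLICY_ID:?}"
openstack vpn ike policy list --long | grep -F -- "${PROJECT_ID}"
openstack vpn ike policy delete "${VPN_IKE_POLICY:?}"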
 
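# auto delete all VPN configurations
# Removes EVERY site connection the current credentials can see, then the
# endpoint groups, VPN service and policies each one references, in
# dependency order. Not reversible; check `openstack vpn ipsec site connection list`
# (and the active project) first.
VPN_CONNECTION_JSON=$(openstack vpn ipsec site connection list --long -f json | jq -r '.[]')
VPN_CONNECTION_IDS=$(printf '%s\n' "${VPN_CONNECTION_JSON}" | jq -r '.ID')
 
# shellcheck disable=SC2086 -- IDs are whitespace-separated UUIDs, splitting is intended
for VPN_CONNECTION_ID in ${VPN_CONNECTION_IDS}; do
    echo "${VPN_CONNECTION_ID}"
 
    # Pick only this connection's record. The original ran every jq query
    # against the whole stream, so each iteration got the endpoint, service
    # and policy IDs of ALL connections: the first pass deleted everything
    # and later passes failed on resources that were already gone.
    VPN_CONNECTION=$(printf '%s\n' "${VPN_CONNECTION_JSON}" \
        | jq -c --arg id "${VPN_CONNECTION_ID}" 'select(.ID == $id)')
 
    openstack vpn ipsec site connection delete "${VPN_CONNECTION_ID}"
    LOCAL_ENDPOINT_ID=$(printf '%s\n' "${VPN_CONNECTION}" | jq -r '."Local Endpoint Group ID"')
    PEER_ENDPOINT_ID=$(printf '%s\n' "${VPN_CONNECTION}" | jq -r '."Peer Endpoint Group ID"')
    openstack vpn endpoint group delete "${LOCAL_ENDPOINT_ID}" "${PEER_ENDPOINT_ID}"
    # A service or policy may be referenced by more than one connection; a
    # delete that fails for that reason (or because an earlier iteration
    # already removed it) is reported by the CLI and the loop carries on.
    VPN_SERVICE_ID=$(printf '%s\n' "${VPN_CONNECTION}" | jq -r '."VPN Service"')
    openstack vpn service delete "${VPN_SERVICE_ID}"
    VPN_IPSEC_POLICY=$(printf '%s\n' "${VPN_CONNECTION}" | jq -r '."IPSec Policy"')
    openstack vpn ipsec policy delete "${VPN_IPSEC_POLICY}"
    VPN_IKE_POLICY=$(printf '%s\n' "${VPN_CONNECTION}" | jq -r '."IKE Policy"')
    openstack vpn ike policy delete "${VPN_IKE_POLICY}"
done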

NetworkManager

# NetworkManager front-end. The IPsec-only plugin is the alternative kept here
# for reference:
# sudo apt install network-manager-strongswan
nm_plugin=network-manager-l2tp-gnome
sudo apt-get install "${nm_plugin}"
# Run the plugin service in the foreground with debug output, and follow the
# NetworkManager journal from a second terminal (both run until interrupted).
sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
journalctl --follow --unit=NetworkManager.service
 
# fixme:
... NetworkManager[459580]: parsed INFORMATIONAL_V1 request 2368110922 [ HASH N(AUTH_FAILED) ]
... NetworkManager[459580]: received AUTHENTICATION_FAILED error notify

Links
https://sysadmins.co.za/setup-a-site-to-site-ipsec-vpn-with-strongswan-on-ubuntu/
https://mlohr.com/fritzbox-lan-2-lan-vpn-with-strongswan/
https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan
https://www.networkworld.com/article/2224654/mtu-size-issues.html