Simple VPN construction of IPsec gateway with CentOS 8 and openSUSE (Raspberry Pi) ―― 1. StrongSwan introduced

Assumptions and preparations

Linux server building article

-Building a file server with Samba (CentOS 8.1 / openSUSE 15.1 / Ubuntu 20.04) -Source compilation of Apache2.4 + PHP7.4 on Linux-- 1. Apache introduction / [Raspberry Pi] / items / 67686eccaaec73251458) -Source compilation of Apache2.4 + PHP7.4 on Linux-- 2. PHP introduction / [[Raspberry Pi]](https://qiita.com/kazumi75kitty / items / 50f1a447f6ebc2ee2b61) -Source compilation of Apache2.4 + PHP7.4 on Linux-- 3. MySQL introduction/[[Raspberry Pi]](https://qiita.com/kazumi75kitty / items / 4212dacc45944f27ca94) -Apache2.4 + PHP7.4 on Linux --4 Security (chown and firewalld) --VPN construction of IPsec gateway on Linux --1 StrongSwan introduction [This article] / [Ubuntu 20.04 + Raspberry Pi] -Build an IPsec gateway on Linux for VPN-- 2. Check connection to VPN / [[Ubuntu 20.04 + Raspberry Pi]](https://qiita.com / kazumi75kitty / items / c83f920f052d83d62457)

Even an individual can connect and install in at least 7 to 8 hours if they can handle Linux commands ✩ °. ⋆⸜ (\ * ॑ ꒳ ॑ \ *) ⸝ It costs 2000 yen per hour to work alone. Then, the work cost is about 16000 yen ... [It seems more efficient to work on multiple machines at the same time ... I feel that it seems that one person can work on 2 or 3 machines at the same time]

The IPsec gateway can be done with Raspberry Pi and a used laptop as long as you can compile the source of StrongSwan, so if you really want to keep the network in a secure VPN area, this construction method may be the best, so please try it. I did! (˶ ・ ᴗ ・) ੭⚐⚑

environment

Premise

--Minimal installation of OS. Also, the OS must be updated in the latest state. --User installed as root (in my verification, it is an administrator account called admin, and it is processed by sudo from there) --For all distributions, the firewall uses firewalld (I want to use firewalld for common operations in the distribution rather than the firewall in the distribution dialect). --For CentOS, do not use SELinux with built-in file system because SELinux is complicated (restart is required after editing / etc / selinux / config), and use firewalld.

CentOS8.1


# vi /etc/selinux/config

/etc/selinux/config


SELINUX=disabled

CentOS8.1


# reboot

Server conditions

IP address and network construction diagram

--Network segment: --Internet connection possible: 192.168.1.0/24 --Raspberry Pi (negotiation receiving side on the left of the figure) Secure segment: 192.168.2.0/24 --CentOS 8 (negotiation originator on the right of the figure) Secure segment: 192.168.5.0/24

Ability and version to download and install individual packages (as of September 2020)

Other required packages are installed with the distribution's standard package commands (dnf, apt, etc.) and do not need to be downloaded individually.

For download, you can access the official website, download from there and transfer it by FTP, or you can get it with wget if you know the URL of the download file, but the acquisition method is omitted.

Work procedure

Preparation

Install make, cmake, package decompression function

Install per distribution on Hyper-V virtual machine and Raspberry Pi (source compilation is the same for both)

CentOS8.1(Hyper-V/x64)


# dnf -y install make cmake tar bzip2

openSUSE15.1(RaspberryPi)


# zypper -n install make cmake tar bzip2

Install GCC and C ++ compiler

CentOS8.1(Hyper-V/x64)


# dnf -y install gcc gcc-c++

openSUSE15.1(RaspberryPi)


# zypper -n install gcc gcc-c++

zlib source installation

I installed zlib without changing the default location. Source compilation is the same for Hyper-V virtual machines and Raspberry Pi

# cd [The directory where the zlib archive files are located]
# tar zxvf zlib-1.2.11.tar.gz
# cd zlib-1.2.11/
# ./configure
# make
# make install

Enable IP forwarding

IP forwarding must be enabled in order to operate as an IPsec gateway, so enable it. In CentOS 8.1 of the Hyper-V virtual machine, enable the transfer by executing the following command. Raspberry Pi's openSUSE can be set in YaST.

CentOS8.1(Hyper-V/x64)


# cat /proc/sys/net/ipv4/ip_forward
0
# vi /etc/sysctl.d/01-ipv4fwd.conf

conf:/etc/sysctl.d/01-ipv4fwd.conf(CentOS)


# Controls IP packet forwarding
net.ipv4.ip_forward = 1

openSUSE15.1(RaspberryPi)


# yast
[After that, enable IPv4 forwarding from the network and security settings according to the YaST settings.]

Expansion of network adapters in the VPN area

For both Hyper-V virtual machine and Raspberry Pi, ** turn off the power once ** to enable IP transfer + add a network adapter. In my case, Raspberry Pi added a wired LAN adapter for VPN via USB, and Hyper-V added a network adapter in the settings.

After the expansion, check if "eth1" is added, but of course the IP address has not been assigned yet.

# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether [MAC address of the network adapter from the beginning] brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.18/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 [IPv6 address of the network adapter from the beginning] scope global dynamic noprefixroute
       valid_lft 14373sec preferred_lft 12573sec
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether [MAC address of the extension network adapter] brd ff:ff:ff:ff:ff:ff
    inet6 [IPv6 address of extension network adapter] scope link noprefixroute
       valid_lft forever preferred_lft forever

# ip route

default via 192.168.1.1 dev eth0 proto static metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.18 metric 100

In the case of CentOS, the command is used to enable IP forwarding, so check if it is enabled (ip_forward is 1).

CentOS8.1(Hyper-V/x64)


# cat /proc/sys/net/ipv4/ip_forward
1

# sysctl --system
…(Omission)
* Applying /etc/sysctl.d/01-ipv4fwd.conf ...
net.ipv4.ip_forward = 1
…(Omission)

Install the packages required to compile StrongSwan with the distribution standard package command

Note: If you do not execute it even if it is troublesome, you will get an error saying that there is no package and the compilation will be stopped (´ • ω • ̥`)

CentOS8.1(Hyper-V/x64)


# dnf -y install gmp-devel openssl-devel

openSUSE15.1(RaspberryPi)


# zypper -n install gmp-devel libopenssl-devel

Installation of source compilation for StrongSwan 5.9.0

Common to Hyper-V virtual machines and Raspberry Pi. This process took quite a while (especially for the Raspberry Pi, it took 20-30 minutes)

configure and make

# cd [strongswan-5.9.0.tar.Directory where gz is located]
# tar xvzf strongswan-5.9.0.tar.gz
# cd strongswan-5.9.0/
# ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl
# make
# make install

If you can compile without error, the installation is complete ♪ (\ * ˘︶˘ \ *) ...: \ * ♡

StrongSwan Preferences

When StrongSwan is installed by source compilation, the configuration file is stored in /etc/ipsec.conf, and the IPsec connection settings are set in it.

[Apache basic settings]
# vi /etc/ipsec.conf

The side that establishes IPsec (the one that sends the establishment), yes, first set up CentOS 8.1 of Hyper-V. As described in the "Server conditions" section, from the Hyper-V machine side, your IP address will be 192.168.1.18 and the Raspberry Pi of the establishment partner will be 192.168.1.22, so write the pair to the configuration file.

"Left" writes the information of the person who negotiates the establishment, and "right" writes the information of the person to establish (from StrongSwan official manual. / ConnSection)))

CentOS8.1(Hyper-V/x64)


…
#Add the following
conn [Distinguished name Example: linux-2-linux]
      authby=secret
      auto=start				#Send IPsec negotiations
      closeaction=restart
      dpdaction=restart
      left=192.168.1.18			#left is your own IPsec gateway
      leftid=192.168.1.18		#ID that identifies you to negotiate IPsec
      leftsubnet=192.168.5.0/24
      right=192.168.1.22		#right is the other IPsec gateway
      rightid=192.168.1.22		#ID that identifies the IPsec negotiating partner
      rightsubnet=192.168.2.0/24
…

By the way, for the ID, I used the IP address for simplicity in my case, but a character string is also OK. And since leftsubnet and rightsubnet are VPN areas that you and the other party are in charge of, leftsubnet is your own VPN area, so 192.168.5.0/24, and rightsubnet is your partner's Raspberry Pi VPN area, so 192.168.2.0/ I put in 24.

Next, set up openSUSE for Raspberry Pi. As described in the "Server conditions" section, the IP address to be established is 192.168.1.22, and the Hyper-V CentOS 8 on the other side to be established is 192.168.1.18, so what is Hyper-V (CentOS 8)? Write the reverse content to the configuration file.

openSUSE15.1(RaspberryPi)


#Add the following
conn [Distinguished name Example: linux-2-linux]
      authby=secret
      auto=add				#Receive IPsec negotiations
      closeaction=clear
      dpdaction=clear
      left=192.168.1.22
      leftid=192.168.1.22
      leftsubnet=192.168.2.0/24
      right=192.168.1.18
      rightid=192.168.1.18
      rightsubnet=192.168.5.0/24

The point is that by setting auto = add, it is set on the receiving side of the IPsec establishment negotiation, and the contents of left and right are reversed. That way, if the distinguished names (the string after conn) match, you can establish an IPsec connection.

StrongSwan's default is PSK, which uses AES / SHA encryption as standard. If it is necessary to set other encryption methods, set them separately, but omit them here.

As an aside, StrongSwan at this point supports NAT-T, and IPsec can be applied to NAT (in the past, IPsec could not be applied to NAT), so NAT is used on the Internet. It seems that even the space that is being used can communicate VPN built with StrongSwan over the Internet (although I have never experimented with it ...).

[StrongSwan key setting]
# vi /etc/ipsec.secrets

/etc/ipsec.secrets


…
: PSK "[Appropriate string: Example ... kazumi75kitty]"
…

Since we are using the default PSK method, we will make it the same for both Hyper-V virtual machines and Raspberry Pi.

Launch StrongSwan

Service startup script creation & activation

Now that you have the necessary environment settings for StrongSwan, I would like to be able to start it. Since the startup script is Systemd, create it in / etc / systemd / system

# cd /etc/systemd/system
# vi strongswan.service

strongswan.service


[Unit]
Description=strongSwan

[Service]
Type=forking
ExecStart=/usr/sbin/ipsec start
ExecStop=/usr/sbin/ipsec stop

[Install]
WantedBy=multi-user.target

The Systemd script is not explained in detail here, but since the start and stop are executed in the background from the parent process, the Type of [Service] is forking in strongSwan.

firewalld settings

Next, in the firewalld settings, IPsec is accepted (the encrypted data itself exchanged by IPsec and IPsec negotiations can be accepted). However, with the settings here, tunneling is not specified. 192.168.1.0/24 Internal limitation is not specified, and IPsec packets can be received from other network segments if they can pass. However, if you take measures up to this point, it will be complicated, so for the sake of simplicity, we will only allow IPsec.

# firewall-cmd --permanent --add-service=ipsec
# firewall-cmd --reload

# firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ipsec
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" port port="12345" protocol="tcp" accept

This command is common to both Hyper-V virtual machines and Raspberry Pi.

Start up and check operation

Let's start it. Always start with enable Enable & confirm that status is "Active" and "Running".

** First, StrongSwan is started from the side that receives the IPsec establishment negotiation, and then it is started in the order of the side that sends the IPsec establishment **. Here, after starting StrongSwan of Raspberry Pi, StrongSwan of Hyper-V virtual machine is started.

# systemctl start strongswan
# systemctl enable strongswan
# systemctl status strongswan

起動成功

Check that the Hyper-V virtual machine and Raspberry Pi are set to "Active" and "Running", and finally check if IPsec tunneling is established.

CentOS8.1(Hyper-V/x64)


# /usr/sbin/ipsec status
Security Associations (1 up, 0 connecting):
linux-2-linux[1]: ESTABLISHED 2 minutes ago, 192.168.1.18[192.168.1.18]...192.168.1.22[192.168.1.22]
linux-2-linux{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ********_i ********_o
linux-2-linux{1}:   192.168.5.0/24 === 192.168.2.0/24

# ip xfrm policy
src 192.168.5.0/24 dst 192.168.2.0/24
        dir out priority 375423 ptype main
        tmpl src 192.168.1.18 dst 192.168.1.22
                proto esp spi 0x******** reqid 1 mode tunnel
src 192.168.2.0/24 dst 192.168.5.0/24
        dir fwd priority 375423 ptype main
        tmpl src 192.168.1.22 dst 192.168.1.18
                proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 192.168.5.0/24
        dir in priority 375423 ptype main
        tmpl src 192.168.1.22 dst 192.168.1.18
                proto esp reqid 1 mode tunnel

openSUSE15.1(RaspberryPi)


# /usr/sbin/ipsec status
Security Associations (1 up, 0 connecting):
linux-2-linux[1]: ESTABLISHED 2 minutes ago, 192.168.1.22[192.168.1.22]...192.168.1.18[192.168.1.18]
linux-2-linux{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ********_i ********_o
linux-2-linux{1}:   192.168.2.0/24 === 192.168.5.0/24

# ip xfrm policy
src 192.168.2.0/24 dst 192.168.5.0/24
        dir out priority 375423 ptype main
        tmpl src 192.168.1.22 dst 192.168.1.18
                proto esp spi 0x******** reqid 1 mode tunnel
src 192.168.5.0/24 dst 192.168.2.0/24
        dir fwd priority 375423 ptype main
        tmpl src 192.168.1.18 dst 192.168.1.22
                proto esp reqid 1 mode tunnel
src 192.168.5.0/24 dst 192.168.2.0/24
        dir in priority 375423 ptype main
        tmpl src 192.168.1.18 dst 192.168.1.22
                proto esp reqid 1 mode tunnel

IPsec tunneling has been successfully established with Hyper-V virtual machines and Raspberry Pi (˶ ・ ᴗ ・) ੭⚐⚑

Bonus (specify a character string such as domain for the ID of ipsec.conf)

In the StrongSwan configuration file /etc/ipsec.conf, even if you use a character string instead of an IP address with leftid or rightid, the capture screen will be posted (\ * ´꒳` \ *)

Maybe this one is easier to understand. In the example, "raspberry pi" and "test only @ kazumi-jam" are distinguished. ipsec.confのIDに文字列やドメインを指定する

Supplement (when IPsec tunneling goes through NAT)

I don't have an easy-to-understand image yet, but for the left and right IP addresses in ipsec.conf, enter your own IP address and the IP address of the other party after NAT conversion as seen from you. At that time, it is necessary that the left id and the right id match each other in pairs.

Example: 192.168.1.0/24 → When 192.168.120.0/28 is partitioned by NAT

IPsecGW-1 (within 192.168.1.0/24)  left=192.168.1.22  leftid="gw1"  right=192.168.1.18  rightid="gw2" IPsecGW-2 (within 192.168.120.0/28)  left=192.168.120.1  leftid="gw2"  right=192.168.120.3  rightid="gw1"

In this way, IPsec can be established by entering an IP address that takes NAT into consideration, but I will post more details later.

next time

With the introduction of StrongSwan, the construction of the IPsec gateway was completed on CentOS 8.1 on Raspberry Pi and Hyper-V. Next, connect the client and server to the VPN connected to the IPsec gateway and try to connect to each other (˶˙ᵕ˙˶).

Recommended Posts

Simple VPN construction of IPsec gateway with CentOS 8 and openSUSE (Raspberry Pi) ―― 1. StrongSwan introduced
IPsec gateway VPN construction with CentOS 8 and openSUSE (Raspberry Pi) --2 StrongSwan VPN connection confirmation
Simple VPN construction of IPsec gateway with Ubuntu 20.04 and Raspberry Pi --2 StrongSwan VPN connection confirmation
VPN server construction with Raspberry Pi
Production of temperature control system with Raspberry Pi and ESP32 (1)
Graph display of household power consumption with 3GPI and Raspberry Pi
Make a wireless LAN Ethernet converter and simple router with Raspberry Pi
Production of temperature control system with Raspberry Pi and ESP32 (2) Production of transmission device
Pet monitoring with Rekognition and Raspberry pi
I tweeted the illuminance of the room with Raspberry Pi, Arduino and optical sensor
MQTT RC car with Arduino and Raspberry Pi
CSV output of pulse data with Raspberry Pi (CSV output)
Get CPU information of Raspberry Pi with Python
Get temperature and humidity with DHT11 and Raspberry Pi
Measure CPU temperature of Raspberry Pi with Python
Distributed environment construction with Raspberry PI series (Part 4: NFS server construction and client OS import)
Record temperature and humidity with systemd on Raspberry Pi
Machine learning with Raspberry Pi 4 and Coral USB Accelerator
Easy IoT to start with Raspberry Pi and MESH
Detect mask wearing status with OpenCV and Raspberry Pi
Take the value of SwitchBot thermo-hygrometer with Raspberry Pi
Measure temperature and humidity with Raspberry Pi3 and visualize with Ambient
Log the value of SwitchBot thermo-hygrometer with Raspberry Pi
Ubuntu 20.04 on raspberry pi 4 with OpenCV and use with python
Installation of Docker on Raspberry Pi and L Chika
Getting Started with Yocto Project with Raspberry Pi 4 and WSL2
Troubleshoot with installing OpenCV on Raspberry Pi and capturing
Let's operate GPIO of Raspberry Pi with Python CGI
Easily make a TweetBot that notifies you of temperature and humidity with Raspberry Pi + DHT11.
Distributed environment construction with Raspberry PI series (7: tftp route setting and startup test for each Raspberry Pi)