HOW TO SET UP IPSEC VPN ON CENTOS 7
- Category : Server Administration
- Posted on : Jan 05, 2017
- Views : 2,009
- By : Ingavar J.
What is IPSec?
Internet Protocol Security (IPsec) is an extension to the IP protocol family that secures sessions between two peers through cryptographic authentication. It is a network protocol suite that authenticates and encrypts the packets sent over a network. IPsec can safeguard data transferred between a pair of hosts, a pair of gateways, or between a host and a gateway.
How does an IPSec-based VPN work?
An IPsec VPN is typically established between two gateways (such as firewalls) so that the networks behind them can exchange data and share resources over an encrypted tunnel.
IPsec has two modes, transport mode and tunnel mode; for VPN purposes we use tunnel mode.
To set up our VPN we will be using strongSwan, an open source IPsec-based VPN solution. strongSwan supports both the IKEv1 and IKEv2 key exchange protocols and natively uses the NETKEY IPsec stack of the Linux kernel.
First of all, let's install strongSwan. Open your terminal and type the following:
yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/e/epel-release-7-9.noarch.rpm
yum install strongswan openssl
In order to identify and authenticate each other, both the server and the VPN client need a certificate.
First navigate to the folder /etc/strongswan/ipsec.d. Then download the two helper scripts, server_key.sh and client_key.sh, and make them executable:
chmod a+x server_key.sh
chmod a+x client_key.sh
Note that in the downloaded .sh files you can replace O=VULTR-VPS-CENTOS with your own organization name, e.g. O=YOUR_ORGANIZATION_NAME.
Next, in the server_key.sh file replace SERVER_IP with your server's IP address.
Next, we will generate a client key, P12 file and certificate. In this example we generate a certificate and P12 file for the VPN user vpnuser:
./client_key.sh vpnuser email@example.com
Replace "vpnuser" and the email address with your own.
After we have successfully generated the certificates for both client and server, we have to copy /etc/strongswan/ipsec.d/uttam.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to our local computer.
First of all, open the IPsec config file with your favorite text editor.
Then set the following:
charondebug="cfg 2, dmn 2, ike 2, net 0"
Next, open /etc/strongswan/strongswan.conf in your editor (e.g. vi /etc/strongswan/strongswan.conf).
Then erase everything and replace it with the following charon section:
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    dns1 = 18.104.22.168
    dns2 = 22.214.171.124
    nbns1 = 126.96.36.199
    nbns2 = 188.8.131.52
}
Next, let's edit IPsec's secrets file to add the user and password.
Add the user account "vpnuser" to it:
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
vpnuser %any : EAP "vpnuser's Password"
vpnuser %any : XAUTH "vpnuser's Password"
Please note that the colon needs whitespace on both sides.
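The whitespace rule above is easy to get wrong and strongSwan will silently ignore a malformed line, so here is an added checker (not part of the original tutorial) that lints an ipsec.secrets file before the service is started: it verifies the spacing around the colon, the secret type, and that the tutorial's placeholder values (PSK_KEY, "vpnuser's Password") have been replaced. It assumes the selectors are identities such as vpnuser or %any rather than IPv6 literals, and the 20-character PSK minimum is an assumed policy.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: lint an ipsec.secrets file
# before "systemctl start strongswan". It enforces the rule stated above (whitespace
# on both sides of the colon), checks the secret type, and flags the tutorial's
# placeholder values so they are not shipped as-is.
# Assumption: selectors are identities such as vpnuser or %any, not IPv6 literals.
# check_ipsec_secrets FILE: prints one finding per offending line; returns 1 if any.
check_ipsec_secrets() {
    awk '
    # strongSwan ignores comments and blank lines, so skip them too
    /^[[:space:]]*(#|$)/ { next }
    {
        pos = index($0, ":")
        if (pos == 0) { bad("no colon separating selectors from the secret"); next }
        before = ((pos == 1) ? " " : substr($0, pos - 1, 1))   # start of line counts
        after  = substr($0, pos + 1, 1)
        if (before !~ /[[:space:]]/ || after !~ /[[:space:]]/) {
            bad("colon must have whitespace on both sides"); next
        }
        rest = substr($0, pos + 1)
        sub(/^[[:space:]]+/, "", rest)
        split(rest, tok, /[[:space:]]+/)
        if (tok[1] !~ /^(RSA|ECDSA|PSK|EAP|XAUTH|NTLM)$/) {
            bad("unknown secret type \"" tok[1] "\""); next
        }
        secret = substr(rest, length(tok[1]) + 1)
        sub(/^[[:space:]]+/, "", secret)
        gsub(/^"|"$/, "", secret)            # strip the quotes used in the tutorial
        if (secret == "PSK_KEY" || secret ~ / Password$/) {
            bad("placeholder secret from the tutorial still present"); next
        }
        if (tok[1] == "PSK" && length(secret) < 20) {
            bad("PSK shorter than 20 characters (assumed minimum)")
        }
    }
    function bad(msg) { printf "%s:%d: %s: %s\n", FILENAME, NR, msg, $0; findings++ }
    END { exit (findings ? 1 : 0) }
    ' "$1"
}
# Constructed sample mirroring the tutorial, placeholders and a missing space left in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
vpnuser %any : EAP "vpnuser's Password"
vpnuser %any: XAUTH "vpnuser's Password"
EOF
check_ipsec_secrets "$sample" || echo "fix the findings above before starting strongswan"
rm -f "$sample"
```

Run it against your real file with check_ipsec_secrets /path/to/ipsec.secrets; a zero exit status means no findings.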
To allow IPv4 forwarding
Next, edit /etc/sysctl.conf, where we will enable forwarding:
Now add the following line:
Finally, save the file and apply the change with sysctl -p.
Finally, start the VPN server and enable it at boot:
systemctl start strongswan
systemctl enable strongswan
strongSwan is now running on your server. If you want others to join your private network, have them install strongswanCert.pem and the .p12 certificate file.