iCynik
Posts: 17
Joined: Wed Dec 03, 2014 7:50 pm

Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Tue Feb 24, 2015 11:53 pm

In this tutorial I'll be presenting to you step-by-step instructions on how to set up Strongswan 5.2.1 on your Raspberry Pi, using PSK/XAUTH (no certificate). At this point, I'm able to connect both iOS and Android devices successfully; however, I am having issues with the connection for Android, where I can establish a VPN connection, do a Google search, but cannot load a specific web-page (if anyone in the audience has any suggestions, please type it out below). The methods that I've taken to set up Strongswan require modifying the sources.list file to include the jessie distro. This is tricky because jessie is in 'Testing' phase, so there's a chance that you might come across unstable packages when you do apt-get update later on. I'd advise you to back up your Raspberry Pi before you proceed so that you can return to your backup in case things go awry.

To start, do the following:

1. Edit /etc/apt/sources.list and add the following below

Code:

deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi

Save and exit (CTRL-X, Y, Enter)

2. Then apt-get update. At this point, it may ask you to restart a variety of services that are already installed on your Pi. In that case, select the option to restart services without prompting you, because it's going to restart a lot of services.

3. When it's done, install strongswan 5.2.1 with the following:

Code:

apt-get install -t jessie strongswan

and an additional package called libcharon-extra-plugins

Code:

apt-get install -t jessie libcharon-extra-plugins

5. Edit /etc/ipsec.conf and add the following:

Code:

config setup
    cachecrls=yes
    uniqueids=yes

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2/24
    rightdns=4.2.2.1
    auto=add

*NOTE on uniqueids, which pertains to ipsec.secrets - you can leave it as 'yes' if you want multiple devices to be able to connect simultaneously with different usernames, otherwise one device that is already connected will disconnect so that the other device can connect, or change it to 'no' or 'never' if you want all devices to be able to connect simultaneously with one username.

Save and exit

6. Edit /etc/ipsec.secrets and add the following at the end of the file

Code:

YOUR MACHINES IP ADDRESS %any : PSK "YOUR PRE-SHARED KEY HERE"

user1  : XAUTH "YOUR PASSWORD HERE"
user2  : XAUTH "YOUR PASSWORD HERE"
user3  : XAUTH "YOUR PASSWORD HERE"
user4  : XAUTH "YOUR PASSWORD HERE"
user5  : XAUTH "YOUR PASSWORD HERE"

Save and exit

7. Edit /etc/sysctl.conf and find this line

Code:

# Uncomment the next line to enable packet forwarding for IPv4

and remove the hashtag in front of

Code:

net.ipv4.ip_forward=1

to enable packet forwarding.

Save and exit

8. Type sysctl -p

9. Edit /etc/rc.local and add the following to the bottom, before exit 0

Code:

# VPN NAT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE

Save and exit

9. Type the following:
update-rc.d -f ipsec remove
Hit Enter, then type
update-rc.d -f ipsec start 41 2 3 4 5 . stop 91 1 . start 34 0 6 .
Hit Enter.

10. Afterwards, return to /etc/apt/sources.list and comment out/remove the following below

Code:

deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi

Save and exit (CTRL-X, Y, Enter). Then reboot your Raspberry Pi.

From here, your machine should reboot with strongswan up and running.

If there's someone out there who can help solve the issue with Android connections, the help would be much appreciated.
Last edited by iCynik on Wed Apr 22, 2015 4:50 pm, edited 2 times in total.
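
Step 6 of the tutorial leaves five XAUTH users with placeholder passwords in a file that stores every secret in plaintext, and an entry that is never changed remains a valid login. The script below is an added example, not part of the original post or of strongSwan: it audits a file in the tutorial's layout for unchanged placeholders, a short PSK, reused XAUTH passwords and loose file permissions. The function names, the sample file and the 20-character threshold are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread: audit an ipsec.secrets file.
# Assumed line layout (as in the tutorial):  <selectors> : PSK|XAUTH "secret"
MIN_PSK_LEN=20   # assumed threshold for this example, not a strongSwan setting

# Prints one finding per line; the return status is the number of findings.
audit_secrets() {
    file=$1
    findings=$(
        # The file holds plaintext secrets, so only its owner should read it.
        if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
            echo "PERMS $file is readable by group or others"
        fi
        awk -v min="$MIN_PSK_LEN" '
            /^[ \t]*(#|$)/ { next }            # comments and blank lines
            split($0, q, "\"") < 3 { next }    # no quoted secret on this line
            {
                secret = q[2]
                n = split(q[1], h, ":")        # last field is the secret type
                type = h[n]; gsub(/[ \t]/, "", type)
                id = h[1];   gsub(/^[ \t]+|[ \t]+$/, "", id)
                if (toupper(secret) ~ /YOUR .*HERE/)
                    print "PLACEHOLDER " type " secret for [" id "] was never changed"
                else if (type == "PSK" && length(secret) < min)
                    print "SHORT-PSK [" id "] key is " length(secret) " characters"
                else if (type == "XAUTH" && seen[secret]++)
                    print "REUSED [" id "] shares its XAUTH password with another user"
            }
        ' "$file"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return "$(printf '%s\n' "$findings" | grep -c .)"
}

# Constructed sample, modelled on the secrets file a later reply posts.
write_sample() {
    cat > "$1" <<'EOF'
192.168.0.101 %any : PSK "mypskPassword123"
myUserName : XAUTH "myPassword123"
user2 : XAUTH "YOUR PASSWORD HERE"
user3 : XAUTH "myPassword123"
EOF
    chmod 644 "$1"
}

tmp=$(mktemp) && write_sample "$tmp"
audit_secrets "$tmp" || echo "$? finding(s)"
rm -f "$tmp"
```

On the Pi itself the function would be pointed at /etc/ipsec.secrets and run as root, since a correctly protected file is not readable by other users.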

j0nnylester
Posts: 6
Joined: Thu Dec 11, 2014 10:47 am
Location: West Midlands, UK

Re: Strongswan IPSec only VPN Tutorial

Fri Feb 27, 2015 12:10 pm

I've been struggling to get Strongswan to work with certificates on my iPhone for weeks now. I'd all but given up. Thanks to this I've got it working with PSK so this is hopefully a valuable 1st step, I'll try with certs another time. Sorry I can't help with your android issue but thank you; I found this very useful.

iCynik
Posts: 17
Joined: Wed Dec 03, 2014 7:50 pm

Re: Strongswan IPSec only VPN Tutorial

Fri Feb 27, 2015 9:39 pm

I'm glad to know that I'm able to help others with getting Strongswan set up, after going about on the web to find a lot of people are having a hard time setting up Strongswan. I was struggling for weeks myself setting up pre-shared keys, until I came across a forum post here that mentioned installing Strongswan from Jessie.

If it makes you feel better, I've also been spending some time successfully setting up certificates that work with iOS. I'll need some time to put up a tutorial for certificate creation as well. You should expect an update to this page in a few days. Although the certificates work, I'm having difficulty setting up VPN On Demand for iOS, as it involves using something called Apple Configurator for Mac OS, which I don't have access to.

j0nnylester
Posts: 6
Joined: Thu Dec 11, 2014 10:47 am
Location: West Midlands, UK

Re: Strongswan IPSec only VPN Tutorial

Sat Feb 28, 2015 7:27 am

Do you have access to a Mac at all? If so Apple Configurator is available from the Mac App Store:
https://itunes.apple.com/gb/app/apple-c ... 3123?mt=12

I've used it before at work which is where I found out about On-Demand VPNs with certificates.
I also found this from my own googling and I know I'll need it for my intended use:
http://www.derman.com/blogs/iOS-IPSec-V ... mand-Setup

Again, thank you for your previous post/guide.

iCynik
Posts: 17
Joined: Wed Dec 03, 2014 7:50 pm

Re: Strongswan IPSec only VPN Tutorial

Sun Mar 01, 2015 4:13 am

No, unfortunately I do not have a Mac. My household is mostly Windows.

pavinjoseph
Posts: 13
Joined: Mon Mar 02, 2015 8:43 am

Re: Strongswan IPSec only VPN Tutorial

Mon Mar 02, 2015 9:16 am

Hi. Thanks a lot for this tutorial. I'm getting Error: 789 "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer" when attempting to connect from my Windows 8.1 64 bit PC. I am behind a router and have forwarded ports 50, 500 and 4500 to the Raspberry Pi's IP 192.168.0.101

My /etc/ipsec.secrets file looks like this:

192.168.0.101 : PSK "mypskPassword123"

myUserName : XAUTH "myPassword123"
user2 : XAUTH "YOUR PASSWORD HERE"
user3 : XAUTH "YOUR PASSWORD HERE"
user4 : XAUTH "YOUR PASSWORD HERE"
user5 : XAUTH "YOUR PASSWORD HERE"

What might I be doing wrong?

iCynik
Posts: 17
Joined: Wed Dec 03, 2014 7:50 pm

Re: Strongswan IPSec only VPN Tutorial

Wed Mar 04, 2015 9:50 pm

If you are trying to set up IPsec through my tutorial, then L2TP isn't needed since we're trying to establish only IPsec. Try removing L2TP from your setup.

bhayduko
Posts: 1
Joined: Sun Feb 07, 2016 10:04 am

Re: Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Sun Feb 07, 2016 10:09 am

Hello,

Thank you for the perfect tutorial!
I was able to configure it very quickly. So I'm currently able to connect my mobile devices iOS and Android, but I'm having troubles with my PC running Windows 10 64 bits. Is there something specific in order to connect Windows 10 to the VPN server?

Best regards,

iCynik
Posts: 17
Joined: Wed Dec 03, 2014 7:50 pm

Re: Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Tue Mar 01, 2016 1:00 am

Hi. Sorry for responding so late, but to be honest, I'm clueless about the setup for Windows. I'll try it out myself and get back to you on my findings.

eymas
Posts: 12
Joined: Wed Apr 17, 2013 2:56 pm

Re: Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Tue Mar 01, 2016 10:11 am

I've set this up myself a while back and also discovered why this wouldn't work so easily with Windows clients.
The first part is that the built-in VPN client in Windows doesn't support IPSec/PSK alone, and that it will look for an L2TP connection regardless.
This could be helped by using a third-party client that does support the protocol, but so far my efforts were fruitless there for an unknown reason.

d.i.saunders
Posts: 2
Joined: Fri May 06, 2016 4:33 pm

Re: Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Fri May 06, 2016 9:46 pm

OK, need a bit of help with this.. It's starting to send me crazy! :roll:
Connecting from an iPhone on 4G, I get the message "Negotiation with the VPN server failed"

My setup is as follows:
Router: 192.168.1.254
Pi: 192.168.1.248

/etc/ipsec.conf

Code:

config setup
    cachecrls=yes
    uniqueids=yes

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftfirewall=yes
    right=myip.dyndns.com
    rightsubnet=vhost:%no,%priv
    rightsourceip=192.168.1.0/24
    rightdns=4.2.2.1
    auto=add

/etc/ipsec.secrets

Code:

myip.dyndns.com %any : PSK "mypassword1234"

user1  : XAUTH "mystrongpassword"

/etc/rc.local

Code:

# VPN NAT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

When running the command:

update-rc.d -f ipsec start 41 2 3 4 5 . stop 91 1 . start 34 0 6 .

I get: "update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults"

Also, what ports do I need to forward? For now it's in the router's DMZ.

Hope someone can help me sort my lefts and rights :D

d.i.saunders
Posts: 2
Joined: Fri May 06, 2016 4:33 pm

Re: Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Tue May 10, 2016 10:31 pm

OK, now have this working for iOS devices, but I can't get Windows to connect..

Anyone out there?

theextremenerd
Posts: 1
Joined: Tue Dec 13, 2016 10:38 pm

Re: Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Tue Dec 13, 2016 10:40 pm

This might be a bit of a stupid question but how do I connect this to my iOS 10 device in the VPN tab?

iCynik
Posts: 17
Joined: Wed Dec 03, 2014 7:50 pm

Re: Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Tue Dec 13, 2016 11:44 pm

In the VPN tab, select Add VPN Configuration > IPSec > Enter credentials

solly
Posts: 2
Joined: Wed Jan 04, 2017 7:21 pm

Re: Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Wed Jan 04, 2017 7:24 pm

Can you please clarify the IPs you are using for the left and the right? Which one is the Raspberry Pi IP and which one is the gateway?

solly
Posts: 2
Joined: Wed Jan 04, 2017 7:21 pm

Re: Strongswan IPSec only VPN Tutorial (XAuth/PSK)

Wed Jan 04, 2017 8:01 pm

Can you clarify which is the gateway IP and which is the Raspberry Pi IP? I am trying to follow your tutorial but I am having a hard time setting up my ipsec.conf file.
