strongSwan 5 based IPSec VPN, Ubuntu 14.04 LTS and PSK/XAUTH

I prefer strongSwan over Openswan because it’s still in active development, easier to set up and doesn’t require an L2TP daemon. I prefer a simple IKEv1 setup using PSK and XAUTH over certificates. If you plan to share your VPN server with your friends it’s also a lot easier to set up for them without certificates. I haven’t tried the VPN configuration below with non-Apple clients but it works well with iOS and OS X clients. Make sure to use the Cisco IPSec VPN profile, not the L2TP over IPSec profile you need for Openswan. While strongSwan works well in KVM and Xen guests, it probably won’t work in non-virtualised containers like OpenVZ or LXC.

strongSwan 5 has been modularised in Ubuntu 14.04 so we need to install the required plugins using apt-get as well:

apt-get install strongswan strongswan-plugin-xauth-generic

/etc/ipsec.secrets (replace 123.123.123.123 with the server’s public IP address)

123.123.123.123 %any : PSK "replace but leave the quotes"

jan : XAUTH "janspassword"
someone : XAUTH "anotherpassword"

/etc/ipsec.conf

config setup
	cachecrls=yes
	uniqueids=yes

conn ios
	keyexchange=ikev1
	authby=xauthpsk
	xauth=server
	left=%defaultroute
	leftsubnet=0.0.0.0/0
	leftfirewall=yes
	right=%any
	rightsubnet=10.7.0.0/24
	rightsourceip=10.7.0.2/24
	rightdns=4.2.2.1
	auto=add
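Both files are easy to get subtly wrong, as the comments below show (indented lines in ipsec.conf, a truncated ipsec.secrets). Here is an added lint script, not part of the original post, that checks both; the sample files it writes use placeholder values (192.0.2.1, example passwords).

```shell
#!/bin/sh
# Added example, not from the original post: lint ipsec.conf and
# ipsec.secrets for the two mistakes the comments below run into.

# Return 0 if every config/conn/ca header starts in column 0 and every other
# non-empty, non-comment line is indented. strongSwan's starter rejects an
# indented header with "syntax error, unexpected FIRST_SPACES".
check_ipsec_conf() {
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$stripped" in
            ''|'#'*) continue ;;
            "config "*|"conn "*|"ca "*|"include "*)
                [ "$stripped" = "$line" ] \
                    || { echo "$1:$n: indented section header: $line"; rc=1; } ;;
            *)
                [ "$stripped" != "$line" ] \
                    || { echo "$1:$n: parameter not indented: $line"; rc=1; } ;;
        esac
    done < "$1"
    return $rc
}

# Return 0 if the secrets file has at least one PSK line and at least one
# XAUTH line; without XAUTH users every client gets "authentication failed".
check_ipsec_secrets() {
    psk=$(grep -c -E ':[[:space:]]*PSK[[:space:]]+"' "$1" || true)
    xauth=$(grep -c -E ':[[:space:]]*XAUTH[[:space:]]+"' "$1" || true)
    rc=0
    [ "$psk" -ge 1 ] || { echo "$1: no PSK entry"; rc=1; }
    [ "$xauth" -ge 1 ] || { echo "$1: no XAUTH user entry"; rc=1; }
    return $rc
}

# Constructed sample files (placeholder values, not real config) in directory $1.
write_samples() {
    printf 'config setup\n\tuniqueids=yes\n\nconn ios\n\tkeyexchange=ikev1\n\tauthby=xauthpsk\n' > "$1/good.conf"
    printf 'config setup\n\tuniqueids=yes\n\n  conn ios\n\tkeyexchange=ikev1\n' > "$1/bad.conf"
    printf '192.0.2.1 %%any : PSK "example-psk"\njan : XAUTH "example-pw"\n' > "$1/good.secrets"
    printf '192.0.2.1 %%any : PSK "example-psk"\n' > "$1/bad.secrets"
}
# Stand-alone demo on the samples.
d=$(mktemp -d); write_samples "$d"
check_ipsec_conf "$d/good.conf" && check_ipsec_secrets "$d/good.secrets" && echo "good samples pass"
check_ipsec_conf "$d/bad.conf" || echo "bad.conf rejected as expected"
check_ipsec_secrets "$d/bad.secrets" || echo "bad.secrets rejected as expected"
rm -rf "$d"
```

Run it against the real files with `check_ipsec_conf /etc/ipsec.conf; check_ipsec_secrets /etc/ipsec.secrets` before restarting strongSwan.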

That’s already all we need for strongSwan. Restart it using

service strongswan restart

Make sure to allow IPv4 packet forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward=1

And reload the changes using:

sysctl -p

We also need a NAT rule:

# VPN NAT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE

I’m NATing the entire 10.0.0.0/8 for VPN usage and assign a different /24 to each VPN daemon. This way I just need one NAT rule for everything.

Here’s a sample inbound-only firewall script which also covers OpenVPN and Iodine ports:

#!/bin/sh

# Flush old rules, old custom tables
/sbin/iptables --flush
/sbin/iptables --flush -t nat
/sbin/iptables --delete-chain

# Set default policies for all three default chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Allow VPN forwarding
/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
/sbin/iptables -A FORWARD -o tun+ -j ACCEPT
/sbin/iptables -A FORWARD -i dns+ -j ACCEPT
/sbin/iptables -A FORWARD -o dns+ -j ACCEPT

# Accept limited inbound ICMP messages
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --set
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 5 --hitcount 10 -j DROP
/sbin/iptables -A INPUT -p icmp -j ACCEPT

# All TCP sessions should begin with SYN
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0/0 -j DROP

# Accept packets that belong to established or related connections, then new TCP sessions on selected ports
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Accept inbound UDP packets
/sbin/iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT

# Accept IPsec packets: ESP (protocol 50; -p esp and -p 50 are equivalent), AH (51), IKE (UDP 500) and NAT-T (UDP 4500)
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -p 50 -j ACCEPT
/sbin/iptables -A INPUT -p 51 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# VPN NAT
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
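Most of the "connected but no traffic" reports in the comments come down to forwarding, the firewall or the NAT rule. The following added check script (mine, not the post's) reads an iptables-save dump plus the ip_forward value and verifies that ESP, UDP 500 and UDP 4500 are accepted and that a MASQUERADE rule actually covers the client subnet; the dump it uses is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: check an iptables-save dump plus
# the ip_forward value for forwarding enabled, ESP/IKE/NAT-T accepted, and a
# MASQUERADE rule whose source range covers the VPN client subnet.

# Print dotted-quad $1 as an integer.
ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }

# Return 0 if CIDR $2 (e.g. 10.7.0.0/24) lies inside CIDR $1 (e.g. 10.0.0.0/8).
cidr_contains() {
    obits=${1#*/}; ibits=${2#*/}
    [ "$ibits" -ge "$obits" ] || return 1
    mask=$(( (4294967295 << (32 - obits)) & 4294967295 ))
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
# $1: file with iptables-save output, $2: VPN client subnet, $3: ip_forward value.
check_vpn_rules() {
    dump="$1"; subnet="$2"; rc=0
    [ "$3" = "1" ] || { echo "net.ipv4.ip_forward is not 1"; rc=1; }
    grep -q -E '^-A INPUT .*-p (esp|50) .*-j ACCEPT' "$dump" \
        || { echo "INPUT does not accept ESP"; rc=1; }
    for port in 500 4500; do
        grep -q -E "^-A INPUT .*-p udp .*--dport $port .*-j ACCEPT" "$dump" \
            || { echo "INPUT does not accept UDP $port"; rc=1; }
    done
    found=0   # any MASQUERADE rule whose -s range contains the client subnet
    for src in $(sed -n 's/^-A POSTROUTING .*-s \([0-9./]*\) .*-j MASQUERADE.*/\1/p' "$dump"); do
        cidr_contains "$src" "$subnet" && found=1
    done
    [ "$found" -eq 1 ] || { echo "no MASQUERADE rule covers $subnet"; rc=1; }
    return $rc
}
# Constructed iptables-save output (not a real dump) written to file $1.
write_sample_dump() {
    cat > "$1" <<'EOF'
*nat
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
*filter
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
EOF
}
# Stand-alone demo: 10.7.0.0/24 is covered by the sample, 192.168.20.0/24 is not.
f=$(mktemp); write_sample_dump "$f"
check_vpn_rules "$f" 10.7.0.0/24 1 && echo "10.7.0.0/24: OK"
check_vpn_rules "$f" 192.168.20.0/24 1 || echo "192.168.20.0/24: fix needed"
rm -f "$f"
```

On a live server feed it the real state with `iptables-save > /tmp/rules; check_vpn_rules /tmp/rules 10.7.0.0/24 "$(sysctl -n net.ipv4.ip_forward)"`.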

18 thoughts on “strongSwan 5 based IPSec VPN, Ubuntu 14.04 LTS and PSK/XAUTH”

  1. Mohammed Rashid

    Hey Jan,

    I have read your post. It’s very nice.
    I have some issues, could you please help me out.
    I would like to set up IPsec Xauth PSK, IPsec Xauth RSA, IPsec hybrid RSA and L2TP/IPsec PSK, L2TP/IPsec RSA and PPTP on an Ubuntu server for a bunch of mobile users (Android).
    I’m a bit confused, can you please guide me..
    I would really appreciate if you could do so.

    Thanks
    Mohammed
    Thanks

  2. Hey Jan,
    Do you have any guides to use this setup with an Ubuntu client? I’m able to connect to a server installed by this guide on OS X, iOS and many other systems but not on Linux. I also tried many guides but there’s always something wrong.

    Thanks for the help! :b
    Jan / b0xCH

  3. Jan thank you so much for your helpful tips. I was able to establish a connection using my iPad. I’m unable to browse the internet though, I’m almost certain it’s a routing issue. My server is behind the subnet 192.168.1.0/24, with a static local IP of 192.168.1.6. I assign 192.168.20.0/24 to the VPN clients. The VPN clients are getting the new IPs no problem, but can’t browse the internet. What might I be doing wrong? Thanks so much!

      • And allowing anything by default in iptables may help as well to debug the problem:
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT

        And don’t forget to NAT the subnet you’re using for the VPN.

      • Jan, great news! I ended up fixing it. The problem was that I hard-coded my leftsubnet as 192.168.1.0/24

        Once I changed it to leftsubnet=0.0.0.0/0 everything was fine. Why is that??

        Jan you’re a life saver! I appreciate your quick response!

  4. I followed your easy-to-follow instructions all the way. Both my Android and iOS can connect to the server, however there is no data going through... any directions you wanna point me to? Very much appreciated mate.

    • Mike, four things come to mind:
      a) It’s just a DNS problem, ping 8.8.8.8 may be working
      b) MASQUERADE rule issue
      c) Packet forwarding is not enabled
      d) Try iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT as well just to make sure it’s not a firewall issue.

      But other than that, I don’t know.

      Cheers,
      Jan

  5. Hi,

    I have followed the guide. My Android phone connects no problem, however once it’s connected I still can’t ping anything.
    Can’t ping either of the interfaces eth0 (external) or eth1 (internal) and can’t ping the phone either. It gets an IP and I can see the rule appear in /var/log/syslog. Any chance you could help?
    I have setup exactly as above…

    Help!!

    Thanks
    Rob

  6. Hi!

    I used your ipsec.conf and when I try to start Strongswan it gave me this error:
    start: Job failed to start

    I then typed ipsec start and I get the following error:
    Starting strongSwan 5.1.2 IPsec [starter]…
    /etc/ipsec.conf:6: syntax error, unexpected FIRST_SPACES [ ]
    unable to start strongSwan — fatal errors in config

    • I had the same problem. Deleting all file contents and just pasting the new configuration into the file solved the problem for me.

    • Hello,
      The reason why you have the problem is that the configuration file ipsec.conf doesn’t accept extra ‘ ‘ before a note line.
      So you just need to delete the additional ‘ ‘ in lines 21 and 22.

  7. Thanks!! added the user details to ipsec.secrets, restarted the strongswan service and I was able to authenticate.

    I’m glad it was something trivial!

    Thanks for the help.

    • Guys, I don’t get how the ipsec.secrets file should look. Can you post a working example?
      BTW I have the same error as Nate had.
      Regards

  8. Nate, I accidentally truncated a line in ipsec.secrets. Yes, you’re right, the XAUTH entry was missing. Thanks for the heads up!

    Cheers,
    Jan

  9. Hi,

    I have followed your guide on setting this up on Ubuntu 14.04 and I’m having an issue with authentication.

    When trying to connect the VPN from my iPhone I get the following error “VPN Connection – User authentication failed.” almost immediately.

    Specifying the wrong secret on the iPhone client yields a longer time-out before a different error, so seems that this has been set correctly.

    auth.log is showing “localhost charon: 01[IKE] 220.233.42.xxx is initiating a Main Mode IKE_SA” when trying to connect. There are no other errors showing in this log file when the connection fails to authenticate.

    Is this just a case that I have not specified the xauth user somewhere? I have tried this with two accounts setup on the ubuntu server (including root).

    Any pointers you can provide would be appreciated.

Comments are closed.