strongSwan VPN
strongSwan is an open-source, modular and portable IPsec-based VPN solution that secures IP traffic in policy-based and route-based IPsec scenarios, from simple to very complex ones.
strongSwan server
The server was deployed in Oracle Cloud. Communication with the server was restricted to the Netia cloud address (217.30.138.17) for the purpose of establishing the VPN tunnel.
| NAME | strongSwan-server-1 |
|---|---|
| PUBLIC IP | 89.168.101.203 |
| NETWORK | 10.10.1.0/27 |
| PRIVATE IP | 10.10.1.21 |
| GUEST OS | Ubuntu 24.04.1 LTS (64 bit) |
| CPU | 1 GB |
| RAM | 1 GB |
| STORAGE | 50 GB |
```shell
sudo apt update
sudo apt install strongswan strongswan-pki
```
Contents of the configuration file /etc/ipsec.conf:
```
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=no

conn site-to-site
    authby=secret
    auto=start
    keyexchange=ikev2
    ike=aes256gcm16-sha256-ecp521!
    esp=aes256gcm16-ecp521!
    left=10.10.1.21
    leftid=89.168.101.203
    leftsubnet=10.10.1.0/27
    right=217.30.138.17
    rightsubnet=10.10.2.0/27
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s
    rekey=yes
    reauth=no
    pfs=yes
    ikelifetime=24h
    lifetime=1h
    keyingtries=%forever
```
Contents of the configuration file /etc/ipsec.secrets:
```
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
89.168.101.203 217.30.138.17 : PSK "8Wjxb*28*qYVVWo3tr5#dRCR&w9YvBfco8259&wlrcNmcnhLZWXygDABF!etD7^lfGLnHR^G$7e6xdBrEK^#7%@2!dxPEfGq5V@$GupRCsPH8@jM^5@^988r#tcd27rV"
```
```shell
sudo systemctl restart strongswan-starter.service
```
VMware Edge - IPSec VPN Tunnel
| NAME | strongSwan-Oracle |
|---|---|
| IKE Profiles | |
| Version | IKE v2 |
| Encryption | AES GCM 256 |
| Diffie-Hellman Group | Group 21 |
| Association Life Time (seconds) | 86400 |
| Tunnel Configuration | |
| Perfect Forward Secrecy | Enabled |
| Defragmentation Policy | Copy |
| Encryption | AES GCM 256 |
| Digest | - |
| Diffie-Hellman Group | Group 21 |
| Association Life Time (seconds) | 3600 |
| DPD Configuration | |
| Probe Interval (seconds) | 60 |
| Authentication Mode | Pre-Shared Key |
| Local Endpoint | |
| IP Address | 217.30.138.17 |
| Networks | 10.10.2.0/27 |
| Remote Endpoint | |
| IP Address | 89.168.101.203 |
| Networks | 10.10.1.0/27 |
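The strongSwan `conn` block and the VMware Edge profile describe the same tunnel from opposite ends, so every proposal, lifetime and address must line up (Group 21 is `ecp521`, AES GCM 256 is `aes256gcm16`, 86400 s is `24h`, and strongSwan's `left` is the Edge's remote endpoint). The script below is an added example, not part of this page, strongSwan or VMware: it parses a copy of the `conn site-to-site` block and compares it with the Edge table transcribed into a dictionary, printing every parameter on which the two sides disagree. The algorithm-name and DH-group mappings are the ones strongSwan documents; the dictionary keys are this example's own naming.

```python
"""Cross-check the strongSwan 'conn' block against the peer's IKE/ESP profile.

Added example (not from the page, strongSwan or VMware): compares the
site-to-site block with the VMware Edge profile and lists mismatches.
"""
import re

# Constructed copy of the conn block from the page (setup section omitted).
IPSEC_CONF = """
conn site-to-site
    keyexchange=ikev2
    ike=aes256gcm16-sha256-ecp521!
    esp=aes256gcm16-ecp521!
    left=10.10.1.21
    leftid=89.168.101.203
    leftsubnet=10.10.1.0/27
    right=217.30.138.17
    rightsubnet=10.10.2.0/27
    pfs=yes
    ikelifetime=24h
    lifetime=1h
"""

# Peer profile, transcribed from the VMware Edge table on the page.
PEER_PROFILE = {
    "ike_version": "IKE v2",
    "ike_encryption": "AES GCM 256",
    "ike_dh_group": 21,
    "ike_lifetime_s": 86400,
    "esp_encryption": "AES GCM 256",
    "esp_dh_group": 21,
    "esp_lifetime_s": 3600,
    "pfs": True,
    "local_ip": "217.30.138.17",
    "local_net": "10.10.2.0/27",
    "remote_ip": "89.168.101.203",
    "remote_net": "10.10.1.0/27",
}

# strongSwan algorithm keywords -> the names the peer's UI uses; time suffixes.
ENC_NAMES = {"aes256gcm16": "AES GCM 256", "aes128gcm16": "AES GCM 128"}
DH_GROUPS = {"modp1024": 2, "modp2048": 14, "ecp256": 19, "ecp384": 20, "ecp521": 21}
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conn(text, name):
    """Return the key=value settings of the 'conn <name>' section."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("conn ", "config ", "ca ")):
            inside = line == f"conn {name}"
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def to_seconds(value):
    """Convert a strongSwan time value such as '24h' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad time value: {value}")
    return int(m.group(1)) * TIME_UNITS[m.group(2) or "s"]


def split_proposal(proposal):
    """Return (encryption, dh_group) for e.g. 'aes256gcm16-sha256-ecp521!'."""
    parts = proposal.rstrip("!").split("-")
    enc = ENC_NAMES.get(parts[0], parts[0])
    dh = next((DH_GROUPS[p] for p in parts if p in DH_GROUPS), None)
    return enc, dh


def compare(conn, peer):
    """List mismatches between the local conn and the peer profile (empty = consistent)."""
    ike_enc, ike_dh = split_proposal(conn["ike"])
    esp_enc, esp_dh = split_proposal(conn["esp"])
    local = {
        "ike_version": "IKE v2" if conn.get("keyexchange") == "ikev2" else "IKE v1",
        "ike_encryption": ike_enc,
        "ike_dh_group": ike_dh,
        "ike_lifetime_s": to_seconds(conn["ikelifetime"]),
        "esp_encryption": esp_enc,
        "esp_dh_group": esp_dh,
        "esp_lifetime_s": to_seconds(conn["lifetime"]),
        "pfs": conn.get("pfs", "yes") == "yes",
        # Our 'right' is the peer's local side and our 'left' its remote side.
        "local_ip": conn["right"],
        "local_net": conn["rightsubnet"],
        "remote_ip": conn.get("leftid", conn["left"]),
        "remote_net": conn["leftsubnet"],
    }
    return [f"{k}: local={local[k]!r} peer={peer[k]!r}" for k in peer if local[k] != peer[k]]


if __name__ == "__main__":
    issues = compare(parse_conn(IPSEC_CONF, "site-to-site"), PEER_PROFILE)
    print("\n".join(issues) if issues else "both sides agree")
```

With the values from this page the script reports that both sides agree; changing a single field in `PEER_PROFILE` (for example the ESP DH group) makes it print exactly which parameter would make the IKE_SA_INIT or CHILD_SA negotiation fail.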
Zabbix Monitoring
Zabbix Agent 2 was installed on the machine to monitor the machine itself as well as the established VPN tunnel. The installation package was downloaded from the official Zabbix site.
```shell
sudo wget https://repo.zabbix.com/zabbix/6.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_latest+ubuntu24.04_all.deb
sudo dpkg -i zabbix-release_latest+ubuntu24.04_all.deb
sudo apt update
sudo apt install zabbix-agent2 zabbix-agent2-plugin-*
```
The agent was configured with the private address of the ICT-TOOLS server and the port on which it should listen:
```
# Server Passive
Server=10.10.2.2
ListenPort=10050
ListenIP=10.10.1.21
# Server Active
ServerActive=10.10.2.2
# Hostname
Hostname=strongSwan
```
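The page states that the agent also monitors the tunnel but does not show how the tunnel state is turned into a metric. The script below is an added example, not part of this page or of the Zabbix or strongSwan projects: it parses text shaped like the output of `ipsec statusall` and returns 1 only when the IKE SA for `site-to-site` is ESTABLISHED and an INSTALLED CHILD SA carries the 10.10.1.0/27 === 10.10.2.0/27 selector. Feeding that value to the agent (for instance through a UserParameter that runs the script) is assumed and not shown on the page; the sample status text is constructed for this example.

```python
"""Summarise strongSwan tunnel state for a monitoring check.

Added example, not part of the page or of the Zabbix/strongSwan projects.
Parses `ipsec statusall`-shaped text into per-connection IKE/CHILD SA state
and reduces it to a single 0/1 value suitable for an agent item.
"""
import re

# Constructed sample, shaped like `ipsec statusall` for the tunnel on the page.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.9.13, Linux 6.8.0, x86_64):
  uptime: 3 hours, since Jan 10 08:15:02 2025
Connections:
site-to-site:  10.10.1.21...217.30.138.17  IKEv2, dpddelay=30s
site-to-site:   local:  [89.168.101.203] uses pre-shared key authentication
site-to-site:   remote: [217.30.138.17] uses pre-shared key authentication
site-to-site:   child:  10.10.1.0/27 === 10.10.2.0/27 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
site-to-site[4]: ESTABLISHED 52 minutes ago, 10.10.1.21[89.168.101.203]...217.30.138.17[217.30.138.17]
site-to-site[4]: IKEv2 SPIs: 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r, pre-shared key reauthentication in 23 hours
site-to-site[4]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
site-to-site{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80001_i c0a80002_o
site-to-site{7}:  AES_GCM_16_256, 12345 bytes_i (98 pkts, 3s ago), 23456 bytes_o (102 pkts, 3s ago), rekeying in 41 minutes
site-to-site{7}:   10.10.1.0/27 === 10.10.2.0/27
"""

# IKE SA lines look like "name[n]: STATE ...", CHILD SA lines like "name{n}:  STATE, ...".
IKE_STATES = "CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|REKEYED|DELETING|DESTROYING"
CHILD_STATES = "CREATED|ROUTED|INSTALLING|INSTALLED|UPDATING|REKEYING|REKEYED|RETRYING|DELETING|DELETED"
IKE_SA = re.compile(rf"^(?P<conn>[\w.-]+)\[\d+\]: (?P<state>{IKE_STATES})\b")
CHILD_SA = re.compile(rf"^(?P<conn>[\w.-]+)\{{\d+\}}:\s+(?P<state>{CHILD_STATES})\b")
SELECTOR = re.compile(r"^(?P<conn>[\w.-]+)\{\d+\}:\s+(?P<local>\S+) === (?P<remote>\S+)$")


def _entry(result, conn):
    return result.setdefault(conn, {"ike": None, "children": 0, "selectors": []})


def parse_status(text):
    """Return {conn: {"ike": state, "children": installed CHILD SA count, "selectors": [...]}}."""
    result, in_sas = {}, False
    for line in text.splitlines():
        if line.startswith("Security Associations"):
            in_sas = True  # everything above describes configuration, not live state
        elif not in_sas:
            continue
        elif m := IKE_SA.match(line):
            entry = _entry(result, m["conn"])
            if entry["ike"] != "ESTABLISHED":  # any ESTABLISHED IKE SA counts as up
                entry["ike"] = m["state"]
        elif m := CHILD_SA.match(line):
            if m["state"] == "INSTALLED":
                _entry(result, m["conn"])["children"] += 1
        elif m := SELECTOR.match(line):
            _entry(result, m["conn"])["selectors"].append(f"{m['local']} === {m['remote']}")
    return result


def tunnel_up(status, conn, expected_selector):
    """1 when the IKE SA is ESTABLISHED and an installed CHILD SA carries the expected subnets, else 0."""
    entry = status.get(conn)
    if not entry or entry["ike"] != "ESTABLISHED" or entry["children"] == 0:
        return 0
    return 1 if expected_selector in entry["selectors"] else 0


if __name__ == "__main__":
    # An agent item expects a single value on stdout.
    print(tunnel_up(parse_status(SAMPLE_STATUS), "site-to-site", "10.10.1.0/27 === 10.10.2.0/27"))
```

Checking the traffic selector as well as the SA states matters with `auto=start` and `dpdaction=restart`: a tunnel that re-established with different subnets would otherwise look healthy while carrying no traffic.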
Firewall
Firewall (Oracle Cloud)
| NAME | STATE | PORT/PROTOCOL | SOURCE | DESTINATION | ACTION |
|---|---|---|---|---|---|
| 217.30.138.17_IN | Enabled | All | 217.30.138.17 | 89.168.101.203 | Allow |
| SSH_IN | Enabled | 22 | Any | 89.168.101.203 | Allow |
| ICMP_IN | Enabled | ICMPv4 | Any | 89.168.101.203 | Allow |
| 89.168.101.203_OUT | Enabled | All | 89.168.101.203 | Any | Allow |
| default_rule | Enabled | - | Any | Any | Drop |
Firewall (strongSwan-server-1)
```
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp 10050 0.0.0.0/0 any 172.16.239.0/24 in
-A ufw-user-input -p tcp --dport 10050 -s 172.16.239.0/24 -j ACCEPT
### tuple ### allow any any 10.10.2.0/27 any 10.10.1.0/27 in
-A ufw-user-input -d 10.10.2.0/27 -s 10.10.1.0/27 -j ACCEPT
### tuple ### allow any any 10.10.1.0/27 any 10.10.2.0/27 in
-A ufw-user-input -d 10.10.1.0/27 -s 10.10.2.0/27 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 217.30.138.17 in
-A ufw-user-input -s 217.30.138.17 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 10.10.0.2 in
-A ufw-user-input -s 10.10.0.2 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 10.10.2.2 in
-A ufw-user-input -s 10.10.2.2 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 172.20.0.0/16 in
-A ufw-user-input -s 172.20.0.0/16 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 172.19.0.0/16 in
-A ufw-user-input -s 172.19.0.0/16 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 172.17.0.0/16 in
-A ufw-user-input -s 172.17.0.0/16 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 172.16.239.0/24 in
-A ufw-user-input -s 172.16.239.0/24 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 172.18.0.0/16 in
-A ufw-user-input -s 172.18.0.0/16 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 172.16.238.0/24 in
-A ufw-user-input -s 172.16.238.0/24 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 10.10.2.0/27 in
-A ufw-user-input -s 10.10.2.0/27 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 217.30.138.17 in
-A ufw-user-input -p tcp --dport 22 -s 217.30.138.17 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 217.30.138.17 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.130 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.130 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.130 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.131 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.131 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.131 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.132 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.132 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.132 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.133 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.133 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.133 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.134 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.134 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.134 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.135 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.135 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.135 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.136 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.136 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.136 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.137 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.137 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.137 -j ACCEPT
### END RULES ###
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
```
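The two firewall layers complement each other: the Oracle Cloud security list admits SSH from any source, while the host's ufw rules only accept port 22 from the listed addresses, and IKE (udp/500, udp/4500) from the peer is covered by the blanket `-s 217.30.138.17 -j ACCEPT` rule rather than by an explicit port rule. Reading that off a long user.rules file is error-prone, so the following is an added example (not from this page, ufw or iptables) that parses the `-A ufw-user-input` lines of an excerpt of the file above and evaluates, with first-match semantics, which rule accepts a given packet; `DEFAULT` means no user rule matched and the packet falls through to the ufw default policy, which this page does not show. The rule excerpt and the probe packets are constructed for the example.

```python
"""Evaluate which traffic the ufw user rules accept.

Added example (not from the page, ufw or iptables): parses `-A ufw-user-input`
lines from a ufw user.rules file and answers, for a packet description, which
rule matches first, or reports DEFAULT when none does.
"""
import ipaddress
import shlex

# Constructed excerpt of the user.rules file shown on the page.
USER_RULES = """
*filter
:ufw-user-input - [0:0]
### RULES ###
### tuple ### allow tcp 10050 0.0.0.0/0 any 172.16.239.0/24 in
-A ufw-user-input -p tcp --dport 10050 -s 172.16.239.0/24 -j ACCEPT
-A ufw-user-input -s 217.30.138.17 -j ACCEPT
-A ufw-user-input -s 10.10.2.2 -j ACCEPT
-A ufw-user-input -s 10.10.2.0/27 -j ACCEPT
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.130 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.130 -j ACCEPT
### END RULES ###
COMMIT
"""


def parse_rules(text, chain="ufw-user-input"):
    """Return the rules appended to `chain` as dicts: proto, dport, src, dst, target, line."""
    rules = []
    opts = {"-p": "proto", "--dport": "dport", "-s": "src", "-d": "dst", "-j": "target"}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[:2] != ["-A", chain]:
            continue  # chain declarations, comments and other chains are skipped
        rule = {"proto": None, "dport": None, "src": None, "dst": None, "target": None, "line": line}
        for flag, value in zip(tokens[2::2], tokens[3::2]):  # every option here takes one value
            if flag in opts:
                rule[opts[flag]] = value
        if rule["src"]:
            rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
        if rule["dst"]:
            rule["dst"] = ipaddress.ip_network(rule["dst"], strict=False)
        if rule["dport"]:
            rule["dport"] = int(rule["dport"])
        rules.append(rule)
    return rules


def first_match(rules, src, dst, proto, dport=None):
    """Return the first rule matching the packet (iptables first-match semantics), or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["proto"] and rule["proto"] != proto:
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if rule["src"] and src_ip not in rule["src"]:
            continue
        if rule["dst"] and dst_ip not in rule["dst"]:
            continue
        return rule
    return None


def verdict(rules, src, dst, proto, dport=None):
    """Target of the matching rule (e.g. ACCEPT), or DEFAULT when no user rule matches."""
    rule = first_match(rules, src, dst, proto, dport)
    return rule["target"] if rule else "DEFAULT"


if __name__ == "__main__":
    rules = parse_rules(USER_RULES)
    host = "10.10.1.21"
    checks = [  # constructed probe packets arriving at the strongSwan host
        ("IKE from the VMware Edge peer", "217.30.138.17", host, "udp", 500),
        ("NAT-T from the peer", "217.30.138.17", host, "udp", 4500),
        ("Zabbix passive check from 10.10.2.2", "10.10.2.2", host, "tcp", 10050),
        ("SSH from an unlisted address", "198.51.100.7", host, "tcp", 22),
    ]
    for label, *pkt in checks:
        print(f"{label}: {verdict(rules, *pkt)}")
```

Running it against the full file is a quick way to confirm that the Zabbix server (10.10.2.2) reaches port 10050, that IKE and NAT-T from the peer are accepted, and that SSH from anywhere outside the listed addresses relies on the default policy rather than on an accidental broad rule.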