Site to Site IPSec VPN with strongSwan and OpenStack VPNaaS (IPsec)

Setup

# install
sudo apt-get install -y strongswan
 
# Left (Peer client, behind NAT)
Ubuntu Client IP: 212.8.9.10
Ubuntu net: 192.168.178.0/24
 
OpenStack VPN IP: 217.50.60.70
OpenStack Net: 10.0.1.0/24

Create OpenStack VPN endpoint
http://www.panticz.de/openstack/vpnaas

/etc/ipsec.conf

# Peer, e.g. FritzBox
VPN_LEFT_IP=$(curl -s ipinfo.io/ip)
VPN_LEFT_NET=$(ip -o -4 a | grep -v ": lo" | cut -d " " -f7)   # e.g 10.0.100.0/24 
 
# Right (OpenStack VPNaaS)
# OpenStack VPN Service IP:
# VPN_SERVICE_ID=$(openstack vpn service list -c ID -f value)
# openstack vpn service show ${VPN_SERVICE_ID} -c external_v4_ip -f value
VPN_RIGHT_IP=1.2.3.4
 
# OpenStack subnet netmask
# for eatch subnet
# openstack vpn ipsec site connection list -f json --long | jq -r ".[] | select(.\"VPN Service\" == \"${VPN_SERVICE_ID}\") .\"Local Endpoint Group ID\""
# openstack subnet show ${SUBNET_ID} -c cidr -f value
VPN_RIGHT_NET=10.0.1.0/24 
 
mv /etc/ipsec.conf /etc/ipsec.conf.org
cat <<EOF> /etc/ipsec.conf
config setup
 
conn vpn1
 keyexchange=ikev1
 left=%defaultroute
 leftid=${VPN_LEFT_IP}
 leftsubnet=${VPN_LEFT_NET}
 leftauth=psk
 leftfirewall=yes
 authby=psk
 auto=start
 ike=aes256-sha512-modp1024
 esp=aes256-sha512
 right=${VPN_RIGHT_IP}
 rightsubnet=${VPN_RIGHT_NET}
 rightauth=psk
 ikelifetime=3600s
 keylife=3600s
 type=tunnel
EOF

/etc/ipsec.secrets

PSK=**********
 
echo ${VPN_RIGHT_IP} : PSK "${PSK}" | sudo tee -a /etc/ipsec.secrets
#/etc/ipsec.d/ipsec.openstack_vpnaas.secrets

CLI

sudo ipsec restart
 
sudo ipsec status
sudo ipsec statusall
 
sudo ipsec up vpn1
sudo ipsec down vpn1
 
sudo ipsec listalgs

Delete

# Delete VPNs
openstack vpn ipsec site connection list --long | grep ${PROJECT_ID}
openstack vpn ipsec site connection delete ${IPSEC_SITE_CONNECTION_ID}
openstack vpn endpoint group list --long | grep ${PROJECT_ID}
openstack vpn endpoint group delete ${VPN_LOCAL_ENDPOINT_GROUP_ID} ${VPN_PEER_ENDPOINT_GROUP_ID}
openstack vpn service list --long | grep ${PROJECT_ID}
openstack vpn service delete ${VPN_SERVICE_ID}
openstack vpn ipsec policy list --long | grep ${PROJECT_ID}
openstack vpn ipsec policy delete ${VPN_IPSEC_POLICY_ID}
openstack vpn ike policy list --long | grep ${PROJECT_ID}
openstack vpn ike policy delete ${VPN_IKE_POLICY}
 
# auto delete all VPN configurations
VPN_CONNECTION_JSON=$(openstack vpn ipsec site connection list --long -f json | jq -r '.[]')
VPN_CONNECTION_IDS=$(echo ${VPN_CONNECTION_JSON} | jq -r '.ID')
 
for VPN_CONNECTION_ID in ${VPN_CONNECTION_IDS}; do
    echo ${VPN_CONNECTION_ID}
 
    openstack vpn ipsec site connection delete ${VPN_CONNECTION_ID}
    LOCAL_ENDPOINT_ID=$(echo ${VPN_CONNECTION_JSON} | jq -r '."Local Endpoint Group ID"')
    PEER_ENDPOINT_ID=$(echo ${VPN_CONNECTION_JSON} | jq -r '."Peer Endpoint Group ID"')
    openstack vpn endpoint group delete ${LOCAL_ENDPOINT_ID} ${PEER_ENDPOINT_ID}
    VPN_SERVICE_ID=$(echo ${VPN_CONNECTION_JSON} | jq -r '."VPN Service"')
    openstack vpn service delete ${VPN_SERVICE_ID}
    VPN_IPSEC_POLICY=$(echo ${VPN_CONNECTION_JSON} | jq -r '."IPSec Policy"')
    openstack vpn ipsec policy delete ${VPN_IPSEC_POLICY}
    VPN_IKE_POLICY=$(echo ${VPN_CONNECTION_JSON} | jq -r '."IKE Policy"')
    openstack vpn ike policy delete ${VPN_IKE_POLICY}
done

List

openstack vpn ipsec site connection list
openstack vpn endpoint group list
openstack vpn service list
openstack vpn ipsec policy list
openstack vpn ike policy list

NetworkManager

# sudo apt install network-manager-strongswan
 
sudo apt-get install network-manager-l2tp-gnome
sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
journalctl -f -u NetworkManager.service
 
# fixme:
... NetworkManager[459580]: parsed INFORMATIONAL_V1 request 2368110922 [ HASH N(AUTH_FAILED) ]
... NetworkManager[459580]: received AUTHENTICATION_FAILED error notify

Links
https://sysadmins.co.za/setup-a-site-to-site-ipsec-vpn-with-strongswan-on-ubuntu/
https://mlohr.com/fritzbox-lan-2-lan-vpn-with-strongswan/
https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan
https://www.networkworld.com/article/2224654/mtu-size-issues.html