Install strongSwan: an IPsec-based VPN tool on Linux


IPsec is a standard that provides network-layer security. It consists of the Authentication Header (AH) and Encapsulating Security Payload (ESP) components. AH provides packet integrity, and ESP provides packet confidentiality. IPsec provides the following at the network layer:

  • Confidentiality
  • Data Packet integrity
  • Source Non-Repudiation
  • Replay Attack Protection

strongSwan is an open-source implementation of the IPsec protocol. The name stands for Strong Secure WAN (StrongS/WAN). It supports both versions of automatic key exchange for IPsec VPNs: Internet Key Exchange (IKE) v1 and v2.

strongSwan basically provides automatic key exchange between the two nodes/gateways of the VPN, and then relies on the IPsec (AH and ESP) implementation in the Linux kernel. The keys shared through the IKE mechanism are then used by ESP to encrypt data. In the IKE phase, strongSwan uses the encryption algorithms of OpenSSL (AES, SHA, etc.) and other crypto libraries. The security algorithms used by the ESP component of IPsec, however, are implemented by the Linux kernel. The main features of strongSwan are as follows:

  • X.509 Certificate or pre-shared key-based authentication
  • Support for IKEv1 and IKEv2 key exchange protocols
  • Optional built-in integrity and crypto tests for plug-ins and libraries
  • Support for elliptic curve DH groups and ECDSA certificates
  • Storage of RSA private keys and certificates on smart cards

It can be used in both client/server (road warrior) and gateway-to-gateway scenarios.

 

How to install

Almost all Linux distributions provide a strongSwan binary package. This tutorial installs strongSwan from the binary package and also compiles it from source with the desired features.

 

Use a Binary Package

Run the following command to install strongSwan on Ubuntu 14.04 LTS.

  $ sudo aptitude install strongswan


The strongSwan global configuration file (strongswan.conf) and the IPsec configuration files (ipsec.conf/ipsec.secrets) are all in the /etc/ directory.

Dependency packages for compiling and installing strongSwan from source

  • GMP (multiple-precision math library used by strongSwan)
  • OpenSSL (provides the encryption algorithms)
  • PKCS (, 12) (certificate encoding and Smart Card integration)

 

Procedure

1) Run the following command in a terminal to change to the /usr/src/ directory:

  $ cd /usr/src

2) Use the following command to download the source code from the strongSwan website:

  $ sudo wget http://download.strongswan.org/strongswan-5.2.1.tar.gz

(strongswan-5.2.1.tar.gz is the latest version.)


3) Use the following command to extract the downloaded archive and enter the source directory.

  $ sudo tar -xvzf strongswan-5.2.1.tar.gz; cd strongswan-5.2.1

4) Use the configure command to set the desired strongSwan options.

  $ ./configure --prefix=/usr/local --enable-pkcs11 --enable-openssl


If the GMP library is not installed, the configure script reports the following error.

(Screenshot: GMP library error)

Therefore, run the following command to install the GMP library, and then run the configure script again.

(Screenshot: GMP installation)

However, if the above error is still reported after GMP is installed, run the following command on Ubuntu to create a symbolic link for the /usr/lib/x86_64-linux-gnu/libgmp.so library.

  $ sudo ln -s /usr/lib/x86_64-linux-gnu/libgmp.so.10.1.3 /usr/lib/x86_64-linux-gnu/libgmp.so


After creating the libgmp.so symbolic link, run the ./configure script again so that it can find the GMP library. However, it may then report another error, this time about the GMP header file, as shown below.

(Screenshot: GMP header file issue)

To solve the preceding error, run the following command to install the libgmp-dev package:

  $ sudo aptitude install libgmp-dev


After installing the GMP development library, run the configure script again. If no error occurs, you will see the following output.

(Screenshot: output of the configure script)

Use the following command to compile and install strongSwan.

  $ sudo make ; sudo make install

After strongSwan is installed, the global configuration file (strongswan.conf) and the IPsec policy/secrets configuration files (ipsec.conf/ipsec.secrets) are placed in the /usr/local/etc directory.
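The source-build steps above, gathered into one script as an added example that is not part of the original article: it checks the download against a SHA-256 digest you supply, confirms the archive unpacks only under its own directory, and builds as an unprivileged user so that only the install step runs as root. EXPECTED_SHA256, the function names and the temporary work directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. EXPECTED_SHA256 is a
# placeholder: obtain the real digest from a channel you trust.
VERSION="5.2.1"
TARBALL="strongswan-${VERSION}.tar.gz"
URL="http://download.strongswan.org/${TARBALL}"   # URL as given in the article
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_TRUSTED_SHA256}"

# Succeed only if the file's SHA-256 equals the expected hex digest.
verify_sha256() {
    file=$1; expected=$2
    [ -f "$file" ] || return 2
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Succeed only if the archive is readable and every member sits under the
# expected top-level directory (no absolute paths, no ".." components).
archive_is_contained() {
    tar -tzf "$1" 2>/dev/null | awk -v top="$2" '
        /^\// || /(^|\/)\.\.(\/|$)/               { bad = 1 }
        $0 != top && index($0, top "/") != 1      { bad = 1 }
        END { exit (bad || NR == 0) }'
}

# Download, verify, build as the invoking user; only the install step is root.
build_strongswan() {
    workdir=$(mktemp -d) && cd "$workdir" || return 1
    wget "$URL" || return 1
    verify_sha256 "$TARBALL" "$EXPECTED_SHA256" ||
        { echo "checksum mismatch: $TARBALL" >&2; return 1; }
    archive_is_contained "$TARBALL" "strongswan-${VERSION}" ||
        { echo "archive escapes strongswan-${VERSION}/" >&2; return 1; }
    tar -xzf "$TARBALL" && cd "strongswan-${VERSION}" || return 1
    ./configure --prefix=/usr/local --enable-pkcs11 --enable-openssl || return 1
    make || return 1
    sudo make install
}

# Run the full build only when invoked as: sh build-strongswan.sh build
if [ "${1:-}" = "build" ]; then
    build_strongswan
fi
```

Because the article's download URL is plain HTTP, the digest has to come from somewhere other than that same connection for the check to mean anything.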

Depending on your security needs, strongSwan can be used in tunnel or transport mode. It provides the well-known site-to-site and road warrior VPN modes. It is easy to use with Cisco and Juniper devices.

Via: http://linoxide.com/security/install-strongswan/

Author: nido Translator: wyangsun Proofreader: wxy

This article was originally translated by LCTT and is proudly presented by Linux China.
