From 7b0d87bbb20b136fc1860390f409331b4dc2828b Mon Sep 17 00:00:00 2001 From: Rajakavitha Kodhandapani Date: Thu, 6 Feb 2025 13:05:32 +0530 Subject: [PATCH 1/3] [update] Install and Configure a StrongSwan Gateway VPN Server on Ubuntu 20.04 --- .../strongswan-vpn-server-install/index.md | 27 +++++++++++++++---- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md b/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md index 32ced86d10f..2f3ef11768e 100644 --- a/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md +++ b/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md 
@@ -44,17 +44,21 @@ The steps in this guide are written for non-root users. Commands that require el 1. Use the IPsec command-line utility to create your IPsec private key. In the case of this tutorial, the private key is used to create the root certificate for StrongSwan. You can also use this key to generate other certificates. - sudo ipsec pki --gen --size 4096 --type rsa --outform pem > /etc/ipsec.d/private/ca.key.pem + sudo ipsec pki --gen --size 4096 --type rsa --outform pem > ca.key.pem + sudo mv ca.key.pem /etc/ipsec.d/private/ca.key.pem + sudo chmod 600 /etc/ipsec.d/private/ca.key.pem 1. Create and sign the root certificate with the configurations included below. Ensure you replace the value of the `CN` configuration with your own desired name for your StrongSwan VPN server. - ipsec pki --self --in /etc/ipsec.d/private/ca.key.pem --type rsa --dn "CN=" --ca --lifetime 3650 --outform pem > /etc/ipsec.d/cacerts/ca.cert.pem + sudo ipsec pki --self --in /etc/ipsec.d/private/ca.key.pem --type rsa \ + --dn "CN=" --ca --lifetime 3650 --outform pem | \ + sudo tee /etc/ipsec.d/cacerts/ca.cert.pem > /dev/null In the example above, the `--lifetime 3650` configuration sets the certificate's lifetime to 3650 days or approximately ten years. The lifetime of the certificate determines when it is to be regenerated and distributed to your StrongSwan server and connected clients. You can adjust this setting to your preferred value. 1. Generate the StrongSwan VPN server's private certificate. - ipsec pki --gen --size 4096 --type rsa --outform pem > /etc/ipsec.d/private/server.key.pem + sudo ipsec pki --gen --size 4096 --type rsa --outform pem | sudo tee /etc/ipsec.d/private/server.key.pem > /dev/null 1. Generate the host server certificate. There are two ways to generate the certificate, however, they cannot be mixed. The two ways are as follows: 
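Review bot: the new CA key step (`sudo ipsec pki --gen ... > ca.key.pem` followed by `sudo mv` and `sudo chmod 600`) first writes the private key into the current working directory under the invoking user's umask, so for a moment the key exists as a world-readable file in whatever directory the reader happens to be in. The server key three lines later already uses the safer `sudo ipsec pki --gen ... | sudo tee /etc/ipsec.d/private/server.key.pem > /dev/null` pattern; use the same pattern for `ca.key.pem` so the key never touches the working directory, and keep the `sudo chmod 600` afterwards. Conversely, the server key line gets no `chmod 600` at all, while `tee` under root's default umask creates it `0644`; add `sudo chmod 600 /etc/ipsec.d/private/server.key.pem` after it so both keys end up with the same permissions. The move from `>` to `sudo tee` is the right fix for the original bug, since the shell redirection in the old lines ran as the unprivileged user and would have failed on the root-owned `/etc/ipsec.d/private`.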
@@ -64,13 +68,26 @@ The steps in this guide are written for non-root users. Commands that require el **Local Resolver Method** The example below uses a local resolver. The IPsec utility takes the server key from step 2 and uses it as an input private certificate source, and generates a resolver-based certificate. Ensure you replace the value of `CN` and `san` with your own. The `--dn “CN=` is a DNS or `/etc/hosts` call that should be changed to reflect your organization's own hostname. - ipsec pki --pub --in /etc/ipsec.d/private/server.key.pem --type rsa | ipsec pki --issue --lifetime 3650 --cacert /etc/ipsec.d/cacerts/ca.cert.pem --cakey /etc/ipsec.d/private/ca.key.pem --dn "CN=" --san="" --flag serverAuth --flag ikeIntermediate --outform pem > /etc/ipsec.d/certs/server.cert.pem + sudo ipsec pki --pub --in /etc/ipsec.d/private/server.key.pem --type rsa | \ + sudo ipsec pki --issue --lifetime 3650 \ + --cacert /etc/ipsec.d/cacerts/ca.cert.pem --cakey /etc/ipsec.d/private/ca.key.pem \ + --dn "CN=" --san="" \ + --flag serverAuth --flag ikeIntermediate --outform pem | \ + sudo tee /etc/ipsec.d/certs/server.cert.pem > /dev/null + **Gateway Server IPv4 Address** The duplicate `–san=”` configuration in the command below is correct; do not omit both configurations. Replace their values with your own gateway server's IPv4 address. 
- ipsec pki --pub --in /etc/ipsec.d/private/server.key.pem --type rsa | ipsec pki --issue --lifetime 3650 --cacert /etc/ipsec.d/cacerts/ca.cert.pem --cakey /etc/ipsec.d/private/ca.key.pem --dn "CN=" –san=”” --san="" --flag serverAuth --flag ikeIntermediate --outform pem > /etc/ipsec.d/certs/server.cert.pem + sudo ipsec pki --pub --in /etc/ipsec.d/private/server.key.pem --type rsa | \ + sudo ipsec pki --issue --lifetime 3650 \ + --cacert /etc/ipsec.d/cacerts/ca.cert.pem --cakey /etc/ipsec.d/private/ca.key.pem \ + --dn "CN=" \ + --san="" --san="" \ + --flag serverAuth --flag ikeIntermediate --outform pem | \ + sudo tee /etc/ipsec.d/certs/server.cert.pem > /dev/null + At the end of this section, you should have generated the following files on your Ubuntu 20.04 server: From e6e169ec806be04f4b7c0918723458da6a055940 Mon Sep 17 00:00:00 2001 From: Rajakavitha Kodhandapani Date: Fri, 14 Mar 2025 14:06:39 +0530 Subject: [PATCH 2/3] Update index.md fixed indentation --- .../networking/vpn/strongswan-vpn-server-install/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md b/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md index 2f3ef11768e..4f3ed13ca4e 100644 --- a/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md +++ b/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md 
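Review bot: the rewritten gateway-address command correctly replaces the en-dash and curly-quote `–san=””` of the old line with ASCII `--san=""`, but the prose context line directly above it still reads "The duplicate `–san=”` configuration", and the local-resolver paragraph still contains `--dn “CN=` with smart quotes; since the command is now being fixed, update those two inline code spans to `--san=""` and `--dn "CN="` in the same commit so a reader who copies from the prose does not reintroduce the broken characters. Also note why the `sudo` on the first half of the pipeline (`sudo ipsec pki --pub --in /etc/ipsec.d/private/server.key.pem`) is now required rather than cosmetic: after the previous hunk the server and CA keys are root-owned `0600`, so the `--pub` read and the `--cakey` read both fail without it; a one-line remark in the guide would save readers a confusing permission error. The stray blank `+` line added after each command is harmless in Markdown but not needed.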
@@ -51,8 +51,8 @@ The steps in this guide are written for non-root users. Commands that require el 1. Create and sign the root certificate with the configurations included below. Ensure you replace the value of the `CN` configuration with your own desired name for your StrongSwan VPN server. sudo ipsec pki --self --in /etc/ipsec.d/private/ca.key.pem --type rsa \ - --dn "CN=" --ca --lifetime 3650 --outform pem | \ - sudo tee /etc/ipsec.d/cacerts/ca.cert.pem > /dev/null + --dn "CN=" --ca --lifetime 3650 --outform pem | \ + sudo tee /etc/ipsec.d/cacerts/ca.cert.pem > /dev/null In the example above, the `--lifetime 3650` configuration sets the certificate's lifetime to 3650 days or approximately ten years. The lifetime of the certificate determines when it is to be regenerated and distributed to your StrongSwan server and connected clients. You can adjust this setting to your preferred value. From 2e4f254e45c91000956cb790b8851943f1c17a87 Mon Sep 17 00:00:00 2001 From: Rajakavitha Kodhandapani Date: Fri, 14 Mar 2025 14:11:53 +0530 Subject: [PATCH 3/3] Update index.md - added description --- .../networking/vpn/strongswan-vpn-server-install/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md b/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md index 4f3ed13ca4e..5fc51afc54a 100644 --- a/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md +++ b/docs/guides/networking/vpn/strongswan-vpn-server-install/index.md 
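Review bot: this hunk only re-indents the two continuation lines of the CA self-sign command to match the eight-space indentation used by the multi-line server-certificate commands added in the first patch; make sure the same whitespace (spaces, not a tab) is used in all four multi-line blocks so they render as one code block under the numbered list item. Since both this patch and the third one touch lines introduced by the first patch, consider squashing the series into a single commit so the final history does not carry an indentation fix for a line that was just added.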
@@ -56,7 +56,7 @@ The steps in this guide are written for non-root users. Commands that require el In the example above, the `--lifetime 3650` configuration sets the certificate's lifetime to 3650 days or approximately ten years. The lifetime of the certificate determines when it is to be regenerated and distributed to your StrongSwan server and connected clients. You can adjust this setting to your preferred value. -1. Generate the StrongSwan VPN server's private certificate. +1. Generate the StrongSwan VPN server’s private key and save it to `/etc/ipsec.d/private/server.key.pem`. This command ensures root permissions for file creation, and suppresses terminal output. sudo ipsec pki --gen --size 4096 --type rsa --outform pem | sudo tee /etc/ipsec.d/private/server.key.pem > /dev/null
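Review bot: the new description correctly changes "private certificate" to "private key", which matches what `ipsec pki --gen` produces, but the sentence "This command ensures root permissions for file creation, and suppresses terminal output" slightly misdescribes the pipeline: `sudo tee` writes the file as root, and `> /dev/null` discards the copy of the key that `tee` would otherwise echo to stdout, which is why the private key does not appear on screen. Saying that explicitly would help readers understand the pattern when they reuse it for the other files. Two smaller points: the apostrophe in "server’s" is a curly quote while the rest of the guide uses a straight `'`, and the description would be a natural place to mention the file permissions, since `tee` creates the key `0644` and the CA key step in this series applies `chmod 600` but this one does not.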