[strongSwan] how to setup a strongswan vpn client on ubuntu 16.04 for this tutorial?

小安 annbigbig at gmail.com
Tue Nov 15 19:33:09 CET 2016


Hi everyone,

I tried to set up a strongSwan client on my Ubuntu 16.04 laptop.
I have searched Google but didn't find a clear answer, so I need your help.
I followed this tutorial:

https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior

and installed a strongSwan VPN server on an OpenWrt router (DD r49975).
The Android strongSwan client also connected successfully and works fine,
but I want to set up a VPN client on my Ubuntu 16.04 laptop.
How do I achieve this? Which files should I copy to the Ubuntu laptop,
and where should I put them? How do I configure /etc/ipsec.conf,
/etc/strongswan.conf and /etc/ipsec.secrets?
Are there any other files I should modify or set up? And what is the command for
connecting to and disconnecting from the remote VPN server?
Could anyone give a complete tutorial for setting up a VPN client on Ubuntu
16.04
(for a VPN server that was configured exactly the way this tutorial
teaches)?
The tutorial shows how to set up a VPN client on BlackBerry/Windows
7/Android/iPhones/iOS
but doesn't cover how to set up a VPN client on Linux.
I tried to use the network-manager GUI to set up the VPN client,
but after opening the dialog I cannot find an option that lets me specify
the path to clientCert.p12 and the username and password
as I did on the Android client.


Here is /etc/strongswan.conf on my OpenWrt router:
charon {
        threads = 16
        dns1 = 10.2.2.1
        dns2 = 8.8.8.8
        port = 2805
        port_nat_t = 7777
}

pluto {

}


Here is /etc/ipsec.conf on my OpenWrt router:
config setup

conn %default
 keyexchange=ikev2

conn roadwarrior
 left=%any
 leftauth=pubkey
 leftcert=serverCert.pem
 leftid=192.168.0.11
 leftsubnet=0.0.0.0/0
 leftfirewall=yes
 right=%any
 rightsourceip=10.5.3.0/24
 rightauth=pubkey
 rightcert=clientCert.pem
 rightauth2=eap-mschapv2
 auto=add
 esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
 ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096

Here is /etc/ipsec.secrets on my OpenWrt router:
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA serverKey.pem
tony : EAP "tonypassword"
mary : EAP "marypassword"


Here is the part of /etc/config/firewall I added for strongSwan
(I need custom ports for fighting the Great Firewall of China, so I changed 500
to 2805 and 4500 to 7777):
config rule
        option src 'wan'
        option name 'IPSec ESP'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'IPSec IKE'
        option dest_port '2805'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'IPSec NAT-T'
        option proto 'udp'
        option dest_port '7777'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'Auth Header'
        option proto 'ah'
        option target 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'


Here is another firewall config, /etc/firewall.user:
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

And here are some details about my OpenWrt router:
WAN IP: 192.168.0.11 (gets a DHCP IP from the upstream router; later in the future
I will change it to a public IP)
LAN IP: 10.2.2.1
LAN subnet: 10.2.2.0/24
The subnet I plan for the VPN: 10.5.3.0/24
(I don't know whether I should offer a 10.2.2.x IP to remote VPN clients, so I give
them 10.5.3.x)

Now the strongSwan server (on the OpenWrt router) and the strongSwan client (on
Android)
both work fine without problems, but how can I connect to the strongSwan
server (on the OpenWrt router) if I want to use my Ubuntu 16.04 laptop as the VPN
client?
Should I use Ubuntu's built-in network-manager GUI, or connect with a pure
text command? How do I connect to the strongSwan server from Ubuntu 16.04?

openwrt(server)  <------------------ ubuntu(client)

Any suggestions will be appreciated,
and sorry for my poor English.
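
Added example (not part of the original post): a Python check that the custom IKE and NAT-T ports set in strongswan.conf each have a matching UDP ACCEPT rule from 'wan' in /etc/config/firewall. The function names are made up for this example, and the embedded input is a constructed excerpt of the two files quoted above.

```python
import re
# Constructed sample input: the port settings and the two UDP rules posted above.
STRONGSWAN_CONF = """charon {
    port = 2805
    port_nat_t = 7777
}"""
FIREWALL = """
config rule
    option src 'wan'
    option dest_port '2805'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option proto 'udp'
    option dest_port '7777'
    option target 'ACCEPT'
"""

def charon_ports(conf):
    """UDP ports charon binds; 500 and 4500 are strongSwan's defaults."""
    # Assumption: a flat charon block, as in the post (no nested sections).
    block = re.search(r"charon\s*\{(.*?)\}", conf, re.S)
    opts = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", block.group(1) if block else "", re.M))
    return {k: int(opts.get(k, d)) for k, d in (("port", 500), ("port_nat_t", 4500))}

def uci_rules(text):
    """Parse the 'config rule' sections of /etc/config/firewall into dicts."""
    rules, current = [], None
    for line in text.splitlines():
        words = line.split(None, 2)
        if words[:1] == ["config"]:
            current = {} if words[1:2] == ["rule"] else None
            rules += [current] if current is not None else []
        elif words[:1] == ["option"] and len(words) == 3 and current is not None:
            current[words[1]] = words[2].strip().strip("'\"")
    return rules

def unopened_ports(conf, firewall, zone="wan"):
    """charon settings whose UDP port has no ACCEPT rule from `zone`."""
    opened = set()
    for r in uci_rules(firewall):
        if (r.get("src"), r.get("target")) == (zone, "ACCEPT") and "udp" in r.get("proto", "").split():
            opened.update(r.get("dest_port", "").split())  # port ranges are not expanded
    return {k: p for k, p in charon_ports(conf).items() if str(p) not in opened}

if __name__ == "__main__":
    print(unopened_ports(STRONGSWAN_CONF, FIREWALL) or "every charon port is opened")
```

An empty result means both listening ports are reachable from the WAN zone; any entry returned names the strongswan.conf setting whose port the firewall does not open.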