Quick Note 061: Main Mode IPsec IKEv1 VPN from TransPort to StrongSwan using Preshared Key
22 August 2017
Contents
1 Introduction                3
1.1 Introduction              3
5 Testing                    19
Page | 2
1 INTRODUCTION
1.1 Introduction
This document describes how to configure an IPsec VPN tunnel between a Digi TransPort WR router and a
StrongSwan server using Main Mode, IKEv1 and pre-shared key authentication.
[Figure: network diagram. TransPort WR Router - Internet - StrongSwan]
1.3 Outline
This guide details the steps involved in configuring a Digi TransPort router to act as an IPsec VPN
client to a StrongSwan appliance configured as an IPsec VPN server, using Main Mode, IKEv1 and pre-
shared key authentication. This example assumes that neither device is behind a NAT box.
1.4 Assumptions
This guide has been written for use by technically competent personnel with a good understanding of
the communications technologies used in the product and of the requirements for their specific
application. It also assumes a basic ability to access and navigate a Digi TransPort router and
configure it with basic routing functions.
This application note applies to:
Configuration: This document assumes that the devices are set to their factory default
configurations. Most configuration commands are shown only if they differ from the factory default.
Please note: This application note has been specifically rewritten for the specified firmware versions
and later but will work on earlier versions of firmware. Please contact tech.support@digi.com if you
require assistance in upgrading the firmware of the TransPort WR routers.
1.5 Corrections
Requests for corrections or amendments to this application note are welcome and should be
addressed to tech.support@digi.com. Requests for new application notes can be sent to the same
address.
1.6 Version
Version Number   Status      Date
1.0              Completed   14.08.2017
2 TRANSPORT CONFIGURATION
2.1 WAN interface configuration
In this example, the mobile interface will be used as the WAN interface on which the IPsec tunnel will
be established.
Navigate to:
Configuration – Network > Interfaces > Mobile
Parameter                       Setting              Description
Service Plan / APN              Your.APN.goes.here   Enter the APN of your mobile provider
Enable IPsec on this interface  Checked              Enable IPsec to be built on this WAN interface
Please note: If required, enter a SIM PIN and Username/Password for this SIM card and APN.
2.1 Tunnel Configuration
Open a web browser to the IP address of the TransPort WR21 router.
2.1.2 Phase 2 settings
Navigate to:
Configuration – Network > Virtual Private Network (VPN) > IPsec > IPsec 0 – 9 > IPsec 0
Parameter                                       Setting         Description
The IP address or hostname of the remote unit   192.168.1.118   WAN IP address of the StrongSwan server
Click Apply
2.2 Configure users
Navigate to Configuration - Security > Users > User 0-9 > User 9
Here the pre-shared key is configured, with the WAN IP address of the StrongSwan server used as the
username. The username must therefore match the Peer ID set in the IPsec configuration above:
3 STRONGSWAN CONFIGURATION
Get:5 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libstrongswan-standard-plugins amd64 5.3.5-1ubuntu3.4 [267 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 strongswan all 5.3.5-1ubuntu3.4 [27.1 kB]
Fetched 3,731 kB in 12s (307 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libstrongswan.
(Reading database ... 175214 files and directories currently installed.)
Preparing to unpack .../libstrongswan_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking libstrongswan (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package strongswan-libcharon.
Preparing to unpack .../strongswan-libcharon_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking strongswan-libcharon (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package strongswan-starter.
Preparing to unpack .../strongswan-starter_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking strongswan-starter (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package strongswan-charon.
Preparing to unpack .../strongswan-charon_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking strongswan-charon (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package libstrongswan-standard-plugins.
Preparing to unpack .../libstrongswan-standard-plugins_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking libstrongswan-standard-plugins (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package strongswan.
Preparing to unpack .../strongswan_5.3.5-1ubuntu3.4_all.deb ...
Unpacking strongswan (5.3.5-1ubuntu3.4) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libstrongswan (5.3.5-1ubuntu3.4) ...
Setting up strongswan-libcharon (5.3.5-1ubuntu3.4) ...
Setting up strongswan-starter (5.3.5-1ubuntu3.4) ...
Setting up strongswan-charon (5.3.5-1ubuntu3.4) ...
Setting up libstrongswan-standard-plugins (5.3.5-1ubuntu3.4) ...
Setting up strongswan (5.3.5-1ubuntu3.4) ...
Please note: All commands have to be run in elevated or superuser mode. For ease of
configuration, this document uses the root user (not recommended). In most cases, prefixing each
command with “sudo” will give the expected result.
3.3 Configure StrongSwan
3.3.1.1 ipsec.conf
Edit the ipsec.conf file using a text editor such as vi:
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        # IKEv1; Main Mode is used unless aggressive=yes is set
        keyexchange=ikev1
        # pre-shared key authentication, keys taken from ipsec.secrets
        authby=secret

conn peer1-peer2
        # WAN IP address of the StrongSwan server; also its IKE identity
        left=192.168.1.118
        # LAN behind the StrongSwan server
        leftsubnet=100.10.10.0/24
        leftfirewall=yes
        # accept the TransPort from any address; StrongSwan acts as the responder
        right=%any
        rightallowany=yes
        # LAN behind the TransPort
        rightsubnet=10.0.0.0/24
        auto=start
        closeaction=restart
        # Phase 1 proposal; must match ike 0 authalg SHA1 / ikegroup 2 on the TransPort
        ike=aes128-sha1-modp1024
        # Phase 2 (ESP) proposal
        esp=aes128-sha1
        type=tunnel
        # already inherited from conn %default; repeating it is harmless
        keyingtries=%forever

Type :wq to save and close.
3.3.1.2 ipsec.secrets
Edit the ipsec.secrets file using a text editor such as vi:
192.168.1.118 : PSK "digidigi"
192.168.1.23 : PSK "digidigi"

Type :wq to save and close.

Parameter        Description
192.168.1.118    IPv4 ID
192.168.1.23     IPv4 ID
“digidigi”       Pre-shared key
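The ipsec.conf and ipsec.secrets files above are small, but two things about them are easy to get wrong: settings in conn %default are inherited by every other conn (which is why keyingtries is effectively set twice), and strongSwan chooses the pre-shared key by matching the peer's identity against the selectors at the start of each ipsec.secrets line. The following Python script is an added example, not code from the Digi note or the strongSwan project: it parses constructed copies of the two files shown in sections 3.3.1.1 and 3.3.1.2, resolves the %default inheritance, looks up the PSK the way the selectors imply, reports whether the conn negotiates Main Mode, and flags the SHA-1 / DH group 2 proposal and the short key. The weak-token list, MIN_PSK_LEN and the function names are this example's own choices; the assumption that 192.168.1.23 is the TransPort's WAN address is marked in the code.

```python
"""Parse strongSwan ipsec.conf / ipsec.secrets and check the PSK setup.
Added example, not code from the Digi note or the strongSwan project. The two
config texts are constructed copies of sections 3.3.1.1 and 3.3.1.2; the weak
token list, MIN_PSK_LEN and the function names are this example's own choices."""
import re

IPSEC_CONF = """\
config setup
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev1
    authby=secret
conn peer1-peer2
    left=192.168.1.118
    leftsubnet=100.10.10.0/24
    leftfirewall=yes
    right=%any
    rightallowany=yes
    rightsubnet=10.0.0.0/24
    auto=start
    closeaction=restart
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    type=tunnel
    keyingtries=%forever
"""
# 192.168.1.23 is assumed to be the TransPort's WAN address (the note does not say).
IPSEC_SECRETS = """\
192.168.1.118 : PSK "digidigi"
192.168.1.23 : PSK "digidigi"
"""
WEAK_TOKENS = {"md5", "sha1", "3des", "modp768", "modp1024"}  # this example's list
MIN_PSK_LEN = 20  # this example's threshold, not a strongSwan requirement


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' settings inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                    # unindented: section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:                   # indented: key=value setting
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **cfg} for (kind, name), cfg in sections.items()
            if kind == "conn" and name != "%default"}


def parse_ipsec_secrets(text):
    """Return [(selector_set, psk)] per line; an empty selector set is the wildcard."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$', line)
        if m:
            entries.append((set(m.group(1).split()), m.group(2)))
    return entries


def psk_for(secrets, identity):
    """First PSK whose selectors name the identity (or the wildcard entry)."""
    for selectors, psk in secrets:
        if not selectors or identity in selectors:
            return psk
    return None


def ike_mode(conn):
    """For IKEv1: 'main' unless aggressive=yes selects Aggressive Mode."""
    if conn.get("keyexchange") != "ikev1":
        return conn.get("keyexchange", "ike")
    return "aggressive" if conn.get("aggressive", "no") == "yes" else "main"


def weak_algorithms(conn):
    """Weak tokens used in the conn's ike= and esp= proposal strings."""
    found = set()
    for key in ("ike", "esp"):
        for proposal in conn.get(key, "").rstrip("!").split(","):
            found.update(t for t in proposal.split("-") if t in WEAK_TOKENS)
    return found


def check_psk_setup(conns, secrets, conn_name):
    """Findings for one conn: authby, PSK coverage/length for left, weak algorithms."""
    conn, findings = conns[conn_name], []
    if conn.get("authby") != "secret":
        findings.append("authby is not 'secret'; ipsec.secrets PSK lines are not used")
    left = conn.get("left", "")
    psk = psk_for(secrets, left)
    if psk is None:
        findings.append(f"no PSK entry covers left={left}")
    elif len(psk) < MIN_PSK_LEN:
        findings.append(f"PSK for {left} is shorter than {MIN_PSK_LEN} characters")
    for token in sorted(weak_algorithms(conn)):
        findings.append(f"proposal uses weak algorithm {token}")
    return findings
```

Run against the note's files, check_psk_setup reports three findings: the eight-character key and the sha1 and modp1024 tokens. The parser is deliberately simple (one level of %default inheritance, PSK lines only) and is meant for checking a hand-written configuration before loading it, not as a replacement for strongSwan's own parser.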
4 CHECK TUNNEL STATUS
Via the CLI, run the sastat command:
sastat
[Command result: screenshot not reproduced]
4.2 StrongSwan
5 TESTING
A simple test of the tunnel is to generate a ping from each side of the tunnel to the remote end’s
Ethernet interface.
sent PING # 1
PING receipt # 1 : response time 0.00 seconds
Iface: PPP 1
Ping Statistics
Sent : 1
Received : 1
Success : 100 %
Average RTT : 0.00 seconds
OK
6 TRANSPORT CONFIGURATION
ike 0 authalg "SHA1"
ike 0 ikegroup 2
ike 0 noresp ON
ike 0 deblevel 4
ike 0 debug ON
ana 0 anon ON
ana 0 l2on OFF
ana 0 l3on OFF
ana 0 xoton OFF
ana 0 lapdon 0
ana 0 lapbon 0
ana 0 ikeon ON
ana 0 logsize 45
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "digi.router"
cmd 0 asyled_mode 2
cmd 0 tremto 1200
cmd 0 rcihttp ON
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 2 access 0
user 3 access 0
user 4 access 0
user 5 access 0
user 6 access 0
user 7 access 0
user 8 access 0
user 9 name "192.168.1.118"
user 9 epassword "PDZxU0FFQFU="
user 9 access 4
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
ssh 0 hostkey1 "privSSH.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF
cloud 0 clientconn ON
cloud 0 ssl ON
OK
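The dump above is what you compare against the StrongSwan side when Phase 1 does not come up: ike 0 authalg "SHA1" and ike 0 ikegroup 2 must correspond to the sha1 and modp1024 tokens of the ike= proposal in ipsec.conf, and user 9 must carry the StrongSwan WAN address as its name so that the TransPort can find the pre-shared key. The following Python script is an added example, not code from Digi or the application note: it parses a constructed excerpt of the section 6 dump, sorts each token of the ike= line from section 3.3.1.1 into matched, mismatched or unchecked against the dump, locates the PSK user for the peer, and lists the IKE debug and analyser settings that this dump leaves switched on. DH_GROUPS, INTEGRITY, DEBUG_KEYS and the function names are this example's own assumptions, not a TransPort parameter reference; the encryption token stays unchecked because the excerpt on the page starts after the encryption setting.

```python
"""Audit a Digi TransPort config dump against the strongSwan IKE proposal.
Added example, not code from Digi or the application note. TRANSPORT_DUMP is a
constructed excerpt of the section 6 dump and STRONGSWAN_IKE is the ike= line
from section 3.3.1.1; DH_GROUPS, INTEGRITY, DEBUG_KEYS and the function names
are this example's own assumptions, not a TransPort parameter reference."""
import shlex

TRANSPORT_DUMP = """\
ike 0 authalg "SHA1"
ike 0 ikegroup 2
ike 0 noresp ON
ike 0 deblevel 4
ike 0 debug ON
ana 0 anon ON
ana 0 l2on OFF
ana 0 l3on OFF
ana 0 ikeon ON
ana 0 logsize 45
cmd 0 hostname "digi.router"
user 1 name "username"
user 1 access 0
user 9 name "192.168.1.118"
user 9 access 4
ssh 0 v1 OFF
OK
"""
STRONGSWAN_IKE = "aes128-sha1-modp1024"

# IKE Diffie-Hellman group numbers and their strongSwan proposal tokens.
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512"}
# Troubleshooting aids visible in the dump (IKE debug output and the protocol
# analyser with its IKE trace); assumed to belong off once the tunnel is stable.
DEBUG_KEYS = {("ike", "debug"), ("ana", "anon"), ("ana", "ikeon")}


def parse_transport_dump(text):
    """Return {(entity, index): {param: value}} from 'entity idx param value'
    lines; shorter lines such as the trailing 'OK' prompt are skipped."""
    cfg = {}
    for line in text.splitlines():
        fields = shlex.split(line)           # handles the "quoted" values
        if len(fields) < 4:
            continue
        entity, idx, param = fields[:3]
        cfg.setdefault((entity, idx), {})[param] = " ".join(fields[3:])
    return cfg


def compare_ike_proposal(cfg, proposal):
    """Sort each token of a strongSwan ike= proposal into matched, mismatched or
    unchecked against the TransPort's ike 0 authalg and ikegroup values. The
    encryption token is unchecked because the dump excerpt starts after it."""
    ike = cfg.get(("ike", "0"), {})
    local_auth = ike.get("authalg", "").lower()
    local_group = DH_GROUPS.get(ike.get("ikegroup", ""))
    result = {"matched": set(), "mismatched": set(), "unchecked": set()}
    for token in proposal.rstrip("!").split("-"):
        if token.startswith("modp"):
            bucket = "matched" if token == local_group else "mismatched"
        elif token in INTEGRITY:
            bucket = "matched" if token == local_auth else "mismatched"
        else:
            bucket = "unchecked"
        result[bucket].add(token)
    return result


def peer_user(cfg, peer_id):
    """Index of the user entry whose name is the peer ID (the TransPort looks
    the pre-shared key up by that name), or None if no such user exists."""
    for (entity, idx), params in cfg.items():
        if entity == "user" and params.get("name") == peer_id:
            return idx
    return None


def debug_settings_on(cfg):
    """Sorted (entity, index, param) triples of DEBUG_KEYS that are set to ON."""
    return sorted((entity, idx, param)
                  for (entity, idx), params in cfg.items()
                  for param, value in params.items()
                  if (entity, param) in DEBUG_KEYS and value.upper() == "ON")
```

For the note's settings compare_ike_proposal reports sha1 and modp1024 as matched and aes128 as unchecked; change the proposal to aes256-sha256-modp2048 and both the integrity and group tokens show up as mismatched, which is the classic "NO_PROPOSAL_CHOSEN" situation. debug_settings_on returns the three ON entries (ana 0 anon, ana 0 ikeon, ike 0 debug), useful while bringing the tunnel up and worth switching off afterwards so that IKE traces do not keep filling the analyser log.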