
www.zyxel.com

Case Study
How to establish client to site VPN to ATP series with Linux StrongSwan

1/12

Topic
Case Study ..... 1
Background ..... 3
Scenario and Topology ..... 3
Configuration ..... 4
Verification ..... 11
Note ..... 11


Background
A Virtual Private Network (VPN) lets you access the office or home network remotely
and securely over the Internet, so that the communication data is protected from
sniffing or hijacking by hackers. When the VPN connection to a site is established, a
secured tunnel is created that encrypts the traffic, preserves data integrity (no data
change during transmission) and ensures that communication happens only between the
client and the site.
This example shows how to use the VPN Setup Wizard to create a client to site VPN
between an ATP and Linux Ubuntu 18.04.3. It walks through configuring the VPN tunnel;
once the tunnel is configured, the office network can be accessed securely.

Scenario and Topology

The topology and the setup steps are shown below.

Note: All network IP addresses and subnet masks in this article are examples. Please
replace them with your actual network IP addresses and subnet masks. This example was
tested using an ATP800 (Firmware Version: ZLD 4.35 C0) and Linux Ubuntu 18.04.3 LTS.


Configuration
Set up the IPSec VPN Tunnel on the ATP

Step.1 In the ATP, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a VPN rule that can be used with the Ubuntu client. Click Next.

Quick Setup > VPN Setup Wizard > Welcome

Step.2 Choose Advanced to create a VPN rule with customized Phase 1 and Phase 2
settings and authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type


Step.3 Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive.
Set the rule to Remote Access (Server Role) and set the IKE Version to IKEv1.
Click Next.
Quick Setup > VPN Setup Wizard > VPN Settings

Step.4 Select My Address to be the interface connected to the Internet. Set the
Desired Negotiation, Encryption, Authentication, Key Group and SA Life
Time Setting. Type a secure Pre-Shared Key (8-32 characters) which must
match your Linux Ubuntu Pre-Shared Key. Click OK.


Quick Setup > VPN Setup Wizard > VPN Settings

Step.5 Continue to Phase 2 Settings to select the desired Encapsulation,
Encryption, Authentication and Perfect Forward Secrecy (PFS) settings.
Set Local Policy to the IP address range of the network connected to the
ATP. Click OK.
Quick Setup > VPN Setup Wizard > VPN Settings


Step.6 This screen provides a read-only summary of the VPN tunnel. Click Save.

Step.7 Add an address pool for Phase 2 mode config. Go to “CONFIGURATION > Object >
Address” and click Add to create the address pool object.

Step.8 Apply the VPN address pool to the Phase 2 VPN connection. Go to “CONFIGURATION
> VPN > IPSec VPN > VPN Connection”.


Set up the Host to Network VPN Tunnel on the Ubuntu 18.04


Step 1. Install StrongSwan
You must have root access to install and configure the related settings.
root@usg:~# apt-get install strongswan -y
After the installation completes, you can check the StrongSwan version
with the CLI command “ipsec version”:
root@usg:~# ipsec version
Linux strongSwan U5.6.2/K4.15.0-66-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@usg:~#

Step 2. Configure StrongSwan on Ubuntu 18.04


Define the Pre-Shared Key and
root@usg:~# vi /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: PSK 123456789
vpnclient : XAUTH "1qaz2wsx"

Define the CONNECTION parameters.
root@usg:~# vi /etc/ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    modeconfig=pull

# Add connections here.
conn home
    left=10.214.48.60
    leftid=vpnclient
    leftauth=psk
    leftauth2=xauth
    leftsourceip=%config
    leftfirewall=yes
    right=10.214.48.28
    rightsubnet=192.168.1.0/24
    rightid=10.214.48.28
    rightauth=psk
    auto=add
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!

# Sample VPN connections

Step 4. Other useful CLI commands

Set the service to start on boot:
root@usg:~# systemctl enable strongswan
Restart the VPN:
root@usg:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.6.2 IPsec [starter]...
root@usg:~#


Check the VPN tunnel status:
root@usg:~# ipsec status
Security Associations (1 up, 0 connecting):
home[1]: ESTABLISHED 13 seconds ago, 10.214.48.60[vpnclient]...10.214.48.28[10.214.48.28]
home{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ceda2bbf_i d8acc423_o
home{1}: 192.168.99.17/32 === 192.168.1.0/24
root@usg:~#
Tell the IKE daemon to bring up a connection:
root@usg:~# ipsec up <name>
Tell the IKE daemon to terminate a connection:
root@usg:~# ipsec down <name>


Verification

a. Make sure the IPSec VPN tunnel is up on both the ATP and Linux Ubuntu.

- ATP VPN status check

- Ubuntu VPN status check.
root@usg:~# ipsec status
Security Associations (1 up, 0 connecting):
home[1]: ESTABLISHED 54 minutes ago, 10.214.48.60[vpnclient]...10.214.48.28[10.214.48.28]
home{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc26c56a_i 6a5fb4f2_o
home{2}: 192.168.99.17/32 === 192.168.1.0/24

b. Ping the ATP LAN IP 192.168.1.1
root@usg:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.759 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.788 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4032ms
rtt min/avg/max/mdev = 0.724/0.754/0.788/0.036 ms

Note
If the Host-to-Network VPN tunnel cannot be established successfully, please check
the following items.
- Both the ATP and Linux Ubuntu must use the same Pre-Shared Key, Encryption,
Authentication method and DH Key Group.
- Make sure the ATP WAN to ZyWALL security policy allows IKE, AH and ESP.
- Mode config must be enabled on Ubuntu. Add modeconfig=pull to /etc/ipsec.conf.
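As an added example (not part of the Zyxel case study), the following shell script automates the two checks the Verification and Note sections describe: it parses `ipsec status` output for the IKE SA and CHILD SA of the `home` connection, and it confirms that the text of /etc/ipsec.conf carries `keyexchange=ikev1`, `modeconfig=pull`, `leftsourceip=%config` and `leftauth2=xauth`. The function names and the embedded sample status output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Zyxel case study: check the state of the
# "home" connection from `ipsec status` output and verify that ipsec.conf
# carries the settings the ATP remote-access (mode config) rule needs.
# SAMPLE_STATUS is constructed to mirror the output shown in this guide.

SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
     home[1]: ESTABLISHED 13 seconds ago, 10.214.48.60[vpnclient]...10.214.48.28[10.214.48.28]
     home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ceda2bbf_i d8acc423_o
     home{1}:   192.168.99.17/32 === 192.168.1.0/24'

# tunnel_state CONN STATUS_TEXT
# Prints "up <local-ts> <remote-ts>" when both the IKE SA (ESTABLISHED) and
# the CHILD SA (INSTALLED, TUNNEL) exist, "ike-only" when only Phase 1
# completed (typically a Phase 2 proposal or mode config problem), or "down".
tunnel_state() {
    conn=$1; status=$2
    if ! printf '%s\n' "$status" | grep -q "^ *${conn}\[[0-9]*]: *ESTABLISHED"; then
        echo down; return 1
    fi
    if ! printf '%s\n' "$status" | grep -q "^ *${conn}{[0-9]*}: *INSTALLED, TUNNEL"; then
        echo ike-only; return 2
    fi
    # Traffic selector line looks like "<local ts> === <remote ts>"; the local
    # /32 is the virtual IP handed out from the ATP's address pool.
    ts=$(printf '%s\n' "$status" | grep "^ *${conn}{[0-9]*}: .*===" | head -n 1)
    local_ts=$(printf '%s\n' "$ts" | sed 's/.*}: *//; s/ *===.*//')
    remote_ts=$(printf '%s\n' "$ts" | sed 's/.*=== *//')
    echo "up $local_ts $remote_ts"
}

# conf_check CONF_TEXT
# Returns 0 when every setting this guide requires is present anywhere in the
# text (conn %default or conn home); otherwise prints the missing ones.
conf_check() {
    conf=$1; missing=""
    for kv in keyexchange=ikev1 modeconfig=pull leftsourceip=%config leftauth2=xauth; do
        printf '%s\n' "$conf" | grep -q "^[[:space:]]*${kv}[[:space:]]*$" \
            || missing="$missing $kv"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Live use on the Ubuntu client: tunnel_state home "$(ipsec status)"
tunnel_state home "$SAMPLE_STATUS"
```

On the client itself, `conf_check "$(cat /etc/ipsec.conf)"` lists any of the four required settings that are absent.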

