Header Navigation

Monday, July 18, 2016

Learning how build IPSec site-to-site VPN with Strongswan

1. Overview

If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.
- The Art of War, Sun Tzu

Information security is important thing in internet nowadays, when you deliver information over internet. It has a lot of possibility tapped, changed, or others harmful things. There are a lot of way to secure your information that delivered, using secure application that encrypted from client apps to server apps. Or securing your traffic in IP network level that we called IP Security or IPSec.


1.1 IPSec Overview

1.1.1 System Overview

Secure Network was defined in RFC 1636 - Security in the Internet Architecture, this accomplished to prevent unauthorized monitoring and control of traffic and also to secure end-user-to-end-user traffic using authentication and encryption mechanism. IP-level Security encompasses three functional area: authentication, encryption due confidentially, and key management. The authentication has responsibility to ensure the "sender" and “receiver” has a right to transmitted and received packet. Encryption make sure the packet keep secure and prevent to eavesdropping by third party. And the last is key management that concerned for secure key exchange.
Figure 1 - Top Level IPSec Processing Model
IPSec create boundary between protected and unprotected network. Traffic traversing the boundary is a subject to access controls that specified by user or administrator responsible for IPSec configuration. From the control, the traffic maybe cross the boundary with afforded security services via AH or ESP, or are discarded.

1.1.2 IPSec Policy

Fundamental of IPSec service is the concept of security policy that determined by two database. Those are, Security Policy Database (SPD), and Security Association Database (SAD). This policy applied to each IP packet that transit from a source to a destination.

  1. Security Association
    Security Association is a key concept to both node exchange information about authentication and encryption mechanism. An association is a one-way logical connection between a sender and a receiver that affords security services to the traffic carried on it
    Figure 2- IPSec Architecture
    There are three parameter that identify the security association:
    1. Security Parameters Index (SPI), bit string carry IPSec protocol header information to enable receiving system to select packet that will be received
    2. IP Destination Address, the endpoint address of IPSec
    3. Security Protocol Identifier, this field from the outer IP header indicates whether the association is an AH or ESP security association
  2. Security Association Database
    In each IPsec implementation, there is a nominal Security Association Database that defines the parameters associated with each SA. This database stored a parameter to build IKE SA and IPSec SA. Below the parameter in an SAD entry:
    1. Security Parameter Index: A 32-bit value selected by the receiving end of an SA to uniquely identify the SA
    2. Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in IPSec Protocol headers.
    3. Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA
    4. Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay
    5. AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with AH
    6. ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP implementations).
    7. Lifetime of this Security Association: A time interval or byte count after which an SA must be replaced with a new SA (and new SPI) or terminated, plus an indication of which of these actions should occur
    8. IPsec Protocol Mode: Tunnel, transport, or wildcard
    9. Path MTU: Any observed path maximum transmission unit (maximum size of a packet that can be transmitted without fragmentation) and aging variables
  3. Security Policy Database
    Security policy stores the IP traffic that related to specific SA, it means SPD contains the entries, each entry defines a subset of IP traffic and points to an SA for that traffic. Each SPD entry is defined by IP and upper-layer protocol field values, called selector. These selector is used to filter outgoing traffic in order to map it in to a particular SA. The following selectors determine an SPD entry:
    1. Remote IP Address: This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address for remote private network
    2. Local IP Address: This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address for local private network
    3. Next Layer Protocol: The IP protocol header (IPv4, IPv6, or IPv6 Extension) includes a field (Protocol for IPv4, Next Header for IPv6 or IPv6 Extension) that designates the protocol operating over IP
    4. Name: A user identifier from the operating system. This is not a field in the IP or upper-layer headers but is available if IPsec is running on the same operating system as the user.
    5. Local and Remote Ports: These may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port.

1.1.3 IPSec Protocol

IPSec using protocol Authentication Header (AH), and Encapsulation Security Payload (ESP), to provide traffic security services. Both protocols are described in detail in their respective RFCs [4303, 4302]. The IP Authentication Header (AH) offers integrity and data origin authentication, with optional (at the discretion of the receiver) anti-replay features. The Encapsulating Security Payload (ESP) protocol offers the same set of services, and also offers confidentiality. ESP can work with a variety of encryption and authentication algorithms, including authenticated encryption algorithms such as GCM. Both AH and ESP offer access control, enforced through the distribution of cryptographic keys and the management of traffic flows as dictated by the Security Policy Database.
Commonly, ESP using in Virtual Private Network or underlay network context, and we will focus with this protocol than Authentication Header. Because in service provider network, we often meet this kind of protocol.
Figure 3 - Top-Level Format of an ESP Packet

ESP Protocol header contains the following fields:

  • Security Parameters Index (32 bits): Identifies a security association.
  • Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function, as discussed for AH.
  • Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
  • Padding (0–255 bytes): The purpose of this field is discussed later.
  • Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
  • Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload (for example, an extension header in IPv6, or an upper-layer protocol such as TCP).
  • Integrity Check Value (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.

1.1.4 Transport Mode VS Tunnel Mode

Security Association (SA) can be configured two mode IPSec operation, they are Tunnel mode or Transport mode. Transport mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet. Typically, transport mode is used for end-to-end communication between two hosts (e.g., a client and a server, or two workstations). When a host runs AH or ESP over IPv4, the payload is the data that normally follow the IP header. ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header
Figure 4 - ESP Transport mode Data-gram
Tunnel mode provides protection to the entire IP packet. To achieve this, after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of new outer IP packet with a new outer IP header. With tunnel mode, a number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec. The unprotected packets generated by such hosts are tunneled through external networks by tunnel mode SAs set up by the IPsec software in the firewall or secure router at the boundary of the local network
Figure 5 - ESP Tunnel mode Data-gram
Figure 6 - Tunnel Mode and Transport Mode Functionality
From this information, we can mapping the pros and cons from each mode, like below:
  • Transport mode
    • Pros
      • Provides End to End security
      • Lower overhead than tunnel mode
      • Larger MTU
      • Negotiation of connection-specific selectors is common practice
    • Cons
      • Requires IPsec to be implemented on the IPS entities
      • Greater difficulties with NAT traversal (TCP checksum invalidation)
  • Tunnel mode
    • Pros
      • More compatible with existing VPN gateways
      • Don’t have to implement IPsec on the IPS entity
      • Easier to traverse NATs
    • Cons 
      • More overhead
      • Smaller MTU
      • Secure operation within IPS scenarios would require negotiation of connection-specific selectors – not current practice
      • For hosts with dynamically assigned addresses (iSCSI), interoperability is poor
      • Existing implementations typically utilize proprietary extensions for configuration (mode config) or authentication (XAUTH)
      • To avoid normative references to proprietary protocols, iSCSI and IPS security drafts would need to cite draft-ietf-ipsec-dhcp-13.txt for config and possibly draft-ietf-ipsra-pic-04.txt – which adds significantly complexity

1.1.5 IP Traffic Processing

IPSec is executed on a packet on packet-by-packet basis. When IPSec implemented, each outbound packet is processed by IPSec logic before transmission. The Packet that sent must be consulted with the Security Policy Database (SPD) (or associated caches). If no policy is found in the SPD that matches a packet (for either inbound or outbound traffic), the packet MUST be discarded, vice versa.
Figure 7 - Processing Model for Outbound Packets
Figure 8 - Processing Model for Inbound Packets

1.1.6 IPSec Implementation and Application Scenario


There are many ways to implement IPSec in host, or conjunction with firewall or router to create security gateway. IPSec may integrated into the native IP stack with access the IP source code. IPSec may in a “bump-in-the-stack” (BITS) implementation, IPsec is implemented "underneath" an existing implementation of an IP protocol stack, between the native IP and the local network drivers. Or "bump-in-the-wire" (BITW) implementation. Where IPSec put in inline security protocol processor.
Some Application of IPSec are:
  1. Secure branch office connectivity over the Internet
  2. Secure remote access over the Internet
  3. Establishing extranet and intranet connectivity with partners
  4. Enhancing electronic commerce security
Figure 9 - An IPSec Scenario

1.2 Strongswan Overview

1.2.1 The Open Source IPsec-based VPN Solution

StrongSwan is an Open Source IPsec implementation. It was originally based on the discontinued FreeS/WAN project and the X.509 patch that we developed. In order to have a stable IPsec platform to base the extensions of the X.509 capability on, we decided to launch the strongSwan project in 2005.
Since then a new IKE daemon has been written in a modern object-oriented coding style so that the current code base does not share code with its ancestor anymore. Initially that daemon only supported IKEv2, while IKEv1 was handled by an extended version of FreeS/WAN's Pluto daemon. But because adoption of IKEv2 by other vendors took longer than anticipated support for IKEv1 was added to the new daemon with strongSwan 5.0.0.
StrongSwan originally was designed for Linux, but has since been ported to Android, FreeBSD, Mac OS X, Windows and other platforms. The focus of strongSwan is on:

  1. Simplicity of configuration
  2. Strong encryption and authentication methods
  3. Powerful IPsec policies supporting large and complex VPN networks
  4. Modular design with great expandability

The maintainer of the strongSwan project is Andreas Steffen, who is a professor for security in communications and head of the Institute for Internet Technologies and Applications at the University of Applied Sciences Rapperswil in Switzerland and president of the consulting firm strongSec GmbH.

1.2.2 System Consideration Related deploy in centOS

For lab test, I using CentOS Operating System. There are limitation in system, The CentOS/RHEL repo's only ship Libreswan. Strongswan shipped in EPEL project from fedora. Extra Packages for Enterprise Linux (or EPEL) is a Fedora Special Interest Group that creates, maintains, and manages a high quality set of additional packages for Enterprise Linux, including, but not limited to, Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL), Oracle Linux (OL).
Figure 10 - Epel from Fedora Project

2. Test LAB

2.1 Topology, Interface and Parameter Information

Below the topology that tested in LAB. There are 6 routers. 3 routers as L1 and L2 router and 3 router as L1 router.
Figure 11 - Strongswan Site-to-Site Topology
Below the parameter information:
Figure 12 - Strongswan Parameter

2.2 Pre-deploy Strongswan IPSec using centos 7

Before we use this, let me share how to install it. As information described point 1.2.2, Strongswan need epel repo to run in RHEL/CentOS.

  1. Install epel repository, in this lab, I grab it from kambing.ui.ac.id
    $ yum install http://kambing.ui.ac.id/epel/7/x86_64/e/epel-release-7-6.noarch.rpm
  2. Install strongswan
    $ yum install strongswan
  3. Check the configuration file, strongswan.conf, you free to modify this file depend on your own and concern
    [root@strongswan-achyarnurandidotnet-s1 ~]# cat /etc/strongswan/strongswan.conf
    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files
    
    charon {
            load_modular = yes
            plugins {
                    include strongswan.d/charon/*.conf
            }
    }
    
    include strongswan.d/*.conf
    [root@strongswan-achyarnurandidotnet-s1 ~]#
    

  4. You modify feature or create your code under include strongswan.d/

2.3 IPSec Site-to-Site Configuration


  1. Strongswan-s1
    1. Ipsec.conf
      [root@strongswan-achyarnurandidotnet-s1 ~]# cat /etc/strongswan/ipsec.conf
      config setup
      
      conn %default
              ikelifetime=60m
              keylife=20m
              rekeymargin=3m
              keyingtries=1
              keyexchange=ikev1
              authby=secret
      
      conn server1-server2
              left=10.0.2.1
              leftsubnet=192.168.223.0/24
              leftid=@s1.achyarnurandi.net
              ike=aes128-md5-modp1024
              esp=aes128-sha1-modp1024!
              leftfirewall=yes
              right=10.0.2.2
              rightsubnet=192.168.222.0/24
              rightid=@s2.achyarnurandi.net
              auto=start
      
      [root@strongswan-achyarnurandidotnet-s1 ~]#
    2. In strongswan, Pre-Shared Key is created in ipsec.secrets file.
      [root@strongswan-achyarnurandidotnet-s1 ~]# cat /etc/strongswan/ipsec.secrets
      # ipsec.secrets - strongSwan IPsec secrets file
      
      @s1.achyarnurandi.net @s2.achyarnurandi.net : PSK 3k1Eb0el4d
      
      
      [root@strongswan-achyarnurandidotnet-s1 ~]#
  2. Strongswan-s2
    1. Ipsec.conf
      [root@strongswan-achyarnurandidotnet-s2 ~]# cat /etc/strongswan/ipsec.conf
      config setup
      
      conn %default
              ikelifetime=60m
              keylife=20m
              rekeymargin=3m
              keyingtries=1
              keyexchange=ikev1
              authby=secret
      
      conn server2-server1
              left=10.0.2.2
              leftsubnet=192.168.222.0/24
              leftid=@s2.achyarnurandi.net
              ike=aes128-md5-modp1024
              esp=aes128-sha1-modp1024!
              leftfirewall=yes
              right=10.0.2.1
              rightsubnet=192.168.223.0/24
              rightid=@s1.achyarnurandi.net
              auto=start
      [root@strongswan-achyarnurandidotnet-s2 ~]
    2. Creat ipsec.secrets file and add your secreet in it.
      [root@strongswan-achyarnurandidotnet-s2 ~]# cat /etc/strongswan/ipsec.secrets
      # ipsec.secrets - strongSwan IPsec secrets file
      
      @s1.achyarnurandi.net @s2.achyarnurandi.net : PSK 3k1Eb0el4d
      
      [root@strongswan-achyarnurandidotnet-s2 ~]#
      

  3. Enabling IP forwarding in CentOS, we need it because strongswan put the ip traffic processing in different ip rule show in operating system. 
    1. Check your operating system ip forwarding
      $ sysctl net.ipv4.ip_forward
    2. If the value = 1, is done for you. But the value = 0, you should change the value in /etc/sysctl.conf, add the parameter net.ipv4.ip_forward=1
      $ net.ipv4.ip_forward=1
    3. Restart your network, then verify again
      $ sysctl restart network

2.4 Validation

After configuration, do restart in each server with command #strongswan restart, then do verify in each server like below:
    1. Make sure endpoint is reachable with do look at  ip route-table and ping test
      [root@strongswan-achyarnurandidotnet-s1 ~]# ip route
      10.0.2.0/30 dev enp0s8  proto kernel  scope link  src 10.0.2.1  metric 100
      192.168.223.0/24 dev enp0s3  proto kernel  scope link  src 192.168.223.101  metric 100
      [root@strongswan-achyarnurandidotnet-s1 ~]# ping 10.0.2.2 -c 5
      PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
      64 bytes from 10.0.2.2: icmp_seq=1 ttl=64 time=0.910 ms
      64 bytes from 10.0.2.2: icmp_seq=2 ttl=64 time=0.575 ms
      64 bytes from 10.0.2.2: icmp_seq=3 ttl=64 time=0.584 ms
      64 bytes from 10.0.2.2: icmp_seq=4 ttl=64 time=0.429 ms
      64 bytes from 10.0.2.2: icmp_seq=5 ttl=64 time=0.635 ms
      
      --- 10.0.2.2 ping statistics ---
      5 packets transmitted, 5 received, 0% packet loss, time 4003ms
      rtt min/avg/max/mdev = 0.429/0.626/0.910/0.159 ms
      [root@strongswan-achyarnurandidotnet-s1 ~]#
    2. Check strongswan status, make sure the auth and enc algorithm that ike and esp using is correct with parameter is defined (look at table parameter in point 2.1)
      [root@strongswan-achyarnurandidotnet-s1 ~]# strongswan statusall
      Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.0-327.18.2.el7.x86_64, x86_64):
        uptime: 16 minutes, since Jun 04 22:25:38 2016
        malloc: sbrk 1593344, mmap 0, used 468576, free 1124768
        worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
        loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
      Listening IP addresses:
        192.168.223.101
        10.0.2.1
      Connections:
      server1-server2:  10.0.2.1...10.0.2.2  IKEv1
      server1-server2:   local:  [s1.achyarnurandi.net] uses pre-shared key authentication
      server1-server2:   remote: [s2.achyarnurandi.net] uses pre-shared key authentication
      server1-server2:   child:  192.168.223.0/24 === 192.168.222.0/24 TUNNEL
      Security Associations (1 up, 0 connecting):
      server1-server2[1]: ESTABLISHED 16 minutes ago, 10.0.2.1[s1.achyarnurandi.net]...10.0.2.2[s2.achyarnurandi.net]
      server1-server2[1]: IKEv1 SPIs: 6e2171a515d98589_i* 42aba19a2981ae27_r, pre-shared key reauthentication in 37 minutes
      server1-server2[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      server1-server2{1}:  REKEYED, TUNNEL, reqid 1, expires in 3 minutes
      server1-server2{1}:   192.168.223.0/24 === 192.168.222.0/24
      server1-server2{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7e583a1_i cded3be7_o
      server1-server2{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
      server1-server2{4}:   192.168.223.0/24 === 192.168.222.0/24
      server1-server2{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c32ac819_i c0d3e391_o
      server1-server2{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes
      server1-server2{3}:   192.168.223.0/24 === 192.168.222.0/24
      [root@strongswan-achyarnurandidotnet-s1 ~]#
      
    3. Strongswan reserved kernel routing in 220 routing database, each strongswan ipsec established, route mapping will install in this Routing Database. After establish information. Check the route was installed and do ping test.
      [root@strongswan-achyarnurandidotnet-s1 ~]# ip route list table 220
      192.168.222.0/24 via 10.0.2.2 dev enp0s8  proto static  src 192.168.223.101
      [root@strongswan-achyarnurandidotnet-s1 ~]# ping 192.168.222.101 -c 5
      PING 192.168.222.101 (192.168.222.101) 56(84) bytes of data.
      64 bytes from 192.168.222.101: icmp_seq=1 ttl=64 time=0.804 ms
      64 bytes from 192.168.222.101: icmp_seq=2 ttl=64 time=0.801 ms
      64 bytes from 192.168.222.101: icmp_seq=3 ttl=64 time=0.822 ms
      64 bytes from 192.168.222.101: icmp_seq=4 ttl=64 time=0.849 ms
      64 bytes from 192.168.222.101: icmp_seq=5 ttl=64 time=0.693 ms
      
      --- 192.168.222.101 ping statistics ---
      5 packets transmitted, 5 received, 0% packet loss, time 4007ms
      rtt min/avg/max/mdev = 0.693/0.793/0.849/0.064 ms
      [root@strongswan-achyarnurandidotnet-s1 ~]#
      
    4. Verify the ipsec datagram using xrfm, xfrm is an IP framework which can transform the format datagram. Make sure the enc and auth suitable. And make sure the private network Subnet installed in this policy
      [root@strongswan-achyarnurandidotnet-s1 ~]# ip -s xfrm state
      src 10.0.2.1 dst 10.0.2.2
              proto esp spi 0xc4d97574(3302585716) reqid 1(0x00000001) mode tunnel
              replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
              auth-trunc hmac(sha1) 0x53b9e69ac7322ff9babd8ec2d26ee27acea23c51 (160 bits) 96
              enc cbc(aes) 0xcac265f99341cc66d5313984ad77e6a3 (128 bits)
              lifetime config:
                limit: soft (INF)(bytes), hard (INF)(bytes)
                limit: soft (INF)(packets), hard (INF)(packets)
                expire add: soft 839(sec), hard 1200(sec)
                expire use: soft 0(sec), hard 0(sec)
              lifetime current:
                1344(bytes), 16(packets)
                add 2016-05-30 12:03:36 use 2016-05-30 12:04:43
              stats:
                replay-window 0 replay 0 failed 0
      src 10.0.2.2 dst 10.0.2.1
              proto esp spi 0xccbee1c2(3435061698) reqid 1(0x00000001) mode tunnel
              replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
              auth-trunc hmac(sha1) 0xc8f0318dd8dca4e0a00d3b83b3f30cb1dfd2a15f (160 bits) 96
              enc cbc(aes) 0x37f0f5ea3a534c7b473c58bf3f30b731 (128 bits)
              lifetime config:
                limit: soft (INF)(bytes), hard (INF)(bytes)
                limit: soft (INF)(packets), hard (INF)(packets)
                expire add: soft 984(sec), hard 1200(sec)
                expire use: soft 0(sec), hard 0(sec)
              lifetime current:
                1344(bytes), 16(packets)
                add 2016-05-30 12:03:36 use 2016-05-30 12:04:43
              stats:
                replay-window 0 replay 0 failed 0
      src 10.0.2.1 dst 10.0.2.2
              proto esp spi 0xc7fcdba6(3355237286) reqid 1(0x00000001) mode tunnel
              replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
              auth-trunc hmac(sha1) 0xa5d7c83318aa3fb840e3799c91e212a37e6ff40c (160 bits) 96
              enc cbc(aes) 0x5a16b956d6604c2ea8a9d8fd7ab07bae (128 bits)
              lifetime config:
                limit: soft (INF)(bytes), hard (INF)(bytes)
                limit: soft (INF)(packets), hard (INF)(packets)
                expire add: soft 881(sec), hard 1200(sec)
                expire use: soft 0(sec), hard 0(sec)
              lifetime current:
                0(bytes), 0(packets)
                add 2016-05-30 12:03:29 use -
              stats:
                replay-window 0 replay 0 failed 0
      src 10.0.2.2 dst 10.0.2.1
              proto esp spi 0xc8f11738(3371243320) reqid 1(0x00000001) mode tunnel
              replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
              auth-trunc hmac(sha1) 0x349bacecb19c8fb80b4ce51a32c416afc4b1fb74 (160 bits) 96
              enc cbc(aes) 0xb97240c8de4a23fc274a3d5a66d4dd8b (128 bits)
              lifetime config:
                limit: soft (INF)(bytes), hard (INF)(bytes)
                limit: soft (INF)(packets), hard (INF)(packets)
                expire add: soft 988(sec), hard 1200(sec)
                expire use: soft 0(sec), hard 0(sec)
              lifetime current:
                0(bytes), 0(packets)
                add 2016-05-30 12:03:29 use -
              stats:
                replay-window 0 replay 0 failed 0
      [root@strongswan-achyarnurandidotnet-s1 ~]#
      
Below documentation video about this lab:

3. Reference

  1. Fedoraproject. EPEL. https://fedoraproject.org/wiki/EPEL  (Accessed: 21 February 2016)
  2. IETF. 2001. Draft-ietf-ips-security-06.txt. https://www.ietf.org/proceedings/52/slides/ips-1/sld005.htm  (Accessed: 2 June 2016)
  3. Linux foundation. iproute2. http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2  (Accessed: 21 March 2016)
  4. R. Braden, C. Huitema, D. Clark, S. Crocker. 1994. Report of IAB Workshop on Security in the Internet Architecture. IETF
  5. S. Kent, K. Seo. 2005. RFC 4301 - Security Architecture for the Internet Protocol. IETF
  6. SS64. ip xfrm. http://ss64.com/bash/ip-xfrm.html  (Accessed: 20 May 2016)
  7. Stallings, William. 2011. Network Security Essentials: Applications and Standards. 4th ed. New Jersey: Pearson Education, Inc
  8. Strongswan. About Strongswan. https://www.strongswan.org/about.html (Accessed: 2 January 2016)
  9. Strongswan. Strongswan IKEv1 Cipher Suites. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites . (Accessed: 2 January 2016)

65 comments:

  1. Updating with the latest technology and implementing it is the only way to survive in our niche. Thanks for making me this article. You have done a great job by sharing this content in here. Keep writing article like this.
    SAS Training in Chennai | SAS Course in Chennai

    ReplyDelete
  2. The strategy you have posted on this technology helped me to get into the next level and had lot of information in it. The python programming language is very popular and most widely used.
    Python Training in Chennai | Python Course in Chennai

    ReplyDelete
  3. Thanks for sharing this unique and informative content which provided me the required information.
    Java Training in Chennai | JAVA Course in Chennai

    ReplyDelete
  4. i have tried your tutorial, but i failed. Is it be apply for ipv6 based network? or
    could you make a tutorial for strongswan with site-to-site ipv6 based network?
    thanks before.

    ReplyDelete
    Replies
    1. What knind of operating system do you use?
      Thank you for comments, I will try to make IPv6 site-to-site test

      Delete
    2. i'm using CentOS 6.8.
      could you make it with CA authentication?
      thanks before :)

      Delete
  5. Thanks for sharing the information about the java and keep updating us.
    JAVA Training in Chennai

    Best JAVA Training in Chennai

    ReplyDelete
  6. Thanks for your informative post on Java application development. This open source platform assists software developers to create stunning mobile application with ease. Further, they can make use of this platform at free of cost. Best Java Training in Chennai | Best JAVA Course in Chennai|JAVA Training

    ReplyDelete
  7. Day by day I am getting new things and learn new concept through your blogs, I feel very confident, thanks for your informative blog keep your post as updated one...
    Hadoop Training in Chennai|Big Data Training in Chennai|Big Data Training

    ReplyDelete
  8. Hi Dude,
    Awesome Post!!! With unique content, I really get interest to read this post. I hope this article help many of them who looking this pretty information.
    Regards,
    cloud computing training chennai|cloud computing training centers in chennai

    ReplyDelete
  9. Thanks for taking the time to discuss that, I feel strongly about this and so really like getting to know more on this kind of field. Do you mind updating your blog post with additional insight? It should be really useful for all of us. vpn

    ReplyDelete
  10. Nowadays, most of the businesses rely on cloud based CRM tool to power their business process. They want to access the business from anywhere and anytime. In such scenarios, salesforce CRM will ensure massive advantage to the business owners. Salesforce Training | Salesforce Training in Chennai

    ReplyDelete
  11. Cost-effective templatized interactivities and self-contained learning objects are two of the major attributes of K-12 content development. Besides, Interactive White Board (IWB) based applications are developed by companies.
    free learning

    ReplyDelete
  12. really you have posted an informative blog. it will be really helpful to many peoples. thank you for sharing this blog.
    java training in chennai

    ReplyDelete
  13. This comment has been removed by the author.

    ReplyDelete
  14. Strongswan VPN seems good though I didn't use if for a while. But after reading this article I'm so much interested to use this. Though I knew about VPN connection from here: https://www.vpnsrus.com/netflix-proxy-error-fix/. BTW thanks for sharing this great article with codes. Hope this codes will work properly.

    ReplyDelete
  15. There are so many useful information in your post, I like it all the time. And I want to share this boost app ranking with you, you can take a look. This is very useful.

    ReplyDelete
  16. Needed to compose you a very little word to thank you yet again regarding the nice suggestions you’ve contributed here.

    java training in bangalore

    ReplyDelete
  17. Thank you a lot for providing individuals with a very spectacular possibility to read critical reviews from this site.
    data-science-training-in-bangalore

    ReplyDelete
  18. Your very own commitment to getting the message throughout came to be rather powerful and have consistently enabled employees just like me to arrive at their desired goals.
    big data training in Chennai

    ReplyDelete
  19. I have to voice my passion for your kindness giving support to those
    people that should have guidance on this important matter.

    java training in chennai



    java training in bangalore

    ReplyDelete
  20. Thanks for sharing this valuable information to our vision. You have posted a trust worthy blog keep sharing.
    MCA Project Center in Chennai | MCA Project Center in Velachery

    ReplyDelete
  21. I have read your Blog..Its really helpful to us...keep updating such a wonderful article..
    white label website builder

    mobile website builder

    ReplyDelete
  22. This is very educational content and written well for a change. It's nice to see that some people still understand how to write a quality post! vpn services

    ReplyDelete
  23. Thanks a lot very much for the high quality and results-oriented help.
    I won’t think twice to endorse your blog post to anybody who wants
    and needs support about this area.


    white label website builder

    ReplyDelete
  24. With web security treats popping left and right, picking the best VPN benefit is critical With web security treats popping left and right, picking the best VPN benefit is critical in guaranteeing that your business and your own data are not hacked or noxiously conveyed on the web. popcorn time in guaranteeing that your business and your own data are not hacked or noxiously conveyed on the web.

    ReplyDelete
  25. This comment has been removed by the author.

    ReplyDelete
  26. This article goes hand in hand with information on bestvpnrating.com. And it's overwelmed with techical aspects here. You would get much more views if you simplified it a bit.

    ReplyDelete
  27. Nice and informative article.Thanks for sharing such nice article, keep on updating.

    Python Training in Chennai
    Python Training

    ReplyDelete
  28. hi, thank you for the tutorial, but i have a some cases.
    1. i do some testing , i stop strongswan service on one site and wait for a few minutes, when i started strongswan again, the connection between two sites still not established.
    2. some time, the connection is closed by its own, i can not ping from one site to the other site, so i have to restart strongswan service from both sites.

    can you give some tips for this

    ReplyDelete
  29. I think this is a better than average article. You make this data intriguing and locks in. You give perusers a considerable measure to consider and I welcome that sort of composing. visit website

    ReplyDelete
  30. I want to say thanks for beautiful blog sharing with us. Your blog really great resource to update my knowledge. https://prywatnoscwsieci.pl

    ReplyDelete
  31. Awesome post. Really you are shared very informative concept... Thank you for sharing. Keep on updating...

    Guest posting sites
    Education

    ReplyDelete
  32. Awwsome informative blog ,Very good information thanks for sharing such wonderful blog with us ,after long time came across such knowlegeble blog. keep sharing such informative blog with us.
    Airport Ground Staff Training Courses in Chennai | Airport Ground Staff Training in Chennai | Ground Staff Training in Chennai

    ReplyDelete
  33. This comment has been removed by the author.

    ReplyDelete
  34. Nice Article,Great experience for me by reading this info.thanks for sharing the information with us.keep updating your ideas.
    Cloud computing Training in Bangalore
    Cloud computing courses in Anna Nagar
    Cloud Computing Certification Training in T nagar

    ReplyDelete
  35. wow, great, I was wondering how to cure acne naturally. and found your site by google, learned a lot, now i’m a bit clear. I’ve bookmark your site and also add rss. keep us updated. https://privatnostonline.com

    ReplyDelete
  36. Good post but I was wondering if you could write a litte more on this subject? I’d be very thankful if you could elaborate a little bit further. Appreciate it..! lemigliorivpn.com

    ReplyDelete
  37. It literally something that gives you positive vibes.
    Google Ranking Your Site

    ReplyDelete
  38. I have perused a couple of the articles on your site now, and I truly like your style of blogging. I added it to my top choices online journal website list and will be inquiring soon. If it's not too much trouble look at my site also and let me realize what you think. best backlinks

    ReplyDelete
  39. Our services are available in all cities of Minneapolis and its surroundings. We are having years of experience which enabled our customers and clients to trust our services. gizlilikveguvenlik

    ReplyDelete
  40. I'm setting up ipsec site-to-site VPN connection (with pre-shared key auth method). However I'm unsure of the correct values to put in ipsec.conf... andy michael

    ReplyDelete
  41. You have done a great job on this article. It’s very readable and highly intelligent. You have even managed to make it understandable and easy to read. You have some real writing talent. Thank you. https://prywatnoscwsieci.pl

    ReplyDelete
  42. Extremely intriguing online journal. A lot of web journals I see nowadays don't generally give anything that I'm keen on, however I'm most definitely inspired by this one. Recently felt that I would post and let you know. https://diadiktiokaiasfalia.com

    ReplyDelete
  43. Thank you so much for the post you do. I like your post and all you share with us is up to date and quite informative, internetprivatsphare

    ReplyDelete
  44. I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. In fact your creative writing abilities has inspired me to start my own BlogEngine blog now. Really the blogging is spreading its wings rapidly. Your write up is a fine example of it. Netflix VPN

    ReplyDelete
  45. You don't need to be a businessman to require the consolation and security of a VPN. how to find default gateway mac

    ReplyDelete
  46. Moreover,BUSINESS MUT individuals will feel miserable or considerably endure on the off chance that they are in a state more regrettable than others. Along these lines, each individual has a sense to contend.

    ReplyDelete
  47. It is imperative that we read blog post very carefully. I am already done it and find that this post is really amazing. vpnveteran

    ReplyDelete