VPN Strongswan
To establish a VPN connection, you need to fulfill the following:
• Confirm the network terms and conditions
• Your password must not be expired
You can check both in your Settings.
Contents
• 1 Installation
♦ 1.1 Package management with Debian Wheezy and Jessie
♦ 1.2 Compile with Linux Mint (18)
• 2 Configuration
♦ 2.1 Preparation
♦ 2.2 strongswan.conf
♦ 2.3 ipsec.conf
♦ 2.4 ipsec.secrets
• 3 Open / Close the VPN connection
Installation
Please perform only one of the following installation instructions and pay attention to the remarks at the end of each instruction!
Package management with Debian Wheezy and Jessie
Wheezy: Add the following source to /etc/apt/sources.list to get the newest Strongswan version:
deb http://http.debian.net/debian wheezy-backports main
Execute the following commands after this:
apt-get update
apt-get -t wheezy-backports install ca-certificates strongswan libcharon-extra-plugins libstrongswan-extra-plugins libstrongswan-standard-plug
Jessie:
Execute the following commands:
apt-get update
apt-get install ca-certificates strongswan libcharon-extra-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins
Additionally, you need to add the following lines to the init script (/etc/init.d/ipsec):
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
Create links to the following configuration files:
ln -s /etc/strongswan.conf ~/Downloads/strongswan/
ln -s /etc/ipsec.conf ~/Downloads/strongswan/
ln -s /etc/ipsec.secrets ~/Downloads/strongswan/
Compile with Linux Mint (18)
If you want to compile it manually, you need to use the terminal. Open the start menu at the bottom left side, and search for "Terminal" and start it.
Change to the directory of your choice. Here is an example of creating a new directory in "Downloads" and then switching into it.
mkdir ~/Downloads/strongswan
cd ~/Downloads/strongswan/
After you have switched into your strongswan directory, download the newest version of Strongswan (here 5.5.1) and unpack the archive. Use the following commands to perform this:
wget https://download.strongswan.org/strongswan.tar.gz
tar -xzvf strongswan.tar.gz
Your directory should now contain two new elements. Check it with the command "ls". You should see something like this:
Change to the directory of your downloaded version. Switch to "root" to execute the commands with highest authority. Download and install the following packages:
cd strongswan-5.5.1/
sudo su
apt-get install libc-dev-bin libc6-dev libgmp-dev \
libgmpxx4ldbl libcurl3 libcurl4-openssl-dev \
libssl-dev zlib1g-dev
Set important parameters with "./configure ...". These are needed to ensure a correct installation of Strongswan:
./configure --enable-curl --enable-eap-mschapv2 \
--enable-eap-identity --enable-openssl
Compile and install the program finally with:
make
make install
exit
Create links to the following configuration files:
ln -s /usr/local/etc/strongswan.conf ~/Downloads/strongswan/
ln -s /usr/local/etc/ipsec.conf ~/Downloads/strongswan/
ln -s /usr/local/etc/ipsec.secrets ~/Downloads/strongswan/
Please note:
If you no longer require the packages used to compile Strongswan, you can remove them with:
sudo apt-get remove libc-dev-bin libc6-dev libgmp-dev zlib1g-dev \
libcurl4-openssl-dev libssl-dev
It is possible to uninstall Strongswan anytime, as long as the directory in which Strongswan was downloaded (here Downloads/Strongswan) is not deleted. Open the Terminal, change to your Strongswan directory and execute the following command:
make uninstall
This is also needed if you want to upgrade Strongswan to a newer version.
Configuration
After the installation, the following files need to be edited:
~/Downloads/strongswan/strongswan.conf
~/Downloads/strongswan/ipsec.conf
~/Downloads/strongswan/ipsec.secrets
Preparation
If you installed and compiled Strongswan manually, use the following command to create a link to the Deutsche Telekom root certificate:
ln -s /etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem /usr/local/etc/ipsec.d/cacerts/
If you installed Strongswan with your package manager, use this command instead:
ln -s /etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem /etc/ipsec.d/cacerts/
strongswan.conf
Open strongswan.conf with the editor of your choice (nano is used here).
sudo nano ~/Downloads/strongswan/strongswan.conf
This file must only contain the following text:
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-msc
}
Anything else in this file is unnecessary and will sabotage the connection.
ipsec.conf
Open ipsec.conf with the editor of your choice (nano is used here).
sudo nano ~/Downloads/strongswan/ipsec.conf
You must add the following text to the file:
conn hsmw-vpn
keyexchange=ikev2
left=%defaultroute
leftid=%any
leftauth=eap
[email protected]
leftsourceip=%config
leftdns=%config4
leftfirewall=no
right=141.55.128.84
[email protected]
rightsubnet=0.0.0.0/0
rightauth=pubkey
auto=add
Everything else in this file is needed and should not be deleted.
ipsec.secrets
Open ipsec.secrets with the editor of your choice (nano is used here).
sudo nano ~/Downloads/strongswan/ipsec.secrets
You can add the following to this file:
[email protected] : EAP "K3nnw0rt"
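Added example (not part of the original instructions): a shell pre-flight check for the files edited above, covering the clear-text password in ipsec.secrets, the CA certificate link from the Preparation step, and the authentication settings of conn hsmw-vpn. It assumes GNU stat; the function names conn_value and audit_vpn are chosen for this example only.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat (Debian, Mint).
# conn_value and audit_vpn are names chosen for this example.

# Print the value of KEY inside section "conn NAME" of an ipsec.conf file.
conn_value() {  # usage: conn_value FILE NAME KEY
    awk -v name="$2" -v key="$3" '
        # Every section header switches the "inside our conn" flag.
        /^(conn|config|ca)[ \t]/ { inside = ($1 == "conn" && $2 == name); next }
        inside {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (index(line, key "=") == 1) {
                print substr(line, length(key) + 2)
                exit
            }
        }' "$1"
}

# Return 0 only if all checks pass; print one FAIL line per problem.
audit_vpn() {  # usage: audit_vpn IPSEC_CONF IPSEC_SECRETS CA_CERT CONN
    rc=0
    # ipsec.secrets stores the EAP password in clear text: owner access only.
    mode=$(stat -L -c '%a' "$2" 2>/dev/null) || mode=missing
    case "$mode" in
        [0-7]00) ;;
        *) echo "FAIL: $2 has mode $mode, expected 600"; rc=1 ;;
    esac
    # ln -s succeeds even if the target is absent, leaving a dangling link
    # and no CA to validate the gateway certificate (rightauth=pubkey).
    if [ ! -r "$3" ] || [ ! -s "$3" ]; then
        echo "FAIL: CA certificate $3 is missing, empty or a dangling link"; rc=1
    fi
    # Authentication settings this page prescribes for the connection.
    for want in keyexchange=ikev2 leftauth=eap rightauth=pubkey; do
        key=${want%%=*}
        got=$(conn_value "$1" "$4" "$key" 2>/dev/null) || got=
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL: conn $4 has $key='$got', expected '${want#*=}'"; rc=1
        fi
    done
    return $rc
}

# Package-manager paths from this page (use /usr/local/etc/... when compiled):
# audit_vpn /etc/ipsec.conf /etc/ipsec.secrets \
#     /etc/ipsec.d/cacerts/Deutsche_Telekom_Root_CA_2.pem hsmw-vpn
```

Run it as root so that ipsec.secrets can be inspected; the -L option makes stat follow the links created in ~/Downloads/strongswan.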
Open / Close the VPN connection
To establish a VPN tunnel, the following command needs to be executed:
ipsec up hsmw-vpn
You can close the VPN tunnel with this command:
ipsec down hsmw-vpn
Reminder: If you installed and compiled strongswan manually, you need to start your ipsec service manually, too. Execute the following command:
ipsec start