
StrongSwan – IPsec VPN for Linux, Android, FreeBSD, Mac OS X, Windows - spaceboy
https://www.strongswan.org/
======
windexh8er
Seeing all the complaints in here of how hard this is to setup brings back
memories. I was the lead consultant on a project between a very large US
retailer and Centrify to build a product called DirectSecure. It's generally
very easy to deploy IPsec policy in a Windows environment via GPO and the
customer wanted that to flow down into their _nix environments. Centrify,
having good hooks in to AD already, was chosen to build a product that did
just the same thing in their _nix environments by consuming IPsec
configuration out of GPO.

While not a sales pitch, and in fact I don't think the product seems to have
sold well anyway, it was very interesting to work with them on the test
harness we built to validate correct IPsec operations, configuration,
validation that data wasn't leaking outside of the SAs that were being
provisioned, and performance via the translated policy. The relatable
component was this was mainly done against StrongSwan implementations of the
IKE daemon if I remember correctly (Linux, AIX and Solaris mainly). I wonder
if any of those bits flowed back upstream or if the bolt-on aspect kept that
from happening.

StrongSwan isn't complex if you are well versed in IPsec implementation as a
whole. It's no more or less complicated than other implementation and is
"better" than TLS in its own right with regard to things that could go wrong.
In static environments it's relatively painless once the learning curve is
overcome.

That being said I feel like IPsec has a badge it will never get rid of and
people discard it before attempting implementation at this point. Hopefully,
as mentioned amongst the comments, things like WireGuard will mature and
become more mainstream. I very much like the concept carry over that both
IPsec and WireGuard can be silent actors within the network not giving away
hosts as things like OpenVPN and SSH do. IPsec can, unfortunately, also be
implemented to squawk at spurious connection attempts - but at least doesn't
rely on the premise as much as things like OpenVPN and SSH do.

And for the record - you can tell someone who's dealt with IPsec extensively
since they won't refer to it as IPSec. o_O Microsoft is notorious for getting
it wrong.

~~~
dguido
For an easier way, try Algo. Algo is a set of Ansible scripts that helps you
deploy a fully functional StrongSwan IPSEC server with the most secure
settings available:

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

It even generates Apple profiles to auto configure your iPhone!

~~~
gmac
I have a simple bash script that does something similar, including the Apple
profile, and also gets you a Let's Encrypt server cert that auto-renews.

[https://github.com/jawj/IKEv2-setup](https://github.com/jawj/IKEv2-setup)

~~~
dguido
Bash is not idempotent, using a public CA has downsides, and MSCHAP has known
weaknesses that make the crypto easier to bruteforce.

~~~
gmac
Right. On the other hand, a Bash script has a low barrier to entry, it's handy
not to have to install certificates on the client, and the highest possible
security is not always top priority (if, for example, you're just trying to
evade your government's illiberal bulk domain/IP address collection policies).
Swings and roundabouts, I'd say.

------
tamalsaha001
We use Strongswan to secure host to host connections using pre-shared key when
setting up Kubernetes clusters in simple VPS providers like DigitalOcean. This
is important since DO, Linode etc. do not provide a private network. Flannel
works with it transparently to provide a Kubernetes-aware ip network.

You can see our work here:
[https://github.com/appscode/swanc](https://github.com/appscode/swanc)

~~~
justinsaccount
That's pretty cool. I've considered doing things like that to set up a secure
overlay network to lock down a 'sort of' private l2 network.

Any reason you didn't use weave?

~~~
tamalsaha001
I have never tried Weave. But StrongSwan sets up host to host tunnel using
IKEv2. So, it should probably work with weave. If you find problems, please
let me know in github issues.

~~~
justinsaccount
Ah.. weave has built in encryption, so you would probably use that by itself.

------
falcolas
I've seen this implemented quite usefully in a corporate environment and for
container-container communication; but attempting to set it up for my personal
use was an absolute disaster. A bit over a week spent trying to make it work,
and it never did.

OpenVPN worked just fine, but I could never make StrongSwan work at all. Which
is a shame, I really wanted to have an easy-to-use VPN for my phone and so
forth. Settled on OpenVPN, which worked well enough with the iOS clients.

~~~
terrywang
OpenVPN is SSL VPN, relatively easy to setup, it operates in transport layer.
strongSwan (IPsec) works in layer 3.

To properly install and configure strongSwan, following the tutorials
available over the Internet is not enough. One needs to have basic networking
knowledge (NAT, iptables in particular), good understanding of IPsec protocol
suite (including IKE, AH, ESP), PKI, Linux skills and etc.

This is a good reference but still needs the knowledge mentioned above to get
it to work:
[https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.h...](https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html)

~~~
MichaelGG
OpenVPN isn't really an SSL VPN. In one of the major modes (preshared key),
TLS isn't used at all. In client-server mode, TLS is only used for session
negotiation (keys, options, user/pass) and the rest goes over their own
protocol and doesn't use TLS at all. And even then it isn't TLS over TCP
directly, but TLS over OpenVPN's own protocol.

For whatever reason, OpenVPN is way easier to get up and running. Little
knowledge required. UDP overhead is minimal.

t. Recently implemented an OpenVPN client from scratch.

~~~
terrywang
Thanks for pointing out, good insight. Haven't really done a deep dive for
OpenVPN as strongSwan works perfectly fine for pretty much all my use cases.

However, strongSwan (IPsec) is easy to block (e.g. if detected by big brother
- GFW in China) as by default it uses UDP ports 500, 4500, while OpenVPN can
easily disguise as SSL/TLS or anything. In that sense, OpenVPN can be a backup
for IPsec for remote access (fighting censorship).

~~~
MichaelGG
OpenVPN cannot disguise as SSL/TLS - every packet has an OpenVPN header, so it
won't look like, say, an HTTPS connection. And the data packets do not use TLS
at all. It would not take much effort at all to detect that a stream is using
OpenVPN. Every data packet will start with the same few bits regardless of
encryption options used. And the start of a new session has a recognizable
sequence of initial bytes, again, regardless of the options used.

Whether or not firewalls are doing enough DPI to figure this out is another
question.

------
baby
With the 4000 LOC Wireguard
[https://www.wireguard.io/](https://www.wireguard.io/)

what are the incentives to continue using IPsec or Strongswan?

~~~
drdaeman
Because IPSec is natively supported by many OSes out-of-box, while Wireguard
doesn't seem to have even third-party packages for many systems?

~~~
baby
Sure, but if you care about security you won't mind installing it.

~~~
discreditable
WireGuard is not production ready.

> Warning: WireGuard is currently under heavy development, and therefore any
> installation steps here should be considered as experimental. Please do not
> rely on WireGuard at this stage. We are rapidly working toward a first
> release that we will consider secure and ready for widespread usage, but
> that time has not yet come.

[https://www.wireguard.io/install/](https://www.wireguard.io/install/)

------
equalunique
I'd only use StrongSwan if an OpenBSD gateway is not an option. Configuring
IPsec IKEv2 on OpenBSD is very simple.

~~~
kchoudhu
Yeah, I moved over to OpenBSD from FreeBSD because of their no-bullshit
approach to supporting IPSEC -- everything just worked out of the box.

I was thrilled when FreeBSD added IPSEC support in 11-RELEASE, but was less
excited to learn that IPSEC_NAT_T wasn't compiled in, making it impossible to
use strongswan. Oh well, maybe in 11.1 :)

~~~
gonzo
> I was thrilled when FreeBSD added IPSEC support in 11-RELEASE

You're welcome.

------
ratherbefuddled
I set this up a few weeks ago on a linux vps I'm using for dev. IPSEC with
IKEV2 and certificates. Native clients on windows 10 and Ubuntu laptop (needed
a network-manager plugin to be built), and took the shortcut and used the
StrongSwan app on android.

The process was complex and there are things I still don't understand but it
does work and the documentation and examples are quite comprehensive. The only
issue I had with them was they assume a fair amount of familiarity with
subjects that I didn't have. I'm mainly a serverside developer not a network
admin, and whilst I have a vague understanding of how certs work I didn't have
much awareness of VPN protocols or terminology so I had to abuse google pretty
thoroughly.

It took about a day to do and I had to watch logs from server and client to
figure it out, but it was interesting. I'm still pleased with the results and
would recommend the product.

------
Nux
On the subject of VPNs, if people find *swan or Openvpn difficult to get
working, I highly recommend OpenConnect (ocserv); _so_ easy to setup.

It's an open source implementation of the Cisco AnyConnect SSL vpn, works
great and it's compatible with the AnyConnect clients.

~~~
tehno
Any good Ansible (or other) recipes for this? One I found is [0] but can you
point to any others?

[0] [https://github.com/ftao/vpn-deploy-playbook/tree/master/roles/ocserv](https://github.com/ftao/vpn-deploy-playbook/tree/master/roles/ocserv)

~~~
Nux
No idea, sorry. But doing it manually only takes 5 minutes:
[http://www.infradead.org/ocserv/recipes-ocserv-
configuration...](http://www.infradead.org/ocserv/recipes-ocserv-
configuration-basic.html)

------
justinsaccount
One of the reasons ipsec is tricky to understand is it doesn't create virtual
interfaces like most other vpn systems on linux. With something like openvpn
you can run tcpdump on eth0 / tun0 to figure out what is going on. With ipsec
there's no 'ipsec0' interface and the way it works is a little more 'magic'.

------
pYQAJ6Zm
During the past holidays, at my parent’s, I set up some infrastructure to
allow remote management of some network equipment and computers. I used to
employ OpenVPN for this, but I decided to give IPsec a try. Since I have been
learning CentOS, initially I went with RedHat’s suggested option: Libreswan.

I tried and tried, yet couldn’t get it to work. Documentation surely was
lacking for Libreswan. But then I found Strongswan, and after a few more
attempts I managed to set a tunnel as I wanted it. The documentation is much
more complete, and the examples were especially helpful.

I am baffled by the choice made by RedHat, to use Libreswan as their official
IPsec implementation. It gave me a “beta” feel, while Strongswan seems more
solid. Plus the difference regarding documentation is like night and day.

------
terrywang
strongSwan is the best free and open source IPsec implementation available on
Linux, (much better than libreswan...), good documentation, use cases and
examples etc, good quality of code (less bugs - that's what we've found
running it in production for 2+ years with 500+ instances deployed) actively
developed and maintained by a group of passionate developers that know the
stuff well.

Personally I've been using strongSwan since its 5.0.x for remote access -
protect privacy and fight censorship (yes, originally from China where the
infamous GFW is deployed...). The native strongSwan client for Android is also
a killer feature worth mentioning, RSA authentication with X509 certificates
works flawlessly with 1 click ;-)

My company (pre-IPO startup) has been using strongSwan for 2+ years as site-
to-site solution from AWS VPC to on-premises data centres (or other cloud
virtual network), with 500+ instances deployed, track record has proved it
reliable as long as it's properly configured (most outages were caused by AWS
maintenance ;-) The only drawback is that strongSwan currently does NOT have a
mature HA solution but it's shaping up (5.4.0 introduced IKEv2 redirect). We
are currently building a custom HA solution (designed to work in VPC - provide
similar redundancy to AWS VPN but a lot more flexible and controllable) using
strongSwan (have to use route-based as syncing 2 policy based instances are
too hard or impossible).

NOTE: I've seen people mention L2TP, it is obsolete. L2TP does NOT provide
encryption or confidentiality to traffic that passes through it. L2TP/IPsec
encapsulates data twice at layer 2, it has pros and cons. See this (may be
out-dated) -> [https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/](https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/)

IKEv{1,2} + IPsec (ESP) (tunnel mode) with PFS for both ike and esp is
recommended configuration.

As mentioned in another comment: To properly install and configure strongSwan,
following the tutorials available over the Internet is not enough, it requires
good networking knowledge (NAT, iptables in particular), understanding of
IPsec protocol suite (including IKE, AH, ESP), PKI, Linux skills and etc.

A good reference to start with:
[https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.h...](https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html)

~~~
Florin_Andrei
Yup, it's the most actively maintained branch of all the XXXswan projects.

My experience has been that it's trivial to setup for site-to-site IPSec
tunnels using PSK. It's literally install the package, copy a config file from
the docs, start the service, done. I've been using it in scenarios like this
for a while, works great even when the remote ends of the tunnel are something
else (Cisco appliances, AWS VPN endpoints, etc).

I'm a little less sure how to implement it as a VPN endpoint for employees.
There are two main issues here:

1. Having to support a variety of clients (Android, iOS, Mac OS X - perhaps
also Windows and Linux)

2. Doing multifactor authentication in a way that works well

Especially when considering #1 and #2 together, it seems difficult to meet all
demands. How to do multifactor in a way that works with many different
clients? I don't much care what the "factors" are as long as they are "multi".
E.g. certificate + individual password.

If I only had to support, say, user/pass authentication, I think that would be
somewhat easily doable.

Any clues?

~~~
rantam0ct
No idea for #1, but regarding multifactor, I've used Strongswan with Feitian
PKI smartcards. Basically, I have one card that I set up as a CA and use to
sign CSRs for "user" smartcards as well as for the VPN servers. You need to
have your card and PIN to connect. The private keys are stored on the cards -
no PSKs. This is something cool to do if you are cheap. You may be able to do
this with Yubikeys, though I haven't tried this.

[https://wiki.strongswan.org/projects/strongswan/wiki/SmartCa...](https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards)
[https://github.com/OpenSC/OpenSC/wiki/Feitian-PKI-card](https://github.com/OpenSC/OpenSC/wiki/Feitian-PKI-card)

edit:

Some quick and dirty instructions to generate keys/certs that you can use with
a Linux or Android client:

```shell
git clone https://github.com/ramann/smartcard-pki
cd smartcard-pki
git checkout vpn-phone

# Edit etc/vpn_server.conf to use your server's IP address

# You really should generate the VPN server's key & request on the VPN server,
# but this is just to get something working
bash -x <(cat README.md | grep '`' | tr -d '`')

# Move vpn_server_key.pem, ca/signing-ca.crt, certs/vpn_server.crt,
# certs/phone.pem to your VPN server's /etc/ipsec.d/

# Edit your VPN server's /etc/ipsec.conf so that leftcert=vpn_server.crt and
# rightcert=phone.crt

# To set up your Android phone, just import the phone-and-ca.pfx file

# To set up your Linux client (Ubuntu 16.04 in my case), move phone_key.pem,
# ca/signing-ca.crt, certs/vpn_server.crt, and certs/phone.crt to /etc/ipsec.d

# Edit your client's /etc/ipsec.conf so that leftcert=phone.crt and
# rightcert=vpn_server.crt

# To start server: sudo ipsec start

# How to start the Android client should be obvious.

# To start linux client: sudo ipsec start; sudo ipsec up connection_name
```
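Taking the file names from the instructions above, here is an added example (not code from rantam0ct's smartcard-pki repository and not from the strongSwan project) of what the server's and the client's /etc/ipsec.conf and /etc/ipsec.secrets could look like for a certificate-only IKEv2 tunnel; it also uses the PFS-on-both-proposals setting terrywang recommends further up the thread. The server address 203.0.113.10, the virtual IP pool 10.99.0.0/24, the connection names and the cipher proposals are assumptions, not anything the post specifies.

```ini
# ---- server: /etc/ipsec.conf ----
# Added example, not from the post's repository or the strongSwan docs.
# Addresses, connection names and proposals are placeholders/assumptions.
config setup
    # log IKE and config handling at level 1 so a failing client is diagnosable
    charondebug="ike 1, cfg 1"

conn phone
    keyexchange=ikev2
    # an ECDH group in both proposals gives PFS for the IKE SA and the CHILD_SA;
    # the trailing "!" makes these the only proposals strongSwan will accept
    ike=aes256-sha256-ecp256!
    esp=aes256gcm16-ecp256!
    left=203.0.113.10                # server address (placeholder)
    leftcert=vpn_server.crt          # relative name, looked up in /etc/ipsec.d/certs
    leftsubnet=0.0.0.0/0             # route all client traffic through the tunnel
    right=%any                       # clients may connect from any address
    rightcert=phone.crt              # pins exactly this one client certificate
    rightsourceip=10.99.0.0/24       # virtual IP pool for clients (placeholder)
    auto=add                         # load at start, let the client initiate

# ---- server: /etc/ipsec.secrets ----
# a relative key name is resolved under /etc/ipsec.d/private
: RSA vpn_server_key.pem

# ---- client (Ubuntu): /etc/ipsec.conf ----
conn vpn
    keyexchange=ikev2
    ike=aes256-sha256-ecp256!
    esp=aes256gcm16-ecp256!
    left=%defaultroute
    leftcert=phone.crt
    leftsourceip=%config             # accept the virtual IP the server assigns
    right=203.0.113.10
    rightcert=vpn_server.crt         # pins the server certificate
    rightsubnet=0.0.0.0/0
    auto=add                         # bring up with: sudo ipsec up vpn

# ---- client: /etc/ipsec.secrets ----
: RSA phone_key.pem
```

strongSwan resolves relative names in `leftcert`/`rightcert` under /etc/ipsec.d/certs, CA certificates under /etc/ipsec.d/cacerts and private keys under /etc/ipsec.d/private, so either put the files there instead of directly in /etc/ipsec.d, or use absolute paths. With no `leftid`/`rightid` given, each side's identity defaults to its certificate's subject DN, which is what the peer's pinned `rightcert` is checked against. After `sudo ipsec start` on both ends and `sudo ipsec up vpn` on the client, `ipsec statusall` should report the IKE_SA as ESTABLISHED and the CHILD_SA as INSTALLED; since strongSwan installs kernel policies rather than creating an interface, `ip xfrm policy` and `ip xfrm state` are where to confirm the tunnel really exists. `rightcert` on the server admits a single client certificate; to admit every card issued by the signing CA, replace it with `rightca` set to that CA's DN.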

------
shawkinaw
It is indeed a bit of a pain to set up properly, but it can be done, I have a
droplet running it 24/7 and have no problems connecting to it from Apple
devices. Here are some helpful guides for setting up:

[https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/](https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/)

[http://www.jfcarter.net/~jimc/documents/strongswan-1308.html](http://www.jfcarter.net/~jimc/documents/strongswan-1308.html)

~~~
ratherbefuddled
Both of these were immensely helpful resources to me when I did this last
month.

------
dkhenry
When I was looking to replace my OpenVPN server for a cloud based VPN one
thing I wanted was to use the OS native VPN solution. Everything pointed me to
L2TP/IPSec, I am wondering why I would choose IKEv2 over that.

~~~
teilo
First off, IKEv2 _is_ IPSec. IPSec tunnels are either IKEv1 or IKEv2.

The advantages:

* It has a streamlined/faster key negotiation protocol. IKEv2 tunnels can be established in a fraction of the time it takes for IKEv1 negotiation, especially when negotiating multiple SAs.

* More robust integrity algorithms which can detect and re-establish a tunnel faster.

* It supports EAP, so in client/server mode (vs. tunnel mode) you can attach it to an AAA server to assign IP addresses and do user authentication, making L2TP and shared secrets unnecessary. (Note that when using IKEv2 for IPSec tunnels, one still must use either a shared secret or certificates for authentication.)

------
fulafel
Anyone knows if Docker is using IPsec in some interoperable mode? They say
here that they are using IPsec:
[https://docs.docker.com/engine/userguide/networking/overlay-security-model/](https://docs.docker.com/engine/userguide/networking/overlay-security-model/)

------
1_player
StrongSwan is a real powerhorse, even though a bit of a b*tch to configure to
work out-of-the-box on most platforms. The documentation is scarce and the
wiki was a bit out of date IIRC.

I'm using it on my VPS, with my Mac as a client to bypass the UK big brother,
and on Android to bypass tethering blocks (in conjunction with the Tether app)

~~~
Florin_Andrei
For site-to-site PSK tunnels it's really trivial to setup. Just install the
package, copy/paste a config from the docs, add the PSK on both sides, and
start the service. Wham, bam, thank you ma'am, you're done.

~~~
nikanj
And if it doesn't work, there's plenty of forum posts available listing the
same symptoms. No solutions usually, but at least you're not suffering alone!

------
klinquist
This works great for me to connect my Meraki MX-series firewall into my AWS
VPC.

------
post_break
I could never get this to work. Tried for quite a while and just gave up.

------
more_corn
Good luck getting 2fa working

~~~
mwj
What are you using for 2fa?

------
peterposter
This seems great, but what would I actually use this for?

e: Everybody says that using a VPN is a "good thing" but I honestly can't find
a use for one in my day-to-day.

~~~
ktta
You really don't have to worry about all this if you're asking.

Most people use VPN for security purposes. Now, when I mention security,
there's various kinds. It can vary from hiding from state-attackers, to not
wanting to be surveilled, to just torrenting stuff to avoiding a nasty letter
from your ISP.

If you have nothing to worry about in the last paragraph, then the other case
is organisational policies or accessibility. Routing all client traffic
through a company's server because some companies' internal servers only allow
requests from whitelisted IPs and drop all other packets. Of course, as a
consumer/employee this is not something you have to worry about but it is
something for sysadmins, and/or the security person who makes decisions at a
company. And looks like there are a few of those in this thread. Hence all
these discussions.

If you want to get into using VPNs, I'd suggest getting a server online first,
something from digital ocean, AWS or Gcloud. If you want something super
cheap, I suggest OVH's VPS. And the best tutorials in my opinion are from
Digital Ocean[1]. If you only know how to use Ubuntu, here's[2] what you want.

[1]:[https://www.digitalocean.com/community/tags/vpn?type=tutoria...](https://www.digitalocean.com/community/tags/vpn?type=tutorials)

[2]: [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04)

~~~
thelittleone
Here is a nice tutorial for getting the excellent Streisand privacy server up
and running on Digital Ocean.

[http://jerrygamblin.com/2016/07/10/the-vpn-you-should-be-using/](http://jerrygamblin.com/2016/07/10/the-vpn-you-should-be-using/)

