EDIT: I've updated this with the tutorial from Google, using the updown script on strongswan:
https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan
The VPN is between:
- localsite.domain.com
  Debian Buster with strongswan 5.7.2-1
- remotesite.domain.com
  Fortigate 6.2.3
Important:
This will not work if the kernel was not built with CONFIG_NET_IPVTI (the ip_vti module), which provides the "mode vti" tunnels used below; on Debian the option is listed in /boot/config-<kernel version>.
On OVH you have to upgrade to Debian Buster, which ships kernel 4.19 (as of this writing).
Create a PKI:
CA.crt      the CA certificate, trusted by both sides
local.crt   certificate of localsite (the strongswan host), issued by the CA
local.pem   private key for local.crt
remote.crt  certificate of remotesite (the Fortigate), issued by the CA; its private key stays on the Fortigate
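As an added example (not from the original post), the following script builds exactly these four files with openssl. The organisation, CA name, key sizes and validity periods are assumptions; strongswan's own "pki" tool would produce the same result. Each end-entity certificate gets a subjectAltName with its FQDN and the serverAuth/clientAuth EKU pair, which is what IKE peers usually expect:

```shell
#!/bin/sh
# Added example: build CA.crt, local.crt/local.pem and remote.crt with openssl.
# Assumed values (not from the post): O=domain.com, CA name, rsa:3072, lifetimes.
set -eu

# Issue one end-entity certificate signed by the CA in $1.
#   $1 = directory, $2 = file basename (local/remote), $3 = FQDN for CN and SAN
issue_cert() {
    dir=$1; name=$2; fqdn=$3
    # SAN lets the peer match the FQDN as an IKE identity; the EKU pair is
    # what most IKE implementations (Fortigate included) accept.
    cat > "$dir/$name.ext" <<EOF
subjectAltName = DNS:$fqdn
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
EOF
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$dir/$name.pem" -out "$dir/$name.csr" \
        -subj "/O=domain.com/CN=$fqdn" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -CAcreateserial -days 730 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.pem"      # unencrypted key, as ": RSA local.pem" expects
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# Build the whole PKI in $1. Keep CA.key offline; only CA.crt goes to the VPN hosts.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = domain.com
CN = domain.com VPN CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:3072 -nodes -days 3650 -sha256 \
        -config "$dir/ca.cnf" -keyout "$dir/CA.key" -out "$dir/CA.crt" 2>/dev/null
    chmod 600 "$dir/CA.key"
    issue_cert "$dir" local  localsite.domain.com
    issue_cert "$dir" remote remotesite.domain.com
    rm -f "$dir/ca.cnf"
}

# Chain check: both leaf certificates must validate against CA.crt.
verify_pki() {
    dir=$1
    openssl verify -CAfile "$dir/CA.crt" "$dir/local.crt" "$dir/remote.crt" >/dev/null
}

# Subject DN of a certificate (RFC 2253 order). For the exact string strongswan
# expects in rightid= use the subject line printed by 'ipsec listcerts'.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Usage: ./mkpki.sh ./pki
if [ "${1:-}" ]; then
    make_pki "$1"
    verify_pki "$1" && echo "chain OK"
    echo "remote.crt subject (rightid on strongswan): $(subject_dn "$1/remote.crt")"
    echo "local.crt subject (peer subject on Fortigate): $(subject_dn "$1/local.crt")"
fi
```

Copy local.crt and remote.crt to /etc/ipsec.d/certs, local.pem to /etc/ipsec.d/private and CA.crt to /etc/ipsec.d/cacerts; remote.pem and its certificate go to the Fortigate.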
Configure IPsec:
/etc/ipsec.conf (parameters under a section must be indented, as below)
config setup
    #charondebug="ike 3, net 2, esp 2, chd 2, pts 3, cfg 0, asn 0"
    uniqueids=yes
    # no CRL check: a revoked peer certificate is still accepted; acceptable for a private CA where you control both certificates
    strictcrlpolicy=no

conn %default
    # keyexchange=ikev2 is the default in strongswan 5.x
    # always UDP-encapsulate ESP (port 4500), in case something on the path drops IP protocol 50
    forceencaps=yes
    ike=aes256-sha256-modp2048!
    ikelifetime=24h
    # lifetime=43200s # CHILD_SA lifetime, default is 1h (matches keylifeseconds 3600 on the Fortigate)
    # first proposal is AES-CBC with HMAC-SHA256, second is AES-GCM (an AEAD needs no integrity algorithm);
    # both carry modp2048 so PFS is offered with either one
    esp=aes256-sha256-modp2048,aes256gcm128-modp2048
    leftauth=pubkey
    rightauth=pubkey
    closeaction=restart

conn homesite
    # local side
    left=localsite.domain.com
    # left|rightcert are looked up in /etc/ipsec.d/certs
    leftcert=local.crt
    # left|rightca take the CA's subject DN, not a file name; the CA file itself lives in /etc/ipsec.d/cacerts
    leftca="<CA subject DN>"
    # leftid is not set: it defaults to the subject DN of leftcert
    leftsubnet=0.0.0.0/0
    # remote side
    right=remotesite.domain.com
    # rightid defaults to the subject DN of rightcert, so it could be omitted; set it explicitly to pin the peer identity
    rightid="<remote site certificate DN>"
    rightcert=remote.crt
    rightca=%same
    rightsubnet=0.0.0.0/0
    # install trap policies at startup; the tunnel comes up on the first packet routed into ipsec0
    auto=route
    # must equal the VTI key below; with 0.0.0.0/0 selectors the mark is what stops the policies from catching all traffic
    mark=42
/etc/ipsec.secrets
# the private key has to be in /etc/ipsec.d/private/
: RSA local.pem
Trust the CA:
cp CA.crt /etc/ipsec.d/cacerts/CA.crt
Check that the certificates are recognized with 'ipsec listcerts' (after 'ipsec rereadall' if charon is already running); 'ipsec listcacerts' should show the CA.
The flag 'has private key' needs to be present for the certificates with a private key provided. The subject line that 'ipsec listcerts' prints for remote.crt is the DN string to use for rightid.
Modify the apparmor profile for charon so it can install the DNS servers provided by the tunnel (only needed when charon receives DNS attributes from the peer, which the route-based site-to-site conn above does not):
I had an issue with apparmor not accepting the DNS settings, as resolv.conf could not be modified under the charon apparmor profile, so add at the bottom of the list, before the } in /etc/apparmor.d/usr.lib.ipsec.charon:
/etc/resolv.conf rwk,
Modify /etc/hosts so that the hostname used for left= resolves to your external IP (strongswan resolves left= to pick the local address it uses):
1.2.3.4 localsite.domain.com
Configure the route-based VPN:
In my case the local side has a static IP. Otherwise, you have to use a script.
/etc/network/interfaces.d/ipsec0.conf
auto ipsec0
iface ipsec0 inet manual
    # key 42 must match mark=42 in ipsec.conf; remote 0.0.0.0 accepts any peer address
    pre-up ip tunnel add ipsec0 local <ip of the localsite> remote 0.0.0.0 mode vti key 42
    up ip link set ipsec0 up
    # inner (tunnel) address; the Fortigate's static route for 10.2.0.0/24 points back at it
    up ip address add 10.2.0.2/24 dev ipsec0
    # LAN behind the Fortigate, reached through the tunnel
    up ip route add 192.168.1.0/24 dev ipsec0 via 10.2.0.1
    # skip the SPD lookup on the VTI, otherwise decrypted packets arriving through it are dropped
    up sysctl -w "net.ipv4.conf.ipsec0.disable_policy=1"
    down ip route del 192.168.1.0/24 dev ipsec0
    down ip address del 10.2.0.2/24 dev ipsec0
    post-down ip tunnel del ipsec0
/etc/strongswan.d/charon.conf (the two options sit inside the charon { } section):
charon {
    # routing is done by the VTI interface above, not by charon
    install_routes = no
    install_virtual_ip = no
}
Check: after 'ipsec restart', 'ip xfrm policy' should list the 0.0.0.0/0 policies with mark 0x2a/0xffffffff; a ping to a host in 192.168.1.0/24 triggers the trap, after which 'ipsec statusall' shows the homesite CHILD_SA as INSTALLED and 'ip -s tunnel show ipsec0' counts the packets.
Fortigate config:
Key exchange (phase 1; "remote_side" is the peer object defined below and is the Fortigate's name for the strongswan host, while set certificate names the Fortigate's own certificate object):
config vpn ipsec phase1-interface
edit "VPNikev2"
set type ddns
set interface "wan1"
set ike-version 2
set authmethod signature
set net-device disable
set proposal aes256-sha256
set remotegw-ddns "localsite.domain.com"
set certificate "remote.crt"
set peer "remote_side"
next
end
Child SA (phase 2):
config vpn ipsec phase2-interface
edit "VPNikev2p2"
set phase1name "VPNikev2"
set proposal aes256-sha256 aes256gcm
set keylifeseconds 3600
next
end
Check that set dhgrp on both the phase1-interface and the phase2-interface includes 14 (modp2048): that is the only group the strongswan side offers in ike= and esp=, and with set pfs enabled the phase 2 group has to match too.
Peer object (matches the strongswan certificate against the CA and its subject; "Root_CA" is the name of CA.crt as imported on the Fortigate):
config user peer
edit "remote_side"
set ca "Root_CA"
set subject "<DN to match localsite cert>"
next
end
Static route for the RPF check (the strongswan tunnel address 10.2.0.2 is in 10.2.0.0/24, so packets from it arriving on VPNikev2 pass the reverse-path check; the routes for the subnets behind strongswan and the firewall policies are added the same way):
config router static
edit 0
set dst 10.2.0.0 255.255.255.0
set device "VPNikev2"
next
end