A Virtual Private Network (VPN) lets you reach your office or home network remotely over the Internet while protecting the traffic from being sniffed or hijacked in transit.
Disclaimer: We would like to inform you that this configuration/software/application is not within the scope of official Zyxel Technical Support. These settings are based on our personal experience and are the result of our experiments. If you have questions about the operation and configuration of other manufacturers' software/devices, please contact their support service.
When the VPN connection to a site is established, a secured tunnel is created that encrypts the traffic, preserves data integrity (no data can be changed during transmission) and ensures that communication happens only between the client and the site. This example shows how to use the VPN Setup Wizard to create a client-to-site VPN between an ATP and Linux Ubuntu 18.04.3, and how to configure the matching tunnel on the Ubuntu host. Once the tunnel is up, the office network can be accessed securely.
Scenario and Topology
The topology and the setup steps are shown below.
Note: All network IP addresses and subnet masks in this article are examples. Please replace them with your actual network IP addresses and subnet masks. This example was tested with an ATP800 (Firmware Version: ZLD 4.35 C0) and Linux Ubuntu 18.04.3 LTS.
Configuration
Set up the IPSec VPN Tunnel on the ATP
Step 1. On the ATP, go to Quick Setup > VPN Setup Wizard and use the VPN Settings wizard to create a VPN rule that can be used with Ubuntu. Click Next.
Step 2. Choose Advanced to create a VPN rule with customized phase1, phase2 settings and authentication method. Click Next.
Step 3. Type the Rule Name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters; this value is case-sensitive.
Select Remote Access (Server Role) as the rule type and IKEv1 as the IKE Version. Click Next.
Step 4. Select the interface connected to the Internet as My Address. Set the desired Negotiation Mode, Encryption, Authentication, Key Group and SA Life Time. Type a secure Pre-Shared Key (8-32 characters); it must match the Pre-Shared Key configured on the Ubuntu host. Click OK.
Step 5. Continue to Phase 2 Settings and select the desired Encapsulation, Encryption, Authentication and Perfect Forward Secrecy (PFS) settings. Set Local Policy to the IP address range of the network connected to the ATP (192.168.1.0/24 in this example; this is the network the Ubuntu host will reach through the tunnel). Click OK.
Step 6. This screen shows a read-only summary of the VPN tunnel. Click Save.
Step 7. Add an address pool for Phase 2 mode config. Go to “CONFIGURATION > Object > Address” and click Add to create the address pool object; the VPN client receives its virtual IP address from this pool.
Step 8. Apply the VPN address pool to the Phase 2 VPN connection.
Go to “CONFIGURATION > VPN > IPSec VPN > VPN Connection” and apply the address pool object to the VPN connection.
Set up the Host-to-Network VPN Tunnel on Ubuntu 18.04
Step 1. Install strongSwan
root@usg:~# apt-get install strongswan -y
You must have root access to install and configure the related settings.
After the installation completes, check the strongSwan version with “ipsec version”:
root@usg:~# ipsec version
Linux strongSwan U5.6.2/K4.15.0-66-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright
root@usg:~#
Step 2. Configure strongSwan on Ubuntu 18.04
Define the pre-shared key and the XAUTH credentials in /etc/ipsec.secrets
root@usg:~# vi /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# Pre-shared key for IKE phase 1. No ID in front of the colon means the key
# applies to any peer. Replace 123456789 with the key typed in the ATP wizard.
: PSK 123456789
# XAUTH user name and password for the extended authentication step. The user
# name must be the leftid used in /etc/ipsec.conf (vpnclient in this example).
vpnclient : XAUTH "1qaz2wsx"
Define the connection parameters in /etc/ipsec.conf
root@usg:~# vi /etc/ipsec.conf
config setup
conn %default
# Time values without a unit are read as seconds, so the unit suffix matters.
ikelifetime=60m
keylife=20m
rekeymargin=1m
keyexchange=ikev1
# Mode config: the client pulls its virtual IP from the ATP's address pool.
modeconfig=pull
conn home
# Local (Ubuntu) side: leftid is also the XAUTH user name in ipsec.secrets.
left=10.214.48.60
leftid=vpnclient
leftauth=psk
leftauth2=xauth
leftsourceip=%config
leftfirewall=yes
# Remote (ATP) side: its WAN address and the Local Policy network from the wizard.
right=10.214.48.28
rightsubnet=192.168.1.0/24
rightid=10.214.48.28
rightauth=psk
# "add" only loads the rule; bring it up with "ipsec up home".
auto=add
# Proposals must match the ATP Phase 1 / Phase 2 settings; "!" makes them strict.
# modp1024 is DH group 2; use modp2048 (DH14) if the ATP rule is set to it.
# If PFS is enabled on the ATP Phase 2, append the group to esp= as well,
# e.g. esp=aes256-sha2_256-modp1024!
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
#Sample VPN connections
Other useful CLI commands
Set the service to start on boot
root@usg:~# systemctl enable strongswan
Restart the VPN
root@usg:~# ipsec restart
Stopping strongSwan IPSec...
Starting strongSwan 5.6.2 IPSec (starter)...
root@usg:~#
Check the VPN tunnel status
root@usg:~# ipsec status
Security Associations (1 up, 0 connecting):
home[1]: ESTABLISHED 13 seconds ago, 10.214.48.60[vpnclient]...10.214.48.28[10.214.48.28]
home{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ceda2bbf_i d8acc423_o
home{1}: 192.168.99.17/32 === 192.168.1.0/24
root@usg:~#
Tell the IKE daemon to start a connection (home in this example; with auto=add the rule is loaded but not started automatically)
root@usg:~# ipsec up <name>
Tell the IKE daemon to terminate a connection
root@usg:~# ipsec down <name>
Verification
a. Make sure the IPSec VPN tunnel is up on both the ATP and the Ubuntu host.
- ATP VPN status check
- Ubuntu VPN status check.
root@usg:~# ipsec status
Security Associations (1 up, 0 connecting):
home[1]: ESTABLISHED 54 minutes ago, 10.214.48.60[vpnclient]...10.214.48.28[10.214.48.28]
home{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc26c56a_i 6a5fb4f2_o
home{2}: 192.168.99.17/32 === 192.168.1.0/24
b. Ping the ATP LAN IP 192.168.1.1 from the Ubuntu host:
rtt min/avg/max/mdev = 0.724/0.754/0.788/0.036 ms
Note
If the Host-to-Network VPN tunnel cannot be established, check the following items:
- Both the ATP and the Ubuntu host must use the same Pre-Shared Key, Encryption, Authentication method and DH Key Group (the ike= and esp= proposals on Ubuntu must match the ATP's Phase 1 and Phase 2 settings).
- Make sure the ATP's WAN to ZyWALL security policy allows IKE, AH and ESP.
- Mode config must be enabled on Ubuntu: add modeconfig=pull to /etc/ipsec.conf (leftsourceip=%config then requests an address from the ATP's pool).
- The XAUTH user name in /etc/ipsec.secrets must be the same as leftid in /etc/ipsec.conf (vpnclient in this example).
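The Note above lists what to check when the tunnel does not come up, and the Verification section shows what a healthy "ipsec status" looks like. The shell script below is an added example (not Zyxel's or strongSwan's own tooling) that turns both into checks: lint_conf looks at the conn for the settings the Note requires (IKEv1, mode config, PSK plus XAUTH), for keywords strongSwan does not know (the kind of slip that stops the starter from loading the conn), and for lifetimes given without a unit, which strongSwan reads as seconds; check_status parses "ipsec status" output and only reports UP when the IKE SA is ESTABLISHED, a CHILD SA is INSTALLED and its selector covers the remote subnet. The ipsec.conf and status samples are constructed from this article's own listings; the function names and the list of known keywords (only those this article uses) are the example's own assumptions.

```shell
#!/bin/sh
# Pre-flight and status checks for the strongSwan client in this article.
# Added example: not Zyxel tooling and not part of strongSwan itself. Each
# function takes file CONTENT as an argument, so it runs on the constructed
# samples below or on the live host (see the usage note after the listing).

# conn_section NAME CONTENT: key=value lines of "conn %default" and "conn NAME",
# stripped of indentation and comments (one setting per line, as in the article).
conn_section() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[ \t]*conn[ \t]+/   { in_sec = ($2 == name || $2 == "%default"); next }
        /^[ \t]*config[ \t]+/ { in_sec = 0; next }
        in_sec && /=/ { sub(/^[ \t]+/, ""); sub(/#.*/, ""); sub(/[ \t]+$/, "")
                        if (length($0) > 0) print }'
}

# lint_conf NAME CONTENT: report the settings the Note says must be present,
# keywords starter does not know (typos), and lifetimes without a unit, which
# strongSwan reads as seconds. Known keywords are those this article's conn uses.
lint_conf() {
    section=$(conn_section "$1" "$2")
    errs=0
    for required in keyexchange=ikev1 modeconfig=pull leftauth=psk leftauth2=xauth leftsourceip=%config; do
        printf '%s\n' "$section" | grep -qx "$required" ||
            { echo "ERROR: missing $required"; errs=$((errs + 1)); }
    done
    known=' left leftid leftauth leftauth2 leftsourceip leftfirewall right rightid rightsubnet rightauth auto ike esp keyexchange modeconfig ikelifetime keylife rekeymargin '
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=${line%%=*}; val=${line#*=}
        case $known in
            *" $key "*) ;;
            *) echo "ERROR: unknown keyword '$key' in '$line' (typo?)"; errs=$((errs + 1)) ;;
        esac
        case $key in
            ikelifetime|keylife|rekeymargin)
                case $val in
                    *[smhd]) ;;
                    *) echo "ERROR: $key=$val has no unit; a bare number means seconds (${val}m for minutes)"
                       errs=$((errs + 1)) ;;
                esac ;;
        esac
    done <<EOF
$section
EOF
    if [ "$errs" -eq 0 ]; then echo OK; return 0; fi
    return 1
}

# check_status NAME SUBNET CONTENT: parse "ipsec status" output. UP means the
# IKE SA is ESTABLISHED, a CHILD SA is INSTALLED and its selector reaches SUBNET.
check_status() {
    printf '%s\n' "$3" | grep -Eq "^[[:space:]]*$1\[[0-9]+\]: ESTABLISHED" ||
        { echo "DOWN: no IKE SA for '$1' (check PSK, phase 1 proposal, WAN-to-ZyWALL policy)"; return 1; }
    printf '%s\n' "$3" | grep -Eq "^[[:space:]]*$1\{[0-9]+\}:[[:space:]]+INSTALLED, TUNNEL" ||
        { echo "DOWN: IKE SA up but no CHILD SA (check phase 2 proposal, PFS, mode config)"; return 1; }
    printf '%s\n' "$3" | grep -Eq "^[[:space:]]*$1\{[0-9]+\}:.* === $2\$" ||
        { echo "DOWN: CHILD SA installed but its selector does not cover $2"; return 1; }
    echo UP
}

# Constructed samples: the article's ipsec.conf as printed (with its laftauth=
# typo and unit-less lifetimes), a corrected copy made with sed, and the
# article's "ipsec status" output of a healthy tunnel.
ARTICLE_CONF=$(cat <<'EOF'
config setup
conn %default
ikelifetime=60m
keylife=20
rekeymargin=1
keyexchange=ikev1
modeconfig=pull
conn home
left=10.214.48.60
leftid=vpnclient
laftauth=psk
leftauth2=xauth
leftsourceip=%config
leftfirewall=yes
right=10.214.48.28
rightsubnet=192.168.1.0/24
rightid=10.214.48.28
rightauth=psk
auto=add
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
EOF
)
FIXED_CONF=$(printf '%s\n' "$ARTICLE_CONF" |
    sed -e 's/^laftauth=/leftauth=/' -e 's/^keylife=20$/keylife=20m/' -e 's/^rekeymargin=1$/rekeymargin=1m/')
STATUS_UP='Security Associations (1 up, 0 connecting):
   home[1]: ESTABLISHED 13 seconds ago, 10.214.48.60[vpnclient]...10.214.48.28[10.214.48.28]
   home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ceda2bbf_i d8acc423_o
   home{1}:   192.168.99.17/32 === 192.168.1.0/24'

echo "== article ipsec.conf";   lint_conf home "$ARTICLE_CONF"
echo "== corrected ipsec.conf"; lint_conf home "$FIXED_CONF"
echo "== status";               check_status home 192.168.1.0/24 "$STATUS_UP"
```

On the Ubuntu host the same functions run against the live files and daemon: lint_conf home "$(cat /etc/ipsec.conf)" and check_status home 192.168.1.0/24 "$(ipsec status)"; a non-zero exit status from either means the setup is not in the state the Verification section shows. The known-keyword list covers only the options used in this article, so a conn that uses other strongSwan settings needs the list extended before its warnings mean anything.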
For an IKEv2 configuration, see our community forum:
https://community.zyxel.com/en/discussion/10754/vpn-linux-strongswan-usg60