Score:1

Connecting to IPSec IKEv2 VPN from CLI


I have set up an IPsec VPN on an AWS EC2 instance following this: https://github.com/hwdsl2/setup-ipsec-vpn. The VPN works fine; I am able to connect to it from my phone and laptops (Android, Windows, OS X). Now I want to connect to it from another EC2 instance. I tried this: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#linux but it didn't work, as it requires a GUI, which is not available on an EC2 instance. I have transferred the .p12 file to the newly created EC2 instance but could not configure it.

While searching for a solution I got this from ChatGPT:

#!/bin/bash

# Set variables
VPN_SERVER="vpn.trebuchet.one"
P12_FILE="$HOME/vpn.p12"
P12_PASSWORD="<P12_PASSWORD>"

# Install StrongSwan
sudo apt-get update
sudo apt-get install -y strongswan

# Create VPN configuration directory
sudo mkdir -p /etc/ipsec.d/myvpn

# Copy .p12 file to VPN configuration directory
sudo cp "$P12_FILE" /etc/ipsec.d/myvpn/myvpn.p12

# Create VPN configuration file
sudo bash -c "cat > /etc/ipsec.d/myvpn/myvpn.conf << EOL
conn myvpn
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    eap_identity=%identity
    leftauth=eap-tls
    leftcert=myvpn.p12
    leftsourceip=%config
    right=$VPN_SERVER
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    type=tunnel
    auto=add
EOL"

# Update /etc/ipsec.secrets file with .p12 password
sudo bash -c "echo ': P12 myvpn.p12 \"$P12_PASSWORD\"' >> /etc/ipsec.secrets"

# Restart StrongSwan service
sudo systemctl restart strongswan

# Initiate VPN connection
sudo ipsec up myvpn

echo "VPN connection established"

Running this I get:

no config named 'myvpn'

So can anyone help me configure the VPN client? It would be ideal if there was some setup scripts or something I could use since I am planning to automate this process in the future.

FYI:

I am trying to do this so that I can connect a local machine to the VPN and use the EC2 instance as a proxy server. The local server is set up in my college and I need it to be accessible from the internet; I can't request that the college assign a static IP to it. I haven't yet figured out how to exactly do the proxying. So if there is some better method than doing all this VPN stuff, that is OK as well.

Score:1

I finally found a solution based on this here.

This is how I did it:

Install NetworkManager and the strongSwan plugin

sudo apt install network-manager network-manager-strongswan

Edit the globally managed devices file and change unmanaged devices to none

echo "[keyfile]
unmanaged-devices=none" | sudo tee /usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf

Restart the NetworkManager service

sudo systemctl restart NetworkManager

Import the .p12 certificate

CERT_PATH=path/to/your/.p12

# Split the bundle into the CA cert, the client cert and the (unencrypted) client key
openssl pkcs12 -in "$CERT_PATH" -cacerts -nokeys -out "$HOME/ca.cer"
openssl pkcs12 -in "$CERT_PATH" -clcerts -nokeys -out "$HOME/client.cer"
openssl pkcs12 -in "$CERT_PATH" -nocerts -nodes  -out "$HOME/client.key"
rm "$CERT_PATH"

sudo chown root:root "$HOME/ca.cer" "$HOME/client.cer" "$HOME/client.key"
sudo chmod 600 "$HOME/ca.cer" "$HOME/client.cer" "$HOME/client.key"

Create a VPN connection

Note: Here the name VPN can be anything you want.

SERVER="your server IP/domain"

# Double quotes are needed so that $SERVER and $HOME are expanded inside vpn.data
sudo nmcli c add type vpn ifname -- vpn-type strongswan connection.id VPN connection.autoconnect no vpn.data "address = $SERVER, certificate = $HOME/ca.cer, encap = no, esp = aes128gcm16, ipcomp = no, method = key, proposal = yes, usercert = $HOME/client.cer, userkey = $HOME/client.key, virtual = yes"

Connect to it

nmcli c up 'Wired connection 1'
nmcli c up VPN
nmcli c

Check if connected

ifconfig

You should see a new entry for your VPN, usually called tunnel.

It is recommended to run all the steps here as root (sudo su) so that $HOME will be /root.

Here is a complete script I created based on these steps; you can run it as ./vpn.sh path/to/.p12 vpn.yourdomain.com

vpn.sh

#!/bin/bash

# Check if the correct number of arguments were provided
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <certificate path> <server address>"
    exit 1
fi

CERT_PATH=$1
SERVER_ADDRESS=$2

# Step 1: Install Network manager and strongswan plugin
sudo apt update
sudo apt-get install -y network-manager network-manager-strongswan

# Step 2: Edit the globally managed devices file and change unmanaged devices to none
echo "[keyfile]
unmanaged-devices=none" | sudo tee /usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf

# Step 3: Restart the network manager service
sudo systemctl restart NetworkManager

# Step 4: Check if the devices are managed
nmcli d

# Step 5: Import the .p12 certificate (CA cert, client cert and unencrypted client key)
openssl pkcs12 -in "$CERT_PATH" -cacerts -nokeys -out "$HOME/ca.cer"
openssl pkcs12 -in "$CERT_PATH" -clcerts -nokeys -out "$HOME/client.cer"
openssl pkcs12 -in "$CERT_PATH" -nocerts -nodes  -out "$HOME/client.key"
rm "$CERT_PATH"

# Step 6: Restrict the extracted files to the current user
sudo chown "$USER:$USER" "$HOME/ca.cer" "$HOME/client.cer" "$HOME/client.key"
sudo chmod 600 "$HOME/ca.cer" "$HOME/client.cer" "$HOME/client.key"

# Step 7: Create a VPN connection in NetworkManager and enable it.
sudo nmcli c add type vpn ifname -- vpn-type strongswan connection.id VPN connection.autoconnect no vpn.data "address = $SERVER_ADDRESS, certificate = $HOME/ca.cer, encap = no, esp = aes128gcm16, ipcomp = no, method = key, proposal = yes, usercert = $HOME/client.cer, userkey = $HOME/client.key, virtual = yes"

nmcli c up 'Wired connection 1'
nmcli c up VPN
nmcli c
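The following is an added example, not the answer's script and not code from the hwdsl2 project, showing a hardened version of the same NetworkManager + strongSwan procedure. It fixes the points a reviewer would flag in the script above: the unencrypted private key is extracted inside a 0700 temporary directory and installed root-owned 0600 (no world-readable window before a later chmod), the certificates live in a root-owned directory instead of whichever $HOME sudo happens to see, the NetworkManager override goes under /etc/NetworkManager/conf.d so a package upgrade does not clobber it, the ethernet connection is discovered rather than hard-coded as 'Wired connection 1', and the .p12 is only destroyed after nmcli reports the VPN as activated. The question's ChatGPT script failed because it wrote its conn section to a file that /etc/ipsec.conf never includes, so `ipsec up myvpn` had nothing to load; this example hands the connection to NetworkManager as the answer does. The connection id VPN, the directory /etc/ipsec.d/nm-client, the file name vpn-client.sh and the server vpn.example.com are assumptions, not names from the page.

```shell
#!/bin/bash
# Added example (not the hwdsl2 project's code, not the answer's script): a hardened
# variant of the NetworkManager + strongSwan client setup. Assumes Debian/Ubuntu with
# apt and a hwdsl2-style client .p12 (CA cert, client cert and key in one bundle).
# VPN_NAME and CERT_DIR are arbitrary, assumed names.
# Usage: ./vpn-client.sh --run /path/to/client.p12 vpn.example.com
set -eu

VPN_NAME="${VPN_NAME:-VPN}"                    # NetworkManager connection id
CERT_DIR="${CERT_DIR:-/etc/ipsec.d/nm-client}" # root-owned; avoids the sudo/$HOME mismatch

# The vpn.data string the strongswan NM plugin expects (same keys as the answer).
# Pure string function, so it can be checked without NetworkManager present.
build_vpn_data() {
    local server="$1" dir="$2"
    printf 'address = %s, certificate = %s/ca.cer, encap = no, esp = aes128gcm16, ipcomp = no, method = key, proposal = yes, usercert = %s/client.cer, userkey = %s/client.key, virtual = yes' \
        "$server" "$dir" "$dir" "$dir"
}

# Given the output of `nmcli -t -f NAME,TYPE,STATE c show`, succeed only if the named
# connection is a VPN in state "activated" (an "activating" entry is not good enough).
vpn_is_active() {
    local name="$1" listing="$2"
    printf '%s\n' "$listing" | grep -qx "${name}:vpn:activated"
}

# First ethernet connection in that listing, instead of hard-coding 'Wired connection 1'.
first_ethernet_connection() {
    printf '%s\n' "$1" | awk -F: '$2 == "802-3-ethernet" { print $1; exit }'
}

# Split the bundle into PEM files inside a 0700 temp dir, then install them root-owned
# 0600; the unencrypted key never sits world-readable waiting for a later chmod.
extract_p12() {
    local p12="$1" dir="$2" tmp f
    tmp="$(mktemp -d)"
    read -rsp "Passphrase for $p12: " P12PW; echo; export P12PW   # read once, passed via env, never argv
    # add -legacy on OpenSSL 3 if the bundle was built with RC2/3DES and fails to parse
    openssl pkcs12 -in "$p12" -passin env:P12PW -cacerts -nokeys -out "$tmp/ca.cer"
    openssl pkcs12 -in "$p12" -passin env:P12PW -clcerts -nokeys -out "$tmp/client.cer"
    openssl pkcs12 -in "$p12" -passin env:P12PW -nocerts -nodes -out "$tmp/client.key"
    unset P12PW
    sudo mkdir -p -m 700 "$dir"
    for f in ca.cer client.cer client.key; do
        sudo install -m 600 -o root -g root "$tmp/$f" "$dir/$f"
    done
    rm -rf "$tmp"
}

main() {
    [ "$#" -eq 2 ] || { echo "usage: $0 --run <client.p12> <server address>" >&2; exit 1; }
    local p12="$1" server="$2" listing eth
    sudo apt-get update
    sudo apt-get install -y network-manager network-manager-strongswan
    # /etc/NetworkManager/conf.d overrides the file under /usr/lib and survives package upgrades
    printf '[keyfile]\nunmanaged-devices=none\n' |
        sudo tee /etc/NetworkManager/conf.d/10-globally-managed-devices.conf >/dev/null
    sudo systemctl restart NetworkManager
    extract_p12 "$p12" "$CERT_DIR"
    sudo nmcli c delete "$VPN_NAME" >/dev/null 2>&1 || true   # makes re-runs idempotent
    sudo nmcli c add type vpn ifname -- vpn-type strongswan connection.id "$VPN_NAME" \
        connection.autoconnect no vpn.data "$(build_vpn_data "$server" "$CERT_DIR")"
    listing="$(nmcli -t -f NAME,TYPE,STATE c show)"
    eth="$(first_ethernet_connection "$listing")"
    [ -z "$eth" ] || sudo nmcli c up "$eth"
    sudo nmcli c up "$VPN_NAME"
    listing="$(nmcli -t -f NAME,TYPE,STATE c show)"
    if vpn_is_active "$VPN_NAME" "$listing"; then
        echo "VPN '$VPN_NAME' is up; addresses:"; ip -brief addr
        shred -u "$p12"      # delete the bundle only once the tunnel has actually come up
    else
        echo "VPN '$VPN_NAME' did not reach 'activated'; keeping $p12 for a retry" >&2
        exit 1
    fi
}

if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

The `--run` guard keeps the helper functions sourceable for testing without touching the system. For the unattended use the question mentions, change `connection.autoconnect no` to `yes` so NetworkManager re-establishes the tunnel after a reboot; the verification step then becomes the thing to poll from your automation rather than a one-off check.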