Strongswan Azure VPN Setup

  • OS: CentOS 7
  • Azure remote gateway IP: 13.73.247.202
  • Azure remote subnet: 172.17.130.0/24
  • Local IP (StrongSwan host, private address behind NAT): 172.16.1.254
  • Local public gateway IP (the router in front of the StrongSwan host): 82.3.127.171
  • Local subnet: 172.16.1.0/24

Enable packet forwarding

vi /etc/sysctl.d/99-local.conf
#
# ip_forward - BOOLEAN
#
# Forward packets between interfaces. Required here: the StrongSwan host
# routes traffic between the local subnet and the Azure subnet.
#
# This variable is special, its change resets all configuration
# parameters to their default state (RFC1122 for hosts, RFC1812
# for routers)
net.ipv4.ip_forward = 1
sysctl -p /etc/sysctl.d/99-local.conf

Note that a bare sysctl -p only reads /etc/sysctl.conf; pass the file as above (or run sysctl --system), then confirm with sysctl net.ipv4.ip_forward.

Firewall settings

On CentOS 7 the file below is read by the iptables-services package, not by firewalld: install iptables-services, disable firewalld and enable the iptables service first, otherwise the reload at the end of this step has no effect.

vi /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Traffic to and from the Azure subnet must leave the nat table untouched: the
# ACCEPT in POSTROUTING keeps it from being masqueraded, so the packets still
# match the IPsec policy 172.16.1.0/24 <-> 172.17.130.0/24 and keep their real
# source address.
-A PREROUTING -s 172.17.130.0/24 -j ACCEPT
-A POSTROUTING -d 172.17.130.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
# FORWARD stays at policy ACCEPT with no rules, so with ip_forward=1 this host
# forwards anything it receives. In production restrict FORWARD to packets that
# match the IPsec policy (-m policy --pol ipsec) between the two subnets.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# IKE and NAT-T; the host is behind NAT, so the ESP traffic arrives in UDP 4500
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
# Raw ESP (protocol 50) and AH (protocol 51); AH is not negotiated by this setup
# and the rule can be dropped
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
# Management access: adjust 192.168.1.0/24 to your admin network (the LAN in
# this guide is 172.16.1.0/24)
-A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables drop: " --log-level warning
-A INPUT -j DROP
COMMIT
systemctl reload iptables

Install StrongSwan

The strongswan package for CentOS 7 comes from EPEL, so enable that repository first:

yum install epel-release
yum install strongswan

Configure StrongSwan

vi /etc/strongswan/ipsec.conf
conn azure
        authby=secret
        type=tunnel
        # The StrongSwan host is behind NAT: left is its private address,
        # leftid the public address Azure sees. leftid must match the local
        # network gateway configured in Azure and the first ID in ipsec.secrets.
        leftid=82.3.127.171
        left=172.16.1.254
        leftsubnet=172.16.1.0/24
        rightid=13.73.247.202
        right=13.73.247.202
        rightsubnet=172.17.130.0/24
        keyexchange=ikev2
        ikelifetime=28800s
        keylife=3600s
        # Gives up after three failed attempts; for an always-on site-to-site
        # tunnel consider keyingtries=%forever
        keyingtries=3
        # Proposes IPComp; strongSwan falls back to no compression if the peer
        # does not agree to it
        compress=yes
        auto=start
        # The original proposal was aes256-sha1-modp1024. 1024-bit DH (group 2)
        # and SHA-1 are weak; Azure's default IKEv2 policy also accepts SHA-256
        # and DH group 14 (modp2048), so use those.
        ike=aes256-sha256-modp2048
        esp=aes256-sha256

Because the StrongSwan host sits behind the router at 82.3.127.171, that router must forward UDP 500 and 4500 to 172.16.1.254 so that Azure can initiate or re-key the tunnel, and the other hosts in 172.16.1.0/24 need a route for 172.17.130.0/24 via 172.16.1.254 unless the StrongSwan host is already their default gateway. On the Azure side the local network gateway must list 82.3.127.171 as the gateway address and 172.16.1.0/24 as its address space.

Configure the pre-shared key:

vi /etc/strongswan/ipsec.secrets
82.3.127.171 13.73.247.202 : PSK "XXXXXXX"

The two IDs must match leftid and rightid above. Use the shared key from the Azure connection object (a long random string of printable ASCII characters, never a dictionary word) and keep the file readable by root only.

Start and enable the service:

systemctl start strongswan
systemctl enable strongswan

Query the status:

strongswan statusall

The connection is working when the azure IKE SA is reported as ESTABLISHED and its CHILD_SA as INSTALLED with the traffic selectors 172.16.1.0/24 === 172.17.130.0/24; a CONNECTING entry that never completes usually means a PSK or ID mismatch.
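The status check above is easy to misread by eye. The script below is an added example, not part of the original guide: it parses the output of strongswan statusall for one connection and fails unless the IKE SA is ESTABLISHED, the CHILD_SA is INSTALLED and no weak algorithm (SHA-1, 1024-bit MODP, 3DES, MD5) was negotiated, so it also catches a gateway that is still running the guide's original aes256-sha1-modp1024 proposal. The line formats follow strongSwan 5.x; the three sample outputs embedded in it are constructed, not captured from a live gateway, and the file name check_tunnel.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a strongSwan connection
# from "strongswan statusall" output. Live use on the gateway:
#     strongswan statusall | sh check_tunnel.sh azure -
# The sample outputs below are constructed to mimic strongSwan 5.x output.

check_tunnel() {   # usage: check_tunnel <conn> <file|->   exit status 0 = healthy
    conn="$1"; src="$2"
    [ -n "$conn" ] && [ -n "$src" ] || { echo "usage: check_tunnel <conn> <file|->" >&2; return 2; }
    if [ "$src" = "-" ]; then out=$(cat); else out=$(cat "$src"); fi
    rc=0
    # IKE SA line: "azure[1]: ESTABLISHED 3 minutes ago, 172.16.1.254[82.3.127.171]...13.73.247.202[13.73.247.202]"
    if printf '%s\n' "$out" | grep -Eq "^ *${conn}[[][0-9]+[]]: ESTABLISHED"; then
        echo "OK   IKE SA for $conn is ESTABLISHED"
    else
        echo "FAIL no ESTABLISHED IKE SA for $conn (check PSK, IDs and UDP 500/4500 forwarding)"; rc=1
    fi
    # CHILD_SA line: "azure{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ..."
    if printf '%s\n' "$out" | grep -Eq "^ *${conn}[{][0-9]+[}]: +INSTALLED"; then
        echo "OK   CHILD_SA for $conn is INSTALLED"
    else
        echo "FAIL no INSTALLED CHILD_SA for $conn (traffic selectors must match the Azure subnets)"; rc=1
    fi
    # Negotiated algorithms appear in "IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
    # and in the CHILD_SA line "AES_CBC_256/HMAC_SHA1_96, ... bytes_i, ... bytes_o, rekeying in ..."
    weak=$(printf '%s\n' "$out" | grep -E "^ *${conn}([[]|[{])" | grep -E 'SHA1|MODP_1024|3DES|MD5' || true)
    if [ -n "$weak" ]; then
        echo "WARN weak algorithms negotiated, tighten ike=/esp= in ipsec.conf:"; printf '%s\n' "$weak"; rc=1
    fi
    return "$rc"
}

# Constructed sample: healthy tunnel negotiated with the hardened proposal.
sample_up() {
cat <<'EOF'
Security Associations (1 up, 0 connecting):
       azure[1]: ESTABLISHED 3 minutes ago, 172.16.1.254[82.3.127.171]...13.73.247.202[13.73.247.202]
       azure[1]: IKEv2 SPIs: 5b1e4c7a9f0d2e31_i* 8c2f6a0b1d3e4f57_r, pre-shared key reauthentication in 7 hours
       azure[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
       azure{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9a1b2c3_i 0d4e5f60_o
       azure{1}:  AES_CBC_256/HMAC_SHA2_256_128, 1204 bytes_i (14 pkts, 2s ago), 1388 bytes_o (14 pkts, 2s ago), rekeying in 47 minutes
       azure{1}:   172.16.1.0/24 === 172.17.130.0/24
EOF
}

# Constructed sample: tunnel up, but negotiated with the guide's original aes256-sha1-modp1024.
sample_weak() {
cat <<'EOF'
Security Associations (1 up, 0 connecting):
       azure[1]: ESTABLISHED 3 minutes ago, 172.16.1.254[82.3.127.171]...13.73.247.202[13.73.247.202]
       azure[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       azure{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9a1b2c3_i 0d4e5f60_o
       azure{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
       azure{1}:   172.16.1.0/24 === 172.17.130.0/24
EOF
}

# Constructed sample: IKE never completes (typical for a PSK or ID mismatch).
sample_down() {
cat <<'EOF'
Security Associations (0 up, 1 connecting):
       azure[2]: CONNECTING, 172.16.1.254[%any]...13.73.247.202[%any]
       azure[2]: IKEv2 SPIs: 0f1e2d3c4b5a6978_i* 0000000000000000_r
       azure[2]: Tasks active: IKE_VERS IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH
EOF
}

# Demo run against the healthy sample; on the gateway pipe the real output instead.
sample_up | check_tunnel azure -
```

The exit status makes the function usable from a cron job or monitoring check; the WARN branch is deliberately treated as a failure, since a tunnel that is up on SHA-1 and DH group 2 is exactly the state the hardened ike= line is meant to prevent.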

Do you have further questions about this guide, want more information or need support? We are happy to help; our contact details are here: https://df-informatik.ch/kontakt/