Lab_09

IPSec VPN

Module: Cryptography
Module Code: COMP09106
Activity No.: LAB/09106/2425T1-W9
Week: 09
Topic: IP Security and IKE (Internet Key Exchange)
Duration: Regular Class Time
Instructor: Dr. Althaff Mohideen
Submission: via Aula
Assessment: Summative (5%)
Important: These labs are designed to be completed on lab or home
desktop/laptop environments.

Please do report any errata and spelling mistakes in the lab sheet.

Student Name:
Student ID:
After completing this lab, you will be able to:
• Successfully understand the use of cryptography in securing IP security and setting up a
VPN (Virtual Private Network).
For this lab, we will use a “VPN Server VM” and a “Client VM”. For the “VPN Server VM” you
must set up a new VM using Ubuntu 20.04 LTS from the shared drive. Remember, your
VPN Server VM must be assigned a static IP (192.168.56.100). This lab will use the pki
commands and strongSwan libraries to set up a VPN.

Task 01: Learn about VPNs and IKEv2

A VPN (Virtual Private Network) is a technology that creates a secure and private connection
over a public network, such as the Internet. The VPN encrypts the data traffic and hides the
online identity, making it difficult for third parties, such as hackers, ISPs (Internet Service
Providers), or government agencies, to track user activities or steal user data.

How a VPN Works:

1. Encryption: When a VPN is used, the data is encrypted before it leaves the sending
device. This means that even if someone intercepts the network traffic (a man-in-the-middle,
MITM), the adversary won’t be able to read or access the information.

2. VPN Server: The encrypted data is sent to a VPN server located in a different
geographical location (which you can choose). The server decrypts the data and sends it to
the destination website or service. The response from the website is then encrypted again and
sent back to the user.

3. Hiding the IP Address: By connecting to a VPN server, the user’s actual IP address
(which reveals the user’s location) is masked. Instead, websites see the IP address of the VPN
server, making it appear as if the user is browsing from that server’s location.

Why Use a VPN?

1. Privacy and Anonymity: A VPN hides a user’s online activities from the ISP,
government agencies, or anyone else who might be monitoring the user’s connection. This
can help protect browsing history, location, and personal data.

2. Security: VPNs encrypt the network connection, which is especially useful when
using public Wi-Fi networks, such as those in coffee shops or airports. Encryption prevents
hackers from intercepting sensitive information like passwords or credit card details.

3. Bypassing Censorship and Geo-Restrictions: VPNs allow you to access content that
may be restricted or blocked in a location, such as certain websites, streaming services, or
social media platforms. For example, one can watch region-specific content on Netflix or
bypass internet censorship in some countries.

4. Secure Remote Access: Many businesses use VPNs to give employees secure access
to the company's internal network when working remotely. This protects sensitive business
information from being exposed.
5. Prevent Bandwidth Throttling: ISPs sometimes throttle (slow down) your internet
speed based on user activities, such as streaming or downloading large files. Using a VPN
can hide user activity from the ISP, potentially preventing throttling.

Limitations of VPNs:

- Reduced Speed: Encryption and rerouting data can slow down the network connection.
- VPN Restrictions: Some websites and services actively block VPN traffic.

In summary, a VPN is a powerful tool for protecting online privacy, securing network traffic,
and bypassing internet restrictions.

IKEv2 (Internet Key Exchange version 2) is a protocol that helps establish and manage secure
communications in a virtual private network (VPN). It is part of the IPsec (Internet Protocol
Security) suite, which provides data encryption, authentication, and protection for secure
communications over IP networks like the Internet.

Key Features of IKEv2:

1. Secure Key Exchange: IKEv2 is responsible for securely negotiating and exchanging keys
between two parties (e.g., a client and a VPN server).

2. Efficient Connection Handling: It supports efficient handling of VPN connections, making
it especially useful for devices that move between different networks, such as laptops and
mobile phones.

3. Mobility and Multihoming: IKEv2 supports the MOBIKE (Mobility and Multihoming)
protocol, which allows the VPN connection to maintain stability even when the user's IP
address changes.

4. Strong Security: It uses strong encryption and authentication methods, such as AES
(Advanced Encryption Standard) and digital certificates, to ensure secure communication.

5. Performance: IKEv2 is known for being more efficient and faster than its predecessor,
IKEv1, with reduced latency and improved performance.

How IKEv2 Works:

IKEv2 operates in two main modes:

1. Mode 1: The VPN client and server authenticate each other and establish a secure
communication channel. They negotiate cryptographic algorithms and generate shared secret
keys.

2. Mode 2: The secure channel is used to establish one or more IPsec security
associations (SAs), which are used to encrypt and decrypt the data transferred between the
client and the server.

Benefits of IKEv2:

- Reliability: Good for maintaining long-lived connections even with changes in
network connectivity.

- Compatibility: Works well with modern networks and is supported on many
platforms, including Windows, macOS, iOS, and Android.

- Security: Offers robust security mechanisms, making it suitable for protecting
sensitive data.

Overall, IKEv2 is a popular and secure choice for establishing VPN connections, especially
for mobile and roaming users.

Task 02: Set up the IKEv2 VPN Server

Carry out the following tasks on your VPN server.

sudo apt-get update -y
sudo apt-get upgrade -y

Once your VPN server is updated, edit the /etc/sysctl.conf file and enable the packet
forwarding:

sudo vim /etc/sysctl.conf (you can use nano or gedit in place of vim)

make the following changes in the /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Save and close the file, then run the following command to load the settings from /etc/sysctl.conf and apply them:

sudo sysctl -p

Checkpoint 01: Provide a screenshot of the edited /etc/sysctl.conf file.

Date:
Evidence/Snapshot: (Checkpoint)
Description/Detail: Static IP address is set. Required variables are given the given values.
Note: Copy/Paste this table to provide multiple evidence or snapshots.
Task 02: Installing strongSwan, PKI packages and setting up the Certificate Authority (CA)

First, install strongSwan and the public key infrastructure (PKI) components on the VPN
server by running the following command:

sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd-dev

Once all the packages are installed, we can create a VPN certificate.

A certificate for the IKEv2 server must be created so that the server can identify itself to the
clients. The strongswan-pki package provides the pki utility, which helps to create a CA and
certificates.

First, set up the directories to save the CA and certificates. The commands in this task
redirect their output into /root, and a redirection is performed by your own shell rather than
by sudo, so run them from a root shell (sudo -i) to avoid "Permission denied" errors.

sudo mkdir -p /root/pki/{cacerts,certs,private}

Next, generate a root key to sign the root certificate authority with the following command:

sudo pki --gen --type rsa --size 4096 --outform pem > /root/pki/private/ca-key.pem
Use the root key and create a root certificate authority using the following command:

sudo pki --self --ca --lifetime 3650 --in /root/pki/private/ca-key.pem --type rsa --dn "CN=VPN root CA" --outform pem > /root/pki/cacerts/ca-cert.pem

The CA certificate is saved as ca-cert.pem; this is the file name referenced when signing the server certificate below and when copying the CA certificate to the client in Task 04.

Next, create a certificate and key for the VPN server. This certificate will be used to verify the
server’s authenticity using the CA certificate.

Create a private key for the server using the following command:

sudo pki --gen --type rsa --size 4096 --outform pem > /root/pki/private/server-key.pem

Next, create and sign the VPN server certificate using the CA that you created earlier:

sudo pki --pub --in /root/pki/private/server-key.pem --type rsa | pki --issue --lifetime 1825 --cacert /root/pki/cacerts/ca-cert.pem --cakey /root/pki/private/ca-key.pem --dn "CN=192.168.56.100" --san 192.168.56.100 --flag serverAuth --flag ikeIntermediate --outform pem > /root/pki/certs/server-cert.pem

The --dn and --san values must be the IP address that is used as leftid on the server and as
rightid on the client (192.168.56.100 in this lab); if they differ, the client rejects the server
certificate during IKE_AUTH.

Now, copy all the certificates to the /etc/ipsec.d directory:

sudo cp -r /root/pki/* /etc/ipsec.d/

Checkpoint 02: Provide screenshots of the successful creation of certificates.

Date:
Evidence/Snapshot: (Checkpoint)

Have you used another tool in the past labs to set up a CA? Describe briefly what you have
learned about the pki command.

The pki commands in strongSwan help you create, manage, and verify certificates used for
securing communication in a VPN setup (IPsec). These certificates are part of the Public Key
Infrastructure (PKI) system, where each participant (server or client) has a private and
public key.

Description/Detail: All the certificates are made successfully and then copied too, but the
copy command was not working in one go, so I divided it into parts and then applied it.
Note: Copy/Paste this table to provide multiple evidence or snapshots.

At this point, the CA and all the certificates that strongSwan requires to secure communications
between the client and the server have been created. Next, proceed to configure the strongSwan
VPN server.

Task 03: Configure strongSwan VPN Server

In this task, you will learn to configure and set up IKEv2 VPN Server. It is recommended to
preserve the default configuration file and create a new configuration file. To make a backup
copy of the strongSwan default configuration file, run the following command:

sudo mv /etc/ipsec.conf /etc/ipsec.conf.bak

Next, create a new configuration file using the following command:

sudo vim /etc/ipsec.conf (you can use nano or gedit in place of vim)

and add the following configurations:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=192.168.56.100
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

save and close the file when you are finished.

A brief explanation of each option is shown below:

left=%any – The %any means the server will accept incoming connections on any network
interface.
leftid=192.168.56.100 – Specifies the IP address (identity) of the VPN server; it must match
the CN/SAN of the server certificate.
leftcert=server-cert.pem – Specifies the name of the server’s public certificate.
leftsendcert=always – The server always sends a copy of its public certificate to remote
clients.
leftsubnet=0.0.0.0/0 – Specifies the entire IPv4 address space, so all client traffic is routed
through the VPN.
rightauth=eap-mschapv2 – Defines the method the client uses to authenticate itself to the
server (username and password via EAP-MSCHAPv2).
rightsourceip=10.10.10.0/24 – Tells the server to assign clients private IP addresses from
the 10.10.10.0/24 network.
rightdns=8.8.8.8,8.8.4.4 – Specifies Google’s DNS server addresses, which are pushed to
the clients.

The ike and esp lists end with “!”, so only the listed proposals are accepted. The entries that
use 3des, sha1 and modp1024 are legacy algorithms kept only for compatibility with old
clients; remove them once every client supports the modern proposals.

Next, configure the authentication mechanism for strongSwan VPN. Edit the
ipsec.secrets file and define the name of the private key file and define the user that is
allowed to connect to the VPN server.

sudo vim /etc/ipsec.secrets (you can use nano or gedit in place of vim)

add the following lines:

: RSA "server-key.pem"
vpnusername : EAP "SomeSecurePassword"
Save and close the file and then restart the strongSwan service with the following command:

sudo systemctl restart strongswan-starter

Check the status of the strongSwan VPN service for any configuration error using the
following command:

sudo systemctl status strongswan-starter


Checkpoint 03: Provide screenshots of the successful running status of strongSwan.

Date:
Evidence/Snapshot: (Checkpoint)
Description/Detail: strongSwan successfully RUNNING
Note: Copy/Paste this table to provide multiple evidence or snapshots.

At this point, strongSwan VPN server is installed, configured and ready for use by a client.

Task 04: Install and Configure strongSwan VPN Client and connect.

In this task, you will learn to install, configure strongSwan client package and connect it to
the strongSwan VPN server.

Install the strongSwan VPN client package using the following command on the client
machine:

sudo apt-get install strongswan libcharon-extra-plugins -y


Copy the CA certificate file from the server machine to the client machine (replace <username>
with an account on the server that can read the file; sudo is needed because the destination
directory on the client is owned by root):

sudo scp <username>@192.168.56.100:/etc/ipsec.d/cacerts/ca-cert.pem /etc/ipsec.d/cacerts/

Next, edit the ipsec.secrets file and provide your username and password which you have
defined on the server machine.

sudo vim /etc/ipsec.secrets


Add the following to the file:

vpnusername : EAP "SomeSecurePassword"

Save and close the file, and edit the strongSwan configuration file with the following
command:

sudo vim /etc/ipsec.conf


Add the following to the file:

conn ipsec-ikev2-vpn-client
    auto=start
    right=192.168.56.100
    rightid=192.168.56.100
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpnusername
    leftauth=eap-mschapv2
    eap_identity=%identity
Save and close the file and restart the strongSwan service.

sudo systemctl restart strongswan-starter
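As an added cross-check (example code written for this edit, not part of the lab sheet or of strongSwan), the server files from Task 03 and the client files from Task 04 must agree with each other and with the server certificate. The script below parses the conn blocks of both ipsec.conf files and the EAP lines of both ipsec.secrets files, reports a mismatch between the server's leftid, the certificate identity and the client's right/rightid, confirms the vpnusername credentials are identical on both sides, and flags the legacy 3des/sha1/modp1024 proposals. The embedded files are constructed to mirror the lab, and the certificate identity is passed in as a string (e.g. the subject shown by pki --print).

```python
import re

LEGACY = ("3des", "sha1", "modp1024")  # legacy algorithms still in the lab's proposal lists

def parse_conf(text):
    """Return {conn_name: {key: value}} for each 'conn' block of an ipsec.conf file."""
    conns, cur = {}, None
    for line in filter(str.strip, (l.split("#", 1)[0].rstrip() for l in text.splitlines())):
        if line.startswith("conn "):
            cur = line.split(None, 1)[1].strip()
            conns[cur] = {}
        elif cur and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[cur][key.strip()] = value.strip()
        else:
            cur = None  # 'config setup' or any other top-level section
    return conns

def eap_users(secrets):
    """Return {user: password} for every 'user : EAP "password"' line of ipsec.secrets."""
    return dict(re.findall(r'^(\S+)\s*:\s*EAP\s+"([^"]*)"', secrets, re.M))

def check(server_conf, client_conf, server_secrets, client_secrets, cert_identity):
    """Return the list of mismatches; an empty list means the files agree with each other."""
    s = next(iter(parse_conf(server_conf).values()))
    c = next(iter(parse_conf(client_conf).values()))
    problems = []
    if s.get("leftid") != cert_identity:  # the client matches rightid against the cert's SAN/CN
        problems.append(f"server leftid {s.get('leftid')} != certificate identity {cert_identity}")
    if c.get("rightid", c.get("right")) != s.get("leftid"):  # rightid defaults to right
        problems.append("client right/rightid do not match server leftid")
    user, s_users = c.get("leftid"), eap_users(server_secrets)
    if user not in s_users or s_users[user] != eap_users(client_secrets).get(user):
        problems.append(f"EAP credentials for {user!r} missing or differ between the secrets files")
    for key in ("ike", "esp"):  # the trailing '!' makes the list strict, so every entry counts
        weak = [p for p in s.get(key, "").rstrip("!").split(",") if any(a in p for a in LEGACY)]
        if weak:
            problems.append(f"{key} proposals include legacy algorithms: {', '.join(weak)}")
    return problems

# Constructed sample inputs that mirror the lab sheet's server and client files.
SERVER_CONF = """conn ikev2-vpn
  leftid=192.168.56.100
  ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256-sha1-modp1024!
  esp=chacha20poly1305-sha512,aes256-sha256,3des-sha1!
"""
CLIENT_CONF = """conn ipsec-ikev2-vpn-client
  right=192.168.56.100
  rightid=192.168.56.100
  leftid=vpnusername
"""
SERVER_SECRETS = ': RSA "server-key.pem"\nvpnusername : EAP "SomeSecurePassword"\n'
CLIENT_SECRETS = 'vpnusername : EAP "SomeSecurePassword"\n'
```

Calling check(SERVER_CONF, CLIENT_CONF, SERVER_SECRETS, CLIENT_SECRETS, "45.58.41.152") reproduces the identity mismatch that the unedited --dn/--san values would cause, alongside the two legacy-proposal warnings.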

Checkpoint 04: Provide screenshots of the successful running status of strongSwan on the
Client.

Date:
Evidence/Snapshot: (Checkpoint) Use the ipsec statusall command to see the status.
Description/Detail:
Note: Copy/Paste this table to provide multiple evidence or snapshots.
Task 05 (Challenge Task): Access the joblet web server.

Use the VPN connection to access your web server and provide screenshots of successful
access to show the connection is encrypted using IPSec.

Checkpoint 05: Provide screenshots of successful access to the Web Server and show the
connection is encrypted using IPSec.

Date:
Evidence/Snapshot:
(Checkpoint)

Description/Detail:
Note: Copy/Paste this table to provide multiple evidence or snapshots.
