|
IPsec is a provider of network-layer security standards. It contains the Authentication Header (AH) and encapsulating security payload (ESP) module. AH provides integrity package, ESP components provide confidentiality package. IPsec security features to ensure the network layer.
Confidentiality
Packet integrity
Non-repudiation of Origin
Replay attack protection
Strongswan is an IPsec protocol source code, Strongswan mean strong safety WAN (StrongS / WAN). It supports IPsec VPN with two versions of the automatic key exchange (Network Key Exchange (IKE) V1 and V2).
Strongswan shared basically provides automatic key exchange between two VPN nodes / gateways, and then it uses the Linux kernel IPsec (AH and ESP) to achieve. After shared key for ESP data encryption IKE mechanism. In IKE phase, strongswan use OpenSSL encryption algorithms (AES, SHA, etc.) and other encryption libraries. In any case, security algorithm in IPsec ESP component uses the Linux kernel implementation. Strongswan main features are as follows:
x.509 certificates or pre-shared key-based authentication
It supports IKEv1 and IKEv2 key exchange protocol
Alternatively, plug-ins and libraries built for integrity and encryption test
Support for elliptic curve DH group and ECDSA certificate
RSA private key and certificate stored on a smart card
It can be used in a client / server (road warrior mode), and gateway to gateway scenario.
how to install
Almost all Linux distributions support Strongswan binary packages. In this tutorial, we will install from binary packages strongswan, strongswan also compiled from the source code with the appropriate characteristics.
Using binary packages
You can use the following command to install Strongswan to Ubuntu 14.04 LTS
$ Sudo aptitude install strongswan
Installation strongswan
strongswan global configuration (strongswan.conf) and ipsec configuration file (ipsec.conf / ipsec.secrets) files are in / etc / directory.
strongswan source compiler installation dependencies
GMP (precision math library strongswan used)
OpenSSL (encryption algorithm from the library)
PKCS (1,7,8,11,12) (integrated certificate and smart card encoding)
step
1) Use the following command in the terminal to / usr / src / directory
$ Cd / usr / src
2) using the following command from the Web site to download the source code strongswan
$ Sudo wget http://download.strongswan.org/strongswan-5.2.1.tar.gz
(Strongswan-5.2.1.tar.gz is the most current version.)
Download software
3) extract the downloaded software with the following command, and then enter the directory.
$ Sudo tar -xvzf strongswan-5.2.1.tar.gz; cd strongswan-5.2.1
4) use the configure command to configure each option strongswan want.
$ ./configure --prefix = / Usr / local - enable-pkcs11 --enable-openssl
Check strongswan package
If the GMP library is not installed, the following configuration script error will occur.
GMP library error
Therefore, first, use the following command to install GMP library and then execute the configuration script.
gmp installation
However, if you have installed GMP also reported the above error, then use the following command to create soft on Ubuntu, to the path / usr / lib, / lib /, / usr / lib / libgmp.so library x86_64-linux-gnu / under connection.
$ Sudo ln -s /usr/lib/x86_64-linux-gnu/libgmp.so.10.1.3/usr/lib/x86_64-linux-gnu/libgmp.so
softlink of libgmp.so library
After creating libgmp.so soft connection, and then run ./configure script perhaps find the gmp library. However, if the header files gmp other error like this.
GMP header file issu
To solve the above error, use the following command to install libgmp-dev package
$ Sudo aptitude install libgmp-dev
Installation of Development library of GMP
After you install the gmp development libraries, run the configuration script again, if no error occurred, these will see the following output.
Output of Configure scirpt
Use the following command to compile and install strongswan.
$ Sudo make; sudo make install
After installation strongswan, global configuration (strongswan.conf) and ipsec policy / password configuration file (ipsec.conf / ipsec.secretes) is placed in / usr / local / etc directory.
According to our security needs Strongswan can be used as a tunnel or transport mode. It provides a well-known site-2-site model and road warrior mode VPN. It is easy to use on Cisco, Juniper equipment. |
|
|
|