:::: MENU ::::

Monthly Archives / February 2015

  • Feb 27 / 2015
  • 0

How to setup an IPSec tunnel with Strongswan with high-availability on Linux

It is possible to secure your communication between several sites (datacenters for example) by using an open-source VPN IPSec on your Linux System. We will see here how to:

  1. Set-up a VPN IPSec on Linux with Strongswan (https://www.strongswan.org)
  2. Set-up a high availability mechanism on top of this VPN connection to ensure the link will always be up with KeepAlived (http://www.keepalived.org/)


Here is the architecture example I will use in this post.

  • – – – represents a local link
  • === represents a VPN link

VPN Installation

First of all, install the package strongswan using the package manager you used to, or by compiling it from sources. In the same time, install the keepalived package to be able to set it highly available at the end of this post.

This will install the packages and the libraries needed to make them work.


First thing to do will be to generate certificates used for the encryption of communication within the VPN. This can be done in two ways:

CA Certificate

Once the packages are properly installed, we will have to create the different certificates that we will use to encrypt our connection between peers. For the example we will be using self-signed certificate here. The first certificate to generate wil be the CA certificate with which one we will sign any certificate we want to use in the VPN network.

Generate a 2048 bit RSA private key (caKey.der) for the CA certificate (caCert.der) and self-sign it with this key:

End Entity Certificate

For each peer (i.e. each gateway), a private key (peerKey.der) and a certificate (peerCert.der) will have to be generated using the CA previously created:

Install certificates

On each peer, store the following certficates and private keys in /etc/ipsec.d/ subdirectory as:

  • /etc/ipsec.d/private/peerKey.der for the private key of the peer
  • /etc/ipsec.d/certs/peerCert.der for the certificate of the peer
  • /etc/ipsec.d/cacerts/caCert.der for the CA certificate that signed the certificates

The CA private key (caKey.der) should never be stored on a server directly reachable from the Internet and be kept safe.

IPSec configuration

To configure IPSec, you will have to configure two files:

  • /etc/ipsec.conf for the configuration of your tunnels
  • /etc/ipsec.secrets for the configuration of your keys and/or PSK (pre-shared keys)

If you use certificate for your connection, here is what your configuration should look like:

If instead of using certificates you prefered to use Pre-Shared Key (as you will have to if you want to connect to AWS VPN Services), here are how should be configured both files:

IPsec commands and monitoring

First of all, each time you are changing part of the configuration, it’s strongly advised to reload configuration by doing:

Once this done, you can easily up/down a configuration by using:

A last command very useful is “statusall” that allows you to check and monitor VPN links:

High availability configuration

So that your VPN can be highly available, you will need to configure keepalived that you just installed at the beginning. You will have to configure it on both sides by using a virtual IP and a script to automate the restart on both nodes depending on the state of the cluster (option “notify”).

Here is the configuration for the master server:

The configuration for the slave (backup) server is almost similar but state and priority are changing:

And here is the script notifyipsec.sh for the “notify” option:

Now you can restart both services and your IPSec VPN inter-site is ready with a high-availability mechanism enabled!!

Obviously, you will have to do the same on the other node if you want your VPN to work properly, by reversing configuration.

  • Feb 19 / 2015
  • 0

How to capture results of a watch in a file

For debugging purposes, it can sometimes be useful to write the results of a command executed at a given time lapse. You can easily monitor a command by using the watch command.

By default a watch command is only displaying result, and you have to be in front of to see the results. If you want to write them in a file with a timestamp, you can easily do it by using this command that combines  a watch command with tee:

You can now open your file /tmp/logfilewatch and see the results you just got!
For example, here is what you could get with my previous command, checking all the connections on port TCP 443:

  • Feb 11 / 2015
  • 0

Find which process is using a specific port

If you need to know/find which process is using a specific port on your system, you can use some default tools for troubleshooting:

  • netstat
  • lsof

WARNING: For the use of these tools, you will need root rights (or sudo rights will be efficient)

First, with netstat you can use options tnlpu to display much informations on connections:

Then, with lsof you can easily find which connections are opened on a specified port with the option -i on your command-line:

Question ? Contact