Remote Observing IPSec VPN How To

Index

PC/Windows
Installing and configuring Forticlient on Windows
  1. Download the latest FortiClient VPN-Only client for Windows: FortiClient Download
  2. Open and run the Installer, following the installer prompts accordingly.
    Note: Installing this software will require local administrative permissions on your computer.
  3. Download and install the latest Visual C++ runtime libraries from Microsoft.
    Note: FortiClient depends on this runtime for the components that establish the VPN connection on Windows.
  4. Open FortiClient from the Start Menu

  5. Accept & Acknowledge Terms of Service. Then, click "Configure VPN"

  6. Add a new IPsec VPN as shown in the image below. The Pre-Shared Key is sent together with the daily credentials.
  7. Click Advanced Settings and check that the configuration matches the one shown; adjust it if needed.
  8. Click Save
macOS

Installing and configuring FortiClient on Mac
  1. Download the latest FortiClient VPN-Only client for Mac: FortiClient Download
  2. Open and run the Installer, following the installer prompts accordingly.
    Note: Installing this software will require local administrative permissions on your computer.
  3. Once the installer has finished, macOS will prompt you to allow certain permissions and a network extension that FortiClient needs in order to run:
    (image: installing FortiClient on Mac)
  4. Open FortiClient from the Applications Folder

  5. Accept & Acknowledge Terms of Service. Then, click "Configure VPN"

  6. Add a new IPsec VPN as shown in the image below. The Pre-Shared Key is sent together with the daily credentials.
  7. Click Advanced Settings and check that the configuration matches the one shown; adjust it if needed.
  8. Click Save
Linux

Installing and configuring strongSwan on Ubuntu Linux
  1. Install strongSwan on Ubuntu using the apt package manager.

    $ sudo apt install strongswan

    Also install the charon-systemd package.

    $ sudo apt install charon-systemd

    To let the kernel forward packets, edit /etc/sysctl.conf and uncomment the lines below. Forwarding is only required if this machine will route VPN traffic for other hosts on your network; a single-machine client can leave the two forwarding lines commented out, while the two redirect lines are worth enabling in either case. To edit the file use: sudo nano /etc/sysctl.conf, then apply the change with: sudo sysctl -p

    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

    To check the status of the strongSwan service run the command below (root is not needed for status).

    $ systemctl status strongswan.service

    Output similar to the following appears when the daemon is running; the "loaded ... secret" and plugin lines depend on your configuration.

    strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
    Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
    Active: active (running) since Sat 2022-03-19 08:19:10 CET; 46s ago
    Process: 6903 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
    Main PID: 6886 (charon-systemd)
    Status: "charon-systemd running, strongSwan 5.8.2, Linux 5.4.0-104-generic, x86_64"
    Tasks: 17 (limit: 2268)
    Memory: 2.5M
    CGroup: /system.slice/strongswan.service
    └─6886 /usr/sbin/charon-systemd

    Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: loaded IKE secret for 10.5.21.252
    Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: loaded EAP secret for ubuntu_VPN
    Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: loaded plugins: charon-systemd aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 p>
    Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: dropped capabilities, running as uid 0, gid 0
    Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: spawning 16 worker threads
    Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no files found matching '/etc/swanctl/conf.d/*.conf'
    Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no authorities found, 0 unloaded
    Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no pools found, 0 unloaded
    Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no connections found, 0 unloaded
    Mar 19 08:19:10 xenon-kvm33 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.

    strongSwan's classic configuration is kept in two files, both of which must be edited to set up the VPN.

    The first file to edit is /etc/ipsec.conf.

    Open it with vi (or any editor) and add the connection below. Indent every parameter line under the conn line: strongSwan reads an unindented line as the start of a new section.

    conn LCOIPSEC
        keyexchange=ikev1
        ikelifetime=1440m
        keylife=60m
        aggressive=no
        ike=aes256-sha256-modp1024
        esp=aes256-sha256
        xauth=client
        left=%defaultroute
        leftsourceip=%config
        leftauth=psk
        rightauth=psk
        leftauth2=xauth
        right=139.229.100.249
        rightsubnet=0.0.0.0/0
        xauth_identity=*********
        auto=add

    Replace the asterisks in xauth_identity with the username sent by email. Leave aggressive=no as it is: aggressive mode would expose a hash of the pre-shared key to anyone able to observe the exchange. modp1024 (DH group 2) is weaker than current guidance; keep it only as long as the gateway requires it, and prefer modp2048 if the gateway accepts it.

    The second file to edit is /etc/ipsec.secrets; add the two lines below, replacing the asterisks with the Pre-Shared Key and the password sent by email. The identity on the XAUTH line must match xauth_identity in /etc/ipsec.conf. Keep the file readable by root only (mode 0600, the package default) and update both entries whenever new daily credentials arrive.

    139.229.100.249 : PSK "********"
    <TELESCOPE>.observer : XAUTH "********"

    Once completed, restart the strongSwan service and reload the configuration with the commands below (via sudo, or as root).

    $ sudo systemctl restart strongswan
    $ sudo ipsec update
    $ sudo ipsec reload

    To bring up the tunnel run the command below (via sudo, or as root).

    $ sudo ipsec up LCOIPSEC

    Here 'LCOIPSEC' is the tunnel name configured in /etc/ipsec.conf.

    Bringing up the tunnel will show the below information.

    initiating Main Mode IKE_SA LCOIPSEC[1] to 139.229.100.249
    ........
    CHILD_SA LCOIPSEC{1} established with SPIs c72cb7eb_i 32618946_o and TS x.x.x.x/32 === 0.0.0.0/20
    generating QUICK_MODE request 3030603905 [ HASH ]
    connection 'LCOIPSEC' established successfully

    It is possible to check the status of the tunnel using the below command.

    $ sudo ipsec status

    Test connectivity with ping from the Ubuntu command line.

    $ ping obsverver.lco.cl
    PING obsverver.lco.cl (x.x.x.x) 56(84) bytes of data.
    64 bytes from x.x.x.x: icmp_seq=1 ttl=255 time=0.839 ms
    64 bytes from x.x.x.x: icmp_seq=2 ttl=255 time=0.432 ms
    64 bytes from x.x.x.x: icmp_seq=3 ttl=255 time=0.493 ms

    To bring down the tunnel use the command.

    $ sudo ipsec down LCOIPSEC
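The Linux steps above, collected into one script. This is an added example; it is not part of this how-to or of the strongSwan project. It renders the same conn section and secrets entries from parameters instead of editing the files by hand, refuses empty or still-placeholder credentials, writes /etc/ipsec.secrets with mode 0600, lints the conn section (parameters must be indented, aggressive mode must stay off, modp1024 gets a warning), and reads `ipsec status` output to confirm the IKE_SA is ESTABLISHED and the CHILD_SA is INSTALLED. The script name, the DO_INSTALL switch, the VPN_USER, VPN_PSK and VPN_PASS variables and the function names are assumptions; the gateway address, connection name and parameter values are the page's. With DO_INSTALL=1 it replaces /etc/ipsec.conf and /etc/ipsec.secrets outright and must run as root, so use it only on a machine where those files hold nothing else.

```shell
#!/bin/sh
# lco-vpn-setup.sh (assumed name): added example, not part of this how-to or
# of strongSwan. Renders the conn section and secrets shown above from
# parameters, writes them with safe permissions, lints the result and checks
# `ipsec status` output. The environment variable names are assumptions.
set -eu

VPN_CONN="${VPN_CONN:-LCOIPSEC}"               # tunnel name from the page
VPN_GATEWAY="${VPN_GATEWAY:-139.229.100.249}"  # gateway address from the page

# Refuse empty values, the "********" placeholders from the page, and double
# quotes, which would break the quoting used in ipsec.secrets.
check_credential() {   # name value
    case "$2" in
        ''|*'*'*|*'"'*) echo "$1: empty, still a placeholder, or contains a quote" >&2; return 1 ;;
    esac
    return 0
}

# The conn section from the page. Parameter lines are indented on purpose:
# strongSwan reads an unindented line as the start of a new section.
gen_ipsec_conf() {   # conn_name gateway xauth_username
    cat <<EOF
conn $1
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    aggressive=no
    ike=aes256-sha256-modp1024
    esp=aes256-sha256
    xauth=client
    left=%defaultroute
    leftsourceip=%config
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    right=$2
    rightsubnet=0.0.0.0/0
    xauth_identity=$3
    auto=add
EOF
}

# The two ipsec.secrets entries; the XAUTH identity must equal xauth_identity.
gen_ipsec_secrets() {   # gateway psk xauth_username xauth_password
    cat <<EOF
$1 : PSK "$2"
$3 : XAUTH "$4"
EOF
}

# Write stdin to a file atomically; the temp file is never world-readable.
write_file() {   # path mode
    tmp="$1.tmp.$$"
    ( umask 077; cat >"$tmp" )
    chmod "$2" "$tmp"
    mv -f "$tmp" "$1"
}

# Lint an ipsec.conf: every parameter must be indented, aggressive mode must
# stay off (it exposes a hash of the PSK to offline cracking), and modp1024
# gets a non-fatal warning. Messages go to stderr; exit 1 on a hard error.
lint_ipsec_conf() {   # file
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^(conn|ca|config|include)[ \t]/ { next }
        /^[^ \t]/ { printf "line %d: parameter not indented: %s\n", NR, $0; bad = 1 }
        /^[ \t]*aggressive[ \t]*=[ \t]*yes/ { printf "line %d: aggressive mode must be off\n", NR; bad = 1 }
        /modp1024/ { printf "line %d: note: modp1024 is weak; prefer modp2048 if the gateway accepts it\n", NR }
        END { exit bad }
    ' "$1" >&2
}

# Read `ipsec status` output on stdin; succeed only when the IKE_SA is
# ESTABLISHED and the CHILD_SA is INSTALLED for the named connection.
tunnel_up() {   # conn_name
    out=$(cat)
    printf '%s\n' "$out" | grep -q "^ *$1\[[0-9]*\]: ESTABLISHED" &&
        printf '%s\n' "$out" | grep -q "^ *$1{[0-9]*}: *INSTALLED"
}

# Only touches the system when DO_INSTALL=1 (assumed switch); needs root.
if [ "${DO_INSTALL:-0}" = 1 ]; then
    check_credential VPN_USER "${VPN_USER:-}"
    check_credential VPN_PSK  "${VPN_PSK:-}"
    check_credential VPN_PASS "${VPN_PASS:-}"
    gen_ipsec_conf "$VPN_CONN" "$VPN_GATEWAY" "$VPN_USER" | write_file /etc/ipsec.conf 0644
    gen_ipsec_secrets "$VPN_GATEWAY" "$VPN_PSK" "$VPN_USER" "$VPN_PASS" | write_file /etc/ipsec.secrets 0600
    lint_ipsec_conf /etc/ipsec.conf
    systemctl restart strongswan
    ipsec up "$VPN_CONN"
    if ipsec status | tunnel_up "$VPN_CONN"; then
        echo "tunnel $VPN_CONN is up"
    else
        echo "tunnel $VPN_CONN did not come up; see 'ipsec status'" >&2
        exit 1
    fi
fi
```

Run it as `sudo DO_INSTALL=1 VPN_USER=... VPN_PSK=... VPN_PASS=... sh lco-vpn-setup.sh` after the day's credentials arrive; without DO_INSTALL=1 it only defines the functions, so the generator and checks can be exercised against a scratch file first.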