Linux - Automatic IPsec Configuration

Prerequisites

  1. Ubuntu 18.04 or newer installed on your device
  2. Ecosystem set up with proper security policies

Create Gateway for IPsec

If you didn’t do it yet, you need to create a new Gateway device on the Acreto platform.

  1. Login to the Acreto platform at wedge.acreto.net

  2. Select your ecosystem and go to Objects using the left menu.

  3. Click Add new Object and select Gateway.

  4. Fill at least:

    1. Name: the name of the IPSec connection needs to be compatible with Strongswan connection name requirements (basically, only letters and numbers)

    2. Category: IoT

    3. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted)

    4. Local Networks: - your local network addresses that should be routed through this gateway

      Wedge - New Gateway Wedge - New Gateway

      Note: To simplify testing, add IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow testing connectivity from the gateway through Acreto using ping, traceroute, and similar tools.

  5. Save the created Gateway by pressing Add.

  6. Add a security policy that will allow communication from the Gateway device to the Internet. Wedge - New Gateway Wedge - New Gateway

  7. Commit pending changes (top of the screen) Wedge - New Gateway Wedge - New Gateway Note: to successfully test your connectivity, you also need to create a security policy that will allow traffic going through your device.

Generate Strongswan config files

  1. Log in to the Acreto platform at wedge.acreto.net

  2. Select your ecosystem and go to Objects using the left menu

  3. Open the gateway object which you want to use by clicking on its “Info” button.

    Wedge - Gateway Info button Wedge - Gateway Info button

  4. Generate the IPsec strongSwan config using Configuration Options > Bare Metal, OS and Software

    Wedge - Download configuration Wedge - Download configuration

    Then Click on [Play Button]

  5. Copy the link to the IPsec strongSwan config file

    Wedge - Copy the link to IPsec strongswan config Wedge - Copy the link to IPsec strongswan config

Installation using acreto-ipsec.sh script

  1. Execute the following commands on your Linux shell

    curl -fsSL https://kb.acreto.net/reference-material/downloads/acreto-ipsec.sh | sudo bash -s -- [URL_to_strongswan_config]

    where [URL_to_strongswan_config] is the URL copied in previous step.

    Example:

    curl -fsSL https://kb.acreto.net/reference-material/downloads/acreto-ipsec.sh | sudo bash -s -- https://api-is-rock-solid.acreto.net/v2/gateways/ipsec/config/strongswan?_token=s.WNJJeTxWsIeXMkgeIA96SOe8

IPsec tunnel and routing verification

  1. Ensure that traffic goes through Acreto (with traceroute or mtr)

    Execute the command:

    mtr 8.8.8.8

    The ouput should indicate that packets go through 100.65.0.x:

    Host                     Loss%   Snt   Last   Avg  Best  Wrst StDev
    1. 100.65.0.30            0.0%     9  225.1 225.1 224.6 225.8   0.3
    2. 100.65.0.1             0.0%     8  225.9 227.5 225.7 237.1   3.9
    3. ???
    4. nyk-b2-link.telia.net  0.0%     8  226.0 226.9 226.0 228.3   0.7
    5. 72.14.218.254          0.0%     8  227.1 227.8 226.4 230.4   1.2
    6. 108.170.248.97         0.0%     8  227.1 227.2 226.8 227.9   0.4
    7. 108.170.227.211        0.0%     8  226.5 226.9 226.0 227.7   0.6
    8. dns.google             0.0%     8  226.7 227.6 226.7 229.2   0.8

IPsec Operational Commands

  1. Restart IPsec service with the following command: ipsec restart

  2. Wait approximately 10 seconds, and check the status of IPsec: ipsec statusall

  3. If the connection did not start, try to take it up manually:

    CONN=`grep '^conn .*' /etc/ipsec.d/*.conf|cut -d' ' -f2`; echo $CONN
    ipsec up $CONN

    It should display information useful for debugging purposes.

  4. Ensure everything works fine with:

    ipsec statusall
    ip address show
    ip route show
  5. Check if you have Internet access

IPsec Watchdog

In case you Internet connection if very unstable or your ISP changes your public IP, then you may consider running an IPsec watchdog that verifies every minute if the tunnel is passing the traffic to Acreto Ecosystem.

Please download the script and follow the steps from the comments section at the beginning of this script.

Click on the button and save the script in your home directory:

Get ipsec-watchdog.sh

or open the terminal and download the script directly to your vGateway using the command:

cd /etc/ipsec.d/
wget https://kb.acreto.net/reference-material/downloads/ipsec-watchdog.sh