Issue #3555

can we host Strongswan server on Google platform

Added by Sudeep Kote about 2 months ago. Updated 23 days ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.9.0
Resolution: No change required

Description

Hello All,
I am new to this product. Could you please advise whether we can host an IPsec IKEv2 strongSwan server on Google Cloud Platform (GCP instance)?
Our whole project is on Google Cloud and we want to make our environment secure. Can we set up a strongSwan VPN server for our laptop users?
All laptops have Ubuntu installed. Please suggest any reference document so that I can set it up.
Thank you

Attachment: Gmail.png (33.1 KB), Sudeep Kote, 03.09.2020 10:14

History

#1 Updated by Tobias Brunner about 2 months ago

  • Status changed from New to Feedback

I guess, but I really have no idea. Maybe have a look at CloudPlatforms and/or UsableExamples. Or ask on the mailing list, maybe somebody else did that before.

#2 Updated by Sudeep Kote about 2 months ago

Hi, many thanks for the update. strongSwan works on Google Cloud Platform. I hosted a strongSwan IPsec IKEv2 VPN server in a Compute Engine instance. Our clients' laptops are also able to connect to the strongSwan VPN server, but a few sites are not working, like mail.google.com and login.yahoo.com and a few other sites. I can't browse these sites. A screenshot is attached and the curl output is also given below. Please help me find what is causing the issue and how to rectify it.

Client laptop platform: Ubuntu 18.04 OS

I used the DigitalOcean tutorial to set up the VPN server.
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-20-04

Curl output:
* Trying 172.217.31.197:443...
* TCP_NODELAY set
* Connected to mail.google.com (172.217.31.197) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to mail.google.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to mail.google.com:443
curl -v https://mail.google.com

#3 Updated by Tobias Brunner about 2 months ago

Please read ForwardingAndSplitTunneling (the tutorial also contains some stuff on forwarding/NAT that you should probably follow).

#4 Updated by Sudeep Kote about 2 months ago

Sure, I will read this document.
Please confirm this is not a certificate error issue, right?
We can use the self-signed certificate which we created in the strongSwan server setup for browsing, connecting to the internet and so on, right? It will not cause any issue?

Thank you

#5 Updated by Tobias Brunner about 2 months ago

> Please confirm this is not a certificate error issue, right?

I can only guess. But since you stated that you were able to connect, I suppose there is no such issue.

> We can use the self-signed certificate which we created in the strongSwan server setup for browsing, connecting to the internet and so on, right? It will not cause any issue?

How the IKE session is authenticated does not affect how traffic is transported afterwards, so, no, that doesn't make a difference (it does make a difference in terms of client administration and potentially security because depending on how the custom CA certificate was installed on the clients, arbitrary certificates could be issued by the CA and clients might trust them).
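A check for the trust-scope point in the reply above, as an added example that is not from the thread or from strongSwan: it tests whether the VPN's custom CA certificate also sits in the system-wide bundle that the curl output names (/etc/ssl/certs/ca-certificates.crt), by comparing SHA-256 fingerprints. The certificates embedded below are constructed placeholder bytes, and the helper names and the client-side CA path in the comment are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of the DER body of every cert in a PEM bundle."""
    found = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        found.append(hashlib.sha256(der).hexdigest())
    return found

def vpn_ca_in_system_store(vpn_ca_pem, bundle_pem):
    """True if the VPN CA is also trusted system-wide, not only for IKE."""
    vpn = fingerprints(vpn_ca_pem)
    if len(vpn) != 1:
        raise ValueError("expected exactly one CA certificate")
    return vpn[0] in set(fingerprints(bundle_pem))

def _pem(der):
    """Wrap raw bytes in PEM armor (used only to build the sample input)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-ins for real files. On a client you would instead read
# the VPN CA (assumed path: /etc/ipsec.d/cacerts/ca-cert.pem) and the bundle
# /etc/ssl/certs/ca-certificates.crt with open(...).read().
VPN_CA = _pem(b"constructed-vpn-ca-der" * 8)
PUBLIC_CA = _pem(b"constructed-public-ca-der" * 8)
SCOPED_BUNDLE = PUBLIC_CA            # VPN CA trusted for IKE only
WIDE_BUNDLE = PUBLIC_CA + VPN_CA     # VPN CA can also vouch for HTTPS sites

if __name__ == "__main__":
    for name, bundle in (("scoped", SCOPED_BUNDLE), ("wide", WIDE_BUNDLE)):
        hit = vpn_ca_in_system_store(VPN_CA, bundle)
        print(f"{name}: VPN CA in system trust store = {hit}")
```

A result of True means certificates issued by the VPN CA would be accepted by tools that use this bundle, such as curl. Browsers may keep a separate trust store, which this check does not cover.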

#6 Updated by Tobias Brunner 23 days ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
