End to end with Acheron - acis-acheron/acheron GitHub Wiki

About

This is a brief guide to getting Acheron running using the strongSwan Styx backend on a Debian Squeeze machine.

Building and Installing strongSwan from source

If building Contrail's strongSwan fork from source, you must first install the build dependencies, including installing and pinning the backports repository. How to do this is detailed in our building strongSwan guide.

Configuring strongSwan

Once strongSwan is installed, copy the default strongSwan configuration from the default-strongswan-config directory. This is done easily as root via

cp -r default-strongswan-config/* /

Be sure to remove /etc/ipsec.d/cacerts/strongswanCert.pem and place your actual CA certificate into /etc/ipsec.d/cacerts. The resulting default configuration should be present on all virtual machines.

Once the default configuration is in place, you can proceed to set up the keys and certificates specific to each machine. This machine-specific configuration includes a signed (by the CA) certificate in /etc/ipsec.d/certs (as a PEM file), a private key in /etc/ipsec.d/private (also as a PEM file), and a listing for the private key in /etc/ipsec.secrets. You can find examples in demo-alice-ipsec-certs and demo-bob-ipsec-certs. It's important to note that the name of the certificate in the machine-specific configuration is myCert.pem, and this is necessary for the default configuration to work correctly.
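One way to check the layout described above before starting strongSwan, as an added example that is not part of the Acheron repository. The function name, its ROOT parameter and the owner-only permission test on the private key are assumptions of this example; the paths and certificate names come from this guide.

```shell
#!/bin/sh
# Added example, not part of the Acheron repository.
# check_acheron_ipsec ROOT audits the strongSwan files this guide asks for.
# ROOT is a hypothetical parameter: "/" for the live system, or a staging tree.
# Prints one line per finding and returns the number of findings.
check_acheron_ipsec() {
    root=${1%/}
    d="$root/etc/ipsec.d"
    secrets="$root/etc/ipsec.secrets"
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # The demo CA shipped with the default configuration must be gone.
    if [ -e "$d/cacerts/strongswanCert.pem" ]; then
        fail "demo CA strongswanCert.pem is still in $d/cacerts"
    fi

    # A CA certificate other than the demo one must be installed.
    ca_found=0
    for ca in "$d"/cacerts/*.pem; do
        if [ -f "$ca" ] && [ "${ca##*/}" != strongswanCert.pem ]; then ca_found=1; fi
    done
    if [ "$ca_found" -eq 0 ]; then fail "no CA certificate in $d/cacerts"; fi

    # The default configuration refers to the machine certificate by this name.
    if [ ! -f "$d/certs/myCert.pem" ]; then fail "missing $d/certs/myCert.pem"; fi

    # Each private key needs an uncommented ipsec.secrets entry. The owner-only
    # mode test is an extra hardening check added here, not a step from the guide.
    key_found=0
    for key in "$d"/private/*.pem; do
        if [ ! -f "$key" ]; then continue; fi
        key_found=1
        name=${key##*/}
        if ! grep -F -- "$name" "$secrets" 2>/dev/null | grep -qv '^[[:space:]]*#'; then
            fail "$name is not listed in $secrets"
        fi
        if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            fail "$name is accessible to group or others (chmod 600)"
        fi
    done
    if [ "$key_found" -eq 0 ]; then fail "no private key in $d/private"; fi

    if [ "$problems" -eq 0 ]; then echo "OK: strongSwan certificate layout is complete"; fi
    return "$problems"
}
```

Source the file and run `check_acheron_ipsec /` as root on each machine; a non-zero return value is the number of findings.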

Installing GroupVPN

Since GroupVPN has a nasty habit of mangling /etc/resolv.conf, first back it up and install resolvconf (which will be useful later) by running

cp /etc/resolv.conf /etc/resolv.conf.bak
aptitude install resolvconf

as root.

Acheron requires a slightly modified version of IPOP that broadcasts the IPs of outgoing P2P connections locally. For convenience, we provide a .deb package.

The easiest way to install the modified version of IPOP is to first install mono-complete, and then force the installation of the downloaded package, letting apt-get take care of the other required dependencies automatically. You can do this with

aptitude install mono-complete
dpkg -i --force-depends ipop-squeeze.deb
apt-get install -fy # aptitude will want to remove the IPOP package

You can then continue to configure GroupVPN in the usual manner. Once finished, be sure to fix the mangled /etc/resolv.conf via

resolvconf -a eth0 < /etc/resolv.conf.bak

The groupvpn.sh script in our vagrant repository automates this entire process using a demo configuration.

Installing Acheron

To install Acheron, you only need to clone the repository and run ./install.sh from within the acheron directory.

Starting Acheron

First, ensure strongSwan and GroupVPN are running, and then start Acheron (as root):

/etc/init.d/ipsec start
/etc/init.d/groupvpn.sh start
/etc/init.d/acheron start

You can check that the daemon is running via /etc/init.d/acheron status, and you'll find Acheron's log file in /var/log/acheron.log.