Differences

docs:guide-user:services:vpn:ipsec:strongswan:basics [2020/09/22 15:49] – [IKE Daemon] kaipee
docs:guide-user:services:vpn:strongswan:basics [2022/03/03 15:18] (current) – [Configuration concept] typos fixed denisab85
Line 1: Line 1:
-====== IPsec Basics ====== +====== IPsec basics ====== 
-| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[docs:guide-user:services:vpn:overview]] | +A quick starters guide based on OpenWrt Barrier Breaker 14.07. 
- +Maybe it will save you and me time if one has to setup an IPsec VPN in the future. 
-A quick starters guide based on OpenWrt Barrier Breaker 14.07. Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Hopefully it will encourage other people to use Openwrt as an IPsec VPN router. We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. +Hopefully it will encourage other people to use OpenWrt as an IPsec VPN router. 
 +We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances.  
 +strongSwan is a recommended IPsec implementation.
  
 ===== Packages ===== ===== Packages =====
-If not already installed on your router you need at least the following packages. +If not already installed on your router you need the following packages. 
 +==== Required ====
   * strongswan-default: everything needed for IPsec tunnels    * strongswan-default: everything needed for IPsec tunnels 
   * ip: Required to make scripting easier   * ip: Required to make scripting easier
-  * iptables-mod-nat-extra: For VPN networks with [[docs:guide-user:services:vpn:ipsec:strongswan:overlappingsubnets|overlapping IP addresses]]+  * iptables-mod-nat-extra: For VPN networks with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]
   * djbdns-tools: for simpler name resolving than nslookup   * djbdns-tools: for simpler name resolving than nslookup
-  * strongswan-utils: only if you are running Chaos Calmer or you experience "ipsec: not found" error .+<code bash> 
 +opkg install strongswan-default ip iptables-mod-nat-extra djbdns-tools 
 +</code> 
 +==== Optional ==== 
 +  * strongswan-utils: only if you are running Chaos Calmer or you experience "ipsec: not found" error. 
 +<code bash> 
 +opkg install strongswan-utils 
 +</code>
   * kmod-crypto-echainiv: only for Turris Omnia if you receive an "SAD entry with SPI" error.   * kmod-crypto-echainiv: only for Turris Omnia if you receive an "SAD entry with SPI" error.
 +<code bash> 
 +opkg install kmod-crypto-echainiv 
 +</code>
 Altogether those packages will eat up about some MB of your router's flash memory. Maybe it is time for an [[docs:guide-user:additional-software:extroot_configuration]] installation? Altogether those packages will eat up about some MB of your router's flash memory. Maybe it is time for an [[docs:guide-user:additional-software:extroot_configuration]] installation?
- 
- 
  
 ===== Configuration concept ===== ===== Configuration concept =====
- +If you already worked with strongSwan you should know the different files you need to configure. 
-If you already worked with strongSwan you should know the different files you need to configure. They include +They include:
   * **/etc/strongswan.conf**: Central configuration file    * **/etc/strongswan.conf**: Central configuration file 
   * **/etc/ipsec.conf**: Tunnel definitions   * **/etc/ipsec.conf**: Tunnel definitions
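Review bot: The new "Required" install line `opkg install strongswan-default ip iptables-mod-nat-extra djbdns-tools` installs iptables-mod-nat-extra and djbdns-tools unconditionally, while the bullets directly above still describe them as needed only for VPN networks with overlapping IP addresses and as a convenience over nslookup; either move those two packages to the "Optional" section with their own opkg line, or keep the single line and reword the bullets so the list and the command agree. Separately, the table row linking to docs:guide-user:services:vpn:overview was dropped from the intro; the rest of this hunk only renames the namespace from ipsec:strongswan to strongswan, so if the cross-reference is still wanted it should be kept with the new path.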
Line 26: Line 35:
   * **/etc/ipsec.d**: Folder for certificates   * **/etc/ipsec.d**: Folder for certificates
  
-:!: Remark! If you you want to stay with that configuration you have reached the wrong place.  +:!: Remark! If youwant to stay with that configuration you have reached the wrong place. 
- +
-The major challenge is handling all of those files automatically with a clean integration into the OpenWrt configuration concept. To solve this we will use a hierarchical configuration process. That involves+
  
 +The major challenge is handling all of those files automatically with a clean integration into the OpenWrt configuration concept. To solve this we will use a hierarchical configuration process.
 +That involves:
   * **/etc/config/ipsec**: The OpenWrt configuration file for strongSwan   * **/etc/config/ipsec**: The OpenWrt configuration file for strongSwan
   * **/etc/init.d/ipsec**: The Strongswan start script. It will generate the required configuration files for strongSwan   * **/etc/init.d/ipsec**: The Strongswan start script. It will generate the required configuration files for strongSwan
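Review bot: The rewritten remark reads "If youwant to stay with that configuration"; the space between "you" and "want" was lost while removing the doubled "you", so this revision, labelled "typos fixed", introduces a new one. Suggested line: ":!: Remark! If you want to stay with that configuration you have reached the wrong place." The same hunk keeps "The Strongswan start script" in the /etc/init.d/ipsec bullet while the rest of the page spells the project name strongSwan.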
Line 36: Line 45:
   * **/var/strongswan.conf** : The generated central configuration file   * **/var/strongswan.conf** : The generated central configuration file
    
-Here a short example of the configuration methodology when having two VPN tunnels to ACME and Yabadoo networks +Here is a short example of the configuration methodology when having two VPN tunnels to ACME and Yabadoo networks 
  
 <code> <code>
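Review bot: The sentence "Here is a short example of the configuration methodology when having two VPN tunnels to ACME and Yabadoo networks" still has no terminating colon or period before the code block, and the "**/var/strongswan.conf** :" bullet keeps a stray space before the colon; both are small, but they fit the scope of a typo-fix revision and could be folded into this hunk.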
Line 56: Line 65:
 </code> </code>
  
-Read more about the complete syntax for [[docs:guide-user:services:vpn:ipsec:strongswan:basic|/etc/config/ipsec]]. +Read more about the complete syntax for [[docs:guide-user:services:vpn:strongswan:configuration|/etc/config/ipsec]].
  
 ===== IKE Daemon ===== ===== IKE Daemon =====
- 
 To let Charon run as a background daemon we can place a hook in the init environment. Therefore create the file **/etc/init.d/ipsec** and set the executable bit. Remark: This script is in an early alpha state. It currently works for site to site tunnels with preshared keys. Feel free to enhance it. To let Charon run as a background daemon we can place a hook in the init environment. Therefore create the file **/etc/init.d/ipsec** and set the executable bit. Remark: This script is in an early alpha state. It currently works for site to site tunnels with preshared keys. Feel free to enhance it.
  
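Review bot: Changing the /etc/config/ipsec syntax link from strongswan:basic to strongswan:configuration is the right fix, since the old target "basic" did not match this page's id "basics" and was most likely dead. The unchanged IKE Daemon paragraph in this hunk still tells readers to create /etc/init.d/ipsec by hand and notes the script is in an early alpha state and only handles site-to-site tunnels with preshared keys; a one-line pointer to that limitation in the Packages section would help readers who stop after the "Required" opkg command.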
Line 101: Line 108:
   fi   fi
 } }
-  +
- +
 ConfigPhase1() { ConfigPhase1() {
   local encryption_algorithm   local encryption_algorithm
Line 319: Line 325:
  
 ===== What's next ===== ===== What's next =====
-After the basic setup you should make sure you understand the [[docs:guide-user:services:vpn:ipsec:strongswan:performance|expected performance]] of low budget routers.+After the basic setup you should make sure you understand the [[docs:guide-user:services:vpn:strongswan:performance|expected performance]] of low budget routers.
  
  • Last modified: 2022/03/03 15:18
  • by denisab85