Differences

docs:guide-user:services:vpn:ipsec:strongswan:basics [2020/10/05 01:12] – [IPsec Basics] update vgaetera
docs:guide-user:services:vpn:strongswan:basics [2020/10/08 13:20] – ↷ Links adapted because of a move operation tmomas
Line 1: Line 1:
-====== IPsec Basics ======+====== IPsec basics ======
 A quick starters guide based on OpenWrt Barrier Breaker 14.07. A quick starters guide based on OpenWrt Barrier Breaker 14.07.
 Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Maybe it will save you and me time if one has to setup an IPsec VPN in the future.
-Hopefully it will encourage other people to use Openwrt as an IPsec VPN router.+Hopefully it will encourage other people to use OpenWrt as an IPsec VPN router.
 We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances.  We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. 
 strongSwan is a recommended IPsec implementation. strongSwan is a recommended IPsec implementation.
Line 10: Line 10:
   * strongswan-default: everything needed for IPsec tunnels    * strongswan-default: everything needed for IPsec tunnels 
   * ip: Required to make scripting easier   * ip: Required to make scripting easier
-  * iptables-mod-nat-extra: For VPN networks with [[docs:guide-user:services:vpn:ipsec:strongswan:overlappingsubnets|overlapping IP addresses]]+  * iptables-mod-nat-extra: For VPN networks with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]
   * djbdns-tools: for simpler name resolving than nslookup   * djbdns-tools: for simpler name resolving than nslookup
   * strongswan-utils: only if you are running Chaos Calmer or you experience "ipsec: not found" error .   * strongswan-utils: only if you are running Chaos Calmer or you experience "ipsec: not found" error .
Line 16: Line 16:
  
 Altogether those packages will eat up about some MB of your router's flash memory. Maybe it is time for an [[docs:guide-user:additional-software:extroot_configuration]] installation? Altogether those packages will eat up about some MB of your router's flash memory. Maybe it is time for an [[docs:guide-user:additional-software:extroot_configuration]] installation?
- 
- 
  
 ===== Configuration concept ===== ===== Configuration concept =====
- +If you already worked with strongSwan you should know the different files you need to configure. 
-If you already worked with strongSwan you should know the different files you need to configure. They include +They include:
   * **/etc/strongswan.conf**: Central configuration file    * **/etc/strongswan.conf**: Central configuration file 
   * **/etc/ipsec.conf**: Tunnel definitions   * **/etc/ipsec.conf**: Tunnel definitions
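Review bot: the unchanged context line "Altogether those packages will eat up about some MB of your router's flash memory" gives no actual figure; since this hunk already edits the surrounding paragraph, it would be a good moment to replace "about some MB" with the measured installed size of the listed packages, or to drop the sentence's size claim entirely rather than leave it vague.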
Line 30: Line 27:
 :!: Remark! If you you want to stay with that configuration you have reached the wrong place.  :!: Remark! If you you want to stay with that configuration you have reached the wrong place. 
  
-The major challenge is handling all of those files automatically with a clean integration into the OpenWrt configuration concept. To solve this we will use a hierarchical configuration process. That involves +The major challenge is handling all of those files automatically with a clean integration into the OpenWrt configuration concept. To solve this we will use a hierarchical configuration process. 
 +That involves:
   * **/etc/config/ipsec**: The OpenWrt configuration file for strongSwan   * **/etc/config/ipsec**: The OpenWrt configuration file for strongSwan
   * **/etc/init.d/ipsec**: The Strongswan start script. It will generate the required configuration files for strongSwan   * **/etc/init.d/ipsec**: The Strongswan start script. It will generate the required configuration files for strongSwan
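Review bot: the context line ":!: Remark! If you you want to stay with that configuration you have reached the wrong place." has a doubled "you", and the list item "The Strongswan start script" capitalizes the project name differently from "strongSwan" used in the rest of this hunk; both are worth fixing in the same pass, since the hunk is already reflowing the "That involves:" sentence immediately above them.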
Line 58: Line 55:
 </code> </code>
  
-Read more about the complete syntax for [[docs:guide-user:services:vpn:ipsec:strongswan:basic|/etc/config/ipsec]]. +Read more about the complete syntax for [[docs:guide-user:services:vpn:strongswan:configuration|/etc/config/ipsec]].
  
 ===== IKE Daemon ===== ===== IKE Daemon =====
- 
 To let Charon run as a background daemon we can place a hook in the init environment. Therefore create the file **/etc/init.d/ipsec** and set the executable bit. Remark: This script is in an early alpha state. It currently works for site to site tunnels with preshared keys. Feel free to enhance it. To let Charon run as a background daemon we can place a hook in the init environment. Therefore create the file **/etc/init.d/ipsec** and set the executable bit. Remark: This script is in an early alpha state. It currently works for site to site tunnels with preshared keys. Feel free to enhance it.
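Review bot: this hunk changes more than the namespace: the link target is rewritten from docs:guide-user:services:vpn:ipsec:strongswan:basic to docs:guide-user:services:vpn:strongswan:configuration, so the page name itself changes from "basic" to "configuration" while the link text stays "/etc/config/ipsec". A move operation would normally only adjust the namespace prefix; confirm that "configuration" is the intended target for the full /etc/config/ipsec syntax and that the old "basic" link was not simply a typo for this page (basics), in which case the new target should be checked to exist.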
  
Line 103: Line 98:
   fi   fi
 } }
-  +
- +
 ConfigPhase1() { ConfigPhase1() {
   local encryption_algorithm   local encryption_algorithm
Line 321: Line 315:
  
 ===== What's next ===== ===== What's next =====
-After the basic setup you should make sure you understand the [[docs:guide-user:services:vpn:ipsec:strongswan:performance|expected performance]] of low budget routers.+After the basic setup you should make sure you understand the [[docs:guide-user:services:vpn:strongswan:performance|expected performance]] of low budget routers.
  
  • Last modified: 2022/03/03 15:18
  • by denisab85