strongSwan IPsec Configuration via UCI

strongSwan's charon IPsec daemon can be configured through /etc/config/ipsec.

Section 'ipsec': global settings.

Name | Type | Required | Default | Description
zone | string | no | vpn | Firewall zone. Has to match the defined firewall zone.
listen | list | yes | '' | Interfaces that accept VPN traffic (empty for all interfaces, one line per interface for several interfaces)
debug | string | no | 0 | Trace level. Logs are written to /var/log/charon.log

Section 'remote': contains the tunnel definition.

Name | Type | Required | Default | Description
enabled | boolean | yes | (none) | Whether the configuration is enabled
gateway | ipaddr | yes | (none) | IP address or FQDN of the tunnel remote endpoint
exchange_mode | string | no | main | Phase 1 negotiation mode (main, aggressive)
local_identifier | string | no | (none) | Local identifier for phase 1
remote_identifier | string | no | (none) | Remote identifier for phase 1
authentication_method | string | yes | (none) | Phase 1 authentication. The only allowed value at the moment is psk
pre_shared_key | string | no | (none) | The pre-shared key for the tunnel if authentication_method is psk
p1_proposal | list | yes | (none) | Name of a phase 1 proposal section (see below)
tunnel | list | yes | (none) | Name of a tunnel section (see below); one line per tunnel

Section 'p1_proposal': definition of phase 1 proposals. Derived from strongSwan cipher suites.

Name | Type | Required | Default | Description
encryption_algorithm | string | yes | (none) | Phase 1 encryption algorithm (aes128, aes192, aes256, 3des)
hash_algorithm | string | yes | (none) | Phase 1 hash algorithm (md5, sha1)
dh_group | string | yes | (none) | Diffie-Hellman group (modp768, modp1024, …

Section 'tunnel': contains the network definition per tunnel.

Name | Type | Required | Default | Description
local_subnet | subnet | yes | (none) | Local network
remote_subnet | subnet | yes | (none) | Remote network
local_nat | subnet | no | (none) | NAT range for tunnels with overlapping IP addresses
p2_proposal | string | yes | (none) | Name of a phase 2 proposal section (see below)

Section 'p2_proposal': definition of phase 2 proposals. Derived from strongSwan cipher suites.

Name | Type | Required | Default | Description
pfs_group | string | yes | (none) | Comma-separated list of Diffie-Hellman groups (you can omit this when the peer is a Cisco ASA)
encryption_algorithm | string | yes | (none) | Comma-separated list of encryption algorithms (aes128, aes192, aes256, 3des)
authentication_algorithm | string | yes | (none) | Comma-separated list of authentication algorithms (md5, sha1)

Example 1, taken from the IPsec site-to-site howto. Fill in the gateway and the two subnets; every name listed under 'tunnel' needs a matching 'tunnel' section (only acme_lan is shown here).

config 'ipsec'
  option 'zone' 'vpn'
config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' ''
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'acme_dmz'
  list   'tunnel' 'acme_lan'
config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'
config 'tunnel' 'acme_lan'
  option 'local_subnet' ''
  option 'remote_subnet' ''
  option 'p2_proposal' 'g2_aes_sha1'
config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'
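A mistake in this file (a tunnel listed but never defined, a proposal name that does not resolve, a misspelled algorithm) silently leaves a site without its tunnel, so it is worth linting /etc/config/ipsec against the tables above before reloading. The following is an added example, not part of this page or of the strongSwan package: a minimal UCI parser plus a checker for the section references and algorithm names documented here, run over a constructed sample that deliberately contains two such defects.

```python
import shlex
# Constructed sample in the documented /etc/config/ipsec layout; it lists a tunnel that is never defined and misspells 'aes128'.
SAMPLE = """
config 'remote' 'acme'
  option 'gateway' '192.0.2.1'
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'example-psk-change-me'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'acme_lan'
  list   'tunnel' 'acme_dmz'
config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
config 'tunnel' 'acme_lan'
  option 'local_subnet' '10.0.0.0/24'
  option 'p2_proposal' 'g2_aes_sha1'
config 'p2_proposal' 'g2_aes_sha1'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'sha1'
"""
ENC, HASH = {"aes128", "aes192", "aes256", "3des"}, {"md5", "sha1"}
def parse_uci(text):
    """Return {section_type: {name: {option: value or [list values]}}} from UCI text."""
    secs, cur = {}, None
    for tok in filter(None, (shlex.split(l, comments=True) for l in text.splitlines())):
        if tok[0] == "config":
            cur = secs.setdefault(tok[1], {}).setdefault(tok[2] if len(tok) > 2 else "", {})
        elif tok[0] == "option":
            cur[tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok[0] == "list":
            cur.setdefault(tok[1], []).append(tok[2])
    return secs
def lint_ipsec(text):
    """Cross-check section references and algorithm names against the tables above."""
    s, bad = parse_uci(text), []
    for name, r in s.get("remote", {}).items():
        if r.get("authentication_method") != "psk" or not r.get("pre_shared_key"):
            bad.append(f"remote {name}: authentication_method must be psk with a pre_shared_key")
        bad += [f"remote {name}: undefined p1_proposal {p}"
                for p in r.get("p1_proposal", []) if p not in s.get("p1_proposal", {})]
        bad += [f"remote {name}: undefined tunnel {t}"
                for t in r.get("tunnel", []) if t not in s.get("tunnel", {})]
    for name, t in s.get("tunnel", {}).items():
        if t.get("p2_proposal") not in s.get("p2_proposal", {}):
            bad.append(f"tunnel {name}: undefined p2_proposal {t.get('p2_proposal')}")
    for name, p in s.get("p2_proposal", {}).items():  # phase 2 values are comma lists
        for key, ok in (("encryption_algorithm", ENC), ("authentication_algorithm", HASH)):
            bad += [f"p2_proposal {name}: unknown {key} '{a.strip()}'"
                    for a in p.get(key, "").split(",") if a.strip() not in ok]
    return bad
```

Calling lint_ipsec(open("/etc/config/ipsec").read()) on a router returns an empty list for a consistent file; the sample above yields one undefined-tunnel and one unknown-algorithm finding.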

The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7).

Proposal | Encryption | Hash | DH Group
  • Last modified: 2020/11/25 02:56
  • by philipp