Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
docs:guide-user:services:vpn:ipsec:strongswan:basic [2020/03/17 15:38] – Change title lukepiccidocs:guide-user:services:vpn:strongswan:configuration [2024/12/01 18:36] (current) – keyingretries -> keyingtries to match init script https://github.com/openwrt/packages/blob/55a6cd43c6b51f9d57a89093ebe2cd9e06d7b5d4/net/strongswan/files/ipsec.init#L134 kevinoid
Line 1: Line 1:
 ====== strongSwan IPsec Configuration via UCI ====== ====== strongSwan IPsec Configuration via UCI ======
-Linux Charon IPsec daemon can be configured through /etc/config/ipsec.+Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''
 + 
 +**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.5'' packaging.  For previous versions, use the Wiki's page history functionality.
  
 ===== Sections ===== ===== Sections =====
 ==== ipsec ==== ==== ipsec ====
-^Name^Type^Required^Default^Description^ +| **Type**  ^ Name    ^ Type    ^ Required  ^ Default  ^ Description                                                                                                       
-|zone|string|no|vpn|Firewall zone. Has to match the defined [[docs:guide-user:services:vpn:ipsec:strongswan:firewall#zones|firewall zone]]| +| option    | zone    | string  | no        | vpn      | Firewall zone. Has to match the defined [[docs:guide-user:services:vpn:strongswan:firewall#zones|firewall zone]]  
-|listen|list|yes|''|Interface that accept VPN traffic (empty for all interfaces, multiple lines for several interfaces)| +| list      | listen  string  | yes       (none)   | Interface that accept VPN traffic (empty for all interfaces, multiple lines for several interfaces)               
-|debug|string|no|0|Trace level. Logs are written to /var/log/charon.log|+| option    | debug   number  | no        | 0        | Trace level: 0 is least verbose, 4 is most - logs visible from output of logread -f                               |
  
 ==== remote ==== ==== remote ====
Line 14: Line 16:
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
 |enabled|boolean|yes|(none)|Configuration is enabled or not| |enabled|boolean|yes|(none)|Configuration is enabled or not|
-|gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint+|gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint, or permitted subnets that peers can initiate this configuration from (analogue to local_leftip)
-|exchange_mode|string|no|main|Phase 1 negotiation (mainaggressive)|  +|local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint| 
-|local_identifier|string|no|(none)|local identifier for phase 1 | +|local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 configuration payloads requestsor in IKEv1 mode config (enables sending them/initiating it instead of quick mode)| 
-|remote_identifier|string|no|(none)|remote identifier for phase 1 | +|local_ip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| 
-|authentication_method|string|yes|(none)|Phase 1 authentication. Only allowed value ath the moment is psk|+|local_identifier|string|no|(none)|Local identifier for IKE (phase 1)
 +|remote_identifier|string|no|(none)|Remote identifier for IKE (phase 1)
 +|authentication_method|string|yes|(none)|IKE authentication (phase 1). Only allowed value ath the moment is psk|
 |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk| |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk|
-|p1_proposal|list|yes|(none)|Name of phase 1 proposal (see below)| +|crypto_proposal|list|yes|(none)|List of IKE (phase 1) proposals to use for authentication (see below)| 
-|tunnel|list|yes|(none)|Name of phase 2 section (see below)|+|tunnel|list|yes|(none)|Name of ESP/AH (phase 2section (see below)| 
 +|keyingtries|integer|no|3|Number of retransmissions to attempt during initial negotiation| 
 +|dpddelay|interval|no|30s|Liveness interval for IKE| 
 +|inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| 
 +|fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")| 
 +|mobike|string|no|yes|Enable MOBIKE on IKEv2| 
 +|local_cert|string|no|(none)|List of cert pathnames to use for authentication| 
 +|local_key|string|no|(none)|List of private key pathnames to use with above certificates| 
 +|ca_cert|string|no|(none)|List of names of CA certificates that need to lie in remote peer's certificate's path of trust| 
 +|rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| 
 +|overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)| 
 +|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)|
  
-==== p1_proposal ==== +==== crypto_proposal ==== 
-Definition of phase 1 proposals. Derived from [[https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites|stronSwan cipher suites]]+Definition of encryption proposals. Derived from [[https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites|strongSwan cipher suites]]
  
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
-|encryption_algorithm|string|yes|(none)|Phase 1 encryption method (aes128, aes192, aes256, 3des)| +|encryption_algorithm|string|yes|(none)|Encryption method (aes128, aes192, aes256, 3des)| 
-|hash_alogrithm|string|yes|(none)|Phase 1 hash alogrithm (md5,sha1) | +|hash_algorithm|string|yes|(none)|Hash algorithm (md5, sha1, sha2, ...not permitted when an AEAD algorithm is used 
-|dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...|+|dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...)| 
 +|prf_algorithm|string|no|(none)|Pseudo-Random Functions to use with IKE (prfmd5, prfsha1, prfsha256, ...); not applicable to ESP|
  
 ==== tunnel ==== ==== tunnel ====
Line 35: Line 51:
  
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
-|local_subnet|subnet|yes|(none)|Local network| +|local_subnet|list|yes|(none)|Local network(s) one per line
-|remote_subnet|subnet|yes|(none)|Remote network| +|remote_subnet|list|yes|(none)|Remote network(s) one per line
-|local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:ipsec:strongswan:overlappingsubnets|overlapping IP addresses]]| +|local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]| 
-|p2_proposal|string|yes|(none)|link to phase 2 proposal|+|crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals| 
 +|startaction|string|no|route|Action on initial configuration load (none, start, route)| 
 +|updown|string|no|(none)|Path to script to run on CHILD_SA up/down events| 
 +|lifetime|interval|no|(none)|Maximum duration of the CHILD_SA before closing (defaults to 110% of rekeytime)| 
 +|rekeytime|interval|no|(none)|Duration of the CHILD_SA before rekeying| 
 +|dpdaction|string|no|(none)|Action done when DPD timeout occurs (may be "none", "clear", "hold", "restart", "trap", or "start")| 
 +|closeaction|string|no|route|Action done when CHILD_SA is closed (may be "add", "route", "start", "none", or "trap")| 
 +|if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with "ifid" values in route entries on "xfrm" interfaces)| 
 +|priority|string|no|(none)|Priority of the CHILD_SA| 
 +|ipcomp|bool|no|false|Enable ipcomp compression| 
 +|hw_offload|bool|no|false|Enable H/W offload|
  
-==== p2_proposal ==== +Local configuration for ''/etc/config/ipsec'':
-Definition of phase 2 proposal. Derived from [[https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites|stronSwan cipher suites]]+
  
-^Name^Type^Required^Default^Description^ +<code bash> 
-|pfs_group|string|yes|(none)|Comma separated list of of Diffie-Hellman exponentiations (you can omit thiswhen peer is Cisco ASA)| +config 'ipsec' 
-|encryption_algorithm|string|yes|(none)|Comma separaeted list of encryption algorithms (aes128aes192, aes256, 3des)| +  # useful so traffic isn't sourced from internal addresses
-|authentication_algorithm|string|yes|(none)|Comma separated list of authentications (md5, sha1)|+  # which would then requiring NATting and port 4500etc. 
 +  list 'interface' 'wan' 
 +  option 'zone' 'vpn'
  
-Example taken from the [[docs:guide-user:services:vpn:ipsec:strongswan:site2site|IPSec site to site howto]].+config 'remote' 'acme' 
 +  option 'enabled' '1
 +  # address of wan device 
 +  option 'local_ip' '6.6.6.6' 
 +  # peer has routable DHCP'd address which changes 
 +  option 'gateway' 'any' 
 +  option 'authentication_method' 'pubkey' 
 +  option 'local_identifier' 'C=US, O=Acme Corporation, CN=headquarters' 
 +  option 'remote_identifier' 'C=US, O=Acme Corporation, CN=soho' 
 +  option 'local_cert' 'headquarters.crt' 
 +  option 'local_key' 'headquarters.key' 
 +  option 'ca_cert' 'acme.crt' 
 +  option 'rekeytime' '4h' 
 +  option 'keyingtries' '0' 
 +  option 'mobike' '0' 
 +  option 'fragmentation' '1' 
 +  list   'crypto_proposal' 'ike_proposal' 
 +  list   'tunnel' 'tun_soho' 
 + 
 +config 'crypto_proposal' 'ike_proposal' 
 +  option 'encryption_algorithm' 'aes256gcm' 
 +  # no hash_algorithm allowed with AEAD 
 +  option 'dh_group' 'modp3072' 
 +  option prf_algorithm 'prfsha512' 
 + 
 +# we don't specify subnets because we're going to use XFRM-interfaced based routes instead 
 +config 'tunnel' 'tun_soho' 
 +  list   'local_subnet' '0.0.0.0/0' 
 +  list   'remote_subnet' '0.0.0.0/0' 
 +  option 'if_id' '357' 
 +  option 'rekeytime' '1h' 
 +  # other end is behind NAT or we'd use 'route' to initiate 
 +  option 'startaction' 'none' 
 +  option 'closeaction' 'none' 
 +  list   'crypto_proposal' 'esp_proposal' 
 + 
 +config 'crypto_proposal' 'esp_proposal' 
 +  option 'encryption_algorithm' 'aes256gcm' 
 +  # no hash_algorithm with allowed with AEAD 
 +  option 'dh_group' 'modp3072' 
 +</code> 
 + 
 +and to support XFRM-based interfaces with associated routing, we put the following into ''/etc/config/network'': 
 + 
 +<code bash> 
 +config 'interface' 'xfrm0' 
 +  option 'ifid' '357' 
 +  option 'tunlink' 'wan' 
 +  option 'mtu' '1438' 
 +  option 'zone' 'vpn' 
 +  option 'proto' 'xfrm' 
 +  # useful if you want to run Bonjour/mDNS across VPN tunnels 
 +  option 'multicast' 'true' 
 + 
 +config 'interface' 'xfrm0_s' 
 +  option 'ifname' '@xfrm0' 
 +  option 'proto' 'static' 
 +  option 'ipaddr' '192.168.254.1/30' 
 + 
 +config 'route' 
 +  option 'interface' 'xfrm0' 
 +  option 'target' '192.168.10.0/24' 
 +  option 'source' '192.168.1.1' 
 +</code> 
 + 
 +Lastly, ''/etc/config/firewall'' requires: 
 + 
 +<code bash> 
 +config 'zone' 
 +  option 'name' 'vpn' 
 +  option 'network' 'xfrm0' 
 +  option 'input' 'ACCEPT' 
 +  option 'output' 'ACCEPT' 
 +  option 'forward' 'ACCEPT' 
 +  option 'mtu_fix' '1' 
 + 
 +config 'forwarding' 
 +  option 'src' 'lan' 
 +  option 'dest' 'vpn' 
 + 
 +config 'forwarding' 
 +  option 'src' 'vpn' 
 +  option 'dest' 'lan' 
 + 
 +config 'rule' 
 +  option 'name' 'Allow-IPSec-ESP' 
 +  option 'src' 'wan' 
 +  option 'proto' 'esp' 
 +  option 'family' 'ipv4' 
 +  option 'target' 'ACCEPT' 
 + 
 +config 'rule' 
 +  option 'name' 'Allow-ISP-ISAKMP' 
 +  option 'src' 'wan' 
 +  option 'src_port' '500' 
 +  option 'dest_port' '500' 
 +  option 'proto' 'udp' 
 +  option 'family' 'ipv4' 
 +  option 'target' 'ACCEPT' 
 +</code> 
 + 
 +Lastly generate the certificates for both ends on the hub: 
 + 
 +<code bash> 
 +root@HQ:~# gencerts -s US acme.com "Acme Corporation" headquarters soho 
 +Generated as headquarters-certs.tar.gz 
 +Generated as soho-certs.tar.gz 
 +root@HQ:~# tar ztvf headquarters-certs.tar.gz  
 +-r--r--r-- 0/0      1870 2021-06-17 19:01:38 swanctl/x509ca/acme.crt 
 +-r--r--r-- 0/0      1923 2021-06-17 19:01:53 swanctl/x509/headquarters.crt 
 +-r-------- 0/0      3243 2021-06-17 19:01:53 swanctl/private/headquarters.key 
 +root@HQ:~# tar ztvf soho-certs.tar.gz  
 +-r--r--r-- 0/0      1870 2021-06-17 19:01:38 swanctl/x509ca/acme.crt 
 +-r--r--r-- 0/0      1903 2021-06-17 19:02:04 swanctl/x509/soho.crt 
 +-r-------- 0/0      3243 2021-06-17 19:02:04 swanctl/private/soho.key 
 +root@HQ:~#  
 +</code> 
 + 
 +Note that the filenames in ''headquarters.tar.gz'' correspond to ''local_cert'', ''local_key'', and ''ca_cert'' above Similarly, the certificate's subject corresponds to the ''local_identifier'': 
 + 
 +<code bash> 
 +root@HQ:~# openssl x509 -in /etc/swanctl/x509/headquarters.crt -noout -subject 
 +subject=C = US, O = Acme Corporation, CN = headquarters 
 +root@OpenWrt2:~#  
 +</code> 
 + 
 +As these files are present on the headquarters firewall already, you can remove ''headquarters.tar.gz'' You can also remove: 
 + 
 +<code bash> 
 +/etc/swanctl/x509/soho.crt 
 +/etc/swanctl/private/soho.key 
 +</code> 
 + 
 +as these are only needed on the remote end (SoHo). 
 + 
 +Now copy the ''soho-certs.tar.gz'' file over to the SoHo router, and unpack it with: 
 + 
 +<code bash> 
 +root@SoHo:~# tar -zxf soho-certs.tar.gz -C /etc 
 +</code> 
 + 
 +Lastly, configure ''/etc/config/ipsec'' on the SoHo router:
  
 <code bash> <code bash>
 config 'ipsec' config 'ipsec'
   option 'zone' 'vpn'   option 'zone' 'vpn'
 +  listen 'interface' 'wan'
  
-config 'remote' 'acme'+config 'remote' 'headquarters'
   option 'enabled' '1'   option 'enabled' '1'
-  option 'gateway' '7.7.7.7+  option 'local_ip' '%any' 
-  option 'authentication_method' 'psk+  option 'gateway' '6.6.6.6' 
-  option 'pre_shared_key' 'yourpasswordhere+  option 'local_identifier' 'C=US, O=Acme Corporation, CN=soho' 
-  list   'p1_proposal' 'pre_g2_aes_sha1+  option 'remote_identifier' 'C=US, O=Acme Corporation, CN=headquarters
-  list   'sainfo' 'acme_dmz+  option 'authentication_method' 'pubkey
-  list   'sainfo' 'acme_lan'+  option 'fragmentation' '1' 
 +  option 'local_cert' 'soho.crt' 
 +  option 'local_key' 'soho.key' 
 +  option 'ca_cert' 'acme.crt' 
 +  option 'rekeytime' '4h' 
 +  option 'keyingtries' '0' 
 +  option 'mobike' 0 
 +  list 'crypto_proposal' 'ike_proposal' 
 +  list 'tunnel' 'tun_headquarters' 
 +   
 +config 'crypto_proposal' 'ike_proposal' 
 +  option 'encryption_algorithm' 'aes256gcm128' 
 +  # no hash_algorithm allowed with AEAD 
 +  option 'dh_group' 'modp3072' 
 +  option 'prf_algorithm' 'prfsha512' 
 +   
 +config tunnel 'tun_headquarters
 +  list   'local_subnet' '0.0.0.0/0
 +  list   'remote_subnet' '0.0.0.0/0' 
 +  option 'if_id' '308' 
 +  option 'rekeytime' '1h' 
 +  option 'startaction' 'trap' 
 +  option 'closeaction' 'none' 
 +  option 'dpdaction' 'restart' 
 +  list 'crypto_proposal' 'esp_proposal'
  
-config 'p1_proposal' 'pre_g2_aes_sha1+config 'crypto_proposal' 'esp_proposal
-  option 'encryption_algorithm' 'aes128+  option 'encryption_algorithm' 'aes256gcm128
-  option 'hash_algorithm' 'sha1' +  # no hash_algorithm allowed with AEAD 
-  option 'dh_group' 'modp1024'+  option 'dh_group' 'modp3072' 
 +</code>
  
-config 'tunnel'acme_lan' +Now modify ''/etc/config/firewall'' as above, and ''/etc/config/network'' as:
-  option 'local_subnet' '192.168.2.64/26' +
-  option 'remote_subnet' '10.1.2.0/24' +
-  option 'p2_proposal' 'g2_aes_sha1'+
  
-config 'p2_proposal' 'g2_aes_sha1+<code bash> 
-  option 'pfs_group' 'modp1024+config 'interface' 'xfrm0
-  option 'encryption_algorithm' 'aes 128+  option 'ifid' '308
-  option 'authentication_algorithm' 'sha1'+  option 'tunlink' 'wan
 +  option 'mtu' '1438' 
 +  option 'zone' 'vpn' 
 +  option 'proto' 'xfrm' 
 +  # useful if you want to run Bonjour/mDNS across VPN tunnels 
 +  option 'multicast' 'true' 
 + 
 +config 'interface' 'xfrm0_s' 
 +  option 'ifname' '@xfrm0' 
 +  option 'proto' 'static' 
 +  option 'ipaddr' '192.168.254.2/30' 
 + 
 +config 'route' 
 +  option 'interface' 'xfrm0' 
 +  option 'target' '192.168.1.0/24' 
 +  # assuming lan has the address 192.168.10.1/24 
 +  option 'source' '192.168.10.1'
 </code> </code>
  
-===== Windows Native VPN Client Proposals ===== +And when this is all done, on both ends do:
-The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7)+
  
-^Proposal^Encryption^Hash^DH Group^ +<code bash> 
-|#1|aes256|sha1|20| +root@HQ:~/etc/init.d/swanctl enable 
-|#2|aes128|sha1|19| +root@HQ:~/etc/init.d/swanctl restart 
-|#3|aes256|sha1|modp2048| +</code>
-|#4|3des|sha1|modp2048| +
-|#5|3des|sha1|modp1024|+
  
  • Last modified: 2024/12/01 18:36
  • by kevinoid