Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision | ||
| docs:guide-user:services:vpn:strongswan:configuration [2020/10/09 22:34] – Fix spelling error philipp | docs:guide-user:services:vpn:strongswan:configuration [2022/12/12 00:25] – Fix examples: 'keyingtries' -> 'keyingretries' pcrump | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== strongSwan IPsec Configuration via UCI ====== | ====== strongSwan IPsec Configuration via UCI ====== | ||
| - | Linux Charon IPsec daemon can be configured through / | + | Linux Charon IPsec daemon can be configured through |
| + | |||
| + | **Note**: this has been updated to the '' | ||
| ===== Sections ===== | ===== Sections ===== | ||
| Line 6: | Line 8: | ||
| ^Name^Type^Required^Default^Description^ | ^Name^Type^Required^Default^Description^ | ||
| |zone|string|no|vpn|Firewall zone. Has to match the defined [[docs: | |zone|string|no|vpn|Firewall zone. Has to match the defined [[docs: | ||
| - | |listen|list|yes|'' | + | |listen|list|yes|(none)|Interface that accept VPN traffic (empty for all interfaces, multiple lines for several interfaces)| |
| - | |debug|string|no|0|Trace level. Logs are written to / | + | |debug|string|no|0|Trace level. Logs are written to '' |
| ==== remote ==== | ==== remote ==== | ||
| Line 14: | Line 16: | ||
| ^Name^Type^Required^Default^Description^ | ^Name^Type^Required^Default^Description^ | ||
| |enabled|boolean|yes|(none)|Configuration is enabled or not| | |enabled|boolean|yes|(none)|Configuration is enabled or not| | ||
| - | |gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint. | | + | |gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint, or permitted subnets that peers can initiate this configuration from (analogue to local_leftip)| |
| - | |exchange_mode|string|no|main|Phase 1 negotiation | + | |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint| |
| - | |local_identifier|string|no|(none)|local identifier for phase 1 | | + | |local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 configuration payloads requests, or in IKEv1 mode config (enables sending them/ |
| - | |remote_identifier|string|no|(none)|remote | + | |local_ip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| |
| - | |authentication_method|string|yes|(none)|Phase 1 authentication. Only allowed value ath the moment is psk| | + | |local_identifier|string|no|(none)|Local identifier for IKE (phase 1)| |
| + | |remote_identifier|string|no|(none)|Remote | ||
| + | |authentication_method|string|yes|(none)|IKE authentication | ||
| |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk| | |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk| | ||
| - | |p1_proposal|list|yes|(none)|Name of phase 1 proposal | + | |crypto_proposal|list|yes|(none)|List of IKE (phase 1) proposals to use for authentication |
| - | |tunnel|list|yes|(none)|Name of phase 2 section (see below)| | + | |tunnel|list|yes|(none)|Name of ESP/AH (phase 2) section (see below)| |
| + | |keyingretries|integer|no|3|Number of retransmissions to attempt during initial negotiation| | ||
| + | |dpddelay|interval|no|30s|Liveness interval for IKE| | ||
| + | |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| | ||
| + | |fragmentation|string|no|yes|Use IKE fragmentation (maybe " | ||
| + | |mobike|string|no|yes|Enable MOBIKE on IKEv2| | ||
| + | |local_cert|string|no|(none)|List of cert pathnames to use for authentication| | ||
| + | |local_key|string|no|(none)|List of private key pathnames to use with above certificates| | ||
| + | |ca_cert|string|no|(none)|List of names of CA certificates that need to lie in remote peer's certificate' | ||
| + | |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| | ||
| + | |overtime|interval|no|(none)|Limit on time to complete rekeying/ | ||
| + | |keyexchange|string|no|ikev2|Version of IKE to negotiation (" | ||
| - | ==== p1_proposal | + | ==== crypto_proposal |
| - | Definition of phase 1 proposals. Derived from [[https:// | + | Definition of encryption |
| ^Name^Type^Required^Default^Description^ | ^Name^Type^Required^Default^Description^ | ||
| - | |encryption_algorithm|string|yes|(none)|Phase 1 encryption | + | |encryption_algorithm|string|yes|(none)|Encryption |
| - | |hash_alogrithm|string|yes|(none)|Phase 1 hash alogrithm | + | |hash_algorithm|string|yes|(none)|Hash algorithm |
| - | |dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...| | + | |dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...)| |
| + | |prf_algorithm|string|no|(none)|Pseudo-Random Functions to use with IKE (prfmd5, prfsha1, prfsha256, ...); not applicable to ESP| | ||
| ==== tunnel ==== | ==== tunnel ==== | ||
| Line 35: | Line 51: | ||
| ^Name^Type^Required^Default^Description^ | ^Name^Type^Required^Default^Description^ | ||
| - | |local_subnet|subnet|yes|(none)|Local network| | + | |local_subnet|list|yes|(none)|Local network(s) one per line| |
| - | |remote_subnet|subnet|yes|(none)|Remote network| | + | |remote_subnet|list|yes|(none)|Remote network(s) one per line| |
| |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs: | |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs: | ||
| - | |p2_proposal|string|yes|(none)|link to phase 2 proposal| | + | |crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals| |
| + | |startaction|string|no|route|Action on initial configuration load (none, start, route)| | ||
| + | |updown|string|no|(none)|Path to script to run on CHILD_SA up/down events| | ||
| + | |lifetime|interval|no|(none)|Maximum duration of the CHILD_SA before closing (defaults to 110% of rekeytime)| | ||
| + | |rekeytime|interval|no|(none)|Duration of the CHILD_SA before rekeying| | ||
| + | |dpdaction|string|no|(none)|Action done when DPD timeout occurs (may be " | ||
| + | |closeaction|string|no|route|Action done when CHILD_SA is closed (may be " | ||
| + | |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with " | ||
| + | |priority|string|no|(none)|Priority of the CHILD_SA| | ||
| + | |ipcomp|bool|no|false|Enable ipcomp compression| | ||
| + | |hw_offload|bool|no|false|Enable H/W offload| | ||
| - | ==== p2_proposal ==== | + | Local configuration for '' |
| - | Definition of phase 2 proposal. Derived from [[https://wiki.strongswan.org/projects/ | + | |
| - | ^Name^Type^Required^Default^Description^ | + | <code bash> |
| - | |pfs_group|string|yes|(none)|Comma separated list of of Diffie-Hellman exponentiations (you can omit this, when peer is Cisco ASA)| | + | config ' |
| - | |encryption_algorithm|string|yes|(none)|Comma separaeted list of encryption algorithms (aes128, aes192, aes256, 3des)| | + | # useful so traffic isn't sourced from internal addresses, |
| - | |authentication_algorithm|string|yes|(none)|Comma separated | + | # which would then requiring NATting and port 4500, etc. |
| + | list ' | ||
| + | option ' | ||
| - | Example | + | config ' |
| + | option ' | ||
| + | # address of wan device | ||
| + | option ' | ||
| + | # peer has routable DHCP'd address which changes | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | list ' | ||
| + | list ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | # no hash_algorithm allowed with AEAD | ||
| + | option ' | ||
| + | option prf_algorithm ' | ||
| + | |||
| + | # we don't specify subnets because we're going to use XFRM-interfaced based routes instead | ||
| + | config ' | ||
| + | list ' | ||
| + | list ' | ||
| + | option ' | ||
| + | option ' | ||
| + | # other end is behind NAT or we'd use ' | ||
| + | option ' | ||
| + | option ' | ||
| + | list ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | # no hash_algorithm with allowed with AEAD | ||
| + | option ' | ||
| + | </ | ||
| + | |||
| + | and to support XFRM-based interfaces with associated routing, we put the following into ''/ | ||
| + | |||
| + | <code bash> | ||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | # useful if you want to run Bonjour/ | ||
| + | option ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | </ | ||
| + | |||
| + | Lastly, ''/ | ||
| + | |||
| + | <code bash> | ||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | </ | ||
| + | |||
| + | Lastly generate the certificates for both ends on the hub: | ||
| + | |||
| + | <code bash> | ||
| + | root@HQ:~# gencerts -s US acme.com "Acme Corporation" | ||
| + | Generated as headquarters-certs.tar.gz | ||
| + | Generated as soho-certs.tar.gz | ||
| + | root@HQ:~# tar ztvf headquarters-certs.tar.gz | ||
| + | -r--r--r-- 0/0 1870 2021-06-17 19:01:38 swanctl/ | ||
| + | -r--r--r-- 0/0 1923 2021-06-17 19:01:53 swanctl/ | ||
| + | -r-------- 0/0 3243 2021-06-17 19:01:53 swanctl/ | ||
| + | root@HQ:~# tar ztvf soho-certs.tar.gz | ||
| + | -r--r--r-- 0/0 1870 2021-06-17 19:01:38 swanctl/ | ||
| + | -r--r--r-- 0/0 1903 2021-06-17 19:02:04 swanctl/ | ||
| + | -r-------- 0/0 3243 2021-06-17 19:02:04 swanctl/ | ||
| + | root@HQ:~# | ||
| + | </ | ||
| + | |||
| + | Note that the filenames in '' | ||
| + | |||
| + | <code bash> | ||
| + | root@HQ:~# openssl x509 -in / | ||
| + | subject=C = US, O = Acme Corporation, | ||
| + | root@OpenWrt2: | ||
| + | </ | ||
| + | |||
| + | As these files are present on the headquarters firewall already, you can remove '' | ||
| + | |||
| + | <code bash> | ||
| + | / | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | as these are only needed on the remote end (SoHo). | ||
| + | |||
| + | Now copy the '' | ||
| + | |||
| + | <code bash> | ||
| + | root@SoHo: | ||
| + | </ | ||
| + | |||
| + | Lastly, configure ''/ | ||
| <code bash> | <code bash> | ||
| config ' | config ' | ||
| option ' | option ' | ||
| + | listen ' | ||
| - | config ' | + | config ' |
| option ' | option ' | ||
| - | option ' | + | |
| - | option ' | + | |
| - | option 'pre_shared_key' 'yourpasswordhere' | + | option ' |
| - | list | + | option ' |
| - | list ' | + | option ' |
| - | list ' | + | option 'fragmentation' '1' |
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | list 'crypto_proposal' 'ike_proposal' | ||
| + | list ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | # no hash_algorithm allowed with AEAD | ||
| + | option ' | ||
| + | option ' | ||
| + | |||
| + | config tunnel ' | ||
| + | list ' | ||
| + | list ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | list ' | ||
| - | config 'p1_proposal' 'pre_g2_aes_sha1' | + | config 'crypto_proposal' 'esp_proposal' |
| - | option ' | + | option ' |
| - | | + | |
| - | option ' | + | option ' |
| + | </ | ||
| - | config | + | Now modify |
| - | option ' | + | |
| - | option | + | |
| - | option ' | + | |
| - | config 'p2_proposal' 'g2_aes_sha1' | + | <code bash> |
| - | option 'pfs_group' 'modp1024' | + | config 'interface' 'xfrm0' |
| - | option 'encryption_algorithm' 'aes 128' | + | option 'ifid' '308' |
| - | option 'authentication_algorithm' 'sha1' | + | option 'tunlink' 'wan' |
| + | option 'mtu' ' | ||
| + | option ' | ||
| + | option ' | ||
| + | # useful if you want to run Bonjour/ | ||
| + | option ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | option ' | ||
| + | |||
| + | config ' | ||
| + | option ' | ||
| + | option ' | ||
| + | # assuming lan has the address 192.168.10.1/ | ||
| + | option ' | ||
| </ | </ | ||
| - | ===== Windows Native VPN Client Proposals ===== | + | And when this is all done, on both ends do: |
| - | The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7) | + | |
| - | ^Proposal^Encryption^Hash^DH Group^ | + | <code bash> |
| - | |#1|aes256|sha1|20| | + | root@HQ:~# / |
| - | |#2|aes128|sha1|19| | + | root@HQ:~# / |
| - | |# | + | </ |
| - | |# | + | |
| - | |# | + | |