Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:strongswan:configuration [2021/06/18 01:29] – And... finally completely rewritten to include X.509 and cert generation philippdocs:guide-user:services:vpn:strongswan:configuration [2022/12/12 00:25] – Fix examples: 'keyingtries' -> 'keyingretries' pcrump
Line 2: Line 2:
 Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''. Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''.
  
-**Note**: this has been updated to the ''swanctl''-based configuration.  For previous versions, use the Wiki's page history functionality.+**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.5'' packaging.  For previous versions, use the Wiki's page history functionality. 
 ===== Sections ===== ===== Sections =====
 ==== ipsec ==== ==== ipsec ====
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
 |zone|string|no|vpn|Firewall zone. Has to match the defined [[docs:guide-user:services:vpn:strongswan:firewall#zones|firewall zone]]| |zone|string|no|vpn|Firewall zone. Has to match the defined [[docs:guide-user:services:vpn:strongswan:firewall#zones|firewall zone]]|
-|listen|list|yes|''|Interface that accept VPN traffic (empty for all interfaces, multiple lines for several interfaces)| +|listen|list|yes|(none)|Interface that accept VPN traffic (empty for all interfaces, multiple lines for several interfaces)| 
-|debug|string|no|0|Trace level. Logs are written to /var/log/charon.log|+|debug|string|no|0|Trace level. Logs are written to ''/var/log/charon.log''|
  
 ==== remote ==== ==== remote ====
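Review bot: the ''listen'' row (second row of the table) still marks the option Required = yes while its description says an empty value means all interfaces and the default is now shown as (none); one of those is wrong, and Required should most likely be no with the default described as 'all interfaces'. While touching that row, 'Interface that accept' should read 'Interfaces that accept'.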
Line 15: Line 16:
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
 |enabled|boolean|yes|(none)|Configuration is enabled or not| |enabled|boolean|yes|(none)|Configuration is enabled or not|
-|gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint|+|gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint, or permitted subnets that peers can initiate this configuration from (analogue to local_leftip)|
 |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint| |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint|
-|local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 payloads| +|local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 configuration payloads requests, or in IKEv1 mode config (enables sending them/initiating it instead of quick mode)
-|local_leftip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| +|local_ip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| 
-|local_identifier|string|no|(none)|Local identifier for phase 1| +|local_identifier|string|no|(none)|Local identifier for IKE (phase 1)
-|remote_identifier|string|no|(none)|Lemote identifier for phase 1| +|remote_identifier|string|no|(none)|Remote identifier for IKE (phase 1)
-|authentication_method|string|yes|(none)|Phase 1 authentication. Only allowed value ath the moment is psk|+|authentication_method|string|yes|(none)|IKE authentication (phase 1). Only allowed value ath the moment is psk|
 |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk| |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk|
-|crypto_proposal|list|yes|(none)|Name of phase 1 proposal (see below)| +|crypto_proposal|list|yes|(none)|List of IKE (phase 1) proposals to use for authentication (see below)| 
-|tunnel|list|yes|(none)|Name of phase 2 section (see below)|+|tunnel|list|yes|(none)|Name of ESP/AH (phase 2section (see below)|
 |keyingretries|integer|no|3|Number of retransmissions to attempt during initial negotiation| |keyingretries|integer|no|3|Number of retransmissions to attempt during initial negotiation|
 |dpddelay|interval|no|30s|Liveness interval for IKE| |dpddelay|interval|no|30s|Liveness interval for IKE|
 |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA|
-|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)| +|fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")|
-|fragmentation|string|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")|+
 |mobike|string|no|yes|Enable MOBIKE on IKEv2| |mobike|string|no|yes|Enable MOBIKE on IKEv2|
 |local_cert|string|no|(none)|List of cert pathnames to use for authentication| |local_cert|string|no|(none)|List of cert pathnames to use for authentication|
 |local_key|string|no|(none)|List of private key pathnames to use with above certificates| |local_key|string|no|(none)|List of private key pathnames to use with above certificates|
-|ca_cert|string|no|(none)|Pathname to CA list to use with above certificates|+|ca_cert|string|no|(none)|List of names of CA certificates that need to lie in remote peer's certificate's path of trust|
 |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime|
 |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)| |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)|
-|crypto_proposal|list|yes|(none)|List of IKE proposals to use for authentication|+|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)|
  
 ==== crypto_proposal ==== ==== crypto_proposal ====
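Review bot: the new ''gateway'' description says 'analogue to local_leftip', but the same hunk renames that option to ''local_ip'' (three rows below), so the cross-reference now points at a name that no longer exists on the page. Also in this hunk: the rewritten ''local_sourceip'', ''local_identifier'' and ''remote_identifier'' rows have lost their closing ''|'', which DokuWiki needs to terminate a table row; the ''tunnel'' row reads 'ESP/AH (phase 2section' and is missing the closing parenthesis and a space; ''authentication_method'' still says the only allowed value is ''psk'' (and keeps the 'ath the moment' typo) even though the ''local_cert''/''local_key''/''ca_cert'' rows and the X.509 examples further down rely on certificate authentication; and ''ca_cert'' is now described as a 'List of names' while its Type column stays ''string''.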
Line 43: Line 43:
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
 |encryption_algorithm|string|yes|(none)|Encryption method (aes128, aes192, aes256, 3des)| |encryption_algorithm|string|yes|(none)|Encryption method (aes128, aes192, aes256, 3des)|
-|hash_alogrithm|string|yes|(none)|Hash alogrithm (md5, sha1, sha2, ...) not used with AEAD encryption|+|hash_algorithm|string|yes|(none)|Hash algorithm (md5, sha1, sha2, ...) not permitted when an AEAD algorithm is used |
 |dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...)| |dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...)|
 |prf_algorithm|string|no|(none)|Pseudo-Random Functions to use with IKE (prfmd5, prfsha1, prfsha256, ...); not applicable to ESP| |prf_algorithm|string|no|(none)|Pseudo-Random Functions to use with IKE (prfmd5, prfsha1, prfsha256, ...); not applicable to ESP|
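Review bot: fixing ''hash_alogrithm'' to ''hash_algorithm'' is right, but the row still says Required = yes while the new description says the value is not permitted when an AEAD algorithm is used; Required should be 'no' (or 'yes unless the encryption algorithm is AEAD'). It would also help readers if ''md5''/''sha1'' and ''modp768''/''modp1024'' in these rows were marked as legacy examples rather than left looking like recommended choices.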
Line 51: Line 51:
  
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
-|local_subnet|subnet|yes|(none)|Local network| +|local_subnet|list|yes|(none)|Local network(s) one per line
-|remote_subnet|subnet|yes|(none)|Remote network|+|remote_subnet|list|yes|(none)|Remote network(s) one per line|
 |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]| |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]|
-|crypto_proposal|list|yes|(none)|List of ESP encryption proposals|+|crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals|
 |startaction|string|no|route|Action on initial configuration load (none, start, route)| |startaction|string|no|route|Action on initial configuration load (none, start, route)|
 |updown|string|no|(none)|Path to script to run on CHILD_SA up/down events| |updown|string|no|(none)|Path to script to run on CHILD_SA up/down events|
 |lifetime|interval|no|(none)|Maximum duration of the CHILD_SA before closing (defaults to 110% of rekeytime)| |lifetime|interval|no|(none)|Maximum duration of the CHILD_SA before closing (defaults to 110% of rekeytime)|
 |rekeytime|interval|no|(none)|Duration of the CHILD_SA before rekeying| |rekeytime|interval|no|(none)|Duration of the CHILD_SA before rekeying|
-|dpdaction|string|no|(none)|Action done when DPD timeout occurs (may be "none", "clear", "hold", "restart", "trap", or "start"+|dpdaction|string|no|(none)|Action done when DPD timeout occurs (may be "none", "clear", "hold", "restart", "trap", or "start")| 
-|closeaction|string|no|route|Action done when CHILD_SA is closed (may be "add", "route", "start", "none", or "trap")+|closeaction|string|no|route|Action done when CHILD_SA is closed (may be "add", "route", "start", "none", or "trap")|
 |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with "ifid" values in route entries on "xfrm" interfaces)| |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with "ifid" values in route entries on "xfrm" interfaces)|
 +|priority|string|no|(none)|Priority of the CHILD_SA|
 +|ipcomp|bool|no|false|Enable ipcomp compression|
 +|hw_offload|bool|no|false|Enable H/W offload|
  
-Local configuration for `/etc/config/ipsec`:+Local configuration for ''/etc/config/ipsec'':
  
 <code bash> <code bash>
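Review bot: the rewritten ''local_subnet'' row is missing its closing ''|'' (the ''remote_subnet'' row directly below it has one). Also in this hunk: the new ''crypto_proposal'' description says 'phase two' where the rest of the page writes 'phase 2'; the new ''ipcomp''/''hw_offload'' rows use Type ''bool'' while ''enabled'' in the remote table uses ''boolean''; and the new ''priority'' row is typed ''string'' with no hint of its range or what a higher value means.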
Line 75: Line 78:
   option 'enabled' '1'   option 'enabled' '1'
   # address of wan device   # address of wan device
-  option 'left_ip' '6.6.6.6'+  option 'local_ip' '6.6.6.6'
   # peer has routable DHCP'd address which changes   # peer has routable DHCP'd address which changes
   option 'gateway' 'any'   option 'gateway' 'any'
Line 85: Line 88:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' '0'   option 'mobike' '0'
   option 'fragmentation' '1'   option 'fragmentation' '1'
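Review bot: renaming ''keyingtries'' to ''keyingretries'' matches the table, but the neighbouring context line ''option 'fragmentation' '1''' uses a value the table does not list (it gives ''yes'', ''accept'', ''force'' and ''no''); either the table or the example should be aligned so a reader knows which spelling the init script accepts.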
Line 99: Line 102:
 # we don't specify subnets because we're going to use XFRM-interfaced based routes instead # we don't specify subnets because we're going to use XFRM-interfaced based routes instead
 config 'tunnel' 'tun_soho' config 'tunnel' 'tun_soho'
-  option 'local_subnet' '0.0.0.0/0' +  list   'local_subnet' '0.0.0.0/0' 
-  option 'remote_subnet' '0.0.0.0/0'+  list   'remote_subnet' '0.0.0.0/0'
   option 'if_id' '357'   option 'if_id' '357'
   option 'rekeytime' '1h'   option 'rekeytime' '1h'
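Review bot: switching ''local_subnet''/''remote_subnet'' to ''list'' matches the new table type, but the comment above the section ('we don't specify subnets') now sits over two explicit ''0.0.0.0/0'' entries; reword it to say that catch-all subnets are set so that the XFRM interface routes decide what enters the tunnel, and fix 'XFRM-interfaced based' to 'XFRM-interface based'.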
Line 114: Line 117:
 </code> </code>
  
-and to support XFRM-based interfaces with associated routing, we put the following into `/etc/config/network`:+and to support XFRM-based interfaces with associated routing, we put the following into ''/etc/config/network'':
  
 <code bash> <code bash>
Line 137: Line 140:
 </code> </code>
  
-Lastly, `/etc/config/firewallrequires:+Lastly, ''/etc/config/firewall'' requires:
  
 <code bash> <code bash>
Line 176: Line 179:
  
 <code bash> <code bash>
-root@OpenWrt2:~# gencerts -s US acme.com "Acme Corporation" headquarters soho+root@HQ:~# gencerts -s US acme.com "Acme Corporation" headquarters soho
 Generated as headquarters-certs.tar.gz Generated as headquarters-certs.tar.gz
 Generated as soho-certs.tar.gz Generated as soho-certs.tar.gz
-root@OpenWrt2:~# tar ztvf headquarters-certs.tar.gz +root@HQ:~# tar ztvf headquarters-certs.tar.gz 
 -r--r--r-- 0/0      1870 2021-06-17 19:01:38 swanctl/x509ca/acme.crt -r--r--r-- 0/0      1870 2021-06-17 19:01:38 swanctl/x509ca/acme.crt
 -r--r--r-- 0/0      1923 2021-06-17 19:01:53 swanctl/x509/headquarters.crt -r--r--r-- 0/0      1923 2021-06-17 19:01:53 swanctl/x509/headquarters.crt
 -r-------- 0/0      3243 2021-06-17 19:01:53 swanctl/private/headquarters.key -r-------- 0/0      3243 2021-06-17 19:01:53 swanctl/private/headquarters.key
-root@OpenWrt2:~# tar ztvf soho-certs.tar.gz +root@HQ:~# tar ztvf soho-certs.tar.gz 
 -r--r--r-- 0/0      1870 2021-06-17 19:01:38 swanctl/x509ca/acme.crt -r--r--r-- 0/0      1870 2021-06-17 19:01:38 swanctl/x509ca/acme.crt
 -r--r--r-- 0/0      1903 2021-06-17 19:02:04 swanctl/x509/soho.crt -r--r--r-- 0/0      1903 2021-06-17 19:02:04 swanctl/x509/soho.crt
 -r-------- 0/0      3243 2021-06-17 19:02:04 swanctl/private/soho.key -r-------- 0/0      3243 2021-06-17 19:02:04 swanctl/private/soho.key
 +root@HQ:~# 
 +</code>
 +
 +Note that the filenames in ''headquarters.tar.gz'' correspond to ''local_cert'', ''local_key'', and ''ca_cert'' above.  Similarly, the certificate's subject corresponds to the ''local_identifier'':
 +
 +<code bash>
 +root@HQ:~# openssl x509 -in /etc/swanctl/x509/headquarters.crt -noout -subject
 +subject=C = US, O = Acme Corporation, CN = headquarters
 root@OpenWrt2:~#  root@OpenWrt2:~# 
 </code> </code>
  
-Note that the filenames in `headquarters.tar.gz` correspond to `local_cert`, `local_key`, and `ca_cert` above.  As these files are present on the headquarters firewall already, you can remove `headquarters.tar.gz`.  You can also remove:+As these files are present on the headquarters firewall already, you can remove ''headquarters.tar.gz''.  You can also remove:
  
 <code bash> <code bash>
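Review bot: the new note refers to ''headquarters.tar.gz'', but the archive created by ''gencerts'' a few lines above is ''headquarters-certs.tar.gz'' (the same mismatch is carried into the 'you can remove' sentence), and the prompt in the new ''openssl x509'' block is ''root@HQ:~#'' while the unchanged trailing prompt line still reads ''root@OpenWrt2:~#''. The note should also say whether the spacing matters: ''openssl x509 -subject'' prints ''C = US, O = Acme Corporation, CN = headquarters'' with spaces around ''='', whereas the SoHo ''local_identifier'' below is written without them, and a reader copying the subject verbatim needs to know which form to paste.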
Line 197: Line 208:
 </code> </code>
  
-as these are only needed on the remote end.+as these are only needed on the remote end (SoHo).
  
-Now copy the `soho-certs.tar.gzfile over to the SoHo router, and unpack it with:+Now copy the ''soho-certs.tar.gz'' file over to the SoHo router, and unpack it with:
  
 <code bash> <code bash>
Line 205: Line 216:
 </code> </code>
  
-Lastly, configure `/etc/config/ipsecon the SoHo router:+Lastly, configure ''/etc/config/ipsec'' on the SoHo router:
  
 <code bash> <code bash>
Line 214: Line 225:
 config 'remote' 'headquarters' config 'remote' 'headquarters'
   option 'enabled' '1'   option 'enabled' '1'
-  option 'local_leftip' '%any'+  option 'local_ip' '%any'
   option 'gateway' '6.6.6.6'   option 'gateway' '6.6.6.6'
   option 'local_identifier' 'C=US, O=Acme Corporation, CN=soho'   option 'local_identifier' 'C=US, O=Acme Corporation, CN=soho'
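Review bot: ''local_leftip'' to ''local_ip'' keeps the SoHo example consistent with the renamed table row, but this side writes ''%any'' while the headquarters example writes ''option 'gateway' 'any''' without the percent sign; if the init script accepts both spellings the table should say so, otherwise one of the two examples is wrong.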
Line 224: Line 235:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' 0   option 'mobike' 0
   list 'crypto_proposal' 'ike_proposal'   list 'crypto_proposal' 'ike_proposal'
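Review bot: ''keyingretries '0''' now matches the table's option name, but the table describes the option as a number of retransmissions with default 3 and neither it nor the example explains what 0 selects; a one-line comment here, as the headquarters example has for its other options, would save the reader a trip to the swanctl documentation. The unchanged ''option 'mobike' 0'' line is also the only value on the page written without quotes.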
Line 236: Line 247:
      
 config tunnel 'tun_headquarters' config tunnel 'tun_headquarters'
-  option 'local_subnet' '0.0.0.0/0' +  list   'local_subnet' '0.0.0.0/0' 
-  option 'remote_subnet' '0.0.0.0/0'+  list   'remote_subnet' '0.0.0.0/0'
   option 'if_id' '308'   option 'if_id' '308'
   option 'rekeytime' '1h'   option 'rekeytime' '1h'
   option 'startaction' 'trap'   option 'startaction' 'trap'
   option 'closeaction' 'none'   option 'closeaction' 'none'
 +  option 'dpdaction' 'restart'
   list 'crypto_proposal' 'esp_proposal'   list 'crypto_proposal' 'esp_proposal'
  
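Review bot: ''dpdaction 'restart''' is added only to the SoHo ''tun_headquarters'' tunnel and not to the headquarters ''tun_soho'' section; that asymmetry is probably intended (the SoHo side has the changing address and is the one that initiates), but say so in a comment, because a reader mirroring the two configurations will otherwise copy it to both ends.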
Line 250: Line 262:
 </code> </code>
  
-Now modify `/etc/config/firewallas above, and `/etc/config/networkas:+Now modify ''/etc/config/firewall'' as above, and ''/etc/config/network'' as:
  
 <code bash> <code bash>
Line 277: Line 289:
  
 <code bash> <code bash>
-# /etc/init.d/swanctl enable +root@HQ:~# /etc/init.d/swanctl enable 
-# /etc/init.d/swanctl restart+root@HQ:~# /etc/init.d/swanctl restart
 </code> </code>
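Review bot: the prompt is changed to ''root@HQ:~#'', but the preceding sections configure both routers; if ''swanctl'' must be enabled and restarted on the SoHo router as well, say so here or use a neutral prompt rather than implying headquarters only.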
  
  • Last modified: 2024/12/01 18:36
  • by kevinoid