Differences
| docs:guide-user:services:vpn:strongswan:configuration [2021/06/18 01:44] – Fix table philipp | docs:guide-user:services:vpn:strongswan:configuration [2022/12/12 00:25] – Fix examples: 'keyingtries' -> 'keyingretries' pcrump | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| Linux Charon IPsec daemon can be configured through ''/ | Linux Charon IPsec daemon can be configured through ''/ | ||
| - | **Note**: this has been updated to the '' | + | **Note**: this has been updated to the '' |
| ===== Sections ===== | ===== Sections ===== | ||
| ==== ipsec ==== | ==== ipsec ==== | ||
| ^Name^Type^Required^Default^Description^ | ^Name^Type^Required^Default^Description^ | ||
| |zone|string|no|vpn|Firewall zone. Has to match the defined [[docs: | |zone|string|no|vpn|Firewall zone. Has to match the defined [[docs: | ||
| - | |listen|list|yes|'' | + | |listen|list|yes|(none)|Interface that accept VPN traffic (empty for all interfaces, multiple lines for several interfaces)| |
| - | |debug|string|no|0|Trace level. Logs are written to / | + | |debug|string|no|0|Trace level. Logs are written to '' |
| ==== remote ==== | ==== remote ==== | ||
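Review bot: the revised listen row is internally inconsistent: the Required column says yes, yet the new description says the value may be left empty to accept traffic on all interfaces. Either mark it Required no with the (none) default meaning all interfaces, or drop the "empty for all interfaces" wording. The description also needs plural agreement, "Interfaces that accept VPN traffic", and it should say that several interfaces are given as separate list lines, since the Type column is list. Wrapping the debug log path in '' monospace matches the rest of the page.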
| Line 15: | Line 16: | ||
| ^Name^Type^Required^Default^Description^ | ^Name^Type^Required^Default^Description^ | ||
| |enabled|boolean|yes|(none)|Configuration is enabled or not| | |enabled|boolean|yes|(none)|Configuration is enabled or not| | ||
| - | |gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint| | + | |gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint, or permitted subnets that peers can initiate this configuration from (analogue to local_leftip)| |
| |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint| | |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint| | ||
| - | |local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 payloads| | + | |local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 configuration |
| - | |local_leftip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| | + | |local_ip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| |
| - | |local_identifier|string|no|(none)|Local identifier for phase 1| | + | |local_identifier|string|no|(none)|Local identifier for IKE (phase 1)| |
| - | |remote_identifier|string|no|(none)|Lemote | + | |remote_identifier|string|no|(none)|Remote |
| - | |authentication_method|string|yes|(none)|Phase 1 authentication. Only allowed value ath the moment is psk| | + | |authentication_method|string|yes|(none)|IKE authentication |
| |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk| | |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk| | ||
| - | |crypto_proposal|list|yes|(none)|Name of phase 1 proposal | + | |crypto_proposal|list|yes|(none)|List of IKE (phase 1) proposals to use for authentication |
| - | |tunnel|list|yes|(none)|Name of phase 2 section (see below)| | + | |tunnel|list|yes|(none)|Name of ESP/AH (phase 2) section (see below)| |
| |keyingretries|integer|no|3|Number of retransmissions to attempt during initial negotiation| | |keyingretries|integer|no|3|Number of retransmissions to attempt during initial negotiation| | ||
| |dpddelay|interval|no|30s|Liveness interval for IKE| | |dpddelay|interval|no|30s|Liveness interval for IKE| | ||
| |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| | |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| | ||
| - | |keyexchange|string|no|ikev2|Version of IKE to negotiation (" | + | |fragmentation|string|no|yes|Use IKE fragmentation (maybe " |
| - | |fragmentation|string|yes|Use IKE fragmentation (maybe " | + | |
| |mobike|string|no|yes|Enable MOBIKE on IKEv2| | |mobike|string|no|yes|Enable MOBIKE on IKEv2| | ||
| |local_cert|string|no|(none)|List of cert pathnames to use for authentication| | |local_cert|string|no|(none)|List of cert pathnames to use for authentication| | ||
| |local_key|string|no|(none)|List of private key pathnames to use with above certificates| | |local_key|string|no|(none)|List of private key pathnames to use with above certificates| | ||
| - | |ca_cert|string|no|(none)|Pathname to CA list to use with above certificates| | + | |ca_cert|string|no|(none)|List of names of CA certificates that need to lie in remote peer's certificate' |
| |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| | |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| | ||
| |overtime|interval|no|(none)|Limit on time to complete rekeying/ | |overtime|interval|no|(none)|Limit on time to complete rekeying/ | ||
| - | |crypto_proposal|list|yes|(none)|List of IKE proposals | + | |keyexchange|string|no|ikev2|Version |
| ==== crypto_proposal ==== | ==== crypto_proposal ==== | ||
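Review bot: the new gateway text says "(analogue to local_leftip)", but this same hunk renames that option to local_ip three rows further down, so the cross-reference is stale as soon as the change lands; change it to local_ip. In the local_ip row, "may by subnets or CIDRs" should read "may be subnets or CIDRs". Replacing the duplicated crypto_proposal row at the end of the table with the relocated keyexchange row removes the earlier duplication, and giving fragmentation a proper Required/Default pair (no, yes) repairs the row that previously had "yes" sitting in the Required column with no default at all.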
| Line 43: | Line 43: | ||
| ^Name^Type^Required^Default^Description^ | ^Name^Type^Required^Default^Description^ | ||
| |encryption_algorithm|string|yes|(none)|Encryption method (aes128, aes192, aes256, 3des)| | |encryption_algorithm|string|yes|(none)|Encryption method (aes128, aes192, aes256, 3des)| | ||
| - | |hash_alogrithm|string|yes|(none)|Hash | + | |hash_algorithm|string|yes|(none)|Hash |
| |dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...)| | |dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...)| | ||
| |prf_algorithm|string|no|(none)|Pseudo-Random Functions to use with IKE (prfmd5, prfsha1, prfsha256, ...); not applicable to ESP| | |prf_algorithm|string|no|(none)|Pseudo-Random Functions to use with IKE (prfmd5, prfsha1, prfsha256, ...); not applicable to ESP| | ||
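Review bot: changing hash_alogrithm to hash_algorithm in the Name column changes the documented UCI key, not only prose. Confirm that the init script spells the key this way, and add a sentence stating whether the old misspelling is still accepted, because a config written against the previous table would otherwise carry a hash_alogrithm line that may no longer be read. Since the table's examples list modp768 and modp1024 for dh_group, a remark on which groups are considered adequate today would also help readers building a proposal.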
| Line 51: | Line 51: | ||
| ^Name^Type^Required^Default^Description^ | ^Name^Type^Required^Default^Description^ | ||
| - | |local_subnet|subnet|yes|(none)|Local network| | + | |local_subnet|list|yes|(none)|Local network(s) one per line| |
| - | |remote_subnet|subnet|yes|(none)|Remote network| | + | |remote_subnet|list|yes|(none)|Remote network(s) one per line| |
| |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs: | |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs: | ||
| - | |crypto_proposal|list|yes|(none)|List of ESP encryption | + | |crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals| |
| |startaction|string|no|route|Action on initial configuration load (none, start, route)| | |startaction|string|no|route|Action on initial configuration load (none, start, route)| | ||
| |updown|string|no|(none)|Path to script to run on CHILD_SA up/down events| | |updown|string|no|(none)|Path to script to run on CHILD_SA up/down events| | ||
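Review bot: with local_subnet and remote_subnet now typed as list, the description should say which UCI form to use; the examples further down in this diff write list '...' for list-typed options and option '...' for scalars, so "one per line" should be stated as one list line per network. Also add the missing comma: "Local network(s), one per line" and "Remote network(s), one per line".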
| Line 62: | Line 62: | ||
| |closeaction|string|no|route|Action done when CHILD_SA is closed (may be " | |closeaction|string|no|route|Action done when CHILD_SA is closed (may be " | ||
| |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with " | |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with " | ||
| + | |priority|string|no|(none)|Priority of the CHILD_SA| | ||
| + | |ipcomp|bool|no|false|Enable ipcomp compression| | ||
| + | |hw_offload|bool|no|false|Enable H/W offload| | ||
| - | Local configuration for `/ | + | Local configuration for '' |
| <code bash> | <code bash> | ||
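Review bot: the three added rows use the type name bool, while the existing enabled row in the remote table uses boolean; use one spelling across the page. priority is typed as string although "Priority of the CHILD_SA" reads as a numeric value; if it is an integer, type it so. For ipcomp and hw_offload, a short note on the behaviour when the kernel or the hardware does not support compression or offload would help readers decide whether to enable them. Switching the path from backticks to '' matches the wiki's own monospace convention.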
| Line 75: | Line 78: | ||
| option ' | option ' | ||
| # address of wan device | # address of wan device | ||
| - | option 'left_ip' ' | + | option 'local_ip' ' |
| # peer has routable DHCP'd address which changes | # peer has routable DHCP'd address which changes | ||
| option ' | option ' | ||
| Line 85: | Line 88: | ||
| option ' | option ' | ||
| option ' | option ' | ||
| - | option 'keyingtries' ' | + | option 'keyingretries' ' |
| option ' | option ' | ||
| option ' | option ' | ||
| Line 99: | Line 102: | ||
| # we don't specify subnets because we're going to use XFRM-interfaced based routes instead | # we don't specify subnets because we're going to use XFRM-interfaced based routes instead | ||
| config ' | config ' | ||
| - | | + | |
| - | | + | |
| option ' | option ' | ||
| option ' | option ' | ||
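Review bot: the unchanged comment line "XFRM-interfaced based routes" should read "XFRM-interface based routes"; since this hunk already edits the two lines directly below it, the typo can be fixed in the same change.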
| Line 114: | Line 117: | ||
| </ | </ | ||
| - | and to support XFRM-based interfaces with associated routing, we put the following into `/ | + | and to support XFRM-based interfaces with associated routing, we put the following into '' |
| <code bash> | <code bash> | ||
| Line 137: | Line 140: | ||
| </ | </ | ||
| - | Lastly, | + | Lastly, |
| <code bash> | <code bash> | ||
| Line 176: | Line 179: | ||
| <code bash> | <code bash> | ||
| - | root@OpenWrt2:~# gencerts -s US acme.com "Acme Corporation" | + | root@HQ:~# gencerts -s US acme.com "Acme Corporation" |
| Generated as headquarters-certs.tar.gz | Generated as headquarters-certs.tar.gz | ||
| Generated as soho-certs.tar.gz | Generated as soho-certs.tar.gz | ||
| - | root@OpenWrt2:~# tar ztvf headquarters-certs.tar.gz | + | root@HQ:~# tar ztvf headquarters-certs.tar.gz |
| -r--r--r-- 0/0 1870 2021-06-17 19:01:38 swanctl/ | -r--r--r-- 0/0 1870 2021-06-17 19:01:38 swanctl/ | ||
| -r--r--r-- 0/0 1923 2021-06-17 19:01:53 swanctl/ | -r--r--r-- 0/0 1923 2021-06-17 19:01:53 swanctl/ | ||
| -r-------- 0/0 3243 2021-06-17 19:01:53 swanctl/ | -r-------- 0/0 3243 2021-06-17 19:01:53 swanctl/ | ||
| - | root@OpenWrt2:~# tar ztvf soho-certs.tar.gz | + | root@HQ:~# tar ztvf soho-certs.tar.gz |
| -r--r--r-- 0/0 1870 2021-06-17 19:01:38 swanctl/ | -r--r--r-- 0/0 1870 2021-06-17 19:01:38 swanctl/ | ||
| -r--r--r-- 0/0 1903 2021-06-17 19:02:04 swanctl/ | -r--r--r-- 0/0 1903 2021-06-17 19:02:04 swanctl/ | ||
| -r-------- 0/0 3243 2021-06-17 19:02:04 swanctl/ | -r-------- 0/0 3243 2021-06-17 19:02:04 swanctl/ | ||
| + | root@HQ: | ||
| + | </ | ||
| + | |||
| + | Note that the filenames in '' | ||
| + | |||
| + | <code bash> | ||
| + | root@HQ:~# openssl x509 -in / | ||
| + | subject=C = US, O = Acme Corporation, | ||
| root@OpenWrt2: | root@OpenWrt2: | ||
| </ | </ | ||
| - | Note that the filenames in `headquarters.tar.gz` correspond to `local_cert`, | + | As these files are present on the headquarters firewall already, you can remove |
| <code bash> | <code bash> | ||
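Review bot: the prompts in this block were changed from root@OpenWrt2 to root@HQ, but the unchanged line following the openssl output still shows root@OpenWrt2:, so the transcript now changes hostname mid-session; update that prompt as well. Adding the openssl x509 subject check after unpacking is a useful step, as it lets the reader confirm the C and O fields match what gencerts was given before the tunnel is brought up. The tar listings also show the key entries with mode -r-------- (0400) while the certificates are world-readable, which is worth stating explicitly in the text so readers preserve those permissions when copying files by hand.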
| Line 197: | Line 208: | ||
| </ | </ | ||
| - | as these are only needed on the remote end. | + | as these are only needed on the remote end (SoHo). |
| - | Now copy the `soho-certs.tar.gz` file over to the SoHo router, and unpack it with: | + | Now copy the '' |
| <code bash> | <code bash> | ||
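Review bot: saying the removed files belong on the SoHo end is clearer, but soho-certs.tar.gz, generated on HQ and shown above with a -r-------- entry that is the SoHo private key material, is not removed anywhere in this section; add a step that deletes the archive from the HQ router once it has been copied to the SoHo router, so the only remaining copy of that key is on the peer that uses it.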
| Line 205: | Line 216: | ||
| </ | </ | ||
| - | Lastly, configure | + | Lastly, configure |
| <code bash> | <code bash> | ||
| Line 214: | Line 225: | ||
| config ' | config ' | ||
| option ' | option ' | ||
| - | option 'local_leftip' ' | + | option 'local_ip' ' |
| option ' | option ' | ||
| option ' | option ' | ||
| Line 224: | Line 235: | ||
| option ' | option ' | ||
| option ' | option ' | ||
| - | option 'keyingtries' ' | + | option 'keyingretries' ' |
| option ' | option ' | ||
| list ' | list ' | ||
| Line 236: | Line 247: | ||
| | | ||
| config tunnel ' | config tunnel ' | ||
| - | | + | |
| - | | + | |
| option ' | option ' | ||
| option ' | option ' | ||
| option ' | option ' | ||
| option ' | option ' | ||
| + | option ' | ||
| list ' | list ' | ||
| Line 250: | Line 262: | ||
| </ | </ | ||
| - | Now modify | + | Now modify |
| <code bash> | <code bash> | ||
| Line 277: | Line 289: | ||
| <code bash> | <code bash> | ||
| - | # / | + | root@HQ:~# / |
| - | # / | + | root@HQ:~# / |
| </ | </ | ||