Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
docs:guide-user:services:vpn:strongswan:configuration [2021/06/18 19:24] – Show cert subject philipp
docs:guide-user:services:vpn:strongswan:configuration [2022/12/12 00:25] – Fix examples: 'keyingtries' -> 'keyingretries' pcrump
Line 2: Line 2:
 Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''. Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''.
  
-**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.2-10'' packaging.  For previous versions, use the Wiki's page history functionality.+**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.5'' packaging.  For previous versions, use the Wiki's page history functionality.
  
 ===== Sections ===== ===== Sections =====
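Review bot: the new version string in the Note line drops the package revision the old one carried (''5.9.2-10'' became ''5.9.5''). The option renames elsewhere in this diff (''local_leftip'' to ''local_ip'', ''keyingtries'' to ''keyingretries'') are the kind of change that lands in an OpenWrt package revision rather than an upstream strongSwan release, so keep the full package version (''5.9.5-<rev>'') so a reader can tell which init script the tables describe.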
Line 16: Line 16:
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
 |enabled|boolean|yes|(none)|Configuration is enabled or not| |enabled|boolean|yes|(none)|Configuration is enabled or not|
-|gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint|+|gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint, or permitted subnets that peers can initiate this configuration from (analogue to local_leftip)|
 |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint| |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint|
-|local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 payloads| +|local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 configuration payloads requests, or in IKEv1 mode config (enables sending them/initiating it instead of quick mode)
-|local_leftip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| +|local_ip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| 
-|local_identifier|string|no|(none)|Local identifier for phase 1| +|local_identifier|string|no|(none)|Local identifier for IKE (phase 1)
-|remote_identifier|string|no|(none)|Lemote identifier for phase 1| +|remote_identifier|string|no|(none)|Remote identifier for IKE (phase 1)
-|authentication_method|string|yes|(none)|Phase 1 authentication. Only allowed value ath the moment is psk|+|authentication_method|string|yes|(none)|IKE authentication (phase 1). Only allowed value ath the moment is psk|
 |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk| |pre_shared_key|string|no|(none)|The preshared key for the tunnel if authentication is psk|
-|crypto_proposal|list|yes|(none)|Name of phase 1 proposal (see below)| +|crypto_proposal|list|yes|(none)|List of IKE (phase 1) proposals to use for authentication (see below)| 
-|tunnel|list|yes|(none)|Name of phase 2 section (see below)|+|tunnel|list|yes|(none)|Name of ESP/AH (phase 2section (see below)|
 |keyingretries|integer|no|3|Number of retransmissions to attempt during initial negotiation| |keyingretries|integer|no|3|Number of retransmissions to attempt during initial negotiation|
 |dpddelay|interval|no|30s|Liveness interval for IKE| |dpddelay|interval|no|30s|Liveness interval for IKE|
 |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA|
-|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)| 
 |fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")| |fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")|
 |mobike|string|no|yes|Enable MOBIKE on IKEv2| |mobike|string|no|yes|Enable MOBIKE on IKEv2|
 |local_cert|string|no|(none)|List of cert pathnames to use for authentication| |local_cert|string|no|(none)|List of cert pathnames to use for authentication|
 |local_key|string|no|(none)|List of private key pathnames to use with above certificates| |local_key|string|no|(none)|List of private key pathnames to use with above certificates|
-|ca_cert|string|no|(none)|Pathname to CA list to use with above certificates|+|ca_cert|string|no|(none)|List of names of CA certificates that need to lie in remote peer's certificate's path of trust|
 |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime|
 |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)| |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)|
-|crypto_proposal|list|yes|(none)|List of IKE proposals to use for authentication|+|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)|
  
 ==== crypto_proposal ==== ==== crypto_proposal ====
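Review bot: the rewritten ''gateway'' row still says "(analogue to local_leftip)" while the row four lines below renames that option to ''local_ip''; update the cross-reference or readers will look for an option that no longer exists. Three rewritten rows also lost their closing cell delimiter: the ''local_sourceip'', ''local_identifier'' and ''remote_identifier'' lines end without a trailing ''|'', which DokuWiki needs to close the last column. Smaller points in the same hunk: the ''tunnel'' row reads "(phase 2section" (missing ") "), the ''authentication_method'' row keeps the "ath the moment" typo, the ''local_ip'' row keeps "may by subnets", and the ''crypto_proposal'' description "proposals to use for authentication" is misleading, since an IKE proposal selects encryption, integrity, PRF and DH group for the IKE_SA while the authentication method is chosen by ''authentication_method''. The ''local_cert'', ''local_key'' and ''ca_cert'' rows describe lists but remain typed ''string''; if they take several entries, type them ''list'' like ''crypto_proposal''. Dropping the duplicated ''crypto_proposal'' row in favour of ''keyexchange'' is correct.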
Line 44: Line 43:
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
 |encryption_algorithm|string|yes|(none)|Encryption method (aes128, aes192, aes256, 3des)| |encryption_algorithm|string|yes|(none)|Encryption method (aes128, aes192, aes256, 3des)|
-|hash_alogrithm|string|yes|(none)|Hash alogrithm (md5, sha1, sha2, ...) not used with AEAD encryption|+|hash_algorithm|string|yes|(none)|Hash algorithm (md5, sha1, sha2, ...) not permitted when an AEAD algorithm is used |
 |dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...)| |dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...)|
 |prf_algorithm|string|no|(none)|Pseudo-Random Functions to use with IKE (prfmd5, prfsha1, prfsha256, ...); not applicable to ESP| |prf_algorithm|string|no|(none)|Pseudo-Random Functions to use with IKE (prfmd5, prfsha1, prfsha256, ...); not applicable to ESP|
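Review bot: the ''hash_algorithm'' row now says the hash is "not permitted when an AEAD algorithm is used", but the ''encryption_algorithm'' row above lists only aes128, aes192, aes256 and 3des, none of which is an AEAD mode, so the reader is told a rule without being shown any value that triggers it; add an AEAD name to the encryption examples (for instance ''aes256gcm16'') or state that AEAD modes are accepted. Consider also reordering the example values so that the first ones shown are the ones a reader should pick: md5, sha1, 3des, modp768 and modp1024 head their lists here, and those are the legacy options rather than the recommended ones.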
Line 52: Line 51:
  
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
-|local_subnet|subnet|yes|(none)|Local network| +|local_subnet|list|yes|(none)|Local network(s) one per line
-|remote_subnet|subnet|yes|(none)|Remote network|+|remote_subnet|list|yes|(none)|Remote network(s) one per line|
 |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]| |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]|
-|crypto_proposal|list|yes|(none)|List of ESP encryption proposals|+|crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals|
 |startaction|string|no|route|Action on initial configuration load (none, start, route)| |startaction|string|no|route|Action on initial configuration load (none, start, route)|
 |updown|string|no|(none)|Path to script to run on CHILD_SA up/down events| |updown|string|no|(none)|Path to script to run on CHILD_SA up/down events|
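Review bot: the ''local_subnet'' and ''remote_subnet'' rows switch to type ''list'' with "one per line", and the example sections further down do switch to ''list 'local_subnet' '...''' entries; say "one ''list'' entry per network" in the description so the table states the UCI form rather than leaving the reader to infer it from the examples. The ''crypto_proposal'' row in this hunk says "(phase two)" while the remote-section rows use "(phase 2)"; use one form.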
Line 63: Line 62:
 |closeaction|string|no|route|Action done when CHILD_SA is closed (may be "add", "route", "start", "none", or "trap")| |closeaction|string|no|route|Action done when CHILD_SA is closed (may be "add", "route", "start", "none", or "trap")|
 |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with "ifid" values in route entries on "xfrm" interfaces)| |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with "ifid" values in route entries on "xfrm" interfaces)|
 +|priority|string|no|(none)|Priority of the CHILD_SA|
 +|ipcomp|bool|no|false|Enable ipcomp compression|
 +|hw_offload|bool|no|false|Enable H/W offload|
  
 Local configuration for ''/etc/config/ipsec'': Local configuration for ''/etc/config/ipsec'':
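Review bot: the three new rows use type ''bool'' and default ''false'', whereas the existing ''enabled'' row uses ''boolean'' and every example on this page writes booleans as '1'/'0' (''option 'enabled' '1''', ''option 'mobike' '0'''); use the same type name and give the default as 0 so nobody writes "false" into UCI. The ''priority'' row is typed ''string'' and described only as "Priority of the CHILD_SA"; it is a numeric policy priority, so document it as an integer and say whether lower or higher values take precedence. "Enable H/W offload" could also name what is offloaded (ESP processing to the NIC) so the reader knows when the flag is meaningful.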
Line 76: Line 78:
   option 'enabled' '1'   option 'enabled' '1'
   # address of wan device   # address of wan device
-  option 'left_ip' '6.6.6.6'+  option 'local_ip' '6.6.6.6'
   # peer has routable DHCP'd address which changes   # peer has routable DHCP'd address which changes
   option 'gateway' 'any'   option 'gateway' 'any'
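Review bot: renaming ''left_ip'' to ''local_ip'' brings the example in line with the table, but the line after it sets ''gateway 'any''', and the ''gateway'' row types that option as ''ipaddr'' (required) and describes it as an address, FQDN or permitted subnets; state in that row that a wildcard is accepted and which spelling the init script expects. The example address 6.6.6.6 is also a routable public address; documentation examples should use an RFC 5737 block such as 203.0.113.0/24 so that copy-pasted configurations cannot point at someone else's host.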
Line 86: Line 88:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' '0'   option 'mobike' '0'
   option 'fragmentation' '1'   option 'fragmentation' '1'
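Review bot: ''keyingtries'' to ''keyingretries'' now matches the table, but the value '0' is not explained there; the ''keyingretries'' row says only "Number of retransmissions to attempt during initial negotiation" with default 3, so a reader cannot tell whether 0 means "never retry" or "retry until the connection is established". Document the meaning of 0 in the table. In the same block, ''option 'fragmentation' '1''' uses a value the ''fragmentation'' row does not list (it documents yes, accept, force and no); change the example to 'yes' or document that 1/0 are accepted.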
Line 100: Line 102:
 # we don't specify subnets because we're going to use XFRM-interfaced based routes instead # we don't specify subnets because we're going to use XFRM-interfaced based routes instead
 config 'tunnel' 'tun_soho' config 'tunnel' 'tun_soho'
-  option 'local_subnet' '0.0.0.0/0' +  list   'local_subnet' '0.0.0.0/0' 
-  option 'remote_subnet' '0.0.0.0/0'+  list   'remote_subnet' '0.0.0.0/0'
   option 'if_id' '357'   option 'if_id' '357'
   option 'rekeytime' '1h'   option 'rekeytime' '1h'
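Review bot: the comment above this block says "we don't specify subnets", but the two rewritten lines do specify them, as 0.0.0.0/0 on both sides; reword it to say that the selectors are deliberately wide open and that routes on the xfrm interface decide what enters the tunnel, and fix "XFRM-interfaced based" to "XFRM-interface based". This is worth stating plainly because with 0.0.0.0/0 selectors on both ends the only thing confining traffic to this tunnel is the routing into the interface that carries ''if_id'' 357.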
Line 223: Line 225:
 config 'remote' 'headquarters' config 'remote' 'headquarters'
   option 'enabled' '1'   option 'enabled' '1'
-  option 'local_leftip' '%any'+  option 'local_ip' '%any'
   option 'gateway' '6.6.6.6'   option 'gateway' '6.6.6.6'
   option 'local_identifier' 'C=US, O=Acme Corporation, CN=soho'   option 'local_identifier' 'C=US, O=Acme Corporation, CN=soho'
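Review bot: ''local_ip '%any''' here and ''gateway 'any''' in the headquarters example spell the wildcard two different ways; if the init script accepts both, say so in the table, otherwise make the two examples agree.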
Line 233: Line 235:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' 0   option 'mobike' 0
   list 'crypto_proposal' 'ike_proposal'   list 'crypto_proposal' 'ike_proposal'
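Review bot: ''option 'mobike' 0'' leaves the value unquoted while the matching headquarters line writes ''option 'mobike' '0'''; quote it for consistency. As in the headquarters block, '0' for ''keyingretries'' is a value the table does not explain.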
Line 245: Line 247:
      
 config tunnel 'tun_headquarters' config tunnel 'tun_headquarters'
-  option 'local_subnet' '0.0.0.0/0' +  list   'local_subnet' '0.0.0.0/0' 
-  option 'remote_subnet' '0.0.0.0/0'+  list   'remote_subnet' '0.0.0.0/0'
   option 'if_id' '308'   option 'if_id' '308'
   option 'rekeytime' '1h'   option 'rekeytime' '1h'
   option 'startaction' 'trap'   option 'startaction' 'trap'
   option 'closeaction' 'none'   option 'closeaction' 'none'
 +  option 'dpdaction' 'restart'
   list 'crypto_proposal' 'esp_proposal'   list 'crypto_proposal' 'esp_proposal'
  
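Review bot: the added ''option 'dpdaction' 'restart''' has no row in either table as shown in this diff: the remote section documents ''dpddelay'' only, and none of the tunnel rows visible here is ''dpdaction''; add a row with the accepted values so the reader knows the option belongs in the tunnel section and what 'restart' does to the CHILD_SA when the peer stops answering. Likewise ''startaction 'trap''' uses a value the ''startaction'' row does not list (none, start, route), although ''closeaction'' does list trap; reconcile the two rows.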
  • Last modified: 2024/12/01 18:36
  • by kevinoid