Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:strongswan:configuration [2021/06/25 20:52] – [remote] thermi
docs:guide-user:services:vpn:strongswan:configuration [2022/12/12 00:25] – Fix examples: 'keyingtries' -> 'keyingretries' pcrump
Line 2: Line 2:
 Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''. Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''.
  
-**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.2-10'' packaging.  For previous versions, use the Wiki's page history functionality.+**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.5'' packaging.  For previous versions, use the Wiki's page history functionality.
  
 ===== Sections ===== ===== Sections =====
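Review bot: the version note drops the OpenWrt package revision suffix that the old text carried ("5.9.2-10" becomes plain "5.9.5"); since the sentence is explicitly about packaging, keep the full package version string so readers can match it against `opkg` output.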
Line 19: Line 19:
 |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint| |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint|
 |local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 configuration payloads requests, or in IKEv1 mode config (enables sending them/initiating it instead of quick mode)| |local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 configuration payloads requests, or in IKEv1 mode config (enables sending them/initiating it instead of quick mode)|
-|local_leftip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)|+|local_ip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)|
 |local_identifier|string|no|(none)|Local identifier for IKE (phase 1)| |local_identifier|string|no|(none)|Local identifier for IKE (phase 1)|
 |remote_identifier|string|no|(none)|Remote identifier for IKE (phase 1)| |remote_identifier|string|no|(none)|Remote identifier for IKE (phase 1)|
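Review bot: the renamed `local_ip` row keeps the typo "and may by subnets or CIDRs" ("may be"), and its description does not mention the `%any` value that the examples further down pass as `option 'local_ip' '%any'`; while touching this row, fix the typo and list `%any` as an accepted value so the table and the examples agree.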
Line 29: Line 29:
 |dpddelay|interval|no|30s|Liveness interval for IKE| |dpddelay|interval|no|30s|Liveness interval for IKE|
 |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA|
-|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)| 
 |fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")| |fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")|
 |mobike|string|no|yes|Enable MOBIKE on IKEv2| |mobike|string|no|yes|Enable MOBIKE on IKEv2|
Line 37: Line 36:
 |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime|
 |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)| |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)|
 +|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)|
  
 ==== crypto_proposal ==== ==== crypto_proposal ====
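Review bot: the `keyexchange` row is moved here from its earlier position unchanged, so the wording "Version of IKE to negotiation" survives the move; it should read "Version of IKE to negotiate". Also worth adding to the description: setting "ike" (both) means the responder will accept IKEv1 from any peer, whereas the default "ikev2" does not, so the value is a downgrade decision and not just a compatibility knob.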
Line 51: Line 51:
  
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
-|local_subnet|subnet|yes|(none)|Local network (can be a comma seperated list)| +|local_subnet|list|yes|(none)|Local network(sone per line
-|remote_subnet|subnet|yes|(none)|Remote network (can be a comma seperated list)|+|remote_subnet|list|yes|(none)|Remote network(sone per line|
 |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]| |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]|
 |crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals| |crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals|
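Review bot: the new description cells on the `local_subnet` and `remote_subnet` rows are malformed: "Local network(sone per line" is missing the closing parenthesis, the space and the trailing "|" that closes the table row, and the `remote_subnet` row has the same run-together "(sone per line". Both should read "Local network(s), one per line|" and "Remote network(s), one per line|"; as written the first row will not render as a table row.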
Line 62: Line 62:
 |closeaction|string|no|route|Action done when CHILD_SA is closed (may be "add", "route", "start", "none", or "trap")| |closeaction|string|no|route|Action done when CHILD_SA is closed (may be "add", "route", "start", "none", or "trap")|
 |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with "ifid" values in route entries on "xfrm" interfaces)| |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with "ifid" values in route entries on "xfrm" interfaces)|
 +|priority|string|no|(none)|Priority of the CHILD_SA|
 +|ipcomp|bool|no|false|Enable ipcomp compression|
 +|hw_offload|bool|no|false|Enable H/W offload|
  
 Local configuration for ''/etc/config/ipsec'': Local configuration for ''/etc/config/ipsec'':
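Review bot: the three added rows use a boolean convention that differs from the rest of the table: `ipcomp` and `hw_offload` default to "false", while `fragmentation` and `mobike` above document "yes"/"no" values, and the examples below toggle them with '0'/'1'. Pick one representation and state it consistently. "H/W offload" should be spelled out as "hardware offload", and "Priority of the CHILD_SA" could say what the priority applies to, since the value is typed as a string with no stated range.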
Line 75: Line 78:
   option 'enabled' '1'   option 'enabled' '1'
   # address of wan device   # address of wan device
-  option 'left_ip' '6.6.6.6'+  option 'local_ip' '6.6.6.6'
   # peer has routable DHCP'd address which changes   # peer has routable DHCP'd address which changes
   option 'gateway' 'any'   option 'gateway' 'any'
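Review bot: the rename to `option 'local_ip'` is correct and finally matches the table (the old example used `left_ip`, which matched neither the old `local_leftip` name nor the new one). Separately, `6.6.6.6` is a real routable address; for a documentation example prefer an RFC 5737 address such as one from 192.0.2.0/24 so that copy-pasted configs cannot point at a live host.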
Line 85: Line 88:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' '0'   option 'mobike' '0'
   option 'fragmentation' '1'   option 'fragmentation' '1'
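Review bot: the surrounding context lines still disagree with the options table: `option 'fragmentation' '1'` uses a numeric value, but the `fragmentation` row documents the string values "yes", "accept", "force" and "no", and `option 'mobike' '0'` similarly contradicts a table default of "yes". Since this commit is titled "Fix examples", bring these two lines into line with the table as well (or correct the table if the numeric form is what the UCI schema accepts).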
Line 99: Line 102:
 # we don't specify subnets because we're going to use XFRM-interfaced based routes instead # we don't specify subnets because we're going to use XFRM-interfaced based routes instead
 config 'tunnel' 'tun_soho' config 'tunnel' 'tun_soho'
-  option 'local_subnet' '0.0.0.0/0' +  list   'local_subnet' '0.0.0.0/0' 
-  option 'remote_subnet' '0.0.0.0/0'+  list   'remote_subnet' '0.0.0.0/0'
   option 'if_id' '357'   option 'if_id' '357'
   option 'rekeytime' '1h'   option 'rekeytime' '1h'
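Review bot: the comment "we don't specify subnets" is now contradicted by the two `list 'local_subnet' '0.0.0.0/0'` / `list 'remote_subnet' '0.0.0.0/0'` lines directly under it; say instead that the traffic selectors are set to 0.0.0.0/0 because routing is done via the XFRM interface, which is the actual design. Also fix "XFRM-interfaced based" to "XFRM-interface-based", and drop the trailing space after the first `'0.0.0.0/0'`.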
Line 222: Line 225:
 config 'remote' 'headquarters' config 'remote' 'headquarters'
   option 'enabled' '1'   option 'enabled' '1'
-  option 'local_leftip' '%any'+  option 'local_ip' '%any'
   option 'gateway' '6.6.6.6'   option 'gateway' '6.6.6.6'
   option 'local_identifier' 'C=US, O=Acme Corporation, CN=soho'   option 'local_identifier' 'C=US, O=Acme Corporation, CN=soho'
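Review bot: `option 'local_ip' '%any'` relies on `%any` being accepted for `local_ip`, but the `local_ip` table row only speaks of addresses, subnets or CIDRs; either document `%any` in that row or use a concrete address here so the example only uses documented values.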
Line 232: Line 235:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' 0   option 'mobike' 0
   list 'crypto_proposal' 'ike_proposal'   list 'crypto_proposal' 'ike_proposal'
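Review bot: `option 'mobike' 0` is the only unquoted value in the examples; the matching line in the first example is written `option 'mobike' '0'`. Quote it for consistency, and see the earlier comment about this value contradicting the table's "yes" default.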
Line 244: Line 247:
      
 config tunnel 'tun_headquarters' config tunnel 'tun_headquarters'
-  option 'local_subnet' '0.0.0.0/0' +  list   'local_subnet' '0.0.0.0/0' 
-  option 'remote_subnet' '0.0.0.0/0'+  list   'remote_subnet' '0.0.0.0/0'
   option 'if_id' '308'   option 'if_id' '308'
   option 'rekeytime' '1h'   option 'rekeytime' '1h'
   option 'startaction' 'trap'   option 'startaction' 'trap'
   option 'closeaction' 'none'   option 'closeaction' 'none'
 +  option 'dpdaction' 'restart'
   list 'crypto_proposal' 'esp_proposal'   list 'crypto_proposal' 'esp_proposal'
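Review bot: the added `option 'dpdaction' 'restart'` uses an option that no hunk in this diff adds to the tunnel options table (the table hunks document `closeaction`, `if_id`, `priority`, `ipcomp`, `hw_offload`); confirm `dpdaction` has a row with its accepted values so the example stays documented. Also, this block opens with `config tunnel 'tun_headquarters'` while the other example uses `config 'tunnel' 'tun_soho'`; quote the section type consistently.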
  
  • Last modified: 2024/12/01 18:36
  • by kevinoid