Differences

This shows you the differences between two versions of the page.

--- documentation:examples:gre_ipsec_and_openvpn [2020/09/14 21:57] – [Router 4] olivier
+++ documentation:examples:gre_ipsec_and_openvpn [2022/07/08 12:40] – [Tunnel with IKEv2 (strongswan)] olivier
@@ Line 1: / Line 1: @@
 ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ======
-This lab shows some VPN examples with BSDRP 1.97.
+This lab shows some VPN examples with BSDRP 1.991.
 ===== Presentation =====
@@ Line 250: / Line 250: @@
 service routing restart
 config save
+</code>
+Take care of avoiding fragmentation, TCP-MSS should be reduced on a gif using inet6, like with this pf.conf example:
+<code>
+set skip on lo0
+scrub on gif1 inet all max-mss 1200
+scrub on gif1 inet6 all max-mss 1180
+pass
 </code>
 ==== Router 4 ====
@@ Line 676: / Line 684: @@
 Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan.
-Strongswan use Left (for Local) and Right (for Remote).
 === Router 2 ===
@@ Line 689: / Line 695: @@
 <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF'
+cat > /usr/local/etc/swanctl/conf.d/vm4.conf <<EOF
-config setup
+connections {
+  net-net {
-conn %default
+    local_addrs = 10.0.23.2
-     authby=secret
+    remote_addrs = 10.0.34.4
-     keyexchange=ikev2
+    local {
-     mobike=no
+      auth = psk
-     dpdaction=restart
+      id = vm2
-     dpddelay=5
+    }
+    remote {
+      auth = psk
+      id = vm4
+    }
+    children {
+      net-net {
+        local_ts  = 10.0.12.0/24
+        remote_ts = 10.0.45.0/24
+        start_action = trap
+      }
+    }
+    version = 2
+    mobike = no
+  }
+}
-conn VM4
+secrets {
-    left=10.0.23.2
+  ike-1 {
-    leftsubnet=10.0.12.0/24
+    id-1 = vm4
-    leftid=VM2
+    secret = "This is a strong password"
-    right=10.0.34.4
+  }
-    rightsubnet=10.0.45.0/24
+}
-    rightid=VM4
+EOF
-    auto=start
-'EOF'
 </code>
-Then define the password to use for the remote site:
+Enable strongswan:
 <code>
-cat > /usr/local/etc/ipsec.secrets <<'EOF'
+service strongswan enable
-VM4 VM2 : PSK "This is a strong password"
+service strongswan restart
-'EOF'
 </code>
-Enable strongswan:
+And check if it correctly loaded its configuration:
 <code>
-sysrc strongswan_enable=YES
+root@VM2:~ # swanctl --list-conns
-service strongswan restart
+net-net: IKEv2, no reauthentication, rekeying every 14400s
+  local:  10.0.23.2
+  remote: 10.0.34.4
+  local pre-shared key authentication:
+    id: vm2
+  remote pre-shared key authentication:
+    id: vm4
+  net-net: TUNNEL, rekeying every 3600s
+    local:  10.0.12.0/24
+    remote: 10.0.45.0/24
 </code>
@@ Line 735: / Line 761: @@
 <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF'
+cat > /usr/local/etc/swanctl/conf.d/vm2.conf <<EOF
-config setup
+connections {
+  net-net {
+    remote_addrs = 10.0.23.2
+    local_addrs = 10.0.34.4
+    remote {
+      auth = psk
+      id = vm2
+    }
+    local {
+      auth = psk
+      id = vm4
+    }
+    children {
+      net-net {
+        remote_ts  = 10.0.12.0/24
+        local_ts = 10.0.45.0/24
+        start_action = trap
+      }
+    }
+    version = 2
+    mobike = no
+  }
+}
-conn %default
+secrets {
-    authby=secret
+  ike-1 {
-    keyexchange=ikev2
+    id-1 = vm2
-    mobike=no
+    secret = "This is a strong password"
-    dpdaction=restart
+  }
-    dpddelay=5
+}
-conn VM2
+EOF
-    left=10.0.34.4
-    leftsubnet=10.0.45.0/24
-    leftid=VM4
-    right=10.0.23.2
-    rightsubnet=10.0.12.0/24
-    rightid=VM2
-    auto=route
-'EOF'
-</code>
-Then define the password to use for the remote site:
-<code>
-cat > /usr/local/etc/ipsec.secrets <<'EOF'
-VM4 VM2 : PSK "This is a strong password"
-'EOF'
 </code>
@@ Line 766: / Line 799: @@
 <code>
-sysrc strongswan_enable=YES
+service strongswan enable
 service strongswan restart
+</code>
+And check the status:
+<code>
+root@VM4: # swanctl --list-conns
+net-net: IKEv2, no reauthentication, rekeying every 14400s
+  local:  10.0.34.4
+  remote: 10.0.23.2
+  local pre-shared key authentication:
+    id: vm4
+  remote pre-shared key authentication:
+    id: vm2
+  net-net: TUNNEL, rekeying every 3600s
+    local:  10.0.45.0/24
+    remote: 10.0.12.0/24
+root@VM4: # grep charon /var/log/daemon.log
+Jul  8 12:39:44 router charon[79963]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, FreeBSD 14.0-CURRENT, amd64)
+Jul  8 12:39:44 router charon[79963]: 00[KNL] unable to set UDP_ENCAP: Invalid argument
+Jul  8 12:39:44 router charon[79963]: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
+Jul  8 12:39:44 router charon[79963]: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
+Jul  8 12:39:44 router charon[79963]: 00[CFG]   loaded IKE secret for VM4 VM2
+Jul  8 12:39:44 router charon[79963]: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation co
+nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf
+key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit
+elist addrblock counters
+Jul  8 12:39:44 router charon[79963]: 00[JOB] spawning 16 worker threads
+Jul  8 12:39:45 router charon[79963]: 13[CFG] loaded IKE shared key with id 'ike-1' for: 'vm2'
+Jul  8 12:39:45 router charon[79963]: 12[CFG] added vici connection: net-net
+Jul  8 12:39:45 router charon[79963]: 12[CFG] installing 'net-net'
 </code>