documentation:examples:gre_ipsec_and_openvpn
Differences
documentation:examples:gre_ipsec_and_openvpn [2020/09/14 21:57] – [Router 4] olivier | documentation:examples:gre_ipsec_and_openvpn [2022/07/08 12:40] – [Tunnel with IKEv2 (strongswan)] olivier | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ====== | ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ====== | ||
- | This lab shows some VPN examples with BSDRP 1.97. | + | This lab shows some VPN examples with BSDRP 1.991. |
===== Presentation ===== | ===== Presentation ===== | ||
Line 250: | Line 250: | ||
service routing restart | service routing restart | ||
config save | config save | ||
+ | </ | ||
+ | |||
+ | Take care of avoiding fragmentation, | ||
+ | < | ||
+ | set skip on lo0 | ||
+ | scrub on gif1 inet all max-mss 1200 | ||
+ | scrub on gif1 inet6 all max-mss 1180 | ||
+ | pass | ||
</ | </ | ||
==== Router 4 ==== | ==== Router 4 ==== | ||
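Review bot: the explanation added at `Take care of avoiding fragmentation,` stops before it says where the two max-mss values come from; the text should state the overhead being subtracted (outer IP header plus the GIF and IPsec encapsulation) so a reader can adjust `max-mss 1200` / `max-mss 1180` for a different path MTU. The 20-byte gap between the inet and inet6 values matches the larger IPv6 header, so the two numbers are at least consistent with each other. It is also worth saying next to the snippet that the trailing bare `pass` is a permit-everything filter policy and that these lines only demonstrate MSS clamping on gif1 (in the order pf.conf requires: `set`, `scrub`, then filter rules), not a complete ruleset.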
Line 676: | Line 684: | ||
Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. | Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. | ||
- | |||
- | Strongswan use Left (for Local) and Right (for Remote). | ||
=== Router 2 === | === Router 2 === | ||
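Review bot: dropping `Strongswan use Left (for Local) and Right (for Remote).` is the right call now that the configuration below uses swanctl.conf `local` / `remote` sections, but the remaining sentence still writes the project name as `Strongswan` and `strongswan` in the same line; the project spells it strongSwan, and one spelling should be used throughout this section. Consider replacing the removed sentence with one line saying that the separate "define the password" step is gone because the pre-shared key now lives in the `secrets` block of the same swanctl.conf, since nothing else on the page explains why that step disappears.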
Line 689: | Line 695: | ||
< | < | ||
- | cat > / | + | cat > / |
- | config setup | + | connections { |
- | + | | |
- | conn %default | + | |
- | authby=secret | + | |
- | keyexchange=ikev2 | + | local { |
- | mobike=no | + | |
- | dpdaction=restart | + | |
- | dpddelay=5 | + | } |
+ | remote { | ||
+ | | ||
+ | | ||
+ | } | ||
+ | children { | ||
+ | net-net { | ||
+ | local_ts | ||
+ | remote_ts = 10.0.45.0/ | ||
+ | start_action = trap | ||
+ | } | ||
+ | } | ||
+ | version = 2 | ||
+ | mobike = no | ||
+ | } | ||
+ | } | ||
- | conn VM4 | + | secrets { |
- | | + | ike-1 { |
- | | + | |
- | | + | |
- | | + | } |
- | | + | } |
- | rightid=VM4 | + | EOF |
- | auto=start | + | |
- | 'EOF' | + | |
</ | </ | ||
- | Then define the password to use for the remote site: | + | Enable strongswan: |
< | < | ||
- | cat > / | + | service strongswan enable |
- | VM4 VM2 : PSK "This is a strong password" | + | service strongswan restart |
- | ' | + | |
</ | </ | ||
- | Enable strongswan: | + | And check if it correctly loaded its configuration: |
< | < | ||
- | sysrc strongswan_enable=YES | + | root@VM2:~ # swanctl --list-conns |
- | service strongswan restart | + | net-net: IKEv2, no reauthentication, |
+ | local: | ||
+ | remote: 10.0.34.4 | ||
+ | local pre-shared key authentication: | ||
+ | id: vm2 | ||
+ | remote pre-shared key authentication: | ||
+ | id: vm4 | ||
+ | net-net: TUNNEL, rekeying every 3600s | ||
+ | local: | ||
+ | remote: 10.0.45.0/ | ||
</ | </ | ||
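Review bot: the heredoc terminator changed from the quoted `'EOF'` in the old version to an unquoted `EOF` after the `secrets` block. With an unquoted delimiter the shell expands `$`, backquotes and backslashes inside the body, so a pre-shared key containing any of those characters would be silently altered before it reaches swanctl.conf; keep the quoted `'EOF'` form the old version used. Second, the old VM4 connection used `auto=start` while the new `net-net` child uses `start_action = trap`, so Router 2 no longer initiates at startup but waits for a packet matching `local_ts` / `remote_ts`; the text should say so, because the `swanctl --list-conns` check that follows only confirms the configuration loaded, not that an SA exists (`swanctl --list-sas` after sending traffic across the tunnel would show that). Finally, the identities changed from `VM4` / `VM2` to `vm2` / `vm4` (`id: vm2`, `id: vm4` in the listing), which matches the Router 4 hunk; just make sure any remaining prose uses the lowercase form.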
Line 735: | Line 761: | ||
< | < | ||
- | cat > / | + | cat > / |
- | config setup | + | connections { |
+ | net-net { | ||
+ | remote_addrs = 10.0.23.2 | ||
+ | local_addrs = 10.0.34.4 | ||
+ | remote { | ||
+ | auth = psk | ||
+ | id = vm2 | ||
+ | } | ||
+ | local { | ||
+ | auth = psk | ||
+ | id = vm4 | ||
+ | } | ||
+ | children { | ||
+ | net-net { | ||
+ | remote_ts | ||
+ | local_ts = 10.0.45.0/ | ||
+ | start_action = trap | ||
+ | } | ||
+ | } | ||
+ | version = 2 | ||
+ | mobike = no | ||
+ | } | ||
+ | } | ||
- | conn %default | + | secrets { |
- | | + | ike-1 { |
- | | + | |
- | | + | |
- | | + | } |
- | | + | } |
- | conn VM2 | + | EOF |
- | left=10.0.34.4 | + | |
- | leftsubnet=10.0.45.0/ | + | |
- | leftid=VM4 | + | |
- | right=10.0.23.2 | + | |
- | rightsubnet=10.0.12.0/ | + | |
- | rightid=VM2 | + | |
- | auto=route | + | |
- | 'EOF' | + | |
- | </ | + | |
- | Then define the password to use for the remote site: | ||
- | |||
- | < | ||
- | cat > / | ||
- | VM4 VM2 : PSK "This is a strong password" | ||
- | ' | ||
</ | </ | ||
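Review bot: same unquoted `EOF` terminator as in the Router 2 hunk: the old version ended the heredoc with `'EOF'`, the new one with `EOF`, so a PSK containing `$` or backquotes would be mangled by the shell; restore the quoted form. Unlike Router 2, the mapping here is behaviour-preserving, since the old `auto=route` corresponds to the new `start_action = trap`. Because both routers now use `trap`, neither side initiates until traffic hits the policy, which the page should state explicitly beside the config. Removing the `Then define the password to use for the remote site:` step is fine given the `secrets { ike-1 { ... } }` block in the same file, but the Router 4 text should still point out that the secret must be identical to the one configured on Router 2.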
Line 766: | Line 799: | ||
< | < | ||
- | sysrc strongswan_enable=YES | + | service strongswan enable |
service strongswan restart | service strongswan restart | ||
+ | </ | ||
+ | |||
+ | And check the status: | ||
+ | < | ||
+ | root@VM4: # swanctl --list-conns | ||
+ | net-net: IKEv2, no reauthentication, | ||
+ | local: | ||
+ | remote: 10.0.23.2 | ||
+ | local pre-shared key authentication: | ||
+ | id: vm4 | ||
+ | remote pre-shared key authentication: | ||
+ | id: vm2 | ||
+ | net-net: TUNNEL, rekeying every 3600s | ||
+ | local: | ||
+ | remote: 10.0.12.0/ | ||
+ | |||
+ | root@VM4: # grep charon / | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf | ||
+ | key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit | ||
+ | elist addrblock counters | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
</ | </ | ||
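Review bot: the added status check is `swanctl --list-conns` plus a `grep charon` over the log, but neither shows that the tunnel works: `--list-conns` only lists loaded configuration, and the quoted charon lines (all at 12:39:44 and 12:39:45) are daemon start-up output, including a plugin list wrapped over three lines (`... kernel-pf` / `key kernel-pfroute resolve ...` / `elist addrblock counters`) that adds nothing for the reader. Suggest trimming the log excerpt to the lines that matter and adding `swanctl --list-sas` after generating traffic between the two subnets so an established IKE_SA and CHILD_SA are visible. Two small consistency points: the prompt is `root@VM4: #` here but `root@VM2:~ #` in the Router 2 hunk, and the syslog hostname in the charon lines is `router` rather than VM4, which may confuse readers following the lab on the named VMs.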
documentation/examples/gre_ipsec_and_openvpn.txt · Last modified: 2023/07/10 12:40 by olivier