documentation:examples:gre_ipsec_and_openvpn

documentation:examples:gre_ipsec_and_openvpn [2020/09/14 21:57] – [Router 4] olivier
documentation:examples:gre_ipsec_and_openvpn [2022/07/08 12:40] – [Tunnel with IKEv2 (strongswan)] olivier
Line 1: Line 1:
 ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ====== ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ======
  
-This lab shows some VPN examples with BSDRP 1.97.+This lab shows some VPN examples with BSDRP 1.991.
  
 ===== Presentation ===== ===== Presentation =====
Line 250: Line 250:
 service routing restart service routing restart
 config save config save
 +</code>
 +
 +Take care of avoiding fragmentation, TCP-MSS should be reduced on a gif using inet6, like with this pf.conf example:
 +<code>
 +set skip on lo0
 +scrub on gif1 inet all max-mss 1200
 +scrub on gif1 inet6 all max-mss 1180
 +pass
 </code> </code>
 ==== Router 4 ==== ==== Router 4 ====
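Review bot: the added pf.conf block clamps MSS but nothing in the hunk enables pf, so a reader who pastes it after `config save` has not activated anything yet; suggest adding `service pf enable` and `service pf start` (or `pfctl -f /etc/pf.conf` to reload an already running pf) right after the snippet. The closing bare `pass` makes the ruleset allow everything, which is fine for a lab but worth one sentence so nobody copies it into a production edge. The sentence above the block only mentions inet6, while the rules clamp both the IPv4 (`max-mss 1200`) and IPv6 (`max-mss 1180`) payloads carried inside the IPv6 gif tunnel; stating that both families are covered would avoid confusion.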
Line 676: Line 684:
  
 Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan.
- 
-Strongswan use Left (for Local) and Right (for Remote). 
  
 === Router 2 === === Router 2 ===
Line 689: Line 695:
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF' +cat > /usr/local/etc/swanctl/conf.d/vm4.conf <<EOF 
-config setup +connections { 
- +  net-net { 
-conn %default +    local_addrs = 10.0.23.2 
-     authby=secret +    remote_addrs 10.0.34.4 
-     keyexchange=ikev2 +    local { 
-     mobike=no +      auth psk 
-     dpdaction=restart +      id vm2 
-     dpddelay=5+    } 
 +    remote { 
 +      auth psk 
 +      id vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        local_ts  = 10.0.12.0/24 
 +        remote_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +  } 
 +}
  
-conn VM4 +secrets { 
-    left=10.0.23.2 +  ike-1 { 
-    leftsubnet=10.0.12.0/24 +    id-1 vm4 
-    leftid=VM2 +    secret "This is a strong password" 
-    right=10.0.34.4 +  } 
-    rightsubnet=10.0.45.0/24 +} 
-    rightid=VM4 +EOF
-    auto=start +
-'EOF'+
 </code> </code>
  
-Then define the password to use for the remote site:+Enable strongswan:
  
 <code> <code>
-cat > /usr/local/etc/ipsec.secrets <<'EOF' +service strongswan enable 
-VM4 VM2 : PSK "This is a strong password" +service strongswan restart
-'EOF'+
 </code> </code>
  
-Enable strongswan: +And check if it correctly loaded its configuration:
 <code> <code>
-sysrc strongswan_enable=YES +root@VM2:~ # swanctl --list-conns 
-service strongswan restart+net-net: IKEv2, no reauthentication, rekeying every 14400s 
 +  local:  10.0.23.2 
 +  remote: 10.0.34.4 
 +  local pre-shared key authentication: 
 +    id: vm2 
 +  remote pre-shared key authentication: 
 +    id: vm4 
 +  net-net: TUNNEL, rekeying every 3600s 
 +    local:  10.0.12.0/24 
 +    remote: 10.0.45.0/24
 </code> </code>
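Review bot: the Router 2 swanctl.conf block mixes `key = value` with bare `key value`: `remote_addrs 10.0.34.4`, both `auth psk` lines, both `id ...` lines, `id-1 vm4` and `secret "This is a strong password"` are all missing the `=` that the swanctl.conf parser requires, while `local_addrs = 10.0.23.2`, `local_ts = ...` and the Router 4 block in the next hunk (`auth = psk`, `id = vm2`) use it; as written the file will not load. Suggest `remote_addrs = 10.0.34.4`, `auth = psk`, `id = vm2`, `id-1 = vm4` and `secret = "This is a strong password"`. Two smaller points: the heredoc changed from `<<'EOF'` to an unquoted `<<EOF`, harmless with this content but worth keeping quoted so a future `$` in a secret is not expanded by the shell; and the old VM2 config used `auto=start` whereas `start_action = trap` corresponds to the previous `auto=route`, so the tunnel now comes up on first matching traffic rather than at daemon start, which deserves a sentence in the text.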
  
Line 735: Line 761:
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF' +cat > /usr/local/etc/swanctl/conf.d/vm2.conf <<EOF 
-config setup+connections { 
 +  net-net { 
 +    remote_addrs = 10.0.23.2 
 +    local_addrs = 10.0.34.4 
 +    remote { 
 +      auth = psk 
 +      id = vm2 
 +    } 
 +    local { 
 +      auth = psk 
 +      id = vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        remote_ts  = 10.0.12.0/24 
 +        local_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +  } 
 +}
  
-conn %default +secrets { 
-    authby=secret +  ike-1 { 
-    keyexchange=ikev2 +    id-1 vm2 
-    mobike=no +    secret "This is a strong password" 
-    dpdaction=restart +  } 
-    dpddelay=5 +} 
-conn VM2 +EOF
-    left=10.0.34.4 +
-    leftsubnet=10.0.45.0/24 +
-    leftid=VM4 +
-    right=10.0.23.2 +
-    rightsubnet=10.0.12.0/24 +
-    rightid=VM2 +
-    auto=route +
-'EOF+
-</code>+
  
-Then define the password to use for the remote site: 
- 
-<code> 
-cat > /usr/local/etc/ipsec.secrets <<'EOF' 
-VM4 VM2 : PSK "This is a strong password" 
-'EOF' 
 </code> </code>
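Review bot: in the `secrets` section of the Router 4 block, `id-1 vm2` and `secret "This is a strong password"` lack the `=` used everywhere else in the same file (`auth = psk`, `id = vm2`, `remote_ts = ...`); they should read `id-1 = vm2` and `secret = "This is a strong password"`. Since the PSK now lives in `swanctl/conf.d/vm2.conf`, the removed "Then define the password" step should be replaced by a line telling readers that `/usr/local/etc/ipsec.secrets` is no longer where the key comes from, so the password is not kept in two files.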
  
Line 766: Line 799:
  
 <code> <code>
-sysrc strongswan_enable=YES+service strongswan enable
 service strongswan restart service strongswan restart
 +</code>
 +
 +And check the status:
 +<code>
 +root@VM4: # swanctl --list-conns
 +net-net: IKEv2, no reauthentication, rekeying every 14400s
 +  local:  10.0.34.4
 +  remote: 10.0.23.2
 +  local pre-shared key authentication:
 +    id: vm4
 +  remote pre-shared key authentication:
 +    id: vm2
 +  net-net: TUNNEL, rekeying every 3600s
 +    local:  10.0.45.0/24
 +    remote: 10.0.12.0/24
 +
 +root@VM4: # grep charon /var/log/daemon.log
 +Jul  8 12:39:44 router charon[79963]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, FreeBSD 14.0-CURRENT, amd64)
 +Jul  8 12:39:44 router charon[79963]: 00[KNL] unable to set UDP_ENCAP: Invalid argument
 +Jul  8 12:39:44 router charon[79963]: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG]   loaded IKE secret for VM4 VM2
 +Jul  8 12:39:44 router charon[79963]: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation co
 +nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf
 +key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit
 +elist addrblock counters
 +Jul  8 12:39:44 router charon[79963]: 00[JOB] spawning 16 worker threads
 +Jul  8 12:39:45 router charon[79963]: 13[CFG] loaded IKE shared key with id 'ike-1' for: 'vm2'
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] added vici connection: net-net
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] installing 'net-net'
 </code> </code>
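Review bot: the pasted charon log shows `loading secrets from '/usr/local/etc/ipsec.secrets'` followed by `loaded IKE secret for VM4 VM2`, i.e. the `ipsec.secrets` from the previous revision of this howto is still present on the box and still being read next to the new `ike-1` secret loaded via vici; the text should tell readers to delete the old `ipsec.conf` and `ipsec.secrets` (or state that they are ignored) so the PSK exists in exactly one place. The `unable to set UDP_ENCAP` and `UDP decapsulation for IPv6 ... failed` lines are not relevant to this IPv4-addressed lab and a one-line remark would stop readers chasing them. Formatting: the `loaded plugins:` line is wrapped mid-word (`co`/`nstraints`, `kernel-pf`/`key`, `whit`/`elist`) and should be re-joined or trimmed, and the prompt `root@VM4: #` is missing the `~` that the VM2 transcript shows.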
  
documentation/examples/gre_ipsec_and_openvpn.txt · Last modified: 2023/07/10 12:40 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause