documentation:examples:gre_ipsec_and_openvpn

documentation:examples:gre_ipsec_and_openvpn [2020/09/15 16:21] – [Router 2] olivier
documentation:examples:gre_ipsec_and_openvpn [2022/07/08 12:43] – [Tunnel with IKEv2 (strongswan)] olivier
Line 1: Line 1:
 ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ====== ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ======
  
-This lab shows some VPN examples with BSDRP 1.97.+This lab shows some VPN examples with BSDRP 1.991.
  
 ===== Presentation ===== ===== Presentation =====
Line 254: Line 254:
 Take care of avoiding fragmentation, TCP-MSS should be reduced on a gif using inet6, like with this pf.conf example: Take care of avoiding fragmentation, TCP-MSS should be reduced on a gif using inet6, like with this pf.conf example:
 <code> <code>
-[root@VM2]~# cat /etc/pf.conf 
 set skip on lo0 set skip on lo0
 scrub on gif1 inet all max-mss 1200 scrub on gif1 inet all max-mss 1200
Line 685: Line 684:
  
 Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan.
- 
-Strongswan use Left (for Local) and Right (for Remote). 
  
 === Router 2 === === Router 2 ===
  
 Configure strongswan on VM2 with: Configure strongswan on VM2 with:
-  * IKEv2 +  * IKEv2 (version = 2) 
-  * Preshared-key +  * Preshared-key (psk) 
-  * Disabling Mobile IP +  * Disabling Mobile IP (mobike = no) 
-  * forcing the tunnel going UP (auto=start)+  * forcing the tunnel going UP (start_action trap)
   * configuring Dead-Peer-Detection at 5 seconds   * configuring Dead-Peer-Detection at 5 seconds
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF' +cat > /usr/local/etc/swanctl/conf.d/vm4.conf <<EOF 
-config setup +connections { 
- +  net-net { 
-conn %default +    local_addrs = 10.0.23.2 
-     authby=secret +    remote_addrs 10.0.34.4 
-     keyexchange=ikev2 +    local { 
-     mobike=no +      auth psk 
-     dpdaction=restart +      id = vm2 
-     dpddelay=5+    } 
 +    remote { 
 +      auth = psk 
 +      id = vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        local_ts  = 10.0.12.0/24 
 +        remote_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +    dpd_delay 5s 
 +  } 
 +}
  
-conn VM4 +secrets { 
-    left=10.0.23.2 +  ike-1 { 
-    leftsubnet=10.0.12.0/24 +    id-1 vm4 
-    leftid=VM2 +    secret "This is a strong password" 
-    right=10.0.34.4 +  } 
-    rightsubnet=10.0.45.0/24 +} 
-    rightid=VM4 +EOF
-    auto=start +
-'EOF'+
 </code> </code>
  
-Then define the password to use for the remote site:+Enable strongswan:
  
 <code> <code>
-cat > /usr/local/etc/ipsec.secrets <<'EOF' +service strongswan enable 
-VM4 VM2 : PSK "This is a strong password" +service strongswan restart
-'EOF'+
 </code> </code>
  
-Enable strongswan: +And check if it correctly loaded its configuration:
 <code> <code>
-sysrc strongswan_enable=YES +root@VM2:~ # swanctl --list-conns 
-service strongswan restart+net-net: IKEv2, no reauthentication, rekeying every 14400s 
 +  local:  10.0.23.2 
 +  remote: 10.0.34.4 
 +  local pre-shared key authentication: 
 +    id: vm2 
 +  remote pre-shared key authentication: 
 +    id: vm4 
 +  net-net: TUNNEL, rekeying every 3600s 
 +    local:  10.0.12.0/24 
 +    remote: 10.0.45.0/24
 </code> </code>
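Review bot: the new Router 2 block mixes two syntaxes for the same thing: `remote_addrs 10.0.34.4`, `auth psk`, `dpd_delay 5s`, `id-1 vm4` and `secret "This is a strong password"` omit the `=` that every other setting in this block (and the whole Router 4 block) uses. swanctl.conf is written as `key = value`, so these five lines should become e.g. `remote_addrs = 10.0.34.4`, `dpd_delay = 5s`, `id-1 = vm4` so that a reader pasting the heredoc gets a file that parses the same way on both routers. Two behavioural points in the same hunk: the bullet still says "forcing the tunnel going UP (start_action trap)", but `start_action = trap` only installs a trap policy and negotiates on the first matching packet; the old `auto=start` semantics are `start_action = start`, so either the bullet or the setting should change. And the removed `dpdaction=restart` has no counterpart in the new config (`dpd_delay = 5s` alone only sends the probes); if the restart-on-dead-peer behaviour is still wanted, add `dpd_action = restart` inside the `children { net-net { ... } }` section.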
  
Line 740: Line 758:
   * Preshared-key   * Preshared-key
   * Disabling Mobile IP   * Disabling Mobile IP
-  * automatic traffic detection (auto=route)+  * automatic traffic detection
   * configuring Dead-Peer-Detection at 5 seconds   * configuring Dead-Peer-Detection at 5 seconds
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF' +cat > /usr/local/etc/swanctl/conf.d/vm2.conf <<EOF 
-config setup+connections { 
 +  net-net { 
 +    remote_addrs = 10.0.23.2 
 +    local_addrs = 10.0.34.4 
 +    remote { 
 +      auth = psk 
 +      id = vm2 
 +    } 
 +    local { 
 +      auth = psk 
 +      id = vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        remote_ts  = 10.0.12.0/24 
 +        local_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +    dpd_delay = 5s 
 +  } 
 +}
  
-conn %default +secrets { 
-    authby=secret +  ike-1 { 
-    keyexchange=ikev2 +    id-1 vm2 
-    mobike=no +    secret "This is a strong password" 
-    dpdaction=restart +  } 
-    dpddelay=5 +} 
-conn VM2 +EOF
-    left=10.0.34.4 +
-    leftsubnet=10.0.45.0/24 +
-    leftid=VM4 +
-    right=10.0.23.2 +
-    rightsubnet=10.0.12.0/24 +
-    rightid=VM2 +
-    auto=route +
-'EOF+
-</code>+
  
-Then define the password to use for the remote site: 
- 
-<code> 
-cat > /usr/local/etc/ipsec.secrets <<'EOF' 
-VM4 VM2 : PSK "This is a strong password" 
-'EOF' 
 </code> </code>
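Review bot: the `secrets` block has the same `=` omission as Router 2 (`id-1 vm2` and `secret "This is a strong password"`), while the `connections` block above it is written consistently as `key = value`; align the two lines (`id-1 = vm2`, `secret = "..."`) so the secret is loaded the same way on both hosts. The bullet list also lost its hint: "automatic traffic detection" replaced "automatic traffic detection (auto=route)", but the Router 2 list in this same revision annotates each bullet with the swanctl key; adding "(start_action = trap)" here keeps the two router sections symmetrical and tells the reader which setting implements the bullet. Removing the old `'EOF` heredoc terminator (which was missing its closing quote) is a welcome side effect of the rewrite.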
  
Line 775: Line 801:
  
 <code> <code>
-sysrc strongswan_enable=YES+service strongswan enable
 service strongswan restart service strongswan restart
 +</code>
 +
 +And check the status:
 +<code>
 +root@VM4: # swanctl --list-conns
 +net-net: IKEv2, no reauthentication, rekeying every 14400s
 +  local:  10.0.34.4
 +  remote: 10.0.23.2
 +  local pre-shared key authentication:
 +    id: vm4
 +  remote pre-shared key authentication:
 +    id: vm2
 +  net-net: TUNNEL, rekeying every 3600s
 +    local:  10.0.45.0/24
 +    remote: 10.0.12.0/24
 +
 +root@VM4: # grep charon /var/log/daemon.log
 +Jul  8 12:39:44 router charon[79963]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, FreeBSD 14.0-CURRENT, amd64)
 +Jul  8 12:39:44 router charon[79963]: 00[KNL] unable to set UDP_ENCAP: Invalid argument
 +Jul  8 12:39:44 router charon[79963]: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG]   loaded IKE secret for VM4 VM2
 +Jul  8 12:39:44 router charon[79963]: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation co
 +nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf
 +key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit
 +elist addrblock counters
 +Jul  8 12:39:44 router charon[79963]: 00[JOB] spawning 16 worker threads
 +Jul  8 12:39:45 router charon[79963]: 13[CFG] loaded IKE shared key with id 'ike-1' for: 'vm2'
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] added vici connection: net-net
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] installing 'net-net'
 </code> </code>
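Review bot: "check the status" is shown with `swanctl --list-conns`, which only lists the loaded configuration, and the log ends at "installing 'net-net'" (the trap policy), so nothing in this hunk shows that an IKE or CHILD SA was actually negotiated; add `swanctl --list-sas` after sending traffic across 10.0.45.0/24 <-> 10.0.12.0/24 so the reader can confirm the tunnel came up. The log also exposes leftover state from the previous revision: "loading secrets from '/usr/local/etc/ipsec.secrets'" followed by "loaded IKE secret for VM4 VM2" means the legacy ipsec.secrets created by the old instructions is still present and still loaded via the stroke plugin alongside the new swanctl secret; the revised steps never remove /usr/local/etc/ipsec.conf and /usr/local/etc/ipsec.secrets, so a short cleanup step (or a note that these lines should not appear on a fresh install) would avoid two competing secret sources. Finally, "unable to set UDP_ENCAP: Invalid argument" / "enabling UDP decapsulation for IPv6 on port 4500 failed" will be read as an error by many readers; one sentence stating whether this is expected on this FreeBSD build or something to fix would help.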
  
documentation/examples/gre_ipsec_and_openvpn.txt · Last modified: 2023/07/10 12:40 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause