documentation:examples:gre_ipsec_and_openvpn
Differences

This shows you the differences between two versions of the page.
Previous revision: documentation:examples:gre_ipsec_and_openvpn [2022/07/08 11:59] – [Tunnel with IKEv2 (strongswan)] olivier
Next revision: documentation:examples:gre_ipsec_and_openvpn [2022/07/08 12:48] – [Tunnel with IKEv2 (strongswan)] olivier
Line 1: Line 1:
 ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ====== ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ======
  
-This lab shows some VPN examples with BSDRP 1.97.+This lab shows some VPN examples with BSDRP 1.991.
  
 ===== Presentation ===== ===== Presentation =====
Line 684: Line 684:
  
 Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan.
- 
-Strongswan use Left (for Local) and Right (for Remote). 
  
 === Router 2 === === Router 2 ===
  
 Configure strongswan on VM2 with: Configure strongswan on VM2 with:
-  * IKEv2 +  * IKEv2 (version = 2) 
-  * Preshared-key +  * Preshared-key (psk) 
-  * Disabling Mobile IP +  * Disabling Mobile IP (mobike = no) 
-  * forcing the tunnel going UP (auto=start)+  * forcing the tunnel going UP (start_action trap)
   * configuring Dead-Peer-Detection at 5 seconds   * configuring Dead-Peer-Detection at 5 seconds
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<EOF +cat > /usr/local/etc/swanctl/conf.d/vm4.conf <<EOF 
-config setup+connections { 
 +  net-net { 
 +    local_addrs = 10.0.23.2 
 +    remote_addrs = 10.0.34.4 
 +    local { 
 +      auth = psk 
 +      id = vm2 
 +    } 
 +    remote { 
 +      auth = psk 
 +      id = vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        local_ts  = 10.0.12.0/24 
 +        remote_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +    dpd_delay = 5s 
 +  } 
 +}
  
-conn %default +secrets { 
-     authby=secret +  ike-1 { 
-     keyexchange=ikev2 +    id-1 vm4 
-     mobike=no +    secret = "This is a strong password" 
-     dpdaction=restart +  } 
-     dpddelay=5 +}
- +
-conn VM4 +
-    left=10.0.23.2 +
-    leftsubnet=10.0.12.0/24 +
-    leftid=VM2 +
-    right=10.0.34.4 +
-    rightsubnet=10.0.45.0/24 +
-    rightid=VM4 +
-    auto=start +
-EOF +
-</code> +
- +
-Then define the password to use for the remote site: +
- +
-<code> +
-cat > /usr/local/etc/ipsec.secrets <<EOF +
-VM4 VM2 : PSK "This is a strong password"+
 EOF EOF
 </code> </code>
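Review bot: the bullet "forcing the tunnel going UP (start_action trap)" does not describe what the config does: `start_action = trap` only installs a trap policy and negotiates the CHILD_SA when the first packet matching `local_ts`/`remote_ts` appears, which is exactly what the VM4 side calls "automatic traffic detection"; to force the tunnel up as soon as the config is loaded the setting is `start_action = start`, so either change the bullet or the setting. Also, in the `secrets` block `id-1 vm4` has no `=` while the next line `secret = "This is a strong password"` does; swanctl.conf settings are written `key = value`, so write `id-1 = vm4`.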
Line 731: Line 735:
 service strongswan enable service strongswan enable
 service strongswan restart service strongswan restart
 +</code>
 +
 +And check if it correctly loaded its configuration:
 +<code>
 +root@VM2:~ # swanctl --list-conns
 +net-net: IKEv2, no reauthentication, rekeying every 14400s
 +  local:  10.0.23.2
 +  remote: 10.0.34.4
 +  local pre-shared key authentication:
 +    id: vm2
 +  remote pre-shared key authentication:
 +    id: vm4
 +  net-net: TUNNEL, rekeying every 3600s
 +    local:  10.0.12.0/24
 +    remote: 10.0.45.0/24
 </code> </code>
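Review bot: `swanctl --list-conns` only proves that the connection was loaded, not that an SA exists; with `start_action = trap` nothing is negotiated until traffic hits the policy, so the check should be followed (after sending a packet from 10.0.12.0/24 towards 10.0.45.0/24) by `swanctl --list-sas` to show the established IKE_SA and CHILD_SA.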
  
Line 739: Line 758:
   * Preshared-key   * Preshared-key
   * Disabling Mobile IP   * Disabling Mobile IP
-  * automatic traffic detection (auto=route)+  * automatic traffic detection
   * configuring Dead-Peer-Detection at 5 seconds   * configuring Dead-Peer-Detection at 5 seconds
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<EOF +cat > /usr/local/etc/swanctl/conf.d/vm2.conf <<EOF 
-config setup+connections { 
 +  net-net { 
 +    remote_addrs = 10.0.23.2 
 +    local_addrs = 10.0.34.4 
 +    remote { 
 +      auth = psk 
 +      id = vm2 
 +    } 
 +    local { 
 +      auth = psk 
 +      id = vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        remote_ts  = 10.0.12.0/24 
 +        local_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +    dpd_delay = 5s 
 +  } 
 +}
  
-conn %default +secrets { 
-    authby=secret +  ike-1 { 
-    keyexchange=ikev2 +    id-1 vm2 
-    mobike=no +    secret "This is a strong password" 
-    dpdaction=restart +  } 
-    dpddelay=5 +}
-conn VM2 +
-    left=10.0.34.4 +
-    leftsubnet=10.0.45.0/24 +
-    leftid=VM4 +
-    right=10.0.23.2 +
-    rightsubnet=10.0.12.0/24 +
-    rightid=VM2 +
-    auto=route+
 EOF EOF
-</code> 
- 
-Then define the password to use for the remote site: 
  
-<code> 
-cat > /usr/local/etc/ipsec.secrets <<EOF 
-VM4 VM2 : PSK "This is a strong password" 
-EOF 
 </code> </code>
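Review bot: the `secrets` block is inconsistent with the VM2 side and with swanctl.conf syntax: `id-1 vm2` and `secret "This is a strong password"` both lack the `=` that the VM2 file uses on `secret = ...`; since settings are `key = value`, write `id-1 = vm2` and `secret = "This is a strong password"` so both routers use the same form.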
  
Line 776: Line 803:
 service strongswan enable service strongswan enable
 service strongswan restart service strongswan restart
 +</code>
 +
 +And check the status:
 +<code>
 +root@VM4: # swanctl --list-conns
 +net-net: IKEv2, no reauthentication, rekeying every 14400s
 +  local:  10.0.34.4
 +  remote: 10.0.23.2
 +  local pre-shared key authentication:
 +    id: vm4
 +  remote pre-shared key authentication:
 +    id: vm2
 +  net-net: TUNNEL, rekeying every 3600s
 +    local:  10.0.45.0/24
 +    remote: 10.0.12.0/24
 +
 +root@VM4: # grep charon /var/log/daemon.log
 +Jul  8 12:39:44 router charon[79963]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, FreeBSD 14.0-CURRENT, amd64)
 +Jul  8 12:39:44 router charon[79963]: 00[KNL] unable to set UDP_ENCAP: Invalid argument
 +Jul  8 12:39:44 router charon[79963]: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG]   loaded IKE secret for VM4 VM2
 +Jul  8 12:39:44 router charon[79963]: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation co
 +nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf
 +key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit
 +elist addrblock counters
 +Jul  8 12:39:44 router charon[79963]: 00[JOB] spawning 16 worker threads
 +Jul  8 12:39:45 router charon[79963]: 13[CFG] loaded IKE shared key with id 'ike-1' for: 'vm2'
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] added vici connection: net-net
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] installing 'net-net'
 </code> </code>
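Review bot: the log shows `loading secrets from '/usr/local/etc/ipsec.secrets'` and `loaded IKE secret for VM4 VM2`, i.e. the stroke plugin is still picking up the old ipsec.secrets file from the previous revision of this lab, in addition to the swanctl secret `ike-1` for `vm2` loaded a line below; since this revision drops the ipsec.conf/ipsec.secrets steps, add a step removing (or mention the presence of) the legacy files so readers do not end up with two PSK sources. The `unable to set UDP_ENCAP` and `UDP decapsulation for IPv6 on port 4500 failed` lines are worth one sentence saying they are harmless here, as no NAT traversal is involved between 10.0.23.2 and 10.0.34.4.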
  
Line 804: Line 866:
 00:46:56.918092 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: child_sa  inf2[I] 00:46:56.918092 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: child_sa  inf2[I]
 00:46:56.919263 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: child_sa  inf2[R] 00:46:56.919263 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: child_sa  inf2[R]
-</code> 
- 
-Log file on VM2: 
-<code> 
-[root@VM2]~# tail -f /var/log/auth.log 
-Jun  8 00:24:28 VM2 ipsec_starter[981]: no netkey IPsec stack detected 
-Jun  8 00:24:28 VM2 ipsec_starter[981]: no KLIPS IPsec stack detected 
-Jun  8 00:24:28 VM2 ipsec_starter[981]: no known IPsec stack detected, ignoring! 
-Jun  8 00:24:28 VM2 ipsec_starter[984]: charon (986) started after 20 ms 
-Jun  8 00:25:26 VM2 login: login on ttyu0 as root 
-Jun  8 00:25:26 VM2 login: ROOT LOGIN (root) ON ttyu0 
-Jun  8 00:34:53 VM2 charon: 12[IKE] initiating IKE_SA VM4[1] to 10.0.34.4 
-Jun  8 00:34:53 VM2 charon: 12[IKE] establishing CHILD_SA VM4 
-Jun  8 00:34:53 VM2 charon: 12[IKE] IKE_SA VM4[1] established between 10.0.23.2[VM2]...10.0.34.4[VM4] 
-Jun  8 00:34:53 VM2 charon: 12[IKE] CHILD_SA VM4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/24 === 10.0.45.0/24 
 </code> </code>
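Review bot: dropping the VM2 auth.log excerpt leaves the VM2 side with no log-based confirmation that the IKE_SA and CHILD_SA were established, while VM4 keeps a `grep charon /var/log/daemon.log` excerpt; a matching daemon.log excerpt for VM2 (showing the `IKE_SA ... established` and `CHILD_SA ... established with SPIs` lines from the new charon) would keep both routers verified the same way.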
  
documentation/examples/gre_ipsec_and_openvpn.txt · Last modified: 2023/07/10 12:40 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause