Project

General

Profile

Usable Examples configurations » History » Version 16

Noel Kuntze, 20.01.2017 21:32

1 1 Noel Kuntze
h1. Sane Example configurations
2 1 Noel Kuntze
3 1 Noel Kuntze
Preliminary obligatory notes:
4 1 Noel Kuntze
* These examples follow the [[SecurityRecommendations|Security Recommendations]]. Follow them. They are there
5 1 Noel Kuntze
  for a reason.
6 1 Noel Kuntze
* You can have several conn sections in your @ipsec.conf@ file
7 2 Noel Kuntze
* In scenarios where the remote peer authenticates itself with a client certificate,
8 4 Noel Kuntze
  charon requires all certificates that are in the trust path of the client's certificate
9 4 Noel Kuntze
  to be present, readable and valid for authentication
10 2 Noel Kuntze
  to be successful. charon implicitely trusts all CA certificates that it loads
11 1 Noel Kuntze
  via local files or that are loaded via the VICI API.
12 4 Noel Kuntze
* In scenarios where charon authenticates itself with a certificate, it needs to have
13 4 Noel Kuntze
  all certificates in the trust path. 
14 4 Noel Kuntze
* charon only reads the first certificate in a file.
15 1 Noel Kuntze
* Your responder (the proper word for "server" in ipsec talk) needs to identify
16 1 Noel Kuntze
  and authenticate itself to the initiator (the proper word for "client" in ipsec talk)
17 1 Noel Kuntze
  with the apropriate identity. If your initiator wants to talk to "foo.bar.com",
18 1 Noel Kuntze
  your responder needs to identify and authenticate itself as _foo.bar.com_.
19 1 Noel Kuntze
* Credentials are bound to identities. You can not successfully authenticate yourself
20 1 Noel Kuntze
  as the identitiy _foo.bar.com_ with a certificate if that certificate is not issued for that
21 1 Noel Kuntze
  identity. The identities that a certificate provide are its complete DN and the SAN fields.
22 1 Noel Kuntze
* The used cipher suite must be supported by both sides. Some implementations
23 3 Noel Kuntze
  only support weak crypto. Do not make concessions, unless necessary for interoperability.
24 1 Noel Kuntze
* XAUTH credentials are handled internally as EAP credentials. Both are valid for
25 1 Noel Kuntze
  XAUTH, EAP-GTC, EAP-MSCHAPv2 and whatever other cleartext or digest based
26 1 Noel Kuntze
  authentication might be implemented in the future.
27 1 Noel Kuntze
* The cipher settings are deliberately ordered by performance.
28 6 Noel Kuntze
  Faster, but secure ciphers appear in the beginning of the cipher list.
29 6 Noel Kuntze
  That should make charon choose faster, but secure ones first.  
30 14 Noel Kuntze
* Do not use 3DES, CAST, DES or MD5. They are broken.
31 1 Noel Kuntze
* The algorithm your certificate uses and they algorithm the key exchange uses
32 1 Noel Kuntze
  do not have anything to do with each other.
33 1 Noel Kuntze
* strongSwan does not implement L2TP.
34 16 Noel Kuntze
* Multiple pools can be used at the same time.
35 16 Noel Kuntze
* The [[IpsecPool|ipsec pools]] tool with the [[attrsql]] plugin can be used to assign different DNS and NBNS servers,
36 16 Noel Kuntze
  as well as different arbitrary attributes to remote peers.
37 1 Noel Kuntze
* Read the documentation and use "the search function":https://wiki.strongswan.org/projects/strongswan/search.
38 1 Noel Kuntze
39 10 Noel Kuntze
40 1 Noel Kuntze
h2. Roadwarrior scenario
41 10 Noel Kuntze
    
42 10 Noel Kuntze
h3. Responder
43 9 Noel Kuntze
44 1 Noel Kuntze
This is an example configuration that provides support for several clients
45 1 Noel Kuntze
with several authentication styles.
46 1 Noel Kuntze
47 1 Noel Kuntze
{{collapse(ipsec.conf)
48 1 Noel Kuntze
<pre>
49 1 Noel Kuntze
conn rw-base
50 1 Noel Kuntze
    # enables IKE fragmentation 
51 1 Noel Kuntze
    fragmentation=yes
52 1 Noel Kuntze
    dpdaction=clear
53 1 Noel Kuntze
    # dpdtimeout is not honored for ikev2. For IKEv2, every message is used
54 1 Noel Kuntze
    # to determine the timeout, so the generic timeout value for IKEv2 messages
55 1 Noel Kuntze
    # is used. 
56 1 Noel Kuntze
    dpdtimeout=90s
57 1 Noel Kuntze
    dpddelay=30s
58 1 Noel Kuntze
59 1 Noel Kuntze
# this is used in every conn in which the client is assigned a "virtual" IP or
60 1 Noel Kuntze
# one or several DNS servers    
61 1 Noel Kuntze
# the cipher suits require the openssl plugin.
62 1 Noel Kuntze
conn rw-config
63 1 Noel Kuntze
    also=rw-base
64 1 Noel Kuntze
    rightsourceip=172.16.252.0/24
65 1 Noel Kuntze
    # set this to a local DNS server that the clients can reach with their assigned IPs.
66 1 Noel Kuntze
    # Think about routing.
67 1 Noel Kuntze
    rightdns=
68 1 Noel Kuntze
    leftsubnet=0.0.0.0/0
69 1 Noel Kuntze
    leftid=whatevertheclientusestoconnect
70 1 Noel Kuntze
    leftcert=mycertificate.pem
71 1 Noel Kuntze
    # not possible with asymmetric authentication
72 1 Noel Kuntze
    reauth=no
73 1 Noel Kuntze
    rekey=no
74 1 Noel Kuntze
    # sane cipher suits
75 1 Noel Kuntze
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
76 1 Noel Kuntze
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
77 1 Noel Kuntze
    leftsendcert=always
78 1 Noel Kuntze
    rightca="C=This, O=Is, OU=My, CN=CA"
79 1 Noel Kuntze
    
80 1 Noel Kuntze
# this conn is set up for l2tp support where the user authentication is happening
81 1 Noel Kuntze
# in the l2tp control connection. With L2TP, clients are usually not assigned
82 1 Noel Kuntze
# a virtual IP in IKE.
83 1 Noel Kuntze
# Charon is not an l2tp server. You need to install xl2tp for that and configure it correctly.
84 1 Noel Kuntze
# mark=%unique requires the connmark plugin.
85 1 Noel Kuntze
conn ikev1-l2tp-chap-auth-in-xl2tpd
86 1 Noel Kuntze
    also=rw-base
87 1 Noel Kuntze
    # reduce to the most secure combination the client can support, if absolutely required.
88 1 Noel Kuntze
    ike=aes128-sha1-modp3072
89 1 Noel Kuntze
    esp=aes128-sha1-modp3073
90 1 Noel Kuntze
    leftsubnet=%dynamic[/1701]
91 11 Noel Kuntze
    rightsubnet=%dynamic
92 1 Noel Kuntze
    mark=%unique
93 1 Noel Kuntze
    leftauth=psk
94 1 Noel Kuntze
    rightauth=psk
95 1 Noel Kuntze
    type=transport
96 1 Noel Kuntze
    auto=add
97 1 Noel Kuntze
    
98 1 Noel Kuntze
# this conn is set up for l2tp support where the user authentication is happening
99 1 Noel Kuntze
# during the IKEv1 authentication. With L2TP, clients are usually not assigned
100 1 Noel Kuntze
# a virtual IP in IKE.
101 1 Noel Kuntze
# mark=%unique requires the connmark plugin.
102 1 Noel Kuntze
# this requires the xauth-generic plugin.
103 1 Noel Kuntze
conn ikev1-l2tp-xauth-in-ike
104 1 Noel Kuntze
    also=rw-base
105 1 Noel Kuntze
    # reduce to the most secure combination the client can support, if absolutely required.
106 1 Noel Kuntze
    ike=aes128-sha1-modp3072
107 1 Noel Kuntze
    esp=aes128-sha1-modp3073
108 1 Noel Kuntze
    leftsubnet=%dynamic[/1701]
109 11 Noel Kuntze
    rightsubnet=%dynamic
110 1 Noel Kuntze
    mark=%unique
111 1 Noel Kuntze
    leftauth=psk
112 1 Noel Kuntze
    rightauth=psk
113 1 Noel Kuntze
    rightauth2=xauth-generic
114 9 Noel Kuntze
    xauth=server
115 1 Noel Kuntze
    # not possible with asymmetric authentication
116 1 Noel Kuntze
    reauth=no
117 1 Noel Kuntze
    rekey=no
118 1 Noel Kuntze
    type=transport
119 1 Noel Kuntze
    auto=add
120 1 Noel Kuntze
    
121 1 Noel Kuntze
# this requires the xauth-generic plugin.
122 1 Noel Kuntze
conn ikev1-psk-xauth
123 1 Noel Kuntze
    also=rw-config
124 1 Noel Kuntze
    leftauth=psk
125 1 Noel Kuntze
    rightauth=psk
126 1 Noel Kuntze
    rightauth2=xauth-generic
127 9 Noel Kuntze
    xauth=server
128 1 Noel Kuntze
    auto=add
129 1 Noel Kuntze
130 1 Noel Kuntze
# leftauth and rightauth default to "pubkey", so no change necessary.
131 1 Noel Kuntze
conn ikev1-pubkey
132 1 Noel Kuntze
    also=rw-config
133 1 Noel Kuntze
    auto=add
134 1 Noel Kuntze
135 1 Noel Kuntze
# this requires the xauth-generic plugin.
136 1 Noel Kuntze
conn ikev1-pubkey-xauth
137 1 Noel Kuntze
    also=rw-config
138 1 Noel Kuntze
    rightauth2=xauth-generic
139 9 Noel Kuntze
    xauth=server
140 1 Noel Kuntze
    auto=add
141 1 Noel Kuntze
142 1 Noel Kuntze
# this requires the xauth-generic plugin.
143 1 Noel Kuntze
conn ikev1-hybrid
144 1 Noel Kuntze
    also=rw-config
145 1 Noel Kuntze
    rightauth=xauth-generic
146 9 Noel Kuntze
    xauth=server
147 1 Noel Kuntze
148 1 Noel Kuntze
conn ikev2-pubkey
149 1 Noel Kuntze
    also=rw-config
150 1 Noel Kuntze
    auto=add
151 1 Noel Kuntze
152 1 Noel Kuntze
# this requires the eap-tls plugin.
153 1 Noel Kuntze
conn ikev2-eap-tls
154 1 Noel Kuntze
    also=rw-base
155 1 Noel Kuntze
    rightauth=eap-tls
156 1 Noel Kuntze
    eap_identity=%identity
157 1 Noel Kuntze
    auto=add
158 1 Noel Kuntze
159 1 Noel Kuntze
# this requires the eap-mschapv2 plugin.
160 1 Noel Kuntze
conn ikev2-eap-mschapv2
161 1 Noel Kuntze
    also=rw-config
162 1 Noel Kuntze
    rightauth=eap-mschapv2
163 1 Noel Kuntze
    eap_identity=%identity
164 1 Noel Kuntze
    auto=add
165 1 Noel Kuntze
</pre>
166 1 Noel Kuntze
}}
167 1 Noel Kuntze
168 1 Noel Kuntze
{{collapse(ipsec.secrets)
169 1 Noel Kuntze
<pre>
170 1 Noel Kuntze
: PSK "foobarblah"
171 1 Noel Kuntze
: RSA myprivatekey.pem
172 1 Noel Kuntze
carol : EAP "carolspassword"
173 1 Noel Kuntze
</pre>
174 1 Noel Kuntze
}}
175 9 Noel Kuntze
176 10 Noel Kuntze
h3. Initiator
177 1 Noel Kuntze
178 10 Noel Kuntze
These configuration files provide valid and usable configurations as use
179 10 Noel Kuntze
as a roadwarrior client against arbitrary IKE responders that are configured correctly.
180 10 Noel Kuntze
*You need to replace the marked values with the correct values*
181 10 Noel Kuntze
Remove conns that you do not require for your scenario. Some values
182 10 Noel Kuntze
might need to be changed, depending on the brokeness of the responder.
183 10 Noel Kuntze
*Read the comments in the files and read _ipsec.conf_ as well as _ipsec.secrets_.*
184 10 Noel Kuntze
185 10 Noel Kuntze
The configurations shown here are not exclusive. There are a lot more possible.
186 10 Noel Kuntze
Check out the [[PluginList|plugin list]] and the "test scenarios":https://strongswan.org/uml/testresults5/
187 10 Noel Kuntze
to see how they can be configured, but beware, those are just test scenarios
188 10 Noel Kuntze
and the configurations there are not usable in production as a whole. They need
189 10 Noel Kuntze
to be combined with the examples here to produce usable scenarios.
190 10 Noel Kuntze
191 10 Noel Kuntze
{{collapse(ipsec.conf)
192 10 Noel Kuntze
<pre>
193 10 Noel Kuntze
194 10 Noel Kuntze
conn rw-base
195 10 Noel Kuntze
    dpdaction=restart
196 10 Noel Kuntze
    dpddelay=30
197 10 Noel Kuntze
    dpdtimeout=90
198 10 Noel Kuntze
    fragmentation=yes
199 10 Noel Kuntze
200 10 Noel Kuntze
conn vip-base
201 10 Noel Kuntze
    also=rw-base
202 10 Noel Kuntze
    leftsourceip=%config
203 10 Noel Kuntze
204 10 Noel Kuntze
conn ikev1-psk-xauth
205 10 Noel Kuntze
# uncomment if the responder only supports crappy crypto. But seriously,
206 10 Noel Kuntze
# every single one of those algorithms is broken. Better spend some $$$
207 10 Noel Kuntze
# on a better solution.
208 10 Noel Kuntze
# 
209 10 Noel Kuntze
#   ike=3des-md5-modp1024!
210 10 Noel Kuntze
#   esp=3des-md5!
211 10 Noel Kuntze
# Use this, if you want PFS with DH group 2.
212 10 Noel Kuntze
#   esp=3des-md5-modp1024!
213 10 Noel Kuntze
    also=vip-base
214 10 Noel Kuntze
    keyexchange=ikev1
215 10 Noel Kuntze
    leftauth=psk
216 10 Noel Kuntze
    leftauth2=xauth
217 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
218 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
219 10 Noel Kuntze
#   rightid=foobar
220 10 Noel Kuntze
    rightauth=psk
221 10 Noel Kuntze
# this tunnels all the traffic. You might maybe want to also define a passthrough policy
222 10 Noel Kuntze
# for the local LAN traffic (or use the bypass-lan plugin when it's gone into the master branch)
223 10 Noel Kuntze
# Choose a smaller subnet, if required.
224 10 Noel Kuntze
# this config supports CISCO UNITY. 
225 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
226 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
227 10 Noel Kuntze
    auto=add
228 10 Noel Kuntze
    
229 12 Noel Kuntze
# aggressive mode is incredibly insecure.
230 12 Noel Kuntze
conn ikev1-psk-xauth-aggressive
231 12 Noel Kuntze
    aggressive=yes
232 10 Noel Kuntze
    also=ikev1-psk-xauth
233 10 Noel Kuntze
    auto=add
234 10 Noel Kuntze
235 10 Noel Kuntze
conn ikev1-rsa-xauth
236 10 Noel Kuntze
    also=vip-base
237 10 Noel Kuntze
    keyexchange=ikev1
238 10 Noel Kuntze
    leftauth=pubkey
239 10 Noel Kuntze
    leftauth2=xauth-generic
240 10 Noel Kuntze
    leftcert=thisithepathtomycertificate.pem
241 10 Noel Kuntze
    xauth_identity=thisismyusername
242 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
243 10 Noel Kuntze
# You might require this if the responder sends a wrong ID.
244 10 Noel Kuntze
#   rightid=somethingsomething
245 10 Noel Kuntze
    rightauth=pubkey
246 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
247 10 Noel Kuntze
# responder's certificate or just the certificate.
248 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
249 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
250 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
251 10 Noel Kuntze
# if you've only got the responder's certificate
252 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
253 10 Noel Kuntze
    auto=add
254 10 Noel Kuntze
255 10 Noel Kuntze
256 10 Noel Kuntze
conn ikev1-l2tp
257 10 Noel Kuntze
    also=rw-base
258 10 Noel Kuntze
    keyexchange=ikev1
259 1 Noel Kuntze
    type=transport
260 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
261 11 Noel Kuntze
    rightsubnet=%dynamic[/1701]
262 10 Noel Kuntze
    leftauth=psk
263 10 Noel Kuntze
    rightauth=psk
264 10 Noel Kuntze
    
265 10 Noel Kuntze
    
266 12 Noel Kuntze
# if your responder uses aggressive mode, add
267 12 Noel Kuntze
# aggressive=yes in the conn
268 10 Noel Kuntze
# user authentication happens in IKE using xauth
269 10 Noel Kuntze
conn ikev1-l2tp-ipsec-userauth-in-ike
270 10 Noel Kuntze
    also=ikev1-l2tp
271 10 Noel Kuntze
    leftauth2=xauth-generic
272 10 Noel Kuntze
    auto=add
273 10 Noel Kuntze
274 12 Noel Kuntze
# if your responder uses aggressive mode, add
275 12 Noel Kuntze
# aggressive=yes in the conn
276 10 Noel Kuntze
# user authentication happens in L2TP
277 10 Noel Kuntze
conn ikev1-l2tp-ipsec-userauth-in-l2tp
278 10 Noel Kuntze
    also=ikev1-l2tp
279 10 Noel Kuntze
    auto=add
280 10 Noel Kuntze
281 10 Noel Kuntze
282 10 Noel Kuntze
# Authentication with EAP-MSCHAPv2 is asymmetric. The responder
283 10 Noel Kuntze
# has to authenticate itself against the initiator with an X.509 certificate.
284 10 Noel Kuntze
conn ikev2-eap-mschapv2
285 10 Noel Kuntze
    also=vip-base
286 10 Noel Kuntze
    keyexchange=ikev2
287 10 Noel Kuntze
    leftauth=eap-mschapv2
288 10 Noel Kuntze
    rightauth=pubkey
289 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
290 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
291 10 Noel Kuntze
# responder's certificate or just the certificate.
292 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
293 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
294 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
295 10 Noel Kuntze
# if you've only got the responder's certificate
296 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
297 10 Noel Kuntze
298 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
299 10 Noel Kuntze
#   rightid=foobar
300 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
301 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
302 10 Noel Kuntze
    auto=add
303 10 Noel Kuntze
304 10 Noel Kuntze
# asymmetric authentication using eap-tls and pubkey auth
305 10 Noel Kuntze
conn ikev2-eap-tls-asymmetric
306 10 Noel Kuntze
    also=vip-base
307 10 Noel Kuntze
    keyexchange=ikev2
308 10 Noel Kuntze
    leftcert=mycert
309 10 Noel Kuntze
    leftauth=eap-tls
310 10 Noel Kuntze
    rightauth=pubkey
311 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
312 10 Noel Kuntze
# responder's certificate or just the certificate.
313 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
314 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
315 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
316 10 Noel Kuntze
# if you've only got the responder's certificate
317 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
318 10 Noel Kuntze
319 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
320 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
321 10 Noel Kuntze
#   rightid=foobar
322 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
323 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
324 10 Noel Kuntze
    auto=add
325 10 Noel Kuntze
326 10 Noel Kuntze
327 10 Noel Kuntze
# symmetric authentication using just eap-tls
328 10 Noel Kuntze
conn ikev2-eap-tls-symmetric
329 10 Noel Kuntze
    also=vip-base
330 10 Noel Kuntze
    keyexchange=ikev2
331 10 Noel Kuntze
    leftcert=mycert
332 10 Noel Kuntze
    leftauth=eap-tls
333 10 Noel Kuntze
    rightauth=eap-tls
334 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
335 10 Noel Kuntze
# responder's certificate or just the certificate.
336 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
337 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
338 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
339 10 Noel Kuntze
# if you've only got the responder's certificate
340 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
341 10 Noel Kuntze
342 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
343 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
344 10 Noel Kuntze
#   rightid=foobar
345 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
346 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
347 10 Noel Kuntze
    auto=add
348 10 Noel Kuntze
349 10 Noel Kuntze
</pre>
350 10 Noel Kuntze
}}
351 10 Noel Kuntze
352 10 Noel Kuntze
{{collapse(ipsec.secrets)
353 10 Noel Kuntze
<pre>
354 10 Noel Kuntze
RespondersIPorFQDNGoesHere : PSK "thisisthesharedpassword"
355 10 Noel Kuntze
thisismyusername : EAP "thisismypassword"
356 10 Noel Kuntze
: RSA myprivatekey
357 10 Noel Kuntze
</pre>
358 10 Noel Kuntze
}}
359 10 Noel Kuntze
360 10 Noel Kuntze
361 10 Noel Kuntze
362 1 Noel Kuntze
h2. Site-To-Site-Scenario
363 1 Noel Kuntze
364 1 Noel Kuntze
{{collapse(ipsec.conf)
365 1 Noel Kuntze
<pre>
366 1 Noel Kuntze
conn sts-base
367 1 Noel Kuntze
    fragmentation=yes
368 1 Noel Kuntze
    dpdaction=restart
369 1 Noel Kuntze
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
370 1 Noel Kuntze
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
371 1 Noel Kuntze
    keyingtries=%forever
372 1 Noel Kuntze
    leftcert=foobar.pem
373 1 Noel Kuntze
374 1 Noel Kuntze
# this conn is set up for a host with a static IP
375 1 Noel Kuntze
conn site-1-static-ip
376 1 Noel Kuntze
    also=sts-base
377 1 Noel Kuntze
    keyexchange=ikev2
378 1 Noel Kuntze
    leftsubnet=10.1.2.0/24,10.1.1.0/24
379 1 Noel Kuntze
    rightsubnet=10.1.3.0/24
380 1 Noel Kuntze
    right=1.2.3.4
381 1 Noel Kuntze
    rightcert=1.2.3.4.pem
382 1 Noel Kuntze
    auto=route
383 1 Noel Kuntze
384 1 Noel Kuntze
# this conn is set up for a host with a dynamic IP
385 1 Noel Kuntze
conn site-2-dynamic-ip
386 1 Noel Kuntze
    also=sts-base
387 1 Noel Kuntze
    keyexchange=ikev2
388 1 Noel Kuntze
    leftsubnet=10.1.2.0/24,10.1.1.0/24
389 1 Noel Kuntze
    rightsubnet=10.1.4.0/24
390 1 Noel Kuntze
    # for this to work, DNS must be usable and working.
391 1 Noel Kuntze
    right=%example.com
392 1 Noel Kuntze
    rightcert=example.com.pem
393 1 Noel Kuntze
    auto=route
394 1 Noel Kuntze
395 1 Noel Kuntze
# this conn is set up for IKEv1 compatibility. It shows how to define several subnets
396 1 Noel Kuntze
# with IKEv1. site-3-legacy-1 and site-3-legacy-2 keep the data for the CHILD_SA.
397 1 Noel Kuntze
# The same can be accomplished with implicit merging by specifying the same IKE_SA
398 1 Noel Kuntze
# configuration in two different conns. This set up is cleaner, though.
399 1 Noel Kuntze
# If you put "auto=route" into the "site-3-legacy-base conn", charon will route the
400 1 Noel Kuntze
# conn with the ts being the local IP that is used to communicate with the remote
401 1 Noel Kuntze
# peer and the remote's peer. If such a CHILD_SA is not configured on the peer, ICMP
402 1 Noel Kuntze
# error messages from the remote peer to the local peer will not be able to be transmitted.
403 1 Noel Kuntze
# So don't do that, unless your remote peer is configured for that.
404 1 Noel Kuntze
# This is an IKEv1 connection with PSK authentication. That means, that you need to know
405 1 Noel Kuntze
# the other side's IP.
406 1 Noel Kuntze
conn site-3-legacy-base
407 1 Noel Kuntze
    also=sts-base
408 1 Noel Kuntze
    keyexchange=ikev1
409 1 Noel Kuntze
    # IKE and ESP cipher settings are reconfigured, because in IKEv1 every 
410 1 Noel Kuntze
    # single cipher suite needs to be enumerated.
411 1 Noel Kuntze
    # It is not possible to define all supported ciphers in one suite.
412 1 Noel Kuntze
    # select apropriate and strong ciphers for your scenario.
413 1 Noel Kuntze
    ike=aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
414 1 Noel Kuntze
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
415 1 Noel Kuntze
    rightsubnet=10.1.5.0/24
416 1 Noel Kuntze
    # for this to work, DNS must be usable and working.
417 1 Noel Kuntze
    right=example.com
418 1 Noel Kuntze
    leftauth=psk
419 1 Noel Kuntze
    rightauth=psk
420 1 Noel Kuntze
421 1 Noel Kuntze
conn site-3-legacy-1
422 1 Noel Kuntze
    leftsubnet=10.1.1.0/24
423 1 Noel Kuntze
    also=site-3-legacy-base
424 1 Noel Kuntze
    auto=route
425 1 Noel Kuntze
426 1 Noel Kuntze
conn site-3-legacy-2
427 1 Noel Kuntze
    leftsubnet=10.1.2.0/24
428 1 Noel Kuntze
    also=site-3-legacy-base
429 1 Noel Kuntze
    auto=route
430 1 Noel Kuntze
</pre>
431 1 Noel Kuntze
}}
432 1 Noel Kuntze
433 1 Noel Kuntze
{{collapse(ipsec.secrets)
434 1 Noel Kuntze
<pre>
435 1 Noel Kuntze
: RSA foobar.key
436 15 Noel Kuntze
remote.com : PSK "example"
437 5 Noel Kuntze
</pre>
438 5 Noel Kuntze
}}
439 1 Noel Kuntze
440 10 Noel Kuntze
h2. Passthrough policy
441 5 Noel Kuntze
442 5 Noel Kuntze
{{collapse(ipsec.conf)
443 5 Noel Kuntze
<pre>
444 5 Noel Kuntze
conn passthrough-1
445 5 Noel Kuntze
    # makes sure those conns are excluded from every conn selection
446 5 Noel Kuntze
    left=127.0.0.1
447 5 Noel Kuntze
    right=127.0.0.1
448 5 Noel Kuntze
    # Those are just example values. Replace them with the apropriate ones!
449 5 Noel Kuntze
    leftsubnet=10.0.0.0/8
450 5 Noel Kuntze
    rightsubnet=10.0.0.0/8
451 5 Noel Kuntze
    # those two lines are critical.
452 5 Noel Kuntze
    type=passthrough
453 5 Noel Kuntze
    auto=route
454 5 Noel Kuntze
</pre>
455 1 Noel Kuntze
}}
456 7 Noel Kuntze
457 13 Noel Kuntze
h2. Host-To-Host transport mode
458 7 Noel Kuntze
459 7 Noel Kuntze
Based on "the trap-any test scenario":https://www.strongswan.org/testing/testresults/ikev2/trap-any/.
460 7 Noel Kuntze
461 7 Noel Kuntze
The hosts involved are in the 192.168.1.0/24 subnet.
462 8 Noel Kuntze
The notes from Tobias' comment in issue #196 apply:
463 8 Noel Kuntze
> The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
464 8 Noel Kuntze
> 
465 8 Noel Kuntze
> Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).
466 7 Noel Kuntze
467 7 Noel Kuntze
{{collapse(ipsec.conf)
468 7 Noel Kuntze
<pre>conn host-to-host
469 7 Noel Kuntze
	ikelifetime=60m
470 7 Noel Kuntze
	keylife=20m
471 7 Noel Kuntze
	rekeymargin=3m
472 7 Noel Kuntze
	keyingtries=1
473 7 Noel Kuntze
474 7 Noel Kuntze
conn trap-any
475 7 Noel Kuntze
    also=host-to-host
476 7 Noel Kuntze
	right=%any
477 7 Noel Kuntze
	leftsubnet=192.168.1.0/24
478 7 Noel Kuntze
	rightsubnet=192.168.1.0/24
479 7 Noel Kuntze
	type=transport
480 7 Noel Kuntze
	authby=psk
481 7 Noel Kuntze
	auto=route
482 7 Noel Kuntze
</pre>
483 7 Noel Kuntze
}}