Project

General

Profile

Usable Examples configurations » History » Version 20

Noel Kuntze, 09.03.2017 16:56
Edit.

1 20 Noel Kuntze
h1. Usable Examples configurations
2 1 Noel Kuntze
3 1 Noel Kuntze
Preliminary obligatory notes:
4 1 Noel Kuntze
* These examples follow the [[SecurityRecommendations|Security Recommendations]]. Follow them. They are there
5 1 Noel Kuntze
  for a reason.
6 1 Noel Kuntze
* You can have several conn sections in your @ipsec.conf@ file
7 2 Noel Kuntze
* In scenarios where the remote peer authenticates itself with a client certificate,
8 4 Noel Kuntze
  charon requires all certificates that are in the trust path of the client's certificate
9 4 Noel Kuntze
  to be present, readable and valid for authentication
10 2 Noel Kuntze
  to be successful. charon implicitely trusts all CA certificates that it loads
11 1 Noel Kuntze
  via local files or that are loaded via the VICI API.
12 4 Noel Kuntze
* In scenarios where charon authenticates itself with a certificate, it needs to have
13 4 Noel Kuntze
  all certificates in the trust path. 
14 4 Noel Kuntze
* charon only reads the first certificate in a file.
15 1 Noel Kuntze
* Your responder (the proper word for "server" in ipsec talk) needs to identify
16 1 Noel Kuntze
  and authenticate itself to the initiator (the proper word for "client" in ipsec talk)
17 1 Noel Kuntze
  with the apropriate identity. If your initiator wants to talk to "foo.bar.com",
18 1 Noel Kuntze
  your responder needs to identify and authenticate itself as _foo.bar.com_.
19 1 Noel Kuntze
* Credentials are bound to identities. You can not successfully authenticate yourself
20 1 Noel Kuntze
  as the identitiy _foo.bar.com_ with a certificate if that certificate is not issued for that
21 1 Noel Kuntze
  identity. The identities that a certificate provide are its complete DN and the SAN fields.
22 1 Noel Kuntze
* The used cipher suite must be supported by both sides. Some implementations
23 3 Noel Kuntze
  only support weak crypto. Do not make concessions, unless necessary for interoperability.
24 1 Noel Kuntze
* XAUTH credentials are handled internally as EAP credentials. Both are valid for
25 1 Noel Kuntze
  XAUTH, EAP-GTC, EAP-MSCHAPv2 and whatever other cleartext or digest based
26 1 Noel Kuntze
  authentication might be implemented in the future.
27 1 Noel Kuntze
* The cipher settings are deliberately ordered by performance.
28 6 Noel Kuntze
  Faster, but secure ciphers appear in the beginning of the cipher list.
29 6 Noel Kuntze
  That should make charon choose faster, but secure ones first.  
30 14 Noel Kuntze
* Do not use 3DES, CAST, DES or MD5. They are broken.
31 1 Noel Kuntze
* The algorithm your certificate uses and they algorithm the key exchange uses
32 1 Noel Kuntze
  do not have anything to do with each other.
33 1 Noel Kuntze
* strongSwan does not implement L2TP.
34 16 Noel Kuntze
* Multiple pools can be used at the same time.
35 16 Noel Kuntze
* The [[IpsecPool|ipsec pools]] tool with the [[attrsql]] plugin can be used to assign different DNS and NBNS servers,
36 16 Noel Kuntze
  as well as different arbitrary attributes to remote peers.
37 1 Noel Kuntze
* Read the documentation and use "the search function":https://wiki.strongswan.org/projects/strongswan/search.
38 1 Noel Kuntze
39 10 Noel Kuntze
40 1 Noel Kuntze
h2. Roadwarrior scenario
41 17 Noel Kuntze
42 10 Noel Kuntze
h3. Responder
43 9 Noel Kuntze
44 1 Noel Kuntze
This is an example configuration that provides support for several clients
45 1 Noel Kuntze
with several authentication styles.
46 1 Noel Kuntze
47 1 Noel Kuntze
{{collapse(ipsec.conf)
48 1 Noel Kuntze
<pre>
49 1 Noel Kuntze
conn rw-base
50 1 Noel Kuntze
    # enables IKE fragmentation 
51 1 Noel Kuntze
    fragmentation=yes
52 1 Noel Kuntze
    dpdaction=clear
53 1 Noel Kuntze
    # dpdtimeout is not honored for ikev2. For IKEv2, every message is used
54 1 Noel Kuntze
    # to determine the timeout, so the generic timeout value for IKEv2 messages
55 1 Noel Kuntze
    # is used. 
56 1 Noel Kuntze
    dpdtimeout=90s
57 1 Noel Kuntze
    dpddelay=30s
58 1 Noel Kuntze
59 1 Noel Kuntze
# this is used in every conn in which the client is assigned a "virtual" IP or
60 1 Noel Kuntze
# one or several DNS servers    
61 1 Noel Kuntze
# the cipher suits require the openssl plugin.
62 1 Noel Kuntze
conn rw-config
63 1 Noel Kuntze
    also=rw-base
64 1 Noel Kuntze
    rightsourceip=172.16.252.0/24
65 1 Noel Kuntze
    # set this to a local DNS server that the clients can reach with their assigned IPs.
66 1 Noel Kuntze
    # Think about routing.
67 1 Noel Kuntze
    rightdns=
68 1 Noel Kuntze
    leftsubnet=0.0.0.0/0
69 1 Noel Kuntze
    leftid=whatevertheclientusestoconnect
70 1 Noel Kuntze
    leftcert=mycertificate.pem
71 1 Noel Kuntze
    # not possible with asymmetric authentication
72 1 Noel Kuntze
    reauth=no
73 1 Noel Kuntze
    rekey=no
74 20 Noel Kuntze
    # secure cipher suits
75 1 Noel Kuntze
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
76 1 Noel Kuntze
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
77 1 Noel Kuntze
    leftsendcert=always
78 1 Noel Kuntze
    rightca="C=This, O=Is, OU=My, CN=CA"
79 1 Noel Kuntze
    
80 1 Noel Kuntze
# this conn is set up for l2tp support where the user authentication is happening
81 1 Noel Kuntze
# in the l2tp control connection. With L2TP, clients are usually not assigned
82 1 Noel Kuntze
# a virtual IP in IKE.
83 1 Noel Kuntze
# Charon is not an l2tp server. You need to install xl2tp for that and configure it correctly.
84 1 Noel Kuntze
# mark=%unique requires the connmark plugin.
85 1 Noel Kuntze
conn ikev1-l2tp-chap-auth-in-xl2tpd
86 1 Noel Kuntze
    also=rw-base
87 1 Noel Kuntze
    # reduce to the most secure combination the client can support, if absolutely required.
88 1 Noel Kuntze
    ike=aes128-sha1-modp3072
89 17 Noel Kuntze
    esp=aes128-sha1-modp3072
90 1 Noel Kuntze
    leftsubnet=%dynamic[/1701]
91 11 Noel Kuntze
    rightsubnet=%dynamic
92 1 Noel Kuntze
    mark=%unique
93 1 Noel Kuntze
    leftauth=psk
94 1 Noel Kuntze
    rightauth=psk
95 1 Noel Kuntze
    type=transport
96 1 Noel Kuntze
    auto=add
97 1 Noel Kuntze
    
98 1 Noel Kuntze
# this conn is set up for l2tp support where the user authentication is happening
99 1 Noel Kuntze
# during the IKEv1 authentication. With L2TP, clients are usually not assigned
100 1 Noel Kuntze
# a virtual IP in IKE.
101 1 Noel Kuntze
# mark=%unique requires the connmark plugin.
102 1 Noel Kuntze
# this requires the xauth-generic plugin.
103 1 Noel Kuntze
conn ikev1-l2tp-xauth-in-ike
104 1 Noel Kuntze
    also=rw-base
105 1 Noel Kuntze
    # reduce to the most secure combination the client can support, if absolutely required.
106 1 Noel Kuntze
    ike=aes128-sha1-modp3072
107 17 Noel Kuntze
    esp=aes128-sha1-modp3072
108 1 Noel Kuntze
    leftsubnet=%dynamic[/1701]
109 11 Noel Kuntze
    rightsubnet=%dynamic
110 1 Noel Kuntze
    mark=%unique
111 1 Noel Kuntze
    leftauth=psk
112 1 Noel Kuntze
    rightauth=psk
113 1 Noel Kuntze
    rightauth2=xauth-generic
114 9 Noel Kuntze
    xauth=server
115 1 Noel Kuntze
    # not possible with asymmetric authentication
116 1 Noel Kuntze
    reauth=no
117 1 Noel Kuntze
    rekey=no
118 1 Noel Kuntze
    type=transport
119 1 Noel Kuntze
    auto=add
120 1 Noel Kuntze
    
121 1 Noel Kuntze
# this requires the xauth-generic plugin.
122 1 Noel Kuntze
conn ikev1-psk-xauth
123 1 Noel Kuntze
    also=rw-config
124 1 Noel Kuntze
    leftauth=psk
125 1 Noel Kuntze
    rightauth=psk
126 1 Noel Kuntze
    rightauth2=xauth-generic
127 9 Noel Kuntze
    xauth=server
128 1 Noel Kuntze
    auto=add
129 1 Noel Kuntze
130 1 Noel Kuntze
# leftauth and rightauth default to "pubkey", so no change necessary.
131 1 Noel Kuntze
conn ikev1-pubkey
132 1 Noel Kuntze
    also=rw-config
133 1 Noel Kuntze
    auto=add
134 1 Noel Kuntze
135 1 Noel Kuntze
# this requires the xauth-generic plugin.
136 1 Noel Kuntze
conn ikev1-pubkey-xauth
137 1 Noel Kuntze
    also=rw-config
138 1 Noel Kuntze
    rightauth2=xauth-generic
139 9 Noel Kuntze
    xauth=server
140 1 Noel Kuntze
    auto=add
141 1 Noel Kuntze
142 1 Noel Kuntze
# this requires the xauth-generic plugin.
143 1 Noel Kuntze
conn ikev1-hybrid
144 1 Noel Kuntze
    also=rw-config
145 1 Noel Kuntze
    rightauth=xauth-generic
146 9 Noel Kuntze
    xauth=server
147 1 Noel Kuntze
148 1 Noel Kuntze
conn ikev2-pubkey
149 1 Noel Kuntze
    also=rw-config
150 1 Noel Kuntze
    auto=add
151 1 Noel Kuntze
152 1 Noel Kuntze
# this requires the eap-tls plugin.
153 1 Noel Kuntze
conn ikev2-eap-tls
154 1 Noel Kuntze
    also=rw-base
155 1 Noel Kuntze
    rightauth=eap-tls
156 1 Noel Kuntze
    eap_identity=%identity
157 1 Noel Kuntze
    auto=add
158 1 Noel Kuntze
159 1 Noel Kuntze
# this requires the eap-mschapv2 plugin.
160 1 Noel Kuntze
conn ikev2-eap-mschapv2
161 1 Noel Kuntze
    also=rw-config
162 1 Noel Kuntze
    rightauth=eap-mschapv2
163 1 Noel Kuntze
    eap_identity=%identity
164 1 Noel Kuntze
    auto=add
165 18 Noel Kuntze
# IF you need to support several EAP methods at the same time, you need to use eap-dynamic
166 18 Noel Kuntze
# and not use any other conn with eap settings. Add the settings for the eap-dynamic plugin to your strongswan.conf file.
167 18 Noel Kuntze
168 18 Noel Kuntze
conn ikev2-eap
169 18 Noel Kuntze
    also=rw-config
170 18 Noel Kuntze
    rightauth=eap-dynamic
171 18 Noel Kuntze
    eap_identity=%identity
172 18 Noel Kuntze
    auto=add
173 1 Noel Kuntze
</pre>
174 1 Noel Kuntze
}}
175 1 Noel Kuntze
176 18 Noel Kuntze
{{collapse(strongswan.conf)
177 18 Noel Kuntze
charon {
178 18 Noel Kuntze
179 18 Noel Kuntze
    plugins {
180 18 Noel Kuntze
        eap_dynamic {
181 18 Noel Kuntze
            preferred = eap-mschapv2, eap-tls
182 18 Noel Kuntze
        }
183 18 Noel Kuntze
    }
184 18 Noel Kuntze
}
185 18 Noel Kuntze
}}
186 1 Noel Kuntze
{{collapse(ipsec.secrets)
187 1 Noel Kuntze
<pre>
188 1 Noel Kuntze
: PSK "foobarblah"
189 1 Noel Kuntze
: RSA myprivatekey.pem
190 1 Noel Kuntze
carol : EAP "carolspassword"
191 1 Noel Kuntze
</pre>
192 1 Noel Kuntze
}}
193 9 Noel Kuntze
194 10 Noel Kuntze
h3. Initiator
195 1 Noel Kuntze
196 10 Noel Kuntze
These configuration files provide valid and usable configurations as use
197 10 Noel Kuntze
as a roadwarrior client against arbitrary IKE responders that are configured correctly.
198 10 Noel Kuntze
*You need to replace the marked values with the correct values*
199 10 Noel Kuntze
Remove conns that you do not require for your scenario. Some values
200 10 Noel Kuntze
might need to be changed, depending on the brokeness of the responder.
201 10 Noel Kuntze
*Read the comments in the files and read _ipsec.conf_ as well as _ipsec.secrets_.*
202 10 Noel Kuntze
203 10 Noel Kuntze
The configurations shown here are not exclusive. There are a lot more possible.
204 10 Noel Kuntze
Check out the [[PluginList|plugin list]] and the "test scenarios":https://strongswan.org/uml/testresults5/
205 10 Noel Kuntze
to see how they can be configured, but beware, those are just test scenarios
206 10 Noel Kuntze
and the configurations there are not usable in production as a whole. They need
207 10 Noel Kuntze
to be combined with the examples here to produce usable scenarios.
208 10 Noel Kuntze
209 10 Noel Kuntze
{{collapse(ipsec.conf)
210 10 Noel Kuntze
<pre>
211 10 Noel Kuntze
212 10 Noel Kuntze
conn rw-base
213 10 Noel Kuntze
    dpdaction=restart
214 10 Noel Kuntze
    dpddelay=30
215 10 Noel Kuntze
    dpdtimeout=90
216 10 Noel Kuntze
    fragmentation=yes
217 10 Noel Kuntze
218 10 Noel Kuntze
conn vip-base
219 10 Noel Kuntze
    also=rw-base
220 10 Noel Kuntze
    leftsourceip=%config
221 10 Noel Kuntze
222 10 Noel Kuntze
conn ikev1-psk-xauth
223 10 Noel Kuntze
# uncomment if the responder only supports crappy crypto. But seriously,
224 10 Noel Kuntze
# every single one of those algorithms is broken. Better spend some $$$
225 10 Noel Kuntze
# on a better solution.
226 10 Noel Kuntze
# 
227 10 Noel Kuntze
#   ike=3des-md5-modp1024!
228 10 Noel Kuntze
#   esp=3des-md5!
229 10 Noel Kuntze
# Use this, if you want PFS with DH group 2.
230 10 Noel Kuntze
#   esp=3des-md5-modp1024!
231 10 Noel Kuntze
    also=vip-base
232 10 Noel Kuntze
    keyexchange=ikev1
233 10 Noel Kuntze
    leftauth=psk
234 10 Noel Kuntze
    leftauth2=xauth
235 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
236 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
237 10 Noel Kuntze
#   rightid=foobar
238 10 Noel Kuntze
    rightauth=psk
239 10 Noel Kuntze
# this tunnels all the traffic. You might maybe want to also define a passthrough policy
240 10 Noel Kuntze
# for the local LAN traffic (or use the bypass-lan plugin when it's gone into the master branch)
241 10 Noel Kuntze
# Choose a smaller subnet, if required.
242 10 Noel Kuntze
# this config supports CISCO UNITY. 
243 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
244 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
245 10 Noel Kuntze
    auto=add
246 10 Noel Kuntze
    
247 12 Noel Kuntze
# aggressive mode is incredibly insecure.
248 12 Noel Kuntze
conn ikev1-psk-xauth-aggressive
249 12 Noel Kuntze
    aggressive=yes
250 10 Noel Kuntze
    also=ikev1-psk-xauth
251 10 Noel Kuntze
    auto=add
252 10 Noel Kuntze
253 10 Noel Kuntze
conn ikev1-rsa-xauth
254 10 Noel Kuntze
    also=vip-base
255 10 Noel Kuntze
    keyexchange=ikev1
256 10 Noel Kuntze
    leftauth=pubkey
257 10 Noel Kuntze
    leftauth2=xauth-generic
258 10 Noel Kuntze
    leftcert=thisithepathtomycertificate.pem
259 10 Noel Kuntze
    xauth_identity=thisismyusername
260 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
261 10 Noel Kuntze
# You might require this if the responder sends a wrong ID.
262 10 Noel Kuntze
#   rightid=somethingsomething
263 10 Noel Kuntze
    rightauth=pubkey
264 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
265 10 Noel Kuntze
# responder's certificate or just the certificate.
266 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
267 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
268 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
269 10 Noel Kuntze
# if you've only got the responder's certificate
270 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
271 10 Noel Kuntze
    auto=add
272 10 Noel Kuntze
273 10 Noel Kuntze
274 10 Noel Kuntze
conn ikev1-l2tp
275 10 Noel Kuntze
    also=rw-base
276 10 Noel Kuntze
    keyexchange=ikev1
277 1 Noel Kuntze
    type=transport
278 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
279 11 Noel Kuntze
    rightsubnet=%dynamic[/1701]
280 10 Noel Kuntze
    leftauth=psk
281 10 Noel Kuntze
    rightauth=psk
282 10 Noel Kuntze
    
283 10 Noel Kuntze
    
284 12 Noel Kuntze
# if your responder uses aggressive mode, add
285 12 Noel Kuntze
# aggressive=yes in the conn
286 10 Noel Kuntze
# user authentication happens in IKE using xauth
287 10 Noel Kuntze
conn ikev1-l2tp-ipsec-userauth-in-ike
288 10 Noel Kuntze
    also=ikev1-l2tp
289 10 Noel Kuntze
    leftauth2=xauth-generic
290 10 Noel Kuntze
    auto=add
291 10 Noel Kuntze
292 12 Noel Kuntze
# if your responder uses aggressive mode, add
293 12 Noel Kuntze
# aggressive=yes in the conn
294 10 Noel Kuntze
# user authentication happens in L2TP
295 10 Noel Kuntze
conn ikev1-l2tp-ipsec-userauth-in-l2tp
296 10 Noel Kuntze
    also=ikev1-l2tp
297 10 Noel Kuntze
    auto=add
298 10 Noel Kuntze
299 10 Noel Kuntze
300 10 Noel Kuntze
# Authentication with EAP-MSCHAPv2 is asymmetric. The responder
301 10 Noel Kuntze
# has to authenticate itself against the initiator with an X.509 certificate.
302 10 Noel Kuntze
conn ikev2-eap-mschapv2
303 10 Noel Kuntze
    also=vip-base
304 10 Noel Kuntze
    keyexchange=ikev2
305 10 Noel Kuntze
    leftauth=eap-mschapv2
306 10 Noel Kuntze
    rightauth=pubkey
307 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
308 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
309 10 Noel Kuntze
# responder's certificate or just the certificate.
310 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
311 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
312 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
313 10 Noel Kuntze
# if you've only got the responder's certificate
314 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
315 10 Noel Kuntze
316 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
317 10 Noel Kuntze
#   rightid=foobar
318 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
319 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
320 10 Noel Kuntze
    auto=add
321 10 Noel Kuntze
322 10 Noel Kuntze
# asymmetric authentication using eap-tls and pubkey auth
323 10 Noel Kuntze
conn ikev2-eap-tls-asymmetric
324 10 Noel Kuntze
    also=vip-base
325 10 Noel Kuntze
    keyexchange=ikev2
326 10 Noel Kuntze
    leftcert=mycert
327 10 Noel Kuntze
    leftauth=eap-tls
328 10 Noel Kuntze
    rightauth=pubkey
329 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
330 10 Noel Kuntze
# responder's certificate or just the certificate.
331 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
332 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
333 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
334 10 Noel Kuntze
# if you've only got the responder's certificate
335 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
336 10 Noel Kuntze
337 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
338 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
339 10 Noel Kuntze
#   rightid=foobar
340 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
341 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
342 10 Noel Kuntze
    auto=add
343 10 Noel Kuntze
344 10 Noel Kuntze
345 10 Noel Kuntze
# symmetric authentication using just eap-tls
346 10 Noel Kuntze
conn ikev2-eap-tls-symmetric
347 10 Noel Kuntze
    also=vip-base
348 10 Noel Kuntze
    keyexchange=ikev2
349 10 Noel Kuntze
    leftcert=mycert
350 10 Noel Kuntze
    leftauth=eap-tls
351 10 Noel Kuntze
    rightauth=eap-tls
352 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
353 10 Noel Kuntze
# responder's certificate or just the certificate.
354 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
355 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
356 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
357 10 Noel Kuntze
# if you've only got the responder's certificate
358 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
359 10 Noel Kuntze
360 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
361 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
362 10 Noel Kuntze
#   rightid=foobar
363 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
364 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
365 10 Noel Kuntze
    auto=add
366 10 Noel Kuntze
367 10 Noel Kuntze
</pre>
368 10 Noel Kuntze
}}
369 10 Noel Kuntze
370 10 Noel Kuntze
{{collapse(ipsec.secrets)
371 10 Noel Kuntze
<pre>
372 10 Noel Kuntze
RespondersIPorFQDNGoesHere : PSK "thisisthesharedpassword"
373 10 Noel Kuntze
thisismyusername : EAP "thisismypassword"
374 10 Noel Kuntze
: RSA myprivatekey
375 10 Noel Kuntze
</pre>
376 10 Noel Kuntze
}}
377 10 Noel Kuntze
378 10 Noel Kuntze
379 10 Noel Kuntze
380 1 Noel Kuntze
h2. Site-To-Site-Scenario
381 1 Noel Kuntze
382 1 Noel Kuntze
{{collapse(ipsec.conf)
383 1 Noel Kuntze
<pre>
384 1 Noel Kuntze
conn sts-base
385 1 Noel Kuntze
    fragmentation=yes
386 1 Noel Kuntze
    dpdaction=restart
387 1 Noel Kuntze
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
388 1 Noel Kuntze
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
389 1 Noel Kuntze
    keyingtries=%forever
390 1 Noel Kuntze
    leftcert=foobar.pem
391 1 Noel Kuntze
392 19 Noel Kuntze
# this conn is set up for a remote host with a static IP
393 1 Noel Kuntze
conn site-1-static-ip
394 1 Noel Kuntze
    also=sts-base
395 1 Noel Kuntze
    keyexchange=ikev2
396 1 Noel Kuntze
    leftsubnet=10.1.2.0/24,10.1.1.0/24
397 1 Noel Kuntze
    rightsubnet=10.1.3.0/24
398 1 Noel Kuntze
    right=1.2.3.4
399 1 Noel Kuntze
    rightcert=1.2.3.4.pem
400 1 Noel Kuntze
    auto=route
401 1 Noel Kuntze
402 19 Noel Kuntze
# this conn is set up for a remote host with a dynamic IP
403 1 Noel Kuntze
conn site-2-dynamic-ip
404 1 Noel Kuntze
    also=sts-base
405 1 Noel Kuntze
    keyexchange=ikev2
406 1 Noel Kuntze
    leftsubnet=10.1.2.0/24,10.1.1.0/24
407 1 Noel Kuntze
    rightsubnet=10.1.4.0/24
408 1 Noel Kuntze
    # for this to work, DNS must be usable and working.
409 1 Noel Kuntze
    right=%example.com
410 1 Noel Kuntze
    rightcert=example.com.pem
411 1 Noel Kuntze
    auto=route
412 1 Noel Kuntze
413 1 Noel Kuntze
# this conn is set up for IKEv1 compatibility. It shows how to define several subnets
414 1 Noel Kuntze
# with IKEv1. site-3-legacy-1 and site-3-legacy-2 keep the data for the CHILD_SA.
415 1 Noel Kuntze
# The same can be accomplished with implicit merging by specifying the same IKE_SA
416 1 Noel Kuntze
# configuration in two different conns. This set up is cleaner, though.
417 1 Noel Kuntze
# If you put "auto=route" into the "site-3-legacy-base conn", charon will route the
418 1 Noel Kuntze
# conn with the ts being the local IP that is used to communicate with the remote
419 1 Noel Kuntze
# peer and the remote's peer. If such a CHILD_SA is not configured on the peer, ICMP
420 1 Noel Kuntze
# error messages from the remote peer to the local peer will not be able to be transmitted.
421 1 Noel Kuntze
# So don't do that, unless your remote peer is configured for that.
422 1 Noel Kuntze
# This is an IKEv1 connection with PSK authentication. That means, that you need to know
423 1 Noel Kuntze
# the other side's IP.
424 1 Noel Kuntze
conn site-3-legacy-base
425 1 Noel Kuntze
    also=sts-base
426 1 Noel Kuntze
    keyexchange=ikev1
427 1 Noel Kuntze
    # IKE and ESP cipher settings are reconfigured, because in IKEv1 every 
428 1 Noel Kuntze
    # single cipher suite needs to be enumerated.
429 1 Noel Kuntze
    # It is not possible to define all supported ciphers in one suite.
430 1 Noel Kuntze
    # select apropriate and strong ciphers for your scenario.
431 1 Noel Kuntze
    ike=aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
432 1 Noel Kuntze
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
433 1 Noel Kuntze
    rightsubnet=10.1.5.0/24
434 1 Noel Kuntze
    # for this to work, DNS must be usable and working.
435 1 Noel Kuntze
    right=example.com
436 1 Noel Kuntze
    leftauth=psk
437 1 Noel Kuntze
    rightauth=psk
438 1 Noel Kuntze
439 1 Noel Kuntze
conn site-3-legacy-1
440 1 Noel Kuntze
    leftsubnet=10.1.1.0/24
441 1 Noel Kuntze
    also=site-3-legacy-base
442 1 Noel Kuntze
    auto=route
443 1 Noel Kuntze
444 1 Noel Kuntze
conn site-3-legacy-2
445 1 Noel Kuntze
    leftsubnet=10.1.2.0/24
446 1 Noel Kuntze
    also=site-3-legacy-base
447 1 Noel Kuntze
    auto=route
448 1 Noel Kuntze
</pre>
449 1 Noel Kuntze
}}
450 1 Noel Kuntze
451 1 Noel Kuntze
{{collapse(ipsec.secrets)
452 1 Noel Kuntze
<pre>
453 1 Noel Kuntze
: RSA foobar.key
454 15 Noel Kuntze
remote.com : PSK "example"
455 5 Noel Kuntze
</pre>
456 5 Noel Kuntze
}}
457 1 Noel Kuntze
458 10 Noel Kuntze
h2. Passthrough policy
459 5 Noel Kuntze
460 5 Noel Kuntze
{{collapse(ipsec.conf)
461 5 Noel Kuntze
<pre>
462 5 Noel Kuntze
conn passthrough-1
463 5 Noel Kuntze
    # makes sure those conns are excluded from every conn selection
464 5 Noel Kuntze
    left=127.0.0.1
465 5 Noel Kuntze
    right=127.0.0.1
466 5 Noel Kuntze
    # Those are just example values. Replace them with the apropriate ones!
467 5 Noel Kuntze
    leftsubnet=10.0.0.0/8
468 5 Noel Kuntze
    rightsubnet=10.0.0.0/8
469 5 Noel Kuntze
    # those two lines are critical.
470 5 Noel Kuntze
    type=passthrough
471 5 Noel Kuntze
    auto=route
472 5 Noel Kuntze
</pre>
473 1 Noel Kuntze
}}
474 7 Noel Kuntze
475 13 Noel Kuntze
h2. Host-To-Host transport mode
476 7 Noel Kuntze
477 7 Noel Kuntze
Based on "the trap-any test scenario":https://www.strongswan.org/testing/testresults/ikev2/trap-any/.
478 7 Noel Kuntze
479 7 Noel Kuntze
The hosts involved are in the 192.168.1.0/24 subnet.
480 8 Noel Kuntze
The notes from Tobias' comment in issue #196 apply:
481 8 Noel Kuntze
> The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
482 8 Noel Kuntze
> 
483 8 Noel Kuntze
> Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).
484 7 Noel Kuntze
485 7 Noel Kuntze
{{collapse(ipsec.conf)
486 7 Noel Kuntze
<pre>conn host-to-host
487 7 Noel Kuntze
	ikelifetime=60m
488 7 Noel Kuntze
	keylife=20m
489 7 Noel Kuntze
	rekeymargin=3m
490 7 Noel Kuntze
	keyingtries=1
491 7 Noel Kuntze
492 7 Noel Kuntze
conn trap-any
493 7 Noel Kuntze
    also=host-to-host
494 7 Noel Kuntze
	right=%any
495 7 Noel Kuntze
	leftsubnet=192.168.1.0/24
496 7 Noel Kuntze
	rightsubnet=192.168.1.0/24
497 7 Noel Kuntze
	type=transport
498 7 Noel Kuntze
	authby=psk
499 7 Noel Kuntze
	auto=route
500 7 Noel Kuntze
</pre>
501 7 Noel Kuntze
}}