Project

General

Profile

Usable Examples configurations » History » Version 21

Noel Kuntze, 10.03.2017 23:06
Fix formatting of "strongswan.conf" in Roadwarrior example configuration for Responder

1 20 Noel Kuntze
h1. Usable Examples configurations
2 1 Noel Kuntze
3 1 Noel Kuntze
Preliminary obligatory notes:
4 1 Noel Kuntze
* These examples follow the [[SecurityRecommendations|Security Recommendations]]. Follow them. They are there
5 1 Noel Kuntze
  for a reason.
6 1 Noel Kuntze
* You can have several conn sections in your @ipsec.conf@ file
7 2 Noel Kuntze
* In scenarios where the remote peer authenticates itself with a client certificate,
8 4 Noel Kuntze
  charon requires all certificates that are in the trust path of the client's certificate
9 4 Noel Kuntze
  to be present, readable and valid for authentication
10 2 Noel Kuntze
  to be successful. charon implicitely trusts all CA certificates that it loads
11 1 Noel Kuntze
  via local files or that are loaded via the VICI API.
12 4 Noel Kuntze
* In scenarios where charon authenticates itself with a certificate, it needs to have
13 4 Noel Kuntze
  all certificates in the trust path. 
14 4 Noel Kuntze
* charon only reads the first certificate in a file.
15 1 Noel Kuntze
* Your responder (the proper word for "server" in ipsec talk) needs to identify
16 1 Noel Kuntze
  and authenticate itself to the initiator (the proper word for "client" in ipsec talk)
17 1 Noel Kuntze
  with the apropriate identity. If your initiator wants to talk to "foo.bar.com",
18 1 Noel Kuntze
  your responder needs to identify and authenticate itself as _foo.bar.com_.
19 1 Noel Kuntze
* Credentials are bound to identities. You can not successfully authenticate yourself
20 1 Noel Kuntze
  as the identitiy _foo.bar.com_ with a certificate if that certificate is not issued for that
21 1 Noel Kuntze
  identity. The identities that a certificate provide are its complete DN and the SAN fields.
22 1 Noel Kuntze
* The used cipher suite must be supported by both sides. Some implementations
23 3 Noel Kuntze
  only support weak crypto. Do not make concessions, unless necessary for interoperability.
24 1 Noel Kuntze
* XAUTH credentials are handled internally as EAP credentials. Both are valid for
25 1 Noel Kuntze
  XAUTH, EAP-GTC, EAP-MSCHAPv2 and whatever other cleartext or digest based
26 1 Noel Kuntze
  authentication might be implemented in the future.
27 1 Noel Kuntze
* The cipher settings are deliberately ordered by performance.
28 6 Noel Kuntze
  Faster, but secure ciphers appear in the beginning of the cipher list.
29 6 Noel Kuntze
  That should make charon choose faster, but secure ones first.  
30 14 Noel Kuntze
* Do not use 3DES, CAST, DES or MD5. They are broken.
31 1 Noel Kuntze
* The algorithm your certificate uses and they algorithm the key exchange uses
32 1 Noel Kuntze
  do not have anything to do with each other.
33 1 Noel Kuntze
* strongSwan does not implement L2TP.
34 16 Noel Kuntze
* Multiple pools can be used at the same time.
35 16 Noel Kuntze
* The [[IpsecPool|ipsec pools]] tool with the [[attrsql]] plugin can be used to assign different DNS and NBNS servers,
36 16 Noel Kuntze
  as well as different arbitrary attributes to remote peers.
37 1 Noel Kuntze
* Read the documentation and use "the search function":https://wiki.strongswan.org/projects/strongswan/search.
38 1 Noel Kuntze
39 10 Noel Kuntze
40 1 Noel Kuntze
h2. Roadwarrior scenario
41 17 Noel Kuntze
42 10 Noel Kuntze
h3. Responder
43 9 Noel Kuntze
44 1 Noel Kuntze
This is an example configuration that provides support for several clients
45 1 Noel Kuntze
with several authentication styles.
46 1 Noel Kuntze
47 1 Noel Kuntze
{{collapse(ipsec.conf)
48 1 Noel Kuntze
<pre>
49 1 Noel Kuntze
conn rw-base
50 1 Noel Kuntze
    # enables IKE fragmentation 
51 1 Noel Kuntze
    fragmentation=yes
52 1 Noel Kuntze
    dpdaction=clear
53 1 Noel Kuntze
    # dpdtimeout is not honored for ikev2. For IKEv2, every message is used
54 1 Noel Kuntze
    # to determine the timeout, so the generic timeout value for IKEv2 messages
55 1 Noel Kuntze
    # is used. 
56 1 Noel Kuntze
    dpdtimeout=90s
57 1 Noel Kuntze
    dpddelay=30s
58 1 Noel Kuntze
59 1 Noel Kuntze
# this is used in every conn in which the client is assigned a "virtual" IP or
60 1 Noel Kuntze
# one or several DNS servers    
61 1 Noel Kuntze
# the cipher suits require the openssl plugin.
62 1 Noel Kuntze
conn rw-config
63 1 Noel Kuntze
    also=rw-base
64 1 Noel Kuntze
    rightsourceip=172.16.252.0/24
65 1 Noel Kuntze
    # set this to a local DNS server that the clients can reach with their assigned IPs.
66 1 Noel Kuntze
    # Think about routing.
67 1 Noel Kuntze
    rightdns=
68 1 Noel Kuntze
    leftsubnet=0.0.0.0/0
69 1 Noel Kuntze
    leftid=whatevertheclientusestoconnect
70 1 Noel Kuntze
    leftcert=mycertificate.pem
71 1 Noel Kuntze
    # not possible with asymmetric authentication
72 1 Noel Kuntze
    reauth=no
73 1 Noel Kuntze
    rekey=no
74 20 Noel Kuntze
    # secure cipher suits
75 1 Noel Kuntze
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
76 1 Noel Kuntze
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
77 1 Noel Kuntze
    leftsendcert=always
78 1 Noel Kuntze
    rightca="C=This, O=Is, OU=My, CN=CA"
79 1 Noel Kuntze
    
80 1 Noel Kuntze
# this conn is set up for l2tp support where the user authentication is happening
81 1 Noel Kuntze
# in the l2tp control connection. With L2TP, clients are usually not assigned
82 1 Noel Kuntze
# a virtual IP in IKE.
83 1 Noel Kuntze
# Charon is not an l2tp server. You need to install xl2tp for that and configure it correctly.
84 1 Noel Kuntze
# mark=%unique requires the connmark plugin.
85 1 Noel Kuntze
conn ikev1-l2tp-chap-auth-in-xl2tpd
86 1 Noel Kuntze
    also=rw-base
87 1 Noel Kuntze
    # reduce to the most secure combination the client can support, if absolutely required.
88 1 Noel Kuntze
    ike=aes128-sha1-modp3072
89 17 Noel Kuntze
    esp=aes128-sha1-modp3072
90 1 Noel Kuntze
    leftsubnet=%dynamic[/1701]
91 11 Noel Kuntze
    rightsubnet=%dynamic
92 1 Noel Kuntze
    mark=%unique
93 1 Noel Kuntze
    leftauth=psk
94 1 Noel Kuntze
    rightauth=psk
95 1 Noel Kuntze
    type=transport
96 1 Noel Kuntze
    auto=add
97 1 Noel Kuntze
    
98 1 Noel Kuntze
# this conn is set up for l2tp support where the user authentication is happening
99 1 Noel Kuntze
# during the IKEv1 authentication. With L2TP, clients are usually not assigned
100 1 Noel Kuntze
# a virtual IP in IKE.
101 1 Noel Kuntze
# mark=%unique requires the connmark plugin.
102 1 Noel Kuntze
# this requires the xauth-generic plugin.
103 1 Noel Kuntze
conn ikev1-l2tp-xauth-in-ike
104 1 Noel Kuntze
    also=rw-base
105 1 Noel Kuntze
    # reduce to the most secure combination the client can support, if absolutely required.
106 1 Noel Kuntze
    ike=aes128-sha1-modp3072
107 17 Noel Kuntze
    esp=aes128-sha1-modp3072
108 1 Noel Kuntze
    leftsubnet=%dynamic[/1701]
109 11 Noel Kuntze
    rightsubnet=%dynamic
110 1 Noel Kuntze
    mark=%unique
111 1 Noel Kuntze
    leftauth=psk
112 1 Noel Kuntze
    rightauth=psk
113 1 Noel Kuntze
    rightauth2=xauth-generic
114 9 Noel Kuntze
    xauth=server
115 1 Noel Kuntze
    # not possible with asymmetric authentication
116 1 Noel Kuntze
    reauth=no
117 1 Noel Kuntze
    rekey=no
118 1 Noel Kuntze
    type=transport
119 1 Noel Kuntze
    auto=add
120 1 Noel Kuntze
    
121 1 Noel Kuntze
# this requires the xauth-generic plugin.
122 1 Noel Kuntze
conn ikev1-psk-xauth
123 1 Noel Kuntze
    also=rw-config
124 1 Noel Kuntze
    leftauth=psk
125 1 Noel Kuntze
    rightauth=psk
126 1 Noel Kuntze
    rightauth2=xauth-generic
127 9 Noel Kuntze
    xauth=server
128 1 Noel Kuntze
    auto=add
129 1 Noel Kuntze
130 1 Noel Kuntze
# leftauth and rightauth default to "pubkey", so no change necessary.
131 1 Noel Kuntze
conn ikev1-pubkey
132 1 Noel Kuntze
    also=rw-config
133 1 Noel Kuntze
    auto=add
134 1 Noel Kuntze
135 1 Noel Kuntze
# this requires the xauth-generic plugin.
136 1 Noel Kuntze
conn ikev1-pubkey-xauth
137 1 Noel Kuntze
    also=rw-config
138 1 Noel Kuntze
    rightauth2=xauth-generic
139 9 Noel Kuntze
    xauth=server
140 1 Noel Kuntze
    auto=add
141 1 Noel Kuntze
142 1 Noel Kuntze
# this requires the xauth-generic plugin.
143 1 Noel Kuntze
conn ikev1-hybrid
144 1 Noel Kuntze
    also=rw-config
145 1 Noel Kuntze
    rightauth=xauth-generic
146 9 Noel Kuntze
    xauth=server
147 1 Noel Kuntze
148 1 Noel Kuntze
conn ikev2-pubkey
149 1 Noel Kuntze
    also=rw-config
150 1 Noel Kuntze
    auto=add
151 1 Noel Kuntze
152 1 Noel Kuntze
# this requires the eap-tls plugin.
153 1 Noel Kuntze
conn ikev2-eap-tls
154 1 Noel Kuntze
    also=rw-base
155 1 Noel Kuntze
    rightauth=eap-tls
156 1 Noel Kuntze
    eap_identity=%identity
157 1 Noel Kuntze
    auto=add
158 1 Noel Kuntze
159 1 Noel Kuntze
# this requires the eap-mschapv2 plugin.
160 1 Noel Kuntze
conn ikev2-eap-mschapv2
161 1 Noel Kuntze
    also=rw-config
162 1 Noel Kuntze
    rightauth=eap-mschapv2
163 1 Noel Kuntze
    eap_identity=%identity
164 1 Noel Kuntze
    auto=add
165 18 Noel Kuntze
# IF you need to support several EAP methods at the same time, you need to use eap-dynamic
166 18 Noel Kuntze
# and not use any other conn with eap settings. Add the settings for the eap-dynamic plugin to your strongswan.conf file.
167 18 Noel Kuntze
168 18 Noel Kuntze
conn ikev2-eap
169 18 Noel Kuntze
    also=rw-config
170 18 Noel Kuntze
    rightauth=eap-dynamic
171 18 Noel Kuntze
    eap_identity=%identity
172 18 Noel Kuntze
    auto=add
173 1 Noel Kuntze
</pre>
174 1 Noel Kuntze
}}
175 1 Noel Kuntze
176 18 Noel Kuntze
{{collapse(strongswan.conf)
177 21 Noel Kuntze
<pre>
178 18 Noel Kuntze
charon {
179 18 Noel Kuntze
180 18 Noel Kuntze
    plugins {
181 18 Noel Kuntze
        eap_dynamic {
182 18 Noel Kuntze
            preferred = eap-mschapv2, eap-tls
183 18 Noel Kuntze
        }
184 18 Noel Kuntze
    }
185 18 Noel Kuntze
}
186 21 Noel Kuntze
</pre>
187 18 Noel Kuntze
}}
188 1 Noel Kuntze
{{collapse(ipsec.secrets)
189 1 Noel Kuntze
<pre>
190 1 Noel Kuntze
: PSK "foobarblah"
191 1 Noel Kuntze
: RSA myprivatekey.pem
192 1 Noel Kuntze
carol : EAP "carolspassword"
193 1 Noel Kuntze
</pre>
194 1 Noel Kuntze
}}
195 9 Noel Kuntze
196 10 Noel Kuntze
h3. Initiator
197 1 Noel Kuntze
198 10 Noel Kuntze
These configuration files provide valid and usable configurations as use
199 10 Noel Kuntze
as a roadwarrior client against arbitrary IKE responders that are configured correctly.
200 10 Noel Kuntze
*You need to replace the marked values with the correct values*
201 10 Noel Kuntze
Remove conns that you do not require for your scenario. Some values
202 10 Noel Kuntze
might need to be changed, depending on the brokeness of the responder.
203 10 Noel Kuntze
*Read the comments in the files and read _ipsec.conf_ as well as _ipsec.secrets_.*
204 10 Noel Kuntze
205 10 Noel Kuntze
The configurations shown here are not exclusive. There are a lot more possible.
206 10 Noel Kuntze
Check out the [[PluginList|plugin list]] and the "test scenarios":https://strongswan.org/uml/testresults5/
207 10 Noel Kuntze
to see how they can be configured, but beware, those are just test scenarios
208 10 Noel Kuntze
and the configurations there are not usable in production as a whole. They need
209 10 Noel Kuntze
to be combined with the examples here to produce usable scenarios.
210 10 Noel Kuntze
211 10 Noel Kuntze
{{collapse(ipsec.conf)
212 10 Noel Kuntze
<pre>
213 10 Noel Kuntze
214 10 Noel Kuntze
conn rw-base
215 10 Noel Kuntze
    dpdaction=restart
216 10 Noel Kuntze
    dpddelay=30
217 10 Noel Kuntze
    dpdtimeout=90
218 10 Noel Kuntze
    fragmentation=yes
219 10 Noel Kuntze
220 10 Noel Kuntze
conn vip-base
221 10 Noel Kuntze
    also=rw-base
222 10 Noel Kuntze
    leftsourceip=%config
223 10 Noel Kuntze
224 10 Noel Kuntze
conn ikev1-psk-xauth
225 10 Noel Kuntze
# uncomment if the responder only supports crappy crypto. But seriously,
226 10 Noel Kuntze
# every single one of those algorithms is broken. Better spend some $$$
227 10 Noel Kuntze
# on a better solution.
228 10 Noel Kuntze
# 
229 10 Noel Kuntze
#   ike=3des-md5-modp1024!
230 10 Noel Kuntze
#   esp=3des-md5!
231 10 Noel Kuntze
# Use this, if you want PFS with DH group 2.
232 10 Noel Kuntze
#   esp=3des-md5-modp1024!
233 10 Noel Kuntze
    also=vip-base
234 10 Noel Kuntze
    keyexchange=ikev1
235 10 Noel Kuntze
    leftauth=psk
236 10 Noel Kuntze
    leftauth2=xauth
237 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
238 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
239 10 Noel Kuntze
#   rightid=foobar
240 10 Noel Kuntze
    rightauth=psk
241 10 Noel Kuntze
# this tunnels all the traffic. You might maybe want to also define a passthrough policy
242 10 Noel Kuntze
# for the local LAN traffic (or use the bypass-lan plugin when it's gone into the master branch)
243 10 Noel Kuntze
# Choose a smaller subnet, if required.
244 10 Noel Kuntze
# this config supports CISCO UNITY. 
245 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
246 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
247 10 Noel Kuntze
    auto=add
248 10 Noel Kuntze
    
249 12 Noel Kuntze
# aggressive mode is incredibly insecure.
250 12 Noel Kuntze
conn ikev1-psk-xauth-aggressive
251 12 Noel Kuntze
    aggressive=yes
252 10 Noel Kuntze
    also=ikev1-psk-xauth
253 10 Noel Kuntze
    auto=add
254 10 Noel Kuntze
255 10 Noel Kuntze
conn ikev1-rsa-xauth
256 10 Noel Kuntze
    also=vip-base
257 10 Noel Kuntze
    keyexchange=ikev1
258 10 Noel Kuntze
    leftauth=pubkey
259 10 Noel Kuntze
    leftauth2=xauth-generic
260 10 Noel Kuntze
    leftcert=thisithepathtomycertificate.pem
261 10 Noel Kuntze
    xauth_identity=thisismyusername
262 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
263 10 Noel Kuntze
# You might require this if the responder sends a wrong ID.
264 10 Noel Kuntze
#   rightid=somethingsomething
265 10 Noel Kuntze
    rightauth=pubkey
266 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
267 10 Noel Kuntze
# responder's certificate or just the certificate.
268 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
269 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
270 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
271 10 Noel Kuntze
# if you've only got the responder's certificate
272 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
273 10 Noel Kuntze
    auto=add
274 10 Noel Kuntze
275 10 Noel Kuntze
276 10 Noel Kuntze
conn ikev1-l2tp
277 10 Noel Kuntze
    also=rw-base
278 10 Noel Kuntze
    keyexchange=ikev1
279 1 Noel Kuntze
    type=transport
280 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
281 11 Noel Kuntze
    rightsubnet=%dynamic[/1701]
282 10 Noel Kuntze
    leftauth=psk
283 10 Noel Kuntze
    rightauth=psk
284 10 Noel Kuntze
    
285 10 Noel Kuntze
    
286 12 Noel Kuntze
# if your responder uses aggressive mode, add
287 12 Noel Kuntze
# aggressive=yes in the conn
288 10 Noel Kuntze
# user authentication happens in IKE using xauth
289 10 Noel Kuntze
conn ikev1-l2tp-ipsec-userauth-in-ike
290 10 Noel Kuntze
    also=ikev1-l2tp
291 10 Noel Kuntze
    leftauth2=xauth-generic
292 10 Noel Kuntze
    auto=add
293 10 Noel Kuntze
294 12 Noel Kuntze
# if your responder uses aggressive mode, add
295 12 Noel Kuntze
# aggressive=yes in the conn
296 10 Noel Kuntze
# user authentication happens in L2TP
297 10 Noel Kuntze
conn ikev1-l2tp-ipsec-userauth-in-l2tp
298 10 Noel Kuntze
    also=ikev1-l2tp
299 10 Noel Kuntze
    auto=add
300 10 Noel Kuntze
301 10 Noel Kuntze
302 10 Noel Kuntze
# Authentication with EAP-MSCHAPv2 is asymmetric. The responder
303 10 Noel Kuntze
# has to authenticate itself against the initiator with an X.509 certificate.
304 10 Noel Kuntze
conn ikev2-eap-mschapv2
305 10 Noel Kuntze
    also=vip-base
306 10 Noel Kuntze
    keyexchange=ikev2
307 10 Noel Kuntze
    leftauth=eap-mschapv2
308 10 Noel Kuntze
    rightauth=pubkey
309 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
310 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
311 10 Noel Kuntze
# responder's certificate or just the certificate.
312 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
313 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
314 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
315 10 Noel Kuntze
# if you've only got the responder's certificate
316 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
317 10 Noel Kuntze
318 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
319 10 Noel Kuntze
#   rightid=foobar
320 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
321 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
322 10 Noel Kuntze
    auto=add
323 10 Noel Kuntze
324 10 Noel Kuntze
# asymmetric authentication using eap-tls and pubkey auth
325 10 Noel Kuntze
conn ikev2-eap-tls-asymmetric
326 10 Noel Kuntze
    also=vip-base
327 10 Noel Kuntze
    keyexchange=ikev2
328 10 Noel Kuntze
    leftcert=mycert
329 10 Noel Kuntze
    leftauth=eap-tls
330 10 Noel Kuntze
    rightauth=pubkey
331 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
332 10 Noel Kuntze
# responder's certificate or just the certificate.
333 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
334 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
335 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
336 10 Noel Kuntze
# if you've only got the responder's certificate
337 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
338 10 Noel Kuntze
339 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
340 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
341 10 Noel Kuntze
#   rightid=foobar
342 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
343 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
344 10 Noel Kuntze
    auto=add
345 10 Noel Kuntze
346 10 Noel Kuntze
347 10 Noel Kuntze
# symmetric authentication using just eap-tls
348 10 Noel Kuntze
conn ikev2-eap-tls-symmetric
349 10 Noel Kuntze
    also=vip-base
350 10 Noel Kuntze
    keyexchange=ikev2
351 10 Noel Kuntze
    leftcert=mycert
352 10 Noel Kuntze
    leftauth=eap-tls
353 10 Noel Kuntze
    rightauth=eap-tls
354 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
355 10 Noel Kuntze
# responder's certificate or just the certificate.
356 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
357 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
358 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
359 10 Noel Kuntze
# if you've only got the responder's certificate
360 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
361 10 Noel Kuntze
362 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
363 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
364 10 Noel Kuntze
#   rightid=foobar
365 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
366 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
367 10 Noel Kuntze
    auto=add
368 10 Noel Kuntze
369 10 Noel Kuntze
</pre>
370 10 Noel Kuntze
}}
371 10 Noel Kuntze
372 10 Noel Kuntze
{{collapse(ipsec.secrets)
373 10 Noel Kuntze
<pre>
374 10 Noel Kuntze
RespondersIPorFQDNGoesHere : PSK "thisisthesharedpassword"
375 10 Noel Kuntze
thisismyusername : EAP "thisismypassword"
376 10 Noel Kuntze
: RSA myprivatekey
377 10 Noel Kuntze
</pre>
378 10 Noel Kuntze
}}
379 10 Noel Kuntze
380 10 Noel Kuntze
381 10 Noel Kuntze
382 1 Noel Kuntze
h2. Site-To-Site-Scenario
383 1 Noel Kuntze
384 1 Noel Kuntze
{{collapse(ipsec.conf)
385 1 Noel Kuntze
<pre>
386 1 Noel Kuntze
conn sts-base
387 1 Noel Kuntze
    fragmentation=yes
388 1 Noel Kuntze
    dpdaction=restart
389 1 Noel Kuntze
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
390 1 Noel Kuntze
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
391 1 Noel Kuntze
    keyingtries=%forever
392 1 Noel Kuntze
    leftcert=foobar.pem
393 1 Noel Kuntze
394 19 Noel Kuntze
# this conn is set up for a remote host with a static IP
395 1 Noel Kuntze
conn site-1-static-ip
396 1 Noel Kuntze
    also=sts-base
397 1 Noel Kuntze
    keyexchange=ikev2
398 1 Noel Kuntze
    leftsubnet=10.1.2.0/24,10.1.1.0/24
399 1 Noel Kuntze
    rightsubnet=10.1.3.0/24
400 1 Noel Kuntze
    right=1.2.3.4
401 1 Noel Kuntze
    rightcert=1.2.3.4.pem
402 1 Noel Kuntze
    auto=route
403 1 Noel Kuntze
404 19 Noel Kuntze
# this conn is set up for a remote host with a dynamic IP
405 1 Noel Kuntze
conn site-2-dynamic-ip
406 1 Noel Kuntze
    also=sts-base
407 1 Noel Kuntze
    keyexchange=ikev2
408 1 Noel Kuntze
    leftsubnet=10.1.2.0/24,10.1.1.0/24
409 1 Noel Kuntze
    rightsubnet=10.1.4.0/24
410 1 Noel Kuntze
    # for this to work, DNS must be usable and working.
411 1 Noel Kuntze
    right=%example.com
412 1 Noel Kuntze
    rightcert=example.com.pem
413 1 Noel Kuntze
    auto=route
414 1 Noel Kuntze
415 1 Noel Kuntze
# this conn is set up for IKEv1 compatibility. It shows how to define several subnets
416 1 Noel Kuntze
# with IKEv1. site-3-legacy-1 and site-3-legacy-2 keep the data for the CHILD_SA.
417 1 Noel Kuntze
# The same can be accomplished with implicit merging by specifying the same IKE_SA
418 1 Noel Kuntze
# configuration in two different conns. This set up is cleaner, though.
419 1 Noel Kuntze
# If you put "auto=route" into the "site-3-legacy-base conn", charon will route the
420 1 Noel Kuntze
# conn with the ts being the local IP that is used to communicate with the remote
421 1 Noel Kuntze
# peer and the remote's peer. If such a CHILD_SA is not configured on the peer, ICMP
422 1 Noel Kuntze
# error messages from the remote peer to the local peer will not be able to be transmitted.
423 1 Noel Kuntze
# So don't do that, unless your remote peer is configured for that.
424 1 Noel Kuntze
# This is an IKEv1 connection with PSK authentication. That means, that you need to know
425 1 Noel Kuntze
# the other side's IP.
426 1 Noel Kuntze
conn site-3-legacy-base
427 1 Noel Kuntze
    also=sts-base
428 1 Noel Kuntze
    keyexchange=ikev1
429 1 Noel Kuntze
    # IKE and ESP cipher settings are reconfigured, because in IKEv1 every 
430 1 Noel Kuntze
    # single cipher suite needs to be enumerated.
431 1 Noel Kuntze
    # It is not possible to define all supported ciphers in one suite.
432 1 Noel Kuntze
    # select apropriate and strong ciphers for your scenario.
433 1 Noel Kuntze
    ike=aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
434 1 Noel Kuntze
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
435 1 Noel Kuntze
    rightsubnet=10.1.5.0/24
436 1 Noel Kuntze
    # for this to work, DNS must be usable and working.
437 1 Noel Kuntze
    right=example.com
438 1 Noel Kuntze
    leftauth=psk
439 1 Noel Kuntze
    rightauth=psk
440 1 Noel Kuntze
441 1 Noel Kuntze
conn site-3-legacy-1
442 1 Noel Kuntze
    leftsubnet=10.1.1.0/24
443 1 Noel Kuntze
    also=site-3-legacy-base
444 1 Noel Kuntze
    auto=route
445 1 Noel Kuntze
446 1 Noel Kuntze
conn site-3-legacy-2
447 1 Noel Kuntze
    leftsubnet=10.1.2.0/24
448 1 Noel Kuntze
    also=site-3-legacy-base
449 1 Noel Kuntze
    auto=route
450 1 Noel Kuntze
</pre>
451 1 Noel Kuntze
}}
452 1 Noel Kuntze
453 1 Noel Kuntze
{{collapse(ipsec.secrets)
454 1 Noel Kuntze
<pre>
455 1 Noel Kuntze
: RSA foobar.key
456 15 Noel Kuntze
remote.com : PSK "example"
457 5 Noel Kuntze
</pre>
458 5 Noel Kuntze
}}
459 1 Noel Kuntze
460 10 Noel Kuntze
h2. Passthrough policy
461 5 Noel Kuntze
462 5 Noel Kuntze
{{collapse(ipsec.conf)
463 5 Noel Kuntze
<pre>
464 5 Noel Kuntze
conn passthrough-1
465 5 Noel Kuntze
    # makes sure those conns are excluded from every conn selection
466 5 Noel Kuntze
    left=127.0.0.1
467 5 Noel Kuntze
    right=127.0.0.1
468 5 Noel Kuntze
    # Those are just example values. Replace them with the apropriate ones!
469 5 Noel Kuntze
    leftsubnet=10.0.0.0/8
470 5 Noel Kuntze
    rightsubnet=10.0.0.0/8
471 5 Noel Kuntze
    # those two lines are critical.
472 5 Noel Kuntze
    type=passthrough
473 5 Noel Kuntze
    auto=route
474 5 Noel Kuntze
</pre>
475 1 Noel Kuntze
}}
476 7 Noel Kuntze
477 13 Noel Kuntze
h2. Host-To-Host transport mode
478 7 Noel Kuntze
479 7 Noel Kuntze
Based on "the trap-any test scenario":https://www.strongswan.org/testing/testresults/ikev2/trap-any/.
480 7 Noel Kuntze
481 7 Noel Kuntze
The hosts involved are in the 192.168.1.0/24 subnet.
482 8 Noel Kuntze
The notes from Tobias' comment in issue #196 apply:
483 8 Noel Kuntze
> The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
484 8 Noel Kuntze
> 
485 8 Noel Kuntze
> Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).
486 7 Noel Kuntze
487 7 Noel Kuntze
{{collapse(ipsec.conf)
488 7 Noel Kuntze
<pre>conn host-to-host
489 7 Noel Kuntze
	ikelifetime=60m
490 7 Noel Kuntze
	keylife=20m
491 7 Noel Kuntze
	rekeymargin=3m
492 7 Noel Kuntze
	keyingtries=1
493 7 Noel Kuntze
494 7 Noel Kuntze
conn trap-any
495 7 Noel Kuntze
    also=host-to-host
496 7 Noel Kuntze
	right=%any
497 7 Noel Kuntze
	leftsubnet=192.168.1.0/24
498 7 Noel Kuntze
	rightsubnet=192.168.1.0/24
499 7 Noel Kuntze
	type=transport
500 7 Noel Kuntze
	authby=psk
501 7 Noel Kuntze
	auto=route
502 7 Noel Kuntze
</pre>
503 7 Noel Kuntze
}}