Project

General

Profile

Usable Examples configurations » History » Version 22

Noel Kuntze, 11.03.2017 03:04
Move the eap-dynamic section up to make sure it negotiates the correct method for other conns, for example.

1 20 Noel Kuntze
h1. Usable Examples configurations
2 1 Noel Kuntze
3 1 Noel Kuntze
Preliminary obligatory notes:
4 1 Noel Kuntze
* These examples follow the [[SecurityRecommendations|Security Recommendations]]. Follow them. They are there
5 1 Noel Kuntze
  for a reason.
6 1 Noel Kuntze
* You can have several conn sections in your @ipsec.conf@ file
7 2 Noel Kuntze
* In scenarios where the remote peer authenticates itself with a client certificate,
8 4 Noel Kuntze
  charon requires all certificates that are in the trust path of the client's certificate
9 4 Noel Kuntze
  to be present, readable and valid for authentication
10 2 Noel Kuntze
  to be successful. charon implicitely trusts all CA certificates that it loads
11 1 Noel Kuntze
  via local files or that are loaded via the VICI API.
12 4 Noel Kuntze
* In scenarios where charon authenticates itself with a certificate, it needs to have
13 4 Noel Kuntze
  all certificates in the trust path. 
14 4 Noel Kuntze
* charon only reads the first certificate in a file.
15 1 Noel Kuntze
* Your responder (the proper word for "server" in ipsec talk) needs to identify
16 1 Noel Kuntze
  and authenticate itself to the initiator (the proper word for "client" in ipsec talk)
17 1 Noel Kuntze
  with the apropriate identity. If your initiator wants to talk to "foo.bar.com",
18 1 Noel Kuntze
  your responder needs to identify and authenticate itself as _foo.bar.com_.
19 1 Noel Kuntze
* Credentials are bound to identities. You can not successfully authenticate yourself
20 1 Noel Kuntze
  as the identitiy _foo.bar.com_ with a certificate if that certificate is not issued for that
21 1 Noel Kuntze
  identity. The identities that a certificate provide are its complete DN and the SAN fields.
22 1 Noel Kuntze
* The used cipher suite must be supported by both sides. Some implementations
23 3 Noel Kuntze
  only support weak crypto. Do not make concessions, unless necessary for interoperability.
24 1 Noel Kuntze
* XAUTH credentials are handled internally as EAP credentials. Both are valid for
25 1 Noel Kuntze
  XAUTH, EAP-GTC, EAP-MSCHAPv2 and whatever other cleartext or digest based
26 1 Noel Kuntze
  authentication might be implemented in the future.
27 1 Noel Kuntze
* The cipher settings are deliberately ordered by performance.
28 6 Noel Kuntze
  Faster, but secure ciphers appear in the beginning of the cipher list.
29 6 Noel Kuntze
  That should make charon choose faster, but secure ones first.  
30 14 Noel Kuntze
* Do not use 3DES, CAST, DES or MD5. They are broken.
31 1 Noel Kuntze
* The algorithm your certificate uses and they algorithm the key exchange uses
32 1 Noel Kuntze
  do not have anything to do with each other.
33 1 Noel Kuntze
* strongSwan does not implement L2TP.
34 16 Noel Kuntze
* Multiple pools can be used at the same time.
35 16 Noel Kuntze
* The [[IpsecPool|ipsec pools]] tool with the [[attrsql]] plugin can be used to assign different DNS and NBNS servers,
36 16 Noel Kuntze
  as well as different arbitrary attributes to remote peers.
37 1 Noel Kuntze
* Read the documentation and use "the search function":https://wiki.strongswan.org/projects/strongswan/search.
38 1 Noel Kuntze
39 10 Noel Kuntze
40 1 Noel Kuntze
h2. Roadwarrior scenario
41 17 Noel Kuntze
42 10 Noel Kuntze
h3. Responder
43 9 Noel Kuntze
44 1 Noel Kuntze
This is an example configuration that provides support for several clients
45 1 Noel Kuntze
with several authentication styles.
46 1 Noel Kuntze
47 1 Noel Kuntze
{{collapse(ipsec.conf)
48 1 Noel Kuntze
<pre>
49 1 Noel Kuntze
conn rw-base
50 1 Noel Kuntze
    # enables IKE fragmentation 
51 1 Noel Kuntze
    fragmentation=yes
52 1 Noel Kuntze
    dpdaction=clear
53 1 Noel Kuntze
    # dpdtimeout is not honored for ikev2. For IKEv2, every message is used
54 1 Noel Kuntze
    # to determine the timeout, so the generic timeout value for IKEv2 messages
55 1 Noel Kuntze
    # is used. 
56 1 Noel Kuntze
    dpdtimeout=90s
57 1 Noel Kuntze
    dpddelay=30s
58 1 Noel Kuntze
59 1 Noel Kuntze
# this is used in every conn in which the client is assigned a "virtual" IP or
60 1 Noel Kuntze
# one or several DNS servers    
61 1 Noel Kuntze
# the cipher suits require the openssl plugin.
62 1 Noel Kuntze
conn rw-config
63 1 Noel Kuntze
    also=rw-base
64 1 Noel Kuntze
    rightsourceip=172.16.252.0/24
65 1 Noel Kuntze
    # set this to a local DNS server that the clients can reach with their assigned IPs.
66 1 Noel Kuntze
    # Think about routing.
67 1 Noel Kuntze
    rightdns=
68 1 Noel Kuntze
    leftsubnet=0.0.0.0/0
69 1 Noel Kuntze
    leftid=whatevertheclientusestoconnect
70 1 Noel Kuntze
    leftcert=mycertificate.pem
71 1 Noel Kuntze
    # not possible with asymmetric authentication
72 1 Noel Kuntze
    reauth=no
73 1 Noel Kuntze
    rekey=no
74 20 Noel Kuntze
    # secure cipher suits
75 1 Noel Kuntze
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
76 1 Noel Kuntze
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
77 1 Noel Kuntze
    leftsendcert=always
78 1 Noel Kuntze
    rightca="C=This, O=Is, OU=My, CN=CA"
79 1 Noel Kuntze
    
80 1 Noel Kuntze
# this conn is set up for l2tp support where the user authentication is happening
81 1 Noel Kuntze
# in the l2tp control connection. With L2TP, clients are usually not assigned
82 1 Noel Kuntze
# a virtual IP in IKE.
83 1 Noel Kuntze
# Charon is not an l2tp server. You need to install xl2tp for that and configure it correctly.
84 1 Noel Kuntze
# mark=%unique requires the connmark plugin.
85 1 Noel Kuntze
conn ikev1-l2tp-chap-auth-in-xl2tpd
86 1 Noel Kuntze
    also=rw-base
87 1 Noel Kuntze
    # reduce to the most secure combination the client can support, if absolutely required.
88 1 Noel Kuntze
    ike=aes128-sha1-modp3072
89 17 Noel Kuntze
    esp=aes128-sha1-modp3072
90 1 Noel Kuntze
    leftsubnet=%dynamic[/1701]
91 11 Noel Kuntze
    rightsubnet=%dynamic
92 1 Noel Kuntze
    mark=%unique
93 1 Noel Kuntze
    leftauth=psk
94 1 Noel Kuntze
    rightauth=psk
95 1 Noel Kuntze
    type=transport
96 1 Noel Kuntze
    auto=add
97 1 Noel Kuntze
    
98 1 Noel Kuntze
# this conn is set up for l2tp support where the user authentication is happening
99 1 Noel Kuntze
# during the IKEv1 authentication. With L2TP, clients are usually not assigned
100 1 Noel Kuntze
# a virtual IP in IKE.
101 1 Noel Kuntze
# mark=%unique requires the connmark plugin.
102 1 Noel Kuntze
# this requires the xauth-generic plugin.
103 1 Noel Kuntze
conn ikev1-l2tp-xauth-in-ike
104 1 Noel Kuntze
    also=rw-base
105 1 Noel Kuntze
    # reduce to the most secure combination the client can support, if absolutely required.
106 1 Noel Kuntze
    ike=aes128-sha1-modp3072
107 17 Noel Kuntze
    esp=aes128-sha1-modp3072
108 1 Noel Kuntze
    leftsubnet=%dynamic[/1701]
109 11 Noel Kuntze
    rightsubnet=%dynamic
110 1 Noel Kuntze
    mark=%unique
111 1 Noel Kuntze
    leftauth=psk
112 1 Noel Kuntze
    rightauth=psk
113 1 Noel Kuntze
    rightauth2=xauth-generic
114 9 Noel Kuntze
    xauth=server
115 1 Noel Kuntze
    # not possible with asymmetric authentication
116 1 Noel Kuntze
    reauth=no
117 1 Noel Kuntze
    rekey=no
118 1 Noel Kuntze
    type=transport
119 1 Noel Kuntze
    auto=add
120 1 Noel Kuntze
    
121 1 Noel Kuntze
# this requires the xauth-generic plugin.
122 1 Noel Kuntze
conn ikev1-psk-xauth
123 1 Noel Kuntze
    also=rw-config
124 1 Noel Kuntze
    leftauth=psk
125 1 Noel Kuntze
    rightauth=psk
126 1 Noel Kuntze
    rightauth2=xauth-generic
127 9 Noel Kuntze
    xauth=server
128 1 Noel Kuntze
    auto=add
129 1 Noel Kuntze
130 1 Noel Kuntze
# leftauth and rightauth default to "pubkey", so no change necessary.
131 1 Noel Kuntze
conn ikev1-pubkey
132 1 Noel Kuntze
    also=rw-config
133 1 Noel Kuntze
    auto=add
134 1 Noel Kuntze
135 1 Noel Kuntze
# this requires the xauth-generic plugin.
136 1 Noel Kuntze
conn ikev1-pubkey-xauth
137 1 Noel Kuntze
    also=rw-config
138 1 Noel Kuntze
    rightauth2=xauth-generic
139 9 Noel Kuntze
    xauth=server
140 1 Noel Kuntze
    auto=add
141 1 Noel Kuntze
142 1 Noel Kuntze
# this requires the xauth-generic plugin.
143 1 Noel Kuntze
conn ikev1-hybrid
144 1 Noel Kuntze
    also=rw-config
145 1 Noel Kuntze
    rightauth=xauth-generic
146 9 Noel Kuntze
    xauth=server
147 1 Noel Kuntze
148 1 Noel Kuntze
conn ikev2-pubkey
149 1 Noel Kuntze
    also=rw-config
150 1 Noel Kuntze
    auto=add
151 1 Noel Kuntze
152 22 Noel Kuntze
# IF you need to support several EAP methods at the same time, you need to use eap-dynamic
153 22 Noel Kuntze
# and not use any other conn with eap settings. Add the settings for the eap-dynamic plugin to your strongswan.conf file.
154 22 Noel Kuntze
155 22 Noel Kuntze
conn ikev2-eap
156 22 Noel Kuntze
    also=rw-config
157 22 Noel Kuntze
    rightauth=eap-dynamic
158 22 Noel Kuntze
    eap_identity=%identity
159 22 Noel Kuntze
    auto=add
160 22 Noel Kuntze
161 1 Noel Kuntze
# this requires the eap-tls plugin.
162 1 Noel Kuntze
conn ikev2-eap-tls
163 1 Noel Kuntze
    also=rw-base
164 1 Noel Kuntze
    rightauth=eap-tls
165 1 Noel Kuntze
    eap_identity=%identity
166 18 Noel Kuntze
    auto=add
167 18 Noel Kuntze
168 18 Noel Kuntze
# this requires the eap-mschapv2 plugin.
169 18 Noel Kuntze
conn ikev2-eap-mschapv2
170 18 Noel Kuntze
    also=rw-config
171 18 Noel Kuntze
    rightauth=eap-mschapv2
172 18 Noel Kuntze
    eap_identity=%identity
173 18 Noel Kuntze
    auto=add
174 1 Noel Kuntze
</pre>
175 1 Noel Kuntze
}}
176 1 Noel Kuntze
177 18 Noel Kuntze
{{collapse(strongswan.conf)
178 21 Noel Kuntze
<pre>
179 18 Noel Kuntze
charon {
180 18 Noel Kuntze
181 18 Noel Kuntze
    plugins {
182 18 Noel Kuntze
        eap_dynamic {
183 18 Noel Kuntze
            preferred = eap-mschapv2, eap-tls
184 18 Noel Kuntze
        }
185 18 Noel Kuntze
    }
186 18 Noel Kuntze
}
187 21 Noel Kuntze
</pre>
188 18 Noel Kuntze
}}
189 1 Noel Kuntze
{{collapse(ipsec.secrets)
190 1 Noel Kuntze
<pre>
191 1 Noel Kuntze
: PSK "foobarblah"
192 1 Noel Kuntze
: RSA myprivatekey.pem
193 1 Noel Kuntze
carol : EAP "carolspassword"
194 1 Noel Kuntze
</pre>
195 1 Noel Kuntze
}}
196 9 Noel Kuntze
197 10 Noel Kuntze
h3. Initiator
198 1 Noel Kuntze
199 10 Noel Kuntze
These configuration files provide valid and usable configurations as use
200 10 Noel Kuntze
as a roadwarrior client against arbitrary IKE responders that are configured correctly.
201 10 Noel Kuntze
*You need to replace the marked values with the correct values*
202 10 Noel Kuntze
Remove conns that you do not require for your scenario. Some values
203 10 Noel Kuntze
might need to be changed, depending on the brokeness of the responder.
204 10 Noel Kuntze
*Read the comments in the files and read _ipsec.conf_ as well as _ipsec.secrets_.*
205 10 Noel Kuntze
206 10 Noel Kuntze
The configurations shown here are not exclusive. There are a lot more possible.
207 10 Noel Kuntze
Check out the [[PluginList|plugin list]] and the "test scenarios":https://strongswan.org/uml/testresults5/
208 10 Noel Kuntze
to see how they can be configured, but beware, those are just test scenarios
209 10 Noel Kuntze
and the configurations there are not usable in production as a whole. They need
210 10 Noel Kuntze
to be combined with the examples here to produce usable scenarios.
211 10 Noel Kuntze
212 10 Noel Kuntze
{{collapse(ipsec.conf)
213 10 Noel Kuntze
<pre>
214 10 Noel Kuntze
215 10 Noel Kuntze
conn rw-base
216 10 Noel Kuntze
    dpdaction=restart
217 10 Noel Kuntze
    dpddelay=30
218 10 Noel Kuntze
    dpdtimeout=90
219 10 Noel Kuntze
    fragmentation=yes
220 10 Noel Kuntze
221 10 Noel Kuntze
conn vip-base
222 10 Noel Kuntze
    also=rw-base
223 10 Noel Kuntze
    leftsourceip=%config
224 10 Noel Kuntze
225 10 Noel Kuntze
conn ikev1-psk-xauth
226 10 Noel Kuntze
# uncomment if the responder only supports crappy crypto. But seriously,
227 10 Noel Kuntze
# every single one of those algorithms is broken. Better spend some $$$
228 10 Noel Kuntze
# on a better solution.
229 10 Noel Kuntze
# 
230 10 Noel Kuntze
#   ike=3des-md5-modp1024!
231 10 Noel Kuntze
#   esp=3des-md5!
232 10 Noel Kuntze
# Use this, if you want PFS with DH group 2.
233 10 Noel Kuntze
#   esp=3des-md5-modp1024!
234 10 Noel Kuntze
    also=vip-base
235 10 Noel Kuntze
    keyexchange=ikev1
236 10 Noel Kuntze
    leftauth=psk
237 10 Noel Kuntze
    leftauth2=xauth
238 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
239 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
240 10 Noel Kuntze
#   rightid=foobar
241 10 Noel Kuntze
    rightauth=psk
242 10 Noel Kuntze
# this tunnels all the traffic. You might maybe want to also define a passthrough policy
243 10 Noel Kuntze
# for the local LAN traffic (or use the bypass-lan plugin when it's gone into the master branch)
244 10 Noel Kuntze
# Choose a smaller subnet, if required.
245 10 Noel Kuntze
# this config supports CISCO UNITY. 
246 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
247 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
248 10 Noel Kuntze
    auto=add
249 10 Noel Kuntze
    
250 12 Noel Kuntze
# aggressive mode is incredibly insecure.
251 12 Noel Kuntze
conn ikev1-psk-xauth-aggressive
252 12 Noel Kuntze
    aggressive=yes
253 10 Noel Kuntze
    also=ikev1-psk-xauth
254 10 Noel Kuntze
    auto=add
255 10 Noel Kuntze
256 10 Noel Kuntze
conn ikev1-rsa-xauth
257 10 Noel Kuntze
    also=vip-base
258 10 Noel Kuntze
    keyexchange=ikev1
259 10 Noel Kuntze
    leftauth=pubkey
260 10 Noel Kuntze
    leftauth2=xauth-generic
261 10 Noel Kuntze
    leftcert=thisithepathtomycertificate.pem
262 10 Noel Kuntze
    xauth_identity=thisismyusername
263 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
264 10 Noel Kuntze
# You might require this if the responder sends a wrong ID.
265 10 Noel Kuntze
#   rightid=somethingsomething
266 10 Noel Kuntze
    rightauth=pubkey
267 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
268 10 Noel Kuntze
# responder's certificate or just the certificate.
269 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
270 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
271 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
272 10 Noel Kuntze
# if you've only got the responder's certificate
273 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
274 10 Noel Kuntze
    auto=add
275 10 Noel Kuntze
276 10 Noel Kuntze
277 10 Noel Kuntze
conn ikev1-l2tp
278 10 Noel Kuntze
    also=rw-base
279 10 Noel Kuntze
    keyexchange=ikev1
280 1 Noel Kuntze
    type=transport
281 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
282 11 Noel Kuntze
    rightsubnet=%dynamic[/1701]
283 10 Noel Kuntze
    leftauth=psk
284 10 Noel Kuntze
    rightauth=psk
285 10 Noel Kuntze
    
286 10 Noel Kuntze
    
287 12 Noel Kuntze
# if your responder uses aggressive mode, add
288 12 Noel Kuntze
# aggressive=yes in the conn
289 10 Noel Kuntze
# user authentication happens in IKE using xauth
290 10 Noel Kuntze
conn ikev1-l2tp-ipsec-userauth-in-ike
291 10 Noel Kuntze
    also=ikev1-l2tp
292 10 Noel Kuntze
    leftauth2=xauth-generic
293 10 Noel Kuntze
    auto=add
294 10 Noel Kuntze
295 12 Noel Kuntze
# if your responder uses aggressive mode, add
296 12 Noel Kuntze
# aggressive=yes in the conn
297 10 Noel Kuntze
# user authentication happens in L2TP
298 10 Noel Kuntze
conn ikev1-l2tp-ipsec-userauth-in-l2tp
299 10 Noel Kuntze
    also=ikev1-l2tp
300 10 Noel Kuntze
    auto=add
301 10 Noel Kuntze
302 10 Noel Kuntze
303 10 Noel Kuntze
# Authentication with EAP-MSCHAPv2 is asymmetric. The responder
304 10 Noel Kuntze
# has to authenticate itself against the initiator with an X.509 certificate.
305 10 Noel Kuntze
conn ikev2-eap-mschapv2
306 10 Noel Kuntze
    also=vip-base
307 10 Noel Kuntze
    keyexchange=ikev2
308 10 Noel Kuntze
    leftauth=eap-mschapv2
309 10 Noel Kuntze
    rightauth=pubkey
310 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
311 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
312 10 Noel Kuntze
# responder's certificate or just the certificate.
313 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
314 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
315 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
316 10 Noel Kuntze
# if you've only got the responder's certificate
317 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
318 10 Noel Kuntze
319 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
320 10 Noel Kuntze
#   rightid=foobar
321 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
322 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
323 10 Noel Kuntze
    auto=add
324 10 Noel Kuntze
325 10 Noel Kuntze
# asymmetric authentication using eap-tls and pubkey auth
326 10 Noel Kuntze
conn ikev2-eap-tls-asymmetric
327 10 Noel Kuntze
    also=vip-base
328 10 Noel Kuntze
    keyexchange=ikev2
329 10 Noel Kuntze
    leftcert=mycert
330 10 Noel Kuntze
    leftauth=eap-tls
331 10 Noel Kuntze
    rightauth=pubkey
332 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
333 10 Noel Kuntze
# responder's certificate or just the certificate.
334 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
335 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
336 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
337 10 Noel Kuntze
# if you've only got the responder's certificate
338 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
339 10 Noel Kuntze
340 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
341 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
342 10 Noel Kuntze
#   rightid=foobar
343 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
344 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
345 10 Noel Kuntze
    auto=add
346 10 Noel Kuntze
347 10 Noel Kuntze
348 10 Noel Kuntze
# symmetric authentication using just eap-tls
349 10 Noel Kuntze
conn ikev2-eap-tls-symmetric
350 10 Noel Kuntze
    also=vip-base
351 10 Noel Kuntze
    keyexchange=ikev2
352 10 Noel Kuntze
    leftcert=mycert
353 10 Noel Kuntze
    leftauth=eap-tls
354 10 Noel Kuntze
    rightauth=eap-tls
355 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
356 10 Noel Kuntze
# responder's certificate or just the certificate.
357 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
358 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
359 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
360 10 Noel Kuntze
# if you've only got the responder's certificate
361 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
362 10 Noel Kuntze
363 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
364 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
365 10 Noel Kuntze
#   rightid=foobar
366 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
367 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
368 10 Noel Kuntze
    auto=add
369 10 Noel Kuntze
370 10 Noel Kuntze
</pre>
371 10 Noel Kuntze
}}
372 10 Noel Kuntze
373 10 Noel Kuntze
{{collapse(ipsec.secrets)
374 10 Noel Kuntze
<pre>
375 10 Noel Kuntze
RespondersIPorFQDNGoesHere : PSK "thisisthesharedpassword"
376 10 Noel Kuntze
thisismyusername : EAP "thisismypassword"
377 10 Noel Kuntze
: RSA myprivatekey
378 10 Noel Kuntze
</pre>
379 10 Noel Kuntze
}}
380 10 Noel Kuntze
381 10 Noel Kuntze
382 10 Noel Kuntze
383 1 Noel Kuntze
h2. Site-To-Site-Scenario
384 1 Noel Kuntze
385 1 Noel Kuntze
{{collapse(ipsec.conf)
386 1 Noel Kuntze
<pre>
387 1 Noel Kuntze
conn sts-base
388 1 Noel Kuntze
    fragmentation=yes
389 1 Noel Kuntze
    dpdaction=restart
390 1 Noel Kuntze
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
391 1 Noel Kuntze
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072#
392 1 Noel Kuntze
    keyingtries=%forever
393 1 Noel Kuntze
    leftcert=foobar.pem
394 1 Noel Kuntze
395 19 Noel Kuntze
# this conn is set up for a remote host with a static IP
396 1 Noel Kuntze
conn site-1-static-ip
397 1 Noel Kuntze
    also=sts-base
398 1 Noel Kuntze
    keyexchange=ikev2
399 1 Noel Kuntze
    leftsubnet=10.1.2.0/24,10.1.1.0/24
400 1 Noel Kuntze
    rightsubnet=10.1.3.0/24
401 1 Noel Kuntze
    right=1.2.3.4
402 1 Noel Kuntze
    rightcert=1.2.3.4.pem
403 1 Noel Kuntze
    auto=route
404 1 Noel Kuntze
405 19 Noel Kuntze
# this conn is set up for a remote host with a dynamic IP
406 1 Noel Kuntze
conn site-2-dynamic-ip
407 1 Noel Kuntze
    also=sts-base
408 1 Noel Kuntze
    keyexchange=ikev2
409 1 Noel Kuntze
    leftsubnet=10.1.2.0/24,10.1.1.0/24
410 1 Noel Kuntze
    rightsubnet=10.1.4.0/24
411 1 Noel Kuntze
    # for this to work, DNS must be usable and working.
412 1 Noel Kuntze
    right=%example.com
413 1 Noel Kuntze
    rightcert=example.com.pem
414 1 Noel Kuntze
    auto=route
415 1 Noel Kuntze
416 1 Noel Kuntze
# this conn is set up for IKEv1 compatibility. It shows how to define several subnets
417 1 Noel Kuntze
# with IKEv1. site-3-legacy-1 and site-3-legacy-2 keep the data for the CHILD_SA.
418 1 Noel Kuntze
# The same can be accomplished with implicit merging by specifying the same IKE_SA
419 1 Noel Kuntze
# configuration in two different conns. This set up is cleaner, though.
420 1 Noel Kuntze
# If you put "auto=route" into the "site-3-legacy-base conn", charon will route the
421 1 Noel Kuntze
# conn with the ts being the local IP that is used to communicate with the remote
422 1 Noel Kuntze
# peer and the remote's peer. If such a CHILD_SA is not configured on the peer, ICMP
423 1 Noel Kuntze
# error messages from the remote peer to the local peer will not be able to be transmitted.
424 1 Noel Kuntze
# So don't do that, unless your remote peer is configured for that.
425 1 Noel Kuntze
# This is an IKEv1 connection with PSK authentication. That means, that you need to know
426 1 Noel Kuntze
# the other side's IP.
427 1 Noel Kuntze
conn site-3-legacy-base
428 1 Noel Kuntze
    also=sts-base
429 1 Noel Kuntze
    keyexchange=ikev1
430 1 Noel Kuntze
    # IKE and ESP cipher settings are reconfigured, because in IKEv1 every 
431 1 Noel Kuntze
    # single cipher suite needs to be enumerated.
432 1 Noel Kuntze
    # It is not possible to define all supported ciphers in one suite.
433 1 Noel Kuntze
    # select apropriate and strong ciphers for your scenario.
434 1 Noel Kuntze
    ike=aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
435 1 Noel Kuntze
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
436 1 Noel Kuntze
    rightsubnet=10.1.5.0/24
437 1 Noel Kuntze
    # for this to work, DNS must be usable and working.
438 1 Noel Kuntze
    right=example.com
439 1 Noel Kuntze
    leftauth=psk
440 1 Noel Kuntze
    rightauth=psk
441 1 Noel Kuntze
442 1 Noel Kuntze
conn site-3-legacy-1
443 1 Noel Kuntze
    leftsubnet=10.1.1.0/24
444 1 Noel Kuntze
    also=site-3-legacy-base
445 1 Noel Kuntze
    auto=route
446 1 Noel Kuntze
447 1 Noel Kuntze
conn site-3-legacy-2
448 1 Noel Kuntze
    leftsubnet=10.1.2.0/24
449 1 Noel Kuntze
    also=site-3-legacy-base
450 1 Noel Kuntze
    auto=route
451 1 Noel Kuntze
</pre>
452 1 Noel Kuntze
}}
453 1 Noel Kuntze
454 1 Noel Kuntze
{{collapse(ipsec.secrets)
455 1 Noel Kuntze
<pre>
456 1 Noel Kuntze
: RSA foobar.key
457 15 Noel Kuntze
remote.com : PSK "example"
458 5 Noel Kuntze
</pre>
459 5 Noel Kuntze
}}
460 1 Noel Kuntze
461 10 Noel Kuntze
h2. Passthrough policy
462 5 Noel Kuntze
463 5 Noel Kuntze
{{collapse(ipsec.conf)
464 5 Noel Kuntze
<pre>
465 5 Noel Kuntze
conn passthrough-1
466 5 Noel Kuntze
    # makes sure those conns are excluded from every conn selection
467 5 Noel Kuntze
    left=127.0.0.1
468 5 Noel Kuntze
    right=127.0.0.1
469 5 Noel Kuntze
    # Those are just example values. Replace them with the apropriate ones!
470 5 Noel Kuntze
    leftsubnet=10.0.0.0/8
471 5 Noel Kuntze
    rightsubnet=10.0.0.0/8
472 5 Noel Kuntze
    # those two lines are critical.
473 5 Noel Kuntze
    type=passthrough
474 5 Noel Kuntze
    auto=route
475 5 Noel Kuntze
</pre>
476 1 Noel Kuntze
}}
477 7 Noel Kuntze
478 13 Noel Kuntze
h2. Host-To-Host transport mode
479 7 Noel Kuntze
480 7 Noel Kuntze
Based on "the trap-any test scenario":https://www.strongswan.org/testing/testresults/ikev2/trap-any/.
481 7 Noel Kuntze
482 7 Noel Kuntze
The hosts involved are in the 192.168.1.0/24 subnet.
483 8 Noel Kuntze
The notes from Tobias' comment in issue #196 apply:
484 8 Noel Kuntze
> The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
485 8 Noel Kuntze
> 
486 8 Noel Kuntze
> Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).
487 7 Noel Kuntze
488 7 Noel Kuntze
{{collapse(ipsec.conf)
489 7 Noel Kuntze
<pre>conn host-to-host
490 7 Noel Kuntze
	ikelifetime=60m
491 7 Noel Kuntze
	keylife=20m
492 7 Noel Kuntze
	rekeymargin=3m
493 7 Noel Kuntze
	keyingtries=1
494 7 Noel Kuntze
495 7 Noel Kuntze
conn trap-any
496 7 Noel Kuntze
    also=host-to-host
497 7 Noel Kuntze
	right=%any
498 7 Noel Kuntze
	leftsubnet=192.168.1.0/24
499 7 Noel Kuntze
	rightsubnet=192.168.1.0/24
500 7 Noel Kuntze
	type=transport
501 7 Noel Kuntze
	authby=psk
502 7 Noel Kuntze
	auto=route
503 7 Noel Kuntze
</pre>
504 7 Noel Kuntze
}}