Usable Examples configurations » History » Version 23

Noel Kuntze, 27.03.2017 21:59

h1. Usable Examples configurations

{{>toc}}

Preliminary obligatory notes:

* These examples follow the [[SecurityRecommendations|Security Recommendations]]. Follow them. They are there
  for a reason.
* You can have several conn sections in your @ipsec.conf@ file.
* In scenarios where the remote peer authenticates itself with a client certificate,
  charon requires all certificates in the trust path of the client's certificate
  to be present, readable and valid for authentication to succeed. charon implicitly
  trusts all CA certificates that it loads from local files or via the VICI API.
* In scenarios where charon authenticates itself with a certificate, it needs to have
  all certificates in the trust path.
* charon only reads the first certificate in a file.
* Your responder (the proper word for "server" in IPsec talk) needs to identify
  and authenticate itself to the initiator (the proper word for "client" in IPsec talk)
  with the appropriate identity. If your initiator wants to talk to "foo.bar.com",
  your responder needs to identify and authenticate itself as _foo.bar.com_.
* Credentials are bound to identities. You can not successfully authenticate yourself
  as the identity _foo.bar.com_ with a certificate if that certificate is not issued for that
  identity. The identities that a certificate provides are its complete DN and its SAN fields.
* The cipher suite used must be supported by both sides. Some implementations
  only support weak crypto. Do not make concessions unless necessary for interoperability.
* XAUTH credentials are handled internally as EAP credentials. Both are valid for
  XAUTH, EAP-GTC, EAP-MSCHAPv2 and whatever other cleartext or digest based
  authentication might be implemented in the future.
* The cipher settings are deliberately ordered by performance.
  Faster, but still secure, ciphers appear at the beginning of the cipher list.
  That should make charon choose the faster secure ones first.
* Do not use 3DES, CAST, DES or MD5. They are broken.
* The algorithm your certificate uses and the algorithm the key exchange uses
  do not have anything to do with each other.
* strongSwan does not implement L2TP.
* Multiple pools can be used at the same time.
* The [[IpsecPool|ipsec pools]] tool with the [[attrsql]] plugin can be used to assign different DNS and NBNS servers,
  as well as different arbitrary attributes, to remote peers.
* Read the documentation and use "the search function":https://wiki.strongswan.org/projects/strongswan/search.

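As an added example (not part of this wiki page and not strongSwan code), a small Python linter that applies several of the notes above to an ipsec.conf before it goes on a box: it resolves @also=@ inheritance, flags the algorithms listed as broken, reports suites that bundle several ciphers or DH groups under @keyexchange=ikev1@ (the rule the site-to-site example's comments state) and warns about a conn that nothing inherits from but that has no @auto=@ line. The sample config embedded in it is constructed; the checks are a small subset of what charon itself validates at load time.

```python
"""Lint an ipsec.conf against the notes above: also= inheritance, broken algorithms,
IKEv1 suite enumeration and missing auto= lines. Added example, not strongSwan code."""
import re

# Constructed sample config (not the page's files) with one deliberately bad legacy conn.
SAMPLE_IPSEC_CONF = """\
conn rw-base
    fragmentation=yes
    dpdaction=clear

conn rw-config
    also=rw-base
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072

# breaks the notes: broken ciphers, a combined suite under IKEv1, and no auto=
conn ikev1-legacy
    also=rw-config
    keyexchange=ikev1
    esp=3des-md5-modp1024
"""

WEAK_ALG = re.compile(r"^(3des|des|cast\d*|md5\S*|prfmd5)$")  # "they are broken"
ENC_STEMS = ("aes", "3des", "des", "cast", "camellia", "chacha", "blowfish", "null")
DH_STEMS = ("modp", "ecp", "curve")

def parse_conns(text):
    """Return {conn name: {key: value}}; comments and blank lines are skipped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        head = re.match(r"conn\s+(\S+)$", line)
        if head and not line[0].isspace():
            cur = conns.setdefault(head.group(1), {})
        elif cur is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def resolve(conns, name, seen=()):
    """Merge a conn with its also= chain; the conn's own keys override inherited ones."""
    if name in seen:
        raise ValueError("also= cycle at " + name)
    own = dict(conns[name])
    parent = own.pop("also", None)
    merged = resolve(conns, parent, seen + (name,)) if parent else {}
    merged.update(own)
    return merged

def suites(proposal):
    """'a-b-c,d-e!' -> [['a','b','c'], ['d','e']]; the strict marker '!' is dropped."""
    return [s.split("-") for s in proposal.rstrip("!").split(",") if s]

def stem(alg):
    m = re.match(r"\d?[a-z]+", alg)  # 'aes192gcm16' -> 'aes', '3des' -> '3des'
    return m.group(0) if m else alg

def lint(text):
    """Return (conn, message) findings for the rules this page states."""
    conns = parse_conns(text)
    inherited = {c.get("also") for c in conns.values()}
    findings = []
    for name in conns:
        cfg = resolve(conns, name)
        # a conn nothing inherits from needs auto=, otherwise charon ignores it
        if name not in inherited and "auto" not in cfg:
            findings.append((name, "no auto=: defaults to ignore, conn is never loaded"))
        for key in ("ike", "esp"):
            for suite in suites(cfg.get(key, "")):
                for alg in sorted({a for a in suite if WEAK_ALG.match(a)}):
                    findings.append((name, "%s= uses broken algorithm %s" % (key, alg)))
                # IKEv1 cannot offer several ciphers or DH groups inside one suite
                enc = sum(stem(a) in ENC_STEMS for a in suite)
                dh = sum(stem(a) in DH_STEMS for a in suite)
                if cfg.get("keyexchange") == "ikev1" and (enc > 1 or dh > 1):
                    findings.append((name, "%s= suite %s must be split up for IKEv1"
                                     % (key, "-".join(suite))))
    return findings
```

Running @lint(SAMPLE_IPSEC_CONF)@ reports only the @ikev1-legacy@ conn: the missing @auto=@, the inherited combined IKE suite, and the 3DES and MD5 in its ESP proposal.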
h2. Roadwarrior scenario

h3. Responder

This is an example configuration that provides support for several clients
with several authentication styles.

{{collapse(ipsec.conf)
<pre>
conn rw-base
    # enables IKE fragmentation
    fragmentation=yes
    dpdaction=clear
    # dpdtimeout is not honored for IKEv2. For IKEv2, every message is used
    # to determine the timeout, so the generic timeout value for IKEv2 messages
    # is used.
    dpdtimeout=90s
    dpddelay=30s

# this is used in every conn in which the client is assigned a "virtual" IP or
# one or several DNS servers.
# the cipher suites require the openssl plugin.
conn rw-config
    also=rw-base
    rightsourceip=172.16.252.0/24
    # set this to a local DNS server that the clients can reach with their assigned IPs.
    # Think about routing.
    rightdns=
    leftsubnet=0.0.0.0/0
    leftid=whatevertheclientusestoconnect
    leftcert=mycertificate.pem
    # not possible with asymmetric authentication
    reauth=no
    rekey=no
    # secure cipher suites
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072
    leftsendcert=always
    rightca="C=This, O=Is, OU=My, CN=CA"

# this conn is set up for L2TP support where the user authentication is happening
# in the L2TP control connection. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# charon is not an L2TP server. You need to install xl2tpd for that and configure it correctly.
# mark=%unique requires the connmark plugin.
conn ikev1-l2tp-chap-auth-in-xl2tpd
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha1-modp3072
    esp=aes128-sha1-modp3072
    leftsubnet=%dynamic[/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    type=transport
    auto=add

# this conn is set up for L2TP support where the user authentication is happening
# during the IKEv1 authentication. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# mark=%unique requires the connmark plugin.
# this requires the xauth-generic plugin.
conn ikev1-l2tp-xauth-in-ike
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha1-modp3072
    esp=aes128-sha1-modp3072
    leftsubnet=%dynamic[/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    # not possible with asymmetric authentication
    reauth=no
    rekey=no
    type=transport
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-psk-xauth
    also=rw-config
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    auto=add

# leftauth and rightauth default to "pubkey", so no change necessary.
conn ikev1-pubkey
    also=rw-config
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-pubkey-xauth
    also=rw-config
    rightauth2=xauth-generic
    xauth=server
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-hybrid
    also=rw-config
    rightauth=xauth-generic
    xauth=server
    # without auto=add the conn is never loaded (the default is ignore)
    auto=add

conn ikev2-pubkey
    also=rw-config
    auto=add

# If you need to support several EAP methods at the same time, you need to use eap-dynamic
# and not use any other conn with EAP settings. Add the settings for the eap-dynamic plugin to your strongswan.conf file.

conn ikev2-eap
    also=rw-config
    rightauth=eap-dynamic
    eap_identity=%identity
    auto=add

# this requires the eap-tls plugin.
conn ikev2-eap-tls
    also=rw-base
    rightauth=eap-tls
    eap_identity=%identity
    auto=add

# this requires the eap-mschapv2 plugin.
conn ikev2-eap-mschapv2
    also=rw-config
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
</pre>
}}

{{collapse(strongswan.conf)
<pre>
charon {

    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}
</pre>
}}
{{collapse(ipsec.secrets)
<pre>
: PSK "foobarblah"
: RSA myprivatekey.pem
carol : EAP "carolspassword"
</pre>
}}

h3. Initiator

These configuration files provide valid and usable configurations for use
as a roadwarrior client against arbitrary IKE responders that are configured correctly.
*You need to replace the marked values with the correct values.*
Remove conns that you do not require for your scenario. Some values
might need to be changed, depending on the brokenness of the responder.
*Read the comments in the files and read _ipsec.conf_ as well as _ipsec.secrets_.*

The configurations shown here are not exhaustive. There are a lot more possible.
Check out the [[PluginList|plugin list]] and the "test scenarios":https://strongswan.org/uml/testresults5/
to see how they can be configured, but beware, those are just test scenarios
and the configurations there are not usable in production as a whole. They need
to be combined with the examples here to produce usable scenarios.

{{collapse(ipsec.conf)
<pre>
conn rw-base
    dpdaction=restart
    dpddelay=30
    dpdtimeout=90
    fragmentation=yes

conn vip-base
    also=rw-base
    leftsourceip=%config

conn ikev1-psk-xauth
    # uncomment if the responder only supports crappy crypto. But seriously,
    # every single one of those algorithms is broken. Better spend some $$$
    # on a better solution.
    #
    #   ike=3des-md5-modp1024!
    #   esp=3des-md5!
    # Use this, if you want PFS with DH group 2.
    #   esp=3des-md5-modp1024!
    also=vip-base
    keyexchange=ikev1
    leftauth=psk
    leftauth2=xauth
    right=RespondersIPorFQDNGoesHere
    # You might have to set this to the correct value, if the responder isn't configured correctly.
    #   rightid=foobar
    rightauth=psk
    # this tunnels all the traffic. You might also want to define a passthrough policy
    # for the local LAN traffic (or use the bypass-lan plugin when it's gone into the master branch).
    # Choose a smaller subnet, if required.
    # this config supports CISCO UNITY.
    # Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# aggressive mode is incredibly insecure.
conn ikev1-psk-xauth-aggressive
    aggressive=yes
    also=ikev1-psk-xauth
    auto=add

conn ikev1-rsa-xauth
    also=vip-base
    keyexchange=ikev1
    leftauth=pubkey
    leftauth2=xauth-generic
    leftcert=thisisthepathtomycertificate.pem
    xauth_identity=thisismyusername
    right=RespondersIPorFQDNGoesHere
    # You might require this if the responder sends a wrong ID.
    #   rightid=somethingsomething
    rightauth=pubkey
    # The following settings depend on whether you've got the CA that issued the
    # responder's certificate or just the certificate.
    # if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
    # read the notes in the beginning of the page about certificates.
    #   rightca="This is the DN of the CA's certificate"
    # if you've only got the responder's certificate
    #   rightcert=thisisthepathtothecertificate
    auto=add

conn ikev1-l2tp
    also=rw-base
    keyexchange=ikev1
    type=transport
    right=RespondersIPorFQDNGoesHere
    rightsubnet=%dynamic[/1701]
    leftauth=psk
    rightauth=psk

# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in IKE using xauth
conn ikev1-l2tp-ipsec-userauth-in-ike
    also=ikev1-l2tp
    leftauth2=xauth-generic
    auto=add

# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in L2TP
conn ikev1-l2tp-ipsec-userauth-in-l2tp
    also=ikev1-l2tp
    auto=add

# Authentication with EAP-MSCHAPv2 is asymmetric. The responder
# has to authenticate itself against the initiator with an X.509 certificate.
conn ikev2-eap-mschapv2
    also=vip-base
    keyexchange=ikev2
    leftauth=eap-mschapv2
    # the identity sent in reply to the responder's EAP Identity request;
    # it must match the EAP entry in ipsec.secrets.
    eap_identity=thisismyusername
    rightauth=pubkey
    right=RespondersIPorFQDNGoesHere
    # The following settings depend on whether you've got the CA that issued the
    # responder's certificate or just the certificate.
    # if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
    # read the notes in the beginning of the page about certificates.
    #   rightca="This is the DN of the CA's certificate"
    # if you've only got the responder's certificate
    #   rightcert=thisisthepathtothecertificate

    # You might have to set this to the correct value, if the responder isn't configured correctly.
    #   rightid=foobar
    # Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# asymmetric authentication using eap-tls and pubkey auth
conn ikev2-eap-tls-asymmetric
    also=vip-base
    keyexchange=ikev2
    leftcert=mycert
    leftauth=eap-tls
    rightauth=pubkey
    # The following settings depend on whether you've got the CA that issued the
    # responder's certificate or just the certificate.
    # if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
    # read the notes in the beginning of the page about certificates.
    #   rightca="This is the DN of the CA's certificate"
    # if you've only got the responder's certificate
    #   rightcert=thisisthepathtothecertificate

    right=RespondersIPorFQDNGoesHere
    # You might have to set this to the correct value, if the responder isn't configured correctly.
    #   rightid=foobar
    # Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add


# symmetric authentication using just eap-tls
conn ikev2-eap-tls-symmetric
    also=vip-base
    keyexchange=ikev2
    leftcert=mycert
    leftauth=eap-tls
    rightauth=eap-tls
    # The following settings depend on whether you've got the CA that issued the
    # responder's certificate or just the certificate.
    # if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
    # read the notes in the beginning of the page about certificates.
    #   rightca="This is the DN of the CA's certificate"
    # if you've only got the responder's certificate
    #   rightcert=thisisthepathtothecertificate

    right=RespondersIPorFQDNGoesHere
    # You might have to set this to the correct value, if the responder isn't configured correctly.
    #   rightid=foobar
    # Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

</pre>
}}

{{collapse(ipsec.secrets)
<pre>
RespondersIPorFQDNGoesHere : PSK "thisisthesharedpassword"
thisismyusername : EAP "thisismypassword"
: RSA myprivatekey
</pre>
}}



h2. Site-To-Site-Scenario

{{collapse(ipsec.conf)
<pre>
conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072
    keyingtries=%forever
    leftcert=foobar.pem

# this conn is set up for a remote host with a static IP
conn site-1-static-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.3.0/24
    right=1.2.3.4
    rightcert=1.2.3.4.pem
    auto=route

# this conn is set up for a remote host with a dynamic IP
conn site-2-dynamic-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.4.0/24
    # for this to work, DNS must be usable and working.
    right=%example.com
    rightcert=example.com.pem
    auto=route

# this conn is set up for IKEv1 compatibility. It shows how to define several subnets
# with IKEv1. site-3-legacy-1 and site-3-legacy-2 keep the data for the CHILD_SAs.
# The same can be accomplished with implicit merging by specifying the same IKE_SA
# configuration in two different conns. This setup is cleaner, though.
# If you put "auto=route" into the site-3-legacy-base conn, charon will route the
# conn with the traffic selectors being the local IP that is used to communicate with
# the remote peer and the remote peer's IP. If such a CHILD_SA is not configured on the
# peer, ICMP error messages from the remote peer to the local peer will not be able to
# be transmitted. So don't do that, unless your remote peer is configured for that.
# This is an IKEv1 connection with PSK authentication. That means that you need to know
# the other side's IP.
conn site-3-legacy-base
    also=sts-base
    keyexchange=ikev1
    # IKE and ESP cipher settings are reconfigured, because in IKEv1 every
    # single cipher suite needs to be enumerated.
    # It is not possible to define all supported ciphers in one suite.
    # select appropriate and strong ciphers for your scenario.
    ike=aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
    rightsubnet=10.1.5.0/24
    # for this to work, DNS must be usable and working.
    right=example.com
    leftauth=psk
    rightauth=psk

conn site-3-legacy-1
    leftsubnet=10.1.1.0/24
    also=site-3-legacy-base
    auto=route

conn site-3-legacy-2
    leftsubnet=10.1.2.0/24
    also=site-3-legacy-base
    auto=route
</pre>
}}

{{collapse(ipsec.secrets)
<pre>
: RSA foobar.key
# the PSK entry must match the peer used in site-3-legacy-base (right=example.com)
example.com : PSK "example"
</pre>
}}

h2. Passthrough policy

{{collapse(ipsec.conf)
<pre>
conn passthrough-1
    # makes sure this conn is excluded from every conn selection
    left=127.0.0.1
    right=127.0.0.1
    # Those are just example values. Replace them with the appropriate ones!
    leftsubnet=10.0.0.0/8
    rightsubnet=10.0.0.0/8
    # those two lines are critical.
    type=passthrough
    auto=route
</pre>
}}

h2. Host-To-Host transport mode

Based on "the trap-any test scenario":https://www.strongswan.org/testing/testresults/ikev2/trap-any/.

The hosts involved are in the 192.168.1.0/24 subnet.
The notes from Tobias' comment in issue #196 apply:
> The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
> 
> Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).

{{collapse(ipsec.conf)
<pre>
conn host-to-host
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn trap-any
    also=host-to-host
    right=%any
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=transport
    authby=psk
    auto=route
</pre>
}}