Usable Examples configurations » History » Version 25

Noel Kuntze, 22.11.2017 00:26
add swanctl.conf examples.

h1. Usable Examples configurations

{{>toc}}

Preliminary obligatory notes:

* These examples follow the [[SecurityRecommendations|Security Recommendations]]. Follow them. They are there
  for a reason.
* You can have several conn sections in your @ipsec.conf@ file.
* In scenarios where the remote peer authenticates itself with a client certificate,
  charon requires all certificates that are in the trust path of the client's certificate
  to be present, readable and valid for authentication
  to be successful. charon implicitly trusts all CA certificates that it loads
  via local files or that are loaded via the VICI API.
* In scenarios where charon authenticates itself with a certificate, it needs to have
  all certificates in the trust path.
* charon only reads the first certificate in a file.
* Your responder (the proper word for "server" in IPsec talk) needs to identify
  and authenticate itself to the initiator (the proper word for "client" in IPsec talk)
  with the appropriate identity. If your initiator wants to talk to "foo.bar.com",
  your responder needs to identify and authenticate itself as _foo.bar.com_.
* Credentials are bound to identities. You can not successfully authenticate yourself
  as the identity _foo.bar.com_ with a certificate if that certificate is not issued for that
  identity. The identities that a certificate provides are its complete DN and the SAN fields.
* The used cipher suite must be supported by both sides. Some implementations
  only support weak crypto. Do not make concessions, unless necessary for interoperability.
* XAUTH credentials are handled internally as EAP credentials. Both are valid for
  XAUTH, EAP-GTC, EAP-MSCHAPv2 and whatever other cleartext or digest based
  authentication might be implemented in the future.
* The cipher settings are deliberately ordered by performance.
  Faster, but secure ciphers appear at the beginning of the cipher list.
  That should make charon choose faster, but secure ones first.
* Do not use 3DES, CAST, DES or MD5. They are broken.
* The algorithm your certificate uses and the algorithm the key exchange uses
  do not have anything to do with each other.
* strongSwan does not implement L2TP.
* Multiple pools can be used at the same time.
* The [[IpsecPool|ipsec pools]] tool with the [[attrsql]] plugin can be used to assign different DNS and NBNS servers,
  as well as different arbitrary attributes to remote peers.
* Read the documentation and use "the search function":https://wiki.strongswan.org/projects/strongswan/search.


h2. Roadwarrior scenario

h3. Responder

This is an example configuration that provides support for several clients
with several authentication styles.

{{collapse(ipsec.conf)
<pre>
conn rw-base
    # enables IKE fragmentation
    fragmentation=yes
    dpdaction=clear
    # dpdtimeout is not honored for IKEv2. For IKEv2, every message is used
    # to determine the timeout, so the generic timeout value for IKEv2 messages
    # is used.
    dpdtimeout=90s
    dpddelay=30s

# this is used in every conn in which the client is assigned a "virtual" IP or
# one or several DNS servers
# the cipher suites require the openssl plugin.
conn rw-config
    also=rw-base
    rightsourceip=172.16.252.0/24
    # set this to a local DNS server that the clients can reach with their assigned IPs.
    # Think about routing.
    rightdns=
    leftsubnet=0.0.0.0/0
    leftid=whatevertheclientusestoconnect
    leftcert=mycertificate.pem
    # not possible with asymmetric authentication
    reauth=no
    rekey=no
    # secure cipher suites
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072
    leftsendcert=always
    rightca="C=This, O=Is, OU=My, CN=CA"

# this conn is set up for L2TP support where the user authentication is happening
# in the L2TP control connection. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# charon is not an L2TP server. You need to install xl2tpd for that and configure it correctly.
# mark=%unique requires the connmark plugin.
conn ikev1-l2tp-chap-auth-in-l2tp
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha1-modp3072
    esp=aes128-sha1-modp3072
    leftsubnet=%dynamic[/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    type=transport
    auto=add

# this conn is set up for L2TP support where the user authentication is happening
# during the IKEv1 authentication. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# mark=%unique requires the connmark plugin.
# this requires the xauth-generic plugin.
conn ikev1-l2tp-xauth-in-ike
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha1-modp3072
    esp=aes128-sha1-modp3072
    leftsubnet=%dynamic[/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    # not possible with asymmetric authentication
    reauth=no
    rekey=no
    type=transport
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-psk-xauth
    also=rw-config
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    auto=add

# leftauth and rightauth default to "pubkey", so no change necessary.
conn ikev1-pubkey
    also=rw-config
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-pubkey-xauth
    also=rw-config
    rightauth2=xauth-generic
    xauth=server
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-hybrid
    also=rw-config
    rightauth=xauth-generic
    xauth=server
    auto=add

conn ikev2-pubkey
    also=rw-config
    auto=add

# If you need to support several EAP methods at the same time, you need to use eap-dynamic
# and not use any other conn with eap settings. Add the settings for the eap-dynamic plugin to your strongswan.conf file.

conn ikev2-eap
    also=rw-config
    rightauth=eap-dynamic
    eap_identity=%identity
    auto=add

# this requires the eap-tls plugin.
conn ikev2-eap-tls
    also=rw-base
    rightauth=eap-tls
    eap_identity=%identity
    auto=add

# this requires the eap-mschapv2 plugin.
conn ikev2-eap-mschapv2
    also=rw-config
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
</pre>
}}
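A check for the notes above about broken algorithms and about conn sections with @also=@ inheritance, as an added example that is not part of this wiki page or of strongSwan: a small Python linter for the subset of @ipsec.conf@ used here (conn headers, key=value lines, comments, one @also=@ per conn). The sample input is constructed and modelled on the conns above.

```python
import re

# Algorithm tokens the notes above call broken (3DES, CAST, DES, MD5) plus the
# DH groups the initiator example's "crappy crypto" comment lists with them.
BROKEN = {"3des", "des", "cast128", "md5", "prfmd5", "modp768", "modp1024"}

# Constructed sample modelled on the responder conns above; not the complete file.
SAMPLE = """\
conn rw-base
    fragmentation=yes
    dpdaction=clear

conn rw-config
    also=rw-base
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072

conn ikev2-pubkey
    also=rw-config
    auto=add

# an interop conn that somebody relaxed for a client with broken crypto
conn legacy-client
    also=rw-base
    ike=3des-md5-modp1024!
    esp=3des-md5!
    aggressive=yes
    auto=add
"""

CONN_HEADER = re.compile(r"^conn\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Map each conn name to its key=value settings (comments and blank lines dropped)."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = CONN_HEADER.match(line)
        if header:
            current = header.group(1)
            conns.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # 'config setup', 'include' etc. are not linted here
        key, value = line.split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def resolve(conns, name, seen=()):
    """Flatten also= inheritance. As in ipsec.conf, a setting in the including
    conn takes precedence over the same setting pulled in via also=."""
    if name in seen:
        raise ValueError("also= loop involving " + name)
    own = dict(conns[name])
    parent = own.pop("also", None)
    if parent is None:
        return own
    merged = resolve(conns, parent, seen + (name,))
    merged.update(own)
    return merged


def proposal_algorithms(value):
    """Tokens of an ike=/esp= value: '3des-md5-modp1024!,aes128-sha256' ->
    ['3des', 'md5', 'modp1024', 'aes128', 'sha256']. The trailing '!' only
    requests strict proposal matching and is not an algorithm."""
    tokens = []
    for proposal in value.split(","):
        tokens.extend(t for t in proposal.strip().rstrip("!").split("-") if t)
    return tokens


def lint(text):
    """Return (conn, setting, offending value) for every loaded conn (one with
    auto=) whose effective settings use a broken algorithm or aggressive mode."""
    conns = parse_ipsec_conf(text)
    findings = []
    for name in conns:
        cfg = resolve(conns, name)
        if "auto" not in cfg:
            continue  # a pure also= template is never loaded on its own
        for setting in ("ike", "esp"):
            for token in proposal_algorithms(cfg.get(setting, "")):
                if token in BROKEN:
                    findings.append((name, setting, token))
        if cfg.get("aggressive") == "yes":
            findings.append((name, "aggressive", "yes"))
    return findings


if __name__ == "__main__":
    for conn, setting, value in lint(SAMPLE):
        print(f"{conn}: {setting} uses {value}")
```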

{{collapse(ipsec.secrets)
<pre>
: PSK "foobarblah"
: RSA myprivatekey.pem
carol : EAP "carolspassword"
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    ikev1-l2tp-chap-auth-in-l2tp {
        version = 1
        # reduce to the most secure combination the client can support, if absolutely required.
        proposals = aes128-sha1-modp3072,default
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        children {
            ikev1-l2tp-chap-auth-in-l2tp {
                local_ts = dynamic[/1701]
                # reduce to the most secure combination the client can support, if absolutely required.
                esp_proposals = aes128-sha1-modp3072,default
                # %unique requires the connmark plugin, like mark=%unique in ipsec.conf.
                mark_in = %unique
                mark_out = %unique
                mode = transport
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-l2tp-xauth-in-ike {
        version = 1
        proposals = aes128-sha1-modp3072,default
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s

        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-l2tp-xauth-in-ike {
                local_ts = dynamic[/1701]
                # %unique requires the connmark plugin, like mark=%unique in ipsec.conf.
                mark_in = %unique
                mark_out = %unique
                mode = transport
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-psk-xauth {
        version = 1
        proposals = aes128-sha1-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-psk-xauth {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-pubkey {
        version = 1
        proposals = aes128-sha1-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            cert = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        children {
            ikev1-pubkey {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-pubkey-xauth {
        version = 1
        proposals = aes128-sha1-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            cert = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-pubkey-xauth {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-hybrid {
        version = 1
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            cert = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        children {
            ikev1-hybrid {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev2-pubkey {
        version = 2
        proposals = aes128-sha1-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            cert = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev2-eap {
        version = 2
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            cert = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-dynamic
            # go ask the client for its EAP identity.
            eap_id = %any
        }
        children {
            ikev2-eap {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev2-eap-tls-asymmetric {
        version = 2
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            cert = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-tls
            # go ask the client for its EAP identity.
            eap_id = %any
        }
        children {
            ikev2-eap-tls-asymmetric {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev2-eap-tls-symmetric {
        version = 2
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            cert = mycert.pem
            id = myid
            auth = eap-tls
        }
        remote-1 {
            auth = eap-tls
            # go ask the client for its EAP identity.
            eap_id = %any
        }
        children {
            ikev2-eap-tls-symmetric {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev2-eap-mschapv2 {
        version = 2
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            cert = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-mschapv2
            # go ask the client for its EAP identity.
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 172.16.252.0/24
        dns = 10.1.2.3, 8.8.8.8
        split_exclude = 172.16.0.0/12
    }
    primary-pool-ipv6 {
        addrs = yoursiteuniqueaddresspool goes here
    }
}

secrets {
    ike-one {
        secret = "foobarblah"
    }
    private-second {
        file = myprivatekey.pem
    }
    eap-carol {
        id = carol
        secret = "carolspassword"
    }
}
</pre>
}}

{{collapse(strongswan.conf)
<pre>
charon {

    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}
</pre>
}}


h3. Initiator

These configuration files provide valid and usable configurations for use
as a roadwarrior client against arbitrary IKE responders that are configured correctly.
*You need to replace the marked values with the correct values.*
Remove conns that you do not require for your scenario. Some values
might need to be changed, depending on the brokenness of the responder.
*Read the comments in the files and read _ipsec.conf_ as well as _ipsec.secrets_.*

The configurations shown here are not exclusive. There are a lot more possible.
Check out the [[PluginList|plugin list]] and the "test scenarios":https://strongswan.org/uml/testresults5/
to see how they can be configured, but beware, those are just test scenarios
and the configurations there are not usable in production as a whole. They need
to be combined with the examples here to produce usable scenarios.

{{collapse(ipsec.conf)
<pre>

conn rw-base
    dpdaction=restart
    dpddelay=30
    dpdtimeout=90
    fragmentation=yes

conn vip-base
    also=rw-base
    leftsourceip=%config

conn ikev1-psk-xauth
# uncomment if the responder only supports crappy crypto. But seriously,
# every single one of those algorithms is broken. Better spend some $$$
# on a better solution.
#
#   ike=3des-md5-modp1024!
#   esp=3des-md5!
# Use this, if you want PFS with DH group 2.
#   esp=3des-md5-modp1024!
    also=vip-base
    keyexchange=ikev1
    leftauth=psk
    leftauth2=xauth
    right=RespondersIPorFQDNGoesHere
# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
    rightauth=psk
# this tunnels all the traffic. You might also want to define a passthrough policy
# for the local LAN traffic (or use the bypass-lan plugin when it's gone into the master branch)
# Choose a smaller subnet, if required.
# this config supports CISCO UNITY.
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# aggressive mode is incredibly insecure.
conn ikev1-psk-xauth-aggressive
    aggressive=yes
    also=ikev1-psk-xauth
    auto=add

conn ikev1-rsa-xauth
    also=vip-base
    keyexchange=ikev1
    leftauth=pubkey
    leftauth2=xauth-generic
    leftcert=thisisthepathtomycertificate.pem
    xauth_identity=thisismyusername
    right=RespondersIPorFQDNGoesHere
# You might require this if the responder sends a wrong ID.
#   rightid=somethingsomething
    rightauth=pubkey
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate
    auto=add


conn ikev1-l2tp
    also=rw-base
    keyexchange=ikev1
    type=transport
    right=RespondersIPorFQDNGoesHere
    rightsubnet=%dynamic[/1701]
    leftauth=psk
    rightauth=psk


# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in IKE using xauth
conn ikev1-l2tp-ipsec-userauth-in-ike
    also=ikev1-l2tp
    leftauth2=xauth-generic
    auto=add

# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in L2TP
conn ikev1-l2tp-ipsec-userauth-in-l2tp
    also=ikev1-l2tp
    auto=add


# Authentication with EAP-MSCHAPv2 is asymmetric. The responder
# has to authenticate itself against the initiator with an X.509 certificate.
conn ikev2-eap-mschapv2
    also=vip-base
    keyexchange=ikev2
    leftauth=eap-mschapv2
    rightauth=pubkey
    right=RespondersIPorFQDNGoesHere
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate

# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# asymmetric authentication using eap-tls and pubkey auth
conn ikev2-eap-tls-asymmetric
    also=vip-base
    keyexchange=ikev2
    leftcert=mycert
    leftauth=eap-tls
    rightauth=pubkey
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate

    right=RespondersIPorFQDNGoesHere
# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add


# symmetric authentication using just eap-tls
conn ikev2-eap-tls-symmetric
    also=vip-base
    keyexchange=ikev2
    leftcert=mycert
    leftauth=eap-tls
    rightauth=eap-tls
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate

    right=RespondersIPorFQDNGoesHere
# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

</pre>
}}


{{collapse(ipsec.secrets)
<pre>
RespondersIPorFQDNGoesHere : PSK "thisisthesharedpassword"
thisismyusername : EAP "thisismypassword"
: RSA myprivatekey
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    ikev1-psk-xauth {
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            auth = psk
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-psk-xauth {
                remote_ts = 0.0.0.0/0,::/0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
            }
        }
    }

    ikev1-psk-xauth-aggressive {
        aggressive = yes
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            auth = psk
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-psk-xauth-aggressive {
                remote_ts = 0.0.0.0/0,::/0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
            }
        }
    }
    ikev1-rsa-xauth {
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            certs = thisisthepathtomycertificate.pem
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-rsa-xauth {
                remote_ts = 0.0.0.0/0,::/0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
            }
        }
    }

    ikev1-l2tp {
        remote_addrs = ResponderIPorFQDNGoesHere
        version = 1
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }

        children {
            ikev1-l2tp {
                remote_ts = %dynamic[/1701]
                mode = transport
                start_action = none
            }
        }
    }
    ikev1-l2tp-xauth {
        remote_addrs = ResponderIPorFQDNGoesHere
        version = 1
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth
            xauth_id = myusername
        }
        remote-1 {
            auth = psk
        }

        children {
            ikev1-l2tp-xauth {
                remote_ts = %dynamic[/1701]
                mode = transport
                start_action = none
            }
        }
    }

    ikev2-eap-mschapv2 {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0, ::
        local-1 {
            auth = eap-mschapv2
            eap_id = myid
        }
        remote-1 {
            # The following settings depend on if you've got the CA that issued the
            # responder's certificate or just the certificate.
            # if you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   cacerts = thisisthepathtotheCAcertificate
            # if you've only got the responder's certificate
            #   certs = thisisthepathtothecertificate
            # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-mschapv2 {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }

    ikev2-eap-tls-asymmetric {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0, ::
        local-1 {
            auth = eap-tls
            certs = mycert
        }
        remote-1 {
            # The following settings depend on if you've got the CA that issued the
            # responder's certificate or just the certificate.
            # if you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   cacerts = thisisthepathtotheCAcertificate
            # if you've only got the responder's certificate
            #   certs = thisisthepathtothecertificate
            # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-tls-asymmetric {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }

    ikev2-eap-tls-symmetric {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0, ::
        local-1 {
            auth = eap-tls
            certs = mycert
        }
        remote-1 {
            # The following settings depend on if you've got the CA that issued the
            # responder's certificate or just the certificate.
            # if you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   cacerts = thisisthepathtotheCAcertificate
            # if you've only got the responder's certificate
            #   certs = thisisthepathtothecertificate
            # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
            auth = eap-tls
        }
        children {
            ikev2-eap-tls-symmetric {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }
}

# secrets is a top-level section, not part of connections
secrets {
    ike-example {
        id = RespondersIPorFQDNGoesHere
        secret = "thisisthesharedpassword"
    }
    eap-username {
        id = thisismyusername
        secret = "thisismypassword"
    }
    private-mine {
        file = myprivatekey
    }
}
</pre>
}}
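The commented-out @3des-md5-modp1024@ proposals above are the kind of thing that quietly survives a copy-and-paste, as are child settings placed directly under @children@ and a @dpd_action@ that never fires because @dpd_delay@ was left at its default of 0. The following checker is an added example written for this page, not part of strongSwan or of the author's configuration: it parses the @swanctl.conf@ brace format (only the @key = value@ and @name { ... }@ subset used on this page, no @include@ statements) and reports those slips. The sample configuration it runs on is constructed for the example; the weak algorithm list and the hardened proposal are the ones used in the examples above.

```python
"""Lint swanctl.conf-style connections for the slips the page's examples warn about:
broken legacy algorithms, IKEv1 aggressive mode with a PSK, child settings placed
directly under 'children', and dpd_action without a dpd_delay.  Added example, not
strongSwan code; it parses only the 'key = value' / 'name { ... }' subset used here."""

# Every one of these is called broken in the page's comments; flag them all.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

def parse(text: str) -> dict:
    """Nested-brace format to nested dicts; '#' comments are dropped."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section: dict = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][key.strip()] = value.strip()
    return root

def weak_algs(proposals: str) -> list:
    # Tokens of each proposal, e.g. '3des-md5-modp1024!' -> 3des, md5, modp1024
    return [alg for proposal in proposals.split(",")
            for alg in proposal.strip().rstrip("!").split("-") if alg in WEAK]

def lint(text: str) -> list:
    # One finding per problem; an empty list means nothing was flagged.
    findings = []
    for cname, conn in parse(text).get("connections", {}).items():
        if not isinstance(conn, dict):
            continue
        weak = weak_algs(conn.get("proposals", ""))
        if weak:
            findings.append(f"{cname}: IKE proposal uses weak algorithms: {', '.join(weak)}")
        uses_psk = any(isinstance(s, dict) and s.get("auth") == "psk"
                       for k, s in conn.items() if k.startswith(("local", "remote")))
        if conn.get("version") == "1" and conn.get("aggressive") == "yes" and uses_psk:
            findings.append(f"{cname}: IKEv1 aggressive mode with PSK lets a passive "
                            "attacker crack the PSK offline")
        for chname, child in conn.get("children", {}).items():
            if not isinstance(child, dict):
                findings.append(f"{cname}: '{chname}' sits directly under children; "
                                "child settings belong in a named subsection")
                continue
            weak = weak_algs(child.get("esp_proposals", ""))
            if weak:
                findings.append(f"{cname}/{chname}: ESP proposal uses weak algorithms: "
                                f"{', '.join(weak)}")
            if "dpd_action" in child and conn.get("dpd_delay", "0").rstrip("s") == "0":
                findings.append(f"{cname}/{chname}: dpd_action has no effect because "
                                "dpd_delay is not set on the connection")
    return findings

# Constructed sample: the weak legacy connection beside a hardened one.
SAMPLE = """\
connections {
    legacy {
        version = 1
        aggressive = yes
        proposals = 3des-md5-modp1024
        local-1 {
            auth = psk
        }
        children {
            legacy {
                esp_proposals = 3des-md5!   # no PFS either
                dpd_action = restart
            }
        }
    }
    hardened {
        version = 2
        dpd_delay = 30
        proposals = aes192gcm16-prfsha256-ecp256
        children {
            hardened {
                esp_proposals = aes192gcm16-ecp256
                dpd_action = restart
            }
        }
    }
}
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it against the sample and only the @legacy@ connection is reported (four findings); the @hardened@ connection passes. Point @lint()@ at the contents of your own @swanctl.conf@ before loading it with @swanctl --load-all@; the aggressive-mode finding is the one that matters most, because a passive observer of an IKEv1 aggressive exchange obtains material that can be brute-forced against the PSK offline.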

h2. Site-To-Site-Scenario

These configuration files are written under the presumption that both sides have public IPs and there is no NAT in between.
If you use NAT and the peers' IPs as IDs, you need to set the IDs manually in leftid and rightid respectively (wherever the ID is not equal to the configured address).
In some cases, the IDs other peers send are malformed or use an unusual type. If that is the case, you can force the sending of a specific ID or of a specific
type using a [[ConnSection#leftright-End-Parameters|special notation]] (see the text about left|rightid).

{{collapse(ipsec.conf)
<pre>
conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072
    keyingtries=%forever
    leftid=foobar
    leftcert=foobar.pem

# this conn is set up for a remote host with a static IP
conn site-1-static-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.3.0/24
    right=1.2.3.4
    rightcert=1.2.3.4.pem
    auto=route

# this conn is set up for a remote host with a dynamic IP
conn site-2-dynamic-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.4.0/24
    # for this to work, DNS must be usable and working.
    right=%example.com
    rightcert=example.com.pem
    auto=route

# this conn is set up for IKEv1 compatibility. It shows how to define several subnets
# with IKEv1. site-3-legacy-1 and site-3-legacy-2 keep the data for the CHILD_SA.
# The same can be accomplished with implicit merging by specifying the same IKE_SA
# configuration in two different conns. This set up is cleaner, though.
# If you put "auto=route" into the "site-3-legacy-base" conn, charon will route the
# conn with the ts being the local IP that is used to communicate with the remote
# peer and the remote peer's IP. If such a CHILD_SA is not configured on the peer, ICMP
# error messages from the remote peer to the local peer will not be able to be transmitted.
# So don't do that, unless your remote peer is configured for that.
# This is an IKEv1 connection with PSK authentication. That means that you need to know
# the other side's IP.
conn site-3-legacy-base
    also=sts-base
    keyexchange=ikev1
    # IKE and ESP cipher settings are reconfigured, because in IKEv1 every
    # single cipher suite needs to be enumerated.
    # It is not possible to define all supported ciphers in one suite.
    # select appropriate and strong ciphers for your scenario.
    ike=aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
    rightsubnet=10.1.5.0/24
    # for this to work, DNS must be usable and working.
    right=example.com
    leftauth=psk
    rightauth=psk

conn site-3-legacy-1
    leftsubnet=10.1.1.0/24
    also=site-3-legacy-base
    auto=route

conn site-3-legacy-2
    leftsubnet=10.1.2.0/24
    also=site-3-legacy-base
    auto=route
</pre>
}}

{{collapse(ipsec.secrets)
<pre>
: RSA foobar.key
# PSK for the IKEv1 peer site-3-legacy-base talks to (right=example.com)
example.com : PSK "example"
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {

    site-1-static-ip {
        remote_addrs = 1.2.3.4
        version = 2
        proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0
        # swanctl disables DPD unless dpd_delay is set (ipsec.conf defaults dpddelay to 30s)
        dpd_delay = 30

        local-1 {
            certs = foobar.pem
        }
        remote-1 {
            certs = 1.2.3.4.pem
        }

        children {
            site-1-static-ip {
                local_ts = 10.1.2.0/24,10.1.1.0/24
                remote_ts = 10.1.3.0/24
                esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }

    site-2-dynamic-ip {
        # for this to work, DNS must be usable and working.
        remote_addrs = example.com, 0.0.0.0/0
        version = 2
        proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0
        dpd_delay = 30
        local-1 {
            certs = foobar.pem
        }
        remote-1 {
            certs = example.com.pem
        }

        children {
            site-2-dynamic-ip {
                local_ts = 10.1.2.0/24,10.1.1.0/24
                remote_ts = 10.1.4.0/24
                esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }
    site-3-legacy {
        remote_addrs = example.com
        version = 1
        proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        dpd_delay = 30
        local-1 {
            auth = psk
            id = mylocalsite
        }
        remote-1 {
            # the id here is inferred from the remote address
            auth = psk
        }
        children {
            site-3-legacy-1 {
                local_ts = 10.1.1.0/24
                remote_ts = 10.1.5.0/24
                esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                start_action = trap
                dpd_action = restart
            }
            site-3-legacy-2 {
                local_ts = 10.1.2.0/24
                remote_ts = 10.1.5.0/24
                esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                start_action = trap
                dpd_action = restart
            }
        }
    }
}
secrets {
    # PSK secret for the IKEv1 peer (site-3-legacy)
    ike-example.com {
        id-1 = example.com
        secret = "example"
    }
    # generic private key, no specific type
    private-foobar {
        file = foobar.key
    }

}
</pre>
}}

h2. Passthrough policy

{{collapse(ipsec.conf)
<pre>
conn passthrough-1
    # makes sure those conns are excluded from every conn selection
    left=127.0.0.1
    right=127.0.0.1
    # Those are just example values. Replace them with the appropriate ones!
    leftsubnet=10.0.0.0/8
    rightsubnet=10.0.0.0/8
    # those two lines are critical.
    type=passthrough
    auto=route
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-1 {
        # makes sure this conn is excluded from every conn selection
        local_addrs = 127.0.0.1
        remote_addrs = 127.0.0.1
        children {
            passthrough-1 {
                # Those are just example values. Replace them with the appropriate ones!
                local_ts = 10.0.0.0/8
                remote_ts = 10.0.0.0/8
                # those two lines are critical.
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}

h2. Host-To-Host transport mode

Based on "the trap-any test scenario":https://www.strongswan.org/testing/testresults/ikev2/trap-any/.

The hosts involved are in the 192.168.1.0/24 subnet.
The notes from Tobias' comment in issue #196 apply:
> The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
> 
> Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).

{{collapse(ipsec.conf)
<pre>
conn host-to-host
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn trap-any
    also=host-to-host
    right=%any
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=transport
    authby=psk
    auto=route
</pre>
}}
{{collapse(swanctl.conf)
<pre>
connections {
    trap-any {
        remote_addrs = %any
        local {
            auth = psk
        }
        remote {
            auth = psk
        }

        children {
            trap-any {
                remote_ts = 192.168.1.0/24
                local_ts = 192.168.1.0/24
                mode = transport
                start_action = trap
            }
        }
    }
}
</pre>
}}