Usable Examples configurations » History » Version 33

Noel Kuntze, 28.03.2018 16:15
Note about requirement for the openssl plugin

h1. Usable Examples configurations

{{>toc}}

Preliminary obligatory notes:
* These examples follow the [[SecurityRecommendations|Security Recommendations]]. Follow them. They are there
  for a reason.
* You can have several conn sections in your @ipsec.conf@ file.
* In scenarios where the remote peer authenticates itself with a client certificate,
  charon requires all certificates in the trust path of the client's certificate
  to be present, readable and valid for authentication to succeed. charon implicitly
  trusts all CA certificates that it loads from local files or via the VICI API.
* In scenarios where charon authenticates itself with a certificate, it needs to have
  all certificates in the trust path.
* charon only reads the first certificate in a file.
* Your responder (the proper word for "server" in IPsec talk) needs to identify
  and authenticate itself to the initiator (the proper word for "client" in IPsec talk)
  with the appropriate identity. If your initiator wants to talk to "foo.bar.com",
  your responder needs to identify and authenticate itself as _foo.bar.com_.
* Credentials are bound to identities. You can not successfully authenticate yourself
  as the identity _foo.bar.com_ with a certificate if that certificate is not issued for that
  identity. The identities that a certificate provides are its complete DN and the SAN fields.
* The used cipher suite must be supported by both sides. Some implementations
  only support weak crypto. Do not make concessions, unless necessary for interoperability.
* XAUTH credentials are handled internally as EAP credentials. Both are valid for
  XAUTH, EAP-GTC, EAP-MSCHAPv2 and whatever other cleartext or digest based
  authentication might be implemented in the future.
* The cipher settings are deliberately ordered by performance.
  Faster, but secure ciphers appear at the beginning of the cipher list.
  That should make charon choose faster, but secure ones first.
* Do not use 3DES, CAST, DES or MD5. They are broken.
* The algorithm your certificate uses and the algorithm the key exchange uses
  do not have anything to do with each other.
* strongSwan does not implement L2TP.
* Multiple pools can be used at the same time.
* The [[IpsecPool|ipsec pools]] tool with the [[attrsql]] plugin can be used to assign different DNS and NBNS servers,
  as well as different arbitrary attributes to remote peers.
* Read the documentation and use "the search function":https://wiki.strongswan.org/projects/strongswan/search.
* The configured proposals (ecp256,ecp521) in these examples require you to have the openssl plugin loaded in strongSwan.

h2. Roadwarrior scenario

h3. Responder

This is an example configuration that provides support for several clients
with several authentication styles.

{{collapse(ipsec.conf)
<pre>
conn rw-base
    # enables IKE fragmentation
    fragmentation=yes
    dpdaction=clear
    # dpdtimeout is not honored for IKEv2. For IKEv2, every message is used
    # to determine the timeout, so the generic timeout value for IKEv2 messages
    # is used.
    dpdtimeout=90s
    dpddelay=30s

# this is used in every conn in which the client is assigned a "virtual" IP or
# one or several DNS servers
# the cipher suites require the openssl plugin.
conn rw-config
    also=rw-base
    rightsourceip=172.16.252.0/24
    # set this to a local DNS server that the clients can reach with their assigned IPs.
    # Think about routing.
    rightdns=
    leftsubnet=0.0.0.0/0
    leftid=whatevertheclientusestoconnect
    leftcert=mycertificate.pem
    # not possible with asymmetric authentication
    reauth=no
    rekey=no
    # secure cipher suites
    ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    esp=aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072
    leftsendcert=always
    rightca="C=This, O=Is, OU=My, CN=CA"

# this conn is set up for l2tp support where the user authentication is happening
# in the l2tp control connection. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# Charon is not an l2tp server. You need to install xl2tp for that and configure it correctly.
# mark=%unique requires the connmark plugin.
conn ikev1-l2tp-chap-auth-in-l2tp
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha1-modp3072
    esp=aes128-sha1-modp3072
    leftsubnet=%dynamic[/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    type=transport
    auto=add

# this conn is set up for l2tp support where the user authentication is happening
# during the IKEv1 authentication. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# mark=%unique requires the connmark plugin.
# this requires the xauth-generic plugin.
conn ikev1-l2tp-xauth-in-ike
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha1-modp3072
    esp=aes128-sha1-modp3072
    leftsubnet=%dynamic[/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    # not possible with asymmetric authentication
    reauth=no
    rekey=no
    type=transport
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-psk-xauth
    also=rw-config
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    auto=add

# leftauth and rightauth default to "pubkey", so no change necessary.
conn ikev1-pubkey
    also=rw-config
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-pubkey-xauth
    also=rw-config
    rightauth2=xauth-generic
    xauth=server
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-hybrid
    also=rw-config
    rightauth=xauth-generic
    xauth=server
    # without auto=add the conn is never loaded (auto defaults to ignore)
    auto=add

conn ikev2-pubkey
    also=rw-config
    auto=add

# IF you need to support several EAP methods at the same time, you need to use eap-dynamic
# and not use any other conn with eap settings. Add the settings for the eap-dynamic plugin to your strongswan.conf file.

conn ikev2-eap
    also=rw-config
    rightauth=eap-dynamic
    eap_identity=%identity
    auto=add

# this requires the eap-tls plugin.
conn ikev2-eap-tls
    also=rw-base
    rightauth=eap-tls
    eap_identity=%identity
    auto=add

# this requires the eap-mschapv2 plugin.
conn ikev2-eap-mschapv2
    also=rw-config
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
</pre>
}}
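The notes at the top of the page (broken algorithms, AEAD suites first, conns only loaded with @auto=add@) can be checked mechanically. The following is an added example, not part of this page or of strongSwan: a small Python audit that parses @ipsec.conf@, resolves @also=@ inheritance the way charon does (the conn's own settings win over the included section), and reports the effective settings that violate the notes. The sample config is constructed for the example and modelled on the responder file above; the conn @ikev1-l2tp-legacy@ is hypothetical.

```python
import re

# Algorithms the notes above declare broken; a proposal using any of them is flagged.
BROKEN = {"3des", "cast", "des", "md5", "modp1024"}

# Constructed sample modelled on the responder ipsec.conf above, plus one
# hypothetical conn that makes the "weak crypto concession" the notes warn against.
SAMPLE_IPSEC_CONF = """
conn rw-base
    fragmentation=yes
    dpdaction=clear

conn rw-config
    also=rw-base
    ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    esp=aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072
    leftsendcert=always

conn ikev2-pubkey
    also=rw-config
    auto=add

# hypothetical legacy conn: every algorithm in it is on the broken list
conn ikev1-l2tp-legacy
    also=rw-base
    ike=3des-md5-modp1024!
    esp=3des-md5!
    type=transport
    auto=add

# a conn without auto= is never loaded by charon
conn ikev1-hybrid
    also=rw-config
    rightauth=xauth-generic
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn section.

    Comments and other sections (config setup, ca) are skipped. A conn with
    several also= lines keeps only the last one; the examples use at most one.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        match = re.match(r"^conn\s+(\S+)\s*$", line)
        if match:
            current = conns.setdefault(match.group(1), {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
        else:
            current = None  # some other top-level section started
    return conns


def resolve(conns, name, seen=()):
    """Flatten also= inheritance into the settings charon would actually use."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    own = dict(conns[name])
    parent = own.pop("also", None)
    effective = resolve(conns, parent, seen + (name,)) if parent else {}
    effective.update(own)  # the conn's own settings override the included ones
    return effective


def broken_algorithms(proposal):
    """Algorithms from BROKEN used anywhere in a comma separated proposal list."""
    found = []
    for prop in proposal.rstrip("!").split(","):  # '!' is the strict flag
        for alg in prop.split("-"):
            if alg in BROKEN or re.sub(r"\d+$", "", alg) in BROKEN:  # cast128 -> cast
                found.append(alg)
    return found


def aead_first(proposal):
    """True when no CBC+HMAC proposal precedes an AEAD (gcm/ccm/chacha) one,
    i.e. the performance ordering the notes ask for."""
    seen_cbc = False
    for prop in proposal.rstrip("!").split(","):
        is_aead = any(tag in prop for tag in ("gcm", "ccm", "chacha20poly1305"))
        if is_aead and seen_cbc:
            return False
        if not is_aead and prop != "default":
            seen_cbc = True
    return True


def audit(text):
    """Return {conn: [findings]}; conns with nothing to report are omitted."""
    conns = parse_ipsec_conf(text)
    templates = {c["also"] for c in conns.values() if "also" in c}
    report = {}
    for name in conns:
        eff = resolve(conns, name)
        findings = []
        if name not in templates and eff.get("auto", "ignore") == "ignore":
            findings.append("auto= missing or ignore: charon never loads this conn")
        for key in ("ike", "esp"):
            if key not in eff:
                continue
            findings += [f"{key}= uses broken algorithm {a}" for a in broken_algorithms(eff[key])]
            if not aead_first(eff[key]):
                findings.append(f"{key}= lists a CBC suite before an AEAD suite")
        if findings:
            report[name] = findings
    return report
```

Running @audit(SAMPLE_IPSEC_CONF)@ reports only the legacy conn (five broken algorithms) and @ikev1-hybrid@ (never loaded), while the template conns @rw-base@ and @rw-config@ are not flagged for lacking @auto=@.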

{{collapse(ipsec.secrets)
<pre>
: PSK "foobarblah"
: RSA myprivatekey.pem
carol : EAP "carolspassword"
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    ikev1-l2tp-chap-auth-in-l2tp {
        version = 1
        # reduce to the most secure combination the client can support, if absolutely required.
        proposals = aes128-sha1-modp3072,default
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        children {
            ikev1-l2tp-chap-auth-in-l2tp {
                local_ts = dynamic[/1701]
                # reduce to the most secure combination the client can support, if absolutely required.
                esp_proposals = aes128-sha1-modp3072,default
                mark = unique
                mode = transport
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-l2tp-xauth-in-ike {
        version = 1
        proposals = aes128-sha1-modp3072,default
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s

        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-l2tp-xauth-in-ike {
                local_ts = dynamic[/1701]
                esp_proposals = aes128-sha1-modp3072,default
                mark = unique
                mode = transport
                rekey_time = 0s
                dpd_action = clear

            }
        }
    }
    ikev1-psk-xauth {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-psk-xauth {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
    ikev1-pubkey {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        children {
            ikev1-pubkey {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev1-pubkey-xauth {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-pubkey-xauth {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev1-hybrid {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        children {
            ikev1-hybrid {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-pubkey {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-eap {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-dynamic
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
    ikev2-eap-tls-asymmetric {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-tls
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap-tls-asymmetric {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-eap-tls-symmetric {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
            auth = eap-tls
        }
        remote-1 {
            auth = eap-tls
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap-tls-symmetric {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
    ikev2-eap-mschapv2 {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-mschapv2
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 172.16.252.0/24
        dns = 10.1.2.3, 8.8.8.8
        split_exclude = 172.16.0.0/12
    }
    primary-pool-ipv6 {
        addrs = yoursiteuniqueaddresspool goes here

    }
}

secrets {
    ike-one {
        secret = "foobarblah"
    }
    private-second {
        file = myprivatekey.pem
    }
    eap-carol {
        id = carol
        secret = "carolspassword"
    }
}
</pre>
}}
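A swanctl.conf of this size is easy to get subtly wrong: a closing brace lost while copying a connection block, a pool named in @pools =@ that is not defined in the @pools@ section, or an XAuth round on an IKEv2 connection. As an added example (not part of this page or of strongSwan), the Python below parses the brace-delimited swanctl.conf syntax into nested dicts, fails loudly on unbalanced braces, and cross-checks every connection against the rest of the file and against the comments in the configuration above. The sample is constructed for the example, with the defects planted on purpose.

```python
# Constructed sample modelled on the swanctl.conf above, with defects planted:
# an undefined pool, a proposal listed twice, an XAuth round and dpd_timeout on an
# IKEv2 connection, and an EAP round without eap_id.
SAMPLE_SWANCTL_CONF = """
connections {
    ikev1-psk-xauth {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,default,default
        pools = primary-pool-ipv4, primary-pool-ipv6
        dpd_timeout = 90s
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
    }
    ikev2-eap-mschapv2 {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,default
        pools = primary-pool-ipv4
        dpd_timeout = 90s  # no effect for IKEv2, see the comment in the file above
        remote-1 {
            auth = eap-mschapv2
        }
        remote-2 {
            auth = xauth
        }
    }
}
pools {
    primary-pool-ipv4 {
        addrs = 172.16.252.0/24
    }
}
"""


def parse_swanctl(text):
    """Parse swanctl.conf syntax ('name {', '}', 'key = value', '#' comments,
    one per line) into nested dicts.

    'include' lines, single-line sections and '#' inside quoted values are not
    handled, which is enough for the file above. Unbalanced braces raise
    ValueError with the offending line number.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: closing brace without open section")
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    if len(stack) > 1:
        raise ValueError(f"unclosed section: {len(stack) - 1} closing brace(s) missing")
    return root


def split_list(value):
    """swanctl comma lists may carry spaces after the commas."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_swanctl(text):
    """Return {connection: [findings]} for the cross-checks described above."""
    cfg = parse_swanctl(text)
    defined_pools = set(cfg.get("pools", {}))
    report = {}
    for name, conn in cfg.get("connections", {}).items():
        version = conn.get("version", "0")  # swanctl default 0: accept both versions
        findings = []
        for pool in split_list(conn.get("pools", "")):
            if pool not in defined_pools:
                findings.append(f"pools references undefined pool {pool}")
        proposals = split_list(conn.get("proposals", ""))
        for dup in sorted({p for p in proposals if proposals.count(p) > 1}):
            findings.append(f"proposals lists {dup} more than once")
        if version == "2" and "dpd_timeout" in conn:
            findings.append("dpd_timeout has no effect for IKEv2")
        for sub, body in conn.items():
            if not (sub.startswith("remote") and isinstance(body, dict)):
                continue
            auth = body.get("auth", "pubkey")
            if auth == "xauth" and version != "1":
                findings.append(f"{sub}: auth = xauth is IKEv1 only, set version = 1")
            if auth.startswith("eap") and "eap_id" not in body:
                findings.append(f"{sub}: eap_id not set, the IKE identity is used as EAP identity")
        if findings:
            report[name] = findings
    return report
```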

{{collapse(strongswan.conf)
<pre>
charon {

    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}
</pre>
}}


h3. Initiator

These configuration files provide valid and usable configurations for use
as a roadwarrior client against arbitrary IKE responders that are configured correctly.
*You need to replace the marked values with the correct values.*
Remove conns that you do not require for your scenario. Some values
might need to be changed, depending on the brokenness of the responder.
*Read the comments in the files and read _ipsec.conf_ as well as _ipsec.secrets_.*

The configurations shown here are not exhaustive. Many more are possible.
Check out the [[PluginList|plugin list]] and the "test scenarios":https://strongswan.org/uml/testresults5/
to see how they can be configured, but beware, those are just test scenarios
and the configurations there are not usable in production as a whole. They need
to be combined with the examples here to produce usable scenarios.

{{collapse(ipsec.conf)
<pre>

conn rw-base
    dpdaction=restart
    dpddelay=30
    dpdtimeout=90
    fragmentation=yes

conn vip-base
    also=rw-base
    leftsourceip=%config

conn ikev1-psk-xauth
# uncomment if the responder only supports crappy crypto. But seriously,
# every single one of those algorithms is broken. Better spend some $$$
# on a better solution.
#
#   ike=3des-md5-modp1024!
#   esp=3des-md5!
# Use this, if you want PFS with DH group 2.
#   esp=3des-md5-modp1024!
    also=vip-base
    keyexchange=ikev1
    leftauth=psk
    leftauth2=xauth
    right=RespondersIPorFQDNGoesHere
# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
    rightauth=psk
# this tunnels all the traffic. You might also want to define a passthrough policy
# for the local LAN traffic (or use the bypass-lan plugin when it's gone into the master branch)
# Choose a smaller subnet, if required.
# this config supports CISCO UNITY.
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# aggressive mode is incredibly insecure.
conn ikev1-psk-xauth-aggressive
    aggressive=yes
    also=ikev1-psk-xauth
    auto=add

conn ikev1-rsa-xauth
    also=vip-base
    keyexchange=ikev1
    leftauth=pubkey
    leftauth2=xauth-generic
    leftcert=thisisthepathtomycertificate.pem
    xauth_identity=thisismyusername
    right=RespondersIPorFQDNGoesHere
# You might require this if the responder sends a wrong ID.
#   rightid=somethingsomething
    rightauth=pubkey
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate
    auto=add


conn ikev1-l2tp
    also=rw-base
    keyexchange=ikev1
    type=transport
    right=RespondersIPorFQDNGoesHere
    rightsubnet=%dynamic[/1701]
    leftauth=psk
    rightauth=psk


# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in IKE using xauth
conn ikev1-l2tp-ipsec-userauth-in-ike
    also=ikev1-l2tp
    leftauth2=xauth-generic
    auto=add

# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in L2TP
conn ikev1-l2tp-ipsec-userauth-in-l2tp
    also=ikev1-l2tp
    auto=add


# Authentication with EAP-MSCHAPv2 is asymmetric. The responder
# has to authenticate itself against the initiator with an X.509 certificate.
conn ikev2-eap-mschapv2
    also=vip-base
    keyexchange=ikev2
    leftauth=eap-mschapv2
    rightauth=pubkey
    right=RespondersIPorFQDNGoesHere
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate

# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# asymmetric authentication using eap-tls and pubkey auth
conn ikev2-eap-tls-asymmetric
    also=vip-base
    keyexchange=ikev2
    leftcert=mycert
    leftauth=eap-tls
    rightauth=pubkey
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate

    right=RespondersIPorFQDNGoesHere
# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
668 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
669 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
670 10 Noel Kuntze
    auto=add
671 10 Noel Kuntze
672 10 Noel Kuntze
673 10 Noel Kuntze
# symmetric authentication using just eap-tls
674 10 Noel Kuntze
conn ikev2-eap-tls-symmetric
675 10 Noel Kuntze
    also=vip-base
676 10 Noel Kuntze
    keyexchange=ikev2
677 10 Noel Kuntze
    leftcert=mycert
678 10 Noel Kuntze
    leftauth=eap-tls
679 10 Noel Kuntze
    rightauth=eap-tls
680 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
681 10 Noel Kuntze
# responder's certificate or just the certificate.
682 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
683 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
684 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
685 10 Noel Kuntze
# if you've only got the responder's certificate
686 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
687 10 Noel Kuntze
688 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
689 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
690 10 Noel Kuntze
#   rightid=foobar
691 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
692 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
693 10 Noel Kuntze
    auto=add
694 10 Noel Kuntze
695 10 Noel Kuntze
</pre>
696 10 Noel Kuntze
}}

{{collapse(ipsec.secrets)
<pre>
RespondersIPorFQDNGoesHere : PSK "thisisthesharedpassword"
thisismyusername : EAP "thisismypassword"
: RSA myprivatekey
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    ikev1-psk-xauth {
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # Uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            auth = psk
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-psk-xauth {
                remote_ts = 0.0.0.0/0,::/0
                # Uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
            }
        }
    }

    ikev1-psk-xauth-aggressive {
        aggressive = yes
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # Uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            auth = psk
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-psk-xauth-aggressive {
                remote_ts = 0.0.0.0/0,::/0
                # Uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
            }
        }
    }
    ikev1-rsa-xauth {
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # Uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            certs = thisisthepathtomycertificate.pem
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-rsa-xauth {
                remote_ts = 0.0.0.0/0,::/0
                # Uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
            }
        }
    }

    ikev1-l2tp {
        remote_addrs = ResponderIPorFQDNGoesHere
        version = 1
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }

        children {
            ikev1-l2tp {
                remote_ts = dynamic[/1701]
                mode = transport
                start_action = none
            }
        }
    }
    ikev1-l2tp-xauth {
        remote_addrs = ResponderIPorFQDNGoesHere
        version = 1
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth
            xauth_id = myusername
        }
        remote-1 {
            auth = psk
        }

        children {
            ikev1-l2tp-xauth {
                remote_ts = dynamic[/1701]
                mode = transport
                start_action = none
            }
        }
    }

    ikev2-eap-mschapv2 {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0, ::
        local-1 {
            auth = eap-mschapv2
            eap_id = myid
        }
        remote-1 {
            # The following settings depend on whether you've got the CA that issued the
            # responder's certificate or just the certificate.
            # If you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   ca_id = "This is the DN of the CA's certificate"
            # If you've only got the responder's certificate:
            #   certs = thisisthepathtothecertificate
            # If the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-mschapv2 {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }

    ikev2-eap-tls-asymmetric {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0, ::
        local-1 {
            auth = eap-tls
            certs = mycert
        }
        remote-1 {
            # The following settings depend on whether you've got the CA that issued the
            # responder's certificate or just the certificate.
            # If you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   ca_id = "This is the DN of the CA's certificate"
            # If you've only got the responder's certificate:
            #   certs = thisisthepathtothecertificate
            # If the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-tls-asymmetric {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }

    ikev2-eap-tls-symmetric {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0, ::
        local-1 {
            auth = eap-tls
            certs = mycert
        }
        remote-1 {
            auth = eap-tls
            # The following settings depend on whether you've got the CA that issued the
            # responder's certificate or just the certificate.
            # If you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   ca_id = "This is the DN of the CA's certificate"
            # If you've only got the responder's certificate:
            #   certs = thisisthepathtothecertificate
            # If the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-tls-symmetric {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }
}

# secrets is a top-level section, not part of connections
secrets {
    ike-example {
        id = RespondersIPorFQDNGoesHere
        secret = "thisisthesharedpassword"
    }
    eap-username {
        id = thisismyusername
        secret = "thisismypassword"
    }
    private-mine {
        file = myprivatekey
    }
}
</pre>
}}
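The swanctl.conf blocks above leave the weak IKEv1 proposals commented out and always pair an XAuth round with a PSK or certificate round in a sibling local section. The following added example, which is not part of this page or of strongSwan, parses swanctl.conf-style text and checks a loaded configuration for both points; the sample configuration, the WEAK_TOKENS set and all function names are this example's own assumptions.

```python
"""Added example (not part of the strongSwan wiki page): a minimal parser for the
swanctl.conf section syntax used above, plus two checks on the parsed result: a
hunt for the weak proposals the page leaves commented out, and a check that an
IKEv1 XAuth connection still has a PSK or certificate round (local-1 above)."""

# Algorithm keywords the page itself calls broken (3DES, MD5, DH group 2), plus
# the even weaker single DES and DH group 1.
WEAK_TOKENS = {"des", "3des", "md5", "modp768", "modp1024"}

def parse_swanctl(text):
    """Parse swanctl.conf-style text into nested dicts: `name {` opens a section,
    `}` closes it, `key = value` is a setting, `#` starts a comment (also inside
    quoted values, which the samples on this page never rely on)."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
        elif line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section at end of input")
    return root

def _proposal_list(value):
    """Split 'a-b-c,d-e!' into ['a-b-c', 'd-e']; the strict marker '!' is dropped."""
    return [p.strip().rstrip("!") for p in (value or "").split(",") if p.strip()]

def weak_proposals(conf):
    """(connection, child or None, proposal) for every IKE or ESP proposal that
    contains a weak algorithm. The keyword 'default' never matches."""
    findings = []
    for conn_name, conn in conf.get("connections", {}).items():
        for prop in _proposal_list(conn.get("proposals")):
            if WEAK_TOKENS & set(prop.lower().split("-")):
                findings.append((conn_name, None, prop))
        for child_name, child in conn.get("children", {}).items():
            for prop in _proposal_list(child.get("esp_proposals")):
                if WEAK_TOKENS & set(prop.lower().split("-")):
                    findings.append((conn_name, child_name, prop))
    return findings

def xauth_without_primary(conf):
    """IKEv1 XAuth is an extra round after main-mode authentication, so an xauth
    local section needs a sibling local section using psk or pubkey (pubkey is
    swanctl's default when 'auth' is absent). Names of connections lacking one."""
    bad = []
    for name, conn in conf.get("connections", {}).items():
        auths = [sec.get("auth", "pubkey").lower() for key, sec in conn.items()
                 if key.startswith("local") and isinstance(sec, dict)]
        if any(a.startswith("xauth") for a in auths) and not any(
                a == "psk" or a.startswith("pubkey") for a in auths):
            bad.append(name)
    return bad

# Constructed sample: the page's ikev1-psk-xauth with the "crappy crypto" lines
# uncommented, a connection with only the XAuth round, and a sound IKEv2 one.
SAMPLE = """\
connections {
    legacy {
        version = 1
        remote_addrs = 192.0.2.1
        proposals = 3des-md5-modp1024
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth-generic
        }
        children {
            legacy {
                remote_ts = 0.0.0.0/0,::/0
                esp_proposals = 3des-md5!
            }
        }
    }
    xauth-only {
        local-1 {
            auth = xauth-generic
        }
    }
    modern {
        version = 2
        proposals = aes192gcm16-prfsha256-ecp256,aes192-sha256-modp3072,default
    }
}
"""
```

Run `weak_proposals(parse_swanctl(open("/etc/swanctl/swanctl.conf").read()))` against a real file to get the same findings for a deployed configuration.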

h2. Site-To-Site-Scenario

These configuration files are written under the presumption that both sides have public IPs and there is no NAT in between.
If you use NAT and the peers' IPs as IDs, you need to set them manually in leftid and rightid respectively (wherever the ID is not equal to the configured address).
In some cases, the IDs other peers send are malformed or use an unusual type. If that is the case, you can force the sending of a specific ID or of a specific
type using a [[ConnSection#leftright-End-Parameters|special notation]] (see the text about left|rightid).

{{collapse(ipsec.conf)
<pre>
conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    esp=aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072
    keyingtries=%forever
    leftid=foobar
    leftcert=foobar.pem

# This conn is set up for a remote host with a static IP.
conn site-1-static-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.3.0/24
    right=1.2.3.4
    rightcert=1.2.3.4.pem
    auto=route

# This conn is set up for a remote host with a dynamic IP.
conn site-2-dynamic-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.4.0/24
    # For this to work, DNS must be usable and working.
    right=%example.com
    rightcert=example.com.pem
    auto=route

# This conn is set up for IKEv1 compatibility. It shows how to define several subnets
# with IKEv1. site-3-legacy-1 and site-3-legacy-2 keep the data for the CHILD_SA.
# The same can be accomplished with implicit merging by specifying the same IKE_SA
# configuration in two different conns. This setup is cleaner, though.
# If you put "auto=route" into the "site-3-legacy-base" conn, charon will route the
# conn with the TS being the local IP that is used to communicate with the remote
# peer and the remote peer's IP. If such a CHILD_SA is not configured on the peer, ICMP
# error messages from the remote peer to the local peer will not be able to be transmitted.
# So don't do that, unless your remote peer is configured for that.
# This is an IKEv1 connection with PSK authentication. That means that you need to know
# the other side's IP.
conn site-3-legacy-base
    also=sts-base
    keyexchange=ikev1
    # IKE and ESP cipher settings are reconfigured, because in IKEv1 every
    # single cipher suite needs to be enumerated.
    # It is not possible to define all supported ciphers in one suite.
    # Select appropriate and strong ciphers for your scenario.
    ike=aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
    rightsubnet=10.1.5.0/24
    # For this to work, DNS must be usable and working.
    right=example.com
    leftauth=psk
    rightauth=psk

conn site-3-legacy-1
    leftsubnet=10.1.1.0/24
    also=site-3-legacy-base
    auto=route

conn site-3-legacy-2
    leftsubnet=10.1.2.0/24
    also=site-3-legacy-base
    auto=route
</pre>
}}

{{collapse(ipsec.secrets)
<pre>
: RSA foobar.key
remote.com : PSK "example"
</pre>
}}
1027 1 Noel Kuntze
1028 25 Noel Kuntze
{{collapse(swanctl.conf)
1029 25 Noel Kuntze
<pre>
1030 25 Noel Kuntze
connections {
1031 25 Noel Kuntze
1032 25 Noel Kuntze
    site-1-static-ip {
1033 25 Noel Kuntze
        remote_addrs = 1.2.3.4
1034 25 Noel Kuntze
        version = 2
1035 32 Noel Kuntze
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default,default
1036 25 Noel Kuntze
        keyingtries = 0
1037 25 Noel Kuntze
        
1038 25 Noel Kuntze
        local-1 {
1039 31 Noel Kuntze
            certs = foobar.pem
1040 25 Noel Kuntze
        }
1041 25 Noel Kuntze
        remote-1 {
1042 31 Noel Kuntze
            certs = 1.2.3.4.pem
1043 25 Noel Kuntze
        }
1044 25 Noel Kuntze
1045 25 Noel Kuntze
        children {
1046 25 Noel Kuntze
            site-1-static-ip {
1047 25 Noel Kuntze
                local_ts = 10.1.2.0/24,10.1.1.0/24
1048 25 Noel Kuntze
                remote_ts = 10.1.3.0/24
1049 32 Noel Kuntze
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
1050 25 Noel Kuntze
                dpd_action = restart
1051 25 Noel Kuntze
                start_action = trap
1052 25 Noel Kuntze
            }
1053 25 Noel Kuntze
        }
1054 25 Noel Kuntze
    }
1055 25 Noel Kuntze
1056 25 Noel Kuntze
    site-2-dynamic-ip {
1057 25 Noel Kuntze
        remote_addrs = example.com, 0.0.0.0/0
1058 25 Noel Kuntze
        version = 2
1059 32 Noel Kuntze
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default,default
1060 25 Noel Kuntze
        keyingtries = 0
1061 25 Noel Kuntze
        local-1 {
1062 31 Noel Kuntze
            certs = foobar.pem
1063 25 Noel Kuntze
        }
1064 25 Noel Kuntze
        remote-1 {
1065 31 Noel Kuntze
            certs = 1.2.3.4.pem
1066 25 Noel Kuntze
        }
1067 25 Noel Kuntze
1068 25 Noel Kuntze
        children {
1069 25 Noel Kuntze
            site-2-dynamic-ip {
1070 25 Noel Kuntze
                local_ts = 10.1.2.0/24,10.1.1.0/24
1071 25 Noel Kuntze
                remote_ts = 10.1.3.0/24
1072 32 Noel Kuntze
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
1073 25 Noel Kuntze
                dpd_action = restart
1074 25 Noel Kuntze
                start_action = trap
1075 25 Noel Kuntze
            }
1076 25 Noel Kuntze
        }
1077 25 Noel Kuntze
    }
1078 25 Noel Kuntze
    site-3-legacy {
1079 25 Noel Kuntze
        remote_addrs = example.com
1080 25 Noel Kuntze
        version = 1
1081 32 Noel Kuntze
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default,default
1082 25 Noel Kuntze
        local-1 {
1083 25 Noel Kuntze
            auth = psk
1084 25 Noel Kuntze
            id = mylocalsite
1085 25 Noel Kuntze
        }
1086 25 Noel Kuntze
        remote-1 {
1087 25 Noel Kuntze
            # id field here is inferred from the remote address
1088 25 Noel Kuntze
            auth = psk
1089 25 Noel Kuntze
        }
1090 25 Noel Kuntze
        children {
1091 25 Noel Kuntze
            site-3-legacy-1 {
1092 25 Noel Kuntze
                local_ts = 10.1.1.0/24
1093 25 Noel Kuntze
                remote_ts = 10.1.5.0/24
1094 32 Noel Kuntze
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
1095 25 Noel Kuntze
                start_action = trap
1096 25 Noel Kuntze
                dpd_action = restart
1097 25 Noel Kuntze
            }
1098 25 Noel Kuntze
            site-3-legacy-2 {
1099 25 Noel Kuntze
                local_ts = 10.1.2.0/24
1100 25 Noel Kuntze
                remote_ts = 10.1.5.0/24
1101 32 Noel Kuntze
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
1102 25 Noel Kuntze
                start_action = trap
1103 25 Noel Kuntze
                dpd_action = restart
1104 25 Noel Kuntze
            }
1105 25 Noel Kuntze
        }
1106 25 Noel Kuntze
    }
1107 25 Noel Kuntze
}
1108 25 Noel Kuntze
secrets {
1109 25 Noel Kuntze
    # PSK secret
1110 25 Noel Kuntze
    ike-example.com {
1111 25 Noel Kuntze
        id-1 = remote.com
1112 25 Noel Kuntze
        secret = "example"
1113 25 Noel Kuntze
    }
1114 25 Noel Kuntze
    # generic private key, no specific type
1115 25 Noel Kuntze
    private-foobar {
1116 25 Noel Kuntze
        file = foobar.key
1117 25 Noel Kuntze
    }
1118 25 Noel Kuntze
1119 25 Noel Kuntze
}
1120 25 Noel Kuntze
</pre>
1121 25 Noel Kuntze
}}

h2. Passthrough policy

h3. For a local LAN

This is a passthrough policy that works if the sender and recipient of the IP packets are in the 10.0.0.0/8 subnet.
@left@ is set to @127.0.0.1@ to prevent this conn from being considered in the conn lookup when a peer tries to connect.

{{collapse(ipsec.conf)
<pre>
conn passthrough-1
    # makes sure this conn is excluded from every conn selection
    left=127.0.0.1
    # Those are just example values. Replace them with the appropriate ones!
    leftsubnet=10.0.0.0/8
    rightsubnet=10.0.0.0/8
    # those two lines are critical.
    type=passthrough
    auto=route
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-1 {
        remote_addrs = 127.0.0.1
        children {
            passthrough-1 {
                local_ts = 10.0.0.0/8
                remote_ts = 10.0.0.0/8
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}

h3. For remote networks

This is a passthrough policy that applies to packets that meet both conditions listed for their direction:
* For received packets:
** The recipient is in @192.168.0.0/16@
** The sender is in @10.0.0.0/8@
* For sent packets:
** The recipient is in @10.0.0.0/8@
** The sender is in @192.168.0.0/16@

Note that the conditions for received and sent packets are the inverse of each other.

@left@ is set to @127.0.0.1@ to prevent this conn from being considered in the conn lookup when a peer tries to connect and to prevent strongSwan from switching the sides of the conn (because @127.0.0.1@ is a local IP address).

{{collapse(ipsec.conf)
<pre>
conn passthrough-2
    # makes sure this conn is excluded from every conn selection
    left=127.0.0.1
    # Those are just example values. Replace them with the appropriate ones!
    leftsubnet=192.168.0.0/16
    rightsubnet=10.0.0.0/8
    # those two lines are critical.
    type=passthrough
    auto=route
</pre>
}}

With swanctl.conf style configurations, side switching is not an issue, so remote_addrs or local_addrs can be set to 127.0.0.1 to prevent strongSwan from considering the conn in the conn lookup when a peer tries to connect.
In this example, only remote_addrs is set to @127.0.0.1@. You are free to choose local_addrs, remote_addrs or both.

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-2 {
        remote_addrs = 127.0.0.1
        children {
            passthrough-2 {
                local_ts = 192.168.0.0/16
                remote_ts = 10.0.0.0/8
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}

If your goal is to exclude traffic into locally attached subnets from other tunnels and the locally attached subnets are dynamic, have a look at the [[bypass-lan]] plugin.


h3. For specific protocols or ports

The following configuration example is for traffic to the *local* SSH port.

{{collapse(ipsec.conf)
<pre>
conn passthrough-ssh
    # makes sure this conn is excluded from every conn selection
    left=127.0.0.1
    leftsubnet=%dynamic[tcp/22]
    rightsubnet=0.0.0.0/0
    type=passthrough
    auto=route
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-ssh {
        remote_addrs = 127.0.0.1
        children {
            passthrough-ssh {
                local_ts = dynamic[tcp/22]
                remote_ts = 0.0.0.0/0
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}
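The three passthrough policies above differ only in their traffic selectors. The following added example (not from this page or from strongSwan) models how one packet is matched against local_ts and remote_ts, including the direction inversion noted for passthrough-2 and the dynamic[tcp/22] selector of passthrough-ssh; the packet addresses, the own_addrs list and the function names are this example's own assumptions.

```python
"""Added example (not part of the strongSwan wiki page): evaluates which packets
a passthrough child such as passthrough-2 or passthrough-ssh above covers. Traffic
selectors use the page's notation: a subnet, or dynamic[proto/port] for the host's
own address (the ipsec.conf spelling %dynamic[...] is accepted too); protocol and
port are optional."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "ipv6-icmp": 58}
TS_RE = re.compile(r"^%?(?P<net>[^\[\s]+)(?:\[(?P<proto>[a-z0-9-]*)(?:/(?P<port>\d+))?\])?$")

@dataclass(frozen=True)
class Selector:
    network: Optional[object]  # an ip_network, or None for "dynamic" (own address)
    proto: Optional[int]
    port: Optional[int]

    def matches(self, addr, proto, port, own_addrs):
        """True if one end of a packet (address, IP protocol number, port) fits."""
        addr = ipaddress.ip_address(addr)
        if self.network is None:
            if addr not in own_addrs:
                return False
        elif addr.version != self.network.version or addr not in self.network:
            return False
        if self.proto is not None and proto != self.proto:
            return False
        if self.port is not None and port != self.port:
            return False
        return True

def parse_ts(text):
    """Parse '192.168.0.0/16', 'dynamic[tcp/22]' or '%dynamic[/1701]' into a Selector."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported traffic selector: {text!r}")
    net = None if m["net"] == "dynamic" else ipaddress.ip_network(m["net"], strict=False)
    proto = m["proto"]
    if not proto:
        proto_num = None
    elif proto in PROTO_NUMBERS:
        proto_num = PROTO_NUMBERS[proto]
    else:
        proto_num = int(proto)
    port = int(m["port"]) if m["port"] else None
    return Selector(net, proto_num, port)

def policy_applies(local_ts, remote_ts, direction, src, dst, own_addrs=(),
                   proto=None, sport=None, dport=None):
    """True if a passthrough child with these selectors covers the packet.

    direction is "out" (this host sends the packet) or "in" (it receives it).
    local_ts is always checked against the local end of the packet and remote_ts
    against the remote end, which is why the page's conditions for sent and
    received packets are mirror images of each other."""
    local_sel, remote_sel = parse_ts(local_ts), parse_ts(remote_ts)
    own = {ipaddress.ip_address(a) for a in own_addrs}
    proto_num = PROTO_NUMBERS.get(proto, proto)
    if direction == "out":
        local_end, remote_end = (src, sport), (dst, dport)
    elif direction == "in":
        local_end, remote_end = (dst, dport), (src, sport)
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return (local_sel.matches(local_end[0], proto_num, local_end[1], own)
            and remote_sel.matches(remote_end[0], proto_num, remote_end[1], own))

if __name__ == "__main__":
    # Constructed packets: both directions of passthrough-2, then an inbound SSH
    # connection to a host whose own address is 192.168.1.5 (passthrough-ssh).
    print(policy_applies("192.168.0.0/16", "10.0.0.0/8", "out", "192.168.1.5", "10.2.3.4"))
    print(policy_applies("192.168.0.0/16", "10.0.0.0/8", "in", "10.2.3.4", "192.168.1.5"))
    print(policy_applies("dynamic[tcp/22]", "0.0.0.0/0", "in", "198.51.100.7",
                         "192.168.1.5", ["192.168.1.5"], "tcp", 50000, 22))
```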

h2. Host-To-Host transport mode

Based on "the trap-any test scenario":https://www.strongswan.org/testing/testresults/ikev2/trap-any/.

The hosts involved are in the 192.168.1.0/24 subnet.
The notes from Tobias' comment in issue #196 apply:
> The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
>
> Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).
1258 7 Noel Kuntze
1259 7 Noel Kuntze
{{collapse(ipsec.conf)
<pre>
conn host-to-host
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn trap-any
    also=host-to-host
    right=%any
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=transport
    # the PSK itself is configured in ipsec.secrets
    authby=psk
    auto=route
</pre>
}}
{{collapse(swanctl.conf)
<pre>
connections {
    trap-any {
        remote_addrs = %any
        # the shared secret itself is configured in a secrets section
        local {
            auth = psk
        }
        remote {
            auth = psk
        }

        children {
            trap-any {
                remote_ts = 192.168.1.0/24
                local_ts = 192.168.1.0/24
                mode = transport
                start_action = trap
            }
        }
    }
}
</pre>
}}