Usable Examples configurations » History » Version 39

Noel Kuntze, 27.06.2019 17:32
Remove occurrences of %dynamic in swanctl.conf configuration with dynamic

h1. Usable Examples configurations

{{>toc}}

Preliminary obligatory notes:

* These examples follow the [[SecurityRecommendations|Security Recommendations]]. Follow them. They are there
  for a reason.
* You can have several conn sections in your @ipsec.conf@ file.
* In scenarios where the remote peer authenticates itself with a client certificate,
  charon requires all certificates in the trust path of the client's certificate
  to be present, readable and valid for authentication to be successful. charon
  implicitly trusts all CA certificates that it loads via local files or via the VICI API.
* In scenarios where charon authenticates itself with a certificate, it needs to have
  all certificates in the trust path.
* charon only reads the first certificate in a file.
* Your responder (the proper word for "server" in IPsec talk) needs to identify
  and authenticate itself to the initiator (the proper word for "client" in IPsec talk)
  with the appropriate identity. If your initiator wants to talk to "foo.bar.com",
  your responder needs to identify and authenticate itself as _foo.bar.com_.
* Credentials are bound to identities. You cannot successfully authenticate yourself
  as the identity _foo.bar.com_ with a certificate if that certificate is not issued for that
  identity. The identities that a certificate provides are its complete DN and its SAN fields.
* The used cipher suite must be supported by both sides. Some implementations
  only support weak crypto. Do not make concessions unless necessary for interoperability.
* XAUTH credentials are handled internally as EAP credentials. Both are valid for
  XAUTH, EAP-GTC, EAP-MSCHAPv2 and whatever other cleartext or digest based
  authentication might be implemented in the future.
* The cipher settings are deliberately ordered by performance.
  Faster, but secure ciphers appear at the beginning of the cipher list.
  That should make charon choose faster, but secure ones first.
* Do not use 3DES, CAST, DES or MD5. They are broken.
* The algorithm your certificate uses and the algorithm the key exchange uses
  do not have anything to do with each other.
* strongSwan does not implement L2TP.
* Multiple pools can be used at the same time.
* The [[IpsecPool|ipsec pools]] tool with the [[attrsql]] plugin can be used to assign different DNS and NBNS servers,
  as well as different arbitrary attributes to remote peers.
* Read the documentation and use "the search function":https://wiki.strongswan.org/projects/strongswan/search.
* The configured proposals (ecp256, ecp521) in these examples require you to have the _openssl_ plugin loaded in strongSwan.

h2. Roadwarrior scenario

h3. Responder

This is an example configuration that provides support for several clients
with several authentication styles.

{{collapse(ipsec.conf)
<pre>
conn rw-base
    # enables IKE fragmentation
    fragmentation=yes
    dpdaction=clear
    # dpdtimeout is not honored for IKEv2. For IKEv2, every message is used
    # to determine the timeout, so the generic timeout value for IKEv2 messages
    # is used.
    dpdtimeout=90s
    dpddelay=30s

# this is used in every conn in which the client is assigned a "virtual" IP or
# one or several DNS servers
# the cipher suites require the openssl plugin.
conn rw-config
    also=rw-base
    rightsourceip=172.16.252.0/24
    # set this to a local DNS server that the clients can reach with their assigned IPs.
    # Think about routing.
    rightdns=
    leftsubnet=0.0.0.0/0
    leftid=whatevertheclientusestoconnect
    leftcert=mycertificate.pem
    # not possible with asymmetric authentication
    reauth=no
    rekey=no
    # secure cipher suites
    ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072
    leftsendcert=always
    rightca="C=This, O=Is, OU=My, CN=CA"

# this conn is set up for l2tp support where the user authentication is happening
# in the l2tp control connection. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# Charon is not an l2tp server. You need to install xl2tp for that and configure it correctly.
# mark=%unique requires the connmark plugin.
conn ikev1-l2tp-chap-auth-in-l2tp
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha256-modp3072
    esp=aes128-sha256-modp3072
    leftsubnet=%dynamic[/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    type=transport
    auto=add

# this conn is set up for l2tp support where the user authentication is happening
# during the IKEv1 authentication. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# mark=%unique requires the connmark plugin.
# this requires the xauth-generic plugin.
conn ikev1-l2tp-xauth-in-ike
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha256-modp3072
    esp=aes128-sha256-modp3072
    leftsubnet=%dynamic[/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    # not possible with asymmetric authentication
    reauth=no
    rekey=no
    type=transport
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-psk-xauth
    also=rw-config
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    auto=add

# leftauth and rightauth default to "pubkey", so no change necessary.
conn ikev1-pubkey
    also=rw-config
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-pubkey-xauth
    also=rw-config
    rightauth2=xauth-generic
    xauth=server
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-hybrid
    also=rw-config
    rightauth=xauth-generic
    xauth=server
    # without auto=add the conn is never loaded (the default is auto=ignore)
    auto=add

conn ikev2-pubkey
    also=rw-config
    auto=add

# If you need to support several EAP methods at the same time, you need to use eap-dynamic
# and not use any other conn with EAP settings. Add the settings for the eap-dynamic plugin to your strongswan.conf file.

conn ikev2-eap
    also=rw-config
    rightauth=eap-dynamic
    eap_identity=%identity
    auto=add

# this requires the eap-tls plugin.
# rw-config supplies the certificate and the virtual IP pool that this
# asymmetric setup needs (the responder authenticates with pubkey).
conn ikev2-eap-tls
    also=rw-config
    rightauth=eap-tls
    eap_identity=%identity
    auto=add

# this requires the eap-mschapv2 plugin.
conn ikev2-eap-mschapv2
    also=rw-config
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
</pre>
}}

{{collapse(ipsec.secrets)
<pre>
: PSK "foobarblah"
: RSA myprivatekey.pem
carol : EAP "carolspassword"
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    ikev1-l2tp-chap-auth-in-l2tp {
        version = 1
        # reduce to the most secure combination the client can support, if absolutely required.
        proposals = aes128-sha256-modp3072,default
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        children {
            ikev1-l2tp-chap-auth-in-l2tp {
                local_ts = dynamic[/1701]
                # reduce to the most secure combination the client can support, if absolutely required.
                esp_proposals = aes128-sha256-modp3072,default
                # swanctl.conf has no plain "mark" key; like mark=%unique in
                # ipsec.conf, unique marks require the connmark plugin.
                mark_in = %unique
                mark_out = %unique
                mode = transport
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-l2tp-xauth-in-ike {
        version = 1
        proposals = aes128-sha256-modp3072,default
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s

        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-l2tp-xauth-in-ike {
                local_ts = dynamic[/1701]
                esp_proposals = aes128-sha256-modp3072,default
                # see above: unique marks require the connmark plugin.
                mark_in = %unique
                mark_out = %unique
                mode = transport
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-psk-xauth {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-psk-xauth {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev1-pubkey {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        children {
            ikev1-pubkey {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev1-pubkey-xauth {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-pubkey-xauth {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev1-hybrid {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        children {
            ikev1-hybrid {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-pubkey {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine.
        }
        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-eap {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-dynamic
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-eap-tls-asymmetric {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-tls
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap-tls-asymmetric {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-eap-tls-symmetric {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
            auth = eap-tls
        }
        remote-1 {
            auth = eap-tls
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap-tls-symmetric {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-eap-mschapv2 {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-mschapv2
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 172.16.252.0/24
        dns = 10.1.2.3, 8.8.8.8
        split_exclude = 172.16.0.0/12
    }
    primary-pool-ipv6 {
        addrs = yoursiteuniqueaddresspool goes here
    }
}

secrets {
    ike-one {
        secret = "foobarblah"
    }
    private-second {
        file = myprivatekey.pem
    }
    eap-carol {
        id = carol
        secret = "carolspassword"
    }
}
</pre>
}}
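
As an added check that is not part of this wiki page or of strongSwan's own tooling: a small parser for the nested section format swanctl.conf uses above, which reports every IKE or ESP proposal that still carries one of the algorithms the notes at the top of the page tell you not to use, and refuses a file whose braces do not balance (swanctl rejects such a file as a whole, so it is worth catching before loading). The sample configuration embedded in it is constructed for the example, with one deliberately weak connection.

```python
# Tokens the notes forbid (3DES, CAST, DES, MD5) plus the DH groups the initiator examples call broken.
WEAK_TOKENS = {"3des", "des", "cast128", "md5", "prfmd5", "modp768", "modp1024"}

# Constructed sample (not from the wiki page), modelled on the swanctl.conf
# above, with one deliberately weak connection for the linter to find.
SAMPLE_CONF = """\
connections {
    ikev2-pubkey {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        local-1 {
            certs = mycert.pem   # inline comments are allowed
        }
        children {
            ikev2-pubkey {
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,default
            }
        }
    }
    legacy-client {
        version = 1
        proposals = 3des-md5-modp1024
        children {
            legacy-client {
                esp_proposals = 3des-md5
            }
        }
    }
}
"""

class ConfError(ValueError):
    """Malformed line or unbalanced braces."""

def _strip_comment(line: str) -> str:
    """Drop a # comment, but not a # inside a quoted value such as a secret."""
    in_quote = False
    for pos, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:pos]
    return line

def parse_swanctl(text: str) -> dict:
    """Parse swanctl.conf's nested `name { key = value }` format into dicts."""
    root: dict = {}
    stack: list[dict] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.endswith("{"):
            section: dict = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ConfError(f"line {lineno}: unexpected '}}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ConfError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ConfError(f"{len(stack) - 1} section(s) never closed; check your braces")
    return root

def is_well_formed(text: str) -> bool:
    """True if the file parses; swanctl would reject anything that does not."""
    try:
        parse_swanctl(text)
    except ConfError:
        return False
    return True

def weak_algorithms(proposal_list: str) -> list[str]:
    """Weak tokens in a comma-separated proposal list such as 'aes128-sha256-modp3072,default'."""
    found = []
    for proposal in proposal_list.split(","):
        found.extend(t for t in proposal.strip().lower().split("-") if t in WEAK_TOKENS)
    return found

def lint_connections(conf: dict) -> list[tuple[str, str, str]]:
    """(connection, setting, token) for every weak IKE or ESP algorithm in the file."""
    findings = []
    for conn_name, conn in conf.get("connections", {}).items():
        for token in weak_algorithms(conn.get("proposals", "default")):
            findings.append((conn_name, "proposals", token))
        for child_name, child in conn.get("children", {}).items():
            for token in weak_algorithms(child.get("esp_proposals", "default")):
                findings.append((conn_name, f"children.{child_name}.esp_proposals", token))
    return findings

if __name__ == "__main__":
    for conn, setting, token in lint_connections(parse_swanctl(SAMPLE_CONF)):
        print(f"{conn}: {setting} uses broken algorithm {token}")
    # Dropping the final brace simulates a truncated or mis-edited file.
    print("truncated copy well-formed:", is_well_formed(SAMPLE_CONF.rsplit("}", 1)[0]))
```

Point it at your real swanctl.conf before running `swanctl --load-all`; a connection without a `proposals` or `esp_proposals` line is treated as `default` and passes.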

{{collapse(strongswan.conf)
<pre>
charon {
    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}
</pre>
}}

h3. Initiator

These configuration files provide valid and usable configurations for use
as a roadwarrior client against arbitrary IKE responders that are configured correctly.
*You need to replace the marked values with the correct values.*
Remove conns that you do not require for your scenario. Some values
might need to be changed, depending on the brokenness of the responder.
*Read the comments in the files and read _ipsec.conf_ as well as _ipsec.secrets_.*

The configurations shown here are not exclusive. There are a lot more possible.
Check out the [[PluginList|plugin list]] and the "test scenarios":https://strongswan.org/uml/testresults5/
to see how they can be configured, but beware, those are just test scenarios
and the configurations there are not usable in production as a whole. They need
to be combined with the examples here to produce usable scenarios.

{{collapse(ipsec.conf)
<pre>
conn rw-base
    dpdaction=restart
    dpddelay=30
    dpdtimeout=90
    fragmentation=yes

conn vip-base
    also=rw-base
    leftsourceip=%config

conn ikev1-psk-xauth
# uncomment if the responder only supports crappy crypto. But seriously,
# every single one of those algorithms is broken. Better spend some $$$
# on a better solution.
#
#   ike=3des-md5-modp1024!
#   esp=3des-md5!
# Use this, if you want PFS with DH group 2.
#   esp=3des-md5-modp1024!
    also=vip-base
    keyexchange=ikev1
    leftauth=psk
    leftauth2=xauth
    right=RespondersIPorFQDNGoesHere
# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
    rightauth=psk
# this tunnels all the traffic. You might want to also define a passthrough policy
# for the local LAN traffic (or use the bypass-lan plugin when it's gone into the master branch)
# Choose a smaller subnet, if required.
# this config supports CISCO UNITY.
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# aggressive mode is incredibly insecure.
conn ikev1-psk-xauth-aggressive
    aggressive=yes
    also=ikev1-psk-xauth
    auto=add

conn ikev1-rsa-xauth
    also=vip-base
    keyexchange=ikev1
    leftauth=pubkey
    leftauth2=xauth-generic
    leftcert=thisisthepathtomycertificate.pem
    xauth_identity=thisismyusername
    right=RespondersIPorFQDNGoesHere
# You might require this if the responder sends a wrong ID.
#   rightid=somethingsomething
    rightauth=pubkey
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate
    auto=add


conn ikev1-l2tp
    also=rw-base
    keyexchange=ikev1
    type=transport
    right=RespondersIPorFQDNGoesHere
    rightsubnet=%dynamic[/1701]
    leftauth=psk
    rightauth=psk


# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in IKE using xauth
conn ikev1-l2tp-ipsec-userauth-in-ike
    also=ikev1-l2tp
    leftauth2=xauth-generic
    auto=add

# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in L2TP
conn ikev1-l2tp-ipsec-userauth-in-l2tp
    also=ikev1-l2tp
    auto=add


# Authentication with EAP-MSCHAPv2 is asymmetric. The responder
# has to authenticate itself against the initiator with an X.509 certificate.
conn ikev2-eap-mschapv2
    also=vip-base
    keyexchange=ikev2
    leftauth=eap-mschapv2
    rightauth=pubkey
    right=RespondersIPorFQDNGoesHere
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate

# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# asymmetric authentication using eap-tls and pubkey auth
conn ikev2-eap-tls-asymmetric
    also=vip-base
    keyexchange=ikev2
    leftcert=mycert
    leftauth=eap-tls
    rightauth=pubkey
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate

    right=RespondersIPorFQDNGoesHere
# You might have to set this to the correct value, if the responder isn't configured correctly.
667 10 Noel Kuntze
#   rightid=foobar
668 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
669 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
670 10 Noel Kuntze
    auto=add
671 10 Noel Kuntze
672 10 Noel Kuntze
673 10 Noel Kuntze
# symmetric authentication using just eap-tls
674 10 Noel Kuntze
conn ikev2-eap-tls-symmetric
675 10 Noel Kuntze
    also=vip-base
676 10 Noel Kuntze
    keyexchange=ikev2
677 10 Noel Kuntze
    leftcert=mycert
678 10 Noel Kuntze
    leftauth=eap-tls
679 10 Noel Kuntze
    rightauth=eap-tls
680 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
681 10 Noel Kuntze
# responder's certificate or just the certificate.
682 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
683 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
684 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
685 10 Noel Kuntze
# if you've only got the responder's certificate
686 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
687 10 Noel Kuntze
688 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
689 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
690 10 Noel Kuntze
#   rightid=foobar
691 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
692 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
693 10 Noel Kuntze
    auto=add
694 10 Noel Kuntze
695 10 Noel Kuntze
</pre>
696 10 Noel Kuntze
}}
697 10 Noel Kuntze
{{collapse(ipsec.secrets)
<pre>
RespondersIPorFQDNGoesHere : PSK "thisisthesharedpassword"
thisismyusername : EAP "thisismypassword"
: RSA myprivatekey
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    ikev1-psk-xauth {
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            auth = psk
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-psk-xauth {
                remote_ts = 0.0.0.0/0,::/0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024
            }
        }
    }

    ikev1-psk-xauth-aggressive {
        aggressive = yes
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            auth = psk
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-psk-xauth-aggressive {
                remote_ts = 0.0.0.0/0,::/0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024
            }
        }
    }
    ikev1-rsa-xauth {
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            certs = thisisthepathtomycertificate.pem
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-rsa-xauth {
                remote_ts = 0.0.0.0/0,::/0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024
            }
        }
    }

    ikev1-l2tp {
        remote_addrs = ResponderIPorFQDNGoesHere
        version = 1
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }

        children {
            ikev1-l2tp {
                remote_ts = dynamic[/1701]
                mode = transport
                start_action = none
            }
        }
    }
    ikev1-l2tp-xauth {
        remote_addrs = ResponderIPorFQDNGoesHere
        version = 1
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth
            xauth_id = myusername
        }
        remote-1 {
            auth = psk
        }

        children {
            ikev1-l2tp-xauth {
                remote_ts = dynamic[/1701]
                mode = transport
                start_action = none
            }
        }
    }

    ikev2-eap-mschapv2 {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0, ::
        local-1 {
            auth = eap-mschapv2
            eap_id = myid
        }
        remote-1 {
            # The following settings depend on if you've got the CA that issued the
            # responder's certificate or just the certificate.
            # if you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   ca_id = "This is the DN of the CA's certificate"
            # if you've only got the responder's certificate
            #   certs = thisisthepathtothecertificate
            # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-mschapv2 {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }

    ikev2-eap-tls-asymmetric {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0, ::
        local-1 {
            auth = eap-tls
            certs = mycert
        }
        remote-1 {
            # The following settings depend on if you've got the CA that issued the
            # responder's certificate or just the certificate.
            # if you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   ca_id = "This is the DN of the CA's certificate"
            # if you've only got the responder's certificate
            #   certs = thisisthepathtothecertificate
            # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-tls-asymmetric {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }

    ikev2-eap-tls-symmetric {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0, ::
        local-1 {
            auth = eap-tls
            certs = mycert
        }
        remote-1 {
            # The following settings depend on if you've got the CA that issued the
            # responder's certificate or just the certificate.
            # if you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   ca_id = "This is the DN of the CA's certificate"
            # if you've only got the responder's certificate
            #   certs = thisisthepathtothecertificate
            # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
            auth = eap-tls
        }
        children {
            ikev2-eap-tls-symmetric {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }
}

secrets {
    ike-example {
        id = RespondersIPorFQDNGoesHere
        secret = "thisisthesharedpassword"
    }
    eap-username {
        id = thisismyusername
        secret = "thisismypassword"
    }
    private-mine {
        file = myprivatekey
    }
}
</pre>
}}

h2. Site-To-Site-Scenario

These configuration files are written under the presumption that both sides have public IPs and there is no NAT in between.
If you use NAT and the peers' IPs as IDs, you need to set them manually in leftid and rightid respectively (wherever the ID is not equal to the configured address).
In some cases, the IDs other peers send are malformed or use an unusual type. If that is the case, you can force the sending of a specific ID or of a specific
type using a [[ConnSection#leftright-End-Parameters|special notation]] (see the text about left|rightid).

{{collapse(ipsec.conf)
<pre>
conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072
    keyingtries=%forever
    leftid=foobar
    leftcert=foobar.pem

# this conn is set up for a remote host with a static IP
conn site-1-static-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.3.0/24
    right=1.2.3.4
    rightcert=1.2.3.4.pem
    auto=route

# this conn is set up for a remote host with a dynamic IP
conn site-2-dynamic-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.4.0/24
    # for this to work, DNS must be usable and working.
    right=%example.com
    rightcert=example.com.pem
    auto=route

# this conn is set up for IKEv1 compatibility. It shows how to define several subnets
# with IKEv1. site-3-legacy-1 and site-3-legacy-2 keep the data for the CHILD_SA.
# The same can be accomplished with implicit merging by specifying the same IKE_SA
# configuration in two different conns. This setup is cleaner, though.
# If you put "auto=route" into the "site-3-legacy-base" conn, charon will route the
# conn with the ts being the local IP that is used to communicate with the remote
# peer and the remote peer's IP. If such a CHILD_SA is not configured on the peer, ICMP
# error messages from the remote peer to the local peer will not be able to be transmitted.
# So don't do that, unless your remote peer is configured for that.
# This is an IKEv1 connection with PSK authentication. That means that you need to know
# the other side's IP.
conn site-3-legacy-base
    also=sts-base
    keyexchange=ikev1
    # IKE and ESP cipher settings are reconfigured, because in IKEv1 every
    # single cipher suite needs to be enumerated.
    # It is not possible to define all supported ciphers in one suite.
    # select appropriate and strong ciphers for your scenario.
    ike=aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
    rightsubnet=10.1.5.0/24
    # for this to work, DNS must be usable and working.
    right=example.com
    leftauth=psk
    rightauth=psk

conn site-3-legacy-1
    leftsubnet=10.1.1.0/24
    also=site-3-legacy-base
    auto=route

conn site-3-legacy-2
    leftsubnet=10.1.2.0/24
    also=site-3-legacy-base
    auto=route
</pre>
}}

{{collapse(ipsec.secrets)
<pre>
: RSA foobar.key
example.com : PSK "example"
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {

    site-1-static-ip {
        remote_addrs = 1.2.3.4
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0
        # unlike ipsec.conf, swanctl.conf disables DPD unless dpd_delay is set
        dpd_delay = 30s

        local-1 {
            certs = foobar.pem
        }
        remote-1 {
            certs = 1.2.3.4.pem
        }

        children {
            site-1-static-ip {
                local_ts = 10.1.2.0/24,10.1.1.0/24
                remote_ts = 10.1.3.0/24
                # no PRF here: ESP proposals only carry encryption, integrity and DH algorithms
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }

    site-2-dynamic-ip {
        remote_addrs = example.com, 0.0.0.0/0
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0
        dpd_delay = 30s
        local-1 {
            certs = foobar.pem
        }
        remote-1 {
            certs = example.com.pem
        }

        children {
            site-2-dynamic-ip {
                local_ts = 10.1.2.0/24,10.1.1.0/24
                remote_ts = 10.1.4.0/24
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }
    site-3-legacy {
        remote_addrs = example.com
        version = 1
        # IKEv1 needs every cipher suite enumerated separately, see the ipsec.conf version above
        proposals = aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
        dpd_delay = 30s
        local-1 {
            auth = psk
            id = mylocalsite
        }
        remote-1 {
            # id field here is inferred from the remote address
            auth = psk
        }
        children {
            site-3-legacy-1 {
                local_ts = 10.1.1.0/24
                remote_ts = 10.1.5.0/24
                esp_proposals = aes192gcm16-ecp256,aes192-sha256-modp3072
                start_action = trap
                dpd_action = restart
            }
            site-3-legacy-2 {
                local_ts = 10.1.2.0/24
                remote_ts = 10.1.5.0/24
                esp_proposals = aes192gcm16-ecp256,aes192-sha256-modp3072
                start_action = trap
                dpd_action = restart
            }
        }
    }
}
secrets {
    # PSK secret
    ike-example.com {
        id-1 = example.com
        secret = "example"
    }
    # generic private key, no specific type
    private-foobar {
        file = foobar.key
    }

}
</pre>
}}

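The swanctl.conf examples above keep flagging the same pitfalls in comments: the "crappy crypto" proposals, @%dynamic@ (ipsec.conf syntax) where swanctl.conf wants @dynamic@, and settings that only work in ipsec.conf. The following small linter, an added example that is not part of this page or of the strongSwan project, parses the swanctl.conf syntax and reports those pitfalls plus two more a reviewer would check (a PRF algorithm in an ESP proposal, and @dpd_action@ without a @dpd_delay@); the function names and the sample configuration are constructed here.

```python
"""Lint a swanctl.conf for the pitfalls the examples on this page point out."""
import re

# Algorithms the page's comments call broken; every occurrence is flagged.
WEAK = {"3des", "md5", "modp768", "modp1024", "sha1"}
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_swanctl(text):
    """Parse swanctl.conf syntax ('key = value', 'name { ... }', '#' comments) into
    nested dicts. Keys and sub-sections share a dict, as they share a namespace in swanctl."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # '#' in quoted values not handled
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            cur[line[:-1].strip()] = section
            stack.append(cur)
            cur = section
        elif line == "}":
            cur = stack.pop()  # IndexError on a stray '}'
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unclosed section")
    return root

def split_algos(value):
    """'aes128gcm16-prfsha256-ecp256,3des-md5!' -> [[...], ['3des', 'md5']]; '!' is ipsec.conf's strict marker."""
    return [p.strip().rstrip("!").split("-") for p in value.split(",") if p.strip()]

def seconds(value):
    """'30', '30s', '2m' -> seconds; unset or unparsable -> 0, swanctl's default."""
    m = re.match(r"(\d+)\s*([smhd]?)", value or "")
    return int(m.group(1)) * TIME_UNITS[m.group(2)] if m else 0

def lint(config):
    """Return (location, message) tuples; an empty list means nothing was flagged."""
    findings = []
    for name, conn in config.get("connections", {}).items():
        if not isinstance(conn, dict):
            continue
        for prop in split_algos(conn.get("proposals", "")):
            weak = [a for a in prop if a in WEAK]
            if weak:
                findings.append((name, "weak IKE algorithms: " + ", ".join(weak)))
        # swanctl.conf defaults dpd_delay to 0, which disables DPD entirely
        dpd_delay = seconds(conn.get("dpd_delay"))
        for cname, child in conn.get("children", {}).items():
            if not isinstance(child, dict):
                continue
            where = f"{name}/{cname}"
            for prop in split_algos(child.get("esp_proposals", "")):
                weak = [a for a in prop if a in WEAK]
                if weak:
                    findings.append((where, "weak ESP algorithms: " + ", ".join(weak)))
                prfs = [a for a in prop if a.startswith("prf")]
                if prfs:  # ESP transforms are ENCR/INTEG/DH/ESN; a PRF belongs to IKE only
                    findings.append((where, "PRF in ESP proposal: " + ", ".join(prfs)))
            if "dpd_action" in child and dpd_delay == 0:
                findings.append((where, "dpd_action set but dpd_delay is 0, so DPD never runs"))
            for key in ("local_ts", "remote_ts"):
                if "%dynamic" in child.get(key, ""):
                    findings.append((where, f"{key} uses ipsec.conf's %dynamic, swanctl.conf wants dynamic"))
    return findings

# Constructed sample modelled on the road-warrior and site-to-site examples above.
SAMPLE = """\
connections {
    legacy-rw {
        proposals = 3des-md5-modp1024
        children {
            legacy-rw {
                remote_ts = %dynamic[/1701]
                esp_proposals = 3des-md5!
                dpd_action = restart
            }
        }
    }
    sts {
        dpd_delay = 30s
        proposals = aes192gcm16-prfsha256-ecp256,default
        children {
            sts {
                esp_proposals = aes192gcm16-prfsha256-ecp256-modp3072,default
                dpd_action = restart
            }
        }
    }
}
"""

if __name__ == "__main__":
    for where, msg in lint(parse_swanctl(SAMPLE)):
        print(f"{where}: {msg}")
```

Run it against your own @swanctl.conf@ with @lint(parse_swanctl(open(path).read()))@; an empty result means none of the listed pitfalls is present, not that the configuration is secure.
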
h2. Passthrough policy

h3. For a local LAN

This is a passthrough policy that works if the sender and recipient of the IP packets are in the 10.0.0.0/8 subnet.
@left@ is set to @127.0.0.1@ to prevent this conn from being considered in the conn lookup when a peer tries to connect.

{{collapse(ipsec.conf)
<pre>
conn passthrough-1
    # makes sure those conns are excluded from every conn selection
    left=127.0.0.1
    # Those are just example values. Replace them with the appropriate ones!
    leftsubnet=10.0.0.0/8
    rightsubnet=10.0.0.0/8
    # those two lines are critical.
    type=passthrough
    auto=route
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-1 {
        remote_addrs = 127.0.0.1
        children {
            passthrough-1 {
                local_ts = 10.0.0.0/8
                remote_ts = 10.0.0.0/8
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}

h3. For remote networks

This is a passthrough policy that applies to packets for which all of the section's conditions are true:
* For received packets:
** The recipient is in @192.168.0.0/16@
** The sender is in @10.0.0.0/8@
* For sent packets:
** The recipient is in @10.0.0.0/8@
** The sender is in @192.168.0.0/16@

Note that the conditions for received and sent packets are the inverse of each other.

@left@ is set to @127.0.0.1@ to prevent this conn from being considered in the conn lookup when a peer tries to connect and to prevent strongSwan from switching the sides of the conn (because @127.0.0.1@ is a local IP address).

{{collapse(ipsec.conf)
<pre>
conn passthrough-2
    # makes sure those conns are excluded from every conn selection
    left=127.0.0.1
    # Those are just example values. Replace them with the appropriate ones!
    leftsubnet=192.168.0.0/16
    rightsubnet=10.0.0.0/8
    # those two lines are critical.
    type=passthrough
    auto=route
</pre>
}}

For swanctl.conf style configurations, the side switching is not an issue, so remote_addrs or local_addrs can be set to @127.0.0.1@ to prevent strongSwan from considering the conn in the conn lookup when a peer tries to connect.
In this example, only remote_addrs is set to @127.0.0.1@. You are free to choose local_addrs, remote_addrs or both.

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-2 {
        remote_addrs = 127.0.0.1
        children {
            passthrough-2 {
                local_ts = 192.168.0.0/16
                remote_ts = 10.0.0.0/8
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}

If your goal is to exclude traffic into locally attached subnets from other tunnels and the locally attached subnets are dynamic, have a look at the [[bypass-lan]] plugin.


h3. For specific protocols or ports

The following configuration example is for traffic to the *local* SSH port.

{{collapse(ipsec.conf)
<pre>
conn passthrough-ssh
    # makes sure those conns are excluded from every conn selection
    left=127.0.0.1
    leftsubnet=%dynamic[tcp/22]
    rightsubnet=0.0.0.0/0
    type=passthrough
    auto=route
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-ssh {
        remote_addrs = 127.0.0.1
        children {
            passthrough-ssh {
                local_ts = dynamic[tcp/22]
                remote_ts = 0.0.0.0/0
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}

h2. Host-To-Host transport mode

Based on "the trap-any test scenario":https://www.strongswan.org/testing/testresults/ikev2/trap-any/.

The hosts involved are in the 192.168.1.0/24 subnet.
The notes from Tobias' comment in issue #196 apply:
> The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
>
> Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).


{{collapse(ipsec.conf)
<pre>
conn host-to-host
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn trap-any
    also=host-to-host
    right=%any
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=transport
    authby=psk
    auto=route
</pre>
}}
{{collapse(swanctl.conf)
<pre>
connections {
    trap-any {
        remote_addrs = %any
        local {
            auth = psk
        }
        remote {
            auth = psk
        }

        children {
            trap-any {
                remote_ts = 192.168.1.0/24
                local_ts = 192.168.1.0/24
                mode = transport
                start_action = trap
            }
        }
    }
}
</pre>
}}
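The selector notation used in this section (@dynamic[tcp/22]@, CIDR lists such as @192.168.1.0/24,192.168.2.0/30,10.0.2.2/32@) and the way the passthrough-ssh and trap-any policies combine on one host can be checked with the following added example; it is not strongSwan code but a small model of the selector matching. It assumes that pass policies take precedence over trap policies and that "dynamic" always resolves to the address of the local host.

```python
import ipaddress
from collections import namedtuple

# net=None means "dynamic" (this host's own address); proto/port None means any.
Selector = namedtuple("Selector", "net proto port")

def parse_ts(spec):
    """Parse a comma-separated traffic selector list in the ipsec.conf/swanctl.conf
    notation, e.g. 'dynamic[tcp/22]' or '192.168.1.0/24,192.168.2.0/30,10.0.2.2/32'.
    The ipsec.conf spelling '%dynamic' is accepted as well."""
    selectors = []
    for item in spec.split(","):
        item = item.strip().lstrip("%")
        proto = port = None
        if item.endswith("]"):                       # optional [proto/port] suffix
            item, _, inner = item[:-1].partition("[")
            proto, _, port_s = inner.partition("/")
            proto = proto or None
            port = int(port_s) if port_s else None
        net = None if item == "dynamic" else ipaddress.ip_network(item, strict=False)
        selectors.append(Selector(net, proto, port))
    return selectors

def ts_match(selectors, addr, proto, port, own_addr):
    """True if the endpoint (addr, proto, port) lies inside one of the selectors;
    'dynamic' is resolved to own_addr, the address of this host."""
    a = ipaddress.ip_address(addr)
    for s in selectors:
        net = ipaddress.ip_network(own_addr) if s.net is None else s.net
        if a in net and s.proto in (None, proto) and s.port in (None, port):
            return True
    return False

# The two policies from this section, seen from the local host. Assumption:
# pass policies take precedence over trap policies, so they are checked first.
POLICIES = [
    ("pass", parse_ts("dynamic[tcp/22]"), parse_ts("0.0.0.0/0")),     # passthrough-ssh
    ("trap", parse_ts("192.168.1.0/24"), parse_ts("192.168.1.0/24")),  # trap-any
]

def classify(own_addr, local_port, remote_addr, remote_port, proto="tcp"):
    """Return 'pass', 'trap' or 'plain' for a flow between the local socket
    own_addr:local_port and the remote socket remote_addr:remote_port."""
    for action, local_ts, remote_ts in POLICIES:
        if (ts_match(local_ts, own_addr, proto, local_port, own_addr)
                and ts_match(remote_ts, remote_addr, proto, remote_port, own_addr)):
            return action
    return "plain"   # no policy matches: traffic stays unprotected
```

Note that only connections to the local port 22 bypass IPsec: an SSH session this host opens to another host in 192.168.1.0/24 still hits the trap policy.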