Usable Examples configurations » History » Version 41

Tobias Brunner, 22.04.2020 12:08
bypass-lan mentioned

h1. Usable Examples configurations

{{>toc}}

Preliminary obligatory notes:

* These examples follow the [[SecurityRecommendations|Security Recommendations]]. Follow them. They are there
  for a reason.
* You can have several conn sections in your @ipsec.conf@ file.
* In scenarios where the remote peer authenticates itself with a client certificate,
  charon requires all certificates in the trust path of the client's certificate
  to be present, readable and valid for authentication to succeed. charon implicitly
  trusts all CA certificates that it loads from local files or via the VICI API,
  so only install the CAs whose issued certificates you actually want to accept.
* In scenarios where charon authenticates itself with a certificate, it needs to have
  all certificates in the trust path, intermediate CAs included.
* charon only reads the first certificate in a file. Keep each certificate of a chain in
  its own file (for example under @/etc/ipsec.d/cacerts/@) instead of concatenating them.
* Your responder (the proper word for "server" in IPsec talk) needs to identify
  and authenticate itself to the initiator (the proper word for "client" in IPsec talk)
  with the appropriate identity. If your initiator wants to talk to "foo.bar.com",
  your responder needs to identify and authenticate itself as _foo.bar.com_.
* Credentials are bound to identities. You cannot successfully authenticate yourself
  as the identity _foo.bar.com_ with a certificate if that certificate is not issued for that
  identity. The identities that a certificate provides are its complete subject DN and its subjectAltName entries.
* The used cipher suite must be supported by both sides. Some implementations
  only support weak crypto. Do not make concessions unless necessary for interoperability,
  and if you must, confine the weak proposal to a dedicated conn for that one peer.
* XAUTH credentials are handled internally as EAP credentials. Both are valid for
  XAUTH, EAP-GTC, EAP-MSCHAPv2 and whatever other cleartext or digest based
  authentication might be implemented in the future.
* The cipher settings are deliberately ordered by performance.
  Faster, but secure, ciphers appear at the beginning of the cipher list,
  so charon proposes them first as initiator and, as responder, selects the first
  configured proposal that the initiator also supports.
* Do not use 3DES, CAST, DES or MD5. DES and MD5 are broken; 3DES and CAST use 64-bit
  blocks and are obsolete. The same goes for DH group 2 (modp1024) and smaller groups.
* The algorithm your certificate uses and the algorithm the key exchange uses
  do not have anything to do with each other: an RSA certificate works fine with an ECDH (ecp256) key exchange.
* strongSwan does not implement L2TP.
* Multiple pools can be used at the same time.
* The [[IpsecPool|ipsec pools]] tool with the [[attrsql]] plugin can be used to assign different DNS and NBNS servers,
  as well as different arbitrary attributes to remote peers.
* Read the documentation and use "the search function":https://wiki.strongswan.org/projects/strongswan/search.
* The configured proposals (ecp256, ecp521) in these examples require you to have the _openssl_ plugin (or another plugin providing these ECP groups) loaded in strongSwan.

h2. Roadwarrior scenario

h3. Responder

This is an example configuration that provides support for several clients
with several authentication styles. Each conn below is one authentication style;
remove the ones you do not need.

{{collapse(ipsec.conf)
<pre>
conn rw-base
    # enables IKE fragmentation
    fragmentation=yes
    dpdaction=clear
    # dpdtimeout is only honored for IKEv1. For IKEv2, every message is used
    # to detect a dead peer, so the generic retransmission timeout for IKEv2
    # messages applies instead.
    dpdtimeout=90s
    dpddelay=30s

# this is used in every conn in which the client is assigned a "virtual" IP or
# one or several DNS servers
# the cipher suites require the openssl plugin.
conn rw-config
    also=rw-base
    rightsourceip=172.16.252.0/24
    # set this to a local DNS server that the clients can reach with their assigned IPs.
    # Think about routing. Fill it in or remove the line.
    rightdns=
    leftsubnet=0.0.0.0/0
    # must be the subject DN or one of the SANs of leftcert, and what the clients
    # configure as the responder's identity (see the notes above)
    leftid=whatevertheclientusestoconnect
    leftcert=mycertificate.pem
    # the responder cannot reauthenticate a peer that used asymmetric (EAP/XAuth)
    # authentication, so leave reauthentication and rekeying to the client
    reauth=no
    rekey=no
    # secure cipher suites, faster ones first (see the notes above)
    ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072
    leftsendcert=always
    # only accept client certificates issued by this CA; its certificate must be
    # in /etc/ipsec.d/cacerts/
    rightca="C=This, O=Is, OU=My, CN=CA"

# this conn is set up for l2tp support where the user authentication is happening
# in the l2tp control connection. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# charon is not an L2TP server. You need to install an L2TP daemon such as xl2tpd for that and configure it correctly.
# mark=%unique requires the connmark plugin.
conn ikev1-l2tp-chap-auth-in-l2tp
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha256-modp3072
    esp=aes128-sha256-modp3072
    # L2TP runs over UDP port 1701 only, so restrict the selector to that
    leftsubnet=%dynamic[udp/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    type=transport
    auto=add

# this conn is set up for l2tp support where the user authentication is happening
# during the IKEv1 authentication. With L2TP, clients are usually not assigned
# a virtual IP in IKE.
# mark=%unique requires the connmark plugin.
# this requires the xauth-generic plugin.
conn ikev1-l2tp-xauth-in-ike
    also=rw-base
    # reduce to the most secure combination the client can support, if absolutely required.
    ike=aes128-sha256-modp3072
    esp=aes128-sha256-modp3072
    leftsubnet=%dynamic[udp/1701]
    rightsubnet=%dynamic
    mark=%unique
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    # not possible with asymmetric authentication
    reauth=no
    rekey=no
    type=transport
    auto=add

# this requires the xauth-generic plugin.
# With IKEv1 main mode and PSK the responder has to pick the PSK by the client's
# IP address, before it knows the client's identity. Roadwarriors therefore all
# share the one PSK in ipsec.secrets; XAuth supplies the per-user credential.
conn ikev1-psk-xauth
    also=rw-config
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-generic
    xauth=server
    auto=add

# leftauth and rightauth default to "pubkey", so no change necessary.
conn ikev1-pubkey
    also=rw-config
    auto=add

# this requires the xauth-generic plugin.
conn ikev1-pubkey-xauth
    also=rw-config
    rightauth2=xauth-generic
    xauth=server
    auto=add

# this requires the xauth-generic plugin.
# hybrid mode: the responder authenticates with its certificate, the client only with XAuth.
conn ikev1-hybrid
    also=rw-config
    rightauth=xauth-generic
    xauth=server
    # without auto=add the conn is never loaded (the default is auto=ignore)
    auto=add

conn ikev2-pubkey
    also=rw-config
    auto=add

# If you need to support several EAP methods at the same time, you need to use eap-dynamic
# and not use any other conn with eap settings. Add the settings for the eap-dynamic plugin to your strongswan.conf file.
conn ikev2-eap
    also=rw-config
    rightauth=eap-dynamic
    eap_identity=%identity
    auto=add

# this requires the eap-tls plugin.
# asymmetric: the responder authenticates with its certificate (from rw-config), the client with EAP-TLS.
conn ikev2-eap-tls
    also=rw-config
    rightauth=eap-tls
    eap_identity=%identity
    auto=add

# this requires the eap-mschapv2 plugin.
conn ikev2-eap-mschapv2
    also=rw-config
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
</pre>
}}

{{collapse(ipsec.secrets)
<pre>
# a PSK without a selector matches any peer; all IKEv1 PSK roadwarriors share it
: PSK "foobarblah"
: RSA myprivatekey.pem
carol : EAP "carolspassword"
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    ikev1-l2tp-chap-auth-in-l2tp {
        version = 1
        # reduce to the most secure combination the client can support, if absolutely required.
        proposals = aes128-sha256-modp3072,default
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        children {
            ikev1-l2tp-chap-auth-in-l2tp {
                # L2TP runs over UDP port 1701 only
                local_ts = dynamic[udp/1701]
                # reduce to the most secure combination the client can support, if absolutely required.
                esp_proposals = aes128-sha256-modp3072,default
                # per-CHILD_SA marks in both directions; requires the connmark plugin
                mark_in = %unique
                mark_out = %unique
                mode = transport
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-l2tp-xauth-in-ike {
        version = 1
        proposals = aes128-sha256-modp3072,default
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-l2tp-xauth-in-ike {
                local_ts = dynamic[udp/1701]
                esp_proposals = aes128-sha256-modp3072,default
                mark_in = %unique
                mark_out = %unique
                mode = transport
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }

    ikev1-psk-xauth {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-psk-xauth {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                # no PRF here: PRFs are part of the IKE proposals only
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev1-pubkey {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine (auth = pubkey).
        }
        children {
            ikev1-pubkey {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev1-pubkey-xauth {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine (auth = pubkey).
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-pubkey-xauth {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev1-hybrid {
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # hybrid mode: the client authenticates with XAuth only
            auth = xauth
        }
        children {
            ikev1-hybrid {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-pubkey {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 retransmission timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            # defaults are fine (auth = pubkey).
        }
        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-eap {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 retransmission timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-dynamic
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-eap-tls-asymmetric {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 retransmission timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-tls
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap-tls-asymmetric {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    # EAP-only authentication (RFC 5998): both sides authenticate inside EAP-TLS and
    # the responder sends no certificate-based AUTH payload. The client must support it.
    ikev2-eap-tls-symmetric {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 retransmission timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
            auth = eap-tls
        }
        remote-1 {
            auth = eap-tls
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap-tls-symmetric {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }

    ikev2-eap-mschapv2 {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 retransmission timeouts are used.
        local-1 {
            certs = mycert.pem
            id = myid
        }
        remote-1 {
            auth = eap-mschapv2
            # go ask the client for its eap identity.
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 172.16.252.0/24
        dns = 10.1.2.3, 8.8.8.8
        split_exclude = 172.16.0.0/12
    }
    # remove this pool from the pools lists above if you do not hand out IPv6 addresses
    primary-pool-ipv6 {
        addrs = yoursiteuniqueaddresspool goes here
    }
}

secrets {
    # no id: this PSK matches any peer
    ike-one {
        secret = "foobarblah"
    }
    private-second {
        file = myprivatekey.pem
    }
    eap-carol {
        id = carol
        secret = "carolspassword"
    }
}
</pre>
}}

{{collapse(strongswan.conf)
<pre>
charon {
    plugins {
        # plugin sections in strongswan.conf use the plugin name with a dash
        eap-dynamic {
            # EAP methods offered to the client, in order of preference
            preferred = eap-mschapv2, eap-tls
        }
    }
}
</pre>
}}

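Two things in the notes at the top of the page and in the responder ipsec.conf above are easy to get wrong by hand: the also= chains through which every conn inherits rw-base and rw-config, and the ike=/esp= proposal lists, which must not contain the algorithms the notes rule out. The script below is an added example, not part of strongSwan or of the original page. It parses the conn sections of an ipsec.conf-style text, flattens the also= inheritance, and lints the resulting ike=/esp= proposals for 3DES, DES, CAST, MD5 and DH groups 1/2, for PRFs placed in esp= (they only belong in ike=), and for conns that charon silently ignores because they lack auto=. The embedded sample config is constructed for the example; the WEAK set and the function names are this example's own, and it uses only the standard library.

```python
"""Resolve also= chains in ipsec.conf conn sections and lint their proposals.

Added example, not part of strongSwan or of this wiki page. Only the
standard library is used; the sample config below is constructed and
mirrors the structure of the responder ipsec.conf above.
"""

# Transforms the notes above rule out; modp1024 is the DH group 2 used in
# the "crappy crypto" fallback of the initiator examples.
WEAK = {"3des", "des", "cast128", "md5", "modp768", "modp1024"}

# Constructed sample: two templates, one clean conn, one legacy conn and
# one conn that forgot auto=add.
SAMPLE = """\
conn rw-base
    fragmentation=yes          # enables IKE fragmentation
    dpdaction=clear

conn rw-config
    also=rw-base
    ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072

conn ikev2-pubkey
    also=rw-config
    auto=add

conn legacy-client
    also=rw-config
    ike=3des-md5-modp1024!
    esp=3des-md5!
    auto=add

conn ikev1-hybrid
    also=rw-config
    rightauth=xauth-generic
    xauth=server
"""


def parse_conns(text):
    """Return {conn_name: {key: value}}; also= values are collected in a list."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header, e.g. "conn foo"
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            if key == "also":
                current.setdefault("also", []).append(value)
            else:
                current[key] = value
    return conns


def resolve(conns, name, seen=()):
    """Flatten also= inheritance; a conn's own keys override included ones."""
    if name in seen:
        raise ValueError("also= loop through %s" % name)
    flat = {}
    for parent in conns.get(name, {}).get("also", []):
        flat.update(resolve(conns, parent, seen + (name,)))
    flat.update((k, v) for k, v in conns.get(name, {}).items() if k != "also")
    return flat


def split_proposals(value):
    """'a-b,c-d!' -> [['a', 'b'], ['c', 'd']]; the '!' strict flag is dropped."""
    return [p.split("-") for p in value.rstrip("!").split(",") if p]


def lint(text):
    """Return (conn, message) findings for weak proposals and unloaded conns."""
    conns = parse_conns(text)
    findings = []
    for name in conns:
        flat = resolve(conns, name)
        for key in ("ike", "esp"):
            for proposal in split_proposals(flat.get(key, "")):
                bad = sorted(WEAK.intersection(proposal))
                if bad:
                    findings.append((name, "%s=%s uses %s" % (key, "-".join(proposal), ",".join(bad))))
                if key == "esp" and any(t.startswith("prf") for t in proposal):
                    findings.append((name, "PRF in esp= is meaningless; PRFs belong in ike="))
        # Templates only pulled in via also= need no auto=; everything else
        # without auto=add is silently ignored (the default is auto=ignore).
        included = any(name in c.get("also", []) for c in conns.values())
        if not included and flat.get("auto", "ignore") == "ignore":
            findings.append((name, "no auto=add, charon ignores this conn"))
    return findings


if __name__ == "__main__":
    for conn, message in lint(SAMPLE):
        print("%-14s %s" % (conn, message))
```

Run it against your own @ipsec.conf@ by reading the file into @lint()@ instead of @SAMPLE@. The parser only understands the indented @key=value@ layout used on this page (comments after @#@, one conn per @conn@ header), which is enough to catch the two mistakes this page warns about before @ipsec reload@ does.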
h3. Initiator

These configuration files provide valid and usable configurations for use
as a roadwarrior client against arbitrary IKE responders that are configured correctly.
*You need to replace the marked values with the correct values.*
Remove conns that you do not require for your scenario. Some values
might need to be changed, depending on the brokenness of the responder.
*Read the comments in the files and read the _ipsec.conf_ as well as the _ipsec.secrets_ man pages.*

The configurations shown here are not exclusive. There are a lot more possible.
Check out the [[PluginList|plugin list]] and the "test scenarios":https://strongswan.org/uml/testresults5/
to see how they can be configured, but beware, those are just test scenarios
and the configurations there are not usable in production as a whole. They need
to be combined with the examples here to produce usable scenarios.

{{collapse(ipsec.conf)
<pre>

conn rw-base
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=90s
    fragmentation=yes

conn vip-base
    also=rw-base
    # request a virtual IP from the responder
    leftsourceip=%config

conn ikev1-psk-xauth
# uncomment if the responder only supports crappy crypto. But seriously,
# every single one of those algorithms is broken. Better spend some $$$
# on a better solution. Keep such a fallback in its own conn for that one
# responder; the trailing ! makes the proposal strict, so nothing else is offered.
#
#   ike=3des-md5-modp1024!
#   esp=3des-md5!
# Use this, if you want PFS with DH group 2.
#   esp=3des-md5-modp1024!
    also=vip-base
    keyexchange=ikev1
    leftauth=psk
    leftauth2=xauth
    right=RespondersIPorFQDNGoesHere
# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
    rightauth=psk
# this tunnels all the traffic. You might also want to define a passthrough policy
# for the local LAN traffic, or use the bypass-lan plugin.
# Choose a smaller subnet, if required.
# this config supports CISCO UNITY.
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add
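
# Added example, not from the original page: the passthrough policy for the
# local LAN that the comment above refers to. 192.168.1.0/24 is an assumed
# LAN prefix; replace it with yours. authby=never and type=passthrough make
# this a shunt that needs no peer, auto=route installs it at startup without
# negotiating anything, and strongSwan installs passthrough policies with a
# higher priority than tunnel policies, so it wins over rightsubnet=0.0.0.0/0.
conn lan-passthrough
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    authby=never
    type=passthrough
    auto=route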

# Aggressive mode with PSK sends a hash keyed with the PSK in the clear, so
# anyone on the path can run an offline dictionary attack against the PSK.
# Only use it if the responder forces you to.
conn ikev1-psk-xauth-aggressive
    aggressive=yes
    also=ikev1-psk-xauth
    auto=add

conn ikev1-rsa-xauth
    also=vip-base
    keyexchange=ikev1
    leftauth=pubkey
    leftauth2=xauth-generic
    leftcert=thisisthepathtomycertificate.pem
    xauth_identity=thisismyusername
    right=RespondersIPorFQDNGoesHere
# You might require this if the responder sends a wrong ID.
#   rightid=somethingsomething
    rightauth=pubkey
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate
    auto=add


conn ikev1-l2tp
    also=rw-base
    keyexchange=ikev1
    type=transport
    right=RespondersIPorFQDNGoesHere
    # L2TP runs over UDP port 1701 only
    rightsubnet=%dynamic[udp/1701]
    leftauth=psk
    rightauth=psk


# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in IKE using xauth
conn ikev1-l2tp-ipsec-userauth-in-ike
    also=ikev1-l2tp
    leftauth2=xauth-generic
    auto=add

# if your responder uses aggressive mode, add
# aggressive=yes in the conn
# user authentication happens in L2TP
conn ikev1-l2tp-ipsec-userauth-in-l2tp
    also=ikev1-l2tp
    auto=add


# Authentication with EAP-MSCHAPv2 is asymmetric. The responder
# has to authenticate itself against the initiator with an X.509 certificate.
conn ikev2-eap-mschapv2
    also=vip-base
    keyexchange=ikev2
    leftauth=eap-mschapv2
    # the IKE identity is also used as the EAP identity unless eap_identity is set
    leftid=thisismyusername
    rightauth=pubkey
    right=RespondersIPorFQDNGoesHere
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate

# You might have to set this to the correct value, if the responder isn't configured correctly.
#   rightid=foobar
# Remove the ::/0, if you don't require IPv6.
    rightsubnet=0.0.0.0/0,::/0
    auto=add

# asymmetric authentication using eap-tls and pubkey auth
conn ikev2-eap-tls-asymmetric
    also=vip-base
    keyexchange=ikev2
    leftcert=mycert
    leftauth=eap-tls
    rightauth=pubkey
# The following settings depend on whether you've got the CA that issued the
# responder's certificate or just the certificate.
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
# read the notes in the beginning of the page about certificates.
#   rightca="This is the DN of the CA's certificate"
# if you've only got the responder's certificate
#   rightcert=thisisthepathtothecertificate

    right=RespondersIPorFQDNGoesHere
# You might have to set this to the correct value, if the responder isn't configured correctly.
672 10 Noel Kuntze
#   rightid=foobar
673 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
674 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
675 10 Noel Kuntze
    auto=add
676 10 Noel Kuntze
677 10 Noel Kuntze
678 10 Noel Kuntze
# symmetric authentication using just eap-tls
679 10 Noel Kuntze
conn ikev2-eap-tls-symmetric
680 10 Noel Kuntze
    also=vip-base
681 10 Noel Kuntze
    keyexchange=ikev2
682 10 Noel Kuntze
    leftcert=mycert
683 10 Noel Kuntze
    leftauth=eap-tls
684 10 Noel Kuntze
    rightauth=eap-tls
685 10 Noel Kuntze
# The following settings depend on if you've got the CA that issued the
686 10 Noel Kuntze
# responder's certificate or just the certificate.
687 10 Noel Kuntze
# if you've got the CA certificate, put it into /etc/ipsec.d/cacerts/. Also
688 10 Noel Kuntze
# read the notes in the beginning of the page about certificates.
689 10 Noel Kuntze
#   rightca="This is the DN of the CA's certificate"
690 10 Noel Kuntze
# if you've only got the responder's certificate
691 10 Noel Kuntze
#   rightcert=thisisthepathtothecertificate
692 10 Noel Kuntze
693 10 Noel Kuntze
    right=RespondersIPorFQDNGoesHere
694 10 Noel Kuntze
# You might have to set this to the correct value, if the responder isn't configure correctly.
695 10 Noel Kuntze
#   rightid=foobar
696 10 Noel Kuntze
# Remove the ::/0, if you don't require IPv6.
697 10 Noel Kuntze
    rightsubnet=0.0.0.0/0,::/0
698 10 Noel Kuntze
    auto=add
699 10 Noel Kuntze
700 10 Noel Kuntze
</pre>
701 10 Noel Kuntze
}}
702 10 Noel Kuntze

{{collapse(ipsec.secrets)
<pre>
RespondersIPorFQDNGoesHere : PSK "thisisthesharedpassword"
thisismyusername : EAP "thisismypassword"
: RSA myprivatekey
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    ikev1-psk-xauth {
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            auth = psk
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-psk-xauth {
                remote_ts = 0.0.0.0/0,::/0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
            }
        }
    }

    ikev1-psk-xauth-aggressive {
        aggressive = yes
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            auth = psk
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-psk-xauth-aggressive {
                remote_ts = 0.0.0.0/0,::/0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
            }
        }
    }

    ikev1-rsa-xauth {
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = ResponderIPorFQDNGoesHere
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        # proposals = 3des-md5-modp1024
        vips = 0.0.0.0,::
        local-1 {
            certs = thisisthepathtomycertificate.pem
        }
        local-2 {
            auth = xauth-generic
        }
        remote-1 {
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            # id = foobar
        }

        children {
            ikev1-rsa-xauth {
                remote_ts = 0.0.0.0/0,::/0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
            }
        }
    }

    ikev1-l2tp {
        remote_addrs = ResponderIPorFQDNGoesHere
        version = 1
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }

        children {
            ikev1-l2tp {
                remote_ts = dynamic[/1701]
                mode = transport
                start_action = none
            }
        }
    }

    ikev1-l2tp-xauth {
        remote_addrs = ResponderIPorFQDNGoesHere
        version = 1
        local-1 {
            auth = psk
        }
        local-2 {
            auth = xauth
            xauth_id = myusername
        }
        remote-1 {
            auth = psk
        }

        children {
            ikev1-l2tp-xauth {
                remote_ts = dynamic[/1701]
                mode = transport
                start_action = none
            }
        }
    }

    ikev2-eap-mschapv2 {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0,::
        local-1 {
            auth = eap-mschapv2
            eap_id = myid
        }
        remote-1 {
            # The following settings depend on if you've got the CA that issued the
            # responder's certificate or just the certificate.
            # if you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   ca_id = "This is the DN of the CA's certificate"
            # if you've only got the responder's certificate
            #   certs = thisisthepathtothecertificate
            # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-mschapv2 {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }

    ikev2-eap-tls-asymmetric {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0,::
        local-1 {
            auth = eap-tls
            certs = mycert
        }
        remote-1 {
            # The following settings depend on if you've got the CA that issued the
            # responder's certificate or just the certificate.
            # if you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   ca_id = "This is the DN of the CA's certificate"
            # if you've only got the responder's certificate
            #   certs = thisisthepathtothecertificate
            # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-tls-asymmetric {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }

    ikev2-eap-tls-symmetric {
        version = 2
        remote_addrs = ResponderIPorFQDNGoesHere
        vips = 0.0.0.0,::
        local-1 {
            auth = eap-tls
            certs = mycert
        }
        remote-1 {
            auth = eap-tls
            # The following settings depend on if you've got the CA that issued the
            # responder's certificate or just the certificate.
            # if you've got the CA certificate, put it into /etc/swanctl/x509ca/. Also
            # read the notes in the beginning of the page about certificates.
            #   ca_id = "This is the DN of the CA's certificate"
            # if you've only got the responder's certificate
            #   certs = thisisthepathtothecertificate
            # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
            # id = remoteIDGoesHere
        }
        children {
            ikev2-eap-tls-symmetric {
                remote_ts = 0.0.0.0/0,::/0
            }
        }
    }
}

secrets {
    ike-example {
        id = RespondersIPorFQDNGoesHere
        secret = "thisisthesharedpassword"
    }
    eap-username {
        id = thisismyusername
        secret = "thisismypassword"
    }
    private-mine {
        file = myprivatekey
    }
}
</pre>
}}

h2. Site-To-Site-Scenario

These configuration files are written under the presumption that both sides have public IPs and there is no NAT in between.
If you use NAT and the peers' IPs as IDs, you need to set them manually in leftid and rightid respectively (wherever the ID is not equal to the set address).
In some cases, the IDs other peers send are malformed or use an unusual type. If that is the case, you can force the sending of a specific ID or of a specific
type using a [[ConnSection#leftright-End-Parameters|special notation]] (see text about left|rightid).

{{collapse(ipsec.conf)
<pre>
conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072
    keyingtries=%forever
    leftid=foobar
    leftcert=foobar.pem

# this conn is set up for a remote host with a static IP
conn site-1-static-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.3.0/24
    right=1.2.3.4
    rightcert=1.2.3.4.pem
    auto=route

# this conn is set up for a remote host with a dynamic IP
conn site-2-dynamic-ip
    also=sts-base
    keyexchange=ikev2
    leftsubnet=10.1.2.0/24,10.1.1.0/24
    rightsubnet=10.1.4.0/24
    # for this to work, DNS must be usable and working.
    right=%example.com
    rightcert=example.com.pem
    auto=route

# this conn is set up for IKEv1 compatibility. It shows how to define several subnets
# with IKEv1. site-3-legacy-1 and site-3-legacy-2 keep the data for the CHILD_SA.
# The same can be accomplished with implicit merging by specifying the same IKE_SA
# configuration in two different conns. This setup is cleaner, though.
# If you put "auto=route" into the "site-3-legacy-base" conn, charon will route the
# conn with the TS being the local IP that is used to communicate with the remote
# peer and the remote peer's IP. If such a CHILD_SA is not configured on the peer, ICMP
# error messages from the remote peer to the local peer will not be able to be transmitted.
# So don't do that, unless your remote peer is configured for that.
# This is an IKEv1 connection with PSK authentication. That means that you need to know
# the other side's IP.
conn site-3-legacy-base
    also=sts-base
    keyexchange=ikev1
    # IKE and ESP cipher settings are reconfigured, because in IKEv1 every
    # single cipher suite needs to be enumerated.
    # It is not possible to define all supported ciphers in one suite.
    # select appropriate and strong ciphers for your scenario.
    ike=aes192gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
    rightsubnet=10.1.5.0/24
    # for this to work, DNS must be usable and working.
    right=example.com
    leftauth=psk
    rightauth=psk

conn site-3-legacy-1
    leftsubnet=10.1.1.0/24
    also=site-3-legacy-base
    auto=route

conn site-3-legacy-2
    leftsubnet=10.1.2.0/24
    also=site-3-legacy-base
    auto=route
</pre>
}}
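The conns above are built on @also=@ inheritance. The following is an added example (not code from the strongSwan project or this page) that flattens that inheritance for the site-3 conns: the including conn's own parameters win over the included section, includes are resolved recursively, and an @also=@ cycle is reported. The sample ipsec.conf text is a constructed excerpt of the block above; only the syntax used on this page is parsed.

```python
# Added example, not part of the strongSwan wiki page: resolve the effective
# parameters of an ipsec.conf conn by expanding its also= includes.
# Assumption: parameters set directly in a conn take precedence over those of
# the sections it includes; includes are expanded in the order they appear.
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: the site-to-site conns from this section, with the
# IKEv1 legacy conn overriding the cipher suites of sts-base.
SAMPLE_IPSEC_CONF = """
conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072
    keyingtries=%forever
    leftid=foobar
    leftcert=foobar.pem

conn site-3-legacy-base
    also=sts-base
    keyexchange=ikev1
    # IKEv1 needs every suite enumerated, so the sts-base values are overridden
    ike=aes192gcm16-prfsha256-ecp256,aes192-sha256-modp3072
    esp=aes192gcm16-ecp256,aes192-sha256-modp3072
    rightsubnet=10.1.5.0/24
    right=example.com
    leftauth=psk
    rightauth=psk

conn site-3-legacy-1
    leftsubnet=10.1.1.0/24
    also=site-3-legacy-base
    auto=route
"""


def parse_conns(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map conn name -> ordered (key, value) pairs, with comments stripped."""
    conns: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = []
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a conn: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conns[current].append((key, value))
    return conns


def resolve_conn(conns: Dict[str, List[Tuple[str, str]]], name: str,
                 seen: Optional[Set[str]] = None) -> Dict[str, str]:
    """Effective parameters of conn `name` after expanding also= includes."""
    seen = set(seen or ())
    if name in seen:
        raise ValueError(f"also= cycle through conn {name}")
    seen.add(name)
    effective: Dict[str, str] = {}
    includes: List[str] = []
    for key, value in conns[name]:
        if key == "also":
            includes.append(value)
        else:
            effective.setdefault(key, value)  # first setting in the conn wins
    for inc in includes:
        for key, value in resolve_conn(conns, inc, seen).items():
            effective.setdefault(key, value)  # own values beat included ones
    return effective


def effective_conn(name: str, text: str = SAMPLE_IPSEC_CONF) -> Dict[str, str]:
    """Convenience wrapper: parse `text` and resolve one conn."""
    return resolve_conn(parse_conns(text), name)


if __name__ == "__main__":
    for key, value in sorted(effective_conn("site-3-legacy-1").items()):
        print(f"{key}={value}")
```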

{{collapse(ipsec.secrets)
<pre>
: RSA foobar.key
remote.com : PSK "example"
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {

    site-1-static-ip {
        remote_addrs = 1.2.3.4
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0

        local-1 {
            certs = foobar.pem
        }
        remote-1 {
            certs = 1.2.3.4.pem
        }

        children {
            site-1-static-ip {
                local_ts = 10.1.2.0/24,10.1.1.0/24
                remote_ts = 10.1.3.0/24
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }

    site-2-dynamic-ip {
        remote_addrs = example.com, 0.0.0.0/0
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0
        local-1 {
            certs = foobar.pem
        }
        remote-1 {
            certs = example.com.pem
        }

        children {
            site-2-dynamic-ip {
                local_ts = 10.1.2.0/24,10.1.1.0/24
                remote_ts = 10.1.4.0/24
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }

    site-3-legacy {
        remote_addrs = example.com
        version = 1
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        local-1 {
            auth = psk
            id = mylocalsite
        }
        remote-1 {
            # id field here is inferred from the remote address
            auth = psk
        }
        children {
            site-3-legacy-1 {
                local_ts = 10.1.1.0/24
                remote_ts = 10.1.5.0/24
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                start_action = trap
                dpd_action = restart
            }
            site-3-legacy-2 {
                local_ts = 10.1.2.0/24
                remote_ts = 10.1.5.0/24
                esp_proposals = aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                start_action = trap
                dpd_action = restart
            }
        }
    }
}
secrets {
    # PSK secret
    ike-example.com {
        id-1 = remote.com
        secret = "example"
    }
    # generic private key, no specific type
    private-foobar {
        file = foobar.key
    }
}
</pre>
}}

h2. Passthrough policy

h3. For a local LAN

To automatically install passthrough policies for locally connected subnets, the [[bypass-lan]] plugin may be used.

This is a passthrough policy that works if the sender and recipient of the IP packets are in the 10.0.0.0/8 subnet.
@left@ is set to @127.0.0.1@ to prevent this conn from being considered in the conn lookup when a peer tries to connect.

{{collapse(ipsec.conf)
<pre>
conn passthrough-1
    # makes sure those conns are excluded from every conn selection
    left=127.0.0.1
    # Those are just example values. Replace them with the appropriate ones!
    leftsubnet=10.0.0.0/8
    rightsubnet=10.0.0.0/8
    # those two lines are critical.
    type=passthrough
    auto=route
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-1 {
        remote_addrs = 127.0.0.1
        children {
            passthrough-1 {
                local_ts = 10.0.0.0/8
                remote_ts = 10.0.0.0/8
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}

h3. For remote networks

This is a passthrough policy that applies to packets for which all of the section's conditions are true:
* For received packets:
** The recipient is in @192.168.0.0/16@
** The sender is in @10.0.0.0/8@
* For sent packets:
** The recipient is in @10.0.0.0/8@
** The sender is in @192.168.0.0/16@

Note that the conditions for received and sent packets are the inverse of each other.

@left@ is set to @127.0.0.1@ to prevent this conn from being considered in the conn lookup when a peer tries to connect and to prevent strongSwan from switching the sides of the conn (because @127.0.0.1@ is a local IP address).

{{collapse(ipsec.conf)
<pre>
conn passthrough-2
    # makes sure those conns are excluded from every conn selection
    left=127.0.0.1
    # Those are just example values. Replace them with the appropriate ones!
    leftsubnet=192.168.0.0/16
    rightsubnet=10.0.0.0/8
    # those two lines are critical.
    type=passthrough
    auto=route
</pre>
}}

For swanctl.conf style configurations, switching the sides is not an issue, so remote_addrs or local_addrs can be set to 127.0.0.1 to prevent strongSwan from considering the conn in the conn lookup when a peer tries to connect.
In this example, only remote_addrs is set to @127.0.0.1@. You are free to choose local_addrs, remote_addrs or both.

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-2 {
        remote_addrs = 127.0.0.1
        children {
            passthrough-2 {
                local_ts = 192.168.0.0/16
                remote_ts = 10.0.0.0/8
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}

If your goal is to exclude traffic into locally attached subnets from other tunnels and the locally attached subnets are dynamic, have a look at the [[bypass-lan]] plugin.
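To see how the passthrough-1 and passthrough-2 policies from the two sections above interact with a tunnel whose remote selector is 0.0.0.0/0, here is an added example (not code from the strongSwan project or this page) that models the per-packet policy lookup. It assumes, as a simplification of strongSwan's priority scheme and not something read from the kernel, that pass policies outrank IPsec policies and that among the rest the narrower selector wins; the tunnel child "tunnel-to-gw" and the sample packets are constructed.

```python
# Added example, not part of the strongSwan wiki page: a simplified model of
# the outbound/inbound policy lookup for the passthrough policies of this
# section next to a tunnel child whose remote_ts is 0.0.0.0/0.
# Modelling assumption (not read from the kernel): pass policies outrank IPsec
# policies, and among the remaining candidates the narrower selector wins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    local_ts: str   # leftsubnet / local_ts
    remote_ts: str  # rightsubnet / remote_ts
    mode: str       # "pass" (type=passthrough) or "tunnel"

    def matches(self, src: str, dst: str, direction: str) -> bool:
        """Sent packets are matched local->remote, received packets remote->local.

        This is why the conditions for sent and received packets in the text
        are the inverse of each other: one selector pair serves both directions.
        """
        local, remote = ip_network(self.local_ts), ip_network(self.remote_ts)
        s, d = ip_address(src), ip_address(dst)
        if direction == "out":
            return s in local and d in remote
        if direction == "in":
            return s in remote and d in local
        raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")

    def specificity(self) -> int:
        # Longer prefixes mean a narrower selector; the sum of both sides is
        # enough to rank the policies used in this example.
        return ip_network(self.local_ts).prefixlen + ip_network(self.remote_ts).prefixlen


def lookup(policies: List[Policy], src: str, dst: str, direction: str) -> Optional[Policy]:
    """Return the policy that applies to the packet, or None (plain routing)."""
    candidates = [p for p in policies if p.matches(src, dst, direction)]
    if not candidates:
        return None
    # pass policies first, then the most specific selector
    return max(candidates, key=lambda p: (p.mode == "pass", p.specificity()))


# Constructed policy set: passthrough-1 and passthrough-2 from this page plus a
# hypothetical site-to-site child that sends everything (0.0.0.0/0) from the
# local site 10.1.0.0/16 through a gateway.
POLICIES = [
    Policy("passthrough-1", "10.0.0.0/8", "10.0.0.0/8", "pass"),
    Policy("passthrough-2", "192.168.0.0/16", "10.0.0.0/8", "pass"),
    Policy("tunnel-to-gw", "10.1.0.0/16", "0.0.0.0/0", "tunnel"),
]


def decide(src: str, dst: str, direction: str) -> str:
    """Name of the winning policy for a packet, or 'no policy'."""
    winner = lookup(POLICIES, src, dst, direction)
    return winner.name if winner else "no policy"


if __name__ == "__main__":
    for pkt in [("10.1.2.3", "10.1.7.7", "out"),     # LAN to LAN: passthrough-1 beats the tunnel
                ("10.1.2.3", "8.8.8.8", "out"),      # Internet: tunnel-to-gw
                ("192.168.1.1", "10.5.5.5", "out"),  # passthrough-2, sent direction
                ("10.5.5.5", "192.168.1.1", "in"),   # passthrough-2, received direction
                ("192.168.1.1", "10.5.5.5", "in")]:  # selectors reversed: no policy
        print(pkt, "->", decide(*pkt))
```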

h3. For specific protocols or ports

The following configuration example is for traffic to the *local* SSH port.

{{collapse(ipsec.conf)
<pre>
conn passthrough-ssh
    # makes sure those conns are excluded from every conn selection
    left=127.0.0.1
    leftsubnet=%dynamic[tcp/22]
    rightsubnet=0.0.0.0/0
    type=passthrough
    auto=route
</pre>
}}

{{collapse(swanctl.conf)
<pre>
connections {
    passthrough-ssh {
        remote_addrs = 127.0.0.1
        children {
            passthrough-ssh {
                local_ts = dynamic[tcp/22]
                remote_ts = 0.0.0.0/0
                mode = pass
                start_action = trap
            }
        }
    }
}
</pre>
}}

h2. Host-To-Host transport mode

Based on "the trap-any test scenario":https://www.strongswan.org/testing/testresults/ikev2/trap-any/.

The hosts involved are in the 192.168.1.0/24 subnet.
The notes from Tobias' comment in issue #196 apply:
> The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
> 
> Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).

{{collapse(ipsec.conf)
<pre>
conn host-to-host
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn trap-any
    also=host-to-host
    right=%any
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=transport
    authby=psk
    auto=route
</pre>
}}
{{collapse(swanctl.conf)
1290 25 Noel Kuntze
<pre>
1291 25 Noel Kuntze
connections {
1292 25 Noel Kuntze
    trap-any {
1293 25 Noel Kuntze
        remote_addrs = %any
1294 25 Noel Kuntze
        local {
1295 25 Noel Kuntze
            auth = psk
1296 25 Noel Kuntze
        }
1297 25 Noel Kuntze
        remote {
1298 1 Noel Kuntze
            auth = psk
1299 25 Noel Kuntze
        }
1300 25 Noel Kuntze
1301 25 Noel Kuntze
        children {
1302 37 Noel Kuntze
            trap-any {
1303 25 Noel Kuntze
                remote_ts = 192.168.1.0/24
1304 25 Noel Kuntze
                local_ts = 192.168.1.0/24
1305 25 Noel Kuntze
                mode = transport
1306 25 Noel Kuntze
                start_action = trap
1307 25 Noel Kuntze
            }
1308 25 Noel Kuntze
        }
1309 25 Noel Kuntze
    }
1310 25 Noel Kuntze
}
1311 7 Noel Kuntze
</pre>
1312 7 Noel Kuntze
}}