====== IPsec VPN (strongSwan) Configuration ======

AstLinux now supports the [[https://www.strongswan.org/|strongSwan]] package, an OpenSource IPsec-based VPN solution.

!!Note:!! The ipsec-tools (racoon) support in AstLinux has been **removed** in !!AstLinux 1.4.2!!. The [[https://sourceforge.net/projects/ipsec-tools/|ipsec-tools (racoon)]] project is now abandoned and its source has been lagging behind in adapting to new threats. The web interface Network tab "IPsec Peers" and "IPsec Mobile" VPN Types that used ipsec-tools (racoon) have been **removed** in !!AstLinux 1.4.2!!. The "IPsec strongSwan" method is a more feature-rich alternative to the other IPsec methods.

Three key strongSwan features not found in ipsec-tools (racoon):
  * Implements both the IKEv1 and IKEv2 (RFC 7296) key exchange protocols
  * Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
  * Actively developed and supported.

How does this apply within AstLinux ...
  * A point-and-click web interface like the removed IPsec Peers / IPsec Mobile would limit strongSwan features.
  * strongSwan is needed to support endpoints with changing IPs and dynamic DNS names using IKEv2 MOBIKE; racoon only supports IKEv1.
  * strongSwan is needed to interoperate with [[https://en.avm.de/products/fritzbox/|AVM FRITZ!Box]]((Quality home routers/PBX, used by many ISPs. Good support from the vendor.)) routers, very common in Germany and other parts of Europe.

At this point in time, the "IPsec strongSwan" method is implemented as a __text based configuration__ (only basic web interface support).

!!Warning ->!! It should go without saying, never use the example pre-shared key values shown below; always use randomly generated shared keys that are as long as practical.

!!Note: AstLinux 1.2.9 or later is required!!
===== IPsec strongSwan Configuration =====

Select the Network Tab in the web interface.\\
{{:userdoc:ipv6-tunnel-network-tab.jpg?nolink|Network Tab}}

Locate the IPsec strongSwan entry within **Network Services: -> VPN Type:**

{{:userdoc:ipsec-vpn-strongswan-disabled-network-tab.jpeg?nolink|IPsec strongSwan Disabled Config}}

Check "IPsec strongSwan" (uncheck any other IPsec VPN entries) and "Save Settings", then restart IPsec strongSwan...

{{:userdoc:ipsec-vpn-strongswan-restart-network-tab.jpeg?nolink|IPsec strongSwan Enable Config}}

IPsec strongSwan is now running, but by default no active associations are defined. A default configuration has been installed, which you can now edit by clicking on "IPsec Configuration"...

{{:userdoc:ipsec-vpn-strongswan-enabled-network-tab.jpeg?nolink|IPsec strongSwan Enabled Config}}

Reference: [[https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf|ipsec.conf]]

===== Network to AVM FRITZ!Box with Pre-Shared Key =====

Tested with an AVM FRITZ!Box Fon WLAN 7390 with FRITZ!OS 06.51 and strongSwan 5.5.1 (AstLinux 1.2.9-pre 64-bit)

astlinux.example.tld: Dynamic DNS w/internal LAN 192.168.101.0/24\\
fritzbox.example.tld: Dynamic DNS w/internal LAN 192.168.178.0/24

**astlinux.example.tld: /etc/ipsec.conf**
<code>
# ipsec.conf - strongSwan IPsec configuration file

config setup
  #charondebug="ike 0, enc 0, knl 0, net 0"

conn %default
  dpddelay=15
  dpdtimeout=60
  dpdaction=restart

conn fritzbox
  left=astlinux.example.tld
  leftid=@astlinux.example.tld
  leftsubnet=192.168.101.0/24
  right=fritzbox.example.tld
  rightid=@fritzbox.example.tld
  rightsubnet=192.168.178.0/24
  keyexchange=ikev1
  ike=aes256-sha-modp1024
  esp=aes256-sha1-modp1024
  ikelifetime=3600s
  keylife=3600s
  aggressive=yes
  authby=psk
  #auto=start
  auto=route
  keyingtries=%forever
</code>

!!Note:!! ''auto=route'' seems to reconnect more reliably when the other side has been down for a while.
**astlinux.example.tld: /etc/ipsec.secrets**
<code>
# ipsec.secrets - strongSwan IPsec secrets file

@astlinux.example.tld @fritzbox.example.tld : PSK monkey123
</code>

**fritzbox.example.tld: VPN Config**

It has to be imported into the Fritzbox.
<code>
/*
 * astlinux-vpn.cfg
 */

vpncfg {
    connections {
        enabled = yes;
        editable = no;
        conn_type = conntype_lan;
        name = "astlinux.example.tld";
        boxuser_id = 0;
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "astlinux.example.tld";
        keepalive_ip = 0.0.0.0;
        localid {
            fqdn = "fritzbox.example.tld";
        }
        remoteid {
            fqdn = "astlinux.example.tld";
        }
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "monkey123";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.178.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.101.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 192.168.101.0 255.255.255.0";
        app_id = 0;
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
</code>

!!Note:!! The Fritzbox 7390 (FW 6.51) accepts pre-shared keys of up to 128 characters, which can be generated e.g. with:
<code>
openssl rand -base64 96
</code>

===== Network to Network with Pre-Shared Key =====

!!Tip ->!! Similar to IPsec Peers using a preshared key.
pbx3: 10.10.50.64 w/internal LAN 192.168.222.0/24\\
pbx4: 10.10.50.65 w/internal LAN 192.168.200.0/24

**pbx3: /etc/ipsec.conf**
<code>
# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  left=10.10.50.64
  leftsubnet=192.168.222.0/24
  dpdaction=restart
  authby=psk

conn pbx4
  right=10.10.50.65
  rightsubnet=192.168.200.0/24
  auto=start
</code>

**pbx3: /etc/ipsec.secrets**
<code>
# ipsec.secrets - strongSwan IPsec secrets file

10.10.50.64 10.10.50.65 : PSK monkey123
</code>

**pbx4: /etc/ipsec.conf**
<code>
# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  left=10.10.50.65
  leftsubnet=192.168.200.0/24
  dpdaction=restart
  authby=psk

conn pbx3
  right=10.10.50.64
  rightsubnet=192.168.222.0/24
  auto=start
</code>

**pbx4: /etc/ipsec.secrets**
<code>
# ipsec.secrets - strongSwan IPsec secrets file

10.10.50.64 10.10.50.65 : PSK monkey123
</code>

===== Network to Network with Certificates =====

!!Tip ->!! Similar to IPsec Peers using certificates.

pbx3: 10.10.50.64 w/internal LAN 192.168.222.0/24\\
pbx4: 10.10.50.65 w/internal LAN 192.168.200.0/24

For this example, the certificates were created using the //(disabled)// IPsec Mobile sub-tab on "pbx4" (server) for client "pbx3"; the files are located in ''/mnt/kd/ipsec/webinterface/keys/''. The required files were manually copied over to the proper ''/etc/ipsec.d/'' directories on "pbx4" and securely transferred to "pbx3".
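As an added example (not AstLinux or strongSwan code), the following Python reads the ''ipsec.conf'' style used in the FRITZ!Box and network-to-network examples above, merges ''conn %default'' into each conn the way strongSwan does, and flags the settings a reviewer would want justified: ''keyexchange=ikev1'', aggressive mode together with ''authby=psk'', ''modp1024'' and SHA-1 in the ''ike''/''esp'' proposals. The embedded sample config is constructed for the example.

```python
import re

# Constructed sample modelled on the FRITZ!Box ipsec.conf above, not a real config.
SAMPLE_CONF = """\
config setup
conn %default
    dpdaction=restart
conn fritzbox
    left=astlinux.example.tld
    right=fritzbox.example.tld
    keyexchange=ikev1
    ike=aes256-sha-modp1024
    esp=aes256-sha1-modp1024
    aggressive=yes
    authby=psk
    auto=route
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                   # top-level 'conn NAME' / 'config setup'
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:  # indented key=value inside a conn
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}

def lint_conn(opts):
    """Review findings for one merged conn; an empty list means nothing was flagged."""
    findings = []
    if opts.get("keyexchange") == "ikev1":
        findings.append("keyexchange=ikev1: no MOBIKE; prefer ikev2 where the peer supports it")
    if opts.get("aggressive") == "yes" and opts.get("authby") == "psk":
        findings.append("aggressive mode with PSK: PSK-derived hash is sent unprotected; PSK must be long and random")
    for key in ("ike", "esp"):
        for proposal in filter(None, opts.get(key, "").split(",")):
            if "modp1024" in proposal:
                findings.append(f"{key}: modp1024 (DH group 2) is below current recommendations")
            if re.search(r"(^|-)sha1?(-|$)", proposal):
                findings.append(f"{key}: SHA-1 integrity; prefer sha256")
    return findings
```

Run it over the page's pbx3/pbx4 PSK configs and nothing is flagged, since they leave strongSwan's defaults (IKEv2 and its default proposals) in place; the FRITZ!Box conn produces six findings.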
**pbx3: /etc/ipsec.conf**
<code>
# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  left=10.10.50.64
  leftsubnet=192.168.222.0/24
  leftcert=pbx3.crt
  leftsendcert=never
  dpdaction=restart

conn pbx4
  right=10.10.50.65
  rightsubnet=192.168.200.0/24
  rightcert=server.crt
  auto=start
</code>

**pbx3: /etc/ipsec.secrets**
<code>
# ipsec.secrets - strongSwan IPsec secrets file

: RSA pbx3.key
</code>

**pbx3: /etc/ipsec.d/**
<code>
/etc/ipsec.d/private/pbx3.key
/etc/ipsec.d/certs/pbx3.crt
/etc/ipsec.d/certs/server.crt
/etc/ipsec.d/cacerts/ca.crt
</code>

**pbx4: /etc/ipsec.conf**
<code>
# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  left=10.10.50.65
  leftsubnet=192.168.200.0/24
  leftcert=server.crt
  leftsendcert=never
  dpdaction=restart

conn pbx3
  right=10.10.50.64
  rightsubnet=192.168.222.0/24
  rightcert=pbx3.crt
  auto=start
</code>

**pbx4: /etc/ipsec.secrets**
<code>
# ipsec.secrets - strongSwan IPsec secrets file

: RSA server.key
</code>

**pbx4: /etc/ipsec.d/**
<code>
/etc/ipsec.d/private/server.key
/etc/ipsec.d/certs/pbx3.crt
/etc/ipsec.d/certs/server.crt
/etc/ipsec.d/cacerts/ca.crt
</code>

===== Firewall Settings =====

By default, when "IPsec strongSwan" is enabled, the ipsec-vpn firewall plugin is automatically enabled. This allows any host to access the IPsec service via the protocols ESP, AH and UDP 500, 4500.

If you want to restrict who has access to the strongSwan service, define the ''IPSEC_ALLOWED_ENDPOINTS'' variable with a space-separated list of IP addresses; it defaults to any "0/0" endpoint.

If you want to restrict which remote IPsec VPN networks have access, define the ''IPSEC_ALLOWED_VPN_NETS'' variable with a space-separated list of IPsec remote nets (CIDR notation); it defaults to allowing any remote network.

Either of these variables can be added directly into the ''/mnt/kd/rc.conf.d/user.conf'' file, or edited via the Network tab -> Advanced Configuration: User System Variables.
===== Debugging CLI Commands =====

Show internal strongSwan routes:
<code>
ip route list table 220
</code>

Show association states:
<code>
ip xfrm state
</code>

Show association policies:
<code>
ip xfrm policy
</code>