AstLinux now supports the strongSwan package, an OpenSource IPsec-based VPN solution.
Note: The ipsec-tools (racoon) support in AstLinux has been removed in AstLinux 1.4.2. The ipsec-tools (racoon) project is now abandoned and its source has been lagging behind in adapting to new threats.
The web interface Network tab, “IPsec Peers” and “IPsec Mobile” VPN Types that used ipsec-tools (racoon) has been removed in AstLinux 1.4.2., the “IPsec strongSwan” method is a more feature rich alternative to the other IPsec methods.
Three key strongSwan features not found in ipsec-tools (racoon):
How does this apply within AstLinux …
At this point in time, the “IPsec strongSwan” method is implemented as a text based configuration (only basic web interface support).
Warning -> It should go without saying, never use the example pre-shared key values shown below, always use as long as practical, randomly generated shared keys.
Note: AstLinux 1.2.9 or later is required
Select the Network Tab in the web interface.
Locate the IPsec strongSwan entry within Network Services: → VPN Type:
Check “IPsec strongSwan” (uncheck any other IPsec VPN entries) and “Save Settings”, then restart IPsec strongSwan…
IPsec strongSwan is now running, but by default no active associations are defined.
A default configuration has been installed, which you can now edit by clicking on “IPsec Configuration”…
Reference: ipsec.conf
Tested with a AVM FRITZ!Box Fon WLAN 7390 with FRITZ!OS 06.51 and strongSwan 5.5.1 (AstLinux 1.2.9-pre 64-bit)
astlinux.example.tld: Dynamic DNS w/internal LAN 192.168.101.0/24 fritzbox.example.tld: Dynamic DNS w/internal LAN 192.168.178.0/24
astlinux.example.tld: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file config setup #charondebug="ike 0, enc 0, knl 0, net 0" conn %default dpddelay=15 dpdtimeout=60 dpdaction=restart conn fritzbox left=astlinux.example.tld leftid=@astlinux.example.tld leftsubnet=192.168.101.0/24 right=fritzbox.example.tld rightid=@fritzbox.example.tld rightsubnet=192.168.178.0/24 keyexchange=ikev1 ike=aes256-sha-modp1024 esp=aes256-sha1-modp1024 ikelifetime=3600s keylife=3600s aggressive=yes authby=psk #auto=start auto=route keyingtries=%forever
Note: auto=route
seems to work better with reconnecting, when the other side is down for a while.
astlinux.example.tld: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file @astlinux.example.tld @fritzbox.example.tld : PSK monkey123
fritzbox.example.tld: VPN Config
It has to be imported into the Fritzbox.
vpncfg { connections { enabled = yes; editable = no; conn_type = conntype_lan; name = "astlinux.example.tld"; boxuser_id = 0; always_renew = yes; reject_not_encrypted = no; dont_filter_netbios = yes; localip = 0.0.0.0; local_virtualip = 0.0.0.0; remoteip = 0.0.0.0; remote_virtualip = 0.0.0.0; remotehostname = "astlinux.example.tld"; keepalive_ip = 0.0.0.0; localid { fqdn = "fritzbox.example.tld"; } remoteid { fqdn = "astlinux.example.tld"; } mode = phase1_mode_idp; phase1ss = "all/all/all"; keytype = connkeytype_pre_shared; key = "monkey123"; cert_do_server_auth = no; use_nat_t = yes; use_xauth = no; use_cfgmode = no; phase2localid { ipnet { ipaddr = 192.168.178.0; mask = 255.255.255.0; } } phase2remoteid { ipnet { ipaddr = 192.168.101.0; mask = 255.255.255.0; } } phase2ss = "esp-all-all/ah-none/comp-all/pfs"; accesslist = "permit ip any 192.168.101.0 255.255.255.0"; app_id = 0; } ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500"; }
Note: The Fritzbox 7390 (FW 6.51) accepts Pre-shared-Keys with a length up 128 characters, which can be generated e.g. with:
openssl rand -base64 96
Tip -> Similar to IPsec Peers using a preshared key.
pbx3: 10.10.50.64 w/internal LAN 192.168.222.0/24 pbx4: 10.10.50.65 w/internal LAN 192.168.200.0/24
pbx3: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file config setup # strictcrlpolicy=yes # uniqueids = no conn %default left=10.10.50.64 leftsubnet=192.168.222.0/24 dpdaction=restart authby=psk conn pbx4 right=10.10.50.65 rightsubnet=192.168.200.0/24 auto=start
pbx3: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file 10.10.50.64 10.10.50.65 : PSK monkey123
pbx4: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file config setup # strictcrlpolicy=yes # uniqueids = no conn %default left=10.10.50.65 leftsubnet=192.168.200.0/24 dpdaction=restart authby=psk conn pbx3 right=10.10.50.64 rightsubnet=192.168.222.0/24 auto=start
pbx4: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file 10.10.50.64 10.10.50.65 : PSK monkey123
Tip -> Similar to IPsec Peers using certificates.
pbx3: 10.10.50.64 w/internal LAN 192.168.222.0/24 pbx4: 10.10.50.65 w/internal LAN 192.168.200.0/24
For this example, the certificates were created using the (disabled) IPsec Mobile sub-tab on “pbx4” (server) for client “pbx3”, the files are located in /mnt/kd/ipsec/webinterface/keys/
. The required files were manually copied over to the proper /etc/ipsec.d/
directories on “pbx4” and securely transferred to “pbx3”.
pbx3: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file config setup # strictcrlpolicy=yes # uniqueids = no conn %default left=10.10.50.64 leftsubnet=192.168.222.0/24 leftcert=pbx3.crt leftsendcert=never dpdaction=restart conn pbx4 right=10.10.50.65 rightsubnet=192.168.200.0/24 rightcert=server.crt auto=start
pbx3: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file : RSA pbx3.key
pbx3: /etc/ipsec.d/
/etc/ipsec.d/private/pbx3.key /etc/ipsec.d/certs/pbx3.crt /etc/ipsec.d/certs/server.crt /etc/ipsec.d/cacerts/ca.crt
pbx4: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file config setup # strictcrlpolicy=yes # uniqueids = no conn %default left=10.10.50.65 leftsubnet=192.168.200.0/24 leftcert=server.crt leftsendcert=never dpdaction=restart conn pbx3 right=10.10.50.64 rightsubnet=192.168.222.0/24 rightcert=pbx3.crt auto=start
pbx4: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file : RSA server.key
pbx4: /etc/ipsec.d/
/etc/ipsec.d/private/server.key /etc/ipsec.d/certs/pbx3.crt /etc/ipsec.d/certs/server.crt /etc/ipsec.d/cacerts/ca.crt
By default, when “IPsec strongSwan” is enabled, the ipsec-vpn firewall plugin is automatically enabled. This allows any host to access the IPsec service via protocols ESP, AH and UDP 500, 4500.
If you want to restrict who has access to the strongSwan service, define the IPSEC_ALLOWED_ENDPOINTS
variable with a space separated list of IP addresses, defaults to any “0/0” endpoint.
If you want to restrict which remote IPsec VPN networks have access, define the IPSEC_ALLOWED_VPN_NETS
variable with a space separated list of IPsec remote nets (CIDR notation), defaults to allow any remote network.
Either of these variables can be added directly into the /mnt/kd/rc.conf.d/user.conf
file, or edited via the Network tab → Advanced Configuration: User System Variables.
Show internal strongSwan routes:
ip route list table 220
Show association states:
ip xfrm state
Show association policies:
ip xfrm policy