IPsec VPN (strongSwan) Configuration

AstLinux now supports the strongSwan package, an OpenSource IPsec-based VPN solution.

The web interface Network tab “IPsec Peers” and “IPsec Mobile” VPN Types are still supported using ipsec-tools (racoon). The “IPsec strongSwan” method is a more feature-rich alternative to these IPsec methods.

Three key strongSwan features not found in ipsec-tools (racoon):

  • Implements both the IKEv1 and IKEv2 (RFC 7296) key exchange protocols
  • Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
  • Actively developed and supported.

How does this apply within AstLinux …

  • It is clear to the development team that we can't simply “switch” to strongSwan, at least for now: we need to understand strongSwan better, and a point-and-click web interface like our current IPsec Peers / IPsec Mobile would limit strongSwan's features.
  • strongSwan is needed to support endpoints with changing IP addresses and dynamic DNS names using IKEv2 MOBIKE; racoon only supports IKEv1.
  • strongSwan is needed to interoperate with AVM FRITZ!Box 1) routers, very common in Germany and other parts of Europe.
  • Only one of racoon or strongSwan can run at a time, so users can either continue to use IPsec Peers / IPsec Mobile or use the new text configuration with IPsec strongSwan, but not both.

At this point in time, the “IPsec strongSwan” method is implemented as a text-based configuration (with only basic web interface support), so it should be considered for power-user situations.

Warning → It should go without saying: never use the example pre-shared key values shown below, always use randomly generated shared keys that are as long as practical.

Note: AstLinux 1.2.9 or later is required

IPsec strongSwan Configuration

Select the Network Tab in the web interface.
(screenshot: Network Tab)

Locate the IPsec strongSwan entry within Network Services: → VPN Type:

(screenshot: IPsec strongSwan Disabled Config)

Check “IPsec strongSwan” (uncheck any other IPsec VPN entries) and “Save Settings”, then restart IPsec strongSwan…

(screenshot: IPsec strongSwan Enable Config)

IPsec strongSwan is now running, but by default no active associations are defined.

A default configuration has been installed, which you can now edit by clicking on “IPsec Configuration”…

(screenshot: IPsec strongSwan Enabled Config)

Reference: ipsec.conf


Network to AVM FRITZ!Box with Pre-Shared Key


Tested with an AVM FRITZ!Box Fon WLAN 7390 with FRITZ!OS 06.51 and strongSwan 5.5.1 (AstLinux 1.2.9-pre 64-bit)

astlinux.example.tld: Dynamic DNS w/internal LAN 192.168.101.0/24
fritzbox.example.tld: Dynamic DNS w/internal LAN 192.168.178.0/24


astlinux.example.tld: /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
  #charondebug="ike 0, enc 0, knl 0, net 0"
    
conn %default
  dpddelay=15
  dpdtimeout=60
  dpdaction=restart

conn fritzbox
  left=astlinux.example.tld
  leftid=@astlinux.example.tld
  leftsubnet=192.168.101.0/24
  right=fritzbox.example.tld
  rightid=@fritzbox.example.tld
  rightsubnet=192.168.178.0/24
  keyexchange=ikev1
  ike=aes256-sha-modp1024
  esp=aes256-sha1-modp1024
  ikelifetime=3600s
  keylife=3600s
  aggressive=yes
  authby=psk
  #auto=start
  auto=route
  keyingtries=%forever

Note: auto=route seems to work better for reconnecting when the other side is down for a while.


astlinux.example.tld: /etc/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

@astlinux.example.tld @fritzbox.example.tld : PSK monkey123


fritzbox.example.tld: VPN Config

This configuration has to be imported into the FRITZ!Box.

vpncfg {
        connections {
              enabled = yes;
              editable = no;
              conn_type = conntype_lan;
              name = "astlinux.example.tld";
              boxuser_id = 0;
              always_renew = yes;
              reject_not_encrypted = no;
              dont_filter_netbios = yes;
              localip = 0.0.0.0;
              local_virtualip = 0.0.0.0;
              remoteip = 0.0.0.0;
              remote_virtualip = 0.0.0.0;
              remotehostname = "astlinux.example.tld";
              keepalive_ip = 0.0.0.0;
              localid {
                      fqdn = "fritzbox.example.tld";
              }
              remoteid {
                      fqdn = "astlinux.example.tld";
              }
              mode = phase1_mode_idp;
              phase1ss = "all/all/all";
              keytype = connkeytype_pre_shared;
              key = "monkey123";
              cert_do_server_auth = no;
              use_nat_t = yes;
              use_xauth = no;
              use_cfgmode = no;
              phase2localid {
                      ipnet {
                              ipaddr = 192.168.178.0;
                              mask = 255.255.255.0;
                      }
              }
              phase2remoteid {
                      ipnet {
                              ipaddr = 192.168.101.0;
                              mask = 255.255.255.0;
                      }
              }
              phase2ss = "esp-all-all/ah-none/comp-all/pfs";
              accesslist = "permit ip any 192.168.101.0 255.255.255.0";
              app_id = 0;
      }
      ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                          "udp 0.0.0.0:4500 0.0.0.0:4500";
}


Note: The FRITZ!Box 7390 (FW 6.51) accepts pre-shared keys with a length of up to 128 characters, which can be generated e.g. with:

openssl rand -base64 96
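The same key-generation step in Python, together with a check against the 128-character limit mentioned above and a helper that writes the ipsec.secrets entry as a root-only file. This is an added example for this page, not AstLinux's own tooling: the 0600 file mode, the quoting of the key in the secrets line and the function names are choices made here, not something the page prescribes. Note that openssl's base64 output wraps at 64 characters, so the two lines it prints for 96 bytes have to be joined into one before they go into a configuration file; the Python version returns a single line.

```python
"""Generate a random IPsec pre-shared key and render the ipsec.secrets entry.
Added example for this page, not AstLinux code."""
import base64
import os
import secrets

# Character limit the page reports for the FRITZ!Box 7390 with FRITZ!OS 6.51.
FRITZBOX_PSK_MAX = 128


def generate_psk(nbytes=96):
    """Base64 of nbytes of CSPRNG output as one line; 96 bytes give 128
    characters, the same size as 'openssl rand -base64 96' produces."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode('ascii')


def psk_fits(psk, limit=FRITZBOX_PSK_MAX):
    """True if the key is non-empty and within the peer's length limit."""
    return 0 < len(psk) <= limit


def secrets_line(left_id, right_id, psk):
    """One ipsec.secrets line, e.g. '@a @b : PSK "..."'. The key is quoted so
    strongSwan takes it literally whatever characters base64 produced."""
    if '"' in psk or '\n' in psk:
        raise ValueError('PSK must not contain quotes or newlines')
    return '%s %s : PSK "%s"' % (left_id, right_id, psk)


def write_secrets(path, lines):
    """Write the secrets file readable by root only (mode 0600), replacing
    any previous copy; the mode is this example's choice."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write('# ipsec.secrets - strongSwan IPsec secrets file\n\n')
        for line in lines:
            f.write(line + '\n')
    os.chmod(path, 0o600)   # tighten an existing file that had a looser mode


if __name__ == '__main__':
    key = generate_psk()
    assert psk_fits(key)
    # Identifiers from the FRITZ!Box example above; path is illustrative.
    print(secrets_line('@astlinux.example.tld', '@fritzbox.example.tld', key))
```

The same key string has to be pasted into the FRITZ!Box `key = "..."` field, so keep the two copies in sync when rotating it.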


Network to Network with Pre-Shared Key

Tip → Similar to IPsec Peers using a preshared key.

pbx3: 10.10.50.64 w/internal LAN 192.168.222.0/24
pbx4: 10.10.50.65 w/internal LAN 192.168.200.0/24


pbx3: /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  left=10.10.50.64
  leftsubnet=192.168.222.0/24
  dpdaction=restart
  authby=psk

conn pbx4
  right=10.10.50.65
  rightsubnet=192.168.200.0/24
  auto=start


pbx3: /etc/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

10.10.50.64 10.10.50.65 : PSK monkey123


pbx4: /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  left=10.10.50.65
  leftsubnet=192.168.200.0/24
  dpdaction=restart
  authby=psk

conn pbx3
  right=10.10.50.64
  rightsubnet=192.168.222.0/24
  auto=start


pbx4: /etc/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

10.10.50.64 10.10.50.65 : PSK monkey123


Network to Network with Certificates

Tip → Similar to IPsec Peers using certificates.

pbx3: 10.10.50.64 w/internal LAN 192.168.222.0/24
pbx4: 10.10.50.65 w/internal LAN 192.168.200.0/24

For this example, the certificates were created using the (disabled) IPsec Mobile sub-tab on “pbx4” (server) for client “pbx3”; the files are located in /mnt/kd/ipsec/webinterface/keys/. The required files were manually copied to the proper /etc/ipsec.d/ directories on “pbx4” and securely transferred to “pbx3”.


pbx3: /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  left=10.10.50.64
  leftsubnet=192.168.222.0/24
  leftcert=pbx3.crt
  leftsendcert=never
  dpdaction=restart

conn pbx4
  right=10.10.50.65
  rightsubnet=192.168.200.0/24
  rightcert=server.crt
  auto=start


pbx3: /etc/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

: RSA pbx3.key


pbx3: /etc/ipsec.d/

/etc/ipsec.d/private/pbx3.key
/etc/ipsec.d/certs/pbx3.crt
/etc/ipsec.d/certs/server.crt
/etc/ipsec.d/cacerts/ca.crt


pbx4: /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  left=10.10.50.65
  leftsubnet=192.168.200.0/24
  leftcert=server.crt
  leftsendcert=never
  dpdaction=restart

conn pbx3
  right=10.10.50.64
  rightsubnet=192.168.222.0/24
  rightcert=pbx3.crt
  auto=start


pbx4: /etc/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

: RSA server.key


pbx4: /etc/ipsec.d/

/etc/ipsec.d/private/server.key
/etc/ipsec.d/certs/pbx3.crt
/etc/ipsec.d/certs/server.crt
/etc/ipsec.d/cacerts/ca.crt
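Every configuration on this page puts shared settings into conn %default and lets the named conn inherit them, and the certificate examples additionally depend on the files landing in the right /etc/ipsec.d/ subdirectories. The following added example (not AstLinux or strongSwan code) parses an ipsec.conf, resolves the %default inheritance so the effective settings of each conn can be inspected, derives the files a conn expects (relative leftcert/rightcert names resolve to certs/, relative key names from ipsec.secrets to private/) and reports a few consistency notes. The sample input is the pbx3 configuration from the certificate example above; the CA certificate in cacerts/ is not named in the conn and so is not derived here.

```python
"""Resolve 'conn %default' inheritance in a strongSwan ipsec.conf and list
the files under /etc/ipsec.d/ that a certificate-based conn expects.
Added example for this page, not AstLinux or strongSwan code."""
import re

IPSEC_D = '/etc/ipsec.d'

# Sample input: the pbx3 ipsec.conf and ipsec.secrets from the
# "Network to Network with Certificates" example on this page.
SAMPLE_CONF = """\
# ipsec.conf - strongSwan IPsec configuration file

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  left=10.10.50.64
  leftsubnet=192.168.222.0/24
  leftcert=pbx3.crt
  leftsendcert=never
  dpdaction=restart

conn pbx4
  right=10.10.50.65
  rightsubnet=192.168.200.0/24
  rightcert=server.crt
  auto=start
"""
SAMPLE_SECRETS = ": RSA pbx3.key\n"


def parse_sections(text):
    """Return {(kind, name): {key: value}}; section headers start in column 0,
    settings are indented key=value lines, '#' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(' ')
            current = sections.setdefault((kind, name.strip()), {})
            continue
        if current is None:
            raise ValueError('setting before any section: %r' % raw)
        key, sep, value = line.strip().partition('=')
        if not sep:
            raise ValueError('expected key=value: %r' % raw)
        current[key.strip()] = value.strip()
    return sections


def effective_conns(sections):
    """Each named conn with the %default settings filled in underneath it."""
    default = sections.get(('conn', '%default'), {})
    conns = {}
    for (kind, name), settings in sections.items():
        if kind == 'conn' and name != '%default':
            merged = dict(default)
            merged.update(settings)   # a conn's own setting overrides %default
            conns[name] = merged
    return conns


def private_keys(secrets_text):
    """Key files named in ipsec.secrets lines such as ': RSA pbx3.key'."""
    pattern = re.compile(r'^\s*[^:#]*:\s*(?:RSA|ECDSA)\s+(\S+)')
    return [m.group(1) for m in map(pattern.match, secrets_text.splitlines()) if m]


def auth_method(conn):
    """'psk', 'pubkey' or 'unknown', as the conn is written."""
    if conn.get('authby') == 'psk':
        return 'psk'
    if 'leftcert' in conn or conn.get('authby') in ('pubkey', 'rsasig'):
        return 'pubkey'
    return 'unknown'


def required_files(conn, key_files):
    """Relative cert names resolve to certs/, relative key names to private/."""
    paths = []
    for side in ('left', 'right'):
        cert = conn.get(side + 'cert')
        if cert and not cert.startswith('/'):
            paths.append('%s/certs/%s' % (IPSEC_D, cert))
    for key in key_files:
        if not key.startswith('/'):
            paths.append('%s/private/%s' % (IPSEC_D, key))
    return paths


def check_conn(conn):
    """Consistency notes for one effective conn; an empty list means none."""
    notes = []
    for side in ('left', 'right'):
        if side not in conn:
            notes.append('%s= is missing' % side)
    if auth_method(conn) == 'unknown':
        notes.append('neither authby=psk nor leftcert= is set')
    if auth_method(conn) == 'psk' and conn.get('aggressive') == 'yes':
        notes.append('IKEv1 aggressive mode with a PSK: the key must be long and random')
    if 'auto' in conn and conn['auto'] not in ('add', 'route', 'start', 'ignore'):
        notes.append('auto=%s is not a valid value' % conn['auto'])
    return notes


if __name__ == '__main__':
    conns = effective_conns(parse_sections(SAMPLE_CONF))
    keys = private_keys(SAMPLE_SECRETS)
    for name, conn in conns.items():
        print('conn %s (%s)' % (name, auth_method(conn)))
        for key in sorted(conn):
            print('  %s=%s' % (key, conn[key]))
        for path in required_files(conn, keys):
            print('  needs %s' % path)
        for note in check_conn(conn):
            print('  note: %s' % note)
```

Run against the real files with `parse_sections(open('/etc/ipsec.conf').read())`, then compare the paths it prints with the /etc/ipsec.d/ listings above before restarting strongSwan.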


Firewall Settings

By default, when “IPsec strongSwan” is enabled, the ipsec-vpn firewall plugin is automatically enabled. This allows any host to reach the IPsec service via the ESP and AH protocols and UDP ports 500 and 4500.

If you want to restrict who has access to the strongSwan service, define the IPSEC_ALLOWED_ENDPOINTS variable with a space-separated list of IP addresses; it defaults to any endpoint (“0/0”).

If you want to restrict which remote IPsec VPN networks have access, define the IPSEC_ALLOWED_VPN_NETS variable with a space-separated list of IPsec remote networks (CIDR notation); it defaults to allowing any remote network.

Either of these variables can be added directly into the /mnt/kd/rc.conf.d/user.conf file, or edited via the Network tab → Advanced Configuration: User System Variables.
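Once these variables are restricted, each peer's right= address must still be inside IPSEC_ALLOWED_ENDPOINTS and each rightsubnet= inside IPSEC_ALLOWED_VPN_NETS, otherwise the tunnel negotiates but the firewall drops the traffic. The following added example (not AstLinux code) reads the two variables from user.conf-style text and checks already-resolved conn settings against them. The NAME="value" line format and the sample values are assumptions constructed from the pbx3 network-to-network example; the special case for the page's “0/0” spelling of “any” is handled because Python's ipaddress module only accepts it as 0.0.0.0/0.

```python
"""Check strongSwan conn peers and remote subnets against the ipsec-vpn
firewall variables. Added example for this page, not AstLinux code; the
NAME="value" line format for user.conf is assumed."""
import ipaddress

# Constructed sample: a restricted user.conf for the pbx3 side.
SAMPLE_USER_CONF = '''
# user.conf (constructed sample)
IPSEC_ALLOWED_ENDPOINTS="10.10.50.65"
IPSEC_ALLOWED_VPN_NETS="192.168.200.0/24"
'''

# Effective conn settings, taken from the pbx3 ipsec.conf on this page.
SAMPLE_CONNS = {
    'pbx4': {'right': '10.10.50.65', 'rightsubnet': '192.168.200.0/24'},
}


def read_vars(text):
    """Parse NAME="value" or NAME=value lines into a dict (assumed format)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        name, value = line.split('=', 1)
        out[name.strip()] = value.strip().strip('"').strip("'")
    return out


def as_networks(value, default='0.0.0.0/0'):
    """Split a space separated list into networks. '0/0' (the page's spelling
    of 'any') is normalised, and an unset variable means any network."""
    nets = []
    for item in (value or default).split():
        if item == '0/0':
            item = '0.0.0.0/0'
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_address(value):
    """True for a literal IPv4/IPv6 address, False for names or %any."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def covered(target, nets):
    """True if the address or network `target` lies inside one of `nets`."""
    t = ipaddress.ip_network(target, strict=False)
    return any(t.subnet_of(n) for n in nets if n.version == t.version)


def check_firewall(conns, user_vars):
    """Return (conn, problem) pairs; an empty list means consistent."""
    endpoints = as_networks(user_vars.get('IPSEC_ALLOWED_ENDPOINTS'))
    vpn_nets = as_networks(user_vars.get('IPSEC_ALLOWED_VPN_NETS'))
    problems = []
    for name, conn in conns.items():
        right = conn.get('right', '')
        if not is_address(right):
            # Dynamic DNS names (the FRITZ!Box example) cannot be checked statically.
            problems.append((name, 'right=%s is not a literal address; '
                                   'IPSEC_ALLOWED_ENDPOINTS cannot be checked' % right))
        elif not covered(right, endpoints):
            problems.append((name, 'right=%s not in IPSEC_ALLOWED_ENDPOINTS' % right))
        subnet = conn.get('rightsubnet')
        if subnet and not covered(subnet, vpn_nets):
            problems.append((name, 'rightsubnet=%s not in IPSEC_ALLOWED_VPN_NETS' % subnet))
    return problems


if __name__ == '__main__':
    for conn, problem in check_firewall(SAMPLE_CONNS, read_vars(SAMPLE_USER_CONF)):
        print('%s: %s' % (conn, problem))
```

For a peer reached by a dynamic DNS name, as in the FRITZ!Box example, IPSEC_ALLOWED_ENDPOINTS cannot be pinned to one address; leave it at the default and rely on IPSEC_ALLOWED_VPN_NETS plus the peer authentication instead.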


Debugging CLI Commands

Show internal strongSwan routes:

ip route list table 220

Show association states:

ip xfrm state

Show association policies:

ip xfrm policy



1) Quality home routers/PBX, used by many ISPs. Good support from the vendor.