IPsec VPN (strongSwan) Configuration
AstLinux supports the strongSwan package, an open-source IPsec-based VPN solution.
Note: The ipsec-tools (racoon) support in AstLinux was removed in AstLinux 1.4.2. The ipsec-tools (racoon) project is abandoned upstream and its source had been lagging behind in adapting to new threats.
The web interface Network tab “IPsec Peers” and “IPsec Mobile” VPN Types, which used ipsec-tools (racoon), were removed in AstLinux 1.4.2. The “IPsec strongSwan” method is a more feature-rich alternative to those IPsec methods.
Three key strongSwan features not found in ipsec-tools (racoon):
- Implements both the IKEv1 and IKEv2 (RFC 7296) key exchange protocols
- Dynamic IP address and interface updates with IKEv2 MOBIKE (RFC 4555)
- Actively developed and supported
How does this apply within AstLinux …
- A point-and-click web interface like the removed IPsec Peers / IPsec Mobile would limit strongSwan features.
- strongSwan is needed to support endpoints with changing IP addresses and dynamic DNS names using IKEv2 MOBIKE; racoon only supports IKEv1.
- strongSwan is needed to interoperate with AVM FRITZ!Box routers, which are very common in Germany and other parts of Europe.
At this point in time, the “IPsec strongSwan” method is implemented as a text-based configuration (with only basic web interface support).
Warning -> It should go without saying: never use the example pre-shared key values shown below (monkey123). Always use randomly generated shared keys that are as long as the peers allow. This matters most for the IKEv1 aggressive-mode PSK setup used with the FRITZ!Box below: in aggressive mode the PSK-derived authentication hash travels before the exchange is encrypted, so anyone who captures a single connection attempt can brute-force a short or dictionary key offline.
Note: AstLinux 1.2.9 or later is required
IPsec strongSwan Configuration
Select the Network Tab in the web interface.
Locate the IPsec strongSwan entry within Network Services: → VPN Type:
Check “IPsec strongSwan” (uncheck any other IPsec VPN entries) and “Save Settings”, then restart IPsec strongSwan…
IPsec strongSwan is now running, but by default no active associations are defined.
A default configuration has been installed, which you can now edit by clicking on “IPsec Configuration”…
Reference: ipsec.conf
Network to AVM FRITZ!Box with Pre-Shared Key
Tested with an AVM FRITZ!Box Fon WLAN 7390 with FRITZ!OS 06.51 and strongSwan 5.5.1 (AstLinux 1.2.9-pre 64-bit)
astlinux.example.tld: Dynamic DNS w/internal LAN 192.168.101.0/24
fritzbox.example.tld: Dynamic DNS w/internal LAN 192.168.178.0/24
astlinux.example.tld: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
        #charondebug="ike 0, enc 0, knl 0, net 0"

conn %default
        # Dead Peer Detection: probe every 15s, declare the peer dead after 60s
        # without a reply, then renegotiate the tunnel
        dpddelay=15
        dpdtimeout=60
        dpdaction=restart

conn fritzbox
        left=astlinux.example.tld
        leftid=@astlinux.example.tld
        leftsubnet=192.168.101.0/24
        right=fritzbox.example.tld
        rightid=@fritzbox.example.tld
        rightsubnet=192.168.178.0/24
        # tested against FRITZ!OS 06.51 with IKEv1 aggressive mode and a PSK
        keyexchange=ikev1
        # "sha" is strongSwan's alias for sha1, so both proposals use AES-256/SHA-1/DH group 2
        ike=aes256-sha-modp1024
        esp=aes256-sha1-modp1024
        ikelifetime=3600s
        keylife=3600s
        aggressive=yes
        authby=psk
        #auto=start
        # route: install the policy now, negotiate when traffic first matches it
        auto=route
        keyingtries=%forever
Note: auto=route seems to work better for reconnecting when the other side is down for a while: the policy is installed immediately and the IKE negotiation is triggered by the first matching packet, rather than being started once at boot as with auto=start.
astlinux.example.tld: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file

@astlinux.example.tld @fritzbox.example.tld : PSK monkey123
fritzbox.example.tld: VPN Config
This configuration has to be imported into the FRITZ!Box.
vpncfg {
        connections {
                enabled = yes;
                editable = no;
                conn_type = conntype_lan;
                name = "astlinux.example.tld";
                boxuser_id = 0;
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "astlinux.example.tld";
                keepalive_ip = 0.0.0.0;
                localid {
                        fqdn = "fritzbox.example.tld";
                }
                remoteid {
                        fqdn = "astlinux.example.tld";
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "monkey123";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.178.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.101.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.101.0 255.255.255.0";
                app_id = 0;
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
Note: The FRITZ!Box 7390 (FRITZ!OS 06.51) accepts pre-shared keys up to 128 characters long, which can be generated, for example, with:
openssl rand -base64 96
(96 random bytes encode to exactly 128 base64 characters with no padding.)
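The same key has to land on both ends, once in strongSwan's ipsec.secrets and once in the FRITZ!Box vpncfg import. The following script is an added example, not part of the AstLinux page or the strongSwan project: it generates one 128-character PSK with the openssl command above and renders both configuration lines from it, using the host names of this page's example (the key value is random on every run).

```sh
#!/bin/sh
# Added example (not from the AstLinux page): generate one random pre-shared
# key and render it for both ends of the astlinux.example.tld <->
# fritzbox.example.tld tunnel, so the identical value lands in strongSwan's
# ipsec.secrets and in the FRITZ!Box vpncfg import. Host names follow the
# page's example; the secret itself is freshly random on every run.

# 96 random bytes encode to exactly 128 base64 characters (no '=' padding),
# the maximum PSK length the FRITZ!Box 7390 accepts. openssl wraps its
# output at 64 columns, so the embedded newlines are stripped.
gen_psk() {
    openssl rand -base64 96 | tr -d '\n'
}

# Count the characters of a PSK (no trailing newline is counted).
psk_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# strongSwan /etc/ipsec.secrets line: both IDs, then the quoted PSK.
# Quoting lets '/', '+' and other base64 characters through intact.
secrets_line() {
    printf '@astlinux.example.tld @fritzbox.example.tld : PSK "%s"\n' "$1"
}

# FRITZ!Box vpncfg "key" entry, to paste in place of key = "monkey123";
fritz_key_line() {
    printf 'key = "%s";\n' "$1"
}

PSK=$(gen_psk)
echo "# ${#PSK}-character PSK generated"
echo "# --- /etc/ipsec.secrets on astlinux.example.tld ---"
secrets_line "$PSK"
echo "# --- vpncfg key entry for fritzbox.example.tld ---"
fritz_key_line "$PSK"
```

Run it once on the AstLinux box, paste the first line into /etc/ipsec.secrets and the second into the vpncfg file before importing it, then restart IPsec strongSwan; the script prints the key only on stdout, so it leaves nothing behind in shell history.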
Network to Network with Pre-Shared Key
Tip -> Similar to the removed IPsec Peers method using a pre-shared key.
pbx3: 10.10.50.64 w/internal LAN 192.168.222.0/24
pbx4: 10.10.50.65 w/internal LAN 192.168.200.0/24
pbx3: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        left=10.10.50.64
        leftsubnet=192.168.222.0/24
        dpdaction=restart
        authby=psk

conn pbx4
        right=10.10.50.65
        rightsubnet=192.168.200.0/24
        auto=start
pbx3: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file

10.10.50.64 10.10.50.65 : PSK monkey123
pbx4: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        left=10.10.50.65
        leftsubnet=192.168.200.0/24
        dpdaction=restart
        authby=psk

conn pbx3
        right=10.10.50.64
        rightsubnet=192.168.222.0/24
        auto=start
pbx4: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file

10.10.50.64 10.10.50.65 : PSK monkey123
Network to Network with Certificates
Tip -> Similar to the removed IPsec Peers method using certificates.
pbx3: 10.10.50.64 w/internal LAN 192.168.222.0/24
pbx4: 10.10.50.65 w/internal LAN 192.168.200.0/24
For this example, the certificates were created using the (since removed) IPsec Mobile sub-tab on “pbx4” (server) for client “pbx3”; the generated files are located in /mnt/kd/ipsec/webinterface/keys/. The required files were manually copied to the proper /etc/ipsec.d/ directories on “pbx4” and securely transferred to “pbx3”. Only the private key belonging to each host should ever be present on it; the CA certificate and both end-entity certificates are needed on both ends.
pbx3: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        left=10.10.50.64
        leftsubnet=192.168.222.0/24
        # our own certificate (from /etc/ipsec.d/certs); with a certificate
        # configured and no authby, strongSwan authenticates with a public-key signature
        leftcert=pbx3.crt
        # the peer already holds pbx3.crt locally (its rightcert), so it is never sent in-band
        leftsendcert=never
        dpdaction=restart

conn pbx4
        right=10.10.50.65
        rightsubnet=192.168.200.0/24
        # pin the peer to exactly this certificate
        rightcert=server.crt
        auto=start
pbx3: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file

# private key matching pbx3.crt, looked up in /etc/ipsec.d/private/
: RSA pbx3.key
pbx3: /etc/ipsec.d/
/etc/ipsec.d/private/pbx3.key
/etc/ipsec.d/certs/pbx3.crt
/etc/ipsec.d/certs/server.crt
/etc/ipsec.d/cacerts/ca.crt
pbx4: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        left=10.10.50.65
        leftsubnet=192.168.200.0/24
        # our own certificate (from /etc/ipsec.d/certs); public-key authentication is the default
        leftcert=server.crt
        # the peer already holds server.crt locally (its rightcert), so it is never sent in-band
        leftsendcert=never
        dpdaction=restart

conn pbx3
        right=10.10.50.64
        rightsubnet=192.168.222.0/24
        # pin the peer to exactly this certificate
        rightcert=pbx3.crt
        auto=start
pbx4: /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file

# private key matching server.crt, looked up in /etc/ipsec.d/private/
: RSA server.key
pbx4: /etc/ipsec.d/
/etc/ipsec.d/private/server.key
/etc/ipsec.d/certs/pbx3.crt
/etc/ipsec.d/certs/server.crt
/etc/ipsec.d/cacerts/ca.crt
Firewall Settings
By default, when “IPsec strongSwan” is enabled, the ipsec-vpn firewall plugin is automatically enabled. This allows any host to reach the IPsec service via the ESP and AH protocols and UDP ports 500 and 4500 (IKE and NAT-T).
If you want to restrict who has access to the strongSwan service, define the IPSEC_ALLOWED_ENDPOINTS variable with a space-separated list of IP addresses; it defaults to any endpoint (“0/0”).
If you want to restrict which remote IPsec VPN networks have access, define the IPSEC_ALLOWED_VPN_NETS variable with a space-separated list of remote IPsec networks in CIDR notation; it defaults to allowing any remote network.
Either variable can be added directly to the /mnt/kd/rc.conf.d/user.conf file, or edited via the Network tab → Advanced Configuration: User System Variables.
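As an added example (not from the AstLinux page), the following user.conf fragment shows the permissive default next to a tightened setting, using the peer addresses and remote LANs from this page's examples as if one box carried both the pbx4 and the FRITZ!Box tunnels. The address 203.0.113.7 is an assumed placeholder for the FRITZ!Box's current public address.

```sh
# Added example (not from the AstLinux page): /mnt/kd/rc.conf.d/user.conf
# fragment restricting the ipsec-vpn firewall plugin to the peers and remote
# LANs used in this page's examples, as if one box carried both the pbx4 and
# the FRITZ!Box tunnels. 203.0.113.7 is an assumed placeholder for the
# FRITZ!Box's current public address.

# Default (either variable unset): any source may reach IKE (UDP 500/4500),
# ESP and AH, and any remote network is accepted through the tunnel.
#IPSEC_ALLOWED_ENDPOINTS="0/0"

# Only these peer addresses may talk to the IPsec service. The variable holds
# IP addresses, so a dynamic-DNS peer such as the FRITZ!Box has to be listed
# by its current address and updated when that address changes, or else be
# left covered by the default.
IPSEC_ALLOWED_ENDPOINTS="10.10.50.65 203.0.113.7"

# Only traffic from the remote LANs actually negotiated in ipsec.conf
# (the rightsubnet of each conn) is accepted out of the tunnel.
IPSEC_ALLOWED_VPN_NETS="192.168.200.0/24 192.168.178.0/24"
```

Keep the two lists in step with ipsec.conf: a rightsubnet that is missing from IPSEC_ALLOWED_VPN_NETS negotiates fine but its packets are then dropped by the firewall, which looks like a working tunnel that passes no traffic.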
Debugging CLI Commands
Show the routes strongSwan installs in its own routing table (table 220):
ip route list table 220
Show association states:
ip xfrm state
Show association policies:
ip xfrm policy