Differences

This shows you the differences between two versions of the page.

--- userdoc:tt_ipsec_vpn_strongswan [2016/12/08 15:22] – [Network to AVM FRITZ!Box with Pre-Shared Key] droemel
+++ userdoc:tt_ipsec_vpn_strongswan [2021/03/02 14:11] (current) – [IPsec VPN (strongSwan) Configuration] abelbeck
@@ Line 3: / Line 3: @@
 AstLinux now supports the [[https://www.strongswan.org/|strongSwan]] package, an OpenSource IPsec-based VPN solution.
-The web interface Network tab, "IPsec Peers" and "IPsec Mobile" VPN Types are still supported using [[https://sourceforge.net/projects/ipsec-tools/|ipsec-tools (racoon)]], the "IPsec strongSwan" method is a more feature rich alternative to the other IPsec methods.
+!!Note:!!  The ipsec-tools (racoon) support in AstLinux has been **removed** in !!AstLinux  1.4.2!!. The [[https://sourceforge.net/projects/ipsec-tools/|ipsec-tools (racoon)]] project is now abandoned and its source has been lagging behind in adapting to new threats.
+The web interface Network tab, "IPsec Peers" and "IPsec Mobile" VPN Types that used ipsec-tools (racoon) has been **removed** in !!AstLinux  1.4.2!!., the "IPsec strongSwan" method is a more feature rich alternative to the other IPsec methods.
 Three key strongSwan features not found in ipsec-tools (racoon):
@@ Line 13: / Line 15: @@
 How does this apply within AstLinux ...
-  * It is clear to the development team that we can't "switch" to strongSwan, at least for now, we need to understand strongSwan better, plus a point-and-click web interface like our current IPsec Peers / IPsec Mobile would limit strongSwan features.
+  * A point-and-click web interface like the removed IPsec Peers / IPsec Mobile would limit strongSwan features.
   * strongSwan is needed to support endpoints with changing IP's and dynamic DNS names using IKEv2 MOBIKE, racoon only supports IKEv1.
   * strongSwan is needed to interoperate with [[https://en.avm.de/products/fritzbox/|AVM FRITZ!Box]]((Quality home routers/PBX, used by many ISPs. Good support from the vendor.)) routers, very common in Germany and other parts of Europe.
-  * Either racoon or strongSwan can run at a time, so users can continue to use IPsec Peers / IPsec Mobile or use a new text configuration with IPsec strongSwan, but not both.
-At this point in time, the "IPsec strongSwan" method is implemented as a __text based configuration__ (only basic web interface support), so this should be considered for power-user situations.
+At this point in time, the "IPsec strongSwan" method is implemented as a __text based configuration__ (only basic web interface support).
 !!Warning ->!! It should go without saying, never use the example pre-shared key values shown below, always use as long as practical, randomly generated shared keys.
@@ Line 50: / Line 51: @@
 \\
-Tested with a AVM FRITZ!Box Fon WLAN 7390 with FRITZ!OS 06.51 and strongSwan 5.5.1
+Tested with a AVM FRITZ!Box Fon WLAN 7390 with FRITZ!OS 06.51 and strongSwan 5.5.1 (AstLinux 1.2.9-pre 64-bit)
   astlinux.example.tld: Dynamic DNS w/internal LAN 192.168.101.0/24
@@ Line 61: / Line 62: @@
   config setup
+    #charondebug="ike 0, enc 0, knl 0, net 0"
   conn %default
     dpddelay=15
@@ Line 81: / Line 83: @@
     aggressive=yes
     authby=psk
-    auto=start
+    #auto=start
+    auto=route
+    keyingtries=%forever
+!!Note:!! ''auto=route'' seems to work better with reconnecting, when the other side is down for a while.
 \\
 **astlinux.example.tld: /etc/ipsec.secrets**