Introduction:
strongswan (95968)
Minimal install:
opkg install strongswan-minimal
meta-packages:
- strongswan-default
  Depends: libc, strongswan, strongswan-charon, strongswan-mod-aes, strongswan-mod-attr, strongswan-mod-constraints, strongswan-mod-des, strongswan-mod-dnskey, strongswan-mod-fips-prf, strongswan-mod-gmp, strongswan-mod-hmac, strongswan-mod-kernel-netlink, strongswan-mod-md5, strongswan-mod-nonce, strongswan-mod-pem, strongswan-mod-pgp, strongswan-mod-pkcs1, strongswan-mod-pubkey, strongswan-mod-random, strongswan-mod-resolve, strongswan-mod-revocation, strongswan-mod-sha1, strongswan-mod-sha2, strongswan-mod-socket-default, strongswan-mod-stroke, strongswan-mod-updown, strongswan-mod-x509, strongswan-mod-xauth-generic, strongswan-mod-xcbc, strongswan-utils
- strongswan-full
- strongswan-minimal (minimal IKEv2 setup)
  Depends: libc, strongswan, strongswan-charon, strongswan-mod-aes, strongswan-mod-gmp, strongswan-mod-hmac, strongswan-mod-kernel-netlink, strongswan-mod-nonce, strongswan-mod-pubkey, strongswan-mod-random, strongswan-mod-sha1, strongswan-mod-socket-default, strongswan-mod-stroke, strongswan-mod-updown, strongswan-mod-x509, strongswan-mod-xcbc
Other packages:
- iptables-mod-nat-extra (overlapping IP addresses)
strongswan's own configuration files:
/etc/ipsec.conf: Tunnel definitions
/etc/ipsec.secrets: List of preshared keys
/etc/ipsec.d: Folder for certificates
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=no
    # plutostart=no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#    left=%defaultroute
#    leftsubnet=10.1.0.0/16
#    leftcert=selfCert.der
#    leftsendcert=never
#    right=192.168.0.2
#    rightsubnet=10.2.0.0/16
#    rightcert=peerCert.der
#    auto=start

#conn sample-with-ca-cert
#    left=%defaultroute
#    leftsubnet=10.1.0.0/16
#    leftcert=myCert.pem
#    right=192.168.0.2
#    rightsubnet=10.2.0.0/16
#    rightid="C=CH, O=Linux strongSwan CN=peer name"
#    keyexchange=ikev2
#    auto=start
OpenWrt settings:
/etc/config/ipsec: The OpenWrt configuration file for racoon
/etc/init.d/ipsec: The strongSwan start script. It generates the required configuration files for racoon:
- /etc/ipsec.conf
- /var/ipsec.secrets
#/etc/config/ipsec

# Firewall zone. Has to match the defined firewall zone
# Interface that accepts VPN traffic
config 'ipsec'
    option 'zone' 'ipsec-vpn'
    list 'listen' 'eth0'

# exchange_mode: main, aggressive
# authentication_method: Phase 1 authentication
# tunnel: Name of phase 2 section
config 'tunnel' 'acme'
    option 'enabled' '1'
    option 'gateway' '7.7.7.7'
    option 'authentication_method' 'psk'
    option 'pre_shared_key' 'yourpasswordhere'
    list 'p1_proposal' 'pre_g2_aes_sha1'
    list 'tunnel' 'acme_dmz'
    list 'tunnel' 'acme_lan'

# dh_group: Diffie-Hellman
config 'p1_proposal' 'pre_g2_aes_sha1'
    option 'encryption_algorithm' 'aes128'
    option 'hash_algorithm' 'sha1'
    option 'dh_group' 'modp1024'

# pfs_group: Diffie-Hellman
config 'p2_proposal' 'g2_aes_sha1'
    option 'pfs_group' 'modp1024'
    option 'encryption_algorithm' 'aes 128'
    option 'authentication_algorithm' 'sha1'

# network definition per tunnel
# p2_proposal: name of the p2_proposal section to use
config 'tunnel' 'acme_lan'
    option 'local_subnet' '192.168.2.64/26'
    option 'remote_subnet' '10.1.2.0/24'
    option 'p2_proposal' 'g2_aes_sha1'

config 'tunnel' 'acme_dmz'
    option 'local_subnet' '192.168.2.64/26'
    option 'remote_subnet' '66.77.88.192/26'
    option 'p2_proposal' 'g2_aes_sha1'
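To make the mapping from UCI sections to tunnel definitions concrete, here is an added Python sketch (not OpenWrt's /etc/init.d/ipsec script, whose exact output is not shown on this page) that parses a constructed excerpt of the file above and renders one strongSwan conn block per phase-2 tunnel. The strict-proposal '!' suffix (so nothing weaker than the configured algorithms is negotiated) and the 'aes 128' to 'aes128' normalisation are assumptions of this example.

```python
import shlex
# Constructed excerpt of the /etc/config/ipsec example above (not the init script's real input).
SAMPLE_UCI = """\
config 'tunnel' 'acme'
    option 'gateway' '7.7.7.7'
    option 'authentication_method' 'psk'
    list 'p1_proposal' 'pre_g2_aes_sha1'
    list 'tunnel' 'acme_lan'
config 'p1_proposal' 'pre_g2_aes_sha1'
    option 'encryption_algorithm' 'aes128'
    option 'hash_algorithm' 'sha1'
    option 'dh_group' 'modp1024'
config 'p2_proposal' 'g2_aes_sha1'
    option 'pfs_group' 'modp1024'
    option 'encryption_algorithm' 'aes 128'
    option 'authentication_algorithm' 'sha1'
config 'tunnel' 'acme_lan'
    option 'local_subnet' '192.168.2.64/26'
    option 'remote_subnet' '10.1.2.0/24'
    option 'p2_proposal' 'g2_aes_sha1'
"""
def parse_uci(text):
    """Parse UCI config/option/list lines into {section_name: {key: value}}."""
    sections, cur = {}, None
    for parts in filter(None, map(shlex.split, text.splitlines())):  # shlex honours the quotes
        if parts[0] == 'config':             # config '<type>' ['<name>']; '#' comments match nothing
            cur = sections[parts[-1]] = {'.type': parts[1]}
        elif parts[0] == 'option':
            cur[parts[1]] = parts[2]
        elif parts[0] == 'list':             # repeatable key -> list of values
            cur.setdefault(parts[1], []).append(parts[2])
    return sections

def build_ipsec_conf(sections):
    """One strongSwan conn block per phase-2 tunnel of every gateway section (assumed layout)."""
    conns = []
    for gw in sections.values():
        if gw['.type'] != 'tunnel' or 'gateway' not in gw:
            continue                          # sub-tunnels carry no gateway
        p1 = sections[gw['p1_proposal'][0]]
        ike = '-'.join((p1['encryption_algorithm'], p1['hash_algorithm'], p1['dh_group']))
        for name in gw['tunnel']:
            t, p2 = sections[name], sections[sections[name]['p2_proposal']]
            esp = '-'.join((p2['encryption_algorithm'].replace(' ', ''),  # 'aes 128' -> 'aes128'
                            p2['authentication_algorithm'], p2['pfs_group']))
            conns.append('conn %s\n    left=%%defaultroute\n    leftsubnet=%s\n    right=%s\n'
                         '    rightsubnet=%s\n    ike=%s!\n    esp=%s!\n    authby=%s\n    auto=start'
                         % (name, t['local_subnet'], gw['gateway'], t['remote_subnet'],
                            ike, esp, gw['authentication_method']))
    return '\n\n'.join(conns) + '\n'
```

Run `print(build_ipsec_conf(parse_uci(SAMPLE_UCI)))` to see the generated conn block; feeding the real file in place of SAMPLE_UCI works the same way for the 'tunnel', 'p1_proposal' and 'p2_proposal' sections shown above.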
Windows 7 native VPN client proposals:
Proposal  Encryption  Hash  DH Group
#1        aes256      sha1  20
#2        aes128      sha1  19
#3        aes256      sha1  modp2048
#4        3des        sha1  modp2048
#5        3des        sha1  modp1024
firewall:
lan:0.0.0.0/0:* vpn:10.1.2.0/24:* ACCEPT
Three rules are required.
ESP payload: the encrypted data packets
ISAKMP: Handling of security associations (SA)
NAT-T: Handling of IPsec between natted devices
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT
CPU throughput:
MIPS 24k @ 400 MHz: AES128 16.5 MBit/s, AES256 14.2 MBit/s
Juniper Netscreen 5GT can easily reach a VPN throughput of 20 MBit/sec.
A good tradeoff could be to choose AES256/SHA1 for phase 1 and AES128/MD5 for phase 2.
/proc/crypto (algorithms and drivers registered with the kernel crypto API)
mcespi.ko
Docs:
http://wiki.openwrt.org/doc/howto/vpn.ipsec.basics
http://wiki.openwrt.org/doc/uci/ipsec
http://wiki.openwrt.org/doc/howto/vpn.ipsec.firewall
http://wiki.openwrt.org/doc/howto/vpn.ipsec.site2site
http://wiki.openwrt.org/doc/howto/vpn.ipsec.overlappingsubnets