strongswan, revision of Thu, 14/01/2021 - 11:26


Last updated: 2021-01-14

Install

Setup

# OS: CentOS 7, strongswan-5.7.2

yum install epel-release

yum install strongswan

Enable Service

systemctl start strongswan

systemctl enable strongswan

Checking

netstat -nlup

strongswan --help

strongswan version

OS Setting

/etc/sysctl.conf

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 1

sysctl -p

Diagram

(192.168.88.0/24) Site A (10.0.0.88) <-> (10.0.0.160) Site B (192.168.160.0/24)

Configure

Config File Location

cd /etc/strongswan

ipsec.secrets

# man strongswan_ipsec.secrets

strongSwan's IKE daemon reads this file.

Generate Preshared Key

openssl rand -base64 16

????

ipsec.secrets

10.0.0.88 10.0.0.160 : PSK "????"

Format

# comment
[ <selectors> ] : PSK <secret>

The selectors and the secret are separated by a colon (:) surrounded by whitespace.

A selector is an IP address, a fully qualified domain name, or %any.

secret

  A secret prefixed with 0x is interpreted as a sequence of hexadecimal digits.

  A secret prefixed with 0s is interpreted as Base64 encoded binary data.

  Otherwise the secret is taken as a literal string, normally in double quotes (as in the PSK "????" entry above).
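
As an added example, not part of the original notes: a small Python parser for the ipsec.secrets PSK format described above, covering the 0x/0s encodings and quoted literals, plus a check that flags PSKs shorter than 16 bytes. The sample file content, the selector vpn.example.com and all key values are constructed.

```python
import base64
import ipaddress
import re

# Constructed sample ipsec.secrets content (not from the page); the PSK values are made up.
SAMPLE_SECRETS = """\
# comment
10.0.0.88 10.0.0.160 : PSK "ZmFrZS1wc2stZm9yLWRlbW8="
%any vpn.example.com : PSK 0x00112233445566778899aabbccddeeff
: PSK 0sc2hvcnQ=
"""
# "<selectors> : PSK <secret>": the colon is surrounded by whitespace; the selector list may be empty.
LINE_RE = re.compile(r"^(?P<sel>(?:\S+\s+)*):\s+(?P<kind>\S+)\s+(?P<secret>\S+)$")
FQDN_RE = re.compile(r"^[A-Za-z0-9.-]+$")

def is_valid_selector(sel: str) -> bool:
    """A selector is an IP address, a fully qualified domain name, or %any."""
    try:
        ipaddress.ip_address(sel)
        return True
    except ValueError:
        return sel == "%any" or bool(FQDN_RE.match(sel))

def decode_secret(token: str) -> bytes:
    """0x -> hexadecimal digits, 0s -> Base64 binary; otherwise a (double-quoted) literal string."""
    if token.startswith("0x"):
        return bytes.fromhex(token[2:])
    if token.startswith("0s"):
        return base64.b64decode(token[2:], validate=True)
    return token.strip('"').encode()

def parse_ipsec_secrets(text: str) -> list:
    """Return [(selectors, secret_bytes), ...] for every PSK entry; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None or m.group("kind") != "PSK":
            raise ValueError(f"not a PSK entry: {line!r}")
        selectors = m.group("sel").split()
        if not all(is_valid_selector(s) for s in selectors):
            raise ValueError(f"invalid selector in {line!r}")
        entries.append((selectors, decode_secret(m.group("secret"))))
    return entries

def weak_psks(entries: list, min_bytes: int = 16) -> list:
    # Selectors of entries whose decoded PSK is shorter than min_bytes (openssl rand ... 16 gives 16 bytes).
    return [sels for sels, secret in entries if len(secret) < min_bytes]
```

Note that a quoted value such as the output of openssl rand -base64 16 is used as the 24-character text itself; only the 0s prefix makes strongSwan use the 16 decoded bytes.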

strongswan.conf

# man strongswan.conf

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

ipsec.conf

# man strongswan_ipsec.conf

config setup
        charondebug="all"
        uniqueids=yes

conn dc-to-office
        auto=start
        type=tunnel
        keyexchange=ikev2
        authby=psk
        # Net
        left=10.0.0.160
        leftsubnet=192.168.160.0/24
        right=10.0.0.88
        rightsubnet=192.168.88.0/24
        # Enc ("sha128" is not a valid strongSwan keyword; use sha256, or sha1 for legacy peers)
        # modp1024 is a 1024-bit DH group and is considered weak; prefer modp2048 or stronger
        ike=aes256-sha256-modp1024!
        esp=aes256-sha256!
        # lifetime
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        # DPD
        dpdaction=restart
        dpddelay=30s
        # IKEv1 Setting
        #aggressive=no
        #dpdtimeout=120s

Notes

auto

Whether this conn is brought up when ipsec starts (add, route, start, and ignore (the default))

add: loads a connection without starting it.

route: loads a connection  and  installs  kernel  traps.

start: loads a connection and brings  it up immediately.

ignore: ignores the connection.

left or right

left or right is arbitrary; it is unrelated to which side is local or remote

ike = <cipher suites>

comma-separated list of IKE/ISAKMP SA encryption/authentication

Format: encryption-integrity[-prf]-dhgroup

If no PRF is given, the algorithms defined for integrity are used for the PRF.

i.e.

aes256-sha256-modp2048

In IKEv2, multiple algorithms and proposals may be included

aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024

The daemon adds its extensive default proposal to this default or the configured value.

To restrict it to the configured proposal an exclamation mark (!) can be added at the end.

esp = <cipher suites>

encryption-integrity[-dhgroup][-esnmode]

aes256-sha256

keyingtries = 3 (default)

how many attempts should be made to negotiate a connection, or a replacement for one, before giving up.

IKEv1 Setting

aggressive

    whether to use IKEv1 Aggressive or Main Mode (the default)

dpdtimeout

    only applies to IKEv1. In IKEv2 the default retransmission timeout applies

strongswan

ipsec - invoke IPsec utilities

# man strongswan

Start / Stop

start

calls starter which in turn parses ipsec.conf and starts the IKE daemon charon

stop

terminates all IPsec connections and stops the IKE daemon charon by sending a TERM signal to starter

restart

stop followed by start

update

sends a HUP signal to starter which in turn determines any changes in ipsec.conf and updates the configuration on the running IKE daemon charon

reload

sends a USR1 signal to starter which in turn reloads the whole configuration of the running IKE daemon charon based on the actual ipsec.conf

up / down name

up name: tells the IKE daemon to start up connection name.

down name: tells the IKE daemon to terminate connection name.

route name / unroute name

tells the responsible IKE daemon to insert an IPsec policy in the kernel for connection name.

The first payload packet matching the IPsec policy will automatically trigger an IKE connection setup.

i.e.

strongswan start

Starting strongSwan 5.7.2 IPsec [starter]...

Status

status

Security Associations (0 up, 0 connecting):
  none

statusall

Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1160.11.1.el7.x86_64, x86_64):
  uptime: 8 minutes, since Jan 14 03:13:45 2021
  malloc: sbrk 2666496, mmap 0, used 581424, free 2085072
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ...
Listening IP addresses:
  192.168.160.253
Connections:
Security Associations (0 up, 0 connecting):
  none

Other

rereadsecrets

flushes and rereads all secrets defined in ipsec.secrets

resetcounters [name]

resets global or connection specific counters.

swanctl

Phase 2 proposal (SA/Key Exchange)[IKE]