strongswan四, 14/01/2021 - 17:40 的修訂版本

修訂版本可以讓你追蹤文章的多個版本的不同之處。

最後更新: 2021-01-14

目錄

  • Installation
  • OS Setting
  • Firewall Setting

Installation

 

Setup

# OS: Centos7, strongswan-5.7.2

yum install epel-release

yum install strongswan

Enable Service

systemctl start strongswan

systemctl enable strongswan

Checking

netstat -nlup | grep charon

udp        0      0 0.0.0.0:4500            0.0.0.0:*                           3194/charon
udp        0      0 0.0.0.0:500             0.0.0.0:*                           3194/charon
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3194/charon

strongswan --help

strongswan version

 


OS Setting

 

/etc/sysctl.conf

# Disable sending of ICMP redirects and Reverse Path filters

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0

# forwarding

net.ipv4.ip_forward = 1

sysctl -p

 


Firewall Setting

 

/etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
...
# ipsec
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -j ACCEPT
...
# Last Rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.160.0/24 -o ens5 -j MASQUERADE
COMMIT

 


Diagram

 

(88.x/24)Site A(10.0.0.88) <-> (10.0.0.160)Site B(160.x/24)

 


Configure

 

Config File Location

cd /etc/strongswan

ipsec.secrets

# man strongswan_ipsec.secrets

strongSwan 的 IKE 會讀它

Generate Preshared Key

openssl rand -base64 16

????

ipsec.secrets

10.0.0.88 10.0.0.160 : PSK "????"

Format

# comment
[ <selectors> ] : PSK <secret>

separated by a colon (:) that is surrounded by whitespace

A selector is an IP address, a Fully Qualified Domain Name, %any

secret

  0x is interpreted as sequence of hexadecimal digits

  0s is interpreted as Base64 encoded binary data.

strongswan.conf

# man strongswan.conf

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

ipsec.conf

# man strongswan_ipsec.conf

config setup
        charondebug="all"
        uniqueids=yes

conn dc-to-office
        auto=start
        type=tunnel
        keyexchange=ikev2
        authby=psk
        # Net
        left=10.0.0.160
        leftsubnet=192.168.160.0/24
        right=10.0.0.88
        rightsubnet=192.168.88.0/24
        # Enc
        ike=aes256-sha1-modp2048!
        esp=aes256-sha1-modp2048!
        # lifetime
        keyingtries=%forever
        ikelifetime=86400s
        lifetime=3600s
        # DPD
        dpdaction=restart
        dpddelay=10s
        # IKEv1 Setting
        #aggressive=no
        #dpdtimeout=120s

說明

uniqueids = yes (default)

whether a particular participant ID should  be kept unique,

with any new IKE_SA using an ID deemed to replace all old ones using that ID;

auto

ipsec 啟動時此 conn 是否啟動(add,  route,  start  and ignore (the  default))

add: loads a connection without starting it.

route: loads a connection  and  installs  kernel  traps.

start: loads a connection and brings  it up immediately.

ignore: ignores the connection.

keyexchange = ike(Default) | ikev1 | ikev2

left or right

left or right is arbitrary, 與 local remote 無關

ike = <cipher suites>

comma-separated list of IKE/ISAKMP SA encryption/authentication

Format: encryption-integrity[-prf]-dhgroup

If no PRF is given, the algorithms defined for integrity are used for the PRF.

i.e.

aes256-sha256-modp2048

In IKEv2, multiple algorithms and  proposals  may  be  included

aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024

The  daemon adds its extensive default proposal to this default or the configured value.

To restrict  it  to the configured proposal an exclamation mark (!) can be added at the end.

esp = <cipher suites>

encryption-integrity[-dhgroup][-esnmode]

aes256-sha128

keyingtries = 3 (default)

how many attempts should be made to negotiate a connection,

or a replacement for one, before  giving up.

dpddelay

the period time interval with which R_U_THERE messages/INFORMATIONAL

exchanges are sent to the peer.

These are only sent if no other traffic is received.

IKEv1 Setting

aggressive

    whether to use IKEv1 Aggressive or Main Mode (the default)

dpdtimeout

    only applies to IKEv1. In IKEv2 the default retransmission timeout applies

 


strongswan

 

ipsec - invoke IPsec utilities

# man strongswan

Start / Stop

start

calls starter which in turn parses ipsec.conf and starts the IKE daemon charon

stop

terminates all IPsec connections and stops the IKE daemon charon by sending a TERM signal to starter

restart

stop followed by start

update

update sends a HUP signal to  starter which in turn determines any changes in ipsec.conf and

updates the configuration on the running IKE daemon charon

reload

sends a USR1 signal to starter which in turn reloads

the whole configuration of the running IKE daemon charon based on the actual ipsec.conf

up / down name

tells the IKE daemon to start up connection name.

tells the IKE daemon to terminate connection name

route name / unroute name

tells the responsible IKE daemon to insert an IPsec policy in the kernel for connection name.

The first payload packet matching the IPsec policy will  automatically  trigger  an IKE connection setup.

i.e.

strongswan start

Starting strongSwan 5.7.2 IPsec [starter]...

Status

status

# No connection

Security Associations (0 up, 0 connecting):
  none

# Phase 1 Only

Security Associations (1 up, 0 connecting):
dc-to-office[1]: ESTABLISHED 13 seconds ago, 192.168.160.253[192.168.160.253]...r.r.r.r[r.r.r.r]

# Phase 1 & 2

Security Associations (1 up, 0 connecting):
dc-to-office[2]: ESTABLISHED 13 minutes ago, 192.168.160.253[192.168.160.253]...r.r.r.r[r.r.r.r]
dc-to-office{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2a228a0_i 084d41ec_o
dc-to-office{2}:   192.168.160.0/24[icmp] === 192.168.88.0/24[icmp]

statusall

Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1160.11.1.el7.x86_64, x86_64):
  uptime: 8 minutes, since Jan 14 03:13:45 2021
  malloc: sbrk 2666496, mmap 0, used 581424, free 2085072
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ...
Listening IP addresses:
  192.168.160.253
Connections:
Security Associations (0 up, 0 connecting):
  none

Other

rereadsecrets

flushes and rereads all secrets defined in ipsec.secrets

resetcounters [name]

resets global or connection specific counters.

listalgs

List of registered IKE algorithms

Log

/var/log/messages

 


Disable DHCP

 

/etc/strongswan/strongswan.d/charon/dhcp.conf

dhcp {
    load = no
}

 


NAT Traversal (NAT-T)

 

The IKEv2 protocol includes NAT traversal (NAT-T) in the core standard, but it's optional to implement.

    strongSwan implements it and does not require any special configuration.

If a NAT situation is detected, the client switches to UDP port 4500 to send the IKE_AUTH request

    (only if it used UDP port 500 initially) and UDP encapsulation will be activated for IPsec SAs.

NAT-T cannot be disabled in the charon IKE daemon.

    If you don't like the automatic port floating to UDP/4500 due to the "MOBIKE protocol"

    (mobike option in your connection definition)

 

Forced UDP encapsulation for ESP packets

ipsec.conf

forceencaps = yes

NAT-T Keepalives

strongswan.d/charon.conf

charon {
    keep_alive = 20s
}

 


swanctl

 

# man swanctl

strongSwan configuration, control and monitoring command line interface

-L, --list-conns            # list loaded configurations

dc-to-office: IKEv2, reauthentication every 85860s, no rekeying, dpd delay 10s
  local:  %any
  remote: r.r.r.r
  local pre-shared key authentication:
  remote pre-shared key authentication:
    id: r.r.r.r
  dc-to-office: TUNNEL, rekeying every 3060s, dpd action is restart
    local:  192.168.160.0/24
    remote: 192.168.161.0/24

-l, --list-sas                # list currently active IKE_SAs

dc-to-office: #2, ESTABLISHED, IKEv2, cb0ad32c4e80b290_i d68325ea2726f0b4_r*
  local  '192.168.160.253' @ 192.168.160.253[4500]
  remote 'r.r.r.r' @ r.r.r.r[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 1266s ago, reauth in 84495s
  dc-to-office: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 1266s ago, rekeying in 1311s, expires in 2334s
    in  ca6f3ef3, 5764476 bytes, 17017 packets,     1s ago
    out 5aedc7d7, 16223342 bytes, 15338 packets,     1s ago
    local  192.168.160.0/24
    remote 192.168.161.0/24

-S, --stats                  # show daemon infos and statistics

uptime: 23 minutes, since Jan 14 09:14:59 2021
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 4
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 2666496, mmap 0, used 606480, free 2060016
loaded plugins: charon ...

-i, --initiate

-t, --terminate

-R, --rekey