Last updated: 2021-01-14
Contents
- Installation
- OS Setting
- Firewall Setting
- Diagram
- Configure
- CLI - strongswan
- Disable DHCP
- NAT Traversal (NAT-T)
- CLI - swanctl
Installation
Setup
# OS: Centos7, strongswan-5.7.2
yum install epel-release
yum install strongswan
Enable Service
systemctl start strongswan
systemctl enable strongswan
Checking
netstat -nlup | grep charon
udp 0 0 0.0.0.0:4500 0.0.0.0:* 3194/charon
udp 0 0 0.0.0.0:500 0.0.0.0:* 3194/charon
udp 0 0 0.0.0.0:68 0.0.0.0:* 3194/charon
strongswan version
Linux strongSwan U5.7.2/K3.10.0-1160.11.1.el7.x86_64
University of Applied Sciences
Rapperswil, Switzerland
See 'strongswan --copyright' for copyright information.
strongswan --help
OS Setting
/etc/sysctl.conf
# Disable sending of ICMP redirects and Reverse Path filters
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
# forwarding
net.ipv4.ip_forward = 1
sysctl -p
Firewall Setting
/etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
...
# ipsec
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -j ACCEPT
...
# Last Rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.160.0/24 -o ens5 -j MASQUERADE
COMMIT
Diagram
(88.x/24)Site A(10.0.0.88) <-> (10.0.0.160)Site B(160.x/24)
Configure
Config File Location
cd /etc/strongswan
ipsec.secrets
# man strongswan_ipsec.secrets
strongSwan's IKE daemon reads this file.
Generate Preshared Key
openssl rand -base64 16
????
ipsec.secrets
10.0.0.88 10.0.0.160 : PSK "????"
Format
# comment [ <selectors> ] : PSK <secret>
The selectors and the secret are separated by a colon (:) surrounded by whitespace.
A selector is an IP address, a fully qualified domain name, or %any.
secret
A value prefixed with 0x is interpreted as a sequence of hexadecimal digits.
A value prefixed with 0s is interpreted as Base64-encoded binary data.
Otherwise the secret is given as a quoted string, as in the example above.
strongswan.conf
# man strongswan.conf
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
ipsec.conf
# man strongswan_ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes

conn dc-to-office
    auto=start
    type=tunnel
    keyexchange=ikev2
    authby=psk
    # Net
    left=10.0.0.160
    leftsubnet=192.168.160.0/24
    right=10.0.0.88
    rightsubnet=192.168.88.0/24
    # Enc
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    # lifetime
    keyingtries=%forever
    ikelifetime=86400s
    lifetime=3600s
    # DPD
    dpdaction=restart
    dpddelay=10s
    # IKEv1 Setting
    #aggressive=no
    #dpdtimeout=120s
Notes
uniqueids = yes (default)
whether a particular participant ID should be kept unique,
with any new IKE_SA using an ID deemed to replace all old ones using that ID;
auto
What to do with this conn when ipsec starts: add, route, start or ignore (the default)
add: loads a connection without starting it.
route: loads a connection and installs kernel traps.
start: loads a connection and brings it up immediately.
ignore: ignores the connection.
keyexchange = ike(Default) | ikev1 | ikev2
left or right
Which side is called left and which right is arbitrary; it has nothing to do with local vs. remote.
ike = <cipher suites>
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
Format: encryption-integrity[-prf]-dhgroup
If no PRF is given, the algorithms defined for integrity are used for the PRF.
e.g.
aes256-sha256-modp2048
In IKEv2, multiple algorithms and proposals may be included
aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024
The daemon adds its extensive default proposal to this default or the configured value.
To restrict it to the configured proposal an exclamation mark (!) can be added at the end.
esp = <cipher suites>
Format: encryption-integrity[-dhgroup][-esnmode]
e.g.
aes256-sha256
keyingtries = 3 (default)
how many attempts should be made to negotiate a connection,
or a replacement for one, before giving up.
dpddelay
the time interval with which R_U_THERE messages/INFORMATIONAL
exchanges are sent to the peer.
These are only sent if no other traffic is received.
IKEv1 Setting
aggressive
whether to use IKEv1 Aggressive or Main Mode (the default)
dpdtimeout
only applies to IKEv1. In IKEv2 the default retransmission timeout applies
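The ike= and esp= proposal format above lends itself to a quick lint before a config goes live. The script below is an added example, not code from the original page or from strongSwan: it splits a proposal string the way charon parses it (commas between proposals, dashes between algorithms), reports a missing trailing "!" (charon would then append its default proposal) and any IKE proposal without a DH group, and flags algorithms on a legacy list that is this script's own assumption.

```shell
#!/bin/sh
# Added example, not code from the original page: lint the ike= / esp=
# proposal strings used in ipsec.conf against the format described above
# (comma-separated proposals, dash-separated algorithms, trailing '!' to
# suppress charon's default proposal). The LEGACY list is this script's
# own assumption, not a list published by strongSwan.

LEGACY="md5 sha1 des 3des null modp768 modp1024 modp1536"

# check_proposal KEYWORD VALUE
# Prints one finding per line; returns 1 if any finding, 0 if clean.
check_proposal() {
    kw=$1
    val=$2
    rc=0
    case $val in
        *!) val=${val%!} ;;
        *)  echo "$kw: no trailing '!', charon appends its default proposal"; rc=1 ;;
    esac
    for prop in $(printf '%s\n' "$val" | tr ',' ' '); do
        for alg in $(printf '%s\n' "$prop" | tr '-' ' '); do
            for old in $LEGACY; do
                if [ "$alg" = "$old" ]; then
                    echo "$kw: legacy algorithm '$alg' in proposal '$prop'"
                    rc=1
                fi
            done
        done
        # an IKE proposal needs a DH group (modp*, ecp*, curve25519, x25519, ...)
        if [ "$kw" = ike ]; then
            case $prop in
                *modp*|*ecp*|*curve*|*x25519*|*x448*) ;;
                *) echo "$kw: proposal '$prop' has no DH group"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# count_findings KEYWORD VALUE -> number of findings (handy for tests)
count_findings() {
    check_proposal "$1" "$2" | wc -l | tr -d ' '
}

# Run it over the proposals from the ipsec.conf above
check_proposal ike 'aes256-sha1-modp2048!' || echo "ike= needs review"
check_proposal esp 'aes256-sha1-modp2048!' || echo "esp= needs review"
check_proposal ike 'aes256-sha256-modp2048!' && echo "ike= aes256-sha256-modp2048! is clean"
```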
CLI - strongswan
ipsec - invoke IPsec utilities
# man strongswan
Start / Stop
start
calls starter which in turn parses ipsec.conf and starts the IKE daemon charon
stop
terminates all IPsec connections and stops the IKE daemon charon by sending a TERM signal to starter
restart
stop followed by start
update
update sends a HUP signal to starter which in turn determines any changes in ipsec.conf and
updates the configuration on the running IKE daemon charon
reload
sends a USR1 signal to starter which in turn reloads
the whole configuration of the running IKE daemon charon based on the actual ipsec.conf
up name
tells the IKE daemon to start up connection name.
down name
tells the IKE daemon to terminate connection name.
route name / unroute name
tells the responsible IKE daemon to insert an IPsec policy in the kernel for connection name.
The first payload packet matching the IPsec policy will automatically trigger an IKE connection setup.
e.g.
strongswan start
Starting strongSwan 5.7.2 IPsec [starter]...
Status
status
# No connection
Security Associations (0 up, 0 connecting): none
# Phase 1 Only
Security Associations (1 up, 0 connecting): dc-to-office[1]: ESTABLISHED 13 seconds ago, 192.168.160.253[192.168.160.253]...r.r.r.r[r.r.r.r]
# Phase 1 & 2
Security Associations (1 up, 0 connecting):
dc-to-office[2]: ESTABLISHED 13 minutes ago, 192.168.160.253[192.168.160.253]...r.r.r.r[r.r.r.r]
dc-to-office{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2a228a0_i 084d41ec_o
dc-to-office{2}: 192.168.160.0/24[icmp] === 192.168.88.0/24[icmp]
[icmp] means only ICMP traffic is allowed through this CHILD_SA.
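The three status outputs above (none, phase 1 only, phase 1 and 2) are what a monitoring job has to tell apart. The script below is an added example, not code from the original page or from strongSwan: it parses `strongswan status` text, reports whether a conn is down, has only an IKE_SA, or also has an INSTALLED CHILD_SA, and extracts the traffic selectors so a restriction such as [icmp] is visible. The sample text is constructed from the status lines shown above.

```shell
#!/bin/sh
# Added example, not code from the original page: a monitoring check over
# `strongswan status` output. A conn is healthy only when both lines exist:
#   name[n]: ESTABLISHED   (IKE_SA, "phase 1")
#   name{n}: INSTALLED     (CHILD_SA, "phase 2", ESP SA in the kernel)

# tunnel_state CONN STATUS_TEXT -> prints one of: down, ike-only, up
tunnel_state() {
    conn=$1
    text=$2
    ike=$(printf '%s\n' "$text" | grep -c "^ *$conn\[[0-9]*\]: ESTABLISHED") || true
    child=$(printf '%s\n' "$text" | grep -c "^ *$conn{[0-9]*}: INSTALLED") || true
    if [ "$ike" -gt 0 ] && [ "$child" -gt 0 ]; then
        echo up
    elif [ "$ike" -gt 0 ]; then
        echo ike-only        # IKE_SA negotiated but no ESP SA: no traffic flows
    else
        echo down
    fi
}

# child_selectors CONN STATUS_TEXT -> prints the traffic selector line(s);
# a [proto] suffix means the CHILD_SA only carries that protocol
child_selectors() {
    printf '%s\n' "$2" | sed -n "s/^ *$1{[0-9]*}: \(.* === .*\)/\1/p"
}

# check_tunnel CONN -> exit status for cron or a monitoring agent; queries the live daemon
check_tunnel() {
    state=$(tunnel_state "$1" "$(strongswan status)")
    [ "$state" = up ] || { echo "$1 is $state" >&2; return 1; }
    return 0
}

# Constructed sample, assembled from the status output shown above
SAMPLE='Security Associations (1 up, 0 connecting):
  dc-to-office[2]: ESTABLISHED 13 minutes ago, 192.168.160.253[192.168.160.253]...r.r.r.r[r.r.r.r]
  dc-to-office{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2a228a0_i 084d41ec_o
  dc-to-office{2}: 192.168.160.0/24[icmp] === 192.168.88.0/24[icmp]'

echo "state: $(tunnel_state dc-to-office "$SAMPLE")"
echo "selectors: $(child_selectors dc-to-office "$SAMPLE")"
```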
statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1160.11.1.el7.x86_64, x86_64):
  uptime: 8 minutes, since Jan 14 03:13:45 2021
  malloc: sbrk 2666496, mmap 0, used 581424, free 2085072
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ...
Listening IP addresses:
  192.168.160.253
Connections:
Security Associations (0 up, 0 connecting):
  none
Other
rereadsecrets
flushes and rereads all secrets defined in ipsec.secrets
resetcounters [name]
resets global or connection specific counters.
listalgs
List of registered IKE algorithms
Log
/var/log/messages
Disable DHCP
/etc/strongswan/strongswan.d/charon/dhcp.conf
dhcp { load = no }
NAT Traversal (NAT-T)
The IKEv2 protocol includes NAT traversal (NAT-T) in the core standard, but it's optional to implement.
strongSwan implements it and does not require any special configuration.
If a NAT situation is detected, the client switches to UDP port 4500 to send the IKE_AUTH request
(only if it used UDP port 500 initially) and UDP encapsulation will be activated for IPsec SAs.
NAT-T cannot be disabled in the charon IKE daemon.
If you don't like the automatic port floating to UDP/4500 due to the "MOBIKE protocol"
(mobike option in your connection definition)
Forced UDP encapsulation for ESP packets
ipsec.conf
forceencaps = yes
NAT-T Keepalives
strongswan.d/charon.conf
charon { keep_alive = 20s }
CLI - swanctl
# man swanctl
strongSwan configuration, control and monitoring command line interface
-L, --list-conns # list loaded configurations
dc-to-office: IKEv2, reauthentication every 85860s, no rekeying, dpd delay 10s
  local:  %any
  remote: r.r.r.r
  local pre-shared key authentication:
  remote pre-shared key authentication:
    id: r.r.r.r
  dc-to-office: TUNNEL, rekeying every 3060s, dpd action is restart
    local:  192.168.160.0/24
    remote: 192.168.161.0/24
-l, --list-sas # list currently active IKE_SAs
dc-to-office: #2, ESTABLISHED, IKEv2, ?_i ?_r*
  local  '192.168.160.253' @ 192.168.160.253[4500]
  remote 'r.r.r.r' @ r.r.r.r[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 1266s ago, reauth in 84495s
  dc-to-office: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 1266s ago, rekeying in 1311s, expires in 2334s
    in  ca6f3ef3, 5764476 bytes, 17017 packets, 1s ago
    out 5aedc7d7, 16223342 bytes, 15338 packets, 1s ago
    local  192.168.160.0/24
    remote 192.168.161.0/24
-S, --stats # show daemon infos and statistics
uptime: 23 minutes, since Jan 14 09:14:59 2021
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 4
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 2666496, mmap 0, used 606480, free 2060016
loaded plugins: charon ...
-i, --initiate # initiate a connection
-t, --terminate # terminate a connection
-R, --rekey # rekey an SA