
doc:howto:vpn.ipsec.basics [2012/12/21 16:03]
miceliux Add hotplug.d script
doc:howto:vpn.ipsec.basics [2014/03/23 07:07] (current)
jaf323
Line 1: Line 1:
====== IPsec Basics ====== ====== IPsec Basics ======
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |
-A quick starters quide based on Backfire 10.03.1-rc6. Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Hopefully it will ecourage other people to use Openwrt as an IPsec VPN router. We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. If you came here for informations about [[http://www.openswan.org|Openswan]] on OpenWrt you may be disappointed. This guide is only about racoon.+:!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.basics.racoon|here]].
---UPDATE-- Openswan documentation is being put together here [[doc:howto:vpn.ipsec.site2site.openswan|IPsec Site To Site Using Openswan]]+A quick starters quide based on OpenWrt Attitude Adjustment 12.09. Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Hopefully it will ecourage other people to use Openwrt as an IPsec VPN router. We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. If you came here for informations about [[http://www.openswan.org|Openswan]] on OpenWrt you may be disappointed. This guide is only about strongswan.
===== Packages ===== ===== Packages =====
-If not already installed on your router you need the at least those packages+If not already installed on your router you need the at least those packages. **Ensure that you use strongswan 5.0.0 or higher**. Older versions will not work due to differences in configuration handling.
-  * ipsec-tools: racoon, setkey, and kernel encryption modules +  * strongswan-full 5.0.0: everything needed for IPsec tunnels
-  * kmod-crypto-authenc: Module for block cipher modes (AEAD) (automatically installed with ipsec-tools in latest trunk) +
-  * kmod-ipsec: Basic security module (automatically installed with ipsec-tools in latest trunk) +
-  * kmod-ipsec4: IPv4 security module+
  * ip: Required to make scripting easier   * ip: Required to make scripting easier
-  * openssl-util: Certificate handling 
  * iptables-mod-nat-extra: For VPN networks with [[vpn.ipsec.overlappingsubnets|overlapping IP addresses]]   * iptables-mod-nat-extra: For VPN networks with [[vpn.ipsec.overlappingsubnets|overlapping IP addresses]]
  * djbdns-utils: for simpler name resolving than old "nslookup | awk" thing (may also be named djbdns-tools)   * djbdns-utils: for simpler name resolving than old "nslookup | awk" thing (may also be named djbdns-tools)
-Altogehter those packages will eat up about 1,2 MB of your router's flash memory. The racoon and ip binaries will already be 650KB. Maybe it is time for an [[extroot]] installation?+Altogehter those packages will eat up about 4 MB of your router's flash memory. Maybe it is time for an [[extroot]] installation?
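Review bot: the package list does not match what the new init script actually demands. The `strongswan-full 5.0.0` bullet says it is "everything needed for IPsec tunnels", yet CheckInstallation further down in this revision exits unless kmod-crypto-aes, -authenc, -cbc, -hmac, -md5 and -sha1 and a fixed set of libstrongswan-*.so plugins are present (`for f in aes authenc cbc hmac md5 sha1` and `for f in aes gmp hmac kernel-netlink md5 random sha1 updown attr resolve`). Either list those kernel modules here or state that strongswan-full pulls them in, and say whether the new "about 4 MB" flash figure includes them. Minor: the spelling errors carried over from the racoon text (quide, ecourage, informations, Altogehter) were not fixed when the paragraph was rewritten.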
Line 24: Line 21:
===== Configuration concept ===== ===== Configuration concept =====
-With Linux default IPsec daemon is called racoon. For this one normally edits some files+Starting with Strongswan 5.0 the one and only IPsec daemon is Charon. The former Pluto daemon is no longer available. For this one normally edits some files
-  * **/etc/racoon.conf**: Central configuration file & endpoint definitions +  * **/etc/strongswan.conf**: Central configuration file  
-  * **/etc/racoon/psk.txt**: List of preshared keys +  * **/etc/ipsec.conf**: Tunnel definitions 
-  * **/etc/racoon/setkey.conf**: Security policies for tunnels+  * **/etc/ipsec.secrets**: List of preshared keys 
 +  * **/etc/ipsec.d**: Folder for certificates
-The major challenges are handling setkey.conf with dynamic IP addresses and clean integration into the OpenWrt configuration concept. To solve this we will use a hierarchical configuration process. That involves+The major challenge is handling ipsec.conf with clean integration into the OpenWrt configuration concept. To solve this we will use a hierarchical configuration process. That involves
-  * **/etc/config/racoon**: The OpenWrt configuration file for racoon +  * **/etc/config/ipsec**: The OpenWrt configuration file for racoon 
-  * **/etc/init.d/racoon**: The racoon start script. It will generate the required configuration files for racoon +  * **/etc/init.d/ipsec**: The Strongswan start script. It will generate the required configuration files for racoon 
-  * **/var/racoon/racoon.conf**: The generated racoon config +  * **/etc/ipsec.conf**: The generated Strongswan config 
-  * **/var/racoon/psk.txt** : The generated file with preshared keys +  * **/var/ipsec.secrets** : The generated file with preshared keys
-  * **/var/racoon/cert**: The folder with generated certificates+
Here a short example of the configuration methodology when having two VPN tunnels to ACME and Yabadoo networks Here a short example of the configuration methodology when having two VPN tunnels to ACME and Yabadoo networks
<code> <code>
-#/etc/config/racoon +#/etc/config/ipsec 
-config 'tunnel' 'ACME'+config 'remote' 'ACME'
  option 'enabled' '1'   option 'enabled' '1'
-  option 'remote' '1.2.3.4' +  option 'gateway' '1.2.3.4' 
-  list  'sainfo' 'acme_lan'+  list  'tunnel' 'acme_lan'
  ...   ...
-config 'sainfo' 'acme_lan' +config 'tunnel' 'acme_lan' 
-  option 'local_address' '192.168.213.64/26' +  option 'local_subnet' '192.168.213.64/26' 
-  option 'remote_address' '192.168.10.0/24'+  option 'remote_subnet' '192.168.10.0/24'
  ...   ...
-config 'tunnel' 'Yabadoo'+config 'remote' 'Yabadoo'
  option 'enabled' '1'   option 'enabled' '1'
-  option 'remote' '5.6.7.8'+  option 'gateway' '5.6.7.8'
</code> </code>
-Read more about the complete syntax for [[doc:uci:racoon|/etc/config/racoon]].+Read more about the complete syntax for [[doc:uci:ipsec|/etc/config/ipsec]].
===== IKE Daemon ===== ===== IKE Daemon =====
-As already mentioned it can be a little scary to insert security polices into the kernel. Especially when you have a reconnecting interface with a dynamic outside IP. But to be honest all we have to know is already inside our /etc/config/racoon file. So we just have to use the startup script to parse those files and hand them over to the IPSec stack via setkey command. Our solution involves +To let Charon run as a background daemon we can place a hook in the init environment. Therefore create the file **/etc/init.d/ipsec** and set the executable bit. Remark: This script is in an early alpha state. It currently works for site to site tunnels with preshared keys. Feel free to enhance it.
- +
-  * automatically determine interfaces and IPs +
-  * allow multiple sainfo sets per tunnel +
-  * if racoon is already running reload policies only +
-  * generate certificates and their hashes +
- +
-To let racoon run as a background daemon we can place a hook in the init environment. Therefore create the file **/etc/init.d/racoon** and set the executable bit. Remark: This script is in an advanced beta state. It currently works for site to site or roadwarrior tunnels with either preshared keys or RSA certificates. Feel free to enhance it. +
- +
-Enhancement:  It works also with cisco ASA remote endpoint now :-) +
<code bash> <code bash>
#!/bin/sh /etc/rc.common #!/bin/sh /etc/rc.common
-#/etc/init.d/racoon - version 26 +#/etc/init.d/ipsec - version 4 
-  + 
-NAME=racoon +NAME=ipsec
-PROG=/usr/sbin/racoon+
START=60 START=60
STOP=60 STOP=60
- +
. /etc/functions.sh . /etc/functions.sh
-  + 
-ConfigFile="/var/racoon/racoon.conf" +FileSecrets=/var/ipsec/ipsec.secrets 
-PSKFile="/var/racoon/psk.txt" +FileConn=/var/ipsec/ipsec.conf 
-UserFile="/var/racoon/xauthuser.txt" +FileCommon=/var/ipsec/strongswan.conf 
-CertificatePath="/var/racoon/cert" + 
-CallParameters="" +FolderCerts=/var/ipsec/ipsec.d 
-RoadWarriorRemote="anonymous" + 
-RoadWarriorDNS="" +ConfigUser()
-RoadWarriorDomain="" +
-RoadWarriorCerts="" +
-MainConfigDone=0 +
-  +
-UserConfig()+
{ {
  local enabled   local enabled
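Review bot: two stale racoon references survive the rename in the hierarchy list: `/etc/config/ipsec` is described as "The OpenWrt configuration file for racoon" and `/etc/init.d/ipsec` as generating "the required configuration files for racoon"; both should say strongswan. The same list also disagrees with the script it introduces: it names `/etc/ipsec.conf` as the generated config and `/var/ipsec.secrets` as the generated secrets file, whereas the script sets `FileSecrets=/var/ipsec/ipsec.secrets`, `FileConn=/var/ipsec/ipsec.conf` and `FileCommon=/var/ipsec/strongswan.conf` and only symlinks the /etc paths to them. List the /var/ipsec paths here and note that /var is volatile, so readers know where the generated files live and that they do not survive a reboot.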
Line 103: Line 85:
  local password   local password
  local crt_subject   local crt_subject
- +
  config_get_bool enabled $1 enabled 0   config_get_bool enabled $1 enabled 0
  [[ "$enabled" == "0" ]] && return   [[ "$enabled" == "0" ]] && return
- +
  config_get_bool xauth      $1 xauth      0   config_get_bool xauth      $1 xauth      0
  config_get      name        $1 name        ""   config_get      name        $1 name        ""
  config_get      password    $1 password    ""   config_get      password    $1 password    ""
-  config_get      crt_subject $1 crt_subject "" +
- +
  if [ $xauth -eq 1 -a "$name" != "" -a "$password" != "" ]; then   if [ $xauth -eq 1 -a "$name" != "" -a "$password" != "" ]; then
-    echo "$name $password"; >>; $UserFile +    echo "$name : XAUTH \"$password\"" &gt;&gt; $FileSecrets
-  fi +
-  +
-  if [ "$crt_subject" != &quot;&quot; ]; then +
-    RoadWarriorCerts=";${RoadWarriorCerts}peers_identifier asn1dn \"$crt_subject\";"+
  fi   fi
} }
-  + 
-CreateSA() { + 
- local LocalEndpoint=`ip route get $3 | awk -F"src" '/src/{gsub(/ /,"");print $2}'` +ConfigPhase1() {
-  +
-  echo "spdadd $1 $2 any -P out ipsec \ +
-        esp/tunnel/$LocalEndpoint-$3/unique; \ +
-        spdadd $2 $1 any -P in ipsec \ +
-        esp/tunnel/$3-$LocalEndpoint/unique; \ +
-      " | setkey -c 1>&2 +
-+
-  +
-RoadWarriorSubnet() { +
-  local i +
-  +
-  let "i=255<<(24-${1#*/}+8)&255" +
-  echo "  netmask4 255.255.255.$i;" +
-  +
-  i="${1%/*}" +
-  let "i=${i##*.}+1" +
-  echo "  network4 ${1%.*}.$i;" +
-+
-  +
-MainConfig() { +
-  local foreground +
-  local debug +
-  local listen +
-  +
-  config_get_bool foreground        $1 foreground 0 +
-  config_get_bool debug            $1 debug      0 +
-  config_get      listen            $1 listen    "" +
-  config_get      RoadWarriorDNS    $1 dns        "" +
-  config_get      RoadWarriorDomain $1 domain    "" +
-  +
-  [[ $foreground -ne 0 ]] && CallParameters="-F" +
-  [[ $debug -ne 0 ]]      && CallParameters=$CallParameters" -d" +
-  +
-  echo "# auto generated by /etc/init.d/racoon" +
-  echo "path pre_shared_key \"$PSKFile\";" +
-  echo "path certificate \"$CertificatePath\";" +
-  echo "padding {" +
-  echo "  maximum_length 20; randomize off;" +
-  echo "  strict_check off; exclusive_tail off;" +
-  echo "}" +
-  echo "timer {" +
-  echo "  counter 5; interval 20 sec; persend 1;" +
-  echo "  phase1 30 sec; phase2 15 sec;" +
-  echo "}" +
-  echo "" +
-  +
-  if [ "$listen" != "" ]; then +
-    echo "listen {" +
-    config_list_foreach "$1" listen AddListenIP +
-    echo "}" +
-    echo "" +
-  fi +
-  MainConfigDone=1 +
-+
-  +
-AddListenIP() { +
-  local value="$1" +
-  . /lib/functions/network.sh +
-  local retvalue +
-  network_get_ipaddr listenIP "$value" +
-  if [ $? -eq 0 ]; then +
-    if [ "$listenIP" != "" ]; then +
-      echo "  isakmp $listenIP;" +
-      echo "  isakmp_natt $listenIP [4500];" +
-    fi +
-  fi +
-  network_get_ipaddr6 listenIP "$value" +
-  if [ $? -eq 0 ]; then +
-    if [ "$listenIP" != "" ]; then +
-      echo "  isakmp $listenIP;" +
-      echo "  isakmp_natt $listenIP [4500];" +
-    fi +
-  fi +
-+
-  +
-TunnelConfig() { +
-  local enabled +
-  local remote +
-  local remote_device +
-  local preshared_key +
-  local exchange_mode +
-  local my_identifier +
-  local my_identifier_type +
-  local certificate +
-  local remote_device +
-  +
-  config_get_bool enabled "$1" enabled 0 +
-  [[ "$enabled" == "0" ]] && return +
-  +
-  config_get remote            "$1" remote +
-  config_get remote_device      "$1" remote_device "" +
-  config_get pre_shared_key    "$1" pre_shared_key "" +
-  config_get exchange_mode      "$1" exchange_mode +
-  config_get my_identifier      "$1" my_identifier "" +
-  config_get my_identifier_type "$1" my_identifier_type "fqdn" +
-  config_get certificate        "$1" certificate "" +
-  config_get dpd_delay "$1" dpd_delay "" +
-  +
-  if [ "$remote" != "$RoadWarriorRemote" ]; then +
-    if [ -x /usr/bin/dnsip ] ; then +
-      remote=`/usr/bin/dnsip $remote` +
-    else  +
-      remote=`nslookup "$remote" | awk 'NR==5 { print $3 }'` +
-    fi +
-    prg=`racoon -V 2>/dev/null| grep "ipsec-tools 0.8" | wc -l` +
-    if [ $prg -eq 0 ]; then +
-      echo "remote $remote {" +
-    else +
-      echo "remote \"$1\" {" +
-      echo "  remote_address $remote;" +
-    fi +
-  +
-  else +
-    echo "remote anonymous {" +
-    echo "  generate_policy on;" +
-  fi +
-  +
-  if [ "$pre_shared_key" != "" ]; then +
-    if [ "$remote" != "$RoadWarriorRemote" ]; then +
-      echo "$remote $pre_shared_key" >> $PSKFile +
-    else +
-      echo "* $pre_shared_key" >> $PSKFile +
-    fi +
-    if [ "$my_identifier" != "" -a "$my_identifier_type" != "" ]; then +
-      echo "  my_identifier $my_identifier_type  \"$my_identifier\";" +
-    fi +
-  elif [ "$certificate" != "" ]; then +
-    echo "  verify_cert on;" +
-    echo "  certificate_type x509 \"$certificate.crt\" \"$certificate.key\";" +
-    echo "  my_identifier asn1dn;" +
-    if [ "$remote" == "$RoadWarriorRemote" ]; then +
-      echo "  verify_identifier on;" +
-      echo "  "$RoadWarriorCerts +
-    else +
-      echo "  peers_identifier asn1dn;" +
-    fi +
-  fi +
-  +
-  echo "  exchange_mode $exchange_mode;" +
-  echo "  proposal_check obey;" +
-  echo "  nat_traversal on;" +
-  if [ "$dpd_delay" != "" ]; then +
-    echo "  dpd_delay $dpd_delay;" +
-  fi +
-  +
-  config_list_foreach "$1" p1_proposal ConfigP1 +
-  echo "}" +
-  +
-  AnonSA=0 +
-  config_list_foreach "$1" sainfo ConfigSA $tunnel $remote +
-  [[ "$remote" == "$RoadWarriorRemote" ]] && echo "}" +
-+
-  +
-ConfigP1() { +
-  local lifetime+
  local encryption_algorithm   local encryption_algorithm
  local hash_algorithm   local hash_algorithm
-  local authentication 
  local dh_group   local dh_group
-  +
-  config_get lifetime              "$1" lifetime 28800+
  config_get encryption_algorithm  "$1" encryption_algorithm   config_get encryption_algorithm  "$1" encryption_algorithm
  config_get hash_algorithm        "$1" hash_algorithm   config_get hash_algorithm        "$1" hash_algorithm
-  config_get authentication_method "$1" authentication_method 
  config_get dh_group              "$1" dh_group   config_get dh_group              "$1" dh_group
-  + 
-  echo "  proposal {" +  Phase1Proposal=${Phase1Proposal}","${encryption_algorithm}-${hash_algorithm}-${dh_group}
-  echo "   lifetime time $lifetime sec;" +
-  echo "    encryption_algorithm $encryption_algorithm;" +
-  echo "    hash_algorithm $hash_algorithm;" +
-  echo "    authentication_method $authentication_method;" +
-  echo "    dh_group $dh_group;" +
-  echo "  }"+
} }
-  + 
-ConfigSA() { +ConfigTunnel() {
-  local tunnel=`echo $2 | cut -d" " -f1` +
-  local sainfo=$1 +
-  local remote=`echo $2 | cut -d" " -f2`+
  local local_subnet   local local_subnet
  local local_nat   local local_nat
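Review bot: ConfigPhase1 reads encryption_algorithm, hash_algorithm and dh_group with `config_get` and no default, then appends `","${encryption_algorithm}-${hash_algorithm}-${dh_group}` to Phase1Proposal, so a mistyped p1_proposal section name silently yields `--` in the ike= line instead of an error; return early or print a warning when any of the three is empty. Two smaller points in ConfigUser: `local crt_subject` is still declared although its config_get and the RoadWarriorCerts handling were removed, and `echo "$name : XAUTH \"$password\"" >> $FileSecrets` writes the password unescaped, so a password containing a double quote produces a malformed secrets line; document that restriction or escape it.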
Line 307: Line 117:
  local p2_proposal   local p2_proposal
  local pfs_group   local pfs_group
-  local lifetime 
  local encryption_algorithm   local encryption_algorithm
-  local local authentication_algorithm +  local authentication_algorithm 
-  + 
-  config_get local_subnet            "$sainfo"     local_subnet +  config_get local_subnet            "$1"           local_subnet 
-  config_get local_nat                "$sainfo"     local_nat "" +  config_get local_nat                "$1"           local_nat "" 
-  config_get remote_subnet            "$sainfo"     remote_subnet +  config_get remote_subnet            "$1"           remote_subnet 
-  config_get p2_proposal              "$sainfo"     p2_proposal+  config_get p2_proposal              "$1"           p2_proposal
  config_get pfs_group                "$p2_proposal" pfs_group   config_get pfs_group                "$p2_proposal" pfs_group
-  config_get lifetime                "$p2_proposal" lifetime 3600 
  config_get encryption_algorithm    "$p2_proposal" encryption_algorithm   config_get encryption_algorithm    "$p2_proposal" encryption_algorithm
  config_get authentication_algorithm "$p2_proposal" authentication_algorithm   config_get authentication_algorithm "$p2_proposal" authentication_algorithm
- +
  [[ "$local_nat" != "" ]] && local_subnet=$local_nat   [[ "$local_nat" != "" ]] && local_subnet=$local_nat
-  + 
-  if [ "$remote" = "$RoadWarriorRemote" ]; then + p2_proposal="${encryption_algorithm}-${authentication_algorithm}-${pfs_group}" 
-    let AnonSA=$AnonSA+1+ 
 +  echo "conn $ConfigName-$1" >> $FileConn 
 +  echo "  keyexchange=ikev1" >> $FileConn 
 +  echo "  left=$LocalGateway" >> $FileConn 
 +  echo "  right=$RemoteGateway" >> $FileConn 
 +  echo "  leftsubnet=$local_subnet" >> $FileConn 
 +  if [ "$AuthenticationMethod" = "psk" ]; then 
 +    echo "  authby=psk" >> $FileConn 
 +    echo "  rightsubnet=$remote_subnet" >> $FileConn 
 +# should be auto=route when going to 5.0.1 
 +    echo "  auto=start" >> $FileConn 
 +  elif [ "$AuthenticationMethod" = "xauth_psk_server" ]; then 
 +    echo "  authby=xauthpsk" >> $FileConn 
 +    echo "  xauth=server" >> $FileConn 
 +    echo "  modeconfig=pull" >> $FileConn 
 +    echo "  rightsourceip=$remote_subnet" >> $FileConn 
 +    echo "  auto=add" >> $FileConn
  fi   fi
-  [[ $AnonSA -eq 1 ]] &amp;&amp; echo "sainfo anonymous {" +  if [ &quot;$LocalIdentifier&quot; != "" ]; then 
-  if [ $AnonSA -eq 0 ]; then +    echo " leftid=$LocalIdentifier" >> $FileConn
-    CreateSA $local_subnet $remote_subnet $remote +
-    echo "sainfo address $local_subnet any address $remote_subnet any {"+
  fi   fi
-  if [ $AnonSA -lt 2 ]; then +  if [ "$RemoteIdentifier" != "" ]; then 
-    [[ "$remote_device" != "asa" ]] &&  echo "  pfs_group $pfs_group;"+    echo "  rightid=$RemoteIdentifier" &gt;&gt; $FileConn
-    echo "  lifetime time $lifetime sec;" +
-    echo &quot;  encryption_algorithm $encryption_algorithm;&quot; +
-    echo "  authentication_algorithm $authentication_algorithm;" +
-    echo "  compression_algorithm deflate;" +
-    echo "}"+
  fi   fi
-  if [ $AnonSA -eq 1 ]; then + 
-   echo "mode_cfg {+echo " auth=esp" >> $FileConn 
-   echo "  auth_source system;" + echo "  esp=$p2_proposal"; >> $FileConn 
-   echo "  conf_source local;" +  echo " ike=$Phase1Proposal" >> $FileConn 
-   [[ "$RoadWarriorDNS"   != "" ]] && echo " dns4 $RoadWarriorDNS;+ echo "  type=tunnel" >> $FileConn 
-   [[ "$RoadWarriorDomain" != "" ]] &amp;& echo default_domain \"$RoadWarriorDomain\";+
-   RoadWarriorSubnet $remote_subnet + 
-  fi +ConfigRemote() { 
-  if [ $AnonSA -gt 0 ]; then +  local enabled 
-    echo split_network include $local_subnet;"+  local gateway 
 +  local pre_shared_key 
 +  local authentication_method 
 +  local local_identifier 
 +  local remote_identifier 
 + 
 +  ConfigName=$1 
 + 
 +  config_get_bool enabled ";$1" enabled 0 
 + [[ "$enabled" == "0" ]] && return 
 + 
 +  config_get gateway              "$1" gateway 
 + config_get pre_shared_key        "$1" pre_shared_key 
 +  config_get authentication_method "$1" authentication_method 
 +  config_get local_identifier      &quot;$1" local_identifier 
 + config_get remote_identifier    "$1" remote_identifier 
 + 
 +  AuthenticationMethod=$authentication_method 
 +  LocalIdentifier=$local_identifier 
 +  RemoteIdentifier=$remote_identifier 
 + 
 +  RemoteGateway=$gateway 
 +  if [ "$RemoteGateway" = "any" ]; then 
 +    RemoteGateway="%any" 
 +    LocalGateway=`ip route get 1.1.1.1 | awk -F"src" '/src/{gsub(/ /,"");print $2}'` 
 + else 
 +    LocalGateway=`ip route get $RemoteGateway | awk -F";src" '/src/{gsub(/ /,"");print $2}'`
  fi   fi
 +  echo "$LocalGateway $RemoteGateway : PSK \"$pre_shared_key\"" >> $FileSecrets
 +
 +  Phase1Proposal=""
 +  config_list_foreach "$1" p1_proposal ConfigPhase1
 +  Phase1Proposal=`echo $Phase1Proposal | cut -b 2-`
 +
 +  config_list_foreach "$1" tunnel ConfigTunnel
} }
-  + 
-CertConfig() { +PrepareEnvironment() { 
-  local val +  for d in cacerts aacerts ocspcerts crls acerts; do 
-  local hash +    mkdir -p $FolderCerts/$d 2>/dev/null
-  +
-  for opt in key crt; do +
-    config_get val "$1" "$opt" "" +
-    if [ "$val" != "" ]; then +
-      echo $val | sed "s/-\+[A-Z ]\+-\+/\n&\n/g" \ +
-                | sed "s/.\{50,50\}/&\n/g" \ +
-                | sed "/^$/d" > $CertificatePath/$1.$opt +
-      chmod 600 $CertificatePath/$1.$opt +
-    fi+
  done   done
-  + 
-  hash=`openssl x509 -noout -hash -in $CertificatePath/$1.crt` +  if [ ! -L /etc/ipsec.d ]; then 
-  ln -s -f $CertificatePath/$1.crt $CertificatePath/$hash.0 +    rm -rf /etc/ipsec.d 2>/dev/null 
-+    ln -s $FolderCerts /etc/ipsec.d
-  +
-CheckEnvironment() { +
-  local prg +
-  for prg in /usr/bin/openssl /usr/sbin/ip; do +
-    if [ ! -x $prg ]; then +
-      echo "Error! $prg missing. Exit now." +
-      exit +
-    fi +
-  done +
-  +
-  mkdir -m 0700 -p /var/racoon +
-  mkdir -m 0700 -p $CertificatePath +
-+
-  +
-start() { +
-  local active=`ps | grep /usr/sbin/racoon | grep -v grep | wc -l` +
-  +
-  CheckEnvironment +
-  +
-  if [ $active -eq 0 -o "$1" = "force" ]; then +
-    rm $UserFile 2>/dev/null +
-    config_load users +
-    config_foreach UserConfig user+
  fi   fi
-  + 
-  config_load racoon +  if [ ! -L /etc/ipsec.secrets ]; then 
-  +    rm /etc/ipsec.secrets 2>/dev/null 
-  if [ $active -ne 0 -a "$1" != "force" ]; then +    ln -s $FileSecrets /etc/ipsec.secrets
-    PSKFile=/dev/null +
-    ConfigFile=/dev/null +
-  else +
-    config_foreach CertConfig certificate +
-    echo "# auto generated by /etc/init.d/racoon" > $PSKFile +
-    chmod 600 $PSKFile+
  fi   fi
-  + 
-  config_foreach MainConfig racoon > $ConfigFile +  if [ ! -L /etc/strongswan.conf ]; then 
-  if [ $MainConfigDone -eq 0 ]; then +    rm /etc/strongswan.conf 2>/dev/null 
-    MainConfig XXX > $ConfigFile+    ln -s $FileCommon /etc/strongswan.conf
  fi   fi
-  + 
-  echo "flush; spdflush;" | setkey -c +  if [ ! -L /etc/ipsec.conf ]; then 
-  config_foreach TunnelConfig tunnel >> $ConfigFile +    rm /etc/ipsec.conf 2&gt;/dev/null 
-  +    ln -s $FileConn /etc/ipsec.conf
-  if [ $active -eq 0 ]; then +
-    /usr/sbin/racoon $CallParameters -f $ConfigFile +
-  elif [ &quot;$1" = "force" ]; then +
-    racoonctl reload-config+
  fi   fi
 +
 +
 +  echo "# generated by /etc/init.d/ipsec" > $FileConn
 +  echo "version 2" > $FileConn
 +  echo "config setup" >> $FileConn
 +  echo "  charondebug = \"ike 2,knl 2\"" >> $FileConn
 +
 +  echo "# generated by /etc/init.d/ipsec" > $FileSecrets
} }
-  
-stop() { 
-  pid=`ps | grep /usr/sbin/racoon | grep -v grep | awk '{ print $1}'` 
-  [[ "$pid" != "" ]] && kill $pid 
-  echo "flush; spdflush;" | setkey -c 
-} 
-  
-restart() { 
-  start force 
-} 
-</code> 
-Before you start racoon with the web interface you should make a dry run from command line. Enable forground operation in /etc/config/racoon by setting **option 'foreground' '1'** in section racoon and call **/etc/init.d/racoon start**. This will show you if there are any errors in your generated configuration file **/var/racoon/racoon.conf**. Afterwards you can control startup behaviour with LuCI.+CheckInstallation() { 
 +  if [ ! -x /usr/sbin/ip ]; then 
 +    echo /usr/sbin/ip missing 
 +    echo install with \"opkg install ip\" 
 +    exit 
 +  fi
-{{:doc:howto:ipsec_racoon.png|}}+  for f in aes authenc cbc hmac md5 sha1; do 
 +    if [ `opkg list kmod-crypto-$f | wc -l` -eq 0 ]; then 
 +      echo kmod-crypto-$f missing 
 +      echo install with  \"opkg install kmod-crypto-$f --nodeps\" 
 +      exit 
 +    fi 
 +  done
-An automatic reload of security policies after a router reconnect is very helpful. Luckily pppd will call all scripts in /etc/ppp/ip-up.d after pppoe-wan is up again. Create a small script in this directory that calls the racoon init script. If it detects that racoon is running already it will only set the security policies.+  for f in aes gmp hmac kernel-netlink md5 random sha1 updown attr resolve; do 
 +    if [ ! -f /usr/lib/ipsec/plugins/libstrongswan-${f}.so ]; then 
 +      echo /usr/lib/ipsec/plugins/$f missing 
 +      echo install with \"opkg install strongswan-mod-$f --nodeps\" 
 +      exit 
 +    fi 
 +  done 
 +}
-<code bash> +start() { 
-#!/bin/sh + CheckInstallation 
-#/etc/ppp/ip-up.d/racoon + PrepareEnvironment
-/etc/init.d/racoon start +
-</code>+
-Another way to reload racoon when the wan IP changes and we are not using ppp, is creating a script like this in /etc/hotplug.d/iface/35-racoon+  config_load users 
 +  config_foreach ConfigUser user
-<code bash> +  config_load ipsec 
-#!/bin/sh+ config_foreach ConfigRemote remote
-ListenInterface() { +  /usr/sbin/ipsec start
-  local iface="$1" +
-  if [ "$INTERFACE" = "$iface" ]; then +
-    /etc/init.d/racoon restart +
-  fi+
} }
-RacoonInstance() { +stop() { 
-  config_list_foreach "$1" listen ListenInterface+  /usr/sbin/ipsec stop
} }
- 
-if [ "$ACTION" = "ifup" ]; then 
-  config_load racoon 
-  config_foreach RacoonInstance racoon 
-fi 
</code> </code>
 +
 +Before you start Charon with the web interface you should make a dry run from command line. This will show you if there are any errors in your generated configuration file **/etc/ipsec.conf**. Afterwards you can control startup behaviour with LuCI.
 +
 +{{:doc:howto:ipsec_daemon.png|}}
===== Hardware performance ===== ===== Hardware performance =====
-In the times of broadband internet connections encryption and decryption speed of routers can limit throughput of VPN tunnels. CPU utilization maxes out at 100 percent and impacts other services of the device like a web server. If you really want to go with a self made IPsec VPN on a cheap router you should consider some facts+In the times of broadband internet connections encryption and decryption speed of SOME low-end routers can limit throughput of VPN tunnels. CPU utilization can max out at 100 percent and impacts other services of the device like a web server. FOR REFERENCE: Strongswan will run just FINE on a WNDR3700 (MIPS 680 Mhz, 64 Mb RAM). If your router is underpowered, here are some other options:
  * Older firewall devices with hardware accelerated VPN are sold for a few bucks on Ebay. Juniper Netscreen 5GT for example can easily reach a VPN throughput of 20 MBit/sec. Downside is that firmware updates are only possible with a Juniper support contract. So check twice for a bargain.   * Older firewall devices with hardware accelerated VPN are sold for a few bucks on Ebay. Juniper Netscreen 5GT for example can easily reach a VPN throughput of 20 MBit/sec. Downside is that firmware updates are only possible with a Juniper support contract. So check twice for a bargain.
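Review bot: the rewrite drops the only protections the racoon version had on generated secrets. `mkdir -m 0700 -p /var/racoon` and `chmod 600 $PSKFile` are removed, while PrepareEnvironment now runs a plain `mkdir -p $FolderCerts/$d` and creates the secrets file with `echo "# generated by /etc/init.d/ipsec" > $FileSecrets`, so pre-shared keys and XAUTH passwords land in /var/ipsec with whatever mode the umask gives; add `umask 077` at the start of start() or chmod 600 the file after writing it. Further points in the same hunk: `echo "version 2" > $FileConn` uses `>` immediately after the comment header was written with `>`, so the header is truncated away (use `>>`); `opkg list kmod-crypto-$f | wc -l` counts available packages, not installed ones, so CheckInstallation passes whenever a feed is reachable (use `opkg list-installed`); `rm -rf /etc/ipsec.d` followed by a symlink into /var deletes any certificates an admin placed there and contradicts the earlier line calling /etc/ipsec.d the folder for certificates; and /etc/strongswan.conf is symlinked to $FileCommon, which nothing in the script ever writes. As rendered, the diff shows `echo "  esp=$p2_proposal"; >> $FileConn` and `config_get_bool enabled ";$1" enabled 0`; if those semicolons are in the wiki source rather than a rendering artefact, the esp= line goes to stdout and the section name gets a `;` prefix, so copy the script from the page source, not from this diff view. Finally, the dry-run paragraph no longer names a command after the foreground option was dropped; say `/etc/init.d/ipsec start` there, and mention that `charondebug = "ike 2,knl 2"` in the generated config setup is a debugging level to lower once the tunnel works.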
Line 515: Line 332:
  * compile an image for your router once   * compile an image for your router once
  * put the mcespi.c into the the folder build_dir/linux-<arch>/linux-<X.Y.Z>/crypto   * put the mcespi.c into the the folder build_dir/linux-<arch>/linux-<X.Y.Z>/crypto
-  * Include the line **obj-$(CONFIG_CRYPTO_AES) += mcespi.o** into build_dir/linux-<arch>/linux-<X.Y.Z>/crypto/Makefile+  * Include the line **obj-$(CONFIG_CRYPTO_MD5) += mcespi.o** into build_dir/linux-<arch>/linux-<X.Y.Z>/crypto/Makefile
  * compile the image once again.   * compile the image once again.
  * Afterwards you will find build_dir/linux-<arch>/linux-<X.Y.Z>/crypto/mcespi.ko   * Afterwards you will find build_dir/linux-<arch>/linux-<X.Y.Z>/crypto/mcespi.ko
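Review bot: the Makefile line changes from `obj-$(CONFIG_CRYPTO_AES) += mcespi.o` to `obj-$(CONFIG_CRYPTO_MD5) += mcespi.o` with no explanation. Since the surrounding steps are about building the mcespi crypto object into the kernel, the page should say why the object is now gated on the MD5 config symbol and what happens on a kernel built without CONFIG_CRYPTO_MD5; otherwise a reader following the older instructions cannot tell which symbol is correct.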
Line 530: Line 347:
</code> </code>
-===== OpenSSL Tuning =====+===== What's next =====
-While talking about performance optimization there is also room for some improvement for non-VPN encrpytion scenarios. With newer versions of OpenSSL more and more assembler encryption and decryption routines are included. [[http://cvs.openssl.org/chngview?cn=21708|Check-in 21708]] provides those for MIPS architecture and the 1.0.1 branch . Porting some of the assembler routines to OpenSSL 0.9.8p for ar71xx (Backfire 10.06.01-rc6) involves the following steps in the [[about:toolchain|buildroot environment]]:+After the basic setup you should continue with the [[vpn.ipsec.firewall|firewall modifications]].
-  * Remove build_dir/target_xxx/openssl-0.9.8p/* +===== Current Issues ===== 
- +The latest trunk includes Strongswan 5.1.1-1. It will compile if you remove curl, but will not run due to a module loading issue.  
-  * Remove line OPENSSL_OPTIONS += no-perlasm from package/openssl/Makefile +One workaround is to configure the charon.load string in strongswan.conf, which explicitly loads the modules you want/need.
- +
-  * Replace "${no_asm}" with ":::aes_cbc.o aes-mips.o:::::::" in file package/openssl/patches/110-optimize-for-size.patch. Do not use quotation marks and ensure that you include those 10 colons. +
- +
-  * Start build process for first time with make package/openssl/compile V=99. This process will stop with an error+
- +
-  * Copy crypto/aes/asm/aes-mips.pl from OpenSLL 1.0.1 sources and store it into the newly created build_dir/target_xxx/openssl-0.9.8p/crypto/aes/asm folder.  +
- +
-  * Modify build_dir/target_xxx/openssl-0.9.8p/crypto/aes/Makefile and insert two lines (the second one starts with a tab)+
 +Example:
<code> <code>
-aes-mips.s: asm/aes-mips.pl +Charon { 
-        $(PERL) asm/aes-mips.pl > $@+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp 
 +....
</code> </code>
-  * Restart build process with make package/openssl/compile V=99. It will complete without errors this time.+===== Tag =====
-  * Copy build_dir/target_xxx/openssl-0.9.8p/libcrypto.so.0.9.8 to your router+{{tag>crypto}}
-Comparing benchmark numbers before and afterwards with **openssl speed** gives a speedup of about 8% for aes-128-cbc and about 5% for aes-256-cbc. 
- 
- 
-===== What's next ===== 
- 
-After the basic setup you should continue with the [[vpn.ipsec.firewall|firewall modifications]]. 
- 
-===== Tag ===== 
- 
-{{tag>crypto}} 
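Review bot: the strongswan.conf example under Current Issues opens the section as `Charon {`; strongswan documents the section as lowercase `charon`, and section names are matched case-sensitively, so the `load =` line as shown would not take effect. The workaround also conflicts with the init script above, which replaces /etc/strongswan.conf with a symlink to /var/ipsec/strongswan.conf (FileCommon) that the script never generates: a charon.load line added to /etc/strongswan.conf therefore ends up on volatile storage and is gone after a reboot. Either have PrepareEnvironment write $FileCommon with the load line, or drop that symlink. The plugin list in the example (des, sha2, pem, pkcs1, nonce, x509, revocation, stroke, socket-default, farp, dhcp) also differs from the one CheckInstallation insists on (aes gmp hmac kernel-netlink md5 random sha1 updown attr resolve); the two should agree.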

doc/howto/vpn.ipsec.basics.1356102210.txt.bz2 · Last modified: 2012/12/21 16:03 by miceliux