doc:howto:vpn.ipsec.basics

doc:howto:vpn.ipsec.basics [2013/01/29 14:46]
birnenschnitzel
doc:howto:vpn.ipsec.basics [2014/03/23 07:07] (current)
jaf323
Line 1: Line 1:
 ====== IPsec Basics ====== ====== IPsec Basics ======
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/​howto/​vpn.overview]] |
  
 :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.basics.racoon|here]]. :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.basics.racoon|here]].
  
-A quick starters quide based on Backfire ​12.09. Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Hopefully it will ecourage other people to use Openwrt as an IPsec VPN router. We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. If you came here for informations about [[http://​www.openswan.org|Openswan]] on OpenWrt you may be disappointed. This guide is only about strongswan.+A quick starters quide based on OpenWrt Attitude Adjustment ​12.09. Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Hopefully it will ecourage other people to use Openwrt as an IPsec VPN router. We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. If you came here for informations about [[http://​www.openswan.org|Openswan]] on OpenWrt you may be disappointed. This guide is only about strongswan.
  
 ===== Packages ===== ===== Packages =====
  
-If not already installed on your router you need the at least those packages. **Ensure that you use strongswan 5.0.or higher**. ​Several severe bugs have been fixed in Charon that nowadays handles IKEv1 connections.+If not already installed on your router you need the at least those packages. **Ensure that you use strongswan 5.0.or higher**. ​Older versions will not work due to differences ​in configuration handling.
  
-  * strongswan-full 5.0.1: everything needed for IPsec tunnels ​+  * strongswan-full 5.0.0: everything needed for IPsec tunnels ​
   * ip: Required to make scripting easier   * ip: Required to make scripting easier
   * iptables-mod-nat-extra:​ For VPN networks with [[vpn.ipsec.overlappingsubnets|overlapping IP addresses]]   * iptables-mod-nat-extra:​ For VPN networks with [[vpn.ipsec.overlappingsubnets|overlapping IP addresses]]
   * djbdns-utils:​ for simpler name resolving than old "​nslookup | awk" thing (may also be named djbdns-tools)   * djbdns-utils:​ for simpler name resolving than old "​nslookup | awk" thing (may also be named djbdns-tools)
  
-Altogehter those packages will eat up about MB of your router'​s flash memory. Maybe it is time for an [[extroot]] installation?​+Altogehter those packages will eat up about MB of your router'​s flash memory. Maybe it is time for an [[extroot]] installation?​
  
  
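Review bot: the new revision keeps the gap in "Altogehter those packages will eat up about MB of your router's flash memory" (the size figure is missing on both sides), and the typos "quide", "ecourage", "informations", "Altogehter" and the phrase "you need the at least those packages" survive unchanged; since the paragraph is being rewritten anyway, fill in the number and fix the spelling. The package entry dropping from 5.0.1 to 5.0.0 is consistent with the bold "5.0 or higher" requirement, but that requirement itself reads "5.0.or higher" (missing space).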
Line 31: Line 32:
   * **/​etc/​config/​ipsec**:​ The OpenWrt configuration file for racoon   * **/​etc/​config/​ipsec**:​ The OpenWrt configuration file for racoon
   * **/​etc/​init.d/​ipsec**:​ The Strongswan start script. It will generate the required configuration files for racoon   * **/​etc/​init.d/​ipsec**:​ The Strongswan start script. It will generate the required configuration files for racoon
-  * **/​etc/​ipsec.conf**:​ The generated ​racoon ​config+  * **/​etc/​ipsec.conf**:​ The generated ​Strongswan ​config
   * **/​var/​ipsec.secrets** : The generated file with preshared keys   * **/​var/​ipsec.secrets** : The generated file with preshared keys
    
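Review bot: only the /etc/ipsec.conf bullet was switched from "racoon" to "Strongswan"; the two context lines above it still describe /etc/config/ipsec as "The OpenWrt configuration file for racoon" and /etc/init.d/ipsec as generating "the required configuration files for racoon", which contradicts the note at the top that this page is about strongswan, not racoon. Update both bullets to say Strongswan.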
Line 37: Line 38:
  
 <​code>​ <​code>​
-#/​etc/​config/​racoon +#/​etc/​config/​ipsec 
-config 'remove' '​ACME'​+config 'remote' '​ACME'​
   option '​enabled'​ '​1'​   option '​enabled'​ '​1'​
   option '​gateway'​ '​1.2.3.4'​   option '​gateway'​ '​1.2.3.4'​
Line 49: Line 50:
   ...   ...
  
-config 'tunnel' '​Yabadoo'​+config 'remote' '​Yabadoo'​
   option '​enabled'​ '​1'​   option '​enabled'​ '​1'​
   option '​gateway'​ '​5.6.7.8'​   option '​gateway'​ '​5.6.7.8'​
Line 63: Line 64:
 <code bash> <code bash>
 #!/bin/sh /​etc/​rc.common #!/bin/sh /​etc/​rc.common
-#/​etc/​init.d/​ipsec - version ​2+#/​etc/​init.d/​ipsec - version ​4
  
 NAME=ipsec NAME=ipsec
Line 139: Line 140:
     echo " ​ authby=psk"​ >> $FileConn     echo " ​ authby=psk"​ >> $FileConn
     echo " ​ rightsubnet=$remote_subnet"​ >> $FileConn     echo " ​ rightsubnet=$remote_subnet"​ >> $FileConn
-    ​echo " ​ auto=route" >> $FileConn+# should be auto=route when going to 5.0.1 
 +    ​echo " ​ auto=start" >> $FileConn
   elif [ "​$AuthenticationMethod"​ = "​xauth_psk_server"​ ]; then   elif [ "​$AuthenticationMethod"​ = "​xauth_psk_server"​ ]; then
     echo " ​ authby=xauthpsk"​ >> $FileConn     echo " ​ authby=xauthpsk"​ >> $FileConn
Line 147: Line 149:
     echo " ​ auto=add"​ >> $FileConn     echo " ​ auto=add"​ >> $FileConn
   fi   fi
-  ​echo $ExchangeMode +  if [ "$LocalIdentifier" ​!= ""​ ]; then 
-  ​if [ "$ExchangeMode" = "main" ]; then +    echo "  ​leftid=$LocalIdentifier" >> $FileConn 
-    echo "  ​aggressive ​no" >> $FileConn +  ​fi 
-  ​else +  if [ "​$RemoteIdentifier"​ != ""​ ]; then 
-    echo "  ​aggressive ​yes" >> $FileConn+    echo "  ​rightid=$RemoteIdentifier" >> $FileConn
   fi   fi
-  [[ "​$MyIdentifier"​ != ""​ ]] && echo " ​ leftid=$MyIdentifier"​ >> $FileConn 
  
 #  echo " ​ auth=esp"​ >> $FileConn #  echo " ​ auth=esp"​ >> $FileConn
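Review bot: removing the exchange_mode branch silently drops aggressive mode support. That is the safer outcome, since strongSwan defaults to aggressive=no and IKEv1 aggressive mode with PSK sends the identity hash before encryption, which exposes the PSK to offline guessing, but an "exchange_mode" option still present in an existing /etc/config/ipsec stanza is now ignored without any message, so mention the removal where the config options are described. Dropping the stray "echo $ExchangeMode" debug output and replacing the non-POSIX "[[ ... ]]" test with "[ ... ]" is right for a "#!/bin/sh /etc/rc.common" script.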
Line 159: Line 160:
   echo " ​ ike=$Phase1Proposal"​ >> $FileConn   echo " ​ ike=$Phase1Proposal"​ >> $FileConn
   echo " ​ type=tunnel"​ >> $FileConn   echo " ​ type=tunnel"​ >> $FileConn
-  echo " ​ dpdaction=restart"​ >> $FileConn 
 } }
  
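Review bot: dropping "dpdaction=restart" leaves the connection with strongSwan's default of dpdaction=none, which disables dead peer detection altogether, so a peer that reboots or loses connectivity is not noticed and, combined with the switch to auto=start above, the tunnel is not re-established on its own. If the option was removed because it misbehaved on 5.0.0, say so in a comment; otherwise keep it, together with a dpddelay value.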
Line 167: Line 167:
   local pre_shared_key   local pre_shared_key
   local authentication_method   local authentication_method
-  local my_identifier+  local local_identifier 
 +  local remote_identifier
  
   ConfigName=$1   ConfigName=$1
Line 177: Line 178:
   config_get pre_shared_key ​       "​$1"​ pre_shared_key   config_get pre_shared_key ​       "​$1"​ pre_shared_key
   config_get authentication_method "​$1"​ authentication_method   config_get authentication_method "​$1"​ authentication_method
-  config_get ​exchange_mode ​        "​$1" ​exchange_mode "​main"​ +  config_get ​local_identifier ​     ​"​$1" ​local_identifier 
-  config_get ​my_identifier ​        "​$1" ​my_identifier ""​+  config_get ​remote_identifier ​    "​$1" ​remote_identifier
  
   AuthenticationMethod=$authentication_method   AuthenticationMethod=$authentication_method
-  ​ExchangeMode=$exchange_mode +  ​LocalIdentifier=$local_identifier 
-  ​MyIdentifier=$my_identifier+  ​RemoteIdentifier=$remote_identifier
  
   RemoteGateway=$gateway   RemoteGateway=$gateway
Line 229: Line 230:
   echo "​version 2" > $FileConn   echo "​version 2" > $FileConn
   echo "​config setup" >> $FileConn   echo "​config setup" >> $FileConn
 +  echo " ​ charondebug = \"ike 2,knl 2\""​ >> $FileConn
  
   echo "# generated by /​etc/​init.d/​ipsec"​ > $FileSecrets   echo "# generated by /​etc/​init.d/​ipsec"​ > $FileSecrets
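Review bot: the script now hard-codes "charondebug = \"ike 2,knl 2\"" into the generated ipsec.conf, so every router runs at debug level 2 for the IKE and kernel subsystems and the setting cannot be changed by editing the file, which is regenerated on each start. Make it a UCI option with a default of the normal level, or leave it out and document it as a troubleshooting step. Also, every other line this script writes uses "key=value" without spaces around "=" (authby=psk, type=tunnel, ...), so write this one the same way for consistency.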
Line 239: Line 241:
     exit     exit
   fi   fi
 +
 +  for f in aes authenc cbc hmac md5 sha1; do
 +    if [ `opkg list kmod-crypto-$f | wc -l` -eq 0 ]; then
 +      echo kmod-crypto-$f missing
 +      echo install with  \"opkg install kmod-crypto-$f --nodeps\"​
 +      exit
 +    fi
 +  done
  
   for f in aes gmp hmac kernel-netlink md5 random sha1 updown attr resolve; do   for f in aes gmp hmac kernel-netlink md5 random sha1 updown attr resolve; do
     if [ ! -f /​usr/​lib/​ipsec/​plugins/​libstrongswan-${f}.so ]; then     if [ ! -f /​usr/​lib/​ipsec/​plugins/​libstrongswan-${f}.so ]; then
       echo /​usr/​lib/​ipsec/​plugins/​$f missing       echo /​usr/​lib/​ipsec/​plugins/​$f missing
-      echo install with \"opkg install ​strongswan4-mod-$f --nodeps\"​+      echo install with \"opkg install ​strongswan-mod-$f --nodeps\"​
       exit       exit
     fi     fi
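Review bot: "opkg list kmod-crypto-$f" lists packages known from the downloaded package lists, not installed ones, so once "opkg update" has run the check passes as soon as the package exists in the repository even if it was never installed; use "opkg list-installed kmod-crypto-$f" to test for presence. Both loops also end with a bare "exit", which returns the status of the preceding echo (0), so "/etc/init.d/ipsec start" reports success on a missing module; use "exit 1". And advising "--nodeps" in both install hints skips dependency resolution; unless there is a known dependency problem that requires it, drop the flag from the message.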
Line 273: Line 283:
 ===== Hardware performance ===== ===== Hardware performance =====
  
-In the times of broadband internet connections encryption and decryption speed of routers can limit throughput of VPN tunnels. CPU utilization ​maxes out at 100 percent and impacts other services of the device like a web server. ​If you really want to go with a self made IPsec VPN on a cheap router ​you should consider ​some facts+In the times of broadband internet connections encryption and decryption speed of SOME low-end ​routers can limit throughput of VPN tunnels. CPU utilization ​can max out at 100 percent and impacts other services of the device like a web server. ​FOR REFERENCE: Strongswan will run just FINE on a WNDR3700 (MIPS 680 Mhz, 64 Mb RAM). If your router ​is underpowered,​ here are some other options:
  
   * Older firewall devices with hardware accelerated VPN are sold for a few bucks on Ebay. Juniper Netscreen 5GT for example can easily reach a VPN throughput of 20 MBit/sec. Downside is that firmware updates are only possible with a Juniper support contract. So check twice for a bargain.   * Older firewall devices with hardware accelerated VPN are sold for a few bucks on Ebay. Juniper Netscreen 5GT for example can easily reach a VPN throughput of 20 MBit/sec. Downside is that firmware updates are only possible with a Juniper support contract. So check twice for a bargain.
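Review bot: the all-caps words (SOME, FOR REFERENCE, FINE) read as shouting in a wiki article; use normal case. Units: the WNDR3700 figures should read "MHz" and "MB" rather than "Mhz" and "Mb" (Mb is megabits).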
Line 340: Line 350:
  
 After the basic setup you should continue with the [[vpn.ipsec.firewall|firewall modifications]]. After the basic setup you should continue with the [[vpn.ipsec.firewall|firewall modifications]].
 +
 +===== Current Issues =====
 +The latest trunk includes Strongswan 5.1.1-1. It will compile if you remove curl, but will not run due to a module loading issue. ​
 +One workaround is to configure the charon.load string in strongswan.conf,​ which explicitly loads the modules you want/need.
 +
 +Example:
 +<​code>​
 +Charon {
 +   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
 +....
 +</​code>​
  
 ===== Tag ===== ===== Tag =====
  
 {{tag>​crypto}} {{tag>​crypto}}
 +
  
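Review bot: in strongswan.conf the section is spelled lowercase "charon", and the snippet should close with "}" instead of "....". Setting "load" explicitly replaces strongSwan's default plugin list, so anything not named is not loaded: the list here lacks "resolve", which the init script's plugin check earlier on this page (the libstrongswan-${f}.so loop) treats as required. Also state which 5.1.1-1 module loading issue this works around and what "remove curl" refers to (a build option or a package dependency), since the reader cannot tell from the text.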
doc/howto/vpn.ipsec.basics.1359467185.txt.bz2 · Last modified: 2013/01/29 14:46 by birnenschnitzel