Differences
This shows you the differences between two versions of the page.
Old revision: doc:howto:vpn.ipsec.basics [2013/01/29 14:46] birnenschnitzel
New revision: doc:howto:vpn.ipsec.basics [2013/05/05 11:49] (current) birnenschnitzel
| Line 3: | Line 3: | ||
| :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.basics.racoon|here]]. | :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.basics.racoon|here]]. | ||
| - | A quick starters quide based on Backfire 12.09. Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Hopefully it will ecourage other people to use Openwrt as an IPsec VPN router. We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. If you came here for informations about [[http://www.openswan.org|Openswan]] on OpenWrt you may be disappointed. This guide is only about strongswan. | + | A quick starters quide based on OpenWrt Attitude Adjustment 12.09. Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Hopefully it will ecourage other people to use Openwrt as an IPsec VPN router. We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. If you came here for informations about [[http://www.openswan.org|Openswan]] on OpenWrt you may be disappointed. This guide is only about strongswan. |
| ===== Packages ===== | ===== Packages ===== | ||
| - | If not already installed on your router you need the at least those packages. **Ensure that you use strongswan 5.0.1 or higher**. Several severe bugs have been fixed in Charon that nowadays handles IKEv1 connections. | + | If not already installed on your router you need the at least those packages. **Ensure that you use strongswan 5.0.0 or higher**. Older versions will not work due to differences in configuration handling. |
| - | * strongswan-full 5.0.1: everything needed for IPsec tunnels | + | * strongswan-full 5.0.0: everything needed for IPsec tunnels |
| * ip: Required to make scripting easier | * ip: Required to make scripting easier | ||
| * iptables-mod-nat-extra: For VPN networks with [[vpn.ipsec.overlappingsubnets|overlapping IP addresses]] | * iptables-mod-nat-extra: For VPN networks with [[vpn.ipsec.overlappingsubnets|overlapping IP addresses]] | ||
| * djbdns-utils: for simpler name resolving than old "nslookup | awk" thing (may also be named djbdns-tools) | * djbdns-utils: for simpler name resolving than old "nslookup | awk" thing (may also be named djbdns-tools) | ||
| - | Altogehter those packages will eat up about 2 MB of your router's flash memory. Maybe it is time for an [[extroot]] installation? | + | Altogehter those packages will eat up about 4 MB of your router's flash memory. Maybe it is time for an [[extroot]] installation? |
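Review bot: Lowering the requirement to "strongswan 5.0.0 or higher" contradicts the comment that stays in the init script ("should be auto=route when going to 5.0.1") and drops the earlier justification (Charon fixes for IKEv1) without replacing it; state which version the script actually targets and why, and if 5.0.0 is accepted, say that auto=start is the workaround for it. The flash estimate doubles from about 2 MB to about 4 MB with no explanation; a one-line note on what was measured would help. Both columns still carry "quide", "ecourage", "informations", "you need the at least those packages" and "Altogehter"; fix them in the same edit.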
| Line 31: | Line 31: | ||
| * **/etc/config/ipsec**: The OpenWrt configuration file for racoon | * **/etc/config/ipsec**: The OpenWrt configuration file for racoon | ||
| * **/etc/init.d/ipsec**: The Strongswan start script. It will generate the required configuration files for racoon | * **/etc/init.d/ipsec**: The Strongswan start script. It will generate the required configuration files for racoon | ||
| - | * **/etc/ipsec.conf**: The generated racoon config | + | * **/etc/ipsec.conf**: The generated Strongswan config |
| * **/var/ipsec.secrets** : The generated file with preshared keys | * **/var/ipsec.secrets** : The generated file with preshared keys | ||
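Review bot: Only "/etc/ipsec.conf: The generated Strongswan config" was relabelled; the two lines above still describe /etc/config/ipsec as "The OpenWrt configuration file for racoon" and say the start script generates "the required configuration files for racoon", although the page header says this page is about strongswan. Rename those too, and note next to /var/ipsec.secrets that it holds the pre-shared keys in clear text and must not be world-readable.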
| Line 37: | Line 37: | ||
| <code> | <code> | ||
| - | #/etc/config/racoon | + | #/etc/config/ipsec |
| - | config 'remove' 'ACME' | + | config 'remote' 'ACME' |
| option 'enabled' '1' | option 'enabled' '1' | ||
| option 'gateway' '1.2.3.4' | option 'gateway' '1.2.3.4' | ||
| Line 49: | Line 49: | ||
| ... | ... | ||
| - | config 'tunnel' 'Yabadoo' | + | config 'remote' 'Yabadoo' |
| option 'enabled' '1' | option 'enabled' '1' | ||
| option 'gateway' '5.6.7.8' | option 'gateway' '5.6.7.8' | ||
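Review bot: Changing this section type to 'remote' and fixing 'remove' in the block at Line 37 makes both examples consistent, but the code that walks these sections is not part of this diff; confirm it selects 'remote' as well, otherwise neither example produces a conn. The example gateways 1.2.3.4 and 5.6.7.8 are routable public addresses; the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) would stop readers from pasting real hosts into their config.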
| Line 63: | Line 63: | ||
| <code bash> | <code bash> | ||
| #!/bin/sh /etc/rc.common | #!/bin/sh /etc/rc.common | ||
| - | #/etc/init.d/ipsec - version 2 | + | #/etc/init.d/ipsec - version 4 |
| NAME=ipsec | NAME=ipsec | ||
| Line 139: | Line 139: | ||
| echo " authby=psk" >> $FileConn | echo " authby=psk" >> $FileConn | ||
| echo " rightsubnet=$remote_subnet" >> $FileConn | echo " rightsubnet=$remote_subnet" >> $FileConn | ||
| - | echo " auto=route" >> $FileConn | + | # should be auto=route when going to 5.0.1 |
| + | echo " auto=start" >> $FileConn | ||
| elif [ "$AuthenticationMethod" = "xauth_psk_server" ]; then | elif [ "$AuthenticationMethod" = "xauth_psk_server" ]; then | ||
| echo " authby=xauthpsk" >> $FileConn | echo " authby=xauthpsk" >> $FileConn | ||
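Review bot: The "# should be auto=route when going to 5.0.1" comment documents a workaround that is now the shipped behaviour, because the Packages section of this same revision accepts 5.0.0. With auto=start the conn is initiated once when the daemon starts and is not brought back on its own after a peer outage, whereas auto=route installs a trap policy and negotiates the tunnel on demand whenever matching traffic appears. Either keep auto=route and require 5.0.1 (as the old Packages text did), or keep auto=start and make sure a dead-peer policy is still emitted so the tunnel recovers.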
| Line 147: | Line 148: | ||
| echo " auto=add" >> $FileConn | echo " auto=add" >> $FileConn | ||
| fi | fi | ||
| - | echo $ExchangeMode | + | if [ "$LocalIdentifier" != "" ]; then |
| - | if [ "$ExchangeMode" = "main" ]; then | + | echo " leftid=$LocalIdentifier" >> $FileConn |
| - | echo " aggressive = no" >> $FileConn | + | fi |
| - | else | + | if [ "$RemoteIdentifier" != "" ]; then |
| - | echo " aggressive = yes" >> $FileConn | + | echo " rightid=$RemoteIdentifier" >> $FileConn |
| fi | fi | ||
| - | [[ "$MyIdentifier" != "" ]] && echo " leftid=$MyIdentifier" >> $FileConn | ||
| # echo " auth=esp" >> $FileConn | # echo " auth=esp" >> $FileConn | ||
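Review bot: Removing the exchange_mode switch silently drops aggressive-mode support; the generated conn now always uses main mode, which is the right default for PSK authentication (IKEv1 aggressive mode sends the PSK-derived hash before the exchange is encrypted, so a captured handshake can be attacked offline), but the uci option 'exchange_mode' should be documented as removed so existing configs do not keep a now-ignored setting. The new leftid/rightid values are emitted unquoted, so an identifier containing spaces or '#' breaks the generated ipsec.conf; consider rejecting such values. Replacing the bash-only "[[ ]]" with "[ ]" is correct for BusyBox ash, and dropping the stray "echo $ExchangeMode" debug line is good.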
| Line 159: | Line 159: | ||
| echo " ike=$Phase1Proposal" >> $FileConn | echo " ike=$Phase1Proposal" >> $FileConn | ||
| echo " type=tunnel" >> $FileConn | echo " type=tunnel" >> $FileConn | ||
| - | echo " dpdaction=restart" >> $FileConn | ||
| } | } | ||
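Review bot: Dropping "dpdaction=restart" removes the only mechanism in the generated conn that re-establishes a tunnel after the peer disappears, and the same revision switches the PSK case to auto=start (Line 139), so a remote gateway that reboots leaves the tunnel down until /etc/init.d/ipsec is restarted. If it was removed because of the 5.0.0 issue, say so in a comment next to the auto= line; otherwise keep it and add a dpddelay so dead peers are actually detected.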
| Line 167: | Line 166: | ||
| local pre_shared_key | local pre_shared_key | ||
| local authentication_method | local authentication_method | ||
| - | local my_identifier | + | local local_identifier |
| + | local remote_identifier | ||
| ConfigName=$1 | ConfigName=$1 | ||
| Line 177: | Line 177: | ||
| config_get pre_shared_key "$1" pre_shared_key | config_get pre_shared_key "$1" pre_shared_key | ||
| config_get authentication_method "$1" authentication_method | config_get authentication_method "$1" authentication_method | ||
| - | config_get exchange_mode "$1" exchange_mode "main" | + | config_get local_identifier "$1" local_identifier |
| - | config_get my_identifier "$1" my_identifier "" | + | config_get remote_identifier "$1" remote_identifier |
| AuthenticationMethod=$authentication_method | AuthenticationMethod=$authentication_method | ||
| - | ExchangeMode=$exchange_mode | + | LocalIdentifier=$local_identifier |
| - | MyIdentifier=$my_identifier | + | RemoteIdentifier=$remote_identifier |
| RemoteGateway=$gateway | RemoteGateway=$gateway | ||
| Line 229: | Line 229: | ||
| echo "version 2" > $FileConn | echo "version 2" > $FileConn | ||
| echo "config setup" >> $FileConn | echo "config setup" >> $FileConn | ||
| + | echo " charondebug = \"ike 2,knl 2\"" >> $FileConn | ||
| echo "# generated by /etc/init.d/ipsec" > $FileSecrets | echo "# generated by /etc/init.d/ipsec" > $FileSecrets | ||
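Review bot: $FileSecrets is created with a plain ">" redirection, so its mode depends on the umask in effect when the init script runs; set "umask 077" before the echo (or chmod 600 the file immediately after creating it), because the file holds the pre-shared keys for every conn. The added "charondebug = \"ike 2,knl 2\"" is written unconditionally into every generated ipsec.conf; on a router that logs into a small syslog ring buffer this raises log volume permanently, so make it a uci option or leave the default and mention the line under troubleshooting instead.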
| Line 239: | Line 240: | ||
| exit | exit | ||
| fi | fi | ||
| + | |||
| + | for f in aes authenc cbc hmac md5 sha1; do | ||
| + | if [ `opkg list kmod-crypto-$f | wc -l` -eq 0 ]; then | ||
| + | echo kmod-crypto-$f missing | ||
| + | echo install with \"opkg install kmod-crypto-$f --nodeps\" | ||
| + | exit | ||
| + | fi | ||
| + | done | ||
| for f in aes gmp hmac kernel-netlink md5 random sha1 updown attr resolve; do | for f in aes gmp hmac kernel-netlink md5 random sha1 updown attr resolve; do | ||
| if [ ! -f /usr/lib/ipsec/plugins/libstrongswan-${f}.so ]; then | if [ ! -f /usr/lib/ipsec/plugins/libstrongswan-${f}.so ]; then | ||
| echo /usr/lib/ipsec/plugins/$f missing | echo /usr/lib/ipsec/plugins/$f missing | ||
| - | echo install with \"opkg install strongswan4-mod-$f --nodeps\" | + | echo install with \"opkg install strongswan-mod-$f --nodeps\" |
| exit | exit | ||
| fi | fi | ||
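Review bot: "opkg list kmod-crypto-$f | wc -l" counts packages the feeds offer, not packages that are installed, so the check passes as soon as the package lists exist and fails only on a router that has no package lists at all; use "opkg list-installed kmod-crypto-$f" so the test reflects what is actually on the device. The set "aes authenc cbc hmac md5 sha1" mirrors the strongswan plugin list below and covers only the ciphers used in the example; if Phase1Proposal names anything else (sha256, 3des) the matching kmod is never checked, so derive the list from the proposal or say that the check is for the example proposals only. The rename from "strongswan4-mod-$f" to "strongswan-mod-$f" matches the strongswan-full 5.x package naming.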
doc/howto/vpn.ipsec.basics.1359467185.txt.bz2 · Last modified: 2013/01/29 14:46 by birnenschnitzel
