doc:howto:vpn.ipsec.basics

This shows you the differences between two versions of the page.
doc:howto:vpn.ipsec.basics [2013/03/11 21:30]
birnenschnitzel
doc:howto:vpn.ipsec.basics [2014/03/23 07:07] (current)
jaf323
Line 1: Line 1:
 ====== IPsec Basics ====== ====== IPsec Basics ======
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/​howto/​vpn.overview]] |
  
 :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.basics.racoon|here]]. :!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.basics.racoon|here]].
  
-A quick starters quide based on Backfire ​12.09. Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Hopefully it will ecourage other people to use Openwrt as an IPsec VPN router. We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. If you came here for informations about [[http://​www.openswan.org|Openswan]] on OpenWrt you may be disappointed. This guide is only about strongswan.+A quick starters quide based on OpenWrt Attitude Adjustment ​12.09. Maybe it will save you and me time if one has to setup an IPsec VPN in the future. Hopefully it will ecourage other people to use Openwrt as an IPsec VPN router. We cannot provide a graphical user interface at the moment but at least it is a solid alternative to commercial IPsec appliances. If you came here for informations about [[http://​www.openswan.org|Openswan]] on OpenWrt you may be disappointed. This guide is only about strongswan.
  
 ===== Packages ===== ===== Packages =====
  
-If not already installed on your router you need the at least those packages. **Ensure that you use strongswan 5.0.or higher**. ​Several severe bugs have been fixed in Charon that nowadays handles IKEv1 connections.+If not already installed on your router you need the at least those packages. **Ensure that you use strongswan 5.0.or higher**. ​Older versions will not work due to differences ​in configuration handling.
  
-  * strongswan-full 5.0.1: everything needed for IPsec tunnels ​+  * strongswan-full 5.0.0: everything needed for IPsec tunnels ​
   * ip: Required to make scripting easier   * ip: Required to make scripting easier
   * iptables-mod-nat-extra:​ For VPN networks with [[vpn.ipsec.overlappingsubnets|overlapping IP addresses]]   * iptables-mod-nat-extra:​ For VPN networks with [[vpn.ipsec.overlappingsubnets|overlapping IP addresses]]
   * djbdns-utils:​ for simpler name resolving than old "​nslookup | awk" thing (may also be named djbdns-tools)   * djbdns-utils:​ for simpler name resolving than old "​nslookup | awk" thing (may also be named djbdns-tools)
  
-Altogehter those packages will eat up about MB of your router'​s flash memory. Maybe it is time for an [[extroot]] installation?​+Altogehter those packages will eat up about MB of your router'​s flash memory. Maybe it is time for an [[extroot]] installation?​
  
  
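Review bot: the Packages paragraph still reads "strongswan 5.0.or higher" (a digit is missing after "5.0.") and the footprint sentence still says "about MB" with no number; both survive this edit unchanged. The package bullet is changed from strongswan-full 5.0.1 to 5.0.0 while the init script comment further down still talks about "going to 5.0.1", so state the tested version in one place. The typos "quide", "ecourage", "informations" and "Altogehter" are carried over from the old revision and could be fixed in the same edit.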
Line 31: Line 32:
   * **/​etc/​config/​ipsec**:​ The OpenWrt configuration file for racoon   * **/​etc/​config/​ipsec**:​ The OpenWrt configuration file for racoon
   * **/​etc/​init.d/​ipsec**:​ The Strongswan start script. It will generate the required configuration files for racoon   * **/​etc/​init.d/​ipsec**:​ The Strongswan start script. It will generate the required configuration files for racoon
-  * **/​etc/​ipsec.conf**:​ The generated ​racoon ​config+  * **/​etc/​ipsec.conf**:​ The generated ​Strongswan ​config
   * **/​var/​ipsec.secrets** : The generated file with preshared keys   * **/​var/​ipsec.secrets** : The generated file with preshared keys
    
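Review bot: only the /etc/ipsec.conf bullet was changed from "racoon" to "Strongswan"; the two bullets above it still describe /etc/config/ipsec as "The OpenWrt configuration file for racoon" and the init script as generating "the required configuration files for racoon". Since the page header says it is about strongswan, all three bullets should be updated together.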
Line 49: Line 50:
   ...   ...
  
-config 'tunnel' '​Yabadoo'​+config 'remote' '​Yabadoo'​
   option '​enabled'​ '​1'​   option '​enabled'​ '​1'​
   option '​gateway'​ '​5.6.7.8'​   option '​gateway'​ '​5.6.7.8'​
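Review bot: renaming the UCI section type from 'tunnel' to 'remote' only works if the part of the init script that iterates over the sections (not shown in this diff) looks for the same type name; otherwise the script silently generates no conn entries. Show the matching script line or say explicitly that the loop was changed too.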
Line 63: Line 64:
 <code bash> <code bash>
 #!/bin/sh /​etc/​rc.common #!/bin/sh /​etc/​rc.common
-#/​etc/​init.d/​ipsec - version ​3+#/​etc/​init.d/​ipsec - version ​4
  
 NAME=ipsec NAME=ipsec
Line 139: Line 140:
     echo " ​ authby=psk"​ >> $FileConn     echo " ​ authby=psk"​ >> $FileConn
     echo " ​ rightsubnet=$remote_subnet"​ >> $FileConn     echo " ​ rightsubnet=$remote_subnet"​ >> $FileConn
-# should be auto=route ​sometimes+# should be auto=route ​when going to 5.0.1
     echo " ​ auto=start"​ >> $FileConn     echo " ​ auto=start"​ >> $FileConn
   elif [ "​$AuthenticationMethod"​ = "​xauth_psk_server"​ ]; then   elif [ "​$AuthenticationMethod"​ = "​xauth_psk_server"​ ]; then
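Review bot: the comment "should be auto=route when going to 5.0.1" now contradicts the package list, which this same edit changed from 5.0.1 to 5.0.0; either the note already applies or the list version is wrong. It would also help to state the behavioural difference the comment hints at: auto=start initiates the tunnel when the daemon starts, whereas auto=route installs the IPsec policy and negotiates on the first matching packet, so a tunnel that drops is re-established on demand instead of staying down.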
Line 147: Line 148:
     echo " ​ rightsourceip=$remote_subnet"​ >> $FileConn     echo " ​ rightsourceip=$remote_subnet"​ >> $FileConn
     echo " ​ auto=add"​ >> $FileConn     echo " ​ auto=add"​ >> $FileConn
 +  fi
 +  if [ "​$LocalIdentifier"​ != ""​ ]; then
 +    echo " ​ leftid=$LocalIdentifier"​ >> $FileConn
 +  fi
 +  if [ "​$RemoteIdentifier"​ != ""​ ]; then
 +    echo " ​ rightid=$RemoteIdentifier"​ >> $FileConn
   fi   fi
  
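Review bot: the new leftid/rightid values are written into the conn block unvalidated, so the expected identifier format (IP address, FQDN, e-mail style, or an "@"-prefixed literal) should be documented next to the local_identifier/remote_identifier options. Since /var/ipsec.secrets (listed earlier on this page) holds the generated pre-shared keys, a rightid that differs from the gateway address may require the matching secrets entry to use the same identifier; this diff does not show the secrets generation being updated.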
Line 160: Line 167:
   local pre_shared_key   local pre_shared_key
   local authentication_method   local authentication_method
 +  local local_identifier
 +  local remote_identifier
  
   ConfigName=$1   ConfigName=$1
Line 169: Line 178:
   config_get pre_shared_key ​       "​$1"​ pre_shared_key   config_get pre_shared_key ​       "​$1"​ pre_shared_key
   config_get authentication_method "​$1"​ authentication_method   config_get authentication_method "​$1"​ authentication_method
 +  config_get local_identifier ​     "​$1"​ local_identifier
 +  config_get remote_identifier ​    "​$1"​ remote_identifier
  
   AuthenticationMethod=$authentication_method   AuthenticationMethod=$authentication_method
 +  LocalIdentifier=$local_identifier
 +  RemoteIdentifier=$remote_identifier
  
   RemoteGateway=$gateway   RemoteGateway=$gateway
Line 270: Line 283:
 ===== Hardware performance ===== ===== Hardware performance =====
  
-In the times of broadband internet connections encryption and decryption speed of routers can limit throughput of VPN tunnels. CPU utilization ​maxes out at 100 percent and impacts other services of the device like a web server. ​If you really want to go with a self made IPsec VPN on a cheap router ​you should consider ​some facts+In the times of broadband internet connections encryption and decryption speed of SOME low-end ​routers can limit throughput of VPN tunnels. CPU utilization ​can max out at 100 percent and impacts other services of the device like a web server. ​FOR REFERENCE: Strongswan will run just FINE on a WNDR3700 (MIPS 680 Mhz, 64 Mb RAM). If your router ​is underpowered,​ here are some other options:
  
   * Older firewall devices with hardware accelerated VPN are sold for a few bucks on Ebay. Juniper Netscreen 5GT for example can easily reach a VPN throughput of 20 MBit/sec. Downside is that firmware updates are only possible with a Juniper support contract. So check twice for a bargain.   * Older firewall devices with hardware accelerated VPN are sold for a few bucks on Ebay. Juniper Netscreen 5GT for example can easily reach a VPN throughput of 20 MBit/sec. Downside is that firmware updates are only possible with a Juniper support contract. So check twice for a bargain.
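Review bot: "SOME" and "FINE" in capitals read as shouting in wiki prose; use the wiki's ** ** bold for emphasis. "64 Mb" should be "64 MB" (megabytes) and "Mhz" should be "MHz". The claim that the WNDR3700 runs "just FINE" would be more useful with a measured tunnel throughput, comparable to the 20 MBit/sec figure given for the Netscreen 5GT in the list below.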
Line 337: Line 350:
  
 After the basic setup you should continue with the [[vpn.ipsec.firewall|firewall modifications]]. After the basic setup you should continue with the [[vpn.ipsec.firewall|firewall modifications]].
 +
 +===== Current Issues =====
 +The latest trunk includes Strongswan 5.1.1-1. It will compile if you remove curl, but will not run due to a module loading issue. ​
 +One workaround is to configure the charon.load string in strongswan.conf,​ which explicitly loads the modules you want/need.
 +
 +Example:
 +<​code>​
 +Charon {
 +   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
 +....
 +</​code>​
  
 ===== Tag ===== ===== Tag =====
  
 {{tag>​crypto}} {{tag>​crypto}}
 +
  
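Review bot: in strongswan.conf the section name is lowercase "charon" and section names are case-sensitive, so the example as written with "Charon {" is not picked up by the daemon and the load list has no effect; change it to "charon {". Replace the "...." placeholder with the closing "}" so the snippet is valid, and say what "remove curl" refers to (the curl plugin in the package build options). Also note that an explicit charon.load list disables plugin autoloading, so every plugin the rest of this page relies on must be listed; for example the xauth_psk_server method used in the init script needs the xauth-generic plugin, which is missing from the given list.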
doc/howto/vpn.ipsec.basics.1363033836.txt.bz2 · Last modified: 2013/03/11 21:30 by birnenschnitzel