
Strongswan IPsec Configuration

strongSwan's charon IKE daemon can be configured through /etc/config/ipsec. This document is in an early alpha state.

Sections

ipsec

Name | Type | Required | Default | Description
zone | string | no | vpn | Firewall zone; must match a zone defined in /etc/config/firewall.
listen | list | yes | '' | Interface that accepts VPN traffic (empty for all interfaces; repeat the line once per interface to listen on several).

remote

Contains tunnel definition.

Name | Type | Required | Default | Description
enabled | boolean | yes | (none) | Whether this configuration is enabled.
gateway | ipaddr | yes | (none) | IP address or FQDN of the remote tunnel endpoint.
exchange_mode | string | no | main | Phase 1 negotiation mode (main, aggressive). With psk authentication, aggressive mode sends a hash derived from the PSK in the clear, so the PSK can be brute-forced offline; keep main unless the peer requires aggressive.
local_identifier | string | no | (none) | Local identifier for phase 1.
remote_identifier | string | no | (none) | Remote identifier for phase 1.
authentication_method | string | yes | (none) | Phase 1 authentication. The only allowed value at the moment is psk.
pre_shared_key | string | no | (none) | The pre-shared key for the tunnel if authentication_method is psk. It is stored in clear text, so keep /etc/config/ipsec readable by root only.
p1_proposal | list | yes | (none) | Name(s) of phase 1 proposal sections (see below).
tunnel | list | yes | (none) | Name(s) of tunnel sections holding the phase 2 definition (see below).

p1_proposal

Definition of phase 1 proposals

Name | Type | Required | Default | Description
encryption_algorithm | string | yes | (none) | Phase 1 encryption algorithm (aes128, aes192, aes256, 3des)
hash_algorithm | string | yes | (none) | Phase 1 hash algorithm (md5, sha1)
dh_group | string | yes | (none) | Diffie-Hellman group (modp768, modp1024, …)

Of the listed values, 3des, md5 and the modp768/modp1024 groups are considered weak; prefer an AES cipher with modp2048 or larger whenever the peer supports it.

tunnel

Contains the network definition per tunnel.

Name | Type | Required | Default | Description
local_subnet | subnet | yes | (none) | Local network
remote_subnet | subnet | yes | (none) | Remote network
local_nat | subnet | no | (none) | NAT range for tunnels with overlapping IP addresses
p2_proposal | string | yes | (none) | Name of the phase 2 proposal section (see below)

p2_proposal

Definition of phase 2 proposal

Name | Type | Required | Default | Description
pfs_group | string | yes | (none) | Comma separated list of Diffie-Hellman groups for perfect forward secrecy (can be omitted when the peer is a Cisco ASA)
encryption_algorithm | string | yes | (none) | Comma separated list of encryption algorithms (aes128, aes192, aes256, 3des)
authentication_algorithm | string | yes | (none) | Comma separated list of authentication (integrity) algorithms (md5, sha1)

Example 1, adapted from the IPsec site-to-site howto, using the section and option names from the tables above.

config 'ipsec'
  option 'zone' 'vpn'

# One remote endpoint: phase 1 settings plus the list of tunnels it carries.
# The acme_dmz tunnel section is not shown in this excerpt.
config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' '7.7.7.7'
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'acme_dmz'
  list   'tunnel' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

# Phase 2: which networks are carried and with which proposal.
config 'tunnel' 'acme_lan'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '10.1.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'
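The four section types above are linked only by name, so a typo in a list entry silently leaves a remote without a proposal or a tunnel. As an added example (not code from the OpenWrt page or from strongSwan), the following Python script parses a UCI-style /etc/config/ipsec, checks that every p1_proposal, tunnel and p2_proposal reference resolves and that the required options are present, and flags the weak choices noted above (md5, 3des, modp768/modp1024) as well as aggressive mode combined with psk. The embedded sample config is constructed: it is the site-to-site example plus a hypothetical second remote named 'legacy' with the settings a reviewer should catch. The parser only handles the config/option/list statements used on this page.

```python
"""Lint an OpenWrt /etc/config/ipsec against the section layout documented
above: references must resolve, required options must be present, and weak
phase 1/2 choices are reported. Added example, not OpenWrt or strongSwan code."""
import re
from collections import defaultdict

# Constructed sample: the page's site-to-site example plus a hypothetical
# second remote ('legacy') whose settings a reviewer should flag.
SAMPLE_CONFIG = """\
config 'ipsec'
  option 'zone' 'vpn'
config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' '7.7.7.7'
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'acme_lan'
config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'
config 'tunnel' 'acme_lan'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '10.1.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'
config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'
config 'remote' 'legacy'
  option 'enabled' '1'
  option 'gateway' 'vpn.example.net'
  option 'exchange_mode' 'aggressive'
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'secret'
  list   'p1_proposal' 'old_3des_md5'
  list   'tunnel' 'legacy_lan'
config 'p1_proposal' 'old_3des_md5'
  option 'encryption_algorithm' '3des'
  option 'hash_algorithm' 'md5'
  option 'dh_group' 'modp768'
"""

WEAK = {"md5", "3des", "modp768", "modp1024"}
REQUIRED = {"remote": ("enabled", "gateway", "authentication_method", "p1_proposal", "tunnel"),
            "tunnel": ("local_subnet", "remote_subnet", "p2_proposal")}
TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")  # quoted or bare words

def parse_uci(text):
    """Return {section_type: {name: {option: value | [values]}}}; anonymous
    sections are named @type[n] as the uci CLI does."""
    cfg, counts, cur = defaultdict(dict), defaultdict(int), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        w = ["".join(m.groups("")) for m in TOKEN.finditer(line)]
        if w[0] == "config":
            name = w[2] if len(w) > 2 else f"@{w[1]}[{counts[w[1]]}]"
            counts[w[1]] += 1
            cur = cfg[w[1]][name] = {}
        elif w[0] == "option" and cur is not None:
            cur[w[1]] = w[2] if len(w) > 2 else ""
        elif w[0] == "list" and cur is not None:
            cur.setdefault(w[1], []).append(w[2] if len(w) > 2 else "")
    return cfg

def _values(v):
    """Flatten an option or list value into its comma-separated members."""
    return [a.strip() for item in (v if isinstance(v, list) else [v]) for a in item.split(",")]

def lint(text):
    """Return sorted (severity, message) findings; 'error' sorts before 'warn'."""
    cfg, out = parse_uci(text), []
    for stype, required in REQUIRED.items():
        for name, sec in cfg.get(stype, {}).items():
            out += [("error", f"{stype} '{name}': required option '{o}' missing") for o in required if o not in sec]
    for name, rem in cfg.get("remote", {}).items():
        where = f"remote '{name}'"
        if rem.get("authentication_method") == "psk" and not rem.get("pre_shared_key"):
            out.append(("error", f"{where}: psk selected but pre_shared_key is empty"))
        if rem.get("exchange_mode", "main") == "aggressive" and rem.get("authentication_method") == "psk":
            out.append(("warn", f"{where}: aggressive mode with psk sends a PSK-derived hash in the clear; the PSK can be brute-forced offline"))
        for kind in ("p1_proposal", "tunnel"):  # both are lists of section names
            out += [("error", f"{where}: {kind} '{r}' is not defined") for r in _values(rem.get(kind, [])) if r not in cfg.get(kind, {})]
    for name, tun in cfg.get("tunnel", {}).items():
        if tun.get("p2_proposal") and tun["p2_proposal"] not in cfg.get("p2_proposal", {}):
            out.append(("error", f"tunnel '{name}': p2_proposal '{tun['p2_proposal']}' is not defined"))
    for stype in ("p1_proposal", "p2_proposal"):
        for name, prop in cfg.get(stype, {}).items():
            out += [("warn", f"{stype} '{name}': {opt}={alg} is weak; prefer aes and modp2048 or larger")
                    for opt, val in prop.items() for alg in _values(val) if alg in WEAK]
    return sorted(out)

if __name__ == "__main__":  # usage: python lint_ipsec.py /etc/config/ipsec
    import sys
    for sev, msg in lint(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG):
        print(f"{sev}: {msg}")
```

Run against the sample it reports one error (the 'legacy' remote lists a tunnel section that does not exist) and six warnings: the aggressive/psk combination, the 3des/md5/modp768 phase 1 proposal, and the modp1024 groups used in both proposals of the page's own example.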

Windows Native VPN Client Proposals

The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7)

Proposal | Encryption | Hash | DH group
#1 | aes256 | sha1 | 20 (384-bit ECP, ecp384 in strongSwan naming)
#2 | aes128 | sha1 | 19 (256-bit ECP, ecp256 in strongSwan naming)
#3 | aes256 | sha1 | modp2048
#4 | 3des | sha1 | modp2048
#5 | 3des | sha1 | modp1024

Of these, #3 is the strongest that can be expressed with the modp dh_group names shown on this page; define a p1_proposal with aes256, sha1 and modp2048 rather than letting the negotiation fall through to the 3des or modp1024 offers.
doc/uci/ipsec.txt · Last modified: 2013/05/05 11:32 by birnenschnitzel