Strongswan IPsec Configuration
The Linux charon IPsec daemon (strongSwan) can be configured through /etc/config/ipsec. This document is in an early alpha state.
Sections
ipsec
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| zone | string | no | vpn | Firewall zone. Has to match the defined firewall zone |
| listen | list | yes | '' | Interfaces that accept VPN traffic (empty for all interfaces, one line per interface for several interfaces) |
remote
Contains tunnel definition.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| enabled | boolean | yes | (none) | Configuration is enabled or not |
| gateway | ipaddr | yes | (none) | IP address or FQDN name of the tunnel remote endpoint. |
| exchange_mode | string | no | main | Phase 1 negotiation (main, aggressive) |
| local_identifier | string | no | (none) | local identifier for phase 1 |
| remote_identifier | string | no | (none) | remote identifier for phase 1 |
| authentication_method | string | yes | (none) | Phase 1 authentication. The only allowed value at the moment is psk |
| pre_shared_key | string | no | (none) | The pre-shared key for the tunnel when authentication_method is psk |
| p1_proposal | list | yes | (none) | Name of phase 1 proposal (see below) |
| tunnel | list | yes | (none) | Name of phase 2 section (see below) |
p1_proposal
Definition of phase 1 proposals
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| encryption_algorithm | string | yes | (none) | Phase 1 encryption method (aes128, aes192, aes256, 3des) |
| hash_algorithm | string | yes | (none) | Phase 1 hash algorithm (md5, sha1) |
| dh_group | string | yes | (none) | Diffie-Hellman exponentiation (modp768, modp1024, …) |
tunnel
Contains the network definition per tunnel.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| local_subnet | subnet | yes | (none) | Local network |
| remote_subnet | subnet | yes | (none) | Remote network |
| local_nat | subnet | no | (none) | NAT range for tunnels with overlapping IP addresses |
| p2_proposal | string | yes | (none) | Name of the phase 2 proposal (see below) |
p2_proposal
Definition of phase 2 proposal
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| pfs_group | string | yes | (none) | Comma separated list of Diffie-Hellman exponentiations (can be omitted when the peer is a Cisco ASA) |
| encryption_algorithm | string | yes | (none) | Comma separated list of encryption algorithms (aes128, aes192, aes256, 3des) |
| authentication_algorithm | string | yes | (none) | Comma separated list of authentication algorithms (md5, sha1) |
Example 1, taken from the IPsec site-to-site howto, using the section names defined above (the phase 1 section is `remote`, and it lists its phase 2 `tunnel` sections):

```
config 'ipsec'
	option 'zone' 'vpn'

config 'remote' 'acme'
	option 'enabled' '1'
	option 'gateway' '7.7.7.7'
	option 'authentication_method' 'psk'
	option 'pre_shared_key' 'yourpasswordhere'
	list 'p1_proposal' 'pre_g2_aes_sha1'
	list 'tunnel' 'acme_lan'
	# further tunnel sections (e.g. a DMZ network) are added as more 'list tunnel' lines

config 'p1_proposal' 'pre_g2_aes_sha1'
	option 'encryption_algorithm' 'aes128'
	option 'hash_algorithm' 'sha1'
	option 'dh_group' 'modp1024'

config 'tunnel' 'acme_lan'
	option 'local_subnet' '192.168.2.64/26'
	option 'remote_subnet' '10.1.2.0/24'
	option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
	option 'pfs_group' 'modp1024'
	option 'encryption_algorithm' 'aes128'
	option 'authentication_algorithm' 'sha1'
```
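Because the init script silently ignores options it does not know and a `list tunnel` entry that names an undefined section simply produces no child SA, a configuration mistake in this file tends to show up only as a tunnel that never comes up. The following checker is an added example (not code from the OpenWrt wiki or from strongSwan): it parses a UCI-style `/etc/config/ipsec` and validates it against the tables on this page, including the allowed values and the references between `remote`, `tunnel`, `p1_proposal` and `p2_proposal` sections. The two embedded configurations are constructed samples; the faulty one contains the typical slips (an undefined tunnel name, a misspelt option key, `aes 128` with a space) that the checker is meant to catch.

```python
"""Check an OpenWrt /etc/config/ipsec file against the section schema on this
page.  Added example, not OpenWrt or strongSwan code: a small UCI text parser
plus a validator for required options, allowed values and dangling references."""
import shlex

# Section type -> {option: required?}, taken from the tables above.  Options with
# a documented default (zone, listen, exchange_mode) are treated as optional.
SCHEMA = {
    "ipsec": {"zone": False, "listen": False},
    "remote": {"enabled": True, "gateway": True, "exchange_mode": False,
               "local_identifier": False, "remote_identifier": False,
               "authentication_method": True, "pre_shared_key": False,
               "p1_proposal": True, "tunnel": True},
    "p1_proposal": {"encryption_algorithm": True, "hash_algorithm": True, "dh_group": True},
    "tunnel": {"local_subnet": True, "remote_subnet": True, "local_nat": False, "p2_proposal": True},
    "p2_proposal": {"pfs_group": True, "encryption_algorithm": True, "authentication_algorithm": True},
}
# Values the tables allow; comma separated lists (p2_proposal) are split first.
ALLOWED = {
    "enabled": {"0", "1", "on", "off", "true", "false", "yes", "no"},
    "exchange_mode": {"main", "aggressive"},
    "authentication_method": {"psk"},
    "encryption_algorithm": {"aes128", "aes192", "aes256", "3des"},
    "hash_algorithm": {"md5", "sha1"},
    "authentication_algorithm": {"md5", "sha1"},
}
# (section type, option) -> section type that the option's values must name.
REFERENCES = {("remote", "p1_proposal"): "p1_proposal", ("remote", "tunnel"): "tunnel",
              ("tunnel", "p2_proposal"): "p2_proposal"}


def parse_uci(text):
    """Parse UCI text into {(section_type, name): {option: [values]}}."""
    sections, current, anon = {}, None, 0
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # honours quotes and '#' comments
        if not words:
            continue
        if words[0] == "config" and len(words) in (2, 3):
            anon += 1  # anonymous sections get a unique placeholder name
            current = (words[1], words[2] if len(words) == 3 else "@%s[%d]" % (words[1], anon))
            sections[current] = {}
        elif words[0] in ("option", "list") and current and len(words) == 3:
            sections[current].setdefault(words[1], []).append(words[2])
        else:
            raise ValueError("cannot parse line: %r" % raw)
    return sections


def validate(sections):
    """Return a list of problem strings; an empty list means the file passes."""
    problems = []
    for (stype, name), opts in sections.items():
        where = "%s '%s'" % (stype, name)
        schema = SCHEMA.get(stype)
        if schema is None:
            problems.append("%s: unknown section type" % where)
            continue
        for opt in opts:  # catches misspelt keys, which the init script would ignore
            if opt not in schema:
                problems.append("%s: unknown option %s" % (where, opt))
        for opt, required in schema.items():
            if opt not in opts:
                if required:
                    problems.append("%s: missing required option %s" % (where, opt))
                continue
            items = [i.strip() for v in opts[opt] for i in v.split(",")]
            for item in items:
                if opt in ALLOWED and item not in ALLOWED[opt]:
                    problems.append("%s: %s has unsupported value '%s'" % (where, opt, item))
                target = REFERENCES.get((stype, opt))
                if target and (target, item) not in sections:
                    problems.append("%s: %s refers to undefined %s '%s'" % (where, opt, target, item))
    return problems


def check(text):
    return validate(parse_uci(text))


# Constructed sample: Example 1 above in the section layout the tables describe.
GOOD_CONFIG = """
config 'ipsec'
    option 'zone' 'vpn'
config 'remote' 'acme'
    option 'enabled' '1'
    option 'gateway' '7.7.7.7'
    option 'authentication_method' 'psk'
    option 'pre_shared_key' 'yourpasswordhere'
    list 'p1_proposal' 'pre_g2_aes_sha1'
    list 'tunnel' 'acme_lan'
config 'p1_proposal' 'pre_g2_aes_sha1'
    option 'encryption_algorithm' 'aes128'
    option 'hash_algorithm' 'sha1'
    option 'dh_group' 'modp1024'
config 'tunnel' 'acme_lan'
    option 'local_subnet' '192.168.2.64/26'
    option 'remote_subnet' '10.1.2.0/24'
    option 'p2_proposal' 'g2_aes_sha1'
config 'p2_proposal' 'g2_aes_sha1'
    option 'pfs_group' 'modp1024'
    option 'encryption_algorithm' 'aes128'
    option 'authentication_algorithm' 'sha1'
"""
# Constructed faulty variant: a tunnel that is listed but never defined, a
# misspelt option key, and 'aes 128' with a space.
BAD_CONFIG = (GOOD_CONFIG
              .replace("list 'tunnel' 'acme_lan'", "list 'tunnel' 'acme_lan'\n    list 'tunnel' 'acme_dmz'")
              .replace("option 'hash_algorithm'", "option 'hash_alogrithm'")
              .replace("option 'pfs_group' 'modp1024'\n    option 'encryption_algorithm' 'aes128'",
                       "option 'pfs_group' 'modp1024'\n    option 'encryption_algorithm' 'aes 128'"))

if __name__ == "__main__":
    for cfg in (GOOD_CONFIG, BAD_CONFIG):
        print("\n".join(check(cfg)) or "ok")
```

Run it as is to see the four findings for the faulty sample, or call `check(open("/etc/config/ipsec").read())` on a router. The checker knows only what the tables on this page document, so a value such as an ECP DH group that the daemon accepts but the page does not list would have to be added to `ALLOWED` first.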
Windows Native VPN Client Proposals
The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7). Groups 19 and 20 are the IKE elliptic-curve groups (strongSwan names them ecp256 and ecp384); the client only falls back to the modp groups in proposals #3 to #5 when those are not offered.
| Proposal | Encryption | Hash | DH Group |
|---|---|---|---|
| #1 | aes256 | sha1 | 20 (ecp384) |
| #2 | aes128 | sha1 | 19 (ecp256) |
| #3 | aes256 | sha1 | modp2048 |
| #4 | 3des | sha1 | modp2048 |
| #5 | 3des | sha1 | modp1024 |
doc/uci/ipsec.txt · Last modified: 2013/05/05 11:32 by birnenschnitzel
This text is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
