doc:uci:ipsec [2013/01/20 19:01]
doc:uci:ipsec [2015/04/17 16:27] (current)
folke [p2_proposal] tunnel changed to remote
====== strongSwan IPsec Configuration ======
The strongSwan charon IPsec daemon is configured through /etc/config/ipsec.
===== Sections =====
==== ipsec ====
^Name^Type^Required^Default^Description^
|zone|string|no|vpn|Firewall zone. Has to match the defined [[doc:howto:vpn.ipsec.firewall#zones|firewall zone]]|
|listen|list|yes|(empty)|Interfaces that accept VPN traffic (empty for all interfaces, one list line per interface)|
|debug|string|no|0|Trace level. Logs are written to /var/log/charon.log|
==== remote ====
Contains a tunnel definition.
^Name^Type^Required^Default^Description^
|enabled|boolean|yes|(none)|Whether this configuration is enabled|
|gateway|ipaddr|yes|(none)|IP address or FQDN of the tunnel remote endpoint|
|exchange_mode|string|no|main|Phase 1 negotiation mode (main, aggressive)|
|local_identifier|string|no|(none)|Local identifier for phase 1|
|remote_identifier|string|no|(none)|Remote identifier for phase 1|
|authentication_method|string|yes|(none)|Phase 1 authentication. The only allowed value at the moment is psk|
|pre_shared_key|string|no|(none)|The pre-shared key for the tunnel if authentication_method is psk|
|p1_proposal|list|yes|(none)|Name of a phase 1 proposal section (see below)|
|tunnel|list|yes|(none)|Name of a phase 2 (tunnel) section (see below)|
==== p1_proposal ====
Definition of phase 1 proposals. Derived from the [[https://projects/strongswan/wiki/IKEv1CipherSuites|strongSwan cipher suites]].
^Name^Type^Required^Default^Description^
|encryption_algorithm|string|yes|(none)|Phase 1 encryption algorithm (aes128, aes192, aes256, 3des)|
|hash_algorithm|string|yes|(none)|Phase 1 hash algorithm (md5, sha1)|
|dh_group|string|yes|(none)|Diffie-Hellman group (modp768, modp1024, ...)|
==== tunnel ====
Contains the network definition per tunnel.
^Name^Type^Required^Default^Description^
|local_subnet|subnet|yes|(none)|Local network|
|remote_subnet|subnet|yes|(none)|Remote network|
|local_nat|subnet|no|(none)|NAT range for tunnels with [[doc:howto:vpn.ipsec.overlappingsubnets|overlapping IP addresses]]|
|p2_proposal|string|yes|(none)|Name of the phase 2 proposal section (see below)|
==== p2_proposal ====
Definition of phase 2 proposals. Derived from the [[https://projects/strongswan/wiki/IKEv1CipherSuites|strongSwan cipher suites]].
^Name^Type^Required^Default^Description^
|pfs_group|string|yes|(none)|Comma-separated list of Diffie-Hellman groups (you can omit this when the peer is a Cisco ASA)|
|encryption_algorithm|string|yes|(none)|Comma-separated list of encryption algorithms (aes128, aes192, aes256, 3des)|
|authentication_algorithm|string|yes|(none)|Comma-separated list of authentication algorithms (md5, sha1)|
Example 1, taken from the [[doc:howto:vpn.ipsec.site2site|IPsec site-to-site howto]]:
<code>
config 'ipsec'
  option 'zone' 'vpn'

config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' ''
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  # phase 2 sections: each entry names a config 'tunnel' section (only acme_lan is shown here)
  list   'tunnel' 'acme_dmz'
  list   'tunnel' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

config 'tunnel' 'acme_lan'
  option 'local_subnet' '26'
  option 'remote_subnet' '24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'
</code>
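The section tables above amount to a small schema: a remote names p1_proposal and tunnel sections, and a tunnel names a p2_proposal section. The following Python script is an added example, not code from this wiki page or from the OpenWrt strongswan package: it parses a UCI ipsec file with these sections and reports missing required options, references to sections that are not defined, and legacy choices worth a second look (md5, 3des, modp768/modp1024, aggressive mode). The sample configuration is constructed with placeholder gateway and subnet values, and the list of legacy choices is this example's own, not the page's.

```python
import shlex
# Constructed sample in the page's format (placeholder gateway/subnet, not the howto's values)
SAMPLE = """\
config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' '203.0.113.1'
  option 'authentication_method' 'psk'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'acme_lan'
config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'
config 'tunnel' 'acme_lan'
  option 'local_subnet' '192.0.2.0/26'
  option 'p2_proposal' 'g2_aes_sha1'
"""
def parse_uci(text):
    # Returns [(type, name, {key: [values]})], one tuple per 'config' section
    sections = []
    for line in text.splitlines():
        words = shlex.split(line)  # UCI quoting is shell-like
        if words and words[0] == 'config':
            sections.append((words[1], words[2] if len(words) > 2 else '', {}))
        elif words and words[0] in ('option', 'list'):
            sections[-1][2].setdefault(words[1], []).append(words[2])
    return sections

# Required options per section type (from the tables above); an option named like a section type must point at one
REQUIRED = {'remote': ('enabled', 'gateway', 'authentication_method', 'p1_proposal', 'tunnel'),
            'p1_proposal': ('encryption_algorithm', 'hash_algorithm', 'dh_group'),
            'tunnel': ('local_subnet', 'remote_subnet', 'p2_proposal'),
            'p2_proposal': ('pfs_group', 'encryption_algorithm', 'authentication_algorithm')}
WEAK = {'md5', '3des', 'modp768', 'modp1024', 'aggressive'}  # legacy choices worth flagging

def check_ipsec(text):
    # Lists missing required options, dangling section references and weak values
    secs = parse_uci(text)
    defined = {(t, n) for t, n, _ in secs}
    problems = []
    for t, n, opts in secs:
        problems += [f"{t} '{n}': missing required option '{key}'"
                     for key in REQUIRED.get(t, ()) if key not in opts]
        for key, vals in opts.items():
            for val in vals:
                if key in REQUIRED and (key, val) not in defined:
                    problems.append(f"{t} '{n}': {key} '{val}' names no {key} section")
                problems += [f"{t} '{n}': weak value '{a}' in {key}"
                             for a in map(str.strip, val.split(',')) if a in WEAK]
    return problems
```

Running check_ipsec on the sample reports the modp1024 group, the missing remote_subnet and the undefined g2_aes_sha1 proposal; the same checks can be run on a real /etc/config/ipsec copied off the router.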
===== Windows Native VPN Client Proposals =====
The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7).
^Proposal^Encryption^Hash^DH Group^