doc:uci:ipsec [2013/01/20 19:01]
doc:uci:ipsec [2015/04/17 16:27] (current)
folke [p2_proposal] tunnel changed to remote
====== Strongswan IPsec Configuration ======
The strongSwan charon IPsec daemon is configured through /etc/config/ipsec.
===== Sections =====
==== ipsec ====
^Name^Type^Required^Default^Description^
|zone|string|no|vpn|Firewall zone. Has to match the defined [[doc:howto:vpn.ipsec.firewall#zones|firewall zone]]|
|listen|list|yes|''|Interfaces that accept VPN traffic (empty for all interfaces; one line per interface for several interfaces)|
|debug|string|no|0|Trace level. Logs are written to /var/log/charon.log|
==== remote ====
Contains the tunnel definition.
^Name^Type^Required^Default^Description^
|enabled|boolean|yes|(none)|Whether the configuration is enabled or not|
|gateway|ipaddr|yes|(none)|IP address or FQDN of the tunnel remote endpoint|
|exchange_mode|string|no|main|Phase 1 negotiation mode (main, aggressive)|
|local_identifier|string|no|(none)|Local identifier for phase 1|
|remote_identifier|string|no|(none)|Remote identifier for phase 1|
|authentication_method|string|yes|(none)|Phase 1 authentication. The only allowed value at the moment is psk|
|pre_shared_key|string|no|(none)|The pre-shared key for the tunnel if authentication is psk|
|p1_proposal|list|yes|(none)|Name of phase 1 proposal (see below)|
|tunnel|list|yes|(none)|Name of phase 2 section (see below)|
==== p1_proposal ====
Definition of phase 1 proposals. Derived from [[https://projects/strongswan/wiki/IKEv1CipherSuites|strongSwan cipher suites]]
^Name^Type^Required^Default^Description^
|encryption_algorithm|string|yes|(none)|Phase 1 encryption method (aes128, aes192, aes256, 3des)|
|hash_algorithm|string|yes|(none)|Phase 1 hash algorithm (md5, sha1)|
|dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, modp1024, ...)|
==== tunnel ====
Contains the network definition per tunnel.
^Name^Type^Required^Default^Description^
|local_subnet|subnet|yes|(none)|Local network|
|remote_subnet|subnet|yes|(none)|Remote network|
|local_nat|subnet|no|(none)|NAT range for tunnels with [[doc:howto:vpn.ipsec.overlappingsubnets|overlapping IP addresses]]|
|p2_proposal|string|yes|(none)|Link to phase 2 proposal|
==== p2_proposal ====
Definition of phase 2 proposals. Derived from [[https://projects/strongswan/wiki/IKEv1CipherSuites|strongSwan cipher suites]]
^Name^Type^Required^Default^Description^
|pfs_group|string|yes|(none)|Comma separated list of Diffie-Hellman exponentiations (you can omit this when the peer is a Cisco ASA)|
|encryption_algorithm|string|yes|(none)|Comma separated list of encryption algorithms (aes128, aes192, aes256, 3des)|
|authentication_algorithm|string|yes|(none)|Comma separated list of authentication algorithms (md5, sha1)|
Example 1 taken from the [[doc:howto:vpn.ipsec.site2site|IPSec site to site howto]].
<code>
# Global settings: the firewall zone the tunnel traffic belongs to
config 'ipsec'
  option 'zone' 'vpn'

# One remote section per peer; gateway and pre_shared_key are placeholders
config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' ''
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  # the list option is named 'tunnel' in the remote section table above;
  # the 'acme_dmz' tunnel section is not shown in this excerpt
  list   'tunnel' 'acme_dmz'
  list   'tunnel' 'acme_lan'

# Phase 1 (IKE) proposal referenced by the remote section
config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

# Networks carried by the tunnel and the phase 2 proposal to use
config 'tunnel' 'acme_lan'
  option 'local_subnet' '26'
  option 'remote_subnet' '24'
  option 'p2_proposal' 'g2_aes_sha1'

# Phase 2 (ESP) proposal; the value must be 'aes128', not 'aes 128'
config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'
</code>
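The following linter is an added example, not code from OpenWrt or strongSwan. It serves both the option tables in the Sections part and the example above: a minimal UCI reader turns /etc/config/ipsec into sections, then the required options, the section references (remote to p1_proposal and tunnel, tunnel to p2_proposal), the documented value sets and a set of algorithms worth flagging are checked. The embedded sample config, its documentation addresses, the ''parse_uci''/''lint_ipsec_config'' names and the ''WEAK'' set (md5, 3des, modp768, modp1024, plus aggressive mode with a PSK) are the example's own assumptions; the page itself only lists the allowed values.

```python
"""Lint an OpenWrt /etc/config/ipsec file against the option tables on this
page. Added example, not OpenWrt or strongSwan code."""
import shlex

# Constructed sample modelled on the page's example. The address and subnets
# are documentation ranges, the 'acme_dmz' tunnel is deliberately undefined
# and the p2 encryption value carries the 'aes 128' typo from the page.
SAMPLE_CONFIG = """
config 'ipsec'
  option 'zone' 'vpn'
config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' '203.0.113.1'
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'acme_dmz'
  list   'tunnel' 'acme_lan'
config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'
config 'tunnel' 'acme_lan'
  option 'local_subnet' '192.0.2.0/26'
  option 'remote_subnet' '198.51.100.0/24'
  option 'p2_proposal' 'g2_aes_sha1'
config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'sha1'
"""

# Required options per section type, from the tables on the page (pfs_group
# is handled separately because the page allows omitting it for a Cisco ASA).
REQUIRED = {
    "remote": ("enabled", "gateway", "authentication_method", "p1_proposal", "tunnel"),
    "p1_proposal": ("encryption_algorithm", "hash_algorithm", "dh_group"),
    "tunnel": ("local_subnet", "remote_subnet", "p2_proposal"),
    "p2_proposal": ("encryption_algorithm", "authentication_algorithm"),
}
ALLOWED = {  # value sets the page lists for each option
    "encryption_algorithm": {"aes128", "aes192", "aes256", "3des"},
    "hash_algorithm": {"md5", "sha1"},
    "authentication_algorithm": {"md5", "sha1"},
}
# (section type, option) -> section type the option must name
REFERENCES = {("remote", "p1_proposal"): "p1_proposal",
              ("remote", "tunnel"): "tunnel",
              ("tunnel", "p2_proposal"): "p2_proposal"}
# Assumption of this example, not a page statement: algorithms to flag as weak.
WEAK = {"md5", "3des", "modp768", "modp1024"}


def parse_uci(text):
    """Minimal UCI reader for 'config TYPE [NAME]', 'option K V', 'list K V'.
    shlex handles the quoting and '#' comment lines; 'package' is not supported."""
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword == "config" and args:
            name = args[1] if len(args) > 1 else None
            sections.append({"type": args[0], "name": name, "options": {}})
        elif keyword in ("option", "list") and args and sections:
            key, value = args[0], args[1] if len(args) > 1 else ""
            opts = sections[-1]["options"]
            if keyword == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return sections


def _values(value):
    """Flatten a UCI list or a comma separated string into stripped values."""
    items = value if isinstance(value, list) else [value]
    return [v.strip() for item in items for v in item.split(",") if v.strip()]


def lint_ipsec_config(text):
    """Return ERROR/WARN strings: missing required options, dangling section
    references, values outside the documented sets and weak algorithms."""
    sections = parse_uci(text)
    defined = {}
    for s in sections:
        defined.setdefault(s["type"], set()).add(s["name"])
    findings = []
    for s in sections:
        stype, opts = s["type"], s["options"]
        label = f"{stype} '{s['name']}'" if s["name"] else stype
        for key in REQUIRED.get(stype, ()):
            if key not in opts:
                findings.append(f"ERROR {label}: required option '{key}' missing")
        for (ref_type, key), target in REFERENCES.items():
            if stype == ref_type:
                for name in _values(opts.get(key, "")):
                    if name not in defined.get(target, set()):
                        findings.append(f"ERROR {label}: '{key}' refers to undefined {target} '{name}'")
        if stype == "remote":
            if opts.get("authentication_method") == "psk" and not opts.get("pre_shared_key"):
                findings.append(f"ERROR {label}: psk authentication without a pre_shared_key")
            if opts.get("exchange_mode", "main") == "aggressive":
                findings.append(f"WARN {label}: aggressive mode with psk exposes the PSK hash to offline guessing")
        if stype == "p2_proposal" and "pfs_group" not in opts:
            findings.append(f"WARN {label}: no pfs_group (the page only accepts this for a Cisco ASA peer)")
        for key, value in opts.items():
            for v in _values(value):
                if key in ALLOWED and v not in ALLOWED[key]:
                    findings.append(f"ERROR {label}: '{v}' is not a documented {key} value")
                if v in WEAK:
                    findings.append(f"WARN {label}: weak algorithm '{v}' in {key}")
    return findings


if __name__ == "__main__":
    for line in lint_ipsec_config(SAMPLE_CONFIG) or ["OK: no findings"]:
        print(line)
```

Run against the sample, the linter reports the undefined ''acme_dmz'' tunnel, the ''aes 128'' value that is not in the documented set, and ''modp1024'' in both ''dh_group'' and ''pfs_group''; on a router the same script can be pointed at a copy of /etc/config/ipsec before the configuration is committed.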
===== Windows Native VPN Client Proposals =====
The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7).
^Proposal^Encryption^Hash^DH Group^