Benutzer:Leo/IPSec Test-Konfigurationsanleitung: Unterschied zwischen den Versionen
Leo (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „<pre> Tasks a) L2TP Server auf gai aufsetzen: (siehe /etc/xl2tpd/* und /etc/ppp/options.l2tpd) b)* Linux Client aufsetzen: (siehe /etc/xl2tpd/* und /etc/ppp/o…“) |
Leo (Diskussion | Beiträge) (Dateien hinzugefügt für IPSec) |
Zeile 1: | Zeile 1: | ||
+ | Hier wird beschrieben, wie man testweise | ||
+ | * L2TP installieren/konfigurieren | ||
+ | * IPSec installieren/konfigurieren | ||
+ | kann. | ||
+ | |||
+ | ==Anleitung== | ||
<pre> | <pre> | ||
Tasks | Tasks | ||
Zeile 271: | Zeile 277: | ||
------------------------------ | ------------------------------ | ||
+ | </pre> | ||
+ | |||
+ | ==Dateien L2TP/PPP== | ||
+ | |||
+ | ===Client=== | ||
+ | |||
+ | Client: /etc/xl2tpd/xl2tpd.conf | ||
+ | <pre> | ||
+ | [lac gai] | ||
+ | lns = gai.on-i.de | ||
+ | redial = yes | ||
+ | redial timeout = 15 | ||
+ | require authentication = yes | ||
+ | refuse pap = yes | ||
+ | require chap = yes ; * Require CHAP auth. by peer | ||
+ | name = lini ; * Report this as our hostname | ||
+ | ppp debug = no ; * Turn on PPP debugging | ||
+ | pppoptfile = /etc/ppp/options.l2tpd | ||
+ | </pre> | ||
+ | |||
+ | Client: /etc/xl2tpd/l2tp-secrets | ||
+ | <pre> | ||
+ | # Secrets for authenticating l2tp tunnels | ||
+ | # us them secret | ||
+ | # * marko blah2 | ||
+ | # zeus marko blah | ||
+ | # * * interop | ||
+ | lini gai ............ | ||
+ | </pre> | ||
+ | |||
+ | Client: /etc/ppp/options.l2tpd | ||
+ | <pre> | ||
+ | refuse-eap | ||
+ | noccp | ||
+ | noauth | ||
+ | nodefaultroute | ||
+ | crtscts | ||
+ | idle 1800 | ||
+ | mtu 1410 | ||
+ | mru 1410 | ||
+ | lock | ||
+ | connect-delay 5000 | ||
+ | +ipv6 | ||
+ | ipv6cp-accept-local | ||
+ | debug | ||
+ | </pre> | ||
+ | |||
+ | ===Server=== | ||
+ | Server: /etc/xl2tpd/xl2tpd.conf | ||
+ | <pre> | ||
+ | [global] | ||
+ | port = 1701 | ||
+ | auth file = /etc/l2tpd/l2tp-secrets | ||
+ | rand source = dev ; Source for entropy for random | ||
+ | ; ; numbers, options are: | ||
+ | ; ; dev - reads of /dev/urandom | ||
+ | ; ; sys - uses rand() | ||
+ | ; ; egd - reads from egd socket | ||
+ | ; ; egd is not yet implemented | ||
+ | |||
+ | [lns default] | ||
+ | assign ip = no ; * Only permit one tunnel per host | ||
+ | require chap = yes | ||
+ | refuse pap = yes | ||
+ | require authentication = yes | ||
+ | unix authentication = no | ||
+ | name = gai | ||
+ | ppp debug = no | ||
+ | pppoptfile = /etc/ppp/options.l2tpd | ||
+ | </pre> | ||
+ | |||
+ | Server: /etc/xl2tpd/l2tp-secrets | ||
+ | <pre> | ||
+ | # Secrets for authenticating l2tp tunnels | ||
+ | # us them secret | ||
+ | # * marko blah2 | ||
+ | # zeus marko blah | ||
+ | # * * interop | ||
+ | gai lini ......insert-pwd-here... | ||
+ | </pre> | ||
+ | |||
+ | Server: /etc/ppp/options.l2tpd | ||
+ | <pre> | ||
+ | refuse-eap | ||
+ | noccp | ||
+ | noauth | ||
+ | nodefaultroute | ||
+ | crtscts | ||
+ | idle 1800 | ||
+ | mtu 1410 | ||
+ | mru 1410 | ||
+ | lock | ||
+ | connect-delay 5000 | ||
+ | +ipv6 | ||
+ | ipv6 ::1,::2 | ||
+ | ipv6cp-accept-local | ||
+ | </pre> | ||
+ | |||
+ | ==Dateien IPSec== | ||
+ | |||
+ | === Server=== | ||
+ | |||
+ | cat /etc/ipsec.conf | ||
+ | <pre> | ||
+ | # ipsec.conf - strongSwan IPsec configuration file | ||
+ | |||
+ | ca strongswan | ||
+ | cacert=strongswanCert.pem | ||
+ | certuribase=http://ip6-winnetou.strongswan.org/certs/ | ||
+ | crluri=http://ip6-winnetou.strongswan.org/strongswan.crl | ||
+ | auto=add | ||
+ | |||
+ | config setup | ||
+ | # By default only one client can connect at the same time with an identical | ||
+ | # certificate and/or password combination. Enable this option to disable | ||
+ | # this behavior. | ||
+ | # uniqueids=never | ||
+ | # | ||
+ | # Slightly more verbose logging. Very useful for debugging. | ||
+ | #charondebug="cfg 2, dmn 2, ike 2, net 2" | ||
+ | charondebug="cfg 4, dmn 4, ike 4, net 4" | ||
+ | |||
+ | # Default configuration options, used below if an option is not specified. | ||
+ | # See: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection | ||
+ | conn %default | ||
+ | # Use IKEv2 by default | ||
+ | keyexchange=ikev2 | ||
+ | # Prefer modern cipher suites that allow PFS (Perfect Forward Secrecy) | ||
+ | ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024! | ||
+ | esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1! | ||
+ | # | ||
+ | # Dead Peer Discovery | ||
+ | dpdaction=clear | ||
+ | dpddelay=300s | ||
+ | # | ||
+ | # Do not renegotiate a connection if it is about to expire | ||
+ | rekey=no | ||
+ | # | ||
+ | # Server side | ||
+ | left=2001:67c:1400:2430::1 | ||
+ | leftid=@gai.on-i.de | ||
+ | leftcert=vpnHostCert.pem | ||
+ | # | ||
+ | # Client side | ||
+ | right=%any | ||
+ | type=transport | ||
+ | |||
+ | # IKEv2: Newer version of the IKE protocol | ||
+ | conn IPSec-IKEv2 | ||
+ | keyexchange=ikev2 | ||
+ | auto=add | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | |||
+ | Server: /etc/ipsec.secrets | ||
+ | <pre> | ||
+ | # This file holds shared secrets or RSA private keys for authentication. | ||
+ | |||
+ | # RSA private key for this host, authenticating it to any other host | ||
+ | # which knows the public part. | ||
+ | |||
+ | # this file is managed with debconf and will contain the automatically created private key | ||
+ | include /var/lib/strongswan/ipsec.secrets.inc | ||
+ | |||
+ | : RSA vpnHostKey.pem | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | ===Client Linux-Ubuntu=== | ||
+ | Client: leo@lini:/etc/xl2tpd$ cat /etc/ipsec.conf | ||
+ | <pre> | ||
+ | # ipsec.conf - strongSwan IPsec configuration file | ||
+ | config setup | ||
+ | # By default only one client can connect at the same time with an identical | ||
+ | # certificate and/or password combination. Enable this option to disable | ||
+ | # this behavior. | ||
+ | # uniqueids=never | ||
+ | # | ||
+ | # Slightly more verbose logging. Very useful for debugging. | ||
+ | charondebug="cfg 2, dmn 2, ike 2, net 2" | ||
+ | |||
+ | # Default configuration options, used below if an option is not specified. | ||
+ | # See: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection | ||
+ | conn %default | ||
+ | # | ||
+ | # Use IKEv2 by default | ||
+ | keyexchange=ikev2 | ||
+ | # | ||
+ | # Prefer modern cipher suites that allow PFS (Perfect Forward Secrecy) | ||
+ | #for OpenWRT there has to be found supported crypto algos (see long description above) | ||
+ | ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024! | ||
+ | esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1! | ||
+ | # | ||
+ | # Dead Peer Discovery | ||
+ | dpdaction=clear | ||
+ | dpddelay=300s | ||
+ | # | ||
+ | # Do not renegotiate a connection if it is about to expire | ||
+ | rekey=no | ||
+ | # | ||
+ | # Server side | ||
+ | #left=%any | ||
+ | left=2001:67c:1400:2430::1 | ||
+ | leftid=@gai.on-i.de | ||
+ | # | ||
+ | #setting not needed on client side | ||
+ | #leftcert=vpnHostCert.pem | ||
+ | # | ||
+ | # Client side | ||
+ | #right=%any | ||
+ | # | ||
+ | #IPv6 of tunnel interface gai | ||
+ | #right=2a02:8108:1a80:d3c:863a:4bff:fe44:ba50 | ||
+ | # | ||
+ | #IPv6 of client | ||
+ | right=2a02:8108:1a80:d3c:863a:4bff:fe44:ba50 | ||
+ | # | ||
+ | rightcert=ClientCert.pem | ||
+ | type=transport | ||
+ | |||
+ | # IKEv2: Newer version of the IKE protocol | ||
+ | conn IPSec-IKEv2 | ||
+ | keyexchange=ikev2 | ||
+ | auto=route | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | client: cat /etc/ipsec.secrets | ||
+ | <pre> | ||
+ | # This file holds shared secrets or RSA private keys for authentication. | ||
+ | |||
+ | # RSA private key for this host, authenticating it to any other host | ||
+ | # which knows the public part. Suitable public keys, for ipsec.conf, DNS, | ||
+ | # or configuration of other implementations, can be extracted conveniently | ||
+ | # with "ipsec showhostkey". | ||
+ | : RSA ClientKey.pem | ||
</pre> | </pre> |
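Review bot: `charondebug="cfg 4, dmn 4, ike 4, net 4"` in the server ipsec.conf runs charon at log level 4, which in strongSwan also dumps sensitive material such as keys into the log; outside a short debugging session the client's value `charondebug="cfg 2, dmn 2, ike 2, net 2"` is the setting to document. Both ike= and esp= proposal lists end in `!` (strict) yet still list sha1 and modp1024 entries, so a peer can settle on SHA-1 and a 1024-bit DH group; dropping the modp1024 entries would tighten the baseline without touching the aes128-sha1-modp1536 combination the OpenWRT notes ended up with. The server xl2tpd.conf sets `auth file = /etc/l2tpd/l2tp-secrets` while the secrets listing that follows is headed /etc/xl2tpd/l2tp-secrets, so one of the two paths is presumably wrong or relies on a symlink — worth a sentence on the page. The `ca strongswan` section's certuribase/crluri point at the strongswan.org demo PKI, which will not serve a CRL for the CA generated in task d.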
Aktuelle Version vom 5. Juni 2016, 21:40 Uhr
Hier wird beschrieben, wie man testweise
- L2TP installieren/konfigurieren
- IPSec installieren/konfigurieren
kann.
Anleitung
Tasks
a) L2TP Server auf gai aufsetzen: (siehe /etc/xl2tpd/* und /etc/ppp/options.l2tpd)
b)* Linux Client aufsetzen: (siehe /etc/xl2tpd/* und /etc/ppp/options.l2tpd)
-- start Client mit:
xl2tpd -D
echo "c gai" > /var/run/xl2tpd/l2tp-control
-- nun ist ppp0 Interface vorhanden mit fe80::1/10 auf gai und fe80:......./10 auf client
-- Test vom client: ping6 -I ppp0 fe80::1
c) IPv6 globale IPs konfigurieren
gai: ip -6 addr add 2001:67c:1400:2431::245/64 dev ppp0
client: ip -6 addr add 2001:67c:1400:2431::99/64 dev ppp0
d)* Um IPSec erweitern: (siehe Beispiel https://wiki.archlinux.org/index.php/StrongSwan)
-- certs generieren, siehe Tutorial
-- starten von ipsec im Vordergrund: ipsec start --nofork
e)* OpenWRT hinzunehmen: https://wiki.openwrt.org/doc/howto/vpn.ipsec.basics
-- strongswan compiliert auf minato ~/trunk/tmp/. Von hier erstmal neue Firmware installieren und strongswan per opkg installieren
scp -r minato:/home/leo/trunk/tmp/on_firmware/openwrt/bin/ar71xx/packages .
folgende opkg Zeile einfügen:
src/gz oni_chaos_calmer_base http://172.16.0.207/packages/base
src/gz oni_chaos_calmer_packages http://172.16.0.207/packages/packages
src/gz oni_chaos_calmer_routing http://172.16.0.207/packages/routing
src/gz oni_chaos_calmer_luci http://172.16.0.207/packages/luci
-- strongswan-default installieren (viele Pakete, aber dies scheint nötig - charon, hashs, crypto algos,...), siehe auch f)
-- erster Konfigurationsversuch (siehe e) ) gescheitert, weil OpenWRT Luci config nur PSK unterstützt laut https://wiki.openwrt.org/doc/uci/ipsec ; TODO überprüfen im Detail
-- Test ob x509 eincompiliert ist. Auf Automatismen verzichten und alles per Hand machen. ipsec.conf per Hand erstellen (siehe Vorlage auf Linux PC).
Firewall temporär aktivieren/deaktivieren
-- ipsec test
scp /etc/ipsec.d/certs/ClientCert.pem defgw:/etc/ipsec.d/certs/ClientCert.pem
scp /etc/ipsec.d/cacerts/strongswanCert.pem defgw:/etc/ipsec.d/cacerts/strongswanCert.pem
sudo scp /etc/ipsec.secrets defgw:/etc/ipsec.secrets (hier root Rechte nötig)
scp /tmp/ClientKey.pem defgw:/etc/ipsec.d/private/ClientKey.pem
chmod 600 /etc/ipsec.d/private/ClientKey.pem
09[IKE] configured DH group ECP_256 not supported
ipsec.conf crypto algos geändert auf
ike=aes128-sha256-modp2048
esp=aes128-sha256-modp2048
ip6tables -A input_rule -p esp -j ACCEPT
ip6tables -A input_rule -p udp --dport 500 -j ACCEPT
ip6tables -A input_rule -p udp --dport 4500 -j ACCEPT
02[KNL] received netlink error: Function not implemented (89)
02[KNL] unable to add SAD entry with SPI ca1c6bd4
-- https://wiki.strongswan.org/issues/718
crypto algos in ipsec.conf geändert auf (modp2048 wird anscheinend vom Kernel nicht unterstützt):
ike=aes128-sha1-modp1536
esp=aes128-sha1-modp1536
jetzt wird der Tunnel auch erfolgreich aufgebaut!!!! YEAH!!!
-- xl2tp test
Configuring kmod-udptunnel4.
Configuring kmod-udptunnel6.
Configuring kmod-l2tp.
Configuring kmod-lib-crc-ccitt.
Configuring kmod-slhc.
Configuring kmod-ppp.
Configuring kmod-pppox.
Configuring resolveip.
Configuring kmod-pppol2tp.
Configuring ppp-mod-pppol2tp.
Configuring xl2tpd.
-- alte Anleitung siehe https://wiki.openwrt.org/inbox/openswanxl2tpvpn
d2) um OLSRv2 erweitern
e2) überprüfen: läuft l2tp im kernel space? Müsste man beim Start von xl2tpd sehen (siehe logread)
g)* Mehrere Knoten in Reihe.
zu a) ---------- root@gai:/etc# cat xl2tpd/xl2tpd.conf [global] port = 1701 auth file = /etc/l2tpd/l2tp-secrets rand source = dev [lns default] assign ip = no ; * Only permit one tunnel per host require chap = yes refuse pap = yes require authentication = yes unix authentication = no name = gai ppp debug = no pppoptfile = /etc/ppp/options.l2tpd ---------- root@gai:/etc# cat xl2tpd/l2tp-secrets gai lini XXXXXXXXX -------------- root@gai:/etc# cat ppp/options.l2tpd refuse-eap noccp noauth nodefaultroute crtscts idle 1800 mtu 1410 mru 1410 lock connect-delay 5000 +ipv6 ipv6 ::1,::2 ipv6cp-accept-local zu b) ----------------- leo@lini:/etc/xl2tpd$ cat xl2tpd.conf [lac gai] lns = gai.on-i.de redial = yes redial timeout = 15 require authentication = yes refuse pap = yes require chap = yes ; * Require CHAP auth. by peer name = lini ; * Report this as our hostname ppp debug = no ; * Turn on PPP debugging pppoptfile = /etc/ppp/options.l2tpd --------------------- leo@lini:/etc/xl2tpd$ sudo cat l2tp-secrets lini gai XXXXXX --------------------- leo@lini:/etc/xl2tpd$ cat ../ppp/options.l2tpd refuse-eap noccp noauth nodefaultroute crtscts idle 1800 mtu 1410 mru 1410 lock connect-delay 5000 +ipv6 ipv6cp-accept-local debug zu c) zu e) #/etc/config/ipsec config 'ipsec' # option 'zone' 'wan' option 'debug' '1' config 'remote' 'gai' option 'enabled' '1' option 'gateway' '2001:67c:1400:2430::1' #laut https://wiki.openwrt.org/doc/uci/ipsec is psk derzeit das einzig unterstuetzte :( #TODO nochmal gegenpruefen option 'authentication_method' 'psk' option 'pre_shared_key' 'yourpasswordhere' list 'p1_proposal' 'pre_g2_aes_sha1' list 'sainfo' 'acme_dmz' list 'sainfo' 'acme_lan' #werden folgende Optionen unterstuetzt? 
type=transport keyexchange=ikev2 auto=route config 'p1_proposal' 'pre_g2_aes_sha1' option 'encryption_algorithm' 'aes128' option 'hash_algorithm' 'sha1' option 'dh_group' 'modp1024' config 'tunnel' 'acme_lan' option 'local_subnet' '192.168.2.64/26' option 'remote_subnet' '10.1.2.0/24' option 'p2_proposal' 'g2_aes_sha1' config 'p2_proposal' 'g2_aes_sha1' option 'pfs_group' 'modp1024' option 'encryption_algorithm' 'aes 128' option 'authentication_algorithm' 'sha1' -------------------------------- zu f) Configuring kmod-crypto-aead. Configuring kmod-crypto-hash. Configuring kmod-crypto-pcompress. Configuring kmod-crypto-manager. Configuring kmod-crypto-rng. Configuring kmod-crypto-wq. Configuring kmod-crypto-iv. Configuring kmod-lib-zlib. Configuring kmod-crypto-deflate. Configuring kmod-crypto-md5. Configuring kmod-crypto-authenc. Configuring kmod-crypto-des. Configuring kmod-crypto-hmac. Configuring kmod-crypto-sha1. Configuring kmod-crypto-cbc. Configuring kmod-ipsec. Configuring kmod-iptunnel4. Configuring kmod-ipsec4. Configuring kmod-iptunnel6. Configuring kmod-ipsec6. Configuring kmod-ipt-ipsec. Configuring iptables-mod-ipsec. Configuring strongswan. Configuring strongswan-mod-constraints. Configuring strongswan-mod-sha1. Configuring strongswan-mod-sha2. Configuring strongswan-mod-pem. Configuring strongswan-mod-rc2. Configuring strongswan-mod-aes. Configuring strongswan-mod-pgp. Configuring strongswan-mod-sshkey. Configuring strongswan-mod-xcbc. Configuring strongswan-mod-random. Configuring strongswan-mod-pkcs1. Configuring strongswan-mod-dnskey. Configuring strongswan-utils. Configuring strongswan-mod-hmac. Configuring strongswan-charon. Configuring strongswan-mod-des. Configuring strongswan-mod-fips-prf. Configuring strongswan-mod-socket-default. Configuring strongswan-mod-resolve. Configuring strongswan-mod-pubkey. Configuring strongswan-mod-kernel-netlink. Configuring strongswan-mod-attr. Configuring libgmp. Configuring strongswan-mod-gmp. 
Configuring strongswan-mod-md5. Configuring strongswan-mod-nonce. Configuring strongswan-mod-revocation. Configuring strongswan-mod-stroke. Configuring strongswan-mod-updown. Configuring strongswan-mod-x509. Configuring strongswan-mod-xauth-generic. Configuring strongswan-default. ------------------------------
Dateien L2TP/PPP
Client
Client: /etc/xl2tpd/xl2tpd.conf
; Client: /etc/xl2tpd/xl2tpd.conf -- the LAC side that dials the server "gai";
; the PPP options it hands to pppd are in /etc/ppp/options.l2tpd (pppoptfile).
[lac gai]
lns = gai.on-i.de
redial = yes
redial timeout = 15
; The peer has to authenticate; plaintext PAP is refused, CHAP is required.
require authentication = yes
refuse pap = yes
require chap = yes ; * Require CHAP auth. by peer
name = lini ; * Report this as our hostname
ppp debug = no ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd
; NOTE(review): L2TP on its own provides no confidentiality; this page runs it
; inside IPsec transport mode (see "Dateien IPSec"), so the tunnel is only as
; protected as that IPsec connection.
Client: /etc/xl2tpd/l2tp-secrets
# Secrets for authenticating l2tp tunnels
# us them secret
# * marko blah2
# zeus marko blah
# * * interop
# Entry for this client (lini) talking to the server (gai); the secret itself
# is redacted on the page. NOTE(review): the page reads this file with sudo on
# lini, i.e. it is expected to be readable by root only -- keep it that way.
lini gai ............
Client: /etc/ppp/options.l2tpd
# Client: /etc/ppp/options.l2tpd -- pppd options xl2tpd passes via pppoptfile.
refuse-eap
noccp
# noauth: pppd itself does not demand authentication from the peer; the CHAP
# requirement lives in xl2tpd.conf (require chap = yes) -- presumably xl2tpd
# passes it on to pppd, confirm if enforcement is expected here.
noauth
nodefaultroute
crtscts
idle 1800
# MTU/MRU below 1500, presumably to leave room for the L2TP/UDP (and IPsec)
# encapsulation -- confirm against the observed path MTU.
mtu 1410
mru 1410
lock
connect-delay 5000
# +ipv6 enables IPV6CP; ipv6cp-accept-local accepts the peer's idea of our
# local interface identifier.
+ipv6
ipv6cp-accept-local
# debug: verbose pppd logging to syslog; test-only, drop once the setup works.
debug
Server
Server: /etc/xl2tpd/xl2tpd.conf
; Server: /etc/xl2tpd/xl2tpd.conf -- LNS on gai that accepts the client "lini".
[global]
port = 1701
; NOTE(review): this path differs from the secrets listing below, which is
; headed /etc/xl2tpd/l2tp-secrets -- confirm which file xl2tpd actually reads.
auth file = /etc/l2tpd/l2tp-secrets
rand source = dev ; Source for entropy for random
; ; numbers, options are:
; ; dev - reads of /dev/urandom
; ; sys - uses rand()
; ; egd - reads from egd socket
; ; egd is not yet implemented

[lns default]
assign ip = no ; * Only permit one tunnel per host
; The peer must authenticate with CHAP; PAP and system-account ("unix")
; authentication are switched off.
require chap = yes
refuse pap = yes
require authentication = yes
unix authentication = no
name = gai
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd
Server: /etc/xl2tpd/l2tp-secrets
# Secrets for authenticating l2tp tunnels
# us them secret
# * marko blah2
# zeus marko blah
# * * interop
# Entry for this server (gai) and the client (lini); the shared secret has to
# be the same one the client configures in its own l2tp-secrets line
# (lini gai <secret>). Replace the placeholder with the real secret and keep
# the file readable by root only.
gai lini ......insert-pwd-here...
Server: /etc/ppp/options.l2tpd
# Server: /etc/ppp/options.l2tpd -- pppd options xl2tpd passes via pppoptfile on gai.
refuse-eap
noccp
# noauth: pppd does not enforce authentication itself; CHAP is required in
# xl2tpd.conf -- presumably passed through by xl2tpd, confirm.
noauth
nodefaultroute
crtscts
idle 1800
mtu 1410
mru 1410
lock
connect-delay 5000
+ipv6
# ipv6 <local>,<remote> fixes the interface identifiers of both ends; the
# task notes above observe fe80::1 on gai and ping it from the client.
ipv6 ::1,::2
ipv6cp-accept-local
Dateien IPSec
Server
Server: /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# NOTE(review): certuribase/crluri point at the public strongswan.org demo PKI;
# if strongswanCert.pem is the CA generated locally (task d above), no CRL for
# it will be served from there -- confirm, or drop the two URIs.
ca strongswan
    cacert=strongswanCert.pem
    certuribase=http://ip6-winnetou.strongswan.org/certs/
    crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
    auto=add

config setup
    # By default only one client can connect at the same time with an identical
    # certificate and/or password combination. Enable this option to disable
    # this behavior.
    # uniqueids=never
    #
    # Slightly more verbose logging. Very useful for debugging.
    #charondebug="cfg 2, dmn 2, ike 2, net 2"
    # NOTE(review): log level 4 makes charon include sensitive material (keys)
    # in its log output. Use it only while debugging and return to the level-2
    # line above (the value the client uses) afterwards.
    charondebug="cfg 4, dmn 4, ike 4, net 4"

# Default configuration options, used below if an option is not specified.
# See: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn %default
    # Use IKEv2 by default
    keyexchange=ikev2
    # Prefer modern cipher suites that allow PFS (Perfect Forward Secrecy)
    # NOTE(review): the trailing "!" makes these lists strict, but they still
    # contain sha1 and modp1024 entries, so a peer may negotiate SHA-1 and a
    # 1024-bit DH group. The OpenWRT test above ended on aes128-sha1-modp1536
    # for kernel-support reasons; the modp1024 entries could be dropped
    # without affecting that.
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    #
    # Dead Peer Discovery
    dpdaction=clear
    dpddelay=300s
    #
    # Do not renegotiate a connection if it is about to expire
    rekey=no
    #
    # Server side
    left=2001:67c:1400:2430::1
    leftid=@gai.on-i.de
    leftcert=vpnHostCert.pem
    #
    # Client side
    # right=%any: any initiator may connect; it is presumably authenticated by
    # certificate against the CA loaded above. No rightid/rightca restriction
    # is configured here.
    right=%any
    # Transport mode: protects the L2TP/UDP traffic between the two hosts
    # rather than tunnelling whole networks.
    type=transport

# IKEv2: Newer version of the IKE protocol
# auto=add loads the connection and waits for the client to initiate.
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
Server: /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

# Presumably the key belonging to leftcert=vpnHostCert.pem in ipsec.conf; a
# bare file name is looked up relative to /etc/ipsec.d/private. Keep it
# root-only (0600), as the task notes do for ClientKey.pem on the client.
: RSA vpnHostKey.pem
Client Linux-Ubuntu
Client: leo@lini:/etc/xl2tpd$ cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
    # By default only one client can connect at the same time with an identical
    # certificate and/or password combination. Enable this option to disable
    # this behavior.
    # uniqueids=never
    #
    # Slightly more verbose logging. Very useful for debugging.
    charondebug="cfg 2, dmn 2, ike 2, net 2"

# Default configuration options, used below if an option is not specified.
# See: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
conn %default
    #
    # Use IKEv2 by default
    keyexchange=ikev2
    #
    # Prefer modern cipher suites that allow PFS (Perfect Forward Secrecy)
    #for OpenWRT there has to be found supported crypto algos (see long description above)
    # NOTE(review): strict lists ("!"), but sha1 and modp1024 entries remain,
    # so SHA-1 and a 1024-bit DH group can still be negotiated; the OpenWRT
    # notes above settled on aes128-sha1-modp1536, so the modp1024 entries
    # could be removed without breaking that.
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    #
    # Dead Peer Discovery
    dpdaction=clear
    dpddelay=300s
    #
    # Do not renegotiate a connection if it is about to expire
    rekey=no
    #
    # NOTE(review): left/right are the reverse of the usual local/remote
    # convention in this file -- "left" is the server gai, "right" is this
    # client. strongSwan resolves which side is local from the addresses, so
    # this works, but it makes the two ipsec.conf files harder to compare.
    # Server side
    #left=%any
    left=2001:67c:1400:2430::1
    leftid=@gai.on-i.de
    #
    #setting not needed on client side
    #leftcert=vpnHostCert.pem
    #
    # Client side
    #right=%any
    #
    #IPv6 of tunnel interface gai
    #right=2a02:8108:1a80:d3c:863a:4bff:fe44:ba50
    #
    #IPv6 of client
    right=2a02:8108:1a80:d3c:863a:4bff:fe44:ba50
    #
    # Certificate this client presents; its private key is referenced from
    # ipsec.secrets (ClientKey.pem).
    rightcert=ClientCert.pem
    type=transport

# IKEv2: Newer version of the IKE protocol
conn IPSec-IKEv2
    keyexchange=ikev2
    # auto=route installs the policy at start-up and brings the SA up when
    # matching traffic appears; the server side uses auto=add and waits.
    auto=route
Client: /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# Private key for rightcert=ClientCert.pem; a bare file name is looked up in
# /etc/ipsec.d/private, where the task notes above copy it and set mode 600.
: RSA ClientKey.pem