Configuration example without VRF
We will configure a VPN gateway on a network that interconnects two sites via a public network.
Network topology:
 10.22.1.0/24   ================   10.23.1.0/24   +--------------+   10.24.1.0/24
 ---------------| VPN gateway  |==================| remote       |---------------
   private      | with         |     public       | VPN          |    private
   network      | cp-ipsec-ike |     network      | gateway      |    network
 (plaintext)    ================     (IPsec)      +--------------+  (plaintext)
                      .101                             .201
The network interfaces belong to the default network namespace.
Configure IP addresses and routes:
# ip link set eth0 up
# ip addr add 10.22.1.101/24 dev eth0
# ip link set eth2 up
# ip addr add 10.23.1.101/24 dev eth2
# ip route add default via 10.23.1.201
Create the strongSwan PID directory:
# mkdir -p /etc/ike/ipsec.d/run
Edit the /etc/ike/ipsec.conf configuration file as follows:
config setup

conn %default
    keyexchange=ikev2
    keyingtries=1
    mobike=no
    ikelifetime=57600s
    rekeymargin=5760s
    keylife=28800s

conn myconnection
    auto=route
    left=10.23.1.101
    right=10.23.1.201
    leftsubnet=10.22.1.0/24
    rightsubnet=10.24.1.0/24
    type=tunnel
    ike=aes-sha1-modp1024!
    esp=aes-sha1-modp1024!
    authby=psk
This file defines the SPs and the negotiation parameters of the SAs.
Add the following line to the /etc/ike/ipsec.secrets file:
10.23.1.101 10.23.1.201 : PSK 0x12345678
This file defines authentication secrets, such as pre-shared keys or certificates.
Add the following lines to the /etc/ike/strongswan.conf file:
charon {
    install_routes = no
}
This file defines global configuration options for IKE daemons.
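Before starting the daemons, a practitioner usually lints the three files just written. The script below is an added example and is not part of the cp-ipsec-ike or strongSwan documentation: it checks a conn's ike=/esp= proposal against a list of deprecated primitives (with the page's aes-sha1-modp1024! proposal it reports SHA-1 and the 1024-bit MODP group; the list itself is an assumption) and verifies that ipsec.secrets, which holds the PSK in clear, is readable by its owner only. It writes the page's ipsec.conf into a temporary directory as a constructed sample, so it runs without touching /etc/ike; the extra conn "modern" is a constructed counterexample with a proposal that passes.

```sh
#!/bin/sh
# Added example, not part of the cp-ipsec-ike or strongSwan documentation.
# Pre-flight checks for ipsec.conf and ipsec.secrets. Paths, conn names and
# the "weak" list below are assumptions for the demonstration.

# check_proposal CONF CONN KEY
# Prints each component of the KEY= (ike or esp) proposal of CONN that is on
# the deprecated list. Returns 0 when the proposal is clean, 1 otherwise.
check_proposal() {
    conf=$1; conn=$2; key=$3
    # Take the key=value line inside the wanted "conn" block only; strip the
    # '!' (strict proposal) marker and split comma-separated alternatives.
    proposal=$(awk -v conn="$conn" -v key="$key" '
        $1 == "conn" { inside = ($2 == conn); next }
        inside && index($1, key "=") == 1 { sub("^" key "=", "", $1); print $1 }
    ' "$conf" | tr -d '!' | tr ',' '\n')
    rc=0
    # Components are separated by '-': cipher-integrity/prf-dhgroup.
    # Assumed list of broken or deprecated cipher, hash and DH group names.
    for algo in $(printf '%s\n' "$proposal" | tr '-' '\n'); do
        case $algo in
            null|des|3des|md5|sha1|modp768|modp1024|modp1536)
                echo "$conn/$key: weak component '$algo'"; rc=1 ;;
        esac
    done
    return $rc
}

# check_secrets_mode FILE
# Returns 0 when FILE exists and is readable by its owner only (mode 600/400).
check_secrets_mode() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in
        600|400) return 0 ;;
        *) echo "$f: mode $mode, expected 600"; return 1 ;;
    esac
}

# Constructed sample: the ipsec.conf from this page plus a conn "modern"
# with a proposal that passes the check, in a temporary directory.
TMP=$(mktemp -d)
SAMPLE_CONF=$TMP/ipsec.conf
SAMPLE_SECRETS=$TMP/ipsec.secrets
cat >"$SAMPLE_CONF" <<'EOF'
config setup

conn %default
    keyexchange=ikev2
    keyingtries=1
    ikelifetime=57600s

conn myconnection
    auto=route
    left=10.23.1.101
    right=10.23.1.201
    ike=aes-sha1-modp1024!
    esp=aes-sha1-modp1024!
    authby=psk

conn modern
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
EOF
echo '10.23.1.101 10.23.1.201 : PSK 0x12345678' >"$SAMPLE_SECRETS"
chmod 600 "$SAMPLE_SECRETS"

for c in myconnection modern; do
    for k in ike esp; do
        if check_proposal "$SAMPLE_CONF" "$c" "$k"; then echo "$c/$k: ok"; fi
    done
done
if check_secrets_mode "$SAMPLE_SECRETS"; then echo "$SAMPLE_SECRETS: mode ok"; fi
```

Point the two functions at /etc/ike/ipsec.conf and /etc/ike/ipsec.secrets to check a real gateway; the deprecated list is deliberately short and should be extended to whatever the site's crypto policy forbids.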
Start the strongSwan IKE daemons:
# ipsec start
Starting strongSwan 5.4.0 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
Once IKE daemons are started, the IPsec SPs are configured in the kernel and in the fast path.
A negotiation is automatically initiated the next time the IPsec gateway must forward a dataplane packet from the private network 10.22.1.0/24 to the remote private network 10.24.1.0/24. It is also possible to initiate the negotiation manually with the command 'ipsec up myconnection'.
Display the IKE daemons’ state:
Before a negotiation:
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux 4.4.6, x86_64):
  uptime: 70 seconds, since Jun 09 12:31:28 2016
  malloc: sbrk 1613824, mmap 0, used 456864, free 1156960
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-radius xauth-generic
Listening IP addresses:
  10.0.2.15
  10.22.1.101
  10.23.1.101
Connections:
myconnection:  10.23.1.101...10.23.1.201  IKEv2
myconnection:   local:  [10.23.1.101] uses pre-shared key authentication
myconnection:   remote: [10.23.1.201] uses pre-shared key authentication
myconnection:   child:  10.22.1.0/24 === 10.24.1.0/24 TUNNEL
Routed Connections:
myconnection{1}:  ROUTED, TUNNEL, reqid 1
myconnection{1}:   10.22.1.0/24 === 10.24.1.0/24
Security Associations (0 up, 0 connecting):
  none
After a successful negotiation:
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux 4.4.6, x86_64):
  uptime: 4 minutes, since Jun 09 12:31:27 2016
  malloc: sbrk 2154496, mmap 0, used 482624, free 1671872
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-radius xauth-generic
Listening IP addresses:
  10.0.2.15
  10.22.1.101
  10.23.1.101
Connections:
myconnection:  10.23.1.101...10.23.1.201  IKEv2
myconnection:   local:  [10.23.1.101] uses pre-shared key authentication
myconnection:   remote: [10.23.1.201] uses pre-shared key authentication
myconnection:   child:  10.22.1.0/24 === 10.24.1.0/24 TUNNEL
Routed Connections:
myconnection{1}:  ROUTED, TUNNEL, reqid 1
myconnection{1}:   10.22.1.0/24 === 10.24.1.0/24
Security Associations (1 up, 0 connecting):
myconnection[1]: ESTABLISHED 2 minutes ago, 10.23.1.101[10.23.1.101]...10.23.1.201[10.23.1.201]
myconnection[1]: IKEv2 SPIs: 9217d43e81075119_i* a7a2a27f487e7598_r, pre-shared key reauthentication in 11 hours
myconnection[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
myconnection{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c83bbb1d_i ca86380f_o
myconnection{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 5 hours
myconnection{2}:   10.22.1.0/24 === 10.24.1.0/24
Display the Linux IPsec SPs:
# ip xfrm policy show
src 10.24.1.0/24 dst 10.22.1.0/24
    dir fwd priority 2883 ptype main
    tmpl src 10.23.1.201 dst 10.23.1.101
        proto esp reqid 1 mode tunnel
src 10.24.1.0/24 dst 10.22.1.0/24
    dir in priority 2883 ptype main
    tmpl src 10.23.1.201 dst 10.23.1.101
        proto esp reqid 1 mode tunnel
src 10.22.1.0/24 dst 10.24.1.0/24
    dir out priority 2883 ptype main
    tmpl src 10.23.1.101 dst 10.23.1.201
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
Display the negotiated Linux IPsec SAs:
# ip xfrm state show
src 10.23.1.101 dst 10.23.1.201
    proto esp spi 0xca86380f reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x8239c2887f263f346ff555a72355ff7146b8f240 96
    enc cbc(aes) 0x1f25429035e5d86455ce7af4ba0755c9
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.23.1.201 dst 10.23.1.101
    proto esp spi 0xc83bbb1d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xe028f32ecc1a53d80940fca70d49351bb26d035e 96
    enc cbc(aes) 0x35d05466e993ff1793da4d4e80d3773b
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
Display the fast path IPsec SPs:
<fp-0> ipsec4-spd all
Inbound SPD: 1 rules
1: 10.24.1.0/24 10.22.1.0/24 proto any vr0 protect prio 2883 link-vr0
     ESP tunnel 10.23.1.201 - 10.23.1.101 reqid=1
     sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
Outbound SPD: 1 rules
1: 10.22.1.0/24 10.24.1.0/24 proto any vr0 protect prio 2883 link-vr0 cached-SA 0 (genid 0)
     ESP tunnel 10.23.1.101 - 10.23.1.201 reqid=1
     sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
Display the negotiated fast path IPsec SAs:
<fp-0> ipsec4-sad all
SAD 2 SA.
1: 10.23.1.201 - 10.23.1.101 vr0 spi 0xc83bbb1d ESP tunnel x-vr0 reqid=1 counter 1 (genid 1)
     AES-CBC HMAC-SHA1
     key enc:35d05466e993ff1793da4d4e80d3773b
     digest length: 12
     key auth:e028f32ecc1a53d80940fca70d49351bb26d035e
     sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
     sa_replay_errors=0 sa_selector_errors=0
     replay width=32 seq=0x0 - oseq=0x0
     00000000
2: 10.23.1.101 - 10.23.1.201 vr0 spi 0xca86380f ESP tunnel x-vr0 reqid=1 counter 1 (genid 2)
     AES-CBC HMAC-SHA1
     key enc:1f25429035e5d86455ce7af4ba0755c9
     digest length: 12
     key auth:8239c2887f263f346ff555a72355ff7146b8f240
     sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
     sa_replay_errors=0 sa_selector_errors=0
     replay width=32 seq=0x0 - oseq=0x0
     00000000
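The two SA listings above (kernel and fast path) must describe the same SAs: the same source, destination, SPI and reqid on both sides, or traffic for a mismatched SA is dropped or passed to the wrong SA. The script below is an added example, not part of the cp-ipsec-ike or fast path documentation: it parses both output formats into "src dst spi reqid" tuples and reports any SA present on one side only. The sample outputs are constructed from the listings on this page (key lines omitted since the check does not use them); on a real gateway, feed it the live outputs of ip xfrm state show and ipsec4-sad all instead.

```sh
#!/bin/sh
# Added example, not part of the cp-ipsec-ike or fast path documentation.
# Cross-check the kernel's ESP SAs (ip xfrm state show) against the fast
# path SAD (ipsec4-sad all) on (src, dst, spi, reqid).

# Turn "ip xfrm state show" output (stdin) into lines "src dst spi reqid".
xfrm_sa_tuples() {
    awk '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4 }
        $1 == "proto" && $3 == "spi" { print src, dst, $4, $6 }
    '
}

# Turn "ipsec4-sad all" output (stdin) into the same "src dst spi reqid" form.
# Only the numbered header line of each SA carries the fields we compare.
fp_sa_tuples() {
    awk '
        /^[0-9]+: / {
            src = $2; dst = $4; spi = ""; reqid = ""
            for (i = 5; i <= NF; i++) {
                if ($i == "spi") spi = $(i + 1)
                if (index($i, "reqid=") == 1) { reqid = $i; sub("reqid=", "", reqid) }
            }
            print src, dst, spi, reqid
        }
    '
}

# compare_sad XFRM_TEXT FP_TEXT
# Returns 0 when both tables describe the same SA set, 1 otherwise; on a
# mismatch prints the tuples present on one side only ("<" kernel, ">" fast path).
compare_sad() {
    k_file=$(mktemp); f_file=$(mktemp)
    printf '%s\n' "$1" | xfrm_sa_tuples | sort >"$k_file"
    printf '%s\n' "$2" | fp_sa_tuples | sort >"$f_file"
    if cmp -s "$k_file" "$f_file"; then
        rc=0
    else
        echo "SA mismatch between kernel (<) and fast path (>):"
        diff "$k_file" "$f_file" | grep '^[<>]'
        rc=1
    fi
    rm -f "$k_file" "$f_file"
    return $rc
}

# Constructed samples, taken from the listings on this page (key lines omitted).
XFRM_SAMPLE=$(cat <<'EOF'
src 10.23.1.101 dst 10.23.1.201
    proto esp spi 0xca86380f reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.23.1.201 dst 10.23.1.101
    proto esp spi 0xc83bbb1d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
EOF
)
FP_SAMPLE=$(cat <<'EOF'
SAD 2 SA.
1: 10.23.1.201 - 10.23.1.101 vr0 spi 0xc83bbb1d ESP tunnel x-vr0 reqid=1 counter 1 (genid 1)
     AES-CBC HMAC-SHA1
     sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
     sa_replay_errors=0 sa_selector_errors=0
     replay width=32 seq=0x0 - oseq=0x0
2: 10.23.1.101 - 10.23.1.201 vr0 spi 0xca86380f ESP tunnel x-vr0 reqid=1 counter 1 (genid 2)
     AES-CBC HMAC-SHA1
     sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
     sa_replay_errors=0 sa_selector_errors=0
     replay width=32 seq=0x0 - oseq=0x0
EOF
)

if compare_sad "$XFRM_SAMPLE" "$FP_SAMPLE"; then
    echo "kernel and fast path SADs are in sync"
fi
```

On a live gateway, run compare_sad "$(ip xfrm state show)" "$(fp-cli ipsec4-sad all)" (the fast path CLI invocation is whatever your installation uses) from a cron job or monitoring probe; a non-zero exit is the signal to look at the synchronization between the IKE daemon and the fast path.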
Stop IKE daemons:
# ipsec stop
This command stops IKE daemons and removes all SPs and SAs.