VPN

Defining a VPN

Define a VPN:

router{conf:myconfig}sec
router{conf:myconfig-sec}vpn VPNNAME static ENDPOINT1 ENDPOINT2
                    [vrf-id VRF-ID]
                    [svti SVTI]
router{conf:myconfig-sec}vpn VPNNAME TEMPLATENAME LOCALPEER REMOTEPEER
                    [vrf-id VRF-ID]
                    [svti SVTI]
                    [certificate CERTNAME]
                    [local-id ID]
                    [remote-id ID]
                    [dpdaction DPDACTION [dpddelay DPDDELAY]]
                    [replay-window-size REPLAYWINSIZE]
                    [esn disable|enable|negotiate]
                    [add|route|start]
VPNNAME
Name of the VPN.
static
Static IPsec configuration.
TEMPLATENAME

Name of the template to be used by the VPN. Either one of the predefined templates below or a user-defined template (see VPNTEMPLATEUSERNAME):

IKEv1 name    IKEv2 name          Description
psk-strong    ikev2-psk-strong    Pre-shared key authentication; stronger parameters than psk-lite (see the parameter tables below)
psk-lite      ikev2-psk-lite      Lighter security, lower overhead; pre-shared key authentication
cer-strong    ikev2-cer-strong    Certificate based authentication; stronger parameters than cer-lite (see the parameter tables below)
cer-lite      ikev2-cer-lite      Lighter security, lower overhead; certificate based authentication

VPNTEMPLATEUSERNAME

Optional. Name of a user-defined template created with the vpntemplate command.

The following tables summarize the IKE parameters selected for the pre-defined dynamic VPN templates.

IKEv1 param.    cer-strong    cer-lite      psk-strong        psk-lite
mode            main          aggressive    main              aggressive
phase1_crypt    3des          des           3des              des
phase1_hash     sha1          md5           sha1              md5
phase1_time     1 hour        16 hours      1 hour            16 hours
dh_group        2             1             2                 1
auth_method     rsasig        rsasig        pre-shared-key    pre-shared-key
id_type         asn1dn        asn1dn        address           fqdn
phase2_crypt    3des          des           3des              des
phase2_auth     hmac-sha1     hmac-md5      hmac-sha1         hmac-md5
phase2_time     1 hour        8 hours       1 hour            8 hours
pfs_group       1             1             1                 1

IKEv2 param.    ikev2-cer-strong    ikev2-cer-lite    ikev2-psk-strong    ikev2-psk-lite
phase1_crypt    3des                3des              3des                3des
phase1_hash     sha1                md5               sha1                md5
phase1_time     1 hour              16 hours          1 hour              16 hours
dh_group        2                   1                 2                   1
auth_method     rsasig              rsasig            pre-shared-key      pre-shared-key
id_type         asn1dn              asn1dn            address             fqdn
phase2_crypt    3des                3des              3des                3des
phase2_auth     hmac-sha1           hmac-md5          hmac-sha1           hmac-md5
phase2_time     1 hour              8 hours           1 hour              8 hours
pfs_group       1                   1                 1                   1

Caution

  • When using the IKEv1 main mode with the pre-shared key authentication method, the only supported identifier type is address.
  • The cer-strong, cer-lite, psk-strong and psk-lite templates and their IKEv2 equivalents are predefined in Turbo IPsec; reference one of them directly when defining a new VPN.
  • All predefined templates rely on algorithms that are no longer considered adequate (DES, 3DES, MD5, SHA-1, DH groups 1 and 2, PFS group 1), and the IKEv1 -lite templates use aggressive mode, which sends the identities in clear and, combined with a pre-shared key, lets an eavesdropper collect material for an offline dictionary attack on the PSK. Use them only for interoperability with legacy peers; for new deployments define your own template with the vpntemplate command and current algorithms.
ENDPOINT1
IP address of the local end-point of the VPN. ENDPOINT1 and ENDPOINT2 must be of the same IP version (IPv4 or IPv6).
ENDPOINT2
IP address of the remote end-point of the VPN.
LOCALPEER REMOTEPEER
IP address, FQDN, %any, range (e.g. 10.1.0.0-10.2.255.255) or subnet (e.g. 10.1.0.0/16) of the local and remote end-points. Each can also be a comma-separated list of these items.
VRF-ID
Virtual router (VRF) carrying the IPsec-encapsulated traffic.
SVTI
SVTI interface the VPN is bound to.
CERTNAME

Optional. Name of the CA to use for certificate based authentication. A certificate issued by this CA and matching the local IKE identifier must already be installed on Turbo IPsec.

Ignored if the VPN does not use certificate authentication.

local-id ID

The local IKE identifier can be an IP address, an FQDN, a user FQDN (e-mail address) or a Distinguished Name. The identifier type is determined automatically and the string is converted to the appropriate encoding.

To use other ID types or enforce a specific encoding, refer to the leftid|rightid options documentation on the strongSwan website.

See also

The Default values section below for how the local identifier is determined when the local-id option is not set.

remote-id ID
The remote IKE identifier supports the same ID types as the local-id.
dpdaction DPDACTION [dpddelay DPDDELAY]

Enable Dead Peer Detection (DPD).

DPDACTION determines the action to perform when the peer stops answering (DPD timeout):

  • clear: the connection is closed with no further action taken
  • hold: the connection is closed but the security policies (SPs) are maintained, so that matching traffic triggers a new negotiation
  • restart: the connection is closed and a new negotiation is started immediately

DPDDELAY defines the interval (in seconds) at which IKEv1 R_U_THERE messages or IKEv2 INFORMATIONAL exchanges are sent to the peer when no IKE or IPsec traffic is received from it. Valid range: 1-2147483647. Default: 30.

replay-window-size REPLAYWINSIZE
Size of the anti-replay window in packets. Valid range: 0-4096. Default: 32. Value 0 disables the anti-replay check, which removes ESP's protection against replayed packets; if legitimate traffic arrives out of order (QoS queuing, multiple paths), enlarge the window rather than disabling it.
esn disable|enable|negotiate
Extended Sequence Number policy. Default: disable. Value negotiate means negotiate with the peer whether to use 64-bit sequence numbers. Without ESN an SA must be rekeyed before its 32-bit sequence counter wraps, so ESN matters on high-throughput tunnels with long phase 2 lifetimes.
add|route|start

Specify the VPN startup operation:

  • add: just declare the VPN to the IKE daemon. Security policies will only be configured into the Kernel if and when a negotiation is established.
  • route: (default) security policies are configured into the Kernel. The negotiation may be triggered if output traffic matches the security policies.
  • start: start the negotiation immediately. Security policies will only be configured into the Kernel if and when the negotiation is established.

Default values

local-id ID

The local IKE identifier is determined, if possible, according to the template phase 1 ID type and authentication method:

  • for certificate authentication (rsasig):
    • if ID type is fqdn a DNS name is extracted from the subjectAltNames of the certificate, if any,
    • if ID type is user-fqdn an e-mail address is extracted from the subjectAltNames of the certificate, if any,
    • in all other cases, the local-id will be %any. The IKE daemon will then use the certificate subject DN (subjectName) as its identifier.
  • for pre-shared key authentication (pre-shared-key):
    • if ID type is fqdn the default FQDN is used, if any,
    • if ID type is user-fqdn (e-mail address) the default user FQDN is used, if any,
    • in all other cases, the local-id will be %any. The IKE daemon will then use its IP address as identifier, determined at negotiation time.
remote-id ID
By default the remote identifier is set to %any.

VPN deletion

  • Delete a single VPN:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}delete vpn VPNNAME
    
  • Delete all VPNs:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}delete vpn all
    

Example

router{conf:myconfig-sec}vpn vpn1 cer-lite 192.0.0.1 192.0.0.2 certificate cacommunity1
router{conf:myconfig-sec}vpn vpn2 psk-lite 3ffe::1 3ffe::2

router{conf:myconfig-sec}delete vpn vpn1

Monitoring VPNs

You can monitor VPNs by regularly sending ICMP echo requests via IPsec tunnels. When a connectivity loss is detected, you can be warned via syslog, or the tunnel may be re-negotiated.

  • Configure VPN monitoring:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}vpn-monitor RULENAME LOCALADDR REMOTEADDR log|rekey PERIOD
                        WARNTHRESHOLD DOWNTHRESHOLD [vrf-id VRFID]
    
    RULENAME

    IPsec rule name of the VPN to monitor

    LOCALADDR

    VPN IPv4 local endpoint

    REMOTEADDR

    VPN IPv4 remote endpoint

    log|rekey

    Action when the VPN is regarded as down: log a message via syslog, or re-negotiate (rekey) the tunnel

    PERIOD

    Frequency (in seconds) at which to monitor the VPN

    WARNTHRESHOLD

    Number of unreplied ping requests before logging a warning message

    DOWNTHRESHOLD

    Number of unreplied ping requests before regarding the VPN as down

    vrf-id VRFID

    VRF identifier on which the VPN must be monitored
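How the PERIOD, WARNTHRESHOLD and DOWNTHRESHOLD settings interact over time, as an added example in Python (not Turbo IPsec code). The counting rules are assumptions, not taken from the page: unreplied echo requests are counted consecutively, the first reply resets the counter, and the warning and down/rekey events fire once per outage. The echo results are a constructed list of booleans, one per PERIOD; the class and function names are the example's own.

```python
"""Simulation of the vpn-monitor thresholds (PERIOD, WARNTHRESHOLD,
DOWNTHRESHOLD, log|rekey).

Added example, not Turbo IPsec code. Assumptions: unreplied echo requests
are counted consecutively and the counter is reset by the first reply; the
warning and the down/rekey events fire once per outage; the echo results
are a constructed list of booleans, one per PERIOD.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class VpnMonitor:
    rule: str               # RULENAME
    action: str             # "log" or "rekey"
    warn_threshold: int     # WARNTHRESHOLD
    down_threshold: int     # DOWNTHRESHOLD
    misses: int = 0         # consecutive unreplied echo requests
    down: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.action not in ("log", "rekey"):
            raise ValueError("action must be log or rekey")
        if not 0 < self.warn_threshold <= self.down_threshold:
            raise ValueError("need 0 < WARNTHRESHOLD <= DOWNTHRESHOLD")

    def observe(self, replied: bool) -> None:
        """Account for the echo request sent at the end of one PERIOD."""
        if replied:
            if self.down:
                self.events.append(f"{self.rule}: up")
            self.misses, self.down = 0, False
            return
        self.misses += 1
        if self.misses == self.warn_threshold:
            self.events.append(f"{self.rule}: warning, {self.misses} unreplied")
        if self.misses == self.down_threshold:
            self.down = True
            self.events.append(f"{self.rule}: down")
            if self.action == "rekey":
                self.events.append(f"{self.rule}: renegotiating")


def run_monitor(results: List[bool], action: str = "log",
                warn: int = 2, down: int = 4, rule: str = "vpn1") -> List[str]:
    """Run one monitor over a list of echo results and return the events raised."""
    monitor = VpnMonitor(rule, action, warn, down)
    for replied in results:
        monitor.observe(replied)
    return monitor.events


if __name__ == "__main__":
    # constructed: one reply, five unreplied requests, then recovery
    print(run_monitor([True, False, False, False, False, False, True], "rekey"))
```

A single lost probe between replies raises nothing, because WARNTHRESHOLD and DOWNTHRESHOLD count unreplied requests in a row; with rekey the tunnel is re-negotiated exactly once when DOWNTHRESHOLD is reached, not on every further miss.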