strongswan swanctl IPSec tunnels
Configuration files for strongSwan to create an IPsec tunnel between two peers: peer1, which has IP 192.168.231.1, and peer2, which has IP 192.168.231.2.
The tunnel will be established between those two IPs, and each peer will have an in-tunnel subnet: 10.0.1.0/24 for peer1 and 10.0.2.0/24 for peer2.
The swanctl configuration format is used, together with XFRM interfaces.
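# /etc/swanctl/conf.d/peer1.conf on peer1
#
# Keep this file readable by root only: the secrets section at the bottom
# holds the IKE pre-shared key in clear text.
connections {
    # Section for an IKE connection named <conn>.
    peer1-to-peer2 {
        # IKE major version to use for connection.
        version = 2
        # Local address(es) to use for IKE communication, comma separated.
        local_addrs = 192.168.231.1
        # Remote address(es) to use for IKE communication, comma separated.
        remote_addrs = 192.168.231.2
        # Default inbound XFRM interface ID for children.
        if_id_in = 1
        # Default outbound XFRM interface ID for children.
        # Keep if_id_in and if_id_out equal: the updown script creates one XFRM
        # interface keyed on PLUTO_IF_ID_OUT, and an XFRM interface carries a
        # single if_id, so differing values would not be matched by that interface.
        if_id_out = 1
        # Section for a local authentication round.
        local {
            auth = psk
            id = peer1
        }
        # Section for a remote authentication round.
        remote {
            auth = psk
            id = peer2
        }
        # useful options to control tunnel behaviour, adapt to your needs
        # No proposals/esp_proposals are given, so the daemon defaults apply;
        # pin them explicitly if the peers must agree on a fixed cipher suite.
        mobike = no
        encap = no
        rekey_time = 1200s
        dpd_delay = 1m
        children {
            # CHILD_SA configuration sub-section.
            peer1-to-peer2 {
                start_action = start
                # updown script to enable/disable the XFRM interface
                updown = /usr/local/bin/strongswan_updown.sh
                # Local traffic selectors to include in CHILD_SA.
                local_ts = 10.0.1.0/24
                # Remote selectors to include in CHILD_SA.
                remote_ts = 10.0.2.0/24
            }
        }
    }
}
secrets {
    # Pre-shared key for the IKE_SA. Replace the placeholder with a long random
    # value and keep it identical to the one in peer2.conf on the other peer.
    ike-peer1-to-peer2 {
        # Use the id<suffix> form documented in swanctl.conf for several
        # identities: repeating the bare `id` key inside one section does not
        # accumulate a list, so only one of the two identities was being kept.
        id-1 = peer1
        id-2 = peer2
        secret = STRONG-PASSWORD-PEER1-TO-PEER2
    }
}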
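# /etc/swanctl/conf.d/peer2.conf on peer2
#
# Keep this file readable by root only: the secrets section at the bottom
# holds the IKE pre-shared key in clear text.
connections {
    # Section for an IKE connection named <conn>.
    peer2-to-peer1 {
        # IKE major version to use for connection.
        version = 2
        # Local address(es) to use for IKE communication, comma separated.
        local_addrs = 192.168.231.2
        # Remote address(es) to use for IKE communication, comma separated.
        remote_addrs = 192.168.231.1
        # Default inbound XFRM interface ID for children.
        if_id_in = 1
        # Default outbound XFRM interface ID for children.
        # Keep if_id_in and if_id_out equal: the updown script creates one XFRM
        # interface keyed on PLUTO_IF_ID_OUT, and an XFRM interface carries a
        # single if_id, so differing values would not be matched by that interface.
        if_id_out = 1
        # Section for a local authentication round.
        local {
            auth = psk
            id = peer2
        }
        # Section for a remote authentication round.
        remote {
            auth = psk
            id = peer1
        }
        # useful options to control tunnel behaviour, adapt to your needs
        # No proposals/esp_proposals are given, so the daemon defaults apply;
        # pin them explicitly if the peers must agree on a fixed cipher suite.
        mobike = no
        encap = no
        rekey_time = 1200s
        dpd_delay = 1m
        children {
            # CHILD_SA configuration sub-section.
            peer2-to-peer1 {
                start_action = start
                # updown script to enable/disable the XFRM interface
                updown = /usr/local/bin/strongswan_updown.sh
                # Local traffic selectors to include in CHILD_SA.
                local_ts = 10.0.2.0/24
                # Remote selectors to include in CHILD_SA.
                remote_ts = 10.0.1.0/24
            }
        }
    }
}
secrets {
    # Pre-shared key for the IKE_SA. Replace the placeholder with a long random
    # value and keep it identical to the one in peer1.conf on the other peer.
    ike-peer2-to-peer1 {
        # Use the id<suffix> form documented in swanctl.conf for several
        # identities: repeating the bare `id` key inside one section does not
        # accumulate a list, so only one of the two identities was being kept.
        id-1 = peer2
        id-2 = peer1
        secret = STRONG-PASSWORD-PEER1-TO-PEER2
    }
}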
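#!/bin/bash
# shell script to use with Strongswan updown plugin https://docs.strongswan.org/docs/5.9/plugins/updown.html
# This is just an example script which must be adapted to your needs
#
# creates XFRM interface with `if_id` from strongswan swanctl connection
# assigns it the IP address from the connection local_ts
# NEEDED? set charon.install_virtual_ip = no to prevent the daemon from also installing the VIP
#
# The script runs as root from charon. Every input arrives as a PLUTO_*
# environment variable set by the updown plugin; each expansion is quoted so
# that a value can never be word-split into extra ip(8) arguments.
# errexit is enabled with `set` rather than on the shebang line so it also
# applies when the script is launched as `bash strongswan_updown.sh`.
set -o nounset
set -o errexit

# The interface is keyed on the outbound if_id only. An XFRM interface has a
# single if_id, so the swanctl connection must set if_id_in and if_id_out to
# the same value for inbound traffic to reach this interface.
XFRM_IF="ipsec${PLUTO_IF_ID_OUT}"

case "${PLUTO_VERB}" in
  up-client)
    # With errexit a failing `ip link add` (for instance when the interface is
    # still present from an earlier run) aborts before any route or address
    # is installed, instead of stacking state onto a stale interface.
    ip link add "${XFRM_IF}" type xfrm dev lo \
      if_id "${PLUTO_IF_ID_OUT}"
    #ip link set "${XFRM_IF}" mtu 1360
    ip link set "${XFRM_IF}" up
    ip route add "${PLUTO_PEER_CLIENT}" dev "${XFRM_IF}"
    # PLUTO_MY_CLIENT is the local_ts selector (a whole subnet in the sample
    # configs), so this assigns that prefix as the interface address; adapt if
    # a specific host address is wanted instead.
    ip addr add "${PLUTO_MY_CLIENT}" dev "${XFRM_IF}"
    #sysctl -w "net.ipv4.conf.${XFRM_IF}.disable_policy=1"
    ;;
  down-client)
    # Deleting the link also drops the address and route added above.
    ip link del "${XFRM_IF}"
    ;;
  *)
    # Other updown verbs are intentionally ignored by this script.
    ;;
esac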