Route-based (VTI) PSK setup - OPNsense vs. Linux
Scenario
| Setting | OPNsense | Linux |
|---|---|---|
| IP Address | 194.59.156.244 | 78.47.133.194 |
| Tunnel IP | 10.82.247.1 | 10.82.247.2 |
| Internal network | 10.80.0.0/14 | 10.82.247.4/30 |
| Pre-Shared Key (PSK) | 123Start$ | |
| Phase 1 | AES256 – SHA256 – DH16 | |
| Phase 2 | AES256 – SHA256 – DH16 | |
Linux: strongSwan configuration with VTI
Install packages
- apt install strongswan-swanctl charon-systemd libcharon-extra-plugins
Enable sysctl settings (IP forwarding on, ICMP redirects off)
- echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-ipsec.conf
- echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
- echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
- sysctl -p /etc/sysctl.d/99-ipsec.conf
swanctl.conf
- mkdir -p /etc/swanctl
- vi /etc/swanctl/swanctl.conf
    connections {
        it114-it113 {
            version = 2                      # IKEv2, as on the OPNsense side
            local_addrs = 78.47.133.194
            remote_addrs = 194.59.156.244
            local {
                id = 78.47.133.194
                auth = psk
            }
            remote {
                id = 194.59.156.244
                auth = psk
            }
            children {
                vti {
                    # 0.0.0.0/0 on both sides: routing, not the traffic selectors, decides what enters the tunnel
                    local_ts = 0.0.0.0/0
                    remote_ts = 0.0.0.0/0
                    mode = tunnel
                    start_action = trap
                    esp_proposals = aes256-sha256-modp4096   # AES256 / SHA256 / DH16
                    reqid = 10
                    dpd_action = clear
                    policies = no
                }
            }
            proposals = aes256-sha256-modp4096           # AES256 / SHA256 / DH16
            mobike = no
        }
    }
    secrets {
        ike-psk {
            id-1 = 78.47.133.194
            id-2 = 194.59.156.244
            secret = 123Start$
        }
    }
Enable the systemd unit
- systemctl enable strongswan
- systemctl start strongswan
- swanctl --load-all
Create the VTI interface persistently
- vi /etc/network/interfaces
    # the tunnel device name (vti20) must be identical in iface, pre-up, post-up and post-down
    auto vti20
    iface vti20 inet static
        pre-up ip tunnel add vti20 local 78.47.133.194 remote 194.59.156.244 mode vti key 20
        address 10.82.247.2 peer 10.82.247.1
        netmask 255.255.255.252
        post-up ip link set vti20 up
        post-up ip route add 10.80.0.0/14 via 10.82.247.1 dev vti20
        post-down ip tunnel del vti20
Open the firewall (IKE, NAT-T and ESP)
- iptables -A INPUT -p udp --dport 500 -j ACCEPT
- iptables -A INPUT -p udp --dport 4500 -j ACCEPT
- iptables -A INPUT -p esp -j ACCEPT
OPNsense: strongSwan configuration with VTI
| Setting | Value |
|---|---|
| Local Identifier | 194.59.156.244 |
| Remote Identifier | 78.47.133.194 |
| Pre-Shared Key | 123Start$ |
| Type | PSK |
| Description | – |
VPN: IPsec: Virtual Tunnel Interfaces
| Setting | Value |
|---|---|
| Enabled | enabled (✓) |
| Reqid | 10 |
| Local address | 194.59.156.244 |
| Remote address | 78.47.133.194 |
| Tunnel local address | 10.82.247.1 |
| Tunnel remote address | 10.82.247.2 |
| Name | IPSEC10 |
VPN: IPsec: Connections
| Setting | Value |
|---|---|
| Enabled | enabled (✓) |
| Proposals | default |
| Version | IKEv2 |
| MOBIKE | disabled |
| Local addresses | 194.59.156.244 |
| Remote addresses | 78.47.133.194 |
Authentication
Local
| Setting | Value |
|---|---|
| Authentication | Pre-Shared Key |
| Id | 194.59.156.244 |
Remote
| Setting | Value |
|---|---|
| Authentication | Pre-Shared Key |
| Id | 78.47.133.194 |
Children
| Setting | Value |
|---|---|
| Mode | Tunnel |
| Policies | disabled |
| Start action | Trap |
| DPD action | Clear |
| Reqid | 10 |
| ESP Proposals | aes256-sha256-modp4096 |
| Local | 0.0.0.0/0 |
| Remote | 0.0.0.0/0 |
System: Gateways: Configuration
| Setting | Value |
|---|---|
| Name | IPSEC10_GW |
| Interface | IPSEC10 |
| IP Address | 10.82.247.2 |
| Disable Gateway Monitoring | enabled (✓) |
System: Routes: Configuration
| Setting | Value |
|---|---|
| Network Address | 10.82.247.4/30 |
| Gateway | IPSEC10_GW – 10.82.247.2 |
| Description | Route to Linux via VTI |
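A consistency check across the two sides of this setup, added here as an example (it is not part of the original page, nor strongSwan or OPNsense code): it parses the Linux swanctl.conf, compares it with the OPNsense values, and verifies that every command in the ifupdown stanza names the same VTI device. The OPNsense values are a hypothetical dict built from the tables above, not an export; the sample stanza is the one from this page with its original vti10/vt20 typos, to show what the check catches.

```python
import re
# Constructed inputs from this page's tables: the Linux swanctl.conf (checked keys only),
# the OPNsense side as a hypothetical dict, and the ifupdown stanza with its original typos.
SWANCTL = """connections {
  it114-it113 {
    local_addrs = 78.47.133.194
    remote_addrs = 194.59.156.244
  }
}
secrets {
  ike-psk {
    secret = 123Start$
  }
}"""
OPNSENSE = {"local_addrs": "194.59.156.244", "remote_addrs": "78.47.133.194",
            "psk": "123Start$", "tunnel_local": "10.82.247.1", "tunnel_remote": "10.82.247.2"}
STANZA_BUGGY = """iface vti20 inet static
  pre-up ip tunnel add vti10 local 78.47.133.194 remote 194.59.156.244 mode vti key 20
  address 10.82.247.2 peer 10.82.247.1
  post-up ip link set vti20 up
  post-up ip route add 10.80.0.0/14 via 10.82.247.1 dev vt20
  post-down ip tunnel del vti20"""
STANZA_FIXED = STANZA_BUGGY.replace("vti10", "vti20").replace("vt20", "vti20")

def parse_conf(text):
    """Parse the one-item-per-line swanctl.conf subset used on this page into nested dicts."""
    stack = [{}]                                 # stack[-1] is the section being filled
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):                   # open a (possibly nested) section
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":                        # close it
            stack.pop()
        elif "=" in line:                        # key = value
            key, _, val = line.partition("=")
            stack[-1][key.strip()] = val.strip()
    return stack[0]
def check(conf, opn, stanza):
    """Return mismatches between the Linux and OPNsense sides (empty list = consistent)."""
    conn = conf["connections"]["it114-it113"]
    problems = []
    if (conn["local_addrs"], conn["remote_addrs"]) != (opn["remote_addrs"], opn["local_addrs"]):
        problems.append("peer addresses are not mirrored")
    if conf["secrets"]["ike-psk"]["secret"] != opn["psk"]:
        problems.append("PSK differs")
    if re.search(r"address (\S+) peer (\S+)", stanza).groups() != (opn["tunnel_remote"], opn["tunnel_local"]):
        problems.append("tunnel addresses are not mirrored")
    names = set(re.findall(r"(?:iface|tunnel add|tunnel del|link set|dev) (\S+)", stanza))
    if len(names) != 1:                          # every command must name the same VTI device
        problems.append("interface names inconsistent: " + ", ".join(sorted(names)))
    return problems
```

Running `check(parse_conf(SWANCTL), OPNSENSE, STANZA_BUGGY)` reports the three different device names, while the corrected stanza yields an empty list.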