Strongswan-swanctl: strongSwan certificate-based IKEv2 site-to-site
Basics
fw3
Certificate locations
- The files must be in exactly these locations (swanctl loads private keys, end-entity certificates and CA certificates from these directories)
- find /etc/swanctl -type f
    /etc/swanctl/private/fw3.key
    /etc/swanctl/x509/fw3.crt
    /etc/swanctl/x509ca/ca.crt
Config
- /etc/swanctl/conf.d/swanctl.conf
    connections {
        net-cert {
            local_addrs = 10.82.227.112
            remote_addrs = 10.82.227.122
            local {
                auth = pubkey
                certs = fw3.crt
                id = "CN=fw3"
            }
            remote {
                auth = pubkey
                id = "CN=fw4"
            }
            children {
                net-2 {
                    local_ts = 192.168.112.0/24
                    remote_ts = 192.168.122.0/24
                    start_action = start
                    esp_proposals = aes256-sha256-modp4096
                }
            }
            version = 2
            proposals = aes256-sha256-modp4096
        }
    }
fw4
Certificate locations
- The files must be in exactly these locations
- find /etc/swanctl -type f
    /etc/swanctl/private/fw4.key
    /etc/swanctl/x509/fw4.crt
    /etc/swanctl/x509ca/ca.crt
Config
- /etc/swanctl/conf.d/swanctl.conf
    connections {
        net-cert {
            local_addrs = 10.82.227.122
            remote_addrs = 10.82.227.112
            local {
                auth = pubkey
                certs = fw4.crt
                id = "CN=fw4"
            }
            remote {
                auth = pubkey
                id = "CN=fw3"
            }
            children {
                net-2 {
                    local_ts = 192.168.122.0/24
                    remote_ts = 192.168.112.0/24
                    start_action = start
                    esp_proposals = aes256-sha256-modp4096
                }
            }
            version = 2
            proposals = aes256-sha256-modp4096
        }
    }
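The two peer configs above must be mirror images of each other (addresses, ids and traffic selectors swapped, proposals identical), and a single mismatch shows up only as a failed negotiation. The following is an added example, not code from this page or from the strongSwan project: a minimal parser for the swanctl.conf brace syntax and a cross-check between two peers. `peer_conf`, `parse_swanctl` and `check_peers` are names chosen here; `peer_conf` rebuilds the page's config layout from parameters as a constructed sample.

```python
def parse_swanctl(text):
    """Parse strongSwan's swanctl.conf brace syntax into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                     # "name {" opens a section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                          # "}" closes it
            cur = stack.pop()
        else:                                      # "key = value"
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip().strip('"')
    return root

def check_peers(a, b, conn="net-cert", child="net-2"):
    """Return mismatches between peer a and peer b (empty list = consistent)."""
    ca, cb = a["connections"][conn], b["connections"][conn]
    xa, xb = ca["children"][child], cb["children"][child]
    expectations = [  # (description, value on a, value that b must hold)
        ("a.local_addrs vs b.remote_addrs", ca["local_addrs"], cb["remote_addrs"]),
        ("a.remote_addrs vs b.local_addrs", ca["remote_addrs"], cb["local_addrs"]),
        ("a.local.id vs b.remote.id", ca["local"]["id"], cb["remote"]["id"]),
        ("a.remote.id vs b.local.id", ca["remote"]["id"], cb["local"]["id"]),
        ("a.local_ts vs b.remote_ts", xa["local_ts"], xb["remote_ts"]),
        ("a.remote_ts vs b.local_ts", xa["remote_ts"], xb["local_ts"]),
        ("IKE proposals", ca["proposals"], cb["proposals"]),
        ("ESP proposals", xa["esp_proposals"], xb["esp_proposals"]),
        ("IKE version", ca.get("version"), cb.get("version")),
    ]
    return [f"{what}: {x!r} != {y!r}" for what, x, y in expectations if x != y]

def peer_conf(me, peer, my_addr, peer_addr, my_net, peer_net):
    """Constructed sample: the swanctl.conf layout from this page for one peer."""
    return (f"connections {{\n net-cert {{\n  local_addrs = {my_addr}\n"
            f"  remote_addrs = {peer_addr}\n  local {{\n   auth = pubkey\n"
            f"   certs = {me}.crt\n   id = \"CN={me}\"\n  }}\n  remote {{\n"
            f"   auth = pubkey\n   id = \"CN={peer}\"\n  }}\n  children {{\n   net-2 {{\n"
            f"    local_ts = {my_net}\n    remote_ts = {peer_net}\n    start_action = start\n"
            f"    esp_proposals = aes256-sha256-modp4096\n   }}\n  }}\n  version = 2\n"
            f"  proposals = aes256-sha256-modp4096\n }}\n}}\n")

FW3 = parse_swanctl(peer_conf("fw3", "fw4", "10.82.227.112", "10.82.227.122",
                              "192.168.112.0/24", "192.168.122.0/24"))
FW4 = parse_swanctl(peer_conf("fw4", "fw3", "10.82.227.122", "10.82.227.112",
                              "192.168.122.0/24", "192.168.112.0/24"))
```

Run `check_peers(FW3, FW4)` against the two parsed files; an empty list means the peers mirror each other, anything else names the field that will make the CHILD_SA negotiation fail.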
Reload the configuration and start
- swanctl -q
    loaded certificate from '/etc/swanctl/x509/fw4.crt'
    loaded certificate from '/etc/swanctl/x509ca/ca.crt'
    loaded RSA key from '/etc/swanctl/private/fw4.key'
    no authorities found, 0 unloaded
    no pools found, 0 unloaded
    loaded connection 'net-cert'
    successfully loaded 1 connections, 0 unloaded
- swanctl --initiate --child net-2
    [IKE] establishing CHILD_SA net-2{8}
    [ENC] generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
    [NET] sending packet: from 10.82.227.122[4500] to 10.82.227.112[4500] (736 bytes)
    [NET] received packet: from 10.82.227.112[4500] to 10.82.227.122[4500] (736 bytes)
    [ENC] parsed CREATE_CHILD_SA response 5 [ SA No KE TSi TSr ]
    [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
    [IKE] CHILD_SA net-2{8} established with SPIs c82d7e3a_i c8947502_o and TS 192.168.122.0/24 === 192.168.112.0/24
    initiate completed successfully
Show certificates
- swanctl --list-certs
    List of X.509 End Entity Certificates

      subject:  "CN=fw4"
      issuer:   "CN=vpn-ca"
      validity:  not before Sep 05 14:06:40 2022, ok
                 not after  Sep 04 14:06:40 2024, ok (expires in 729 days)
      serial:    5d:7e:2c:c0:50:31:3b:7d:42:50:54:85:8b:65:96:f1:61:5c:66:b2
      flags:
      subjkeyId: 0d:32:e9:6f:4c:bd:a7:ae:74:84:49:f2:d4:2d:4b:53:23:11:ea:ae
      pubkey:    RSA 4096 bits, has private key
      keyid:     7e:dd:e5:ee:e1:47:38:81:48:c3:95:d2:bf:4a:06:8e:11:02:bf:bd
      subjkey:   0d:32:e9:6f:4c:bd:a7:ae:74:84:49:f2:d4:2d:4b:53:23:11:ea:ae

      subject:  "CN=fw3"
      issuer:   "CN=vpn-ca"
      validity:  not before Sep 05 14:05:48 2022, ok
                 not after  Sep 04 14:05:48 2024, ok (expires in 729 days)
      serial:    5d:7e:2c:c0:50:31:3b:7d:42:50:54:85:8b:65:96:f1:61:5c:66:b1
      flags:
      subjkeyId: c0:d3:25:aa:ae:04:c9:df:af:b2:65:bd:7e:5e:e0:e6:1b:f6:ad:4a
      pubkey:    RSA 4096 bits
      keyid:     e3:6f:06:40:92:16:4d:14:fe:56:b5:02:60:9f:e9:db:80:f5:1b:42
      subjkey:   c0:d3:25:aa:ae:04:c9:df:af:b2:65:bd:7e:5e:e0:e6:1b:f6:ad:4a

    List of X.509 CA Certificates

      subject:  "CN=vpn-ca"
      issuer:   "CN=vpn-ca"
      validity:  not before Sep 05 09:15:56 2022, ok
                 not after  Sep 02 09:15:56 2032, ok (expires in 3649 days)
      serial:    41:4f:7d:44:e7:80:5c:ce:35:ce:02:18:ce:f7:b0:b7:59:af:74:97
      flags:     CA self-signed
      authkeyId: 42:1c:d8:56:47:0c:ac:08:f7:74:a1:68:98:7c:57:3e:85:47:09:67
      subjkeyId: 42:1c:d8:56:47:0c:ac:08:f7:74:a1:68:98:7c:57:3e:85:47:09:67
      pubkey:    RSA 4096 bits
      keyid:     5b:f4:b2:37:45:66:bd:71:56:60:18:d6:74:1f:b8:29:dc:8b:f7:d2
      subjkey:   42:1c:d8:56:47:0c:ac:08:f7:74:a1:68:98:7c:57:3e:85:47:09:67