Strongswan IPSEC Linux SWANCTL PSK VTI - Security und Firewall Labor
Zur Navigation springen
Zur Suche springen
Installation
- apt update
- apt install strongswan strongswan-swanctl libstrongswan-extra-plugins
Voraussetzungen
- Beide Systeme: Linux mit strongswan und swanctl
- Linke Seite: LAN 172.16.101.0/24, VPN-IP 192.168.178.101
- Rechte Seite: LAN 172.16.102.0/24, VPN-IP 192.168.178.102
- Es wird ausschließlich VICI (swanctl) verwendet, keine ipsec.conf
Szenario
| Einstellung | links.lab.int | rechts.lab.int |
|---|---|---|
| IP Address | 192.168.178.101 | 192.168.178.102 |
| Internes Netz | 172.16.101.0/24 | 172.16.102.0/24 |
| Tunnel-IP (vti0) | 169.254.100.1 | 169.254.100.2 |
| Pre-Shared Key (PSK) | 123Start$ | |
| Phase 1 | AES256 – SHA256 – DH16 | |
| Phase 2 | AES256 – SHA256 – DH16 | |
VICI aktivieren
- vi /etc/strongswan.d/charon/vici.conf
load = yes
Damit die Verbindungen beim Start von charon geladen werden
- vi /etc/strongswan.conf
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
start-scripts {
load-all = /usr/sbin/swanctl --load-all
}
}
include strongswan.d/*.conf
VTI Module laden und reboot fähig machen
- modprobe -v ip_vti
- echo "ip_vti" >> /etc/modules
Konfiguration linke Seite (/etc/swanctl/swanctl.conf)
- vi /etc/swanctl/swanctl.conf
connections {
vti {
local_addrs = 192.168.178.101
remote_addrs = 192.168.178.102
local {
auth = psk
id = 192.168.178.101
}
remote {
auth = psk
id = 192.168.178.102
}
children {
vti-child {
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
mode = tunnel
start_action = trap
esp_proposals = aes256-sha256-modp4096
reqid = 10
dpd_action = clear
policies = no
vti {
interface_id = 10
mark_in = 10
mark_out = 10
}
}
}
version = 2
proposals = aes256-sha256-modp4096
}
}
secrets {
ike-psk {
id-1 = 192.168.178.101
id-2 = 192.168.178.102
secret = 123Start$
}
}
Konfiguration rechte Seite (/etc/swanctl/swanctl.conf)
- vi /etc/swanctl/swanctl.conf
connections {
vti {
local_addrs = 192.168.178.102
remote_addrs = 192.168.178.101
local {
auth = psk
id = 192.168.178.102
}
remote {
auth = psk
id = 192.168.178.101
}
children {
vti-child {
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
mode = tunnel
start_action = trap
esp_proposals = aes256-sha256-modp4096
reqid = 10
dpd_action = clear
policies = no
vti {
interface_id = 10
mark_in = 10
mark_out = 10
}
}
}
version = 2
proposals = aes256-sha256-modp4096
}
}
secrets {
ike-psk {
id-1 = 192.168.178.102
id-2 = 192.168.178.101
secret = 123Start$
}
}
Dienst starten
- systemctl enable strongswan-starter
- systemctl start strongswan-starter
- swanctl --load-all
Verbindung prüfen
- Listet alle geladenen Verbindungen aus swanctl.conf
- swanctl -L
- Zeigt aktive IKE- und CHILD-SAs, wenn der Tunnel aufgebaut ist
- swanctl -l
- Journalctl
- journalctl -u strongswan-starter
Fehlerbehandlung
- Falls beim Initiieren der Verbindung folgende Meldung erscheint
not establishing CHILD_SA ... due to existing duplicate Tunnel ist bereits aktiv. Prüfung mit:
- swanctl --list-sas
- Neuaufbau erzwingen mit
- swanctl --terminate --child vti-child
- swanctl --initiate --child vti-child