strongSwan IPsec on Linux with swanctl, PSK and XFRM interfaces - Security and Firewall Lab
Installation
- apt update
- apt install strongswan strongswan-swanctl libstrongswan-extra-plugins
Prerequisites
- Both systems: Linux with strongswan and swanctl installed
- Left side: LAN 172.16.101.0/24, VPN IP 192.168.178.101
- Right side: LAN 172.16.102.0/24, VPN IP 192.168.178.102
- Only VICI (swanctl) is used; there is no ipsec.conf
Scenario
| Setting | links.lab.int | rechts.lab.int |
|---|---|---|
| IP address | 192.168.178.101 | 192.168.178.102 |
| Internal network | 172.16.101.0/24 | 172.16.102.0/24 |
| Tunnel IP (ipsec0) | 169.254.100.1 | 169.254.100.2 |
| Pre-shared key (PSK) | 123Start$ | (identical on both sides) |
| Phase 1 | AES256 – SHA256 – DH16 | (identical on both sides) |
| Phase 2 | AES256 – SHA256 – DH16 | (identical on both sides) |
Enable VICI
- vi /etc/strongswan.d/charon/vici.conf
load = yes
So that the connections are loaded when charon starts:
- vi /etc/strongswan.conf
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    start-scripts {
        load-all = /usr/sbin/swanctl --load-all
    }
}
include strongswan.d/*.conf
Configuration, left side (/etc/swanctl/swanctl.conf)
- vi /etc/swanctl/swanctl.conf
connections {
    gw-gw {
        local_addrs = 192.168.178.101
        remote_addrs = 192.168.178.102
        local {
            auth = psk
            id = 192.168.178.101
        }
        remote {
            auth = psk
            id = 192.168.178.102
        }
        children {
            net-net {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_out = 10
                if_id_in = 10
                start_action = start
                esp_proposals = aes256-sha256-modp4096
            }
        }
        version = 2
        proposals = aes256-sha256-modp4096
    }
}
secrets {
    ike-psk {
        id-1 = 192.168.178.101
        id-2 = 192.168.178.102
        secret = 123Start$
    }
}
Configuration, right side (/etc/swanctl/swanctl.conf)
- vi /etc/swanctl/swanctl.conf
connections {
    gw-gw {
        local_addrs = 192.168.178.102
        remote_addrs = 192.168.178.101
        local {
            auth = psk
            id = 192.168.178.102
        }
        remote {
            auth = psk
            id = 192.168.178.101
        }
        children {
            net-net {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_out = 10
                if_id_in = 10
                start_action = start
                esp_proposals = aes256-sha256-modp4096
            }
        }
        version = 2
        proposals = aes256-sha256-modp4096
    }
}
secrets {
    ike-psk {
        id-1 = 192.168.178.102
        id-2 = 192.168.178.101
        secret = 123Start$
    }
}
Create the XFRM interface
Manually, for testing
- left
- ip link add ipsec0 type xfrm if_id 10
- ip link set ipsec0 up
- ip addr add 169.254.100.1/30 dev ipsec0
- ip route add 172.16.102.0/24 dev ipsec0
- right
- ip link add ipsec0 type xfrm if_id 10
- ip link set ipsec0 up
- ip addr add 169.254.100.2/30 dev ipsec0
- ip route add 172.16.101.0/24 dev ipsec0
Static and reboot-safe
- left
Entry in the interfaces file
- cat /etc/network/interfaces
auto ipsec0
iface ipsec0 inet static
    address 169.254.100.1/30
    pre-up ip link add ipsec0 type xfrm if_id 10
    post-up ip route add 172.16.102.0/24 dev ipsec0
- right
Entry in the interfaces file
- cat /etc/network/interfaces
auto ipsec0
iface ipsec0 inet static
    address 169.254.100.2/30
    pre-up ip link add ipsec0 type xfrm if_id 10
    post-up ip route add 172.16.101.0/24 dev ipsec0
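The two swanctl.conf files and the two interfaces stanzas are mirror images of each other, and the if_id on the XFRM interface has to agree with if_id_in/if_id_out in the CHILD_SA; a copied-but-not-swapped file is the usual reason a lab tunnel does not come up. The script below is an added example for this page, not part of the page's own procedure or of strongSwan: it cross-checks a pair of configs and interfaces files. The helper names, the --selftest switch and the sample files it writes are assumptions; the sample files are constructed from the values in the scenario table.

```shell
#!/bin/sh
# Added example (not from the page or strongSwan): cross-check the left/right
# swanctl.conf and /etc/network/interfaces files of the lab against each other.

# conf_get FILE KEY: value of the first "KEY = VALUE" line in a swanctl-style config
conf_get() {
    awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }' "$1"
}

# iface_if_id FILE: the if_id from the "pre-up ip link add ... type xfrm if_id N" line
iface_if_id() {
    sed -n 's/.*pre-up ip link add .* type xfrm if_id \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# check_side CONF IFACE_FILE: if_id_in/if_id_out must equal the interface's if_id
check_side() {
    out_id=$(conf_get "$1" if_id_out); in_id=$(conf_get "$1" if_id_in); if_id=$(iface_if_id "$2")
    if [ -z "$if_id" ]; then echo "$2: no 'pre-up ip link add ... type xfrm if_id' line"; return 1; fi
    if [ "$out_id" != "$if_id" ] || [ "$in_id" != "$if_id" ]; then
        echo "$1: if_id_out=$out_id if_id_in=$in_id, but $2 creates the interface with if_id $if_id"
        return 1
    fi
}

# check_pair LEFT_CONF RIGHT_CONF LEFT_IFACE RIGHT_IFACE: 0 if consistent, 1 otherwise
check_pair() {
    rc=0
    # local_addrs of one peer must be remote_addrs of the other
    [ "$(conf_get "$1" local_addrs)" = "$(conf_get "$2" remote_addrs)" ] || { echo "left local_addrs != right remote_addrs"; rc=1; }
    [ "$(conf_get "$2" local_addrs)" = "$(conf_get "$1" remote_addrs)" ] || { echo "right local_addrs != left remote_addrs"; rc=1; }
    # the PSK must be identical on both peers
    [ "$(conf_get "$1" secret)" = "$(conf_get "$2" secret)" ] || { echo "PSK differs between the peers"; rc=1; }
    check_side "$1" "$3" || rc=1
    check_side "$2" "$4" || rc=1
    return $rc
}

# write_sample_conf FILE LOCAL REMOTE IF_ID: constructed, reduced swanctl.conf
write_sample_conf() {
    cat > "$1" <<EOF
connections {
    gw-gw {
        local_addrs = $2
        remote_addrs = $3
        children {
            net-net {
                if_id_out = $4
                if_id_in = $4
            }
        }
    }
}
secrets {
    ike-psk {
        id-1 = $2
        id-2 = $3
        secret = 123Start\$
    }
}
EOF
}

# make_sample_dir: writes constructed copies of both sides into a temp dir, prints its path
make_sample_dir() {
    d=$(mktemp -d)
    write_sample_conf "$d/left.conf" 192.168.178.101 192.168.178.102 10
    write_sample_conf "$d/right.conf" 192.168.178.102 192.168.178.101 10
    printf 'auto ipsec0\niface ipsec0 inet static\n    address 169.254.100.1/30\n    pre-up ip link add ipsec0 type xfrm if_id 10\n' > "$d/left.interfaces"
    printf 'auto ipsec0\niface ipsec0 inet static\n    address 169.254.100.2/30\n    pre-up ip link add ipsec0 type xfrm if_id 10\n' > "$d/right.interfaces"
    echo "$d"
}

# Usage on a lab host, with the peer's two files copied over (paths are examples):
#   check_pair /etc/swanctl/swanctl.conf peer-swanctl.conf /etc/network/interfaces peer-interfaces
# Run with --selftest to exercise the checks against the constructed sample files.
if [ "${1:-}" = "--selftest" ]; then
    d=$(make_sample_dir)
    check_pair "$d/left.conf" "$d/right.conf" "$d/left.interfaces" "$d/right.interfaces" && echo "sample configuration is consistent"
fi
```

The checks are deliberately simple (first occurrence of a key, whitespace-separated), which is enough for the two-file lab layout above; a swanctl.conf with several connections would need a real section-aware parser.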
Start the service
- systemctl enable strongswan-starter
- systemctl start strongswan-starter
- swanctl --load-all
Check the connection
- Lists all connections loaded from swanctl.conf
- swanctl -L
- Shows the active IKE and CHILD SAs once the tunnel is up
- swanctl -l
- Daemon log via journalctl
- journalctl -u strongswan-starter
Troubleshooting
- If the following message appears when initiating the connection:
not establishing CHILD_SA ... due to existing duplicate
the tunnel is already active. Check with:
- swanctl -l
- Force a rebuild with
- swanctl -t -c net-net
- swanctl -i -c net-net
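Reading swanctl -l by eye confirms that something is up, but not that what was negotiated is what the scenario table intends. The script below is an added example for this page, not part of the page's procedure or of strongSwan: it checks the output of swanctl --list-sas for an ESTABLISHED IKE_SA, an INSTALLED CHILD_SA, the expected AES256/SHA256/MODP_4096 (DH16) proposals, and reports a CHILD_SA that is installed more than once, which is the situation behind the "existing duplicate" message above. The function and switch names are assumptions, and the sample output is constructed to approximate the swanctl output format of strongSwan 5.x.

```shell
#!/bin/sh
# Added example (not from the page or strongSwan): verify a swanctl --list-sas
# dump against the proposals the lab intends and flag duplicate CHILD_SAs.

# Phase 1 / Phase 2 from the scenario table: AES256 - SHA256 - DH16 (MODP_4096)
EXPECTED_IKE='AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096'
EXPECTED_ESP='ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_4096'

# check_sas IKE_NAME CHILD_NAME  < swanctl-output
# returns 0 when everything matches; otherwise prints what is wrong and returns 1
check_sas() {
    ike="$1"; child="$2"; rc=0
    sas=$(cat)
    if ! printf '%s\n' "$sas" | grep -q "^$ike: #[0-9]*, ESTABLISHED,"; then
        echo "IKE_SA $ike is not ESTABLISHED"; rc=1
    fi
    if ! printf '%s\n' "$sas" | grep -Fq "$EXPECTED_IKE"; then
        echo "IKE_SA $ike did not negotiate $EXPECTED_IKE"; rc=1
    fi
    # number of installed instances of the child: 0 = down, 1 = good, >1 = duplicate
    n=$(printf '%s\n' "$sas" | grep -c "^ *$child: #[0-9]*, reqid [0-9]*, INSTALLED," || true)
    case "$n" in
        0) echo "CHILD_SA $child is not INSTALLED"; rc=1 ;;
        1) ;;
        *) echo "CHILD_SA $child is installed $n times (duplicate); terminate it before initiating again"; rc=1 ;;
    esac
    if ! printf '%s\n' "$sas" | grep -Fq "$EXPECTED_ESP"; then
        echo "CHILD_SA $child did not negotiate $EXPECTED_ESP"; rc=1
    fi
    return $rc
}

# Constructed sample of swanctl --list-sas output for a healthy lab tunnel
sample_ok() {
cat <<'EOF'
gw-gw: #1, ESTABLISHED, IKEv2, 5a2c9f1e3b7d4e6f_i* 9c8b7a6f5e4d3c2b_r
  local  '192.168.178.101' @ 192.168.178.101[500]
  remote '192.168.178.102' @ 192.168.178.102[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
  established 12s ago, rekeying in 13513s
  net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_4096
    installed 12s ago, rekeying in 3312s, expires in 3948s
    in  c1234567,      0 bytes,     0 packets
    out c7654321,      0 bytes,     0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
EOF
}

# Constructed sample with the same CHILD_SA installed twice
sample_duplicate() {
    sample_ok
    sample_ok | grep '^  net-net: #1,' | sed 's/#1,/#2,/'
}

# --live checks the running daemon; --selftest runs the constructed samples
case "${1:-}" in
    --live)     swanctl --list-sas | check_sas "${2:-gw-gw}" "${3:-net-net}" ;;
    --selftest) sample_ok | check_sas gw-gw net-net && echo "constructed sample: tunnel healthy"
                sample_duplicate | check_sas gw-gw net-net || echo "constructed sample: duplicate detected" ;;
esac
```

Running it with --live after swanctl -i -c net-net gives a quick yes/no for the scenario table; a negotiated MODP_2048 or a second net-net instance shows up as an explicit line instead of having to be spotted in the listing.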