Strongswan zu strongswan ikev1 site to site vti: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
(Die Seite wurde neu angelegt: „=IPsec-VTI mit StrongSwan und swanctl unter Debian= ==Szenario== {| class="wikitable" ! Einstellung !! deb113 !! deb114 |- | '''WAN-IP''' || 192.168.6.113 ||…“)
 
Zeile 78: Zeile 78:
  
 
===deb113===
 
===deb113===
 +
 
<pre>
 
<pre>
 
connections {
 
connections {
 
   it113-it114 {
 
   it113-it114 {
    version = 2
 
    proposals = aes256-sha256-modp4096
 
 
     local_addrs = 192.168.6.113
 
     local_addrs = 192.168.6.113
 
     remote_addrs = 192.168.6.114
 
     remote_addrs = 192.168.6.114
Zeile 98: Zeile 97:
 
         remote_ts = 0.0.0.0/0
 
         remote_ts = 0.0.0.0/0
 
         esp_proposals = aes256-sha256-modp4096
 
         esp_proposals = aes256-sha256-modp4096
        mode = tunnel
 
        start_action = trap
 
        dpd_action = clear
 
        reqid = 10
 
 
         policies = no
 
         policies = no
 
         updown = /usr/lib/ipsec/_updown_vti
 
         updown = /usr/lib/ipsec/_updown_vti
 
       }
 
       }
 
     }
 
     }
 
    send_cert = never
 
    mobike = no
 
 
   }
 
   }
 
}
 
}
Zeile 118: Zeile 110:
 
     secret = "123Start$"
 
     secret = "123Start$"
 
   }
 
   }
 +
}
 +
</pre>
 +
 +
===/etc/strongswan.d/charon.conf===
 +
<pre>
 +
charon {
 +
  install_routes = no
 +
  install_virtual_ip = no
 
}
 
}
 
</pre>
 
</pre>

Version vom 4. April 2025, 15:18 Uhr

IPsec-VTI mit StrongSwan und swanctl unter Debian

Szenario

Einstellung deb113 deb114
WAN-IP 192.168.6.113 192.168.6.114
Tunnel-IP 169.254.100.1 169.254.100.2
Internes Netz 172.16.113.0/24 172.16.114.0/24
PSK 123Start$

Pakete installieren

  • apt install strongswan-swanctl strongswan-charon

IP-Forwarding aktivieren

  • echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
  • sysctl -p

VTI-Setup-Skript erstellen

Datei: /usr/local/sbin/setup-vti.sh (auf beiden Seiten unterschiedlich)

deb113

#!/bin/bash
ip link add vti10 type vti local 192.168.6.113 remote 192.168.6.114 key 10
ip addr add 169.254.100.1/30 dev vti10
ip link set vti10 up
ip route add 172.16.114.0/24 dev vti10

deb114

#!/bin/bash
ip link add vti10 type vti local 192.168.6.114 remote 192.168.6.113 key 10
ip addr add 169.254.100.2/30 dev vti10
ip link set vti10 up
ip route add 172.16.113.0/24 dev vti10
  • chmod +x /usr/local/sbin/setup-vti.sh

Systemd-Unit für VTI

Datei: /etc/systemd/system/ipsec-vti10.service (identisch auf beiden Hosts) 

[Unit]
Description=VTI interface for IPsec (vti10)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/setup-vti.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
  • systemctl daemon-reexec
  • systemctl enable ipsec-vti10.service
  • systemctl start ipsec-vti10.service

strongswan.conf

Datei: /etc/strongswan.d/strongswan.conf 

charon {
  install_routes = no
  install_virtual_ip = no
}

swanctl.conf

Datei: /etc/swanctl/swanctl.conf

deb113

connections {
  it113-it114 {
    local_addrs = 192.168.6.113
    remote_addrs = 192.168.6.114

    local {
      id = 192.168.6.113
    }
    remote {
      id = 192.168.6.114
    }

    children {
      vti-child {
        local_ts = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
        esp_proposals = aes256-sha256-modp4096
        policies = no
        updown = /usr/lib/ipsec/_updown_vti
      }
    }
  }
}

secrets {
  ike-1 {
    id-1 = 192.168.6.113
    id-2 = 192.168.6.114
    secret = "123Start$"
  }
}

/etc/strongswan.d/charon.conf

charon {
  install_routes = no
  install_virtual_ip = no
}

deb114

connections {
  it114-it113 {
    version = 2
    proposals = aes256-sha256-modp4096
    local_addrs = 192.168.6.114
    remote_addrs = 192.168.6.113

    local {
      id = 192.168.6.114
    }
    remote {
      id = 192.168.6.113
    }

    children {
      vti-child {
        local_ts = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
        esp_proposals = aes256-sha256-modp4096
        mode = tunnel
        start_action = trap
        dpd_action = clear
        reqid = 10
        policies = no
        updown = /usr/lib/ipsec/_updown_vti
      }
    }

    send_cert = never
    mobike = no
  }
}

secrets {
  ike-1 {
    id-1 = 192.168.6.114
    id-2 = 192.168.6.113
    secret = "123Start$"
  }
}

Start und Prüfung

  • systemctl enable strongswan-swanctl
  • systemctl start strongswan-swanctl
  • swanctl --load-all
  • swanctl --initiate --child vti-child

Verbindung prüfen

  • ip a → vti10 muss IP haben
  • ping 172.16.114.1 → von deb113 aus
  • swanctl --list-sas → zeigt aktive Security Associations

Firewall-Hinweis

UDP-Port 500 und 4500 müssen auf beiden Seiten offen sein.

Hinweis

Die VTI-Interfaces werden über systemd automatisch eingerichtet. Der StrongSwan-Dienst übernimmt anschließend den Tunnelbetrieb. Routing erfolgt manuell über das VTI.

Links

Abgerufen von „http://wiki.ixheim.de/index.php?title=Strongswan_zu_strongswan_ikev1_site_to_site_vti&oldid=61065