Strongswan-swanctl zu strongswan psk ikev2 site to site
fw3
/etc/swanctl/conf.d/swanctl.conf
# fw3 side of an IKEv2 site-to-site tunnel to fw4, authenticated with a pre-shared key.
# Keep this file readable by root only: it contains the PSK in clear text.
connections {
    net {
        # Outer (tunnel endpoint) addresses; the same addresses are used as IKE identities below.
        local_addrs = 10.82.227.112
        remote_addrs = 10.82.227.122
        local {
            auth = psk
            id = 10.82.227.112
        }
        remote {
            auth = psk
            id = 10.82.227.122
        }
        children {
            net-1 {
                # Inner (protected) networks; these mirror remote_ts/local_ts in the fw4 config.
                local_ts = 192.168.112.0/24
                remote_ts = 192.168.122.0/24
                # Bring the CHILD_SA up as soon as the configuration is loaded.
                start_action = start
                # The DH group in the ESP proposal enables PFS for CHILD_SA (re)keying.
                esp_proposals = aes256-sha256-modp4096
            }
        }
        # IKEv2 only; no IKEv1 fallback.
        version = 2
        proposals = aes256-sha256-modp4096
    }
}
secrets {
    ike-net {
        # The id* entries select the peer identities this PSK is valid for;
        # the suffix after "id" is arbitrary, only the values matter.
        id-fw3 = 10.82.227.112
        id-fw4 = 10.82.227.122
        # NOTE(review): a short dictionary word is a weak PSK and is exposed to offline
        # guessing; replace it with a long random value before using this outside a lab.
        secret = suxer
    }
}
fw4
/etc/swanctl/conf.d/swanctl.conf
# fw4 side of the IKEv2 site-to-site tunnel to fw3; this is the mirror image of the fw3
# configuration (local/remote swapped). Keep this file readable by root only.
connections {
    net {
        # Outer (tunnel endpoint) addresses; the same addresses are used as IKE identities below.
        local_addrs = 10.82.227.122
        remote_addrs = 10.82.227.112
        local {
            auth = psk
            id = 10.82.227.122
        }
        remote {
            auth = psk
            id = 10.82.227.112
        }
        children {
            net-1 {
                # Inner (protected) networks; these mirror remote_ts/local_ts in the fw3 config.
                local_ts = 192.168.122.0/24
                remote_ts = 192.168.112.0/24
                # Bring the CHILD_SA up as soon as the configuration is loaded.
                start_action = start
                # The DH group in the ESP proposal enables PFS for CHILD_SA (re)keying.
                esp_proposals = aes256-sha256-modp4096
            }
        }
        # IKEv2 only; no IKEv1 fallback.
        version = 2
        proposals = aes256-sha256-modp4096
    }
}
secrets {
    ike-net {
        # The id* entries select the peer identities this PSK is valid for;
        # the suffix after "id" is arbitrary, only the values matter. Both sides
        # must carry the identical secret.
        id-fw3 = 10.82.227.112
        id-fw4 = 10.82.227.122
        # NOTE(review): a short dictionary word is a weak PSK and is exposed to offline
        # guessing; replace it with a long random value before using this outside a lab.
        secret = suxer
    }
}
(re-)load credentials (required after every change to the secrets section)
- swanctl -s
loaded ike secret 'ike-net'
initiate a connection (note: the example output below was captured with different traffic selectors, 10.82.244.0/24 === 10.82.243.0/24; with the configuration above, expect the TS line to show 192.168.122.0/24 === 192.168.112.0/24)
- swanctl --initiate --child net-1
[IKE] establishing CHILD_SA net-1{4}
[ENC] generating CREATE_CHILD_SA request 9 [ SA No KE TSi TSr ]
[NET] sending packet: from 10.82.227.122[4500] to 10.82.227.112[4500] (736 bytes)
[NET] received packet: from 10.82.227.112[4500] to 10.82.227.122[4500] (736 bytes)
[ENC] parsed CREATE_CHILD_SA response 9 [ SA No KE TSi TSr ]
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
[IKE] CHILD_SA net-1{4} established with SPIs c0dc4962_i c4ef14af_o and TS 10.82.244.0/24 === 10.82.243.0/24
initiate completed successfully