Strongswan-swanctl: strongSwan IKEv2 site-to-site with certificates

From Xinux Wiki

Basics

fw3

Certificate locations

The files must be in exactly these locations: swanctl --load-all reads private keys from private/, the host certificate from x509/ and CA certificates from x509ca/, and `certs = fw3.crt` in the config is resolved relative to x509/. A key or certificate placed anywhere else is not loaded and the peer cannot authenticate.
  • find /etc/swanctl -type f
/etc/swanctl/private/fw3.key
/etc/swanctl/x509/fw3.crt
/etc/swanctl/x509ca/ca.crt

Config

  • /etc/swanctl/conf.d/swanctl.conf
connections {
   net-cert {
      local_addrs  = 10.82.227.112
      remote_addrs  = 10.82.227.122
      local {
         auth = pubkey
         certs = fw3.crt
         id = "CN=fw3"
      }
      remote {
         auth = pubkey
         id = "CN=fw4"
      }
      children {
         net-2 {
            local_ts  = 192.168.112.0/24
            remote_ts  = 192.168.122.0/24
            start_action = start
            esp_proposals = aes256-sha256-modp4096
         }
      }
      version = 2
      proposals = aes256-sha256-modp4096
   }
}

Note on the identities: with auth = pubkey the remote id is matched against the peer's certificate, so "CN=fw4" must be the exact subject DN (or a subjectAltName) of fw4.crt. The peer certificate must also chain to a CA in /etc/swanctl/x509ca. Because the remote block sets no cacerts, any CA found in that directory is accepted; keep only the one CA there, or pin it with `cacerts = ca.crt` in the remote block.

fw4

Certificate locations

The files must be in exactly these locations (same layout as on fw3):
  • find /etc/swanctl -type f
/etc/swanctl/private/fw4.key
/etc/swanctl/x509/fw4.crt
/etc/swanctl/x509ca/ca.crt

Config

  • /etc/swanctl/conf.d/swanctl.conf
connections {
   net-cert {
      local_addrs  = 10.82.227.122
      remote_addrs  = 10.82.227.112
      local {
         auth = pubkey
         certs = fw4.crt
         id = "CN=fw4"
      }
      remote {
         auth = pubkey
         id = "CN=fw3"
      }
      children {
         net-2 {
            local_ts  = 192.168.122.0/24
            remote_ts  = 192.168.112.0/24
            start_action = start
            esp_proposals = aes256-sha256-modp4096
         }
      }
      version = 2
      proposals = aes256-sha256-modp4096
   }
}
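The two configs above are hand-mirrored copies of each other, and a repeated or swapped key easily slips in when copying by hand. The following is an added example, not from the wiki page: a POSIX shell script that renders both peers' swanctl.conf from one parameter set and then checks that the two files mirror each other (local_addrs/remote_addrs, local_ts/remote_ts and the ids) and that no key that may occur only once is repeated. The hostnames, addresses and subnets are the page's; the helper names, the `cacerts = ca.crt` pin in the remote block and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Xinux wiki page): render both peers' swanctl.conf
# from one parameter set so the two sides stay exact mirror images, then check
# the result before copying it to /etc/swanctl/conf.d/swanctl.conf.
# Hostnames, addresses and subnets are the page's; helper names, the cacerts
# pin and the scratch directory are assumptions of this example.

# gen_peer_conf NAME LOCAL_ADDR REMOTE_ADDR REMOTE_NAME LOCAL_TS REMOTE_TS
# Prints a swanctl.conf for peer NAME (certificate NAME.crt, identity CN=NAME).
gen_peer_conf() {
    name=$1; local_addr=$2; remote_addr=$3; remote_name=$4; local_ts=$5; remote_ts=$6
    cat <<EOF
connections {
   net-cert {
      version = 2
      local_addrs  = $local_addr
      remote_addrs = $remote_addr
      proposals = aes256-sha256-modp4096
      local {
         auth = pubkey
         certs = $name.crt
         id = "CN=$name"
      }
      remote {
         auth = pubkey
         id = "CN=$remote_name"
         # accept only certificates issued by this CA from /etc/swanctl/x509ca
         # (assumption of this example; the page's config does not pin the CA)
         cacerts = ca.crt
      }
      children {
         net-2 {
            local_ts  = $local_ts
            remote_ts = $remote_ts
            esp_proposals = aes256-sha256-modp4096
            start_action = start
         }
      }
   }
}
EOF
}

# conf_values FILE KEY -> every value of "KEY = value" lines, in file order
conf_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# conf_value FILE KEY -> first value only
conf_value() {
    conf_values "$1" "$2" | head -n 1
}

# check_mirror FILE_A FILE_B: each side's local_* must equal the other's remote_*,
# and each side's local id must be the other side's remote id.
check_mirror() {
    for pair in local_addrs:remote_addrs local_ts:remote_ts; do
        l=${pair%%:*}; r=${pair#*:}
        [ "$(conf_value "$1" "$l")" = "$(conf_value "$2" "$r")" ] || { echo "$l/$r mismatch" >&2; return 1; }
        [ "$(conf_value "$2" "$l")" = "$(conf_value "$1" "$r")" ] || { echo "$l/$r mismatch" >&2; return 1; }
    done
    # the local block precedes the remote block, so id #1 is local and id #2 is remote
    [ "$(conf_values "$1" id | sed -n 1p)" = "$(conf_values "$2" id | sed -n 2p)" ] || { echo "id mismatch" >&2; return 1; }
    [ "$(conf_values "$2" id | sed -n 1p)" = "$(conf_values "$1" id | sed -n 2p)" ] || { echo "id mismatch" >&2; return 1; }
}

# check_single_keys FILE: these keys must occur exactly once; a duplicated
# start_action or a second local_ts is the classic copy-and-paste slip.
check_single_keys() {
    for key in version local_addrs remote_addrs proposals local_ts remote_ts esp_proposals start_action; do
        n=$(grep -cE "^[[:space:]]*$key[[:space:]]*=" "$1" || true)
        [ "$n" -eq 1 ] || { echo "$1: '$key' appears $n times" >&2; return 1; }
    done
}

# Render both sides into a scratch directory and check them.
WORK=$(mktemp -d)
gen_peer_conf fw3 10.82.227.112 10.82.227.122 fw4 192.168.112.0/24 192.168.122.0/24 > "$WORK/fw3.conf"
gen_peer_conf fw4 10.82.227.122 10.82.227.112 fw3 192.168.122.0/24 192.168.112.0/24 > "$WORK/fw4.conf"
check_mirror "$WORK/fw3.conf" "$WORK/fw4.conf" \
    && check_single_keys "$WORK/fw3.conf" && check_single_keys "$WORK/fw4.conf" \
    && echo "fw3/fw4 configs are consistent: $WORK/fw3.conf and $WORK/fw4.conf"
```

After copying the rendered file to /etc/swanctl/conf.d/swanctl.conf on each host, reload with swanctl --load-all; the checks only cover the two peers' consistency, not whether the certificates match the ids.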

Reload the config and start

-q is the short form of --load-all: it loads the keys and certificates from the directories above and the connections from swanctl.conf. The output below is from fw4.
  • swanctl -q
loaded certificate from '/etc/swanctl/x509/fw4.crt'
loaded certificate from '/etc/swanctl/x509ca/ca.crt'
loaded RSA key from '/etc/swanctl/private/fw4.key'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'net-cert'
successfully loaded 1 connections, 0 unloaded
  • swanctl --initiate --child net-2
[IKE] establishing CHILD_SA net-2{8}
[ENC] generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
[NET] sending packet: from 10.82.227.122[4500] to 10.82.227.112[4500] (736 bytes)
[NET] received packet: from 10.82.227.112[4500] to 10.82.227.122[4500] (736 bytes)
[ENC] parsed CREATE_CHILD_SA response 5 [ SA No KE TSi TSr ]
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
[IKE] CHILD_SA net-2{8} established with SPIs c82d7e3a_i c8947502_o and TS 192.168.122.0/24 === 192.168.112.0/24
initiate completed successfully

Because start_action = start is set, the CHILD_SA is already brought up when the config is loaded with swanctl -q. The manual --initiate above therefore runs as a CREATE_CHILD_SA exchange on the existing IKE_SA (request 5, net-2{8}) and adds another CHILD_SA alongside the existing one rather than replacing it. Check what is actually installed with swanctl --list-sas.
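Before trusting the tunnel, two things in that output deserve a check: the proposal the responder actually selected (it must be the configured aes256-sha256-modp4096, i.e. AES_CBC_256/HMAC_SHA2_256_128/MODP_4096) and the traffic selectors the CHILD_SA came up with, since an IKEv2 responder may narrow the TS to a subset of what was requested. The script below is an added example, not from the wiki page: it parses those two log lines and fails on any deviation. The first sample is the page's own --initiate output; the narrowed sample and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Xinux wiki page): verify the negotiated CHILD_SA
# from "swanctl --initiate" output. Checks the selected ESP proposal and the
# established traffic selectors against what swanctl.conf on fw4 asked for.
# Function names and the "narrowed" sample log are constructed here.

# Expected values for the fw4 side of the page's config.
EXPECTED_ESP="ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ"
EXPECTED_TS="192.168.122.0/24 === 192.168.112.0/24"

# selected_proposal: reads a log on stdin, prints the "[CFG] selected proposal:" value
selected_proposal() {
    sed -n 's/.*\[CFG\] selected proposal: //p' | head -n 1
}

# established_ts: reads a log on stdin, prints "local === remote" from the
# "CHILD_SA ... established with SPIs ... and TS ..." line
established_ts() {
    sed -n 's/.*established with SPIs .* and TS //p' | head -n 1
}

# check_child_sa: reads a log on stdin, exit 0 only if proposal and TS match
check_child_sa() {
    log=$(cat)
    prop=$(printf '%s\n' "$log" | selected_proposal)
    ts=$(printf '%s\n' "$log" | established_ts)
    [ "$prop" = "$EXPECTED_ESP" ] || { echo "proposal mismatch: got '${prop:-none}'" >&2; return 1; }
    [ "$ts" = "$EXPECTED_TS" ] || { echo "traffic selectors narrowed or changed: got '${ts:-none}'" >&2; return 1; }
    echo "CHILD_SA negotiated as configured: $prop, TS $ts"
}

# Sample 1: the page's own output of "swanctl --initiate --child net-2".
OK_LOG='[IKE] establishing CHILD_SA net-2{8}
[ENC] generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
[IKE] CHILD_SA net-2{8} established with SPIs c82d7e3a_i c8947502_o and TS 192.168.122.0/24 === 192.168.112.0/24
initiate completed successfully'

# Sample 2 (constructed): the responder narrowed the remote TS to a single host,
# which strongSwan reports as an established SA but with different selectors.
NARROWED_LOG='[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
[IKE] CHILD_SA net-2{9} established with SPIs c1a2b3c4_i c4d5e6f7_o and TS 192.168.122.0/24 === 192.168.112.10/32
initiate completed successfully'

# Demo runs on the samples; against a live daemon use:
#   swanctl --initiate --child net-2 2>&1 | check_child_sa
printf '%s\n' "$OK_LOG" | check_child_sa
printf '%s\n' "$NARROWED_LOG" | check_child_sa || echo "narrowed tunnel rejected" >&2
```

A narrowed TS means traffic outside the established selectors is silently not protected, so treat a failed check as a configuration mismatch between the two peers rather than a cosmetic difference.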