Roadwarrior (swanctl) zu strongSwan: IKEv2 mit Server-Zertifikat und EAP-MSCHAPv2-Authentifizierung (Hinweis: die Konfiguration unten nutzt `eap-mschapv2`, nicht EAP-AKA)
Grundlegendes
fw3
Cert Location (Zertifikatsablage)
- Die Dateien müssen genau in diesen swanctl-Verzeichnissen liegen (private/, x509/, x509ca/), damit sie beim Laden gefunden werden; der private Schlüssel fw3.key sollte nur für root lesbar sein (chmod 600)
- find /etc/swanctl -type f
/etc/swanctl/private/fw3.key
/etc/swanctl/x509/fw3.crt
/etc/swanctl/x509ca/ca.crt
Config
- /etc/swanctl/conf.d/roadwarrior.conf
connections {
    rw-eap {
        version = 2
        local_addrs = 10.82.227.112
        proposals = aes128-sha256-x25519

        # Gateway side: authenticate to clients with the fw3 certificate
        # (fw3.crt from /etc/swanctl/x509, key from /etc/swanctl/private).
        local {
            auth = pubkey
            certs = fw3.crt
            id = "CN=fw3"
        }

        # Client side: EAP-MSCHAPv2. The EAP identity presented by the client
        # is looked up in the secrets section (eap-carol / eap-dave below).
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }

        # Clients authenticate via EAP only, so no certificate request is sent.
        send_certreq = no

        children {
            net {
                local_ts = 192.168.112.0/24
                esp_proposals = aes128gcm128-x25519
                updown = /usr/local/libexec/ipsec/_updown iptables
            }
        }
    }
}
secrets {
    # EAP user database, stored in plaintext: keep this file readable by
    # root only (chmod 600). NOTE(review): these 8-character values are
    # demo-grade; MSCHAPv2 security rests on the secret, use long random
    # secrets in production.
    eap-carol {
        secret = Ar3etTnp
        id = carol
    }
    eap-dave {
        secret = W7R0g3do
        id = dave
    }
}
roadwarrior
Cert Location (Zertifikatsablage)
- Die Dateien müssen genau an diesen Stellen liegen
- find /etc/swanctl -type f
/etc/swanctl/x509ca/ca.crt
Config
- /etc/swanctl/conf.d/roadwarrior.conf
connections {
    home {
        version = 2
        local_addrs = 10.82.227.39
        remote_addrs = 10.82.227.112
        proposals = aes128-sha256-x25519

        # Roadwarrior authenticates with EAP; the identity must match an
        # entry in the gateway's secrets section.
        local {
            auth = eap
            eap_id = carol
        }

        # Gateway is verified by certificate: its identity must be CN=fw3 and
        # the certificate must chain to ca.crt in /etc/swanctl/x509ca.
        remote {
            auth = pubkey
            id = "CN=fw3"
        }

        children {
            home {
                remote_ts = 192.168.112.0/24
                esp_proposals = aes128gcm128-x25519
                updown = /usr/local/libexec/ipsec/_updown iptables
            }
        }
    }
}
secrets {
    # Plaintext EAP secret for this client; must match the gateway's
    # eap-carol entry. Keep the file root-only (chmod 600).
    eap-carol {
        secret = Ar3etTnp
        id = carol
    }
}
Init
- Nach Änderungen an der Konfiguration zuerst Verbindungen und Secrets laden: swanctl --load-all
- swanctl --initiate --child home
Roadwarrior Test
root@roadwarrior:~# ping -c 2 192.168.112.1
PING 192.168.112.1 (192.168.112.1) 56(84) bytes of data.
64 bytes from 192.168.112.1: icmp_seq=1 ttl=64 time=0.957 ms
64 bytes from 192.168.112.1: icmp_seq=2 ttl=64 time=0.872 ms