Route based (VTI) PSK setup - OPNsense vs. Linux
Version vom 10. April 2025, 15:29 Uhr von Thomas.will (Diskussion | Beiträge) (→Linux (it114): StrongSwan-Konfiguration mit VTI)
| Einstellung | OPNsense | Linux |
|---|---|---|
| IP Address | 194.59.156.244 | 78.47.133.194 |
| Tunnel IP | 10.82.247.1 | 10.82.247.2 |
| Internes Netz | 10.80.0.0/14 | 10.82.247.4/30 |
| Pre-Shared Key (PSK) | 123Start$ | |
| Phase 1 | AES256 – SHA256 – DH16 | |
| Phase 2 | AES256 – SHA256 – DH16 | |
Linux : StrongSwan-Konfiguration mit VTI
Pakete installieren
- apt install strongswan-swanctl
sysctl aktivieren
- echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-ipsec.conf
- echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
- echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
- sysctl -p /etc/sysctl.d/99-ipsec.conf
swanctl.conf
- vi /etc/swanctl/swanctl.conf
connections {
it114-it113 {
version = 2
local_addrs = 192.168.6.114
remote_addrs = 192.168.6.113
local {
id = 192.168.6.114
auth = psk
}
remote {
id = 192.168.6.113
auth = psk
}
children {
vti {
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
mode = tunnel
start_action = trap
esp_proposals = aes256-sha256-modp4096
reqid = 10
dpd_action = clear
policies = no
}
}
proposals = aes256-sha256-modp4096
mobike = no
}
}
secrets {
ike-psk {
id-1 = 192.168.6.114
id-2 = 192.168.6.113
secret = 123Start$
}
}
systemd-unit aktivieren
- systemctl enable strongswan-swanctl
- systemctl start strongswan-swanctl
VTI-Interface erstellen
- ip tunnel add vti10 local 192.168.6.114 remote 192.168.6.113 mode vti key 10
- ip link set vti10 up
- ip addr add 169.254.100.2/30 peer 169.254.100.1 dev vti10
Routing setzen
- ip route add 172.16.113.0/24 via 169.254.100.1 dev vti10
optional: persistent machen
- vi /etc/network/interfaces
Firewall öffnen
- iptables -A INPUT -p udp --dport 500 -j ACCEPT
- iptables -A INPUT -p udp --dport 4500 -j ACCEPT
- iptables -A INPUT -p esp -j ACCEPT