Route-based (VTI) PSK setup: OPNsense vs. Linux
Revision as of 10 April 2025, 15:33 by Thomas.will (→Create the VTI interface persistently)
Scenario
| Setting | OPNsense | Linux |
|---|---|---|
| IP address | 194.59.156.244 | 78.47.133.194 |
| Tunnel IP | 10.82.247.1 | 10.82.247.2 |
| Internal network | 10.80.0.0/14 | 10.82.247.4/30 |
| Pre-shared key (PSK) | 123Start$ | same (must be identical on both sides) |
| Phase 1 | AES256 – SHA256 – DH16 | same |
| Phase 2 | AES256 – SHA256 – DH16 (PFS) | same |
DH group 16 is `modp4096` in strongSwan proposal notation; DH16 in Phase 2 means PFS with that group, which is why the ESP proposal below carries `modp4096` as well. The PSK shown is only a placeholder: with PSK authentication the secret's entropy is all that stands between the IKE exchange and a guessing attack, so use a long random value (for example the output of `openssl rand -base64 32`) rather than a short password.
Linux: strongSwan configuration with VTI
Install packages
- apt install strongswan-swanctl
Enable sysctl settings
- echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-ipsec.conf
- echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
- echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
- sysctl -p /etc/sysctl.d/99-ipsec.conf
swanctl.conf
- vi /etc/swanctl/swanctl.conf (the file holds the PSK; keep it root-owned with mode 0600)
connections {
    it114-it113 {
        version = 2
        local_addrs = 78.47.133.194
        remote_addrs = 194.59.156.244
        local {
            id = 78.47.133.194
            auth = psk
        }
        remote {
            id = 194.59.156.244
            auth = psk
        }
        children {
            vti {
                # Route-based: the selectors are wide open, the routing table
                # decides what enters the VTI
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mode = tunnel
                start_action = trap
                # AES256 / SHA256 / DH16 (modp4096) with PFS, matching OPNsense Phase 2
                esp_proposals = aes256-sha256-modp4096
                reqid = 10
                # A Linux VTI selects its SAs by netfilter mark, not by reqid: these
                # values must equal the "key" given to "ip tunnel add ... mode vti key 10".
                # Do not add "policies = no" here; the VTI transmit path finds its SA
                # through the XFRM policy that carries this mark.
                mark_in = 10
                mark_out = 10
                dpd_action = clear
            }
        }
        # AES256 / SHA256 / DH16 (modp4096), matching OPNsense Phase 1
        proposals = aes256-sha256-modp4096
        # dpd_action in the child only takes effect once DPD is enabled here
        dpd_delay = 30s
        mobike = no
    }
}
secrets {
    ike-psk {
        id-1 = 78.47.133.194
        id-2 = 194.59.156.244
        secret = 123Start$
    }
}
Enable the systemd unit
The unit is called strongswan on current Debian/Ubuntu releases and strongswan-swanctl on older ones; `systemctl list-unit-files 'strongswan*'` shows which one the installed package provides.
- systemctl enable strongswan-swanctl
- systemctl start strongswan-swanctl
- swanctl --load-all (run again after every change to swanctl.conf)
- swanctl --list-sas (with start_action = trap the child only shows up once traffic towards the VTI has triggered it)
Create the VTI interface persistently
- vi /etc/network/interfaces
auto vti10
iface vti10 inet static
    # The stanza must name the tunnel that pre-up creates (vti10, not vti20), and the
    # key (10) must equal mark_in/mark_out of the swanctl child
    pre-up ip tunnel add vti10 local 78.47.133.194 remote 194.59.156.244 mode vti key 10
    address 10.82.247.2/30
    pointopoint 10.82.247.1
    # Without this the kernel drops packets forwarded from the VTI in the second policy
    # check, because the mark is no longer set at that point
    post-up sysctl -w net.ipv4.conf.vti10.disable_policy=1
    post-up ip link set vti10 up
    post-up ip route add 10.80.0.0/14 via 10.82.247.1 dev vti10
    post-down ip tunnel del vti10
Open the firewall
These rules only matter if the INPUT policy is DROP; restricting them to the peer address keeps IKE and ESP closed to everyone else. Decapsulated traffic leaves vti10 as plain packets and passes the FORWARD chain, so a DROP policy there needs rules for vti10 as well. iptables rules are not persistent across reboots; save them with iptables-persistent or move them into your nftables ruleset.
- iptables -A INPUT -p udp -s 194.59.156.244 --dport 500 -j ACCEPT
- iptables -A INPUT -p udp -s 194.59.156.244 --dport 4500 -j ACCEPT
- iptables -A INPUT -p esp -s 194.59.156.244 -j ACCEPT
- iptables -A FORWARD -i vti10 -j ACCEPT
- iptables -A FORWARD -o vti10 -j ACCEPT
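The two files written above fail in ways that produce no error at edit time: a VTI key that differs from the child's mark, an `iface` stanza naming an interface other than the one `pre-up` creates, or `policies = no` in the child. The following shell script is an added example (my code, not from the page or the strongSwan project) that lints swanctl.conf and /etc/network/interfaces for exactly these mismatches before the service is started; the function names and the `--run` flag are my own choices, and the paths default to the ones used on this page.

```shell
#!/usr/bin/env bash
# Consistency check for a strongSwan VTI setup (added example, not part of the page):
#  - mark_in/mark_out of the swanctl child must equal the VTI key
#  - the "iface" stanza must configure the tunnel that "ip tunnel add" creates
#  - "policies = no" must not be set, the VTI needs the marked XFRM policy
set -u

# Value of a top-level-looking swanctl option, e.g. "mark_out = 10" -> "10".
swanctl_opt() {  # $1 = file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n1
}

# Interface names from "iface <name> inet ..." stanzas.
iface_names() { awk '$1=="iface"{print $2}' "$1"; }
# Tunnel name and VTI key from the "pre-up ip tunnel add ... mode vti key N" line.
tunnel_name() { sed -n 's/.*ip tunnel add \([^[:space:]]*\).*/\1/p' "$1" | head -n1; }
tunnel_key()  { sed -n 's/.*ip tunnel add .*mode vti.*key \([0-9]*\).*/\1/p' "$1" | head -n1; }

# check_vti_setup SWANCTL_CONF INTERFACES_FILE
# Returns 0 when the two files agree; otherwise prints each problem and returns 1.
check_vti_setup() {
    local conf=$1 netfile=$2 rc=0
    local mi mo tn tk
    mi=$(swanctl_opt "$conf" mark_in)
    mo=$(swanctl_opt "$conf" mark_out)
    tn=$(tunnel_name "$netfile")
    tk=$(tunnel_key "$netfile")

    if [ -z "$tk" ]; then
        echo "no 'ip tunnel add ... mode vti key N' line in $netfile"; rc=1
    fi
    if [ -z "$mi" ] || [ -z "$mo" ]; then
        echo "child has no mark_in/mark_out: a Linux VTI selects SAs by mark, reqid is not enough"; rc=1
    elif [ "$mi" != "$tk" ] || [ "$mo" != "$tk" ]; then
        echo "mark_in=$mi mark_out=$mo do not match VTI key $tk"; rc=1
    fi
    if [ -n "$tn" ] && ! iface_names "$netfile" | grep -qx "$tn"; then
        echo "tunnel $tn is created in pre-up, but no 'iface $tn' stanza configures it"; rc=1
    fi
    if grep -Eq '^[[:space:]]*policies[[:space:]]*=[[:space:]]*no' "$conf"; then
        echo "policies = no: the VTI transmit path needs the marked XFRM policy to find its SA"; rc=1
    fi
    return $rc
}

# Run against the live system: ./check-vti.sh --run [swanctl.conf] [interfaces]
if [ "${1:-}" = "--run" ]; then
    check_vti_setup "${2:-/etc/swanctl/swanctl.conf}" "${3:-/etc/network/interfaces}"
fi
```

Run it after editing both files and before `swanctl --load-all`; a non-zero exit lists every mismatch found, so a renamed interface and a forgotten mark are reported together instead of being discovered one tunnel restart at a time.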