Route-based (VTI) PSK setup - OPNsense vs. Linux

From Xinux Wiki

Scenario

Setting               OPNsense                 Linux
IP address            194.59.156.244           78.47.133.194
Tunnel IP             10.82.247.1              10.82.247.2
Internal network      10.80.0.0/14             10.82.247.4/30
Pre-shared key (PSK)  123Start$
Phase 1               AES256 – SHA256 – DH16
Phase 2               AES256 – SHA256 – DH16

Linux: strongSwan configuration with VTI

Install packages

  • apt install strongswan-swanctl

Enable sysctl settings

  • echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-ipsec.conf
  • echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
  • echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
  • sysctl -p /etc/sysctl.d/99-ipsec.conf

swanctl.conf

  • vi /etc/swanctl/swanctl.conf
connections {
  it114-it113 {
    version = 2                                  # IKEv2
    local_addrs  = 78.47.133.194                 # Linux WAN address
    remote_addrs = 194.59.156.244                # OPNsense WAN address

    local {
      id = 78.47.133.194
      auth = psk
    }
    remote {
      id = 194.59.156.244
      auth = psk
    }

    children {
      vti {
        # Route-based setup: catch-all traffic selectors; what enters the
        # tunnel is decided by the routing table over the VTI interface.
        local_ts  = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
        mode = tunnel
        start_action = trap
        esp_proposals = aes256-sha256-modp4096   # Phase 2: AES256 - SHA256 - DH16 (PFS)
        reqid = 10                               # same number as the VTI tunnel key
        dpd_action = clear
        policies = no                            # do not install IPsec policies
      }
    }

    proposals = aes256-sha256-modp4096           # Phase 1: AES256 - SHA256 - DH16
    mobike = no
  }
}

secrets {
  ike-psk {
    # One PSK bound to the pair of IKE identities used above
    id-1 = 78.47.133.194
    id-2 = 194.59.156.244
    secret = 123Start$
  }
}

Enable the systemd unit

  • systemctl enable strongswan-swanctl
  • systemctl start strongswan-swanctl

Create the VTI interface persistently

  • vi /etc/network/interfaces
auto vti10
iface vti10 inet static
    # Interface name, key (= reqid 10 in swanctl.conf) and endpoints must match the scenario table
    pre-up ip tunnel add vti10 local 78.47.133.194 remote 194.59.156.244 mode vti key 10
    address 10.82.247.2 peer 10.82.247.1
    netmask 255.255.255.252
    post-up ip link set vti10 up
    # Route the OPNsense-side internal network through the tunnel
    post-up ip route add 10.80.0.0/14 via 10.82.247.1 dev vti10
    post-down ip tunnel del vti10

Open the firewall

  • iptables -A INPUT -p udp --dport 500 -j ACCEPT
  • iptables -A INPUT -p udp --dport 4500 -j ACCEPT
  • iptables -A INPUT -p esp -j ACCEPT
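As an added check that is not part of the wiki page: the script below verifies the Linux side after the steps above by parsing `swanctl --list-sas` output and comparing it against the scenario parameters (connection name, reqid/VTI key, Phase 1 and Phase 2 suites). The swanctl output is a constructed sample so it runs offline; the variable and helper names are my own.

```shell
#!/bin/sh
# Added example, not from the wiki: read-only sanity check of the Linux side.
# Expected values come from the scenario table; the swanctl output below is a
# constructed stand-in so the script runs offline.
CONN=it114-it113
CHILD=vti
VTI_KEY=10
WANT_IKE='AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096'
WANT_ESP='AES_CBC-256/HMAC_SHA2_256_128/MODP_4096'

# Constructed sample in the layout of `swanctl --list-sas`; on the real host
# use:  SAS=$(swanctl --list-sas)
sample_sas() {
cat <<'EOF'
it114-it113: #1, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  '78.47.133.194' @ 78.47.133.194[500]
  remote '194.59.156.244' @ 194.59.156.244[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
  established 120s ago, rekeying in 13260s
  vti: #1, reqid 10, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_4096
    local  0.0.0.0/0
    remote 0.0.0.0/0
EOF
}

# Each helper reads swanctl text on stdin and prints a single field.
ike_state()   { sed -n "s/^$CONN: #[0-9]*, \([A-Z_]*\),.*/\1/p" | head -n 1; }
ike_algs()    { grep 'PRF_' | head -n 1 | sed 's/^ *//'; }
child_state() { sed -n "s/^  $CHILD: #[0-9]*, reqid [0-9]*, \([A-Z_]*\),.*/\1/p" | head -n 1; }
child_reqid() { sed -n "s/^  $CHILD: #[0-9]*, reqid \([0-9]*\),.*/\1/p" | head -n 1; }
child_esp()   { sed -n "s/^  $CHILD: .*ESP:\([^ ]*\).*/\1/p" | head -n 1; }

# Returns 0 when IKE_SA and CHILD_SA are up with the scenario's parameters,
# 1 otherwise (one line per mismatch on stdout).
check_tunnel() {
  sas=$1; rc=0
  st=$(printf '%s\n' "$sas" | ike_state)
  [ "$st" = ESTABLISHED ] || { echo "IKE_SA $CONN: '$st', expected ESTABLISHED"; rc=1; }
  alg=$(printf '%s\n' "$sas" | ike_algs)
  [ "$alg" = "$WANT_IKE" ] || { echo "IKE algorithms: '$alg', expected $WANT_IKE"; rc=1; }
  cs=$(printf '%s\n' "$sas" | child_state)
  [ "$cs" = INSTALLED ] || { echo "CHILD_SA $CHILD: '$cs', expected INSTALLED"; rc=1; }
  rq=$(printf '%s\n' "$sas" | child_reqid)
  [ "$rq" = "$VTI_KEY" ] || { echo "CHILD_SA reqid '$rq' != VTI key $VTI_KEY"; rc=1; }
  esp=$(printf '%s\n' "$sas" | child_esp)
  [ "$esp" = "$WANT_ESP" ] || { echo "ESP transform: '$esp', expected $WANT_ESP"; rc=1; }
  return $rc
}

check_tunnel "$(sample_sas)" && echo "tunnel $CONN/$CHILD matches the scenario"
```

On a live host, replace the sample with real `swanctl --list-sas` output and pair it with `ip -d link show vti10` to confirm the tunnel key is 10.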

OPNsense: strongSwan configuration with VTI

VPN: IPsec: Pre-Shared Keys

opnsense.it113.int PSK

Setting            Value
Local Identifier   192.168.6.113
Remote Identifier  192.168.6.114
Pre-Shared Key     123Start$
Type               PSK
Description