Szenario
| Einstellung |
OPNsense |
Linux
|
| IP Address |
194.59.156.244 |
78.47.133.194
|
| Tunnel IP |
10.82.247.1 |
10.82.247.2
|
| Internes Netz |
10.80.0.0/14 |
10.82.247.4/30
|
| Pre-Shared Key (PSK) |
123Start$
|
| Phase 1 |
AES256 – SHA256 – DH16
|
| Phase 2 |
AES256 – SHA256 – DH16
|
Linux : StrongSwan-Konfiguration mit VTI
Pakete installieren
- apt install strongswan-swanctl
sysctl aktivieren
- echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-ipsec.conf
- echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
- echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
- sysctl -p /etc/sysctl.d/99-ipsec.conf
swanctl.conf
- vi /etc/swanctl/swanctl.conf
connections {
it114-it113 {
version = 2
local_addrs = 78.47.133.194
remote_addrs = 194.59.156.244
local {
id = 78.47.133.194
auth = psk
}
remote {
id = 194.59.156.244
auth = psk
}
children {
vti {
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
mode = tunnel
start_action = trap
esp_proposals = aes256-sha256-modp4096
reqid = 10
dpd_action = clear
policies = no
}
}
proposals = aes256-sha256-modp4096
mobike = no
}
}
secrets {
ike-psk {
id-1 = 78.47.133.194
id-2 = 194.59.156.244
secret = 123Start$
}
}
systemd-unit aktivieren
- systemctl enable strongswan-swanctl
- systemctl start strongswan-swanctl
VTI-Interface persistent erstellen
- vi /etc/network/interfaces
auto vti20
iface vti20 inet static
pre-up ip tunnel add vti10 local 78.47.133.194 remote 194.59.156.244 mode vti key 10
address 10.82.247.2 peer 10.82.247.1
netmask 255.255.255.252
post-up ip link set vti10 up
post-up ip route add 10.80.0.0/14 via 10.82.247.1 dev vti10
post-down ip tunnel del vti10
Firewall öffnen
- iptables -A INPUT -p udp --dport 500 -j ACCEPT
- iptables -A INPUT -p udp --dport 4500 -j ACCEPT
- iptables -A INPUT -p esp -j ACCEPT
OPNsense : StrongSwan-Konfiguration mit VTI
VPN: IPsec: Pre-Shared Keys
opnsense.it113.int PSK
| Einstellung |
Wert
|
| Local Identifier |
192.168.6.113
|
| Remote Identifier |
192.168.6.114
|
| Pre-Shared Key |
123Start$
|
| Type |
PSK
|
| Description |
–
|
VPN: IPsec: Virtual Tunnel Interfaces
opnsense.it113.int VTI
| Einstellung |
Wert
|
| Enabled |
aktiviert (✓)
|
| Reqid |
10
|
| Local address |
192.168.6.113
|
| Remote address |
192.168.6.114
|
| Tunnel local address |
169.254.100.1
|
| Tunnel remote address |
169.254.100.2
|
| Tunnel secondary local address |
–
|
| Tunnel secondary remote address |
–
|
| Name |
IPSEC10
|
opnsense.it113.int Connections
| Einstellung |
Wert
|
| Enabled |
aktiviert (✓)
|
| Proposals |
default
|
| Version |
IKEv2
|
| MOBIKE |
deaktiviert
|
| Local addresses |
192.168.6.113
|
| Remote addresses |
192.168.6.114
|
| DPD delay (s) |
–
|
| Pools |
Nothing selected
|
| Description |
–
|
opnsense.it113.int Connections
| Einstellung |
Wert
|
| Enabled |
aktiviert (✓)
|
| Proposals |
default
|
| Version |
IKEv2
|
| MOBIKE |
deaktiviert
|
| Local addresses |
192.168.6.113
|
| Remote addresses |
192.168.6.114
|
| DPD delay (s) |
–
|
| Pools |
Nothing selected
|
| Description |
–
|
opnsense.it113.int Connections
| Einstellung |
Wert
|
| Enabled |
aktiviert (✓)
|
| Proposals |
default
|
| Version |
IKEv2
|
| MOBIKE |
deaktiviert
|
| Local addresses |
192.168.6.113
|
| Remote addresses |
192.168.6.114
|
| DPD delay (s) |
–
|
| Pools |
Nothing selected
|
| Description |
–
|