Route based (VTI) PSK setup - OPNsense vs. Linux

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen

Szenario

Einstellung OPNsense Linux
IP Address 194.59.156.244 78.47.133.194
Tunnel IP 10.82.247.1 10.82.247.2
Internes Netz 10.80.0.0/14 10.82.247.4/30
Pre-Shared Key (PSK) 123Start$
Phase 1 AES256 – SHA256 – DH16
Phase 2 AES256 – SHA256 – DH16

Linux : StrongSwan-Konfiguration mit VTI

Pakete installieren

  • apt install strongswan-swanctl charon-systemd libcharon-extra-plugins

sysctl aktivieren

  • echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-ipsec.conf
  • echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
  • echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-ipsec.conf
  • sysctl -p /etc/sysctl.d/99-ipsec.conf

swanctl.conf

  • mkdir -p /etc/swanctl
  • vi /etc/swanctl/swanctl.conf
connections {
  it114-it113 {
    version = 2
    local_addrs  = 78.47.133.194
    remote_addrs = 194.59.156.244

    local {
      id = 78.47.133.194
      auth = psk
    }
    remote {
      id = 194.59.156.244
      auth = psk
    }

    children {
      vti {
        local_ts  = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
        mode = tunnel
        start_action = trap
        esp_proposals = aes256-sha256-modp4096
        reqid = 10
        dpd_action = clear
        policies = no
      }
    }

    proposals = aes256-sha256-modp4096
    mobike = no
  }
}

secrets {
  ike-psk {
    id-1 = 78.47.133.194
    id-2 = 194.59.156.244
    secret = 123Start$
  }
}

systemd-unit aktivieren

  • systemctl enable strongswan
  • systemctl start strongswan
  • swanctl --load-all

VTI-Interface persistent erstellen

  • vi /etc/network/interfaces
auto vti10
iface vti10 inet static
    pre-up ip tunnel add vti10 local 78.47.133.194 remote 194.59.156.244 mode vti key 10
    address 10.82.247.2 peer 10.82.247.1
    netmask 255.255.255.252
    post-up ip link set vti10 up
    post-up ip route add 10.80.0.0/14 via 10.82.247.1 dev vti10
    post-down ip tunnel del vti10

Firewall öffnen

  • iptables -A INPUT -p udp --dport 500 -j ACCEPT
  • iptables -A INPUT -p udp --dport 4500 -j ACCEPT
  • iptables -A INPUT -p esp -j ACCEPT

OPNsense : StrongSwan-Konfiguration mit VTI

VPN: IPsec: Pre-Shared Keys

Einstellung Wert
Local Identifier 194.59.156.244
Remote Identifier 78.47.133.194
Pre-Shared Key 123Start$
Type PSK
Description

VPN: IPsec: Virtual Tunnel Interfaces

Einstellung Wert
Enabled aktiviert (✓)
Reqid 10
Local address 194.59.156.244
Remote address 78.47.133.194
Tunnel local address 10.82.247.1
Tunnel remote address 10.82.247.2
Name IPSEC10

VPN: IPsec: Connections

Einstellung Wert
Enabled aktiviert (✓)
Proposals default
Version IKEv2
MOBIKE deaktiviert
Local addresses 194.59.156.244
Remote addresses 78.47.133.194

Authentication

Local

Einstellung Wert
Authentication Pre-Shared Key
Id 194.59.156.244

Remote

Einstellung Wert
Authentication Pre-Shared Key
Id 78.47.133.194

Children

Einstellung Wert
Mode Tunnel
Policies deaktiviert
Start action Trap
DPD action Clear
Reqid 10
ESP Proposals aes256-sha256-modp4096
Local 0.0.0.0/0
Remote 0.0.0.0/0

System: Gateways: Configuration

Einstellung Wert
Name IPSEC10_GW
Interface IPSEC10
IP Address 10.82.247.2
Disable Gateway Monitoring aktiviert (✓)

System: Routes: Configuration

Einstellung Wert
Network Address 10.82.247.4/30
Gateway IPSEC10_GW – 10.82.247.2
Description Route zu Linux über VTI
Abgerufen von „http://wiki.ixheim.de/index.php?title=Route_based_(VTI)_PSK_setup_-_OPNsense_vs._Linux&oldid=61354