Diffstat (limited to 'extras/strongswan/configs/responder_vrf')
-rw-r--r--extras/strongswan/configs/responder_vrf/ipsec.secrets1
-rw-r--r--extras/strongswan/configs/responder_vrf/ipsec1.conf23
-rw-r--r--extras/strongswan/configs/responder_vrf/ipsec2.conf23
-rw-r--r--extras/strongswan/configs/responder_vrf/vpp.conf48
4 files changed, 95 insertions, 0 deletions
diff --git a/extras/strongswan/configs/responder_vrf/ipsec.secrets b/extras/strongswan/configs/responder_vrf/ipsec.secrets
new file mode 100644
index 00000000000..adcf9518e9b
--- /dev/null
+++ b/extras/strongswan/configs/responder_vrf/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 'Vpp123'
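Review bot: The bare `:` selector on this line applies the PSK to every peer strongSwan negotiates with, and the key itself is a short, guessable string committed in cleartext, with nothing marking it as a fixture. Under extras/strongswan/configs this is presumably a lab setup, but the same value is also hard-coded in vpp.conf and the two must stay byte-identical, which neither file records. A comment such as `# Test-only PSK; must match 'shared-key-mic' in vpp.conf. Never reuse outside a lab.` would document both the coupling and the intent, and narrowing the selector to the two peer identities instead of the wildcard would stop the key from being offered to any unrelated conn added later.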
diff --git a/extras/strongswan/configs/responder_vrf/ipsec1.conf b/extras/strongswan/configs/responder_vrf/ipsec1.conf
new file mode 100644
index 00000000000..0291b8e2832
--- /dev/null
+++ b/extras/strongswan/configs/responder_vrf/ipsec1.conf
@@ -0,0 +1,23 @@
+config setup
+ strictcrlpolicy=no
+
+conn initiator
+ mobike=no
+ auto=add
+ type=tunnel
+ keyexchange=ikev2
+ ike=aes256gcm16-prfsha256-modp2048!
+ esp=aes256gcm16-esn!
+ lifetime=1m
+
+# local:
+ leftauth=psk
+ leftid=@roadwarrior1.vpn.example.com
+ leftsubnet=192.168.5.0/24
+
+# remote: (gateway)
+ rightid=@vpp.home
+ right=192.168.10.2
+ rightauth=psk
+ rightsubnet=192.168.3.0/24
+
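Review bot: `lifetime=1m` on line 36 sets a CHILD_SA lifetime well below strongSwan's default rekey margin, which looks intentional to exercise rekeying quickly but is not explained anywhere; a comment `# 1m lifetime: forces frequent CHILD_SA rekeys for testing, not a production value` would make that visible. `strictcrlpolicy=no` on line 27 has no effect on a PSK-only conn and could be dropped or annotated. No `left=` address is given, so the local endpoint is presumably resolved from the route to 192.168.10.2 at connect time; if the test host may have several paths, pinning it explicitly would make the fixture more deterministic.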
diff --git a/extras/strongswan/configs/responder_vrf/ipsec2.conf b/extras/strongswan/configs/responder_vrf/ipsec2.conf
new file mode 100644
index 00000000000..c96c1ff2f1b
--- /dev/null
+++ b/extras/strongswan/configs/responder_vrf/ipsec2.conf
@@ -0,0 +1,23 @@
+config setup
+ strictcrlpolicy=no
+
+conn initiator
+ mobike=no
+ auto=add
+ type=tunnel
+ keyexchange=ikev2
+ ike=aes256gcm16-prfsha256-modp2048!
+ esp=aes256gcm16-esn!
+ lifetime=1m
+
+# local:
+ leftauth=psk
+ leftid=@roadwarrior2.vpn.example.com
+ leftsubnet=192.168.5.0/24
+
+# remote: (gateway)
+ rightid=@vpp.home
+ right=192.168.10.2
+ rightauth=psk
+ rightsubnet=192.168.3.0/24
+
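Review bot: This file is a verbatim copy of ipsec1.conf except for `leftid` on line 69, and both initiators announce the same `leftsubnet=192.168.5.0/24` toward the same gateway, so the only thing that tells the two peers apart is their identity. That is presumably what the responder side uses to place each peer in its own VRF, but the conn gives no hint of it; a header comment like `# Second road warrior: identical to ipsec1.conf apart from leftid; the gateway keys its VRF selection off this identity` would save the next reader from diffing the two files. The same `lifetime=1m` remark as for ipsec1.conf applies to line 65.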
diff --git a/extras/strongswan/configs/responder_vrf/vpp.conf b/extras/strongswan/configs/responder_vrf/vpp.conf
new file mode 100644
index 00000000000..1b32226965f
--- /dev/null
+++ b/extras/strongswan/configs/responder_vrf/vpp.conf
@@ -0,0 +1,48 @@
+ip table add 1
+
+create host-interface name gw1
+set interface ip addr host-gw1 192.168.10.2/24
+set interface state host-gw1 up
+
+create host-interface name gw2
+set int ip table host-gw2 1
+set interface ip addr host-gw2 192.168.10.2/24
+set interface state host-gw2 up
+
+create host-interface name priv1
+set interface ip addr host-priv1 192.168.3.1/24
+set interface state host-priv1 up
+
+create host-interface name priv2
+set int ip table host-priv2 1
+set interface ip addr host-priv2 192.168.3.1/24
+set interface state host-priv2 up
+
+ikev2 profile add pr1
+ikev2 profile set pr1 auth shared-key-mic string Vpp123
+ikev2 profile set pr1 id local fqdn vpp.home
+ikev2 profile set pr1 id remote fqdn roadwarrior1.vpn.example.com
+ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
+ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
+create ipip tunnel src 192.168.10.2 dst 192.168.10.1
+ikev2 profile set pr1 tunnel ipip0
+ip route add 192.168.5.0/24 via 192.168.10.1 ipip0
+set interface unnumbered ipip0 use host-gw1
+
+ikev2 profile add pr2
+ikev2 profile set pr2 auth shared-key-mic string Vpp123
+ikev2 profile set pr2 id local fqdn vpp.home
+ikev2 profile set pr2 id remote fqdn roadwarrior2.vpn.example.com
+ikev2 profile set pr2 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
+ikev2 profile set pr2 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
+create ipip tunnel src 192.168.10.2 dst 192.168.10.1 outer-table-id 1
+set interface ip table ipip1 1
+ikev2 profile set pr2 tunnel ipip1
+ip route add table 1 192.168.5.0/24 via 192.168.10.1 ipip1
+set interface unnumbered ipip1 use host-gw2
+
+ikev2 set liveness 300 4
+ikev2 set logging level 4
+event-logger clear
+trace add af-packet-input 100
+
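Review bot: The shared key `Vpp123` is embedded in cleartext on lines 105 and 116 and has to match ipsec.secrets exactly, yet nothing in the file says so; a comment `# PSK must match extras/strongswan/configs/responder_vrf/ipsec.secrets (test-only value)` at the first profile would record that coupling. The two ipip tunnels on lines 110 and 121 have identical src/dst addresses and are told apart only by `outer-table-id 1` plus the VRF assignments on lines 91/100/122, which is the whole point of the responder_vrf scenario and deserves a one-line explanation next to the second `create ipip tunnel`. The trailing `ikev2 set logging level 4`, `event-logger clear` and `trace add af-packet-input 100` are debugging aids rather than configuration; if they are meant to stay, a comment marking them as such would keep them from being copied into a non-test startup config.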