Diffstat (limited to 'extras/strongswan/configs')
17 files changed, 331 insertions, 0 deletions
diff --git a/extras/strongswan/configs/initiator/ipsec.conf b/extras/strongswan/configs/initiator/ipsec.conf
new file mode 100644
index 00000000000..6a7c0f6bbea
--- /dev/null
+++ b/extras/strongswan/configs/initiator/ipsec.conf
@@ -0,0 +1,22 @@
+config setup
+ strictcrlpolicy=no
+
+conn initiator
+ mobike=no
+ auto=add
+ type=tunnel
+ keyexchange=ikev2
+ ike=aes256gcm16-prfsha256-modp2048!
+ esp=aes256gcm16-esn!
+
+# local:
+ leftauth=psk
+ leftid=@sswan.vpn.example.com
+ leftsubnet=192.168.5.0/24
+
+# remote: (gateway)
+ rightid=@roadwarrior.vpp
+ right=192.168.10.2
+ rightauth=psk
+ rightsubnet=192.168.3.0/24
+
diff --git a/extras/strongswan/configs/initiator/ipsec.secrets b/extras/strongswan/configs/initiator/ipsec.secrets
new file mode 100644
index 00000000000..adcf9518e9b
--- /dev/null
+++ b/extras/strongswan/configs/initiator/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 'Vpp123'
diff --git a/extras/strongswan/configs/initiator/vpp.conf b/extras/strongswan/configs/initiator/vpp.conf
new file mode 100644
index 00000000000..36352aa5929
--- /dev/null
+++ b/extras/strongswan/configs/initiator/vpp.conf
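Review bot: The only entry in ipsec.secrets, `: PSK 'Vpp123'`, has no identity selector, so charon offers this key to whichever peer identity shows up, and the same short value is committed unchanged in the responder, responder_keepalive, responder_nat and responder_vrf copies (all blob adcf9518e9b) and hard-coded in every vpp.conf as `auth shared-key-mic string Vpp123`. That is acceptable for an interop fixture, but nothing in the file says so, and a wildcard secret with a guessable value is exactly what gets copied into a real gateway later. Add `# test-only fixture PSK, duplicated in the matching vpp.conf; any change must be made in both places` above the entry, and if the fixture allows it, bind the key to the expected peer identity (e.g. `@roadwarrior.vpp : PSK 'Vpp123'` for the initiator scenario) so the selector documents which peer the secret is for.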
@@ -0,0 +1,30 @@
+create host-interface name vpp
+set interface ip addr host-vpp 192.168.10.2/24
+set interface state host-vpp up
+
+create host-interface name priv
+set interface ip addr host-priv 192.168.3.1/24
+set interface state host-priv up
+
+ikev2 profile add pr1
+ikev2 profile set pr1 auth shared-key-mic string Vpp123
+ikev2 profile set pr1 id local fqdn roadwarrior.vpp
+ikev2 profile set pr1 id remote fqdn sswan.vpn.example.com
+
+ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
+ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
+
+ikev2 profile set pr1 responder host-vpp 192.168.10.1
+ikev2 profile set pr1 ike-crypto-alg aes-gcm-16 256 ike-dh modp-2048
+ikev2 profile set pr1 esp-crypto-alg aes-gcm-16 256
+
+event-logger clear
+trace add af-packet-input 100
+
+create ipip tunnel src 192.168.10.2 dst 192.168.10.1
+ikev2 profile set pr1 tunnel ipip0
+ip route add 192.168.5.0/24 via 192.168.10.1 ipip0
+set interface unnumbered ipip0 use host-vpp
+
+ikev2 set liveness 30 4
+ikev2 set logging level 4
diff --git a/extras/strongswan/configs/responder/ipsec.conf b/extras/strongswan/configs/responder/ipsec.conf
new file mode 100644
index 00000000000..7ca0d413495
--- /dev/null
+++ b/extras/strongswan/configs/responder/ipsec.conf
@@ -0,0 +1,23 @@
+config setup
+ strictcrlpolicy=no
+
+conn initiator
+ mobike=no
+ auto=add
+ type=tunnel
+ keyexchange=ikev2
+ ike=aes256gcm16-prfsha256-modp2048!
+ esp=aes256gcm16-esn!
+ lifetime=1h
+
+# local:
+ leftauth=psk
+ leftid=@roadwarrior.vpn.example.com
+ leftsubnet=192.168.5.0/24
+
+# remote: (gateway)
+ rightid=@vpp.home
+ right=192.168.10.2
+ rightauth=psk
+ rightsubnet=192.168.3.0/24
+
diff --git a/extras/strongswan/configs/responder/ipsec.secrets b/extras/strongswan/configs/responder/ipsec.secrets
new file mode 100644
index 00000000000..adcf9518e9b
--- /dev/null
+++ b/extras/strongswan/configs/responder/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 'Vpp123'
diff --git a/extras/strongswan/configs/responder/vpp.conf b/extras/strongswan/configs/responder/vpp.conf
new file mode 100644
index 00000000000..291b8173729
--- /dev/null
+++ b/extras/strongswan/configs/responder/vpp.conf
@@ -0,0 +1,26 @@
+create host-interface name vpp
+set interface ip addr host-vpp 192.168.10.2/24
+set interface state host-vpp up
+
+create host-interface name priv
+set interface ip addr host-priv 192.168.3.1/24
+set interface state host-priv up
+
+ikev2 profile add pr1
+ikev2 profile set pr1 auth shared-key-mic string Vpp123
+ikev2 profile set pr1 id local fqdn vpp.home
+ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
+
+ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
+ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
+
+event-logger clear
+trace add af-packet-input 100
+
+create ipip tunnel src 192.168.10.2 dst 192.168.10.1
+ikev2 profile set pr1 tunnel ipip0
+ip route add 192.168.5.0/24 via 192.168.10.1 ipip0
+set interface unnumbered ipip0 use host-vpp
+
+ikev2 set liveness 30 4
+ikev2 set logging level 4
diff --git a/extras/strongswan/configs/responder_keepalive/ipsec.conf b/extras/strongswan/configs/responder_keepalive/ipsec.conf
new file mode 100644
index 00000000000..7ca0d413495
--- /dev/null
+++ b/extras/strongswan/configs/responder_keepalive/ipsec.conf
@@ -0,0 +1,23 @@
+config setup
+ strictcrlpolicy=no
+
+conn initiator
+ mobike=no
+ auto=add
+ type=tunnel
+ keyexchange=ikev2
+ ike=aes256gcm16-prfsha256-modp2048!
+ esp=aes256gcm16-esn!
+ lifetime=1h
+
+# local:
+ leftauth=psk
+ leftid=@roadwarrior.vpn.example.com
+ leftsubnet=192.168.5.0/24
+
+# remote: (gateway)
+ rightid=@vpp.home
+ right=192.168.10.2
+ rightauth=psk
+ rightsubnet=192.168.3.0/24
+
diff --git a/extras/strongswan/configs/responder_keepalive/ipsec.secrets b/extras/strongswan/configs/responder_keepalive/ipsec.secrets
new file mode 100644
index 00000000000..adcf9518e9b
--- /dev/null
+++ b/extras/strongswan/configs/responder_keepalive/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 'Vpp123'
diff --git a/extras/strongswan/configs/responder_keepalive/vpp.conf b/extras/strongswan/configs/responder_keepalive/vpp.conf
new file mode 100644
index 00000000000..f3f84706f9a
--- /dev/null
+++ b/extras/strongswan/configs/responder_keepalive/vpp.conf
@@ -0,0 +1,26 @@
+create host-interface name vpp
+set interface ip addr host-vpp 192.168.10.2/24
+set interface state host-vpp up
+
+create host-interface name priv
+set interface ip addr host-priv 192.168.3.1/24
+set interface state host-priv up
+
+ikev2 profile add pr1
+ikev2 profile set pr1 auth shared-key-mic string Vpp123
+ikev2 profile set pr1 id local fqdn vpp.home
+ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
+
+ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
+ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
+
+event-logger clear
+trace add af-packet-input 100
+
+create ipip tunnel src 192.168.10.2 dst 192.168.10.1
+ikev2 profile set pr1 tunnel ipip0
+ip route add 192.168.5.0/24 via 192.168.10.1 ipip0
+set interface unnumbered ipip0 use host-vpp
+
+ikev2 set liveness 10 2
+ikev2 set logging level 4
diff --git a/extras/strongswan/configs/responder_nat/ipsec.conf b/extras/strongswan/configs/responder_nat/ipsec.conf
new file mode 100644
index 00000000000..00ebd21e3b3
--- /dev/null
+++ b/extras/strongswan/configs/responder_nat/ipsec.conf
@@ -0,0 +1,22 @@
+config setup
+ strictcrlpolicy=no
+
+conn initiator
+ mobike=no
+ auto=add
+ type=tunnel
+ keyexchange=ikev2
+ ike=aes256gcm16-prfsha256-modp2048!
+ esp=aes256gcm16-esn!
+
+# local:
+ leftauth=psk
+ leftid=@roadwarrior.vpn.example.com
+ leftsubnet=192.168.5.0/24
+
+# remote: (gateway)
+ rightid=@vpp.home
+ right=192.168.10.2
+ rightauth=psk
+ rightsubnet=192.168.3.0/24
+
diff --git a/extras/strongswan/configs/responder_nat/ipsec.secrets b/extras/strongswan/configs/responder_nat/ipsec.secrets
new file mode 100644
index 00000000000..adcf9518e9b
--- /dev/null
+++ b/extras/strongswan/configs/responder_nat/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 'Vpp123'
diff --git a/extras/strongswan/configs/responder_nat/vpp.conf b/extras/strongswan/configs/responder_nat/vpp.conf
new file mode 100644
index 00000000000..9ba3fdf2604
--- /dev/null
+++ b/extras/strongswan/configs/responder_nat/vpp.conf
@@ -0,0 +1,44 @@
+create host-interface name vpp
+create host-interface name priv
+pipe create
+
+set interface ip addr host-vpp 192.168.10.2/24
+set interface state host-vpp up
+
+ip table add 1
+set int ip table host-priv 1
+set int ip table pipe0.1 1
+
+set interface ip addr host-priv 192.168.3.1/24
+set interface state host-priv up
+
+set int ip address pipe0.0 10.0.0.1/24
+set int ip address pipe0.1 10.0.0.2/24
+set int state pipe0 up
+
+ikev2 profile add pr1
+ikev2 profile set pr1 auth shared-key-mic string Vpp123
+ikev2 profile set pr1 id local fqdn vpp.home
+ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
+ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
+ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
+
+ip route add table 1 192.168.10.0/24 via 10.0.0.1 pipe0.1
+
+create ipip tunnel src 10.0.0.2 dst 192.168.10.1 outer-table-id 1
+set interface ip table ipip0 1
+
+ikev2 profile set pr1 tunnel ipip0
+ip route add table 1 192.168.5.0/24 via ipip0
+set interface unnumbered ipip0 use pipe0.1
+
+nat44 enable sessions 10
+nat44 add address 192.168.10.2
+set interface nat44 in pipe0.0 out host-vpp
+nat44 add static mapping udp local 10.0.0.2 500 external 192.168.10.2 500
+nat44 add static mapping udp local 10.0.0.2 4500 external 192.168.10.2 4500
+
+event-logger clear
+trace add af-packet-input 100
+ikev2 set liveness 10 2
+ikev2 set logging level 4
diff --git a/extras/strongswan/configs/responder_vrf/ipsec.secrets b/extras/strongswan/configs/responder_vrf/ipsec.secrets
new file mode 100644
index 00000000000..adcf9518e9b
--- /dev/null
+++ b/extras/strongswan/configs/responder_vrf/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 'Vpp123'
diff --git a/extras/strongswan/configs/responder_vrf/ipsec1.conf b/extras/strongswan/configs/responder_vrf/ipsec1.conf
new file mode 100644
index 00000000000..0291b8e2832
--- /dev/null
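Review bot: The NAT block in responder_nat/vpp.conf, `nat44 enable sessions 10` followed by the two static mappings for UDP 500 and 4500, encodes the whole point of this scenario without saying so: only the IKE and NAT-T ports are pinned to the external address, there is no mapping for ESP itself, so the test presumably relies on the peers detecting the NAT and moving ESP into UDP 4500. A reader extending the fixture (a second tunnel, or a check that plain ESP works) has no way to tell which of those limits is deliberate and which is incidental, and the ten-session bound looks tight enough to bite first. Add a `comment { ... }` line ahead of `nat44 enable sessions 10` stating that the scenario exercises NAT-T (IKE/ESP over UDP 500/4500 only) and why ten sessions are sufficient for it.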
+++ b/extras/strongswan/configs/responder_vrf/ipsec1.conf
@@ -0,0 +1,23 @@
+config setup
+ strictcrlpolicy=no
+
+conn initiator
+ mobike=no
+ auto=add
+ type=tunnel
+ keyexchange=ikev2
+ ike=aes256gcm16-prfsha256-modp2048!
+ esp=aes256gcm16-esn!
+ lifetime=1m
+
+# local:
+ leftauth=psk
+ leftid=@roadwarrior1.vpn.example.com
+ leftsubnet=192.168.5.0/24
+
+# remote: (gateway)
+ rightid=@vpp.home
+ right=192.168.10.2
+ rightauth=psk
+ rightsubnet=192.168.3.0/24
+
diff --git a/extras/strongswan/configs/responder_vrf/ipsec2.conf b/extras/strongswan/configs/responder_vrf/ipsec2.conf
new file mode 100644
index 00000000000..c96c1ff2f1b
--- /dev/null
+++ b/extras/strongswan/configs/responder_vrf/ipsec2.conf
@@ -0,0 +1,23 @@
+config setup
+ strictcrlpolicy=no
+
+conn initiator
+ mobike=no
+ auto=add
+ type=tunnel
+ keyexchange=ikev2
+ ike=aes256gcm16-prfsha256-modp2048!
+ esp=aes256gcm16-esn!
+ lifetime=1m
+
+# local:
+ leftauth=psk
+ leftid=@roadwarrior2.vpn.example.com
+ leftsubnet=192.168.5.0/24
+
+# remote: (gateway)
+ rightid=@vpp.home
+ right=192.168.10.2
+ rightauth=psk
+ rightsubnet=192.168.3.0/24
+
diff --git a/extras/strongswan/configs/responder_vrf/vpp.conf b/extras/strongswan/configs/responder_vrf/vpp.conf
new file mode 100644
index 00000000000..1b32226965f
--- /dev/null
+++ b/extras/strongswan/configs/responder_vrf/vpp.conf
@@ -0,0 +1,48 @@
+ip table add 1
+
+create host-interface name gw1
+set interface ip addr host-gw1 192.168.10.2/24
+set interface state host-gw1 up
+
+create host-interface name gw2
+set int ip table host-gw2 1
+set interface ip addr host-gw2 192.168.10.2/24
+set interface state host-gw2 up
+
+create host-interface name priv1
+set interface ip addr host-priv1 192.168.3.1/24
+set interface state host-priv1 up
+
+create host-interface name priv2
+set int ip table host-priv2 1
+set interface ip addr host-priv2 192.168.3.1/24
+set interface state host-priv2 up
+
+ikev2 profile add pr1
+ikev2 profile set pr1 auth shared-key-mic string Vpp123
+ikev2 profile set pr1 id local fqdn vpp.home
+ikev2 profile set pr1 id remote fqdn roadwarrior1.vpn.example.com
+ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
+ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
+create ipip tunnel src 192.168.10.2 dst 192.168.10.1
+ikev2 profile set pr1 tunnel ipip0
+ip route add 192.168.5.0/24 via 192.168.10.1 ipip0
+set interface unnumbered ipip0 use host-gw1
+
+ikev2 profile add pr2
+ikev2 profile set pr2 auth shared-key-mic string Vpp123
+ikev2 profile set pr2 id local fqdn vpp.home
+ikev2 profile set pr2 id remote fqdn roadwarrior2.vpn.example.com
+ikev2 profile set pr2 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
+ikev2 profile set pr2 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
+create ipip tunnel src 192.168.10.2 dst 192.168.10.1 outer-table-id 1
+set interface ip table ipip1 1
+ikev2 profile set pr2 tunnel ipip1
+ip route add table 1 192.168.5.0/24 via 192.168.10.1 ipip1
+set interface unnumbered ipip1 use host-gw2
+
+ikev2 set liveness 300 4
+ikev2 set logging level 4
+event-logger clear
+trace add af-packet-input 100
+
diff --git a/extras/strongswan/configs/strongswan.conf b/extras/strongswan/configs/strongswan.conf
new file mode 100644
index 00000000000..9a6e2f27280
--- /dev/null
+++ b/extras/strongswan/configs/strongswan.conf
@@ -0,0 +1,16 @@
+charon {
+ load_modular = yes
+ plugins {
+ include strongswan.d/charon/*.conf
+ }
+ filelog {
+ /tmp/charon.log {
+ time_format = %b %e %T
+ ike_name = yes
+ append = no
+ default = 2
+ flush_line = yes
+ }
+ }
+}
+include strongswan.d/*.conf |
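Review bot: The `filelog` section sends charon's log to the fixed path `/tmp/charon.log` with `append = no`, so each daemon start truncates whatever already sits at that shared, world-writable location; if charon runs as root on anything other than a throwaway container, a file or symlink pre-placed there by another local user decides where the log is written. That is tolerable for a test fixture, but the file should say it is one, e.g. `# test fixture: log to /tmp so the harness can collect it; not a production location`. The choice of `default = 2` is the right one to keep, since charon's documented log levels only start dumping sensitive material such as key bytes at level 4; a one-line `# keep <= 3: level 4 writes key material to the log` next to it would stop a future debugging bump from leaking the test PSK and session keys into a world-readable file.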