bisher hab ich immer openvpn als VPN Lösung eingesetzt. Jetzt möchte ich aber auf IPSec und strongswan + charon-systemd + strongswan-swanctl umsteigen. Ich möchte mein Netzwerk umbauen und dabei eben das VPN austauschen.
Auf dem Test Server (einem pi4) hab ich den responder installiert. Hier ist die swanctl.conf
cat /etc/swanctl/swanctl.conf
connections {
nat-t {
local_addrs = 192.168.160.84
vips = 0.0.0.0
pools = v4
local {
auth = pubkey
certs = pi4-server-cert.der
id = pi4-server
}
remote {
auth = pubkey
}
children {
nat-t {
local_ts = 10.1.0.0/16
remote_ts = 10.2.0.0/16
updown = /usr/lib/ipsec/_updown iptables
esp_proposals = aes128gcm128-x25519
}
}
version = 2
proposals = aes128-sha256-modp3072
}
}
pools {
v4 {
addrs = 10.2.0.0/24
}
}
# Include config snippets
include conf.d/*.conf
root@pi4-server:/home/georg# cat /etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file
swanctl {
load = pem pkcs1 x509 revocation constraints pubkey openssl random
}
charon-systemd {
load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
}
charon {
install_virtual_ip_on = eth0
}
root@pi4-server:/home/georg# swanctl --list-sas
nat-t: #1, ESTABLISHED, IKEv2, fb1e2f8d4b6bf904_i 3d3a8d3d3ab96ad3_r*
local 'pi4-server' @ 192.168.160.84[4500]
remote 'hammerhead' @ 192.168.160.19[4500] [10.2.0.1]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
established 978s ago, rekeying in 12760s
nat-t: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
installed 978s ago, rekeying in 2522s, expires in 2982s
in c4d982db, 16128 bytes, 192 packets, 676s ago
out c7e2cee8, 16128 bytes, 192 packets, 676s ago
local 10.1.0.0/16
remote 10.2.0.0/16
Auf dem Client (meinem Desktop) schaut das so aus:
hammerhead:/etc/swanctl# cat swanctl.conf
connections {
nat-t {
local_addrs = %any
remote_addrs = 192.168.160.84
vips = 0.0.0.0
local {
auth = pubkey
certs = hammerhead-cert.der
id = hammerhead
}
remote {
auth = pubkey
id = pi4-server
}
children {
nat-t {
local_ts = 10.2.0.0/16
remote_ts = 10.1.0.0/16
esp_proposals = aes128gcm128-x25519
updown = /usr/lib/ipsec/_updown iptables
}
}
version = 2
proposals = aes128-sha256-modp3072
}
}
# Include config snippets
include conf.d/*.conf
hammerhead:/etc/swanctl# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
charon {
install_virtual_ip_on = br0
}
include strongswan.d/*.conf
hammerhead:/etc/swanctl# swanctl --list-sas
nat-t: #3, ESTABLISHED, IKEv2, fb1e2f8d4b6bf904_i* 3d3a8d3d3ab96ad3_r
local 'hammerhead' @ 192.168.160.19[4500] [10.2.0.1]
remote 'pi4-server' @ 192.168.160.84[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
established 970s ago, rekeying in 12999s
nat-t: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
installed 971s ago, rekeying in 2366s, expires in 2990s
in c7e2cee8, 16128 bytes, 192 packets, 668s ago
out c4d982db, 16128 bytes, 192 packets, 668s ago
local 10.2.0.0/16
remote 10.1.0.0/16
root@pi4-server:/home/georg# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 192.168.160.84/24 brd 192.168.160.255 scope global dynamic eth0
valid_lft 862756sec preferred_lft 862756sec
inet 10.1.0.1/16 brd 10.1.255.255 scope global eth0
valid_lft forever preferred_lft forever
hammerhead:/etc/swanctl# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.160.19/24 brd 192.168.160.255 scope global br0
valid_lft forever preferred_lft forever
inet 10.2.0.1/32 scope global br0
valid_lft forever preferred_lft forever
In den Beispielen sieht man nur nie die "ip addr"-Ausgabe. Mit ifconfig sieht man diese virtuellen IPs gar nicht.
Also meine Fragen:
- Sollte man hier unter strongswan/ipsec eine eigene Brücke oder ein tap/tun-Device anlegen, das beim Start keine IP hat?
- In der Firewall (shorewall + shorewall6) wird die Zone meist aus dem Subnetz und dem Netzwerkgerät gebildet. Es geht auch mit einer IP-Range, aber dann ist u.U. nicht alles, was auf dem Netzwerkgerät passiert, in der Regel enthalten (Multicasts etc.).
root@pi4-server:/home/georg# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@pi4-server:/home/georg# uname -a
Linux pi4-server 5.7.2-v8-mainline #2 SMP PREEMPT Mon Jun 29 17:57:41 UTC 2020 aarch64 GNU/Linux
hammerhead:/etc/swanctl# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
hammerhead:/etc/swanctl# uname -a
Linux hammerhead 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
[2] https://wiki.strongswan.org/projects/st ... teBasedVPN