Posts tagged ipsec

strongswan ipsec vpn site to site
posted on 2016-12-02 09:42

This guide was written for debian 8.

network layout

local/left       lan: 192.168.0.0/16
local/left   gateway: 10.0.0.2
remote/right gateway: 10.0.0.3
remote/right     lan: 172.16.0.0/16

Our network, expressed differently:

192.168.0.0/16 --- unencrypted --- 10.0.0.2 === vpn === 10.0.0.3 --- unencrypted --- 172.16.0.0/16

In strongswan it doesn't matter which side is defined in either left or right, but this convention helps:

  • local = left
  • rremote = right

ipsec settings for the tunnel

These may be somewhat arbitrarily, but we got to use something:

phase1:
ikev1 / aes256 / sha2 / dh5 / 86400s (24h statt 8h)

phase2:
esp / aes256 / sha2 / dh5 / 3600s

( protocol / encryption / hashing / DH group or PFS if present / lifetime )

install

apt-get install strongswan libcharon-extra-plugins

define PSK

Add to /etc/ipsec.secrets:

10.0.0.2 10.0.0.3 : PSK "thatsmydamnsecretPSKwhichreallyshouldbearandomsting"

setup tunnel

/etc/ipsec.conf:

config setup

conn %default
    keyexchange=ikev1
    keyingtries=%forever
    leftauth=psk
    rightauth=psk
    auto=start

conn myconfig-main
    left=10.0.0.2
    ike=aes256-sha256-modp1536
    ikelifetime=86400s
    esp=aes256-sha256-modp1536
    lifetime=3600s

conn myconfig1
    right=10.0.0.3
    leftsubnet=192.168.0.0/24
    rightsubnet=172.16.0.0/16
    also=myconfig-main

include /var/lib/strongswan/ipsec.conf.inc

That way you can add additional phase2 entries analoguous to conn myconfig1.

%default is valid for everything, myconfig-main is included via auto=myconfig-main into other connection definitions.

test

service ipsec restart

These might help:

tail -f /var/log/syslog
watch -n1 -d ipsec statusall

Ping from withing your lan a host inside the remote lan.

For watching the pings, the ones you want to see will be colored:

tcpdump -D # discern the interface you need to have a look at, usually eth0 / 1
tcpdump -nli 1 icmp | grep -color -e $ -e 192.168.

routing rules are automatically added by strongswan, do service ipsec restart while watching:

watch -n1 -d "ip ru; ip r l t 220"
pfsense: iphone ipsec roadwarrior configuration
posted on 2015-12-13 16:47:01

Since this took me a while, but this took me a while, here is an incomplete write-up. (...) If the stars are lucky I will eventually get around to finish this properly.

software versions

  • PFSense 2.2.5
  • IOS 9.2

ios settings for phase 1 + 2

This is straight from the pfsense logs:

# phase 1
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

# phase 2
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ

which translates to these alternatives for each phase:

# phase 1 (you should choose the second one :))
enc: aes cbc 128bit
hash: sha1
dh: 1024bit / group 2

enc: aes cbc 256bit
hash sha256
dh: 1536bit / group 3

enc: 3des cbc
hash: sha1
dh: 1024bit / group 2


# phase 2 (basically aes 256/128 / aes 128 / 3des with sha1 / md5, no PFS)
enc: aes cbc 256
hash: sha1

enc: aes cbc 256
hash: md5

enc: aes cbc 128
hash: sha1

enc: aes cbc 128
hash: md5

enc: 3des cbc
hash: sha1

enc: 3des cbc
hash: md5

According to apple documentation here PFS is possible, too.

PFSense IPsec VPN problems
posted on 2014-07-03 10:37:51

When running a PFSense as Firewall and VPN Gateway, trouble might arise. (See here.)

From personal experience, using version 2.1.4 and running like a dozen different tunnels, random connection breaks occurred.

It did not matter which interface was used, which hardware the other tunnel endpoint/gateway was on.

Only helpful solution so far was this:

System >> Advanced >> Tab Miscellaneous >> Section IP Security >> Checkbox Prefer older IPsec SAs

This blog covers .csv, .htaccess, .pfx, .vmx, /etc/crypttab, /etc/network/interfaces, /etc/sudoers, /proc, 10.04, 14.04, AS, ASA, ControlPanel, DS1054Z, GPT, HWR, Hyper-V, IPSEC, KVM, LSI, LVM, LXC, MBR, MTU, MegaCli, PHP, PKI, R, RAID, S.M.A.R.T., SNMP, SSD, SSL, TLS, TRIM, VEEAM, VMware, VServer, VirtualBox, Virtuozzo, XenServer, acpi, adaptec, algorithm, ansible, apache, apachebench, apple, arcconf, arch, architecture, areca, arping, asa, asdm, awk, backup, bandit, bar, bash, benchmarking, binding, bitrate, blackarmor, blowfish, bochs, bond, bonding, booknotes, bootable, bsd, btrfs, buffer, c-states, cache, caching, ccl, centos, certificate, certtool, cgdisk, cheatsheet, chrome, chroot, cisco, clamav, cli, clp, clush, cluster, coleslaw, colorscheme, common lisp, console, container, containers, controller, cron, cryptsetup, csync2, cu, cups, cygwin, d-states, database, date, db2, dcfldd, dcim, dd, debian, debug, debugger, debugging, decimal, desktop, df, dhclient, dhcp, diff, dig, display manager, dm-crypt, dmesg, dmidecode, dns, docker, dos, drivers, dtrace, dtrace4linux, du, dynamictracing, e2fsck, eBPF, ebook, efi, egrep, emacs, encoding, env, error, ess, esx, esxcli, esxi, ethtool, evil, expect, exportfs, factory reset, factory_reset, factoryreset, fail2ban, fbsd, fedora, file, filesystem, find, fio, firewall, firmware, fish, flashrom, forensics, free, freebsd, freedos, fritzbox, fsck, fstrim, ftp, ftps, g-states, gentoo, ghostscript, git, git-filter-branch, github, gitolite, gnutls, gradle, grep, grml, grub, grub2, guacamole, hardware, haskell, hdd, hdparm, hellowor, hex, hexdump, history, howto, htop, htpasswd, http, httpd, https, i3, icmp, ifenslave, iftop, iis, imagemagick, imap, imaps, init, innoDB, inodes, intel, ioncube, ios, iostat, ip, iperf, iphone, ipmi, ipmitool, iproute2, ipsec, iptables, ipv6, irc, irssi, iw, iwconfig, iwlist, iwlwifi, jailbreak, jails, java, javascript, javaws, js, juniper, junit, kali, kde, kemp, kernel, keyremap, kill, kpartx, krypton, lacp, lamp, languages, ldap, ldapsearch, less, leviathan, liero, lightning, links, linux, linuxin3months, lisp, list, livedisk, lmctfy, loadbalancing, locale, log, logrotate, looback, loopback, losetup, lsblk, lsi, lsof, lsusb, lsyncd, luks, lvextend, lvm, lvm2, lvreduce, lxc, lxde, macbook, macro, magento, mailclient, mailing, mailq, manpages, markdown, mbr, mdadm, megacli, micro sd, microsoft, minicom, mkfs, mktemp, mod_pagespeed, mod_proxy, modbus, modprobe, mount, mouse, movement, mpstat, multitasking, myISAM, mysql, mysql 5.7, mysql workbench, mysqlcheck, mysqldump, nagios, nas, nat, nc, netfilter, networking, nfs, nginx, nmap, nocaps, nodejs, numberingsystem, numbers, od, onyx, opcode-cache, openVZ, openlierox, openssl, openvpn, openvswitch, openwrt, oracle linux, org-mode, os, oscilloscope, overview, parallel, parameter expansion, parted, partitioning, passwd, patch, pdf, performance, pfsense, php, php7, phpmyadmin, pi, pidgin, pidstat, pins, pkill, plesk, plugin, posix, postfix, postfixadmin, postgres, postgresql, poudriere, powershell, preview, profiling, prompt, proxmox, ps, puppet, pv, pvecm, pvresize, python, qemu, qemu-img, qm, qmrestore, quicklisp, r, racktables, raid, raspberry pi, raspberrypi, raspbian, rbpi, rdp, redhat, redirect, registry, requirements, resize2fs, rewrite, rewrites, rhel, rigol, roccat, routing, rs0485, rs232, rsync, s-states, s_client, samba, sar, sata, sbcl, scite, scp, screen, scripting, seafile, seagate, security, sed, serial, serial port, setup, sftp, sg300, shell, shopware, shortcuts, showmount, signals, slattach, slip, slow-query-log, smbclient, snmpget, snmpwalk, software RAID, software raid, softwareraid, sophos, spacemacs, spam, specification, speedport, spi, sqlite, squid, ssd, ssh, ssh-add, sshd, ssl, stats, storage, strace, stronswan, su, submodules, subzone, sudo, sudoers, sup, swaks, swap, switch, switching, synaptics, synergy, sysfs, systemd, systemtap, tar, tcpdump, tcsh, tee, telnet, terminal, terminator, testdisk, testing, throughput, tmux, todo, tomcat, top, tput, trafficshaping, ttl, tuning, tunnel, tunneling, typo3, uboot, ubuntu, ubuntu 16.04, udev, uefi, ulimit, uname, unetbootin, unit testing, upstart, uptime, usb, usbstick, utf8, utm, utm 220, ux305, vcs, vgchange, vim, vimdiff, virtualbox, virtualization, visual studio code, vlan, vmstat, vmware, vnc, vncviewer, voltage, vpn, vsphere, vzdump, w, w701, wakeonlan, wargames, web, webdav, weechat, wget, whois, wicd, wifi, windowmanager, windows, wine, wireshark, wpa, wpa_passphrase, wpa_supplicant, x2x, xfce, xfreerdp, xmodem, xterm, xxd, yum, zones, zsh

View posts from 2017-02, 2017-01, 2016-12, 2016-11, 2016-10, 2016-09, 2016-08, 2016-07, 2016-06, 2016-05, 2016-04, 2016-03, 2016-02, 2016-01, 2015-12, 2015-11, 2015-10, 2015-09, 2015-08, 2015-07, 2015-06, 2015-05, 2015-04, 2015-03, 2015-02, 2015-01, 2014-12, 2014-11, 2014-10, 2014-09, 2014-08, 2014-07, 2014-06, 2014-05, 2014-04, 2014-03, 2014-01, 2013-12, 2013-11, 2013-10


Unless otherwise credited all material Creative Commons License by sjas