GLaNET - Linux IPSec Virtual Tunnel Interface Configuration

<VTI_NAME> Name of the VPN interface
<VTI_INNER_ADDRESS_INET4> IPv4 inner tunnel address
<VTI_INNER_NETMASK_INET4> IPv4 inner tunnel netmask
<VTI_INNER_ADDRESS_INET6> IPv6 inner tunnel address
<VTI_INNER_NETMASK_INET6> IPv6 inner tunnel netmask
<VTI_OUTER_LOCAL_ADDRESS> Outer tunnel local address
<VTI_OUTER_REMOTE_ADDRESS> Outer tunnel remote address
<VTI_KEY> Tunnel identifier (integer)
<IPSEC_CONNECTION_NAME> Connection name
<IPSEC_LOCAL_ID> Local IPSec identifier (IP, FQDN, etc.)
<IPSEC_REMOTE_ID> Remote IPSec identifier (IP, FQDN, etc.)
<IPSEC_PSK> IPSec Pre-Shared-Key
<IPSEC_RSA_PRIVATE_KEY_PATH> IPSec RSA private key path
/etc/network/interfaces
auto <VTI_NAME>
iface <VTI_NAME> inet static
        address <VTI_INNER_ADDRESS_INET4>
        netmask <VTI_INNER_NETMASK_INET4>
        # The "key" must be the same integer as "mark=" in the strongSwan conn
        pre-up ip tunnel add $IFACE local <VTI_OUTER_LOCAL_ADDRESS> remote <VTI_OUTER_REMOTE_ADDRESS> mode vti key <VTI_KEY>
        # Skip XFRM policy checks on the VTI itself; the SAs are selected by mark
        pre-up sysctl -w net.ipv4.conf.$IFACE.disable_policy=1
        # MTU lowered to leave room for the ESP and outer IP headers
        up ip link set up mtu 1436 dev $IFACE
        down ip tunnel del $IFACE
iface <VTI_NAME> inet6 static
        address <VTI_INNER_ADDRESS_INET6>
        netmask <VTI_INNER_NETMASK_INET6>
        up ip -6 addr add fe80::1/64 dev $IFACE
ifup <VTI_NAME>

Installation

apt-get install strongswan

Configuration

/etc/ipsec.conf
conn %default
  # Authentication Method    : Pre-Shared Key
  #authby=psk
  leftauth=psk
  rightauth=psk
  # Encryption Algorithm     : aes-256-cbc
  # Authentication Algorithm : sha-384
  # Perfect Forward Secrecy  : Diffie-Hellman Group 5
  ike=aes256-sha384-modp1536
  # Lifetime                 : 28800 seconds
  ikelifetime=28800s
  # Phase 1 Negotiation Mode : main (aggressive= only applies to IKEv1, it is
  # ignored with keyexchange=ikev2 and kept here for a possible IKEv1 fallback)
  aggressive=no
  # Protocol                 : esp
  # Encryption Algorithm     : aes-256-cbc
  # Authentication Algorithm : hmac-sha-256-128
  # Perfect Forward Secrecy  : Diffie-Hellman Group 5
  esp=aes256-sha256-modp1536
  # Lifetime                 : 3600 seconds
  lifetime=3600s
  # Mode                     : tunnel
  type=tunnel
  # DPD Interval             : 20
  dpddelay=20s
  # DPD Retries              : 5 (20s x 5 = 100s; dpdtimeout only applies to
  # IKEv1, with IKEv2 the charon retransmission timeout decides when a peer
  # is declared dead)
  dpdtimeout=100s
  keyexchange=ikev2
  rekey=yes
  reauth=no
  dpdaction=restart
  closeaction=restart
  leftsubnet=0.0.0.0/0,::/0
  rightsubnet=0.0.0.0/0,::/0
  installpolicy=yes
  compress=no
  mobike=no
 
conn <IPSEC_CONNECTION_NAME>
  left=<VTI_OUTER_LOCAL_ADDRESS>
  right=<VTI_OUTER_REMOTE_ADDRESS>
  leftid=<IPSEC_LOCAL_ID>
  rightid=<IPSEC_REMOTE_ID>
  auto=start
  # Must equal the "key" given to "ip tunnel add ... mode vti", so the SAs
  # of this conn are bound to that VTI
  mark=<VTI_KEY>

For more information on IKEv2 cipher suites, refer to the strongSwan documentation on IKEv2 cipher suites.

/etc/ipsec.secrets
# This file holds the PSK or the private key: keep it owned by root with mode 0600
<IPSEC_LOCAL_ID> <IPSEC_REMOTE_ID> : PSK "<IPSEC_PSK>"
# or
# <IPSEC_LOCAL_ID> <IPSEC_REMOTE_ID> : RSA <IPSEC_RSA_PRIVATE_KEY_PATH>
/etc/strongswan.d/charon.conf
...
    # Install routes into a separate routing table for established IPsec
    # tunnels.
    install_routes = no
 
    # Install virtual IP addresses.
    install_virtual_ip = no
...

Starting

systemctl restart ipsec
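The single thing that most often breaks a VTI setup is a mismatch between the "key" of the tunnel interface and the "mark=" of the strongSwan conn: the SAs then carry a mark no VTI claims and traffic is dropped without any error in the logs. The following POSIX shell script is an added example, not part of the original page or of strongSwan: it renders the two fragments above from one set of variables, checks that the key is a usable integer and that the rendered key and mark agree, and offers a small live-status helper. The interface name, addresses, key and connection name are constructed placeholders.

```shell
#!/bin/sh
# Added example: render the VTI and strongSwan fragments from one set of
# variables and check that tunnel key and IPsec mark agree.
# All values below are constructed placeholders, not from the original page.

VTI_NAME="vti0"
VTI_KEY="42"
VTI_OUTER_LOCAL_ADDRESS="203.0.113.10"
VTI_OUTER_REMOTE_ADDRESS="198.51.100.20"
VTI_INNER_ADDRESS_INET4="169.254.10.1"
VTI_INNER_NETMASK_INET4="255.255.255.252"
IPSEC_CONNECTION_NAME="peer1"

# "ip tunnel ... key N" sets ikey and okey to N, and strongSwan "mark=N"
# marks the SAs in both directions: both must be the same non-zero
# unsigned 32-bit integer (0 means "no key" for the VTI).
valid_vti_key() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4294967295 ]
}

# /etc/network/interfaces stanza; $IFACE is left literal for ifupdown.
render_interfaces() {
    cat <<EOF
auto $VTI_NAME
iface $VTI_NAME inet static
        address $VTI_INNER_ADDRESS_INET4
        netmask $VTI_INNER_NETMASK_INET4
        pre-up ip tunnel add \$IFACE local $VTI_OUTER_LOCAL_ADDRESS remote $VTI_OUTER_REMOTE_ADDRESS mode vti key $VTI_KEY
        pre-up sysctl -w net.ipv4.conf.\$IFACE.disable_policy=1
        up ip link set up mtu 1436 dev \$IFACE
        down ip tunnel del \$IFACE
EOF
}

# ipsec.conf conn stanza; the %default section of the page supplies the rest.
render_ipsec_conn() {
    cat <<EOF
conn $IPSEC_CONNECTION_NAME
  left=$VTI_OUTER_LOCAL_ADDRESS
  right=$VTI_OUTER_REMOTE_ADDRESS
  leftid=$VTI_OUTER_LOCAL_ADDRESS
  rightid=$VTI_OUTER_REMOTE_ADDRESS
  auto=start
  mark=$VTI_KEY
EOF
}

# Pull "key N" out of the ip tunnel line of an interfaces stanza read on stdin.
tunnel_key_of() {
    sed -n 's/.*mode vti key \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Pull the value part of "mark=N[/mask]" out of a conn stanza read on stdin.
mark_of() {
    sed -n 's/^[[:space:]]*mark=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# 0 when the key is valid and both rendered fragments carry the same value.
check_consistency() {
    valid_vti_key "$VTI_KEY" || return 1
    k=$(render_interfaces | tunnel_key_of)
    m=$(render_ipsec_conn | mark_of)
    [ -n "$k" ] && [ "$k" = "$m" ]
}

# On the gateway, once ifup and strongSwan have run (needs root): the link
# must show the key, the xfrm states the matching mark, and the conn ESTABLISHED.
show_live_state() {
    ip -d link show dev "$VTI_NAME"
    ip xfrm state
    ipsec statusall
}

if check_consistency; then
    render_interfaces
    echo
    render_ipsec_conn
else
    echo "VTI key '$VTI_KEY' is invalid or does not match the IPsec mark" >&2
fi
```

Run it as is to print the two fragments for the placeholder values, or source it and call show_live_state on a gateway where the tunnel is already up. Because the SA marks, not the routing table, bind traffic to the VTI, the charon.conf settings above (install_routes = no) stay as they are: routes go through the VTI like through any other interface.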
  • services/documentation/linux-glanet-ipsec.txt
  • Last modified: 2016/12/11 15:24
  • by Benjamin Collet