[Topology diagram labels: 10.30.0.X (headnode side), 192.168.200.X (private network exposed through the tunnel)]
10/01/2018 1/8
Before strongSwan 5.0, if you use NAT-Traversal with IKE version 1, add nat_traversal=yes to the config setup section of ipsec.conf on the headnode. With IKE version 2 this option can be omitted [1].
Create VPN
In the OpenStack VPN services, add the router and define the private network that will be exposed through the tunnel.
Create site-to-site connection
To define a strong PSK, generate a random password with a command-line tool rather than choosing one by hand. The same PSK must be entered on both ends of the connection.
If you use NAT-Traversal, permit UDP port 4500 (as source and destination port) between the peers, in addition to UDP port 500, which IKE always uses for the first exchange. Once NAT is detected, both IKE and the ESP payload move to UDP 4500. Without NAT, ESP travels as IP protocol 50 and must be allowed through the firewall as well.
Install strongswan
To install strongSwan on CentOS 7 you first need the EPEL repository configured: install the epel-release package, then the strongswan package.
On Debian-based distributions the utility that manages IPsec is the ipsec command. On Red Hat-based distributions (EPEL package) the utility is the strongswan command; both drive the same daemon.
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # before strongSwan 5.0 this is where nat_traversal=yes would go

conn %default
    ikelifetime=60m
    # keylife is the legacy name of lifetime (CHILD_SA lifetime)
    keylife=20m
    rekeymargin=3m
    # one negotiation attempt; with auto=route, traffic re-triggers it
    keyingtries=1
    authby=psk
    # MOBIKE is for roaming clients, not for a fixed site-to-site gateway
    mobike=no

conn ops
    keyexchange=ikev2
    left=10.11.4.28
    leftsubnet=192.168.200.0/24
    leftid=10.11.4.28
    # the _updown script adds FORWARD rules for the two subnets
    leftfirewall=yes
    right=150.165.85.42
    rightsubnet=192.168.15.0/24
    rightid=150.165.85.42
    # install a trap policy; the first matching packet brings the tunnel up
    auto=route
    dpdaction=hold
    dpddelay=30s
    # dpdtimeout applies to IKEv1 only; IKEv2 uses the retransmission timeout
    dpdtimeout=120s
    # aes128-sha1-modp1536 mirrors the OpenStack VPNaaS defaults
    # (AES-128, SHA-1, DH group 5); SHA-1 and group 5 are legacy choices,
    # prefer SHA-2 and group 14 or better if the remote side can offer them
    ike=aes128-sha1-modp1536
    # overrides the 60m set in %default
    ikelifetime=360000s
    # the DH group in the ESP proposal enables PFS for the CHILD_SA
    esp=aes128-sha1-modp1536
    # overrides keylife=20m set in %default
    lifetime=360000s
    type=tunnel
Where:
authby = authentication method (psk = pre-shared key).
mobike = MOBIKE protocol (RFC 4555). Lets a remote-access client move from one address to another without re-establishing all SAs with the VPN gateway; a fixed site-to-site tunnel does not need it, so it is disabled here.
conn <name> = connection name.
left = local IP.
leftsubnet = local subnet that will be exposed to the other side of the connection.
leftid = local ID (the local IP is used here).
leftfirewall = add firewall rules that allow the tunnel traffic to be forwarded.
right = remote IP.
rightsubnet = remote subnet that will be exposed to this side of the connection.
rightid = remote ID (the remote IP is used here).
ike = IKE_SA proposal: encryption algorithm, integrity algorithm and Diffie-Hellman group (IKEv1 Phase 1).
ikelifetime = IKE_SA lifetime, after which the IKE_SA is re-authenticated or rekeyed.
esp = CHILD_SA (ESP) proposal: encryption and integrity algorithms, plus a Diffie-Hellman group when PFS is wanted (IKEv1 Phase 2).
lifetime = CHILD_SA lifetime.
type = connection mode (tunnel or transport).
auto = route installs a trap policy at startup, so the first packet matching the subnets triggers the negotiation.
dpdaction = Dead Peer Detection action. hold installs a trap policy, which catches matching traffic and re-negotiates the connection on demand. restart immediately triggers an attempt to re-negotiate the connection.
These parameters determine the Diffie-Hellman group (OpenStack VPNaaS defaults to group 5, modp1536, which is what this configuration matches), and the encryption and integrity algorithms negotiated for the IKE_SA (IKEv1 Phase 1) and the CHILD_SA (IKEv1 Phase 2) between the nodes. Both peers must offer at least one common proposal; otherwise the negotiation fails with NO_PROPOSAL_CHOSEN.
An SA is a unidirectional channel. To carry traffic in both directions, two SAs are needed (one from each side to the other); strongSwan negotiates the pair as a single CHILD_SA.
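The proposals above are where a site-to-site tunnel is most often weakened, so the following script, added here as an example and not code from the original page, audits the ike= and esp= lines of an ipsec.conf for legacy components (MD5, SHA-1, DES/3DES, DH groups 1, 2 and 5) and checks that every ESP proposal carries a DH group, i.e. that the CHILD_SA has PFS. The two sample files are constructed inline: weak.conf copies the page's proposals, hardened.conf is one possible replacement and is an assumption. Its AES-GCM/ECP entry is for peers that support it; neutron VPNaaS policies are limited to the AES/SHA/MODP families (what exactly is offered depends on the release), so the aes256-sha256-modp2048 entry (group 14) is the one such a peer is most likely to match.

```shell
#!/bin/sh
# Added example, not from the original page: audit the ike= and esp= proposals
# of an ipsec.conf for legacy algorithms and check that every ESP proposal
# names a DH group (PFS). Sample files below are constructed here; the
# hardened proposals are an assumption and must be mirrored on the peer.

audit_proposal() {
    # $1 = "ike" or "esp", $2 = comma-separated proposal list.
    # Prints each legacy component found; returns 1 if there was any.
    rc=0
    for prop in $(printf '%s' "$2" | tr ',' ' '); do
        for comp in $(printf '%s' "$prop" | tr '-' ' '); do
            case "$comp" in
                md5|sha1|des|3des|null|modp768|modp1024|modp1536)
                    printf '%s: legacy component %s in %s\n' "$1" "$comp" "$prop"
                    rc=1 ;;
            esac
        done
    done
    return $rc
}

has_pfs() {
    # True only if every proposal in the list names a DH group.
    for prop in $(printf '%s' "$1" | tr ',' ' '); do
        printf '%s' "$prop" | grep -Eq '(^|-)(modp|ecp|curve25519|x25519|x448)' || return 1
    done
    return 0
}

audit_conf() {
    # $1 = path to an ipsec.conf. Returns 1 if any conn has a legacy
    # component or an ESP proposal without PFS, 0 if everything passes.
    status=0
    for key in ike esp; do
        # take the value up to the first '!' (strict flag), blank or comment
        for val in $(sed -n "s/^[[:space:]]*$key=\([^#![:space:]]*\).*/\1/p" "$1"); do
            audit_proposal "$key" "$val" || status=1
            if [ "$key" = esp ] && ! has_pfs "$val"; then
                printf 'esp: no DH group in %s (CHILD_SA without PFS)\n' "$val"
                status=1
            fi
        done
    done
    return $status
}

WORK=$(mktemp -d)
cat >"$WORK/weak.conf" <<'EOF'
# constructed sample: the page's proposals (OpenStack VPNaaS defaults)
conn ops
    keyexchange=ikev2
    ike=aes128-sha1-modp1536
    esp=aes128-sha1-modp1536
EOF
cat >"$WORK/hardened.conf" <<'EOF'
# constructed sample: AES-GCM with SHA-256 PRF and 256-bit ECDH, or
# AES-256/SHA-256 with DH group 14; the trailing '!' makes the list strict
conn ops
    keyexchange=ikev2
    ike=aes256gcm16-prfsha256-ecp256,aes256-sha256-modp2048!
    esp=aes256gcm16-ecp256,aes256-sha256-modp2048!
EOF

for f in weak hardened; do
    if audit_conf "$WORK/$f.conf"; then
        printf '%s.conf: all proposals pass\n' "$f"
    else
        printf '%s.conf: review the findings above\n' "$f"
    fi
done
```

Run it against the real /etc/strongswan/ipsec.conf with audit_conf before changing anything; whatever you tighten on the headnode must also be selectable in the OpenStack IKE and IPsec policies, or the tunnel will simply stop negotiating.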
Create ipsec.secrets
OpenStack VPNaaS only supports pre-shared key (PSK) authentication. To define the PSK strongSwan uses, edit /etc/strongswan/ipsec.secrets (on Debian the file is /etc/ipsec.secrets):
<YOUR_IP> : PSK "<PSK>"
The selector before the colon is matched against the peers' IDs; listing both ends (<LOCAL_ID> <REMOTE_ID> : PSK "<PSK>") restricts the key to this peer pair. The PSK must be the same one entered in the OpenStack site-to-site connection.
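How the PSK step and the secrets file fit together, as an added example rather than the page's own command: the script below draws a random 256-bit PSK, writes it in the ipsec.secrets format with both peer IDs as the selector, and checks that the file is readable by root only. The destination path is a temporary file here and is an assumption; on CentOS 7 the real file is /etc/strongswan/ipsec.secrets.

```shell
#!/bin/sh
# Added example, not the page's own command: generate a random PSK and write
# it to an ipsec.secrets-style file that only root can read. The destination
# path is an assumption (a temp file); the real file is
# /etc/strongswan/ipsec.secrets on CentOS 7, /etc/ipsec.secrets on Debian.

gen_psk() {
    # $1 = random bytes to draw (default 32, i.e. 256 bits). base64 output
    # contains no quotes or backslashes, so it is safe inside the "..."
    # that ipsec.secrets expects, and it pastes cleanly into OpenStack.
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

write_psk_secret() {
    # $1 = local ID, $2 = remote ID, $3 = PSK, $4 = destination file.
    # Naming both IDs limits the key to this peer pair; the page's
    # single-ID form also works but matches any peer with that ID.
    (umask 077; printf '%s %s : PSK "%s"\n' "$1" "$2" "$3" > "$4")
    chmod 600 "$4"
}

check_secret_file() {
    # $1 = secrets file. Returns 0 if the file is non-empty, mode 0600 and
    # every non-comment, non-blank line is a PSK entry; 1 otherwise.
    [ -s "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        grep -vq ' : PSK "[^"]*"$' && return 1
    return 0
}

# stand-in for /etc/strongswan/ipsec.secrets; IDs are the page's leftid/rightid
SECRETS=$(mktemp)
PSK=$(gen_psk)
write_psk_secret 10.11.4.28 150.165.85.42 "$PSK" "$SECRETS"
check_secret_file "$SECRETS" && printf 'wrote %s (%d-character PSK)\n' "$SECRETS" "${#PSK}"
```

After replacing the real secrets file, run strongswan rereadsecrets (ipsec rereadsecrets on Debian) so the running daemon picks up the new key, and paste the same PSK into the OpenStack site connection.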
On the headnode (Red Hat family; on Debian use ipsec instead of strongswan):
strongswan start
strongswan up <Connection_name>
initiating IKE_SA ops3[1] to 150.165.85.X
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 10.30.0.X[500] to 150.165.85.X[500] (596 bytes)
received packet: from 150.165.85.X[500] to 10.30.0.X[500] (392 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
authentication of '10.30.0.X' (myself) with pre-shared key
establishing CHILD_SA <Connection_name>
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.30.0.X[4500] to 150.165.85.X[4500] (332 bytes)
received packet: from 150.165.85.X[4500] to 10.30.0.X[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of '150.165.85.X' with pre-shared key successful
IKE_SA ops3[1] established between 10.30.0.X[10.30.0.X]...150.165.85.X[150.165.85.X]
scheduling reauthentication in 359673s
maximum IKE_SA lifetime 359853s
connection '<Connection_name>' established successfully
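The transcript above is what a healthy IKEv2 bring-up looks like; the script below, added here as an example and not part of the original page, picks the right strongSwan CLI for the distribution and checks the captured output of up <conn> for the facts an operator should confirm: NAT-T detected, peer authenticated with the PSK, connection established, and when reauthentication is due. The passing sample is the page's own transcript copied into a constructed file; the failing sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: choose the strongSwan CLI for
# this distribution and check the output of `<cli> up <conn>`. Sample logs
# are constructed files: up-ok.log copies the page's transcript, up-fail.log
# is a constructed timeout.

ipsec_cli() {
    # EPEL's package on the Red Hat family installs `strongswan`,
    # Debian's installs `ipsec`; both drive the same charon daemon.
    command -v strongswan 2>/dev/null || command -v ipsec 2>/dev/null
}

up_status() {
    # $1 = file holding the output of `up <conn>`. Prints a summary and
    # returns 0 only if strongSwan reported the connection established.
    if grep -q 'is behind NAT' "$1"; then
        printf 'nat-t: yes, IKE and ESP moved to UDP 4500\n'
    else
        printf 'nat-t: no, IKE on UDP 500 and ESP as IP protocol 50\n'
    fi
    # only the remote peer's line carries "successful"; ours says "(myself)"
    grep -o "authentication of '[^']*' with pre-shared key successful" "$1" |
        sed "s/authentication of '\([^']*\)'.*/peer authenticated: \1/"
    grep -q "established successfully" "$1"
}

reauth_seconds() {
    # $1 = same file. Prints the scheduled reauthentication delay in seconds
    # (below the configured ikelifetime because of rekeymargin plus the
    # random jitter strongSwan adds), or nothing if it was not scheduled.
    sed -n 's/.*scheduling reauthentication in \([0-9]*\)s.*/\1/p' "$1"
}

WORK=$(mktemp -d)
cat >"$WORK/up-ok.log" <<'EOF'
initiating IKE_SA ops3[1] to 150.165.85.X
local host is behind NAT, sending keep alives
authentication of '10.30.0.X' (myself) with pre-shared key
authentication of '150.165.85.X' with pre-shared key successful
IKE_SA ops3[1] established between 10.30.0.X[10.30.0.X]...150.165.85.X[150.165.85.X]
scheduling reauthentication in 359673s
maximum IKE_SA lifetime 359853s
connection 'ops' established successfully
EOF
cat >"$WORK/up-fail.log" <<'EOF'
initiating IKE_SA ops3[1] to 150.165.85.X
sending packet: from 10.30.0.X[500] to 150.165.85.X[500] (596 bytes)
retransmit 1 of request with message ID 0
establishing connection 'ops' failed
EOF

CLI=$(ipsec_cli) || CLI='(strongswan/ipsec not installed on this host)'
printf 'cli: %s\n' "$CLI"
for f in up-ok up-fail; do
    if up_status "$WORK/$f.log"; then
        printf '%s: established, reauthentication in %ss\n' "$f" "$(reauth_seconds "$WORK/$f.log")"
    else
        printf '%s: NOT established, check proposals, PSK and firewall (UDP 500/4500, ESP)\n' "$f"
    fi
done
```

A retransmit loop with no IKE_SA_INIT response, as in the failing sample, almost always means UDP 500 or 4500 is blocked or the peer address is wrong; a response followed by an authentication failure points at the PSK or the IDs in ipsec.secrets.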
As of strongSwan 5.0, NAT traversal is automatic and needs no configuration [3].
References:
[1] https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal
[2] https://doc.pfsense.org/index.php/IPsec_Troubleshooting#NAT_Problems
[3] https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#Server_behind_NAT
[4] https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
Files
ike0.png 59,2 KB 21/06/2017 Luis Eduardo
ipsecp0.png 62,9 KB 21/06/2017 Luis Eduardo
site-2-site.png 44 KB 21/06/2017 Luis Eduardo
vpn0.png 32,2 KB 21/06/2017 Luis Eduardo