Skip to content

Instantly share code, notes, and snippets.

@daks
Last active July 12, 2023 09:10
Show Gist options
  • Save daks/4b93210dd8b4c85292d68664b6e82d80 to your computer and use it in GitHub Desktop.
Save daks/4b93210dd8b4c85292d68664b6e82d80 to your computer and use it in GitHub Desktop.
strongswan swanctl IPSec tunnels
Configuration files for strongswan to create an IPSec tunnel between two peers: peer1 which has IP 192.168.231.1 and peer2
with IP 192.168.231.2.
Tunnel will be established between those two IPs and each peer will have an in-tunnel network subnet of 10.0.1.0/24 for peer1
and 10.0.2.0/24 for peer2.
swanctl configuration is used, and XFRM interfaces too
# /etc/swanctl/conf.d/peer1.conf on peer1
connections {
# Section for an IKE connection named <conn>.
peer1-to-peer2 {
# IKE major version to use for connection.
version = 2
# Local address(es) to use for IKE communication, comma separated.
local_addrs = 192.168.231.1
# Remote address(es) to use for IKE communication, comma separated.
remote_addrs = 192.168.231.2
# Default inbound XFRM interface ID for children.
if_id_in = 1
# Default outbound XFRM interface ID for children.
if_id_out = 1
# Section for a local authentication round.
local {
auth = psk
id = peer1
}
# Section for a remote authentication round.
remote {
auth = psk
id = peer2
}
# useful options to control tunnel behaviour, adapt to your needs
mobike = no
encap = no
rekey_time = 1200s
dpd_delay = 1m
children {
# CHILD_SA configuration sub-section.
peer1-to-peer2 {
start_action = start
# updown script to enable/disable the XFRM interface
updown = /usr/local/bin/strongswan_updown.sh
# Local traffic selectors to include in CHILD_SA.
local_ts = 10.0.1.0/24
# Remote selectors to include in CHILD_SA.
remote_ts = 10.0.2.0/24
}
}
}
}
secrets {
ike-peer1-to-peer2 {
id = peer1
id = peer2
secret = STRONG-PASSWORD-PEER1-TO-PEER2
}
}
# /etc/swanctl/conf.d/peer2.conf on peer2
connections {
# Section for an IKE connection named <conn>.
peer2-to-peer1 {
# IKE major version to use for connection.
version = 2
# Local address(es) to use for IKE communication, comma separated.
local_addrs = 192.168.231.2
# Remote address(es) to use for IKE communication, comma separated.
remote_addrs = 192.168.231.1
# Default inbound XFRM interface ID for children.
if_id_in = 1
# Default outbound XFRM interface ID for children.
if_id_out = 1
# Section for a local authentication round.
local {
auth = psk
id = peer2
}
# Section for a remote authentication round.
remote {
auth = psk
id = peer1
}
# useful options to control tunnel behaviour, adapt to your needs
mobike = no
encap = no
rekey_time = 1200s
dpd_delay = 1m
children {
# CHILD_SA configuration sub-section.
peer2-to-peer1 {
start_action = start
# updown script to enable/disable the XFRM interface
updown = /usr/local/bin/strongswan_updown.sh
# Local traffic selectors to include in CHILD_SA.
local_ts = 10.0.2.0/24
# Remote selectors to include in CHILD_SA.
remote_ts = 10.0.1.0/24
}
}
}
}
secrets {
ike-peer2-to-peer1 {
id = peer2
id = peer1
secret = STRONG-PASSWORD-PEER1-TO-PEER2
}
}
#!/bin/bash -e
# shell script to use with Strongswan updown plugin https://docs.strongswan.org/docs/5.9/plugins/updown.html
# This is just an example script which must be adapted to your needs
#
# creates XFRM interface with `if_id` from strongswan swanctl connection
# assigns it the IP address from the connection local_ts
# NEEDED? set charon.install_virtual_ip = no to prevent the daemon from also installing the VIP
set -o nounset
set -o errexit
XFRM_IF="ipsec${PLUTO_IF_ID_OUT}"
case "${PLUTO_VERB}" in
up-client)
ip link add "${XFRM_IF}" type xfrm dev lo \
if_id "${PLUTO_IF_ID_OUT}"
#ip link set "${XFRM_IF}" mtu 1360
ip link set "${XFRM_IF}" up
ip route add "${PLUTO_PEER_CLIENT}" dev "${XFRM_IF}"
ip addr add ${PLUTO_MY_CLIENT} dev "${XFRM_IF}"
#sysctl -w "net.ipv4.conf.${XFRM_IF}.disable_policy=1"
;;
down-client)
ip link del "${XFRM_IF}"
;;
esac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment