| | FreeBSD | TP-Link |
|---|---|---|
| WAN | 192.0.2.105/24 | 198.51.100.106/24 |
| LAN | 10.0.1.1/24 | 10.0.0.1/24 |
TP-Link config
IKE Policy
Auth: SHA1
Encryption: AES256
DH Group: DH2
psk: mysupersecret
SA lifetime: 28800
DPD: enable
DPD Interval: 60
IPsec Policy
Security Protocol: ESP
Auth Algorithm: SHA1
Encryption Algorithm: AES256
PFS Group: DH2
Lifetime: 28800
Local Subnet: 10.0.0.0/24
Remote Subnet: 10.0.1.0/24
Remote Gw: 192.0.2.105
FreeBSD config
Install security/strongswan, then create /usr/local/etc/ipsec.conf:
Code:
# ipsec.conf - strongSwan IPsec configuration file
# Note: parameters of a section must be indented; a line starting in
# column 0 begins a new section.

# basic configuration
config setup
        strictcrlpolicy=no
        #uniqueids = no

# Add connections here.
conn R600VPN
        keyexchange=ikev1
        ikelifetime=28800
        lifetime=3600
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1-modp1024!
        auto=add
        left=192.0.2.105
        leftid=192.0.2.105
        leftauth=psk
        rightauth=psk
        leftsubnet=10.0.1.0/24
        leftfirewall=yes
        right=198.51.100.106
        rightid=198.51.100.106
        rightsubnet=10.0.0.0/24
        dpdaction=clear
        # must be yes: rekey=no produces the "Life Duration" error (see EDIT at the end)
        rekey=yes
/usr/local/etc/ipsec.secrets
Code:
192.0.2.105 198.51.100.106 : PSK "mysupersecret"
Enable the service at boot:
sysrc strongswan_enable="yes"
You also need to enable IP forwarding (routing):
sysctl net.inet.ip.forwarding=1
and, to make it persistent across reboots, add it to /etc/rc.conf:
sysrc gateway_enable="yes"
Start strongSwan:
service strongswan start
Check the status on FreeBSD and on the TP-Link (under IPsec VPN -> SA List):
service strongswan statusall
Code:
Status of IKE charon daemon (strongSwan 5.8.4, FreeBSD 12.1-RELEASE-p3, amd64):
uptime: 18 minutes, since May 02 20:17:08 2020
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
10.0.1.1
192.0.2.105
Connections:
R600VPN: 192.0.2.105...198.51.100.106 IKEv1, dpddelay=30s
R600VPN: local: [192.0.2.105] uses pre-shared key authentication
R600VPN: remote: [198.51.100.106] uses pre-shared key authentication
R600VPN: child: 10.0.1.0/24 === 10.0.0.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
R600VPN[1]: ESTABLISHED 18 minutes ago, 192.0.2.105[192.0.2.105]...198.51.100.106[198.51.100.106]
R600VPN[1]: IKEv1 SPIs: f6d8e8b84c189218_i 736e6249239400ef_r*, rekeying disabled
R600VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
R600VPN{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf186482_i 0b180379_o
R600VPN{1}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i (0 pkts, 1089s ago), 0 bytes_o, rekeying disabled
R600VPN{1}: 10.0.1.0/24 === 10.0.0.0/24
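A small checker for that status output, added here as an example (not code from the original post or from strongSwan): it parses `service strongswan statusall` output to confirm the IKE_SA and CHILD_SA are up and flags the settings above that a reviewer would question (IKEv1, SHA-1, 1024-bit DH, rekeying disabled). The sample text is the output shown above; the WEAK table is an assumed local policy, not a strongSwan default.

```python
import re

# Constructed sample: the `service strongswan statusall` output shown above,
# reduced to the lines this checker reads.
SAMPLE_STATUS = """\
Connections:
     R600VPN:  192.0.2.105...198.51.100.106  IKEv1, dpddelay=30s
     R600VPN:   child:  10.0.1.0/24 === 10.0.0.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
     R600VPN[1]: ESTABLISHED 18 minutes ago, 192.0.2.105[192.0.2.105]...198.51.100.106[198.51.100.106]
     R600VPN[1]: IKEv1 SPIs: f6d8e8b84c189218_i 736e6249239400ef_r*, rekeying disabled
     R600VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     R600VPN{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf186482_i 0b180379_o
     R600VPN{1}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i (0 pkts, 1089s ago), 0 bytes_o, rekeying disabled
     R600VPN{1}:   10.0.1.0/24 === 10.0.0.0/24
"""

# Proposal tokens this checker warns about (an assumed local policy, not a
# strongSwan default; strongSwan itself still accepts all of them).
WEAK = {
    "MODP_1024": "1024-bit DH group (DH2)",
    "HMAC_SHA1_96": "SHA-1 integrity",
    "PRF_HMAC_SHA1": "SHA-1 PRF",
}

def check_status(text, conn):
    """Return (tunnel_up, findings) for connection `conn` in statusall output."""
    c = re.escape(conn)
    ike_up = re.search(rf"{c}\[\d+\]: ESTABLISHED", text) is not None
    child_up = re.search(rf"{c}\{{\d+\}}:\s+INSTALLED", text) is not None
    findings = []
    if not ike_up:
        findings.append("IKE_SA not ESTABLISHED")
    if not child_up:
        findings.append("CHILD_SA not INSTALLED")
    if "rekeying disabled" in text:
        findings.append("rekeying disabled (rekey=no): SAs expire instead of being renewed")
    m = re.search(r"IKE proposal: (\S+)", text)
    if m:
        for alg in m.group(1).split("/"):
            if alg in WEAK:
                findings.append(f"IKE proposal uses {WEAK[alg]}")
    if re.search(rf"{c}:\s+\S+\.\.\.\S+\s+IKEv1\b", text):
        findings.append("IKEv1 in use; prefer IKEv2 where the peer supports it")
    return ike_up and child_up, findings
```

On the live system, feed it the real output: `check_status(subprocess.run(["service", "strongswan", "statusall"], capture_output=True, text=True).stdout, "R600VPN")`.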
For troubleshooting, enable the file logger in strongSwan by editing
/usr/local/etc/strongswan.d/charon-logging.conf:
Code:
charon {

    # Section to define file loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    filelog {

        # <name> may be the full path to the log file if it only contains
        # characters permitted in section names. Is ignored if path is
        # specified.
        mylog {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # If this option is enabled log entries are appended to the existing
            # file.
            append = yes

            # Default loglevel.
            default = 1

            # Enabling this option disables block buffering and enables line
            # buffering.
            # flush_line = no

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no

            # Optional path to the log file. Overrides the section name. Must be
            # used if the path contains characters that aren't allowed in
            # section names.
            path = /var/log/charon.log

            # Adds the milliseconds within the current second after the
            # timestamp (separated by a dot, so time_format should end with %S
            # or %T).
            # time_add_ms = no

            # Prefix each log entry with a timestamp. The option accepts a
            # format string as passed to strftime(3).
            time_format = %b %e %T
        }
    }

    # Section to define syslog loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    syslog {

        # Identifier for use with openlog(3).
        # identifier =

        # <facility> is one of the supported syslog facilities, see LOGGER
        # CONFIGURATION in strongswan.conf(5).
        # <facility> {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # Default loglevel.
            # default = 1

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no
        # }
    }
}
Dump the kernel security policy database (SPD) and security association database (SAD):
setkey -DP
setkey -D
strongSwan installs the route to the remote subnet when the connection comes up, so no static route is needed:
netstat -rn4
Code:
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.0.2.1 UGS em1
10.0.0.0/24 198.51.100.106 US em1
10.0.1.0/24 link#1 U em0
10.0.1.1 link#1 UHS lo0
127.0.0.1 link#2 UH lo0
192.0.2.0/24 link#3 U em1
192.0.2.105 link#3 UHS lo0
Check the ESP traffic counters:
netstat -s -p esp
esp:
0 packets shorter than header shows
0 packets dropped; protocol family not supported
0 packets dropped; no TDB
0 packets dropped; bad KCR
0 packets dropped; queue full
0 packets dropped; no transform
0 packets dropped; bad ilen
0 replay counter wraps
0 packets dropped; bad encryption detected
0 packets dropped; bad authentication detected
0 possible replay packets detected
267 packets in
267 packets out
0 packets dropped; invalid TDB
17088 bytes in
16020 bytes out
0 packets dropped; larger than IP_MAXPACKET
0 packets blocked due to policy
0 crypto processing failures
0 tunnel sanity check failures
ESP output histogram:
rijndael-cbc: 534
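To tell whether traffic is really flowing through the tunnel and whether the kernel is dropping ESP packets, this added example (not part of the original post) parses two `netstat -s -p esp` snapshots and reports the counters that changed. The first snapshot is the output above, abbreviated; the second is constructed by hand from it.

```python
import re

# Constructed sample: a `netstat -s -p esp` snapshot (the counters from this
# post, abbreviated) and a later snapshot edited by hand so that traffic has
# flowed and one packet failed authentication.
SNAP_T0 = """\
esp:
    0 packets shorter than header shows
    0 packets dropped; bad encryption detected
    0 packets dropped; bad authentication detected
    0 possible replay packets detected
    267 packets in
    267 packets out
    17088 bytes in
    16020 bytes out
    0 crypto processing failures
"""
SNAP_T1 = (SNAP_T0.replace("267 packets in", "310 packets in")
                  .replace("267 packets out", "305 packets out")
                  .replace("0 packets dropped; bad authentication",
                           "1 packets dropped; bad authentication"))

# "<count> <description>" lines; headings such as "esp:" do not match.
COUNTER = re.compile(r"^\s*(\d+) (.+?)\s*$")

def parse_esp(text):
    """Map each counter description to its value, e.g. {'packets in': 267}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters

def esp_delta(before, after):
    """Return only the counters that changed between two snapshots."""
    b, a = parse_esp(before), parse_esp(after)
    return {k: a[k] - b.get(k, 0) for k in a if a[k] != b.get(k, 0)}

def esp_findings(delta):
    """Classify a delta: is traffic flowing, and did any error counter move?"""
    findings = []
    if delta.get("packets in", 0) <= 0 or delta.get("packets out", 0) <= 0:
        findings.append("no ESP traffic in one or both directions")
    for name, n in delta.items():
        if n and re.search(r"dropped|failures|replay", name):
            findings.append(f"{name}: +{n}")
    return findings
```

On the live system, save `netstat -s -p esp` to a file, wait a minute, save it again, and pass both texts to esp_delta.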
EDIT:
rekey=yes fixes the Life Duration error in
type=Life Duration, flag=0x8000