I set up a simple IPsec IKEv2 VPN. It works fine, but how do I get details about the network information?
- Where is the interface tun0 or gif0 or whatever is holding the VPN client's IPs 10.11.12.0/24
- Where is the routing table stored? I can't see anything different on
netstat -rn
- I still can't use Multiple-NAT clients behind the same NAT device. I was under the impression that IKEv2 did not have this same problem as L2TP-IKEv1
=============================
Here is the detail of my setup using security/strongswan on FreeBSD-11.0-RELEASE.
I will detail my installation for whoever is interested in setting up a very plain IKEv2 VPN.
1. Custom KERNEL:
FreeBSD-11 comes pre-built with IPSEC now, but you still need a custom KERNEL if you need NAT Traversal (NAT_T).
So I created a custom KERNEL using:
make buildkernel KERNCONF=GENERIC_IPSEC && make installkernel KERNCONF=GENERIC_IPSEC && reboot
with file: /sys/amd64/conf/GENERIC_IPSEC
Code:
include GENERIC
ident GENERIC_IPsec
# Options for an IPsec enabled kernel
#options IPSEC #already included with GENERIC on FreeBSD11
#device crypto #already included with GENERIC on FreeBSD11
options IPSEC_NAT_T
2. Customizing IPsec:
install security/strongswan:
/usr/local/etc/ipsec.conf
Code:
conn nat-t
        keyexchange=ikev2
        mobike=yes
        dpdaction=restart
        dpddelay=5
        authby=psk
        left=%defaultroute
        #leftsubnet=0.0.0.0/0 #does not work
        leftsubnet=128.0.0.0/1,0.0.0.0/1
        leftfirewall=no
        right=%any
        rightsubnet=10.11.12.0/24
        rightsourceip=10.11.12.0/24
        auto=add
/usr/local/etc/ipsec.secrets
Code:
: PSK "My_Very_Good_Secret"
Activate service:
service strongswan onestart
3. Create NAT rules
A few ipfw(8) rules to set up NAT:
Code:
/sbin/kldload ipfw_nat
/sbin/ipfw nat 8668 config same_ports ip my-ipsec-server.example.com
/sbin/ipfw add 2000 nat 8668 ip from 10.11.12.0/24 to any out xmit em0
/sbin/ipfw add 2010 nat 8668 ip from any to my-ipsec-server.example.com in recv em0
4. Setup client VPN
In my case, it's an iPhone, a simple config:
Code:
Settings -> VPN -> Add VPN Configurations:
Type: IKEv2
Description: MyIKEv2
Server: my-ipsec-server.example.com
RemoteID: anything-works
LocalID: anything-works-too
User Authentication: None
Use Certificate: off
Secret: My_Very_Good_Secret
=====================
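Added example, not part of the original post or of the strongSwan project: a small script for checking where a strongSwan/kernel-IPsec tunnel actually lives on FreeBSD. With the setup above, the kernel does not create a tun0/gif0 interface and adds no route that `netstat -rn` would show; strongSwan installs security policies into the kernel SPD and keys into the SAD, and traffic matching a policy is encapsulated in ESP on its way out. `setkey -DP` lists those policies, `setkey -D` the live SAs, and `ipsec statusall` strongSwan's own view, including the virtual IP handed to each client. The `setkey -DP` sample below is constructed (documentation addresses, not captured from a real host) so the parser can be exercised offline; `spd_summary` and `show_ipsec_state` are helper names chosen here, not strongSwan or FreeBSD commands.

```shell
#!/bin/sh
# Added example (not from the original post): inspecting kernel IPsec state on
# FreeBSD, where strongSwan installs policies into the kernel SPD instead of
# creating a tun0/gif0 interface or adding routes visible in `netstat -rn`.

# Constructed sample of `setkey -DP` output for one connected client
# (virtual IP 10.11.12.1) that negotiated the 0.0.0.0/1 half of the split
# leftsubnet. Addresses are documentation ranges, not captured from a host.
SAMPLE_SPD='10.11.12.1[any] 0.0.0.0/1[any] any
	in ipsec
	esp/tunnel/192.0.2.20-203.0.113.5/unique:1
	spid=2 seq=1 pid=1234
	refcnt=1
0.0.0.0/1[any] 10.11.12.1[any] any
	out ipsec
	esp/tunnel/203.0.113.5-192.0.2.20/unique:1
	spid=1 seq=0 pid=1234
	refcnt=1'

# Reads `setkey -DP` output on stdin and prints one line per policy:
#   <dir> <inner-src> -> <inner-dst> via <outer-src>-><outer-dst>
spd_summary() {
    awk '
        # selector line (no leading whitespace): "src[port] dst[port] proto"
        /^[^ \t]/ {
            src = $1; dst = $2
            sub(/\[.*\]/, "", src); sub(/\[.*\]/, "", dst)
            next
        }
        # direction line: "in ipsec" / "out ipsec"
        $1 == "in" || $1 == "out" { dir = $1; next }
        # ipsec request: "esp/tunnel/<outer-src>-<outer-dst>/<level>"
        /^[ \t]*esp\/tunnel\// {
            split($1, f, "/")
            split(f[3], ends, "-")
            printf "%s %s -> %s via %s->%s\n", dir, src, dst, ends[1], ends[2]
        }
    '
}

# On the VPN server itself these are the places to look (run as root;
# setkey and the strongSwan `ipsec` wrapper are the real FreeBSD commands):
show_ipsec_state() {
    echo "== SPD: policies, i.e. which traffic selectors get tunnelled =="
    setkey -DP | spd_summary
    echo "== SAD: live SAs with SPIs, algorithms and lifetimes =="
    setkey -D
    echo "== strongSwan: IKE_SAs, CHILD_SAs and assigned virtual IPs =="
    ipsec statusall
}

# Demonstrate the parser on the constructed sample.
printf '%s\n' "$SAMPLE_SPD" | spd_summary
```

On a live server, `show_ipsec_state` is what to run; one SPD entry pair per connected client (two pairs with the 128.0.0.0/1,0.0.0.0/1 split) is the expected picture, and a client that shows up in `ipsec statusall` but has no SPD entries points at a policy-installation problem rather than at routing.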