I have the latest security/strongswan (v5.5.1) installed from ports on all of my FreeBSD machines, and I use it to establish IPsec IKEv2 VPN tunnels between the respective sites.

Has anybody got strongSwan configured for a certificate-based site-to-site VPN tunnel?
I use FreeBSD 11.0 with StrongSwan 5.4.
# ipsec.conf on the VPN "service" (responder) side of the working setup
# whose logs appear further down.
# NOTE(review): ipsec.conf(5) requires the parameters of a section to be
# indented; the indentation appears to have been lost in this paste.
conn IKEv2-Tunnel
# IKEv2 only, no IKEv1 fallback for this conn.
keyexchange = ikev2
# Fixed site-to-site endpoints: MOBIKE address roaming is not needed.
mobike = no
# Our end-entity certificate; the matching private key is named in
# ipsec.secrets (last line of this listing).
leftcert = ipsec-service-cert.pem
# FQDN identity ("@" = taken literally, not DNS-resolved). It has to be
# present in the certificate (subjectAltName), otherwise strongSwan logs a
# warning and uses the certificate's subject DN as the identity instead.
# NOTE(review): the logs below show both peers authenticating as their
# certificate DNs, which hints at exactly that fallback; names in the logs
# are obfuscated, though, so confirm against the real certificate.
leftid = @service.example.com
# Local address taken from the interface of the default route.
left = %defaultroute
# Local network offered in the traffic selectors (the logs show
# TS 192.168.1.0/24 === 192.168.2.0/24 once the CHILD_SA is up).
leftsubnet = 192.168.1.0/24
# The client is pinned by its certificate rather than by a configured
# identity: with rightid = %any the identity is derived from this certificate
# (the responder log matches the peer config on the client cert's DN).
# NOTE(review): for defence in depth set rightid to the client certificate's
# DN explicitly instead of relying on %any.
rightcert = ipsec-clients-cert.pem
rightid = %any
# Accept IKE from any source address (the client sits behind NAT per the log).
right = %any
rightsubnet = 192.168.2.0/24
# Load at startup but only respond; the client side initiates.
# NOTE(review): the logs report "certificate status is not available" - no
# CRL or OCSP source is configured, so a compromised client key cannot be
# revoked short of replacing the cert; a CRL under
# /usr/local/etc/ipsec.d/crls/ (loaded at startup per the log) would fix that.
auto = add
# ipsec.secrets (separate file, keep it mode 0600 root-only): the RSA private
# key for leftcert. Bare file names resolve under /usr/local/etc/ipsec.d/private/
# (see the "loaded RSA private key from ..." log line).
: RSA ipsec-service-key.pem
# ipsec.conf on the VPN "client" (initiator) side of the working setup.
# NOTE(review): parameter lines must be indented in the real file; the
# indentation appears to have been lost in this paste.
conn IKEv2-Tunnel
keyexchange = ikev2
mobike = no
# Our end-entity certificate; private key named in ipsec.secrets below.
leftcert = ipsec-clients-cert.pem
# E-mail style (user-FQDN) identity. Same caveat as on the service side: it
# must be contained in the certificate's subjectAltName, otherwise strongSwan
# falls back to the certificate's subject DN (the client log shows
# authentication as "C=DE, O=Example, CN=ipsec-clients.example.com").
leftid = client-X@example.com
# "left" is not set, so strongSwan picks the local address itself; the log
# shows the client sending from 192.168.2.1 behind NAT.
leftsubnet = 192.168.2.0/24
# The service is pinned by its certificate AND by its FQDN identity; the
# responder must present exactly this certificate.
rightcert = ipsec-service-cert.pem
rightid = @service.example.com
# Peer given by host name; it is resolved by the daemon, so name resolution
# has to work when strongswan starts (auto = start initiates immediately).
right = service.example.com
rightsubnet = 192.168.1.0/24
# This side initiates at daemon start ("received stroke: initiate" in the log).
auto = start
# ipsec.secrets (separate file, mode 0600 root-only): RSA private key for
# leftcert, looked up under /usr/local/etc/ipsec.d/private/.
: RSA ipsec-clients-key.pem
`ipsec statusall` reports:
Security Associations (0 up, 0 connecting)
# /etc/rc.conf on the VPN "service" gateway (service.c.com).
hostname="service.c.com"
#External Network
# NOTE(review): a /8 netmask on the external link is very wide; confirm it is
# intended (the peer's 10.0.0.2 is in the same /8 either way).
ifconfig_ue0="inet 10.0.0.1 netmask 255.0.0.0"
#Internal Network
ifconfig_ue1="inet 192.168.1.1 netmask 255.255.255.0"
#IP Forwarding
# Required: the gateway forwards the internal subnet into the tunnel.
gateway_enable="YES"
#Default Gateway
# The default route points at the other VPN gateway's external address
# (10.0.0.2 in its rc.conf), i.e. the two boxes appear to be linked directly.
defaultrouter="10.0.0.2"
#Static Route
# Route for the remote subnet towards the peer; the kernel IPsec policy that
# charon installs then wraps that traffic in ESP.
static_routes="vpn"
route_vpn="-net 192.168.2.0/24 10.0.0.2"
#IP Security
strongswan_enable="YES"
#Packet Filter
# NOTE(review): the rules file lives under the racoon directory, presumably
# carried over from an earlier racoon setup. Whatever it contains, it has to
# pass UDP/500 and UDP/4500 (IKE and IKE NAT-T) plus ESP (IP proto 50) on ue0
# and pass the forwarded 192.168.x.0/24 traffic; a filter that drops IKE is
# one way to end up with "0 up, 0 connecting" in ipsec statusall. Blocked
# packets show up in /var/log/pflog (pflog is enabled below).
pf_enable="YES"
pf_rules="/usr/local/etc/racoon/filter.conf"
pflog_enable="YES"
# No remote shell on the gateway: fine for a dedicated box, but console
# access is then the only way in.
sshd_enable="NO"
powerd_enable="YES"
# Nice if you have a network, else annoying.
#ntpd_enable="YES"
# NOTE(review): ntpd_sync_on_start only takes effect when ntpd is enabled.
# With ntpd_enable commented out, a board without a battery-backed RTC (the
# SD-card/growfs entries below suggest an RPi-style image) may boot with a
# wrong clock, and certificate-based IKE authentication fails whenever the
# clock is outside the certificates' validity window.
ntpd_sync_on_start="YES"
# Uncomment to disable common services (more memory)
#cron_enable="NO"
#syslogd_enable="NO"
# Mail fully disabled (stock image default).
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# On first boot, enlarge the root filesystem to fill the SD card
growfs_enable="YES"
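# ipsec.conf on the VPN "service" (responder) side.
#
# Review fix: the %default section used the keyword "keyintries", which does
# not exist (the client side spells it "keyingtries"). strongSwan's starter
# reports unknown keywords as configuration errors, so this file was at risk
# of not being loaded at all; the typo is corrected here. Section parameters
# are also indented, as ipsec.conf(5) requires.
config setup

conn %default
        # Re-authenticate the IKE_SA after an hour, rekey each CHILD_SA after
        # 20 minutes, and start either 3 minutes ahead of expiry.
        ikelifetime = 60m
        keylife = 20m
        rekeymargin = 3m
        # One attempt per initiation; no endless retry loop.
        keyingtries = 1
        # IKEv2 only, no IKEv1 fallback.
        keyexchange = ikev2
        # Explicit proposals: AES-256, SHA-2 integrity, 4096-bit MODP DH for
        # both ESP and IKE. Without these lines strongSwan offers its built-in
        # defaults, and the weak plugins in the daemon's load list (md5, des,
        # blowfish, rc2 ...) would become negotiable.
        esp = aes256-sha256-modp4096
        ike = aes256-sha512-modp4096
        # Fixed site-to-site endpoints: MOBIKE address roaming is not needed.
        mobike = no

conn IKEv2-Tunnel
        # Our end-entity certificate; its private key is named in
        # ipsec.secrets (last line of this listing).
        leftcert = ipsec-service-cert.pem
        # FQDN identity ("@" = taken literally, not DNS-resolved). It must be
        # present in the certificate's subjectAltName, otherwise strongSwan
        # logs a warning and uses the certificate's subject DN instead.
        leftid = @service.c.com
        # Local address from the interface of the default route.
        left = %defaultroute
        leftsubnet = 192.168.1.0/24
        # The client is pinned by its certificate; with rightid = %any its
        # identity is derived from that certificate. NOTE(review): for
        # defence in depth set rightid to the client certificate's DN
        # explicitly rather than relying on %any.
        rightcert = ipsec-clients-cert.pem
        rightid = %any
        # Accept IKE from any source address.
        right = %any
        rightsubnet = 192.168.2.0/24
        # Load at startup and wait for the client to initiate.
        auto = add

# ipsec.secrets (separate file, keep it mode 0600 root-only): RSA private key
# for leftcert; bare file names are looked up under
# /usr/local/etc/ipsec.d/private/.
: RSA ipsec-service-key.pem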
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
#
# NOTE(review): this is the stock file as shipped with the port; nothing
# site-specific has been added.
charon {
# Build the plugin load list from the per-plugin files in strongswan.d/charon/
# instead of a fixed "load =" line. That is why the daemon logs show md4, md5,
# des, blowfish, rc2 and the whole eap-*/xauth family loaded. They are not
# used as long as ike=/esp= pin the proposals, but any plugin this
# site-to-site tunnel does not need can be switched off in its
# strongswan.d/charon/<plugin>.conf ("load = no") to shrink the attack surface.
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
# Daemon-wide settings (charon.*, libstrongswan.*) live in these files.
include strongswan.d/*.conf
# /etc/rc.conf on the VPN "client" gateway (clients.c.com); mirror image of
# the service side.
hostname="clients.c.com"
#External Network
# NOTE(review): /8 netmask on the external link; confirm it is intended.
ifconfig_ue0="inet 10.0.0.2 netmask 255.0.0.0"
#Internal Network
ifconfig_ue1="inet 192.168.2.2 netmask 255.255.255.0"
#IP Forwarding
# Required: the gateway forwards the internal subnet into the tunnel.
gateway_enable="YES"
#Default Gateway
# Points at the service gateway's external address (10.0.0.1 in its rc.conf).
defaultrouter="10.0.0.1"
#Static Route
# Route for the remote subnet towards the peer; charon's kernel IPsec policy
# then wraps that traffic in ESP.
static_routes="vpn"
route_vpn="-net 192.168.1.0/24 10.0.0.1"
#IP Security
strongswan_enable="YES"
#Packet Filter
# NOTE(review): rules file under the racoon directory, presumably left over
# from a racoon setup. It has to pass UDP/500, UDP/4500 and ESP (IP proto 50)
# on ue0 and the forwarded 192.168.x.0/24 traffic; since this side initiates,
# a filter that drops the outbound IKE_SA_INIT or the reply leaves the tunnel
# at "0 up, 0 connecting". Check /var/log/pflog when it stalls.
pf_enable="YES"
pf_rules="/usr/local/etc/racoon/filter.conf"
pflog_enable="YES"
sshd_enable="NO"
powerd_enable="YES"
# Nice if you have a network, else annoying.
#ntpd_enable="YES"
# NOTE(review): ntpd_sync_on_start has no effect while ntpd_enable is
# commented out. Without a battery-backed RTC (SD-card/growfs entries suggest
# an RPi-style image) the clock may be wrong at boot, and certificate
# validation - and with it IKE authentication - fails outside the
# certificates' validity window.
ntpd_sync_on_start="YES"
# Uncomment to disable common services (more memory)
#cron_enable="NO"
#syslogd_enable="NO"
# Mail fully disabled (stock image default).
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# On first boot, enlarge the root filesystem to fill the SD card
growfs_enable="YES"
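# ipsec.conf on the VPN "client" (initiator) side.
#
# Review fix: the defaults section was spelled "conn $default". Only the name
# "%default" is special to ipsec.conf; "$default" is just an ordinary conn
# that nothing refers to, so IKEv2-Tunnel inherited none of these settings -
# no pinned proposals (ike=/esp=), no lifetimes, no keyingtries and no explicit
# keyexchange = ikev2. Corrected here, and section parameters indented as
# ipsec.conf(5) requires.
config setup

conn %default
        # Re-authenticate the IKE_SA after an hour, rekey each CHILD_SA after
        # 20 minutes, and start either 3 minutes ahead of expiry.
        ikelifetime = 60m
        keylife = 20m
        rekeymargin = 3m
        # One attempt per initiation; no endless retry loop.
        keyingtries = 1
        # IKEv2 only, no IKEv1 fallback.
        keyexchange = ikev2
        # Explicit proposals: AES-256, SHA-2 integrity, 4096-bit MODP DH.
        # These must match what the service side offers.
        esp = aes256-sha256-modp4096
        ike = aes256-sha512-modp4096
        # Fixed site-to-site endpoints: MOBIKE address roaming is not needed.
        mobike = no

conn IKEv2-Tunnel
        # Our end-entity certificate; private key named in ipsec.secrets below.
        leftcert = ipsec-clients-cert.pem
        # E-mail style (user-FQDN) identity. It has to be contained in the
        # certificate's subjectAltName, otherwise strongSwan logs a warning and
        # uses the certificate's subject DN as the identity instead.
        leftid = clients@c.com
        # "left" is not set: strongSwan picks the local address itself.
        leftsubnet = 192.168.2.0/24
        # The service is pinned by its certificate and its FQDN identity.
        rightcert = ipsec-service-cert.pem
        rightid = @service.c.com
        # Peer by host name; it is resolved by the daemon, so name resolution
        # must work when strongswan starts, because auto = start initiates
        # right away.
        right = service.c.com
        rightsubnet = 192.168.1.0/24
        # This side initiates at daemon start.
        auto = start

# ipsec.secrets (separate file, keep it mode 0600 root-only): RSA private key
# for leftcert, looked up under /usr/local/etc/ipsec.d/private/.
: RSA ipsec-clients-key.pem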
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
#
# NOTE(review): stock file as shipped with the port, identical on both
# gateways; nothing site-specific here.
charon {
# Plugin load list comes from the per-plugin files in strongswan.d/charon/.
# The daemon logs show the result: md4, md5, des, blowfish, rc2 and the
# eap-*/xauth plugins are loaded although this tunnel never uses them. They
# stay out of the negotiation while ike=/esp= pin the proposals, but can be
# disabled in strongswan.d/charon/<plugin>.conf ("load = no") to reduce the
# attack surface.
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
# Daemon-wide settings (charon.*, libstrongswan.*) live in these files.
include strongswan.d/*.conf
service strongswan restart
on the VPN-Service machine and then on the VPN-Client machine, the respective logs on my systems show the following (IP addresses and domain names are obfuscated):

Jan 3 18:09:08 obsigna charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, FreeBSD 11.0-RELEASE-p6, amd64)
Jan 3 18:09:08 obsigna charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jan 3 18:09:08 obsigna charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Jan 3 18:09:08 obsigna charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jan 3 18:09:08 obsigna charon: 00[CFG] loaded ca certificate "C=DE, O=Example, CN=example.com CA" from '/usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem'
Jan 3 18:09:08 obsigna charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jan 3 18:09:08 obsigna charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jan 3 18:09:08 obsigna charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jan 3 18:09:08 obsigna charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jan 3 18:09:08 obsigna charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jan 3 18:09:08 obsigna charon: 00[CFG] loaded IKE secret for %any
Jan 3 18:09:08 obsigna charon: 00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/ipsec-clients-key.pem'
Jan 3 18:09:08 obsigna charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Jan 3 18:09:08 obsigna charon: 00[JOB] spawning 16 worker threads
Jan 3 18:09:08 obsigna charon: 06[CFG] received stroke: add connection 'IKEv2-Tunnel'
Jan 3 18:09:08 obsigna charon: 06[CFG] loaded certificate "C=DE, O=Example, CN=ipsec-clients.example.com" from 'ipsec-clients-cert.pem'
Jan 3 18:09:08 obsigna charon: 06[CFG] loaded certificate "C=DE, O=Example, CN=example.com" from 'ipsec-service-cert.pem'
Jan 3 18:09:08 obsigna charon: 06[CFG] added configuration 'IKEv2-Tunnel'
Jan 3 18:09:08 obsigna charon: 16[CFG] received stroke: initiate 'IKEv2-Tunnel'
Jan 3 18:09:08 obsigna charon: 16[IKE] initiating IKE_SA IKEv2-Tunnel[1] to 11.22.33.44
Jan 3 18:09:08 obsigna charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 3 18:09:08 obsigna charon: 16[NET] sending packet: from 192.168.2.1[500] to 11.22.33.44[500] (1156 bytes)
Jan 3 18:09:08 obsigna charon: 16[NET] received packet: from 11.22.33.44[500] to 192.168.2.1[500] (617 bytes)
Jan 3 18:09:08 obsigna charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 3 18:09:09 obsigna charon: 16[IKE] local host is behind NAT, sending keep alives
Jan 3 18:09:09 obsigna charon: 16[IKE] remote host is behind NAT
Jan 3 18:09:09 obsigna charon: 16[IKE] received cert request for "C=DE, O=Example, CN=example.com CA"
Jan 3 18:09:09 obsigna charon: 16[IKE] sending cert request for "C=DE, O=Example, CN=example.com CA"
Jan 3 18:09:09 obsigna charon: 16[IKE] authentication of 'C=DE, O=Example, CN=ipsec-clients.example.com' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 3 18:09:09 obsigna charon: 16[IKE] sending end entity cert "C=DE, O=Example, CN=ipsec-clients.example.com"
Jan 3 18:09:09 obsigna charon: 16[IKE] establishing CHILD_SA IKEv2-Tunnel
Jan 3 18:09:09 obsigna charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan 3 18:09:09 obsigna charon: 16[ENC] splitting IKE message with length of 1600 bytes into 2 fragments
Jan 3 18:09:09 obsigna charon: 16[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
Jan 3 18:09:09 obsigna charon: 16[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
Jan 3 18:09:09 obsigna charon: 16[NET] sending packet: from 192.168.2.1[4500] to 11.22.33.44[4500] (1236 bytes)
Jan 3 18:09:09 obsigna charon: 16[NET] sending packet: from 192.168.2.1[4500] to 11.22.33.44[4500] (436 bytes)
Jan 3 18:09:09 obsigna charon: 16[NET] received packet: from 11.22.33.44[4500] to 192.168.2.1[4500] (1236 bytes)
Jan 3 18:09:09 obsigna charon: 16[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Jan 3 18:09:09 obsigna charon: 16[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 3 18:09:09 obsigna charon: 15[NET] received packet: from 11.22.33.44[4500] to 192.168.2.1[4500] (212 bytes)
Jan 3 18:09:09 obsigna charon: 15[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Jan 3 18:09:09 obsigna charon: 15[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jan 3 18:09:09 obsigna charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
Jan 3 18:09:09 obsigna charon: 15[IKE] received end entity cert "C=DE, O=Example, CN=example.com"
Jan 3 18:09:09 obsigna charon: 15[CFG] using trusted ca certificate "C=DE, O=Example, CN=example.com CA"
Jan 3 18:09:09 obsigna charon: 15[CFG] checking certificate status of "C=DE, O=Example, CN=example.com"
Jan 3 18:09:09 obsigna charon: 15[CFG] certificate status is not available
Jan 3 18:09:09 obsigna charon: 15[CFG] reached self-signed root ca with a path length of 0
Jan 3 18:09:09 obsigna charon: 15[CFG] using trusted certificate "C=DE, O=Example, CN=example.com"
Jan 3 18:09:09 obsigna charon: 15[IKE] authentication of 'C=DE, O=Example, CN=example.com' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 3 18:09:09 obsigna charon: 15[IKE] IKE_SA IKEv2-Tunnel[1] established between 192.168.2.1[C=DE, O=Example, CN=ipsec-clients.example.com]...11.22.33.44[C=DE, O=Example, CN=example.com]
Jan 3 18:09:09 obsigna charon: 15[IKE] scheduling reauthentication in 9886s
Jan 3 18:09:09 obsigna charon: 15[IKE] maximum IKE_SA lifetime 10426s
Jan 3 18:09:09 obsigna charon: 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 3 18:09:09 obsigna charon: 15[IKE] CHILD_SA IKEv2-Tunnel{1} established with SPIs ce7e450a_i cebca5a5_o and TS 192.168.2.0/24 === 192.168.1.0/24
Jan 3 18:09:09 obsigna charon: 15[IKE] received AUTH_LIFETIME of 10107s, scheduling reauthentication in 9567s
Jan 3 18:09:33 obsigna charon: 15[IKE] sending keep alive to 11.22.33.44[4500]
Jan 3 18:09:53 obsigna charon: 13[IKE] sending keep alive to 11.22.33.44[4500]
Jan 3 20:08:56 aws charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, FreeBSD 10.3-RELEASE-p15, amd64)
Jan 3 20:08:56 aws charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jan 3 20:08:56 aws charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Jan 3 20:08:56 aws charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jan 3 20:08:56 aws charon: 00[CFG] loaded ca certificate "C=DE, O=Example, CN=example.com CA" from '/usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem'
Jan 3 20:08:56 aws charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jan 3 20:08:56 aws charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jan 3 20:08:56 aws charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jan 3 20:08:56 aws charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jan 3 20:08:56 aws charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jan 3 20:08:56 aws charon: 00[CFG] loaded IKE secret for %any
Jan 3 20:08:56 aws charon: 00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/ipsec-service-key.pem'
Jan 3 20:08:56 aws charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Jan 3 20:08:56 aws charon: 00[JOB] spawning 16 worker threads
Jan 3 20:08:56 aws charon: 14[CFG] received stroke: add connection 'IKEv2-Tunnel'
Jan 3 20:08:56 aws charon: 14[CFG] loaded certificate "C=DE, O=Example, CN=example.com" from 'ipsec-service-cert.pem'
Jan 3 20:08:56 aws charon: 14[CFG] loaded certificate "C=DE, O=Example, CN=ipsec-clients.example.com" from 'ipsec-clients-cert.pem'
Jan 3 20:08:56 aws charon: 14[CFG] added configuration 'IKEv2-Tunnel'
Jan 3 20:09:11 aws charon: 13[NET] received packet: from 44.33.22.11[47442] to 192.168.1.1[500] (1156 bytes)
Jan 3 20:09:11 aws charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 3 20:09:11 aws charon: 13[IKE] 44.33.22.11 is initiating an IKE_SA
Jan 3 20:09:11 aws charon: 13[IKE] local host is behind NAT, sending keep alives
Jan 3 20:09:11 aws charon: 13[IKE] remote host is behind NAT
Jan 3 20:09:11 aws charon: 13[IKE] sending cert request for "C=DE, O=Example, CN=example.com CA"
Jan 3 20:09:11 aws charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 3 20:09:11 aws charon: 13[NET] sending packet: from 192.168.1.1[500] to 44.33.22.11[47442] (617 bytes)
Jan 3 20:09:12 aws charon: 06[NET] received packet: from 44.33.22.11[54568] to 192.168.1.1[4500] (1236 bytes)
Jan 3 20:09:12 aws charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Jan 3 20:09:12 aws charon: 06[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 3 20:09:12 aws charon: 08[NET] received packet: from 44.33.22.11[54568] to 192.168.1.1[4500] (436 bytes)
Jan 3 20:09:12 aws charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Jan 3 20:09:12 aws charon: 08[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jan 3 20:09:12 aws charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan 3 20:09:12 aws charon: 08[IKE] received cert request for "C=DE, O=Example, CN=example.com CA"
Jan 3 20:09:12 aws charon: 08[IKE] received end entity cert "C=DE, O=Example, CN=ipsec-clients.example.com"
Jan 3 20:09:12 aws charon: 08[CFG] looking for peer configs matching 192.168.1.1[C=DE, O=Example, CN=example.com]...44.33.22.11[C=DE, O=Example, CN=ipsec-clients.example.com]
Jan 3 20:09:12 aws charon: 08[CFG] selected peer config 'IKEv2-Tunnel'
Jan 3 20:09:12 aws charon: 08[CFG] using trusted ca certificate "C=DE, O=Example, CN=example.com CA"
Jan 3 20:09:12 aws charon: 08[CFG] checking certificate status of "C=DE, O=Example, CN=ipsec-clients.example.com"
Jan 3 20:09:12 aws charon: 08[CFG] certificate status is not available
Jan 3 20:09:12 aws charon: 08[CFG] reached self-signed root ca with a path length of 0
Jan 3 20:09:12 aws charon: 08[CFG] using trusted certificate "C=DE, O=Example, CN=ipsec-clients.example.com"
Jan 3 20:09:12 aws charon: 08[IKE] authentication of 'C=DE, O=Example, CN=ipsec-clients.example.com' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 3 20:09:12 aws charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 3 20:09:12 aws charon: 08[IKE] authentication of 'C=DE, O=Example, CN=example.com' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 3 20:09:12 aws charon: 08[IKE] IKE_SA IKEv2-Tunnel[1] established between 192.168.1.1[C=DE, O=Example, CN=example.com]...44.33.22.11[C=DE, O=Example, CN=ipsec-clients.example.com]
Jan 3 20:09:12 aws charon: 08[IKE] scheduling reauthentication in 10107s
Jan 3 20:09:12 aws charon: 08[IKE] maximum IKE_SA lifetime 10647s
Jan 3 20:09:12 aws charon: 08[IKE] sending end entity cert "C=DE, O=Example, CN=example.com"
Jan 3 20:09:12 aws charon: 08[IKE] CHILD_SA IKEv2-Tunnel{1} established with SPIs cebca5a5_i ce7e450a_o and TS 192.168.1.0/24 === 192.168.2.0/24
Jan 3 20:09:12 aws charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
Jan 3 20:09:12 aws charon: 08[ENC] splitting IKE message with length of 1376 bytes into 2 fragments
Jan 3 20:09:12 aws charon: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jan 3 20:09:12 aws charon: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jan 3 20:09:12 aws charon: 08[NET] sending packet: from 192.168.1.1[4500] to 44.33.22.11[54568] (1236 bytes)
Jan 3 20:09:12 aws charon: 08[NET] sending packet: from 192.168.1.1[4500] to 44.33.22.11[54568] (212 bytes)