Strongswan: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Keine Bearbeitungszusammenfassung |
Chris (Diskussion | Beiträge) |
||
| (9 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
= StrongSwan Success Stories = | = StrongSwan Success Stories = | ||
== IPv6 nicht anpingbar == | |||
FritzBox: Auch IPv6-Präfixe zulassen, die andere IPv6-Router im Heimnetz bekanntgeben --> AUS | |||
FritzBox: Keine statischen Routen definieren, nicht für IPv4 und nicht für IPv6 | |||
== Windows 10 == | == Windows 10 == | ||
=== Windows 10 EAP-MSCHAPV2 === | === Windows 10 EAP-MSCHAPV2 === | ||
Windows 10 braucht das CA-Zertifikat in Zertifikate->Lokaler Computer->Vertrauenswürde Stammzertifizierungsstellen. | |||
<pre> | |||
connections { | |||
win-vpn { | |||
local_addrs = 192.168.0.253 | |||
remote_addrs = %any | |||
proposals = 3des-sha-prfsha1-modp1024,aes256-sha2_384-prfsha384-modp1024,default | |||
pools = v4pool,v6pool | |||
local { | |||
auth = pubkey | |||
certs = darkrealm.crt | |||
} | |||
remote { | |||
auth = eap-mschapv2 | |||
id = 192.168.122.24 | |||
eap_id = %any | |||
} | |||
children { | |||
win-vpn { | |||
local_ts = 192.168.0.0/22,fd00:ffff:aaaa::/64,224.0.0.0/4,ff00::/8 | |||
remote_ts = dynamic,224.0.0.0/4 | |||
#mark_in = %unique | |||
#mark_out = %unique | |||
ipcomp = yes | |||
} | |||
} | |||
} | |||
} | |||
pools { | |||
v4pool { | |||
addrs = 192.168.4.0/24 | |||
dns = 192.168.1.240 | |||
dhcp = 192.168.1.240 | |||
} | |||
v6pool { | |||
addrs = fd00:ffff:aaaa::/64 | |||
dns = fd00:ffff:aaaa::ffff | |||
dhcp = fd00:ffff:aaaa::ffff | |||
} | |||
} | |||
secrets { | |||
eap-chris { | |||
id = chris | |||
secret = punkd | |||
} | |||
} | |||
</pre> | |||
Somehow working: | Somehow working: | ||
| Zeile 55: | Zeile 115: | ||
} | } | ||
</pre> | </pre> | ||
== Linux 2 Linux with Multicast working on responder side == | |||
=== Responder === | |||
/etc/swanctl/conf.d/linux-site2site.conf | |||
<pre> | |||
connections { | |||
linux-site2site { | |||
#local_addrs = neorealm.dyndns.org | |||
local_addrs = 192.168.3.253 | |||
remote_addrs = darkrealm.dyndns.org | |||
local { | |||
auth = pubkey | |||
certs = neorealm-vpn.crt | |||
id = neorealm.dyndns.org | |||
} | |||
remote { | |||
auth = pubkey | |||
certs = darkrealm-vpn.crt | |||
id = darkrealm.dyndns.org | |||
} | |||
children { | |||
linux-route { | |||
local_ts = 192.168.2.0/23,239.255.255.250/32,fd00:ffff:bbbb::/48 | |||
remote_ts = 192.168.0.0/23,239.255.255.250/32,fd00:ffff:aaaa::/48 | |||
ipcomp = no | |||
mark_in = %unique | |||
mark_out = %unique | |||
} | |||
} | |||
} | |||
} | |||
</pre> | |||
/etc/strongswan.d/charon/forecast.conf: | |||
<pre> | |||
forecast { | |||
# Multicast groups to join locally, allowing forwarding of them. | |||
#groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250 | |||
groups = 239.255.255.250 | |||
# Local interface to listen for broadcasts to forward. | |||
interface = BRIDGE_LAN | |||
# Whether to load the plugin. Can also be an integer to increase the | |||
# priority of this plugin. | |||
load = yes | |||
# CHILD_SA configurations names to perform multi/broadcast reinjection. | |||
reinject = linux-route | |||
} | |||
</pre> | |||
=== Initiator === | |||
/etc/swanctl/conf.d/linux-site2site.conf: | |||
<pre> | |||
connections { | |||
linux-site2site { | |||
#local_addrs = darkrealm.dyndns.org | |||
local_addrs = 192.168.0.253 | |||
remote_addrs = neorealm.dyndns.org | |||
keyingtries = 0 | |||
local { | |||
auth = pubkey | |||
certs = darkrealm-vpn.crt | |||
id = darkrealm.dyndns.org | |||
} | |||
remote { | |||
auth = pubkey | |||
certs = neorealm-vpn.crt | |||
id = neorealm.dyndns.org | |||
} | |||
children { | |||
linux-route { | |||
local_ts = 192.168.0.0/23,239.255.255.250/32,fd00:ffff:aaaa::/48 | |||
remote_ts = 192.168.2.0/23,239.255.255.250/32,fd00:ffff:bbbb::/48 | |||
ipcomp = no | |||
start_action = trap | |||
close_action = start | |||
dpd_action = restart | |||
} | |||
} | |||
} | |||
} | |||
</pre> | |||
/etc/strongswan.d/charon/forecast.conf: | |||
<pre> | |||
forecast { | |||
# Multicast groups to join locally, allowing forwarding of them. | |||
# groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250 | |||
groups = 239.255.255.250 | |||
# Local interface to listen for broadcasts to forward. | |||
interface = BRIDGE_LAN | |||
# Whether to load the plugin. Can also be an integer to increase the | |||
# priority of this plugin. | |||
load = no | |||
# CHILD_SA configurations names to perform multi/broadcast reinjection. | |||
reinject = linux-route | |||
} | |||
</pre> | |||
=== Notes === | |||
* IKE Connection had to be established via IPv4 -- IPv6 had not found any DLNA servers. | |||
* IPv6 pings shodan<->nexus gave "no route to host", IPv4 pings working fine. | |||
** The moment "mark=%unique" was commented out, IPv6 pings worked again | |||
* install_routes in /etc/strongswan.d/charon.conf is set to "yes" | |||
* no XFRM interface | |||
* only one side needs to have forecast enabled | |||
Aktuelle Version vom 19. März 2023, 22:44 Uhr
StrongSwan Success Stories
IPv6 nicht anpingbar
FritzBox: Auch IPv6-Präfixe zulassen, die andere IPv6-Router im Heimnetz bekanntgeben --> AUS
FritzBox: Keine statischen Routen definieren, nicht für IPv4 und nicht für IPv6
Windows 10
Windows 10 EAP-MSCHAPV2
Windows 10 braucht das CA-Zertifikat in Zertifikate->Lokaler Computer->Vertrauenswürde Stammzertifizierungsstellen.
connections {
win-vpn {
local_addrs = 192.168.0.253
remote_addrs = %any
proposals = 3des-sha-prfsha1-modp1024,aes256-sha2_384-prfsha384-modp1024,default
pools = v4pool,v6pool
local {
auth = pubkey
certs = darkrealm.crt
}
remote {
auth = eap-mschapv2
id = 192.168.122.24
eap_id = %any
}
children {
win-vpn {
local_ts = 192.168.0.0/22,fd00:ffff:aaaa::/64,224.0.0.0/4,ff00::/8
remote_ts = dynamic,224.0.0.0/4
#mark_in = %unique
#mark_out = %unique
ipcomp = yes
}
}
}
}
pools {
v4pool {
addrs = 192.168.4.0/24
dns = 192.168.1.240
dhcp = 192.168.1.240
}
v6pool {
addrs = fd00:ffff:aaaa::/64
dns = fd00:ffff:aaaa::ffff
dhcp = fd00:ffff:aaaa::ffff
}
}
secrets {
eap-chris {
id = chris
secret = punkd
}
}
Somehow working:
forecast {
# Multicast groups to join locally, allowing forwarding of them.
groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
# Local interface to listen for broadcasts to forward.
interface = BRIDGE_LAN
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
# CHILD_SA configurations names to perform multi/broadcast reinjection.
# reinject = mobile,linux
}
connections {
linux {
local_addrs = 192.168.3.253
remote_addrs = darkrealm.dyndns.org
keyingtries = 0
local {
auth = pubkey
certs = neorealm.crt
}
remote {
auth = pubkey
certs = darkrealm.crt
}
children {
linux {
local_ts = 192.168.2.0/24,192.168.3.0/24,224.0.0.0/4,fd00:ffff:bbbb::/64,ff00::/8
remote_ts = 192.168.0.0/24,192.168.1.0/24,224.0.0.0/4,fd00:ffff:aaaa::/64,ff00::/8
mark_in = %unique
mark_out = %unique
ipcomp = yes
start_action = trap
close_action = trap
dpd_action = trap
}
}
}
}
Linux 2 Linux with Multicast working on responder side
Responder
/etc/swanctl/conf.d/linux-site2site.conf
connections {
linux-site2site {
#local_addrs = neorealm.dyndns.org
local_addrs = 192.168.3.253
remote_addrs = darkrealm.dyndns.org
local {
auth = pubkey
certs = neorealm-vpn.crt
id = neorealm.dyndns.org
}
remote {
auth = pubkey
certs = darkrealm-vpn.crt
id = darkrealm.dyndns.org
}
children {
linux-route {
local_ts = 192.168.2.0/23,239.255.255.250/32,fd00:ffff:bbbb::/48
remote_ts = 192.168.0.0/23,239.255.255.250/32,fd00:ffff:aaaa::/48
ipcomp = no
mark_in = %unique
mark_out = %unique
}
}
}
}
/etc/strongswan.d/charon/forecast.conf:
forecast {
# Multicast groups to join locally, allowing forwarding of them.
#groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
groups = 239.255.255.250
# Local interface to listen for broadcasts to forward.
interface = BRIDGE_LAN
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
# CHILD_SA configurations names to perform multi/broadcast reinjection.
reinject = linux-route
}
Initiator
/etc/swanctl/conf.d/linux-site2site.conf:
connections {
linux-site2site {
#local_addrs = darkrealm.dyndns.org
local_addrs = 192.168.0.253
remote_addrs = neorealm.dyndns.org
keyingtries = 0
local {
auth = pubkey
certs = darkrealm-vpn.crt
id = darkrealm.dyndns.org
}
remote {
auth = pubkey
certs = neorealm-vpn.crt
id = neorealm.dyndns.org
}
children {
linux-route {
local_ts = 192.168.0.0/23,239.255.255.250/32,fd00:ffff:aaaa::/48
remote_ts = 192.168.2.0/23,239.255.255.250/32,fd00:ffff:bbbb::/48
ipcomp = no
start_action = trap
close_action = start
dpd_action = restart
}
}
}
}
/etc/strongswan.d/charon/forecast.conf:
forecast {
# Multicast groups to join locally, allowing forwarding of them.
# groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
groups = 239.255.255.250
# Local interface to listen for broadcasts to forward.
interface = BRIDGE_LAN
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = no
# CHILD_SA configurations names to perform multi/broadcast reinjection.
reinject = linux-route
}
Notes
- IKE Connection had to be established via IPv4 -- IPv6 had not found any DLNA servers.
- IPv6 pings shodan<->nexus gave "no route to host", IPv4 pings working fine.
- The moment "mark=%unique" was commented out, IPv6 pings worked again
- install_routes in /etc/strongswan.d/charon.conf is set to "yes"
- no XFRM interface
- only one side needs to have forecast enabled