
strongSwan

MTU для IKEv2-туннеля: 1438 (IPv4) / 1422 (IPv6)

Команды

Переподключить соединение:

# connection-name — имя секции conn из ipsec.conf (например, ikev2-vpn ниже)
sudo ipsec up connection-name
sudo ipsec down connection-name

Перегрузить секреты:

# re-read ipsec.secrets (new EAP users / PSKs) without dropping established tunnels
sudo ipsec rereadsecrets

Перегрузить ipsec:

# full stop/start of the daemon: all established tunnels are torn down
sudo ipsec restart

Статус подключений:

# status: connections and established SAs; statusall adds loaded plugins,
# negotiated algorithms, lifetimes and traffic counters
sudo ipsec status
sudo ipsec statusall

Показать состояние и политики безопасности ipsec:

# kernel (XFRM) view of what charon installed: IPsec SAs and the policies selecting them
sudo ip xfrm state
sudo ip xfrm policy

Сервер

Входящие порты UDP: 500,4500

Установить:

# strongswan-pki provides the `pki` tool used below; libcharon-extra-plugins is
# needed for the EAP-MSCHAPv2 authentication configured in ipsec.conf
sudo apt install strongswan strongswan-pki libcharon-extra-plugins

Создать ca.crt, server.crt и server.key в формате PEM:

PKI


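# Subject values for the CA and the server certificate.
ORG="Name Organization"
# Host name or IP the clients connect to; it goes into CN and SAN of server.crt.
VPNHOST="server_domain_or_IP"

# Keys are written through shell redirection and inherit the umask, so close the
# key directory to other users before any key is generated.
mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki/private

# CA: 4096-bit RSA key, self-signed, valid 3650 days.
pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca.key
pki --self --ca --lifetime 3650 --in ~/pki/private/ca.key --type rsa \
  --dn "CN=$ORG VPN CA" --outform pem > ~/pki/cacerts/ca.crt

# Server: 4096-bit RSA key, certificate issued by the CA above for 3600 days.
# $VPNHOST is quoted so a value with spaces cannot split into extra arguments.
# serverAuth/ikeIntermediate are the extended-key-usage flags some IKEv2 clients require.
pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server.key
pki --pub --in ~/pki/private/server.key --type rsa \
  | pki --issue --lifetime 3600 --cacert ~/pki/cacerts/ca.crt --cakey ~/pki/private/ca.key \
      --dn "CN=$VPNHOST" --san "$VPNHOST" --flag serverAuth --flag ikeIntermediate \
      --outform pem > ~/pki/certs/server.crt

# Install into strongSwan's directories (cacerts/, certs/, private/ keep their names).
sudo cp -r ~/pki/* /etc/ipsec.d/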


Сконфигурировать /etc/ipsec.conf:

ipsec.conf


config setup
    # IKE and kernel-interface logging at level 1, config-parser messages off.
    charondebug="ike 1, knl 1, cfg 0"
    # Let one identity (EAP user) hold several concurrent IKE_SAs.
    uniqueids=no
    # Do not require a fresh CRL for peer certificate validation.
    strictcrlpolicy=no
    cachecrls=no

conn ikev2-vpn
    # Loaded at startup; the client initiates.
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # IKE message fragmentation.
    fragmentation=yes
    # UDP-encapsulate ESP even when no NAT is detected.
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    # The server does not initiate rekeying; left to the client.
    rekey=no
    left=%any
    # Should be an identity contained in server.crt (its CN or SAN).
    leftid=@vpn.domain.com
    # From /etc/ipsec.d/certs (see the PKI step above).
    leftcert=server.crt
    leftsendcert=always
    # Full tunnel: all client traffic is routed through the VPN.
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # Username/password from ipsec.secrets; no client certificate.
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1,8.8.8.8
    rightsendcert=never
    eap_identity=%identity
    # AEAD/modern suites first. The trailing *-sha1-modp1024 and 3des entries are
    # there only for legacy clients: 1024-bit MODP (DH group 2), SHA-1 and 3DES are
    # weak by today's standards — remove them once no client needs them.
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1


Сконфигурировать /etc/ipsec.secrets:

ipsec.secrets


# Private key for server.crt; the empty selector before ":" matches any local identity.
: RSA "server.key"
# One `user : EAP "secret"` line per VPN account — use a strong, unique secret per user.
# Keep this file readable by root only.
username : EAP "password"


Добавить в sysctl:

/etc/sysctl.conf


# The server routes between VPN clients and the outside, so forwarding must be on.
net.ipv4.ip_forward=1
# A router should neither accept nor send ICMP redirects.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Disable Path MTU discovery; pairs with the TCP MSS clamping in the iptables rules below.
net.ipv4.ip_no_pmtu_disc=1

Командой:

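# Uncomment the keys that are present in sysctl.conf in commented-out form.
sudo sed -i '/#net.ipv4.ip_forward/s/#//g' /etc/sysctl.conf
sudo sed -i '/#net.ipv4.conf.all.accept_redirects/s/#//g' /etc/sysctl.conf
sudo sed -i '/#net.ipv4.conf.all.send_redirects/s/#//g' /etc/sysctl.conf
# ip_no_pmtu_disc has no template line to uncomment, so it is appended — but only
# when not already present, so re-running this snippet does not add duplicates.
grep -q '^net.ipv4.ip_no_pmtu_disc=1' /etc/sysctl.conf \
  || echo net.ipv4.ip_no_pmtu_disc=1 | sudo tee -a /etc/sysctl.conf
# Apply without reboot.
sudo sysctl -p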


Добавить правила в iptables с помощью if-up.d:

if-up.d


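# Write the hook straight to its destination as root instead of staging it in a
# predictable /tmp path ("cat >> /tmp/ipsec.sh" would append to whatever file
# already sits there and then install it). ifupdown runs if-up.d through
# run-parts, which skips file names containing a dot, so the hook is named
# "ipsec" rather than "ipsec.sh".
sudo tee /etc/network/if-up.d/ipsec >/dev/null <<'EOF'
#!/bin/bash
# if-up.d hook: NAT exemption for IPsec-protected traffic, MASQUERADE for the
# 10.10.10.0/24 client pool on eth0, MSS clamping and ESP forwarding.

# Append a rule only when an identical one is not already present (-C), so the
# hook stays idempotent across repeated interface-up events.
ensure_rule() {
  local table=$1 chain=$2
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -A "$chain" "$@"
}

# Traffic leaving through an IPsec policy must not be masqueraded.
ensure_rule nat POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
ensure_rule nat POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
# Clamp TCP MSS for tunnelled client connections.
ensure_rule filter FORWARD -m policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
ensure_rule filter FORWARD -m policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
ensure_rule filter FORWARD -m policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
EOF
sudo chmod +x /etc/network/if-up.d/ipsec
# Apply once now; ifupdown re-runs it whenever an interface comes up.
sudo /etc/network/if-up.d/ipsec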

или добавить в автозагрузку с помощью iptables-persistent:

iptables-persistent


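sudo apt install iptables-persistent
# Write the ruleset directly as root rather than through a predictable /tmp file
# (">> /tmp/rules.v4" would also keep any stale content already in that file).
# This replaces the rules.v4 the package may have saved at install time.
sudo tee /etc/iptables/rules.v4 >/dev/null <<'EOF'
*filter
# Clamp TCP MSS for tunnelled clients, then pass ESP-protected traffic both ways.
-A FORWARD -s 10.10.10.0/24 -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -s 10.10.10.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.10.10.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
*nat
# IPsec-protected traffic bypasses NAT; everything else from the pool is masqueraded.
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
# Load the rules now; iptables-persistent re-applies the file at boot.
sudo iptables-restore /etc/iptables/rules.v4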


Strongswan - Mikrotik

ikev2

Strongswan - Strongswan

Описание

Сеть 1:

IP 1: 1.1.1.1
Сеть 1: 172.16.0.0/24

Сеть 2:

IP 2: 2.2.2.2
Сеть 2: 172.16.2.0/24

Настройка

Создать psk:

# 64 random bytes printed as 128 hex characters; the same string goes into
# ipsec.secrets on both peers
openssl rand -hex 64

Сеть 1:

ipsec.secrets


1.1.1.1 2.2.2.2 : PSK "i5IeXBXHqXdyScsR4c05OTbL1L42PK0t2ajc96mTNRmd9fri039z4gyRlx4rJyQB"

ipsec.conf


config setup
        # "all" is very noisy: fine while bringing the tunnel up, lower it in production.
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn 1-to-2
  # PSK from ipsec.secrets (the "1.1.1.1 2.2.2.2 : PSK" line).
  authby=secret
  left=%defaultroute
  leftid=1.1.1.1
  leftsubnet=172.16.0.0/24
  right=2.2.2.2
  rightsubnet=172.16.2.0/24
  # modp1024 is 1024-bit DH (group 2) and is considered too weak today; prefer
  # modp2048 or an ECP group (see the Diffie-Hellman groups section) — both peers
  # must use the same proposal.
  ike=aes256-sha2_256-modp1024!
  esp=aes256-sha2_256!
  # 0 = keep retrying forever while the peer is unreachable.
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  # Dead peer detection: probe every 30 s, declare dead after 120 s, then re-establish.
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  # Bring the tunnel up at startup (this side initiates).
  auto=start


Сеть 2:

ipsec.secrets


2.2.2.2 1.1.1.1 : PSK "i5IeXBXHqXdyScsR4c05OTbL1L42PK0t2ajc96mTNRmd9fri039z4gyRlx4rJyQB"

ipsec.conf


config setup
        # "all" is very noisy: fine while bringing the tunnel up, lower it in production.
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn 2-to-1
  # PSK from ipsec.secrets (the "2.2.2.2 1.1.1.1 : PSK" line); must equal the peer's.
  authby=secret
  left=%defaultroute
  leftid=2.2.2.2
  leftsubnet=172.16.2.0/24
  right=1.1.1.1
  rightsubnet=172.16.0.0/24
  # Mirror of the 1-to-2 proposals: modp1024 (DH group 2) is weak by today's
  # standards — if it is changed here, change it on the other peer too.
  ike=aes256-sha2_256-modp1024!
  esp=aes256-sha2_256!
  # 0 = keep retrying forever while the peer is unreachable.
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  # Dead peer detection: probe every 30 s, declare dead after 120 s, then re-establish.
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  # Bring the tunnel up at startup (this side initiates as well).
  auto=start


docker

Правила SNAT для работы сети докера с сетью ipsec на одном хосте

ipsec-сеть, к которой нужен доступ: 172.16.2.0/24
сети docker: 172.17.0.0/16,172.18.0.0/16
ip адрес интерфейса сети хоста для доступа к сети ipsec: 172.16.3.1
внешний интерфейс: eth0 
# Source-NAT container traffic (172.17/16, 172.18/16) destined for the IPsec network
# to the host address that is covered by the IPsec policy; inserted at position 1
# so it takes precedence over the generic POSTROUTING rules.
iptables --table nat --insert POSTROUTING 1 --out-interface eth0 --destination 172.16.2.0/24 --source 172.17.0.0/16,172.18.0.0/16 --jump SNAT --to-source 172.16.3.1

https://unix.stackexchange.com/questions/544725/route-docker-container-traffic-through-ipsec
https://serverfault.com/questions/771108/allow-docker-containers-to-use-ipsec-vpn-on-host/810597#810597

Let's Encrypt

Ipsec с сертификатами Let's Encrypt и передачей маршрутов клиенту

Конфигурация (пример для домена vpn.domain.com):

255.255.255.255 в leftsubnet — для широковещательных запросов DHCP INFORM от клиентов (см. правило DNAT в разделе iptables ниже)

/etc/ipsec.conf


config setup
  uniqueids=no

conn ikev2-clients
  auto=add
  keyexchange=ikev2
  fragmentation=yes
  # Very broad proposal lists for client compatibility. The modp1024, sha1 and
  # 3des entries are legacy/weak — trim them when the client base allows.
  ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
  esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
  dpdaction=clear
  dpddelay=30s
  rekey=no
  left=%any
  leftid=@vpn.domain.com
  # Let's Encrypt leaf certificate, installed as /etc/ipsec.d/certs/certificate.pem.
  leftcert=certificate.pem
  leftsendcert=always
  # Split tunnel: only these networks go through the VPN. 255.255.255.255 lets the
  # clients' DHCP INFORM broadcast reach the server (DNAT rule below), which is
  # how the routes (dnsmasq option 249) are delivered.
  leftsubnet=255.255.255.255,172.16.0.0/24,10.1.1.0/24
  # charon inserts the firewall rules for this connection itself (strongSwan
  # forwarding howto linked below).
  leftfirewall=yes
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  # Client addresses come from the DHCP plugin (dhcp.conf / dnsmasq below)
  # instead of a static pool.
  rightsourceip=%dhcp
  rightdns=172.16.0.5
  eap_identity=%identity


/etc/ipsec.secrets

# Let's Encrypt private key (/etc/ipsec.d/private/key.pem), selected by the server identity.
vpn.domain.com : RSA key.pem
# One `user : EAP "secret"` line per VPN account — strong, unique secret per user;
# keep this file readable by root only.
username : EAP "password"

/etc/strongswan.d/charon/dhcp.conf


dhcp {
    # Client addresses (rightsourceip=%dhcp) are requested from a real DHCP server.
    load = yes
    # Send requests to the configured server address instead of broadcasting.
    force_server_address = yes
    # Enable to derive a stable client MAC (and thus lease) from the IKE identity.
    #identity_lease = yes
    # Interface the plugin talks DHCP on; the dnsmasq listener address is added to it below.
    interface = eth0
    server = 10.10.10.254
}

Добавить интерфейс и настроить dnsmasq:

ip addr


# Alias address on eth0 that dnsmasq listens on (dhcp.conf: server = 10.10.10.254);
# not persistent — see the networkd-dispatcher hook below.
ip address add 10.10.10.254/24 broadcast + dev eth0 label eth0:ipsec

dnsmasq.conf


# DNS disabled (port 0): dnsmasq serves only DHCP for the IPsec pool here.
port=0
dhcp-authoritative
# Listen only on the eth0:ipsec alias address added above.
bind-interfaces
#interface=eth0
listen-address=10.10.10.254
# Both are verbose; useful while debugging, noisy in production.
log-dhcp
log-queries

# Pool for the VPN clients, 30-minute leases.
dhcp-range=10.10.10.10,10.10.10.20,30m

dhcp-option=option:dns-server,172.16.0.5
dhcp-option=option:domain-name,mri.checkpointid.com

# Tag Windows clients (vendor class "MSFT 5.0") and push them classless static
# routes via Microsoft option 249: 172.16.0.0/24 and 10.1.1.0/24 with gateway
# 0.0.0.0, i.e. via the tunnel. This is how the split-tunnel routes reach the client.
dhcp-vendorclass=set:msipsec,MSFT 5.0
# NOTE(review): a static-only range keyed to the tag — presumably only there so the
# tagged options above apply; confirm it is intended.
dhcp-range=tag:msipsec,172.16.0.0,static
dhcp-option=tag:msipsec,249, 172.16.0.0/24,0.0.0.0, 10.1.1.0/24,0.0.0.0


Добавить правила iptables для DHCP INFORM и NAT:

iptables


# DHCP INFORM from VPN clients arrives as a broadcast; redirect it to the pool's
# broadcast address so the local dnsmasq answers it.
iptables --table nat --append PREROUTING --source 10.10.10.0/24 --destination 255.255.255.255 --protocol udp --match multiport --dport 67 --jump DNAT --to-destination 10.10.10.255
# Traffic leaving through an IPsec policy must not be NATed.
iptables --table nat --append POSTROUTING --source 10.10.10.0/24 --out-interface eth0 --match policy --dir out --pol ipsec --jump ACCEPT
# Masquerading stays disabled in this split-tunnel setup; enable only for a full tunnel.
#iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE


Получить сертификат:

certbot


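# Issue a Let's Encrypt certificate with certbot in a container and copy it into
# strongSwan's directories. DOMAIN/EMAIL are parameters so the live/ path used for
# the copies cannot drift from the name passed to -d (the original used two
# different host names).
DOMAIN=vpn.domain.com
EMAIL=mail@domain.com
CERT_DIR=/data/docker/certbot/etc

# -p (lower case) creates parents; upper-case -P is not a mkdir option.
mkdir -p "$CERT_DIR"
# Standalone HTTP-01 challenge: port 80 must be reachable from the Internet while
# this runs. Append --dry-run to test against the staging environment first.
docker run -p80:80 -v "$CERT_DIR":/etc/letsencrypt -v /tmp:/var/log/letsencrypt --rm --name certbot \
  certbot/certbot certonly --standalone --agree-tos --no-eff-email -m "$EMAIL" -d "$DOMAIN" #--dry-run
# chain.pem = issuing CA, privkey.pem = server key, cert.pem = leaf; the target
# names match leftcert=certificate.pem and "RSA key.pem" in ipsec.conf/ipsec.secrets.
cp "$CERT_DIR/live/$DOMAIN/chain.pem" /etc/ipsec.d/cacerts/ca.pem
cp "$CERT_DIR/live/$DOMAIN/privkey.pem" /etc/ipsec.d/private/key.pem
cp "$CERT_DIR/live/$DOMAIN/cert.pem" /etc/ipsec.d/certs/certificate.pem
# The key must stay readable by root only.
chmod 600 /etc/ipsec.d/private/key.pem
# Let's Encrypt certificates are short-lived (90 days): repeat the copies after each
# renewal and run `ipsec rereadsecrets` / reload so charon picks up the new files.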


https://docs.strongswan.org/strongswan-docs/5.9/howtos/forwarding.html

Автозагрузка интерфейса и правил:

/etc/networkd-dispatcher/routable.d/50-ipsec


#!/bin/bash
# networkd-dispatcher "routable" hook: when eth0 becomes routable, (re)apply the
# IPsec alias address and NAT rules via /etc/ipsec.d/ipsec.sh. IFACE is provided
# by networkd-dispatcher. Exits 0 regardless of the inner script's result.
[[ "${IFACE:-}" == "eth0" ]] && /bin/bash /etc/ipsec.d/ipsec.sh
exit 0

/etc/ipsec.d/ipsec.sh


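#!/bin/bash
# Re-create the dnsmasq listener address and the DHCP/NAT rules for the IPsec
# client pool. Safe to run repeatedly: every step checks before it adds.

# Match the address exactly on eth0 — a bare "grep 10.10.10.254" treats the dots
# as wildcards and would also match e.g. 110.10.10.254 on any interface.
ip -4 addr show dev eth0 | grep -qF 'inet 10.10.10.254/' \
  || ip addr add 10.10.10.254/24 brd + dev eth0 label eth0:ipsec

# Ask netfilter directly (-C) whether each rule exists instead of grepping
# iptables-save output, whose exact formatting the text match depended on.
iptables -t nat -C PREROUTING -s 10.10.10.0/24 -d 255.255.255.255/32 -p udp -m multiport --dport 67 -j DNAT --to-destination 10.10.10.255 2>/dev/null \
  || iptables -t nat -A PREROUTING -s 10.10.10.0/24 -d 255.255.255.255/32 -p udp -m multiport --dport 67 -j DNAT --to-destination 10.10.10.255
iptables -t nat -C POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT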


Diffie-Hellman groups

| NAME | NUMBER | SYMMETRIC | RSA | KEYWORD |
|---|---|---|---|---|
| 1024-bit MODP Group with 160-bit Prime Order Subgroup | 22 | 80 | 1024 | modp1024s160 |
| 2048-bit MODP Group with 224-bit Prime Order Subgroup | 23 | 112 | 2048 | modp2048s224 |
| 2048-bit MODP Group with 256-bit Prime Order Subgroup | 24 | 112 | 2048 | modp2048s256 |
| 192-bit Random ECP Group | 25 | 80 | 1024 | ecp192 |
| 224-bit Random ECP Group | 26 | 112 | 2048 | ecp224 |
| 256-bit Random ECP Group | 19 | 128 | 3072 | ecp256 |
| 384-bit Random ECP Group | 20 | 192 | 7680 | ecp384 |
| 521-bit Random ECP Group | 21 | 256 | 15360 | ecp521 |

https://www.rfc-editor.org/rfc/rfc5114#section-3.2
https://www.rfc-editor.org/rfc/rfc5114#section-4
https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8
https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html#_diffie_hellman_groups

Ссылки

https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-20-04-ru
https://blog.ruanbekker.com/blog/2018/02/11/setup-a-site-to-site-ipsec-vpn-with-strongswan-and-preshared-key-authentication/
https://medium.com/the-10x-dev/how-to-setup-a-site-to-site-vpn-connection-with-strongswan-32d4ed034ae2