
Sunday 24 September 2017

Setting up IKEv2 with strongSwan on OpenWrt 15.05.1

I have been using OpenVPN on my OpenWrt router for remote access. OpenVPN is an SSL VPN solution similar to Cisco AnyConnect. IPsec is an IETF standard for providing network-layer security, and support for it is built into recent Linux kernels. However, the kernel needs the encryption keys before it can set up an IPsec tunnel. You can manually create IPsec tunnels with a pre-shared key, but this approach does not support mobile clients that have dynamic IP addresses.

The Internet Key Exchange (IKE) protocol negotiates the security parameters before an IPsec tunnel is set up. Usually, an IKE daemon listens on UDP/500 for requests, performs several rounds of exchanges with the remote client, and then passes the negotiated parameters to the Linux kernel, which sets up the IPsec tunnel.

IKEv2 is the latest version of the protocol and is much easier to deploy than its predecessor, IKEv1. strongSwan is an IKE daemon with full support for IKEv2. To install strongSwan on OpenWrt, you need to install the strongswan-minimal package. You also need to install strongswan-mod-openssl in order to use public-key authentication.

There are several configuration files:

/etc/ipsec.conf defines the IPsec connections (tunnels).
/etc/strongswan.conf contains the configuration of the strongSwan daemon itself.
/etc/ipsec.secrets contains the credentials (PSKs, private keys) used by the IPsec connections.


The following is all that is needed to set up a tunnel with a PSK. A PSK is not as safe as public-key authentication, especially if the PSK is weak.

In /etc/ipsec.conf:

conn mytunnel
    left=%any
    leftsubnet=10.1.0.0/16
    leftid=home
    leftfirewall=yes
    right=IP_OF_THE_PEER
    rightsubnet=10.2.0.0/16
    rightid=moon
    auto=add
    mobike=no
    authby=psk

In /etc/ipsec.secrets:

moon : PSK YOUR_PSK_FOR_TUNNEL

Use `ipsec up mytunnel` to establish the tunnel and `ipsec statusall` to check the tunnel status.
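Since the weakness of a hand-typed PSK is the main risk of this setup, here is an added example (not from the original post) of a small POSIX shell helper for OpenWrt that generates a random PSK, rejects obviously weak ones, and appends a `home moon : PSK "..."` entry to ipsec.secrets with owner-only permissions. The function names and the SECRETS_FILE override are assumptions made for this example; it relies only on busybox applets (head, od, tr, chmod).

```shell
#!/bin/sh
# Added example: manage the PSK for the "home" <-> "moon" tunnel.
# SECRETS_FILE defaults to the real path; override it when testing.
SECRETS_FILE="${SECRETS_FILE:-/etc/ipsec.secrets}"

# 32 random bytes from the kernel CSPRNG, printed as 64 hex characters.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Minimal sanity check: at least 20 characters drawn from at least two
# character classes. It catches dictionary words, not bad generators.
psk_is_strong() {
    psk="$1"
    [ "${#psk}" -ge 20 ] || return 1
    n=0
    case "$psk" in *[0-9]*)        n=$((n + 1)) ;; esac
    case "$psk" in *[a-z]*)        n=$((n + 1)) ;; esac
    case "$psk" in *[A-Z]*)        n=$((n + 1)) ;; esac
    case "$psk" in *[!0-9a-zA-Z]*) n=$((n + 1)) ;; esac
    [ "$n" -ge 2 ]
}

# Append a selector-qualified entry so strongSwan offers this key only to
# the named identities (leftid/rightid from ipsec.conf), quoted so that
# any character is accepted, and keep the file readable by root only.
install_psk() {
    leftid="$1"; rightid="$2"; psk="$3"; file="${4:-$SECRETS_FILE}"
    psk_is_strong "$psk" || { echo "refusing weak PSK" >&2; return 1; }
    umask 077
    printf '%s %s : PSK "%s"\n' "$leftid" "$rightid" "$psk" >> "$file"
    chmod 600 "$file"
}
```

After installing the entry, run `ipsec rereadsecrets` (or restart the daemon) so strongSwan picks up the new key.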

from https://jim-think.blogspot.co.id/2016/08/setting-up-ikev2-with-strongswan-on.html
