Ilya Rodionov, 2020-03-15 14:54:37
Cisco

IPsec. Racoon to strongSwan. Has anyone migrated?

Colleagues, in fact the essence of the question is simple: has anyone moved from racoon to strongSwan?
The problem came up when rewriting the racoon config for strongSwan; there are too many things I don't understand right now.

Can anyone suggest / help what exactly needs to be redone here? Thank you.

path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";

log debug;

padding {
  maximum_length 20; # maximum padding length.
  randomize off; # enable randomize length.
  strict_check off; # enable strict check.
  exclusive_tail off; # extract last one octet.
}

remote anonymous {

        exchange_mode main;
        my_identifier fqdn "vpn.xxx.xxx";

        passive on;
        generate_policy on;
        nat_traversal on;

#	desktop clients
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }

#	iOS clients
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method xauth_psk_server;
    dh_group 2;
    lifetime time 1 hour;
  }

  proposal {
    encryption_algorithm  aes;
    hash_algorithm        sha1;
    authentication_method pre_shared_key;
    dh_group              modp1024;
  }

  proposal {
    encryption_algorithm  3des;
    hash_algorithm        sha1;
    authentication_method pre_shared_key;
    dh_group              modp1024;
  }


#	Android clients
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }

}

sainfo anonymous {
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

###########

listen {
  isakmp_natt 1.1.1.1 [4500];
  isakmp 1.1.1.1 [500];
}

timer {
  counter 100000;
  interval 5 sec;
  persend 1;
  phase1 30 sec;
  phase2 15 sec;
}

remote 2.2.2.2 {
        exchange_mode main;
        my_identifier address "1.1.1.1";
        peers_identifier address "2.2.2.2";

        initial_contact on;
        proposal_check obey;

        proposal {
                encryption_algorithm aes256;
                authentication_method pre_shared_key;
                hash_algorithm sha1;
                dh_group 2;
        }
}

sainfo address 0.0.0.0/0 any address 192.168.0.0/16 any {
        lifetime time 28800 seconds;
        encryption_algorithm aes256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
}

1 answer(s)
CityCat4, 2020-03-15
@CityCat4

Well, I migrated. Well, sort of migrated: in one place there was racoon on FreeBSD, in another place there was Linux and the Swan. There is nothing to redo. Everything gets rewritten. The ideology is completely different.
The settings for the strongswan daemon itself are /etc/strongswan/strongswan.conf and a bunch of subconfigs in strongswan.d. For example, I set up logs (debug!) like this:
/etc/strongswan/strongswan.d/charon-logging.conf

charon {

    # Section to define file loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    filelog {

        # <filename> is the full path to the log file.
        /var/log/ipsec {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # If this option is enabled log entries are appended to the existing
            # file.
            append = yes

            # Default loglevel.
            default = 2

            # job management usually does not need logging
            job = 0

            # For debugging purpose
            asn = 1
            enc = 1
            ike = 4
            net = 4
            cfg = 3

            # Enabling this option disables block buffering and enables line
            # buffering.
            flush_line = yes
            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            ike_name = no

            # Prefix each log entry with a timestamp. The option accepts a
            # format string as passed to strftime(3).
            time_format = %b %e %T

        }

    }
}

This is the debug log, for testing!
Peer certificates, keys, CRLs, etc. live in /etc/strongswan/ipsec.d, which has a bunch of subdirectories. Passwords and certificate keys go in /etc/strongswan/ipsec.secrets, and the connections themselves are described in /etc/strongswan/ipsec.conf. You will have to pore over the manuals for a long time; they are on the Swan's website, there are more than enough of them, and they contain a lot of examples.
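As an added example (not part of either post), here is how the site-to-site `remote 2.2.2.2` / `sainfo address` pair from the question could be written in the /etc/strongswan/ipsec.conf and ipsec.secrets files the answer points to. The connection name, the traffic-selector mapping (racoon's first sainfo address taken as the local side, since the IPsec policies themselves come from setkey and are not in the question) and the placeholder secret are assumptions.

```ini
# /etc/strongswan/ipsec.conf  (added example; "site-2.2.2.2" is a made-up conn name)
conn site-2.2.2.2
    keyexchange=ikev1        # racoon speaks IKEv1 only
    aggressive=no            # racoon: exchange_mode main
    left=1.1.1.1
    leftid=1.1.1.1           # racoon: my_identifier address "1.1.1.1"
    leftsubnet=0.0.0.0/0     # racoon sainfo: first address taken as local selector (assumed)
    right=2.2.2.2
    rightid=2.2.2.2          # racoon: peers_identifier address "2.2.2.2"
    rightsubnet=192.168.0.0/16
    authby=secret            # racoon: authentication_method pre_shared_key
    # Phase 1 proposal: aes256 / sha1 / dh_group 2 (= modp1024).
    # The trailing "!" makes charon accept only the listed proposals, which is
    # the closest equivalent of racoon's explicit proposal list.
    ike=aes256-sha1-modp1024!
    # Phase 2 (sainfo): aes256 / hmac_sha1 with pfs_group 2 (= modp1024)
    esp=aes256-sha1-modp1024!
    lifetime=28800s          # racoon sainfo: lifetime time 28800 seconds
    compress=yes             # racoon: compression_algorithm deflate (IPComp)
    auto=start               # this end may initiate; racoon had passive off for this remote
    # sha1 and modp1024 are kept here only to match the existing peer; once the
    # far end supports it, move both lines to sha256 and modp2048 or stronger.

# /etc/strongswan/ipsec.secrets
# <local id> <remote id> : PSK "<secret>"  -- the value below is a placeholder, not a real key
1.1.1.1 2.2.2.2 : PSK "REPLACE_WITH_SHARED_SECRET"
```

The `remote anonymous` block with its road-warrior proposals (xauth_psk_server, 3des, modp1024) is a separate conn with `right=%any`, and the answer's charon-logging.conf already covers the `log debug;` line.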
