[strongSwan] questions about strongswan 4.4

samuel morin samuel.morin at ac-dijon.fr
Wed Sep 22 17:42:37 CEST 2010


Hi,

Until now, we have used strongSwan 2.8 for our VPN and we wrote an ipsec.conf 
generator for our config files (we have several hundred tunnels).

Here is an example of a piece of a configuration file:

version 2
config setup
         interfaces=%defaultroute
         klipsdebug=none
         plutodebug=none
         #strictcrlpolicy=yes
         uniqueids=yes


conn %default
         keyingtries=3
         keylife=8h
         ikelifetime=3h
         authby=rsasig
         pfs=yes


#DEB: ca-AGRIATES-DIJON-02
ca ca-AGRIATES-DIJON-02
         cacert=CertifCa.pem
         crluri=http://crl1.igc.education.fr/agriates.crl
         crluri2=http://crl2.igc.education.fr/agriates.crl
         auto=add
#FIN: ca-AGRIATES-DIJON-02

#DEB:0210017E-01-AGRIATES-DIJON-02

conn C-0210017E-01-0-AGRIATES-DIJON-02
         rightrsasigkey=%cert
         leftrsasigkey=%cert

         rightid="@/C=fr/O=gouv/OU=education/OU=ac-dijon/CN=AGRIATES-DIJON-02"
         right=xxx.xxx.xxx.xxa
         rightsubnet=172.30.107.224/255.255.255.240
         rightnexthop=xxx.xxx.xxx.xxb
         leftid="@/C=fr/O=gouv/OU=education/OU=ac-dijon/CN=0210017E-01"
         left=yyy.yyy.yyy.yya
         leftcert=/etc/freeswan/ipsec.d/0210017E-01.pem
         leftsourceip=10.21.11.1
         leftsubnet=10.21.11.0/255.255.255.0
         leftnexthop=yyy.yyy.yyy.yyb

         leftupdown="/etc/freeswan/ipsec_updown_AGRIATES-DIJON-02-0210017E-01-0"
         lefthostaccess=yes

         ike=aes256-sha2_512-modp8192,aes128-sha2_256-modp2048,aes128-sha-modp2048,aes128-sha2_256-modp1536,aes128-sha-modp1536,3des-md5-modp1536,3des-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024
         esp=aes256-sha2_512,aes128-sha2_256,aes128-sha1,3des-md5,3des-sha1
         pfsgroup=modp2048
         auto=start

Each school may have 10 tunnels to a central gateway.

Now we need to move to a new strongSwan version (4.4) and use its new 
functionality.
We would like to generate our config in SQLite format (easier to generate 
and to update than a config file). I have a lot of questions about this 
version compared to the old one.

Is it possible to mix IKEv1 and IKEv2 connections in SQLite mode?

Is it possible to reproduce the same behaviour we have had until now, 
using an SQLite database instead of a configuration file?

I can't find how to set some parameters like crluri and sourceip.

I don't really understand some table columns, like the "kind" column in 
the "child_config_traffic_selector" table. How do I use it?


I saw that in strongSwan 4.4.x there are options to manage High 
Availability. I saw how to activate it but not how to use it. Is it 
possible to have some examples?

Thank you very much for your help

Best regards

samuel



-- 
**********************************
samuel MORIN
Systems and Network Administrator
Eole Team
CETIAD, Rectorat de Dijon
33, rue Berbisey
21000 DIJON
samuel.morin at ac-dijon.fr
http://eole.orion.education.fr
*********************************
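A parser and re-renderer for the ipsec.conf layout shown in the post above, as an added example (it is not the author's generator and not strongSwan code). Moving several hundred file-based tunnels into a database starts with exactly this step: read each conn into a record, validate the traffic selectors (netmask form normalised to CIDR, host bits in the network part rejected) and catch duplicate conn names or duplicate parameters before anything is loaded by the daemon. The sample file, the helper names and the syntax assumptions (section headers in column 0, indented key=value lines, whole-line "#" comments) are constructed for this example.

```python
"""Parse, validate and re-render ipsec.conf-style files (strongSwan 2.x/4.x syntax).
Helper names are hypothetical; the sample file below is constructed."""
import ipaddress
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")   # headers start in column 0
VERSION_RE = re.compile(r"^version\s+(\d+)\s*$")
SUBNET_KEYS = ("leftsubnet", "rightsubnet")
INDENT = "        "   # any leading whitespace marks a parameter line


def parse_ipsec_conf(text):
    """Return (version, sections); sections maps (kind, name) -> OrderedDict of params.
    Raises ValueError on a duplicate section, a duplicate key or a parameter
    outside any section, the mistakes a generator is most likely to make."""
    version, sections, current = None, OrderedDict(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or whole-line comment (#DEB/#FIN markers)
        m = VERSION_RE.match(raw)
        if m:
            version = int(m.group(1))
            continue
        m = SECTION_RE.match(raw)
        if m:
            key = (m.group(1), m.group(2))
            if key in sections:
                raise ValueError(f"line {lineno}: duplicate section {key}")
            current = sections[key] = OrderedDict()
            continue
        if current is None or "=" not in raw:
            raise ValueError(f"line {lineno}: parameter outside a section: {raw!r}")
        k, v = (s.strip() for s in raw.split("=", 1))   # split once: DNs contain '='
        if k in current:
            raise ValueError(f"line {lineno}: duplicate parameter {k!r}")
        current[k] = v
    return version, sections


def normalize_subnet(value):
    """Accept 'a.b.c.d/netmask' or 'a.b.c.d/prefix' and return CIDR form.
    strict=True rejects host bits set in the network part (a frequent typo)."""
    return str(ipaddress.ip_network(value, strict=True))


def validate(sections):
    """Normalise the subnets of every conn in place and return the tunnel names."""
    names = []
    for (kind, name), params in sections.items():
        if kind != "conn":
            continue
        for k in SUBNET_KEYS:
            if k in params:
                params[k] = normalize_subnet(params[k])
        if name != "%default":
            names.append(name)
    return names


def render_ipsec_conf(version, sections):
    """Render sections back to ipsec.conf text in the posted file's layout."""
    out = [f"version {version}"] if version is not None else []
    for (kind, name), params in sections.items():
        out.append(f"{kind} {name}")
        out.extend(f"{INDENT}{k}={v}" for k, v in params.items())
        out.append("")
    return "\n".join(out)


# Constructed sample in the same layout as the post; addresses are documentation ranges.
SAMPLE_CONF = """\
version 2
config setup
         interfaces=%defaultroute
         uniqueids=yes

conn %default
         keyingtries=3
         authby=rsasig

#DEB: ca-EXAMPLE
ca ca-EXAMPLE
         cacert=CertifCa.pem
         crluri=http://crl.example.invalid/example.crl
         auto=add
#FIN: ca-EXAMPLE

conn C-0001-EXAMPLE
         rightid="@/C=fr/O=example/CN=gateway"
         right=192.0.2.1
         rightsubnet=172.30.107.224/255.255.255.240
         leftsubnet=10.21.11.0/255.255.255.0
         auto=start
"""

if __name__ == "__main__":
    ver, secs = parse_ipsec_conf(SAMPLE_CONF)
    print(f"{len(validate(secs))} tunnel(s) validated\n")
    print(render_ipsec_conf(ver, secs))
```

Running the module parses the sample, rewrites the dotted netmasks as /28 and /24, and prints the file back out; feeding it the real generated files is how you would find the tunnel whose subnet has host bits set or whose conn name was emitted twice.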



