[strongSwan] questions about strongswan 4.4

Andreas Steffen andreas.steffen at strongswan.org
Wed Sep 22 18:11:58 CEST 2010


On 22.09.2010 17:42, samuel morin wrote:
> Hi,
> 
> Until now, we have used strongswan 2.8 for our VPN and we wrote an ipsec.conf 
> generator for our config files (we have several hundred tunnels).
> 
> Here is an example of a piece of a configuration file:
> 
> version 2
> config setup
>          interfaces=%defaultroute
>          klipsdebug=none
>          plutodebug=none
>          #strictcrlpolicy=yes
>          uniqueids=yes
> 
> 
> conn %default
>          keyingtries=3
>          keylife=8h
>          ikelifetime=3h
>          authby=rsasig
>          pfs=yes
> 
> 
> #DEB: ca-AGRIATES-DIJON-02
> ca ca-AGRIATES-DIJON-02
>          cacert=CertifCa.pem
>          crluri=http://crl1.igc.education.fr/agriates.crl
>          crluri2=http://crl2.igc.education.fr/agriates.crl
>          auto=add
> #FIN: ca-AGRIATES-DIJON-02
> 
> #DEB:0210017E-01-AGRIATES-DIJON-02
> 
> conn C-0210017E-01-0-AGRIATES-DIJON-02
>          rightrsasigkey=%cert
>          leftrsasigkey=%cert
> 
>          rightid="@/C=fr/O=gouv/OU=education/OU=ac-dijon/CN=AGRIATES-DIJON-02"
>          right=xxx.xxx.xxx.xxa
>          rightsubnet=172.30.107.224/255.255.255.240
>          rightnexthop=xxx.xxx.xxx.xxb
>          leftid="@/C=fr/O=gouv/OU=education/OU=ac-dijon/CN=0210017E-01"
>          left=yyy.yyy.yyy.yya
>          leftcert=/etc/freeswan/ipsec.d/0210017E-01.pem
>          leftsourceip=10.21.11.1
>          leftsubnet=10.21.11.0/255.255.255.0
>          leftnexthop=yyy.yyy.yyy.yyb
> 
>          leftupdown="/etc/freeswan/ipsec_updown_AGRIATES-DIJON-02-0210017E-01-0"
>          lefthostaccess=yes
> 
>          ike=aes256-sha2_512-modp8192,aes128-sha2_256-modp2048,aes128-sha-modp2048,aes128-sha2_256-modp1536,aes128-sha-modp1536,3des-md5-modp1536,3des-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024
>          esp=aes256-sha2_512,aes128-sha2_256,aes128-sha1,3des-md5,3des-sha1
>          pfsgroup=modp2048
>          auto=start
> 
> Each school may have 10 tunnels to a central gateway.
> 
> Now we need to change to strongswan version 4.4 and use its new 
> functionalities.
> We would like to generate our config in sqlite format (easier to 
> generate and to update than a config file). I have a lot of questions 
> about this version compared to the old one.
> 
> Is it possible, in sqlite mode, to mix ikev1 and ikev2 connections?
>
Currently only the IKEv2 charon daemon allows storing connection
definitions in an SQLite database. You can mix IKEv1 and IKEv2
connections if you define the IKEv1 ones in ipsec.conf and the
IKEv2 ones in the database.

> Is it possible to reproduce the same behaviour that we used until now, 
> using an sqlite database instead of file configuration?
>
> I don't find how to put some parameters like crluri, sourceip.
>
ca sections containing crluri information cannot be stored in a
database yet, but I could have a look at whether it could be easily
done.

The leftsourceip parameter is not needed by the IKEv2 daemon
since charon finds out if one of the gateway's network interfaces
belongs to leftsubnet and automatically adds a source route.

> I don't really understand some columns of tables, like the "kind" column in 
> the "child_config_traffic_selector" table. How do I use it?
>
http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql;h=54086643f6ecf47f49d90ed22bf9c3f4266218f0;hb=HEAD#l129

shows an example. Kind can take on the following values:

TS_LOCAL  = 0
TS_REMOTE = 1
TS_LOCAL_DYNAMIC  = 2
TS_REMOTE_DYNAMIC = 3

as shown in

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/sql/sql_config.c;h=a47d93f7b1399a98dda65ddc14490525097d9043;hb=HEAD#l49

TS_LOCAL/TS_REMOTE are used with predefined left/rightsubnets
and TS_LOCAL_DYNAMIC/TS_REMOTE_DYNAMIC are used in host mode
and might include the assignment of a virtual IP as shown in
this roadwarrior example

http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql;h=d2cd51debf19f6b5406197e38c18fcfb5c14beb9;hb=HEAD#l129

> 
> I saw that in strongswan 4.4.x there are options to manage High 
> Availability. I saw how to activate it but not how to use it. Is it 
> possible to have some examples?
>
A HOWTO can be found under the link

http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability

> Thank you very much for your help
> 
> Best regards
> 
> samuel
> 

Best regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
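The "kind" mapping described in the reply (TS_LOCAL/TS_REMOTE for fixed left/rightsubnets, the _DYNAMIC variants for host mode) is the part a generator like Samuel's has to get right when it emits SQLite rows instead of ipsec.conf. The following is an added example, not code from the thread or from the strongSwan project: a small Python generator that turns a conn's left/rightsubnet values (including the 2.8-style addr/netmask notation quoted above) into traffic_selectors and child_config_traffic_selector rows. The two-table schema it creates is an assumed, abbreviated stand-in written from memory of the linked data.sql; the child_cfg ids and the 10.1.0.0/16 sample subnet are constructed values. Compare the column names against the data.sql linked above before using it against a real database.

```python
import ipaddress
import sqlite3

# Values of the "kind" column in child_config_traffic_selector, as given in the reply.
TS_LOCAL = 0
TS_REMOTE = 1
TS_LOCAL_DYNAMIC = 2
TS_REMOTE_DYNAMIC = 3

# IKEv2 traffic selector type codes (RFC 4306, section 3.13.1).
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8

# ASSUMPTION: abbreviated stand-in for the sql plugin's two traffic selector
# tables; column names are recalled from the linked data.sql, not copied from it.
SCHEMA = """
CREATE TABLE traffic_selectors (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  type INTEGER NOT NULL,
  protocol INTEGER NOT NULL DEFAULT 0,
  start_addr BLOB DEFAULT NULL,
  end_addr BLOB DEFAULT NULL,
  start_port INTEGER NOT NULL DEFAULT 0,
  end_port INTEGER NOT NULL DEFAULT 65535
);
CREATE TABLE child_config_traffic_selector (
  child_cfg INTEGER NOT NULL,
  traffic_selector INTEGER NOT NULL,
  kind INTEGER NOT NULL
);
"""


def open_db(path=":memory:"):
    """Create the two tables in a fresh SQLite database."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def subnet_to_range(text):
    """Map 'addr/netmask' (2.8 style) or CIDR to (type, first, last) packed bytes."""
    net = ipaddress.ip_network(text, strict=False)
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    return ts_type, net.network_address.packed, net.broadcast_address.packed


def add_traffic_selectors(conn, child_cfg, leftsubnet=None, rightsubnet=None):
    """Insert one conn's selectors and link them to child_cfg.

    A side with a subnet gets an explicit range and kind TS_LOCAL/TS_REMOTE.
    A side without one is host mode: a selector without a range is stored and
    marked TS_LOCAL_DYNAMIC/TS_REMOTE_DYNAMIC, so charon fills in the host's
    (or assigned virtual) address at run time.
    Returns the (child_cfg, traffic_selector, kind) rows written.
    """
    links = []
    for subnet, fixed_kind, dynamic_kind in (
        (leftsubnet, TS_LOCAL, TS_LOCAL_DYNAMIC),
        (rightsubnet, TS_REMOTE, TS_REMOTE_DYNAMIC),
    ):
        if subnet is None:
            cur = conn.execute("INSERT INTO traffic_selectors (type) VALUES (?)",
                               (TS_IPV4_ADDR_RANGE,))
            kind = dynamic_kind
        else:
            ts_type, first, last = subnet_to_range(subnet)
            cur = conn.execute(
                "INSERT INTO traffic_selectors (type, start_addr, end_addr) "
                "VALUES (?, ?, ?)", (ts_type, first, last))
            kind = fixed_kind
        link = (child_cfg, cur.lastrowid, kind)
        conn.execute("INSERT INTO child_config_traffic_selector "
                     "(child_cfg, traffic_selector, kind) VALUES (?, ?, ?)", link)
        links.append(link)
    conn.commit()
    return links


def describe(conn, child_cfg):
    """Read back (kind, first, last) per selector, addresses as dotted strings."""
    query = ("SELECT c.kind, t.start_addr, t.end_addr "
             "FROM child_config_traffic_selector c "
             "JOIN traffic_selectors t ON t.id = c.traffic_selector "
             "WHERE c.child_cfg = ? ORDER BY c.kind")
    out = []
    for kind, first, last in conn.execute(query, (child_cfg,)):
        if first is None:
            out.append((kind, None, None))  # dynamic: range supplied by charon
        else:
            out.append((kind, str(ipaddress.ip_address(first)),
                        str(ipaddress.ip_address(last))))
    return out


if __name__ == "__main__":
    db = open_db()
    # The net-to-net conn quoted above; child_cfg id 1 is a constructed value.
    add_traffic_selectors(db, 1, leftsubnet="10.21.11.0/255.255.255.0",
                          rightsubnet="172.30.107.224/255.255.255.240")
    # A host-mode (roadwarrior) child with only a remote subnet (constructed).
    add_traffic_selectors(db, 2, rightsubnet="10.1.0.0/16")
    for cfg in (1, 2):
        print(cfg, describe(db, cfg))
```

The netmask form `172.30.107.224/255.255.255.240` becomes the range .224 to .239 with kind 1 (TS_REMOTE); the side left unspecified in the second call is stored as a selector without addresses and linked with kind 2 (TS_LOCAL_DYNAMIC), which is the host-mode case the reply describes.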