[strongSwan] Asymmetric PSK auth support for IKEv2 tunnel
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Fri Dec 23 03:08:56 CET 2016
Hi
Followup to the earlier discussion and conclusions on this issue/feature
(as below):
1. I had further discussions and requested some help from a
Cisco-Engineer, and after analyzing the configurations done by me on the
Cisco-IOS-Router (and on the Strongswan-5.3.0 IPsec-Peer, which was an
Ubuntu Linux machine) on this issue
2. It was identified by the Cisco engineer that I had misconfigured the
IKEv2 KEYRING on the Cisco-IOS-Router...
3. As per the Cisco-Engineer, in the IKEv2 Keyring config section on a
Cisco-router, the PSKs are to be configured in the Peer's (strongswan)
context. Therefore, in the keyring
"local" means the peer's (strongswan) local psk-value
"remote" means the peer's (strongswan) remote psk-value
4. So, applying the above logic in point-3, the following are the sample
configs (with respect to "ipsec.secrets" and cisco-ikev2-keyring configs) to
be used when we have to establish an IKEv2 tunnel between Strongswan and
Cisco-Router using Asymmetric-PSKs:
On Peer1-Strongswan (with ip-1.1.1.252)
-----------------------------
the ipsec.secrets will be set as:
# /etc/ipsec.secrets - strongSwan IPsec secrets file
1.1.1.252 : PSK "test1234xyz"
2.2.2.123 : PSK "cisco123abc"
On Peer2-CiscoIOS-Router (with ip-2.2.2.123)
---------------------------------------------
the ikev2 keyring will be configured as below on this peer2
crypto ikev2 keyring IKEv2_KEYRING
 peer strongswanpeer
  address 1.1.1.252
  identity address 1.1.1.252
  pre-shared-key local test1234xyz
  pre-shared-key remote cisco123abc
5. In summary, using the above config logic/method, I could successfully
establish an IKEv2-IPsec Tunnel using Asymmetric-PSK (Asynchronous PSK)
authentication between Strongswan and Cisco-Router. I have been able to
successfully send/receive traffic through the tunnel.
Looking at the successful establishment of the IKEv2 tunnel (with
Asymmetric-PSKs),
a) we can see that Strongswan does have the support for the Asymmetric-PSKs
IKEv2-authentication method
b) Can you please confirm whether the above is the correct conclusion?
c) Can you please advise whether this conclusion would be acceptable and
therefore somewhat an official support in strongswan?
For future reference for all users of Strongswan, the complete
configurations on Strongswan and on the CiscoIOS-Router are as below:
On Peer1-Strongswan
================
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    strictcrlpolicy=no
    charondebug="ike 1, knl 1, cfg 1,net 1"

conn %default
    ikelifetime=3h
    keylife=1h
    mobike=no
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120

conn tociscortr1
    left=1.1.1.252
    leftsubnet=192.168.1.0/24
    right=2.2.2.123
    rightsubnet=192.168.25.0/24
    leftid=1.1.1.252
    rightid=2.2.2.123
    leftauth=psk
    rightauth=psk
    keyexchange=ikev2
    type=tunnel
    ike=aes128-sha-modp1024
    esp=aes128-sha
    auto=route
the ipsec.secrets will be set as:
# /etc/ipsec.secrets - strongSwan IPsec secrets file
1.1.1.252 : PSK "test1234xyz"
2.2.2.123 : PSK "cisco123abc"
On Peer2-CiscoIOS-Router
=======================
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco2951-router
!
boot-start-marker
boot-end-marker
!
enable password cisco123
!
aaa new-model
!
aaa authentication login authen local
aaa authentication login vpn local
aaa authentication enable default none
aaa authorization network author local
aaa authorization network vpn local
!
aaa session-id common
!
ip cef
no ipv6 cef
!
username cisco password 0 cisco123
username iosuser1 password 0 test1234
username iosuser2 password 0 test1234
!
redundancy
!
crypto ikev2 proposal IKEv2_PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 2
!
crypto ikev2 policy IKEv2_POLICY
 proposal IKEv2_PROPOSAL
!
crypto ikev2 keyring IKEv2_KEYRING
 peer strongswanpeer
  address 1.1.1.252
  identity address 1.1.1.252
  pre-shared-key local test1234xyz
  pre-shared-key remote cisco123abc
!
crypto ikev2 profile IKEv2_PROFILE
 match identity remote address 1.1.1.252 255.255.255.255
 identity local address 2.2.2.123
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING
!
crypto ikev2 nat keepalive 10
crypto ikev2 dpd 30 5 periodic
!
crypto isakmp keepalive 30
crypto isakmp nat keepalive 10
!
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto map IKEv2_MAP 1000 ipsec-isakmp
 set peer 1.1.1.252
 set transform-set TS1
 set ikev2-profile IKEv2_PROFILE
 match address s2stun1
!
interface GigabitEthernet0/0
 description TO-TESTLAB1-NETWORK
 ip address 172.24.1.253 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN-INTERFACE-TO-TESTSETUP
 ip address 2.2.2.123 255.255.255.0
 no ip proxy-arp
 duplex auto
 speed auto
 ipv6 nd ra suppress
 crypto map IKEv2_MAP
!
interface GigabitEthernet0/2
 description LAN-INTERFACE-TO-TESTSETUP
 ip address 192.168.25.253 255.255.255.0
 no ip proxy-arp
 duplex auto
 speed auto
 ipv6 nd ra suppress
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip access-list extended s2stun1
 permit ip 192.168.25.0 0.0.0.255 192.168.1.0 0.0.0.255
==================================================
Awaiting your further advice and suggestions, thank you so much for your
help.
With regards,
Rajiv
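As an added illustration of why two different secrets can work at all (this is example code, not from the post or from strongSwan/Cisco), the snippet below computes the IKEv2 PSK AUTH payload as defined in RFC 7296 section 2.15 with PRF_HMAC_SHA1 (the PRF implied by the "sha" in ike=aes128-sha-modp1024) and shows that each direction of the exchange is bound to exactly one secret: the side that builds AUTH and the side that verifies it must agree on that secret, but the two directions need not share one. The signed-octets inputs are constructed placeholders, and the mapping of test1234xyz to strongSwan's own AUTH and cisco123abc to the router's AUTH is taken from the post's conclusion and assumed here.

```python
import hmac
import hashlib

# RFC 7296, section 2.15, PSK authentication:
#   AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
KEY_PAD = b"Key Pad for IKEv2"


def prf_hmac_sha1(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, negotiated by the aes128-sha proposal in the post."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev2_psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH payload data built by the side authenticating itself."""
    return prf_hmac_sha1(prf_hmac_sha1(psk, KEY_PAD), signed_octets)


def verify_psk_auth(psk: bytes, signed_octets: bytes, auth: bytes) -> bool:
    """Verifier recomputes AUTH with the secret it holds for this direction."""
    return hmac.compare_digest(ikev2_psk_auth(psk, signed_octets), auth)


# Constructed stand-ins for the real signed octets (the IKE_SA_INIT message,
# the peer's nonce and prf(SK_p, IDPayload) concatenated).
INIT_SIGNED = b"constructed-initiator-signed-octets"
RESP_SIGNED = b"constructed-responder-signed-octets"

# Secrets from the post: strongSwan (1.1.1.252) and Cisco (2.2.2.123).
PSK_STRONGSWAN = b"test1234xyz"
PSK_CISCO = b"cisco123abc"


def asymmetric_exchange():
    """Returns (init ok, init wrong-key, resp ok, resp wrong-key)."""
    # strongSwan (initiator) signs with its own secret; the router must
    # verify with that same secret, and the other secret must fail.
    auth_i = ikev2_psk_auth(PSK_STRONGSWAN, INIT_SIGNED)
    ok_i = verify_psk_auth(PSK_STRONGSWAN, INIT_SIGNED, auth_i)
    wrong_i = verify_psk_auth(PSK_CISCO, INIT_SIGNED, auth_i)
    # The router (responder) signs with its own, different secret.
    auth_r = ikev2_psk_auth(PSK_CISCO, RESP_SIGNED)
    ok_r = verify_psk_auth(PSK_CISCO, RESP_SIGNED, auth_r)
    wrong_r = verify_psk_auth(PSK_STRONGSWAN, RESP_SIGNED, auth_r)
    return ok_i, wrong_i, ok_r, wrong_r


if __name__ == "__main__":
    print(asymmetric_exchange())  # (True, False, True, False)
```

The two False results are what a swapped "local"/"remote" keyring entry produces on the wire: the AUTH payload arrives intact, but the verifier recomputes it with the wrong secret and the IKE_AUTH exchange fails.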