Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- strongswan [2025/05/09 00:25]
+++ strongswan [2025/07/03 14:25] (aktuell)
@@ Zeile 1: / Zeile 1: @@
+Kostenloses selbst gehostetes Site to Site [[VPN]]. Siehe auch [[Libreswan]]
+<code>
+sudo apt update
+sudo apt install strongswan
+</code>
+<code>
+ipsec status
+ipsec restart
+ip xfrm policy
+ip xfrm state
+</code>
+<code>
+diagnose debug enable
+diagnose debug console timestamp enable
+diagnose debug application ike -1
+diagnose debug disable
+</code>
+=====Beispiel=====
+[[IPSec]] Site-to-site VPN
+^Standort^IP-Adresse^LAN^
+|A (left)|1.1.1.1|192.168.1.0/24|
+|B (right)|2.2.2.2|192.168.2.0/24|
+Standort A
+<code>
+# /etc/ipsec.conf
+config setup
+    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
+conn site-to-site
+    auto=start
+    keyexchange=ikev2
+    authby=secret
+    left=1.1.1.1                # öffentliche IP von A
+    leftsubnet=192.168.1.0/24   # internes Netz von A
+    right=2.2.2.2               # öffentliche IP von B
+    rightsubnet=192.168.2.0/24  # internes Netz von B
+    ike=aes256-sha256-modp1024!
+    esp=aes256-sha256!
+    dpdaction=restart
+    dpddelay=30s
+    dpdtimeout=120s
+</code>
+<code>
+# /etc/ipsec.secrets
+# <local-ip> <remote-ip> : PSK <password>
+.1.1.1 2.2.2.2 : PSK "EinStarkesPasswort123!"
+</code>
+Standort B
+<code>
+# /etc/ipsec.conf
+config setup
+    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
+conn site-to-site
+    auto=start
+    keyexchange=ikev2
+    authby=secret
+    left=2.2.2.2                # öffentliche IP von B
+    leftsubnet=192.168.2.0/24   # internes Netz von B
+    right=1.1.1.1               # öffentliche IP von A
+    rightsubnet=192.168.1.0/24  # internes Netz von A
+    ike=aes256-sha256-modp1024!
+    esp=aes256-sha256!
+    dpdaction=restart
+    dpddelay=30s
+    dpdtimeout=120s
+</code>
+<code>
+# /etc/ipsec.secrets
+# <local-ip> <remote-ip> : PSK <password>
+.2.2.2 1.1.1.1 : PSK "EinStarkesPasswort123!"
+</code>
+Auf beiden Standorten
+<code>
+echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
+sudo sysctl -p
+</code>
+<code>
+# Firewall erlauben
+sudo ufw allow 500,4500/udp
+# Leite Traffic für 192.168.1.0/24 nach 192.168.2.0/24
+iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
+# Leite Traffic für 192.168.2.0/24 nach 192.168.1.0/24
+iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
+</code>
+<code>
+sudo systemctl restart strongswan #Nope
+sudo systemctl restart strongswan-starter
+sudo ipsec statusall
+ip route
+ip xfrm policy
+</code>
+=====Mitschnitt=====
+<code>
+C:\Users\manuel.zarat>ssh root@176.103.220.16
+The authenticity of host '176.103.220.16 (176.103.220.16)' can't be established.
+ED25519 key fingerprint is SHA256:3zNch+1SSWrLC/ZO/wN0G+6MMxLweIzh3tWL1V106FM.
+This key is not known by any other names.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added '176.103.220.16' (ED25519) to the list of known hosts.
+Enter passphrase for key 'C:\Users\manuel.zarat/.ssh/id_rsa':
+Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-139-generic x86_64)
+ * Documentation:  https://help.ubuntu.com
+ * Management:     https://landscape.canonical.com
+ * Support:        https://ubuntu.com/pro
+ System information as of Fri May  9 01:42:22 PM CEST 2025
+  System load:  0.92              Processes:             87
+  Usage of /:   9.0% of 24.05GB   Users logged in:       0
+  Memory usage: 9%                IPv4 address for eth0: 176.103.220.16
+  Swap usage:   0%                IPv6 address for eth0: 2a10:fc81:9388:a08c::1
+Expanded Security Maintenance for Applications is not enabled.
+updates can be applied immediately.
+Enable ESM Apps to receive additional future security updates.
+See https://ubuntu.com/esm or run: sudo pro status
+The programs included with the Ubuntu system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
+applicable law.
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~# sudo apt update
+Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
+Hit:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
+Hit:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
+Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+All packages are up to date.
+root@vm-fjqfnd2u:~# sudo apt install strongswan
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+The following additional packages will be installed:
+  libcharon-extauth-plugins libstrongswan libstrongswan-standard-plugins strongswan-charon strongswan-libcharon
+  strongswan-starter
+Suggested packages:
+  libstrongswan-extra-plugins libcharon-extra-plugins
+The following NEW packages will be installed:
+  libcharon-extauth-plugins libstrongswan libstrongswan-standard-plugins strongswan strongswan-charon
+  strongswan-libcharon strongswan-starter
+upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
+Need to get 959 kB of archives.
+After this operation, 4,243 kB of additional disk space will be used.
+Do you want to continue? [Y/n] y
+Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libstrongswan amd64 5.9.5-2ubuntu2.3 [394 kB]
+Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan-libcharon amd64 5.9.5-2ubuntu2.3 [266 kB]
+Get:3 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan-charon amd64 5.9.5-2ubuntu2.3 [23.7 kB]
+Get:4 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan-starter amd64 5.9.5-2ubuntu2.3 [156 kB]
+Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libcharon-extauth-plugins amd64 5.9.5-2ubuntu2.3 [24.5 kB]
+Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libstrongswan-standard-plugins amd64 5.9.5-2ubuntu2.3 [76.6 kB]
+Get:7 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan all 5.9.5-2ubuntu2.3 [18.7 kB]
+Fetched 959 kB in 1s (1,206 kB/s)
+Preconfiguring packages ...
+Selecting previously unselected package libstrongswan.
+(Reading database ... 93565 files and directories currently installed.)
+Preparing to unpack .../0-libstrongswan_5.9.5-2ubuntu2.3_amd64.deb ...
+Unpacking libstrongswan (5.9.5-2ubuntu2.3) ...
+Selecting previously unselected package strongswan-libcharon.
+Preparing to unpack .../1-strongswan-libcharon_5.9.5-2ubuntu2.3_amd64.deb ...
+Unpacking strongswan-libcharon (5.9.5-2ubuntu2.3) ...
+Selecting previously unselected package strongswan-charon.
+Preparing to unpack .../2-strongswan-charon_5.9.5-2ubuntu2.3_amd64.deb ...
+Unpacking strongswan-charon (5.9.5-2ubuntu2.3) ...
+Selecting previously unselected package strongswan-starter.
+Preparing to unpack .../3-strongswan-starter_5.9.5-2ubuntu2.3_amd64.deb ...
+Unpacking strongswan-starter (5.9.5-2ubuntu2.3) ...
+Selecting previously unselected package libcharon-extauth-plugins.
+Preparing to unpack .../4-libcharon-extauth-plugins_5.9.5-2ubuntu2.3_amd64.deb ...
+Unpacking libcharon-extauth-plugins (5.9.5-2ubuntu2.3) ...
+Selecting previously unselected package libstrongswan-standard-plugins.
+Preparing to unpack .../5-libstrongswan-standard-plugins_5.9.5-2ubuntu2.3_amd64.deb ...
+Unpacking libstrongswan-standard-plugins (5.9.5-2ubuntu2.3) ...
+Selecting previously unselected package strongswan.
+Preparing to unpack .../6-strongswan_5.9.5-2ubuntu2.3_all.deb ...
+Unpacking strongswan (5.9.5-2ubuntu2.3) ...
+Setting up libstrongswan (5.9.5-2ubuntu2.3) ...
+Setting up strongswan-libcharon (5.9.5-2ubuntu2.3) ...
+Setting up libcharon-extauth-plugins (5.9.5-2ubuntu2.3) ...
+Setting up strongswan-charon (5.9.5-2ubuntu2.3) ...
+Setting up libstrongswan-standard-plugins (5.9.5-2ubuntu2.3) ...
+Setting up strongswan-starter (5.9.5-2ubuntu2.3) ...
+Created symlink /etc/systemd/system/multi-user.target.wants/strongswan-starter.service → /lib/systemd/system/strongswan-starter.service.
+Setting up strongswan (5.9.5-2ubuntu2.3) ...
+Processing triggers for man-db (2.10.2-1) ...
+Scanning processes...
+Scanning linux images...
+Running kernel seems to be up-to-date.
+No services need to be restarted.
+No containers need to be restarted.
+No user sessions are running outdated binaries.
+No VM guests are running outdated hypervisor (qemu) binaries on this host.
+root@vm-fjqfnd2u:~# nano /etc/ipsec.conf
+root@vm-fjqfnd2u:~# nano /etc/ipsec.conf
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~# nano /etc/ipsec.secrets
+root@vm-fjqfnd2u:~# sudo systemctl restart strongswan
+Failed to restart strongswan.service: Unit strongswan.service not found.
+root@vm-fjqfnd2u:~# sudo systemctl restart strongswan
+Failed to restart strongswan.service: Unit strongswan.service not found.
+root@vm-fjqfnd2u:~# service strongswan start
+Failed to start strongswan.service: Unit strongswan.service not found.
+root@vm-fjqfnd2u:~# ^C
+root@vm-fjqfnd2u:~# sudo systemctl restart strongswan-starter
+root@vm-fjqfnd2u:~# sudo ipsec statusall
+Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-139-generic, x86_64):
+  uptime: 10 seconds, since May 09 13:52:17 2025
+  malloc: sbrk 2105344, mmap 0, used 1226144, free 879200
+  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
+  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
+Listening IP addresses:
+.103.220.16
+a10:fc81:9388:a08c::1
+Connections:
+site-to-site:  176.103.220.16...213.33.126.194  IKEv1, dpddelay=30s
+site-to-site:   local:  [176.103.220.16] uses pre-shared key authentication
+site-to-site:   remote: [213.33.126.194] uses pre-shared key authentication
+site-to-site:   child:  192.168.150.0/24 === 192.168.160.0/24 TUNNEL, dpdaction=restart
+Security Associations (1 up, 0 connecting):
+site-to-site[1]: ESTABLISHED 10 seconds ago, 176.103.220.16[176.103.220.16]...213.33.126.194[213.33.126.194]
+site-to-site[1]: IKEv1 SPIs: 26f57177203d9634_i* 10720151977037b9_r, pre-shared key reauthentication in 2 hours
+site-to-site[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
+root@vm-fjqfnd2u:~# ip route
+default via 176.103.220.1 dev eth0 proto static
+.103.220.0/23 dev eth0 proto kernel scope link src 176.103.220.16
+root@vm-fjqfnd2u:~# ip xfrm policy
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket in priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket out priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket in priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket out priority 0
+src ::/0 dst ::/0
+        socket in priority 0
+src ::/0 dst ::/0
+        socket out priority 0
+src ::/0 dst ::/0
+        socket in priority 0
+src ::/0 dst ::/0
+        socket out priority 0
+root@vm-fjqfnd2u:~# nano /etc/ipsec.conf
+root@vm-fjqfnd2u:~# ip xfrm policy
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket in priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket out priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket in priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket out priority 0
+src ::/0 dst ::/0
+        socket in priority 0
+src ::/0 dst ::/0
+        socket out priority 0
+src ::/0 dst ::/0
+        socket in priority 0
+src ::/0 dst ::/0
+        socket out priority 0
+root@vm-fjqfnd2u:~# sudo systemctl restart strongswan-starter
+root@vm-fjqfnd2u:~# ip xfrm policy
+src 192.168.150.0/24 dst 192.168.160.0/24
+        dir out priority 375423
+        tmpl src 176.103.220.16 dst 213.33.126.194
+                proto esp spi 0x86d8f2b3 reqid 1 mode tunnel
+src 192.168.160.0/24 dst 192.168.150.0/24
+        dir fwd priority 375423
+        tmpl src 213.33.126.194 dst 176.103.220.16
+                proto esp reqid 1 mode tunnel
+src 192.168.160.0/24 dst 192.168.150.0/24
+        dir in priority 375423
+        tmpl src 213.33.126.194 dst 176.103.220.16
+                proto esp reqid 1 mode tunnel
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket in priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket out priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket in priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket out priority 0
+src ::/0 dst ::/0
+        socket in priority 0
+src ::/0 dst ::/0
+        socket out priority 0
+src ::/0 dst ::/0
+        socket in priority 0
+src ::/0 dst ::/0
+        socket out priority 0
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~# sudo systemctl restart strongswan-starter^C
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~#
+root@vm-fjqfnd2u:~# ip xfrm policy
+src 192.168.150.0/24 dst 192.168.160.0/24
+        dir out priority 375423
+        tmpl src 176.103.220.16 dst 213.33.126.194
+                proto esp spi 0x86d8f2b3 reqid 1 mode tunnel
+src 192.168.160.0/24 dst 192.168.150.0/24
+        dir fwd priority 375423
+        tmpl src 213.33.126.194 dst 176.103.220.16
+                proto esp reqid 1 mode tunnel
+src 192.168.160.0/24 dst 192.168.150.0/24
+        dir in priority 375423
+        tmpl src 213.33.126.194 dst 176.103.220.16
+                proto esp reqid 1 mode tunnel
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket in priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket out priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket in priority 0
+src 0.0.0.0/0 dst 0.0.0.0/0
+        socket out priority 0
+src ::/0 dst ::/0
+        socket in priority 0
+src ::/0 dst ::/0
+        socket out priority 0
+src ::/0 dst ::/0
+        socket in priority 0
+src ::/0 dst ::/0
+        socket out priority 0
+root@vm-fjqfnd2u:~#
+</code>
+=====Links=====
+  * [[https://strongswan.org/|Homepage]]

MBCDN

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Unterschiede

Seiten-Werkzeuge