IPsec

IPSec (Internet Protocol Security) is a collection of protocol extensions for the Internet Protocol (IP). The official information on encryption and authentication of those responsible for IP information and security for secure communication in IP rights such as the Internet.

IPsec strongSwan

strongSwan is an OpenSource IPsec implementation. It was originally based on the discontinued FreeS/WAN project and the X.509 patch that we developed. In order to have a stable IPsec platform to base the extensions of the X.509 capability on, we decided to launch the strongSwan project in 2005. Since then a new IKE daemon has been written in a modern object-oriented coding style so that the current code base does not share code with its ancestor anymore. Initially that daemon only supported IKEv2, while IKEv1 was handled by an extended version of FreeS/WAN's pluto daemon. But because adoption of IKEv2 by other vendors took longer than anticipated support for IKEv1 was added to the new daemon with strongSwan 5.0.0.

strongSwan originally was designed for Linux, but has since been ported to Android, FreeBSD, Mac OS X, Windows and other platforms.

The focus of strongSwan is on

  • simplicity of configuration
  • strong encryption and authentication methods
  • powerful IPsec policies supporting large and complex VPN networks
  • modular design with great expandability

[Source|https://www.strongswan.org/about.html]

Our current Strongswan Version - Linux strongSwan U5.5.1/K4.19.43

Tested Compatibility to Third Party Vendors

  • Netgear FVL328
  • Firebox X10e
  • CISCO ASA5505
  • CISCO 820
  • Virtual/GNS3 Cisco7200
  • Sarian XR2110
  • Draytek Vigor 2950
  • Astaro Firewall
  • bintec/funkwerk R1200wu

How to setup IPsec

The following step by step instruction will guide you through a IPsec configuration. So basically IPsec does have two different modes:

Tunnel mode:

  • Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by a another set of IP headers.
  • It is widely implemented in site-to-site VPN scenarios.
  • NAT traversal is supported with the tunnel mode.
  • Additional headers are added to the packet; so the payload MSS is less.

Transport mode:

  • The transport mode encrypts only the payload and ESP trailer; so the IP header of the original packet is not encrypted.
  • Unordered List ItemThe IPsec Transport mode is implemented for client-to-site VPN scenarios.
  • NAT traversal is not supported with the transport mode.
  • MSS is higher, when compared to Tunnel mode, as no additional headers are required.
  • The transport mode is usually used when another tunneling protocol (such as GRE, L2TP) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets.

Network setup

For this configuration we will use the most common mode, the tunnel mode. For this example we are using PSK as authentification method.

SideA Backend
Local WANRemote WAN - > < - Remote WANLocal WAN
10.10.10.110.10.10.2 10.10.10.110.10.10.2
GeneralParameter-GeneralParameter
Remote peer address10.10.10.2 Remote peer address0.0.0.0
Dead Peer Detection(DPD)Parameter Dead Peer Detection(DPD)Parameter
Detection cycle30 sec Detection cycle30 sec
Failure threshold3 Failure threshold3
Actionhold Actionhold
AuthenticationParameterc AuthenticationParameter
Key exchangeIKEv2 Key exchangeIKEv2
Authentication typepre shared key Authentication typepre shared key
PSK“TopSecret01” PSK“TopSecret01”
Local ID typeFQDN Local ID typeFQDN
Local ID“sideA” Local ID“backend”
Peer ID typeFQDN Peer ID typeFQDN
Peer ID“backend” Peer ID“sideA”
IKE Proposal - Phase1Parameter IKE Proposal - Phase1Parameter
Negotiation modeaggressive Negotiation modeaggressive
Encryption algorithmAES256 Encryption algorithmAES256
Authentication algorithmSHA256 Authentication algorithmSHA256
Diffie-Hellman groupGroup14(modp2048) Diffie-Hellman groupGroup14(modp2048)
Pseudo-random functionundefined Pseudo-random functionundefined
SA life time86400 sec SA life time86400 sec
IPsec Proposal - Phase2Parameter IPsec Proposal - Phase2Parameter
Encapsulation modeTunnel Encapsulation modeTunnel
IPsec protocolESP IPsec protocolESP
Encryption algorithmAES256 Encryption algorithmAES256
Authentication algorithmSHA256 Authentication algorithmSHA256
SA life time28800 sec SA life time28800 sec
Perfect forward secrecy (PFS)disable Perfect forward secrecy (PFS)disable
Force encapsulationenable Force encapsulationenable
NetworksParameter NetworksParameter
Local network192.168.1.0 Local network192.168.2.0
Local netmask24 Local netmask24
Remote network192.168.2.0 Remote network192.168.1.0
Remote netmask24 Remote netmask24

All necessary firewall rules for the IPsec functionality will be set automatically, with the enable of the IPsec service.

Server mode

There is also the opportunity to turn units into a IPsec server mode. By setting the remote peer address to 0.0.0.0 you're enable the mode. It basically means the router will accept any IP address with incoming initizalisation content for IPsec communication.

Expert mode

Our Software also can handle customized IPsec configurations. It's compatibility to the tested third party vendors. By simply uploading the IPsec configuration, the VPN communication can be established easily and fast.


Other How Tos