Site Tools


IPsec

IPSec (Internet Protocol Security) is a collection of protocol extensions for the Internet Protocol (IP). The official information on encryption and authentication of those responsible for IP information and security for secure communication in IP rights such as the Internet.

IPsec strongSwan

strongSwan is an OpenSource IPsec implementation. It was originally based on the discontinued FreeS/WAN project and the X.509 patch that we developed. In order to have a stable IPsec platform to base the extensions of the X.509 capability on, we decided to launch the strongSwan project in 2005. Since then a new IKE daemon has been written in a modern object-oriented coding style so that the current code base does not share code with its ancestor anymore. Initially that daemon only supported IKEv2, while IKEv1 was handled by an extended version of FreeS/WAN's pluto daemon. But because adoption of IKEv2 by other vendors took longer than anticipated support for IKEv1 was added to the new daemon with strongSwan 5.0.0.

strongSwan originally was designed for Linux, but has since been ported to Android, FreeBSD, Mac OS X, Windows and other platforms.

The focus of strongSwan is on

  • simplicity of configuration
  • strong encryption and authentication methods
  • powerful IPsec policies supporting large and complex VPN networks
  • modular design with great expandability

[Source|https://www.strongswan.org/about.html]

Our current Strongswan Version - Linux strongSwan U5.5.1/K4.19.43

Tested Compatibility to Third Party Vendors

  • Netgear FVL328
  • Firebox X10e
  • CISCO ASA5505
  • CISCO 820
  • Virtual/GNS3 Cisco7200
  • Sarian XR2110
  • Draytek Vigor 2950
  • Astaro Firewall
  • bintec/funkwerk R1200wu

How to setup IPsec

The following step by step instruction will guide you through a IPsec configuration. So basically IPsec does have two different modes:

Tunnel mode:

  • Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by a another set of IP headers.
  • It is widely implemented in site-to-site VPN scenarios.
  • NAT traversal is supported with the tunnel mode.
  • Additional headers are added to the packet; so the payload MSS is less.

Transport mode:

  • The transport mode encrypts only the payload and ESP trailer; so the IP header of the original packet is not encrypted.
  • Unordered List ItemThe IPsec Transport mode is implemented for client-to-site VPN scenarios.
  • NAT traversal is not supported with the transport mode.
  • MSS is higher, when compared to Tunnel mode, as no additional headers are required.
  • The transport mode is usually used when another tunneling protocol (such as GRE, L2TP) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets.

Network setup

For this configuration we will use the most common mode, the tunnel mode. For this example we are using PSK as authentification method.

SideABackend
Local WANRemote WANLocal WANRemote WAN
10.10.10.110.10.10.210.10.10.210.10.10.1
GeneralParameterGeneralParameter
Remote peer address10.10.10.2Remote peer address0.0.0.0
Dead Peer Detection(DPD)ParameterDead Peer Detection(DPD)Parameter
Detection cycle30 secDetection cycle30 sec
Failure threshold3Failure threshold3
ActionholdActionhold
AuthenticationParameterAuthenticationParameter
Key exchangeIKEv2Key exchangeIKEv2
Authentication typepre shared keyAuthentication typepre shared key
PSK“TopSecret01”PSK“TopSecret01”
Local ID typeFQDNLocal ID typeFQDN
Local ID“sideA”Local ID“backend”
Peer ID typeFQDN Peer ID typeFQDN
Peer ID“backend”Peer ID“sideA”
IKE Proposal - Phase1ParameterIKE Proposal - Phase1Parameter
Negotiation modeaggressiveNegotiation modeaggressive
Encryption algorithmAES256Encryption algorithmAES256
Authentication algorithmSHA256Authentication algorithmSHA256
Diffie-Hellman groupGroup14(modp2048)Diffie-Hellman groupGroup14(modp2048)
Pseudo-random functionundefinedPseudo-random functionundefined
SA life time86400 secSA life time86400 sec
IPsec Proposal - Phase2ParameterIPsec Proposal - Phase2Parameter
Encapsulation modeTunnelEncapsulation modeTunnel
IPsec protocolESPIPsec protocolESP
Encryption algorithmAES256Encryption algorithmAES256
Authentication algorithmSHA256Authentication algorithmSHA256
SA life time28800 secSA life time28800 sec
Perfect forward secrecy (PFS)disablePerfect forward secrecy (PFS)disable
Force encapsulationenableForce encapsulationenable
NetworksParameterNetworksParameter
Local network192.168.1.0Local network192.168.2.0
Local netmask24Local netmask24
Remote network192.168.2.0Remote network192.168.1.0
Remote netmask24Remote netmask24

All necessary firewall rules for the IPsec functionality will be set automatically, with the enable of the IPsec service.

Server mode

There is also the opportunity to turn units into a IPsec server mode. By setting the remote peer address to 0.0.0.0 you're enable the mode. It basically means the router will accept any IP address with incoming initizalisation content for IPsec communication.

Expert mode

Our Software also can handle customized IPsec configurations. It's compatibility to the tested third party vendors. By simply uploading the IPsec configuration, the VPN communication can be established easily and fast.


Other How Tos