ipsec changes: IKEv2, and more ipsec changes to hopefully inclrease stability

2018-11-18 22:06:53 +01:00 · 2018-11-18 22:06:53 +01:00 · 86d5c80bbb
parent e3fba4ecad
commit 86d5c80bbb
4 changed files with 46 additions and 15 deletions
--- a/debian/wit-network-config.install
+++ b/debian/wit-network-config.install
@ -12,5 +12,5 @@ files/qemu-ifup etc/libvirt/hooks
 files/firewall etc/init.d
 files/frr.conf.wit etc/frr
 files/ipsec.conf.wit etc
-files/swanctl-wit.conf.wit etc/swanctl/conf.d
 files/ips.issue etc/issue.d
+files/wit-logging.conf etc/strongswan.d
--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@ -1,21 +1,15 @@
 config setup
-    #charondebug="all"
    #uniqueids=yes
    #strictcrlpolicy=yes
    cachecrls=yes

-#ca ca-wit       #define alternative CRL distribution point
-#    cacert=ca-wit.crt
-#    crluri=ca-wit.crl
-#    auto=add

 conn %default
+    #keyexchange=ikev1
    keyingtries=%forever
-    dpdtimeout=10
-    dpddelay=3
-    dpdaction=restart
+    dpdtimeout=9
+    dpddelay=2
    type=transport
-    keyexchange=ikev1
    ike=aes256-sha512-modp4096,aes128-sha1-modp2048!
    esp=aes256-sha512-modp4096,aes128-sha1-modp2048!
    leftcert=FQHOSTNAME.crt
@ -24,18 +18,34 @@ conn %default
    auto=route


-conn loopback4
-    #leftsourceip=%config4
+conn local4
    left=LOOPBACKv4
    leftsubnet=LOOPBACKv4
+    right=LOOPBACKv4
+    rightsubnet=LOOPBACKv4
+    auth=none
+    type=passthrough
+
+
+conn loopback4
+    left=LOOPBACKv4
+    leftsubnet=LOOPBACKv4
+    right=IPSEC_IPV4_SUBNETS
    rightsubnet=IPSEC_IPV4_SUBNETS
-    right=%any4
+
+
+conn local6
+    left=LOOPBACKv6
+    leftsubnet=LOOPBACKv6
+    right=LOOPBACKv6
+    rightsubnet=LOOPBACKv6
+    auth=none
+    type=passthrough


 conn loopback6
-    #leftsourceip=%config6
    left=LOOPBACKv6
    leftsubnet=LOOPBACKv6
-    rightsubnet=IPSEC_IPV6_SUBNETS
    right=%any6
+    rightsubnet=IPSEC_IPV6_SUBNETS

--- a/files/wit-logging.conf
+++ b/files/wit-logging.conf
@ -0,0 +1,21 @@
+charon {
+    install_routes = no
+    install_virtual_ip = no
+    interfaces_use = lo
+    syslog {
+        auth {
+            ike_name = yes
+            default  = 0
+        }
+        daemon {
+            ike_name = yes
+            default  = 1
+            knl      = 1
+            cfg      = 1
+            ike      = 0
+            net      = 0
+            enc      = 0
+        }
+    }
+}
+
--- a/files/swanctl-wit.conf.wit
+++ b/files/swanctl-wit.conf.wit