From 86d5c80bbbe4759dcbbc0f6385d15f24133d9201 Mon Sep 17 00:00:00 2001 From: toby Date: Sun, 18 Nov 2018 22:06:53 +0100 Subject: [PATCH] ipsec changes: IKEv2, and more ipsec changes to hopefully inclrease stability --- debian/wit-network-config.install | 2 +- files/ipsec.conf.wit | 38 ++++++++++++------- files/wit-logging.conf | 21 ++++++++++ ...{swanctl-wit.conf.wit => wit-swanctl.conf} | 0 4 files changed, 46 insertions(+), 15 deletions(-) create mode 100644 files/wit-logging.conf rename files/{swanctl-wit.conf.wit => wit-swanctl.conf} (100%) diff --git a/debian/wit-network-config.install b/debian/wit-network-config.install index 018f391..b9aadc9 100644 --- a/debian/wit-network-config.install +++ b/debian/wit-network-config.install @@ -12,5 +12,5 @@ files/qemu-ifup etc/libvirt/hooks files/firewall etc/init.d files/frr.conf.wit etc/frr files/ipsec.conf.wit etc -files/swanctl-wit.conf.wit etc/swanctl/conf.d files/ips.issue etc/issue.d +files/wit-logging.conf etc/strongswan.d diff --git a/files/ipsec.conf.wit b/files/ipsec.conf.wit index 0c2be5d..1de4e92 100644 --- a/files/ipsec.conf.wit +++ b/files/ipsec.conf.wit @@ -1,21 +1,15 @@ config setup - #charondebug="all" #uniqueids=yes #strictcrlpolicy=yes cachecrls=yes -#ca ca-wit #define alternative CRL distribution point -# cacert=ca-wit.crt -# crluri=ca-wit.crl -# auto=add conn %default + #keyexchange=ikev1 keyingtries=%forever - dpdtimeout=10 - dpddelay=3 - dpdaction=restart + dpdtimeout=9 + dpddelay=2 type=transport - keyexchange=ikev1 ike=aes256-sha512-modp4096,aes128-sha1-modp2048! esp=aes256-sha512-modp4096,aes128-sha1-modp2048! leftcert=FQHOSTNAME.crt 
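Review bot: The swanctl configuration is no longer installed anywhere after this hunk: the removed line `files/swanctl-wit.conf.wit etc/swanctl/conf.d` has no replacement, while the same patch renames that file to `files/wit-swanctl.conf` and keeps it in the tree. If the rename is meant to keep the file in use, the list needs `files/wit-swanctl.conf etc/swanctl/conf.d`; if swanctl is being abandoned in favour of ipsec.conf, the file should be deleted rather than renamed so the two configuration paths cannot drift apart. The new `files/wit-logging.conf etc/strongswan.d` entry will be picked up assuming the shipped strongswan.conf still contains the default `include strongswan.d/*.conf`, which is worth confirming on the target image.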
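Review bot: Commenting out `keyexchange=ikev1` does not make the daemon IKEv2-only: with no `keyexchange` set, the ipsec.conf default `ike` initiates with IKEv2 but still accepts IKEv1 from peers as responder, so if the intent of this commit is to retire IKEv1 the line should become `keyexchange=ikev2`. Dropping `dpdaction=restart` while tightening `dpdtimeout=9` / `dpddelay=2` is inconsistent: `dpdaction` defaults to `none`, which disables active DPD, and `dpdtimeout` only applies to IKEv1 (IKEv2 relies on the retransmission timeout), so unless `dpdaction` is set elsewhere in the file the remaining dpd lines have no effect once IKEv2 is used. Consider keeping `dpdaction=restart` (or `clear`, since `auto=route` re-traps on the next packet anyway) and noting above the dpd lines that `dpdtimeout` is IKEv1-only. The `conn %default` section continues in the next hunk.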
@@ -24,18 +18,34 @@ conn %default auto=route -conn loopback4 - #leftsourceip=%config4 +conn local4 left=LOOPBACKv4 leftsubnet=LOOPBACKv4 + right=LOOPBACKv4 + rightsubnet=LOOPBACKv4 + auth=none + type=passthrough + + +conn loopback4 + left=LOOPBACKv4 + leftsubnet=LOOPBACKv4 + right=IPSEC_IPV4_SUBNETS rightsubnet=IPSEC_IPV4_SUBNETS - right=%any4 + + +conn local6 + left=LOOPBACKv6 + leftsubnet=LOOPBACKv6 + right=LOOPBACKv6 + rightsubnet=LOOPBACKv6 + auth=none + type=passthrough conn loopback6 - #leftsourceip=%config6 left=LOOPBACKv6 leftsubnet=LOOPBACKv6 - rightsubnet=IPSEC_IPV6_SUBNETS right=%any6 + rightsubnet=IPSEC_IPV6_SUBNETS diff --git a/files/wit-logging.conf b/files/wit-logging.conf new file mode 100644 index 0000000..0cea9b4 --- /dev/null +++ b/files/wit-logging.conf @@ -0,0 +1,21 @@ +charon { + install_routes = no + install_virtual_ip = no + interfaces_use = lo + syslog { + auth { + ike_name = yes + default = 0 + } + daemon { + ike_name = yes + default = 1 + knl = 1 + cfg = 1 + ike = 0 + net = 0 + enc = 0 + } + } +} + diff --git a/files/swanctl-wit.conf.wit b/files/wit-swanctl.conf similarity index 100% rename from files/swanctl-wit.conf.wit rename to files/wit-swanctl.conf
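Review bot: The IPv4 and IPv6 halves are no longer symmetric: `conn loopback4` changes `right=%any4` to `right=IPSEC_IPV4_SUBNETS`, while `conn loopback6` keeps `right=%any6` and only adds `rightsubnet=IPSEC_IPV6_SUBNETS`. Restricting `right` to the known peer ranges is the tighter of the two (the daemon then only negotiates with peers from those ranges instead of any IPv6 address), so the v6 side should probably follow with `right=IPSEC_IPV6_SUBNETS` rather than this being left as a silent difference; if it is an oversight, `right=%any4` restores the previous behaviour. In the new `conn local4` / `conn local6` passthrough entries, `auth=none` is not one of the documented ipsec.conf values for `auth` (`esp` | `ah`); a passthrough policy does no IKE or IPsec processing at all, so the line can be dropped, or if it is meant as `leftauth`/`rightauth` it should say so, and the starter's acceptance of it should be confirmed. A one-line comment above each passthrough conn, e.g. `# bypass policy: traffic from the host to its own loopback address must not be caught by the loopback4 trap policy`, would tell the next maintainer why these entries exist.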
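Review bot: The file name undersells its contents: besides the `syslog` section it sets `install_routes = no`, `install_virtual_ip = no` and `interfaces_use = lo`, which change how charon interacts with the routing table and which interfaces it binds, and nobody looking for those settings will open a file called wit-logging.conf. Either move the three runtime options into their own file under strongswan.d (e.g. a wit-charon.conf) or add a header comment such as `# charon runtime options for the WIT setup (routes/VIPs left to the routing daemon, IKE only on lo) plus syslog levels` — the routing-daemon part is inferred from the frr.conf.wit entry in the install list and should be confirmed. On the logging side, `ike = 0` with `daemon.default = 1` keeps the level-0 auditing lines (SA up/down) but loses the level-1 messages that usually explain why a peer or proposal was rejected, so an incident on a failing tunnel may leave little in syslog to work from; if that is a deliberate noise trade-off, a comment saying so will stop it being "fixed" later. The trailing empty `+` line can be dropped.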