{"id":1948,"date":"2022-09-08T11:41:04","date_gmt":"2022-09-08T03:41:04","guid":{"rendered":"http:\/\/notes4it.com\/?p=1948"},"modified":"2022-09-09T08:23:55","modified_gmt":"2022-09-09T00:23:55","slug":"freebsd-firewall-with-strongswan-building-site-to-site-vpn-tunnel-sample","status":"publish","type":"post","link":"http:\/\/notes4it.com\/?p=1948","title":{"rendered":"FreeBSD firewall with Strongswan building site to site vpn tunnel &#8211; sample"},"content":{"rendered":"\n<p>I recently has upgraded the FreeBSD version to 13 and found that the IPSec site to site between FreeBSD 13 to Juniper SRX is not working anymore. Strongswan is ditching the ipsec.conf and move to swanctl.conf. If we are moving to the vici, this requires some effort to translate the config.<\/p>\n\n\n\n<p>I have attached the quick and dirty sample to build a Policy based site to site IPSec vpn with Strongswan. Enhancement is required for production.<br>The sample is suitable for the following:<br>&#8211; policy based VPN<br>&#8211; using PSK.<br>&#8211; source vpn termination point is NATTed and behind a internet gateway.<br>&#8211; dynamic public IP address for source vpn termination point.<br>&#8211; dynamic destination IP address for the remote IPSec VPN termination point. (required the DNS lookup for the source vpn termination point.)<br>&#8211; multiple VPN termination points from the same source public IP address are allowed.<br><\/p>\n\n\n\n<!--more-->\n\n\n\n<p>Install the Strongswan into the FreeBSD:<br><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pkg install strongswan\n\nThe default strongSwan configuration interface have been updated to vici since version 5.9.2_1.\nTo use the stroke interface by default either compile the port without the vici option or\nset 'strongswan_interface=\"stroke\"' in your rc.conf file.<\/pre>\n\n\n\n<p>The swanctl config is located as listed below:<br><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/local\/etc\/swanctl\/conf.d # ls\nFBSD-AJ1401SRX01.conf\n\/usr\/local\/etc\/swanctl\/conf.d # vi FBSD-AJ1401SRX01.conf<\/pre>\n\n\n\n<p>Add the following into the \/etc\/rc.conf<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">##### enable strongswan for IPSec VPN\n##### \/usr\/local\/etc. Edit ipsec.conf\nstrongswan_enable=\"YES\"\n########################<\/pre>\n\n\n\n<p><br><br>Once the config file is completed, then reset the service.<br>service strongswan restart<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>connections {\nAJ1401SRX01 {\n    aggressive = yes\n    remote_addrs = &lt;ip address or domain name&gt;\n# if using domain then the machine needs to be able to perform DNS lookup.\n    version = 1\n# using ikev1 only.\n    proposals = &lt;same format as the ipsec.conf&gt;\n    local-1 {\n        auth = psk\n        id = AJHKGMATFWL01.ddns.sample\n# this is the local identity using hostname\n    }\n    remote-1 {\n        id = fatball.ddns.sample\n# this is the remote identity using hostname\n        auth = psk\n    }\n    children {\n# this is the phase 2 section.\n        AJ1401SRX01-1 {\n            local_ts = 172.16.254.13\/32 \n            remote_ts = 172.16.254.12\/32\n# the lines above are the interested traffic for policy based vpn.\n            esp_proposals = &lt;same format as the ipsec.conf&gt;\n            start_action = trap\n            dpd_action = restart\n        }\n    }\n}\n}\nsecrets {\nike-AJ1401SRX01 {\nsecret = \"the_PSK_secret_of_the_tunnel\"\nid-1 = fatball.ddns.sample\n}\n}<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>The following command can be used for troubleshooting and checking:<br>swanctl &#8211;list-conns<br># this lists out the loaded config.<br><br>swanctl &#8211;log<br># this gives you the error log for live troubleshoot.<br><br>swanctl &#8211;list-sas<br># this lists out the connected tunnel.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"849\" height=\"273\" src=\"http:\/\/notes4it.com\/wp-content\/uploads\/2022\/09\/IPSec_swanctl-list-sas.png\" alt=\"\" class=\"wp-image-1952\" srcset=\"http:\/\/notes4it.com\/wp-content\/uploads\/2022\/09\/IPSec_swanctl-list-sas.png 849w, http:\/\/notes4it.com\/wp-content\/uploads\/2022\/09\/IPSec_swanctl-list-sas-300x96.png 300w, http:\/\/notes4it.com\/wp-content\/uploads\/2022\/09\/IPSec_swanctl-list-sas-768x247.png 768w, http:\/\/notes4it.com\/wp-content\/uploads\/2022\/09\/IPSec_swanctl-list-sas-624x201.png 624w\" sizes=\"auto, (max-width: 849px) 100vw, 849px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Allow to use aggressive mode with PSK.<br>vi \/usr\/local\/etc\/strongswan.conf<br>add the following.<br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    i_dont_care_about_security_and_use_aggressive_mode_psk = yes        <\/code><\/pre>\n\n\n\n<p><br><\/p>\n\n\n\n<p>Reference:<br>&#8211; Strongswan ipsec.conf to swanctl.conf migration sample.<br>https:\/\/wiki.strongswan.org\/projects\/strongswan\/wiki\/Fromipsecconf<br><br>&#8211; Strongswan sample.<br>https:\/\/wiki.strongswan.org\/projects\/strongswan\/wiki\/UsableExamples<br><br>&#8211; Cipher options.<br>https:\/\/wiki.strongswan.org\/projects\/strongswan\/wiki\/IKEv1CipherSuites<br>https:\/\/wiki.strongswan.org\/projects\/strongswan\/wiki\/IKEv2CipherSuites<br><br>&#8211; allow  aggressive mode with PSK in Strongswan.<br>error message: Aggressive Mode PSK disabled for security reasons<br>https:\/\/support.fortinet.com.cn\/uploadfile\/wangxiang\/IPSEC%20VPN%20_between_Strongswan_and_FGT.pdf<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently has upgraded the FreeBSD version to 13 and found that the IPSec site to site between FreeBSD 13 to Juniper SRX is not working anymore. Strongswan is ditching the ipsec.conf and move to swanctl.conf. If we are moving to the vici, this requires some effort to translate the config. I have attached the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[233,234,225,231,232,230],"class_list":["post-1948","post","type-post","status-publish","format-standard","hentry","category-networking","tag-behind-nat","tag-dynamic-public-ip","tag-freebsd","tag-policy-based-vpn","tag-psk","tag-site-to-site-vpn"],"_links":{"self":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts\/1948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1948"}],"version-history":[{"count":17,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts\/1948\/revisions"}],"predecessor-version":[{"id":1984,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts\/1948\/revisions\/1984"}],"wp:attachment":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1948"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}