Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Configuration: OpenWRT's IPSec Configuration is defined in /etc/config/ipsec, the detail configuration content and map to StrongSwan configuration are described in below table

SectionOptionTypeStrongSwan configuration fileStrongSwan configuration optionValidated values Description
ipsec




Global configuration 

debugintstrongswan.confcharon.syslog
whether to enable log information

rtinstall_enabledbooleanstrongswan.confcharon.install_routes
Install routes into a separate routing table for established IPsec tunnels.

ignore_routing_tablesliststrongswan.confcharon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookup.

interfaceliststrongswan.confcharon.interfaces_use
A comma-separated list of network interfaces that should be used by charon. All other interfaces are ignored.
remote 




Define a group remote tunnels with same security configuration

tunnellist 




transport list




enabled boolean 


whether this configuration is enabled 

gateway String 

ipsec.secrets

ipsec.conf

local_gateway/remote_gateway

right 

192.168.0.5Defines the counter party ip address here

pre_shared_key String ipsec.secrets PSK 
Add the PSK inside the secrets file

auth_method String ipsec.conf leftauth/rightauth pubkey, psk, eap, xauthDefines the auth method that going to be used by two counter parties.

local_identifier String 

ipsec.secrets

ipsec.conf

 

local_identifier

leftid 

"C=CH, O=strongSwan, CN=peer"Assigns a specific identifier for the itself (This identity will be send to the counter party inside the request)

remote_identifier String 

ipsec.secrets

ipsec.conf

 

remote_identifier

rightid

"C=CH, O=strongSwan, CN=peerB"Assigns a specific identifier for the counter party

crypto_proposal listipsec.conf ike default: aes128-sha256-modp3072Defines list of IKE/ISAKMP SA encryption/authentication algorithms to be used

force_crypto_proposal boolean



tunnel

/transport






Define configuration for a tunnel or transport

modeString ipsec.conf autoadd/start/routeSets the operation for the connection while starts. 

local_subnetString ipsec.conf leftsubnet192.168.1.1/24Mostly used in site-to-site case. Sets the local subnet

local_natString ipsec.conf leftsubnet192.168.1.1/24Mostly used in site-to-site case. Sets the local subnet

local_sourceipString ipsec.conf leftsourceip192.168.1.2, %configSets the ip address of local site. The value can be set to '%config' if the site is going to request a dynamic ip from the counter party

local_updownString ipsec.conf leftupdown
The Updown plugin can be used to set custom firewall rules.

local_firewallString ipsec.conf leftfirewallyes, no(default)

remote_subnetString ipsec.conf rightsubnet192.168.0.1/24Mostly used in site-to-site case. Sets the subnet of the counter party

remote_sourceipString ipsec.conf rightsourceip192.168.0.2, 192.168.0.3-192.168.0.15Sets the ip address of the remote site. An ip pool can also be assigned when using the virtual ip

remote_updownString ipsec.conf rightupdown


remote_firewallString ipsec.conf rightfirewall


ikelifetimeString ipsec.conf ikelifetime60mSets the life time of the ike process before its re-negotiation

lifetimeString ipsec.conf lifetime1h(default)Set the life time of a particular instance would last

margintime String  ipsec.conf margintime 9m(default)Sets how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin

keyingtries String  ipsec.conf  keyingtries 3(default)Sets the maxium attempts to negotiate for a connection

dpdaction String  ipsec.conf  dpdaction clear, hold, restart, none(default)Sets the action against peer timeout, validated through Dead Peer Protection Protocol

dpddelay String  ipsec.conf  dpddelay 30s(default)Defines the time interval for the informational exchange sent to peer

inactivity boolean ipsec.conf  inactivity 30mDefines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic

keyexchange String  ipsec.conf  keyexchange ikev2, ikev1, ike(default, same as ikev2)Defines the protocol being used to initialize the connection

crypto_proposal list ipsec.conf  espaes128-sha256(default)Defines the comma-separated list of ESP encryption/authentication algorithms to be used for the connection
proposal  




Define configuration for a proposal 

encryption_algorithm String   ipsec.conf   ike/esp aes128Defines the encryption algorithm(together in ike)

hash_algorithm String   ipsec.conf   ike/esp sha256Defines the hash algorithm(together in ike)

dh_groupString  ipsec.conf  ike/espmodp3072Define the Diffie-Hellman group(together in ike)

IPSec CRD

IPSec CRD will be created by EWAN config Agent to configurate a remote configuration. it is defined as below, with filed map to ipsec configuration.

...

  • Normal response codes: 200
  • Response Parameters

    Name

    In

    Type

    Description

    proposalsbodyarraya list of defined proposals


  • Response Example

    {
        "proposals": [

            {

                "name":"proposal1",

                "encryption_algorithm": "aes128",

                "hash_algorithm": "sha256",

                "dh_group": "modp3072"

            }

        ]
    }



GET /cgi-bin/luci/sdewan/ipsec/v1/proposal/{proposal}

...

  • Normal response codes: 200
  • Error response code: 404
  • Response Parameters

    Name

    In

    Type

    Description

    namebodystringproposal name
    encryption_algorithmbodystringencryption algorithm
    hash_algorithmbodystringhash algorithm
    dh_groupbodyintstringDiffie-Hellman group


  • Response Example

    {

          "name":"proposal1",

          "encryption_algorithm": "aes128",

          "hash_algorithm": "sha256",

          "dh_group": "modp3072"

    }


POST /cgi-bin/luci/sdewan/ipsec/v1/proposal

...

  • Request Parameters:

    Name

    In

    Type

    Description

    proposalpathstringproposal name
    encryption_algorithmbodystringencryption algorithm
    hash_algorithmbodystringhash algorithm
    dh_groupbodyintstringDiffie-Hellman group


  • Request Example


    {

          "encryption_algorithm": "aes256",

          "hash_algorithm": "sha256",

          "dh_group": "modp4096"

    }


Response

  • Normal response codes: 204
  • Error response codes: 400, 401, 404

...

  • Normal response codes: 200
  • Response Parameters

    Name

    In

    Type

    Description

    sitesbodyarraya list of defined sites


  • Response Example

    {
        "sites": [

            {

                "name": "site1"

                "gateway":"10.10.10.10",

                "crypto_proposal": "proposal1"

                "connections": [

                  {

                    "type": "tunnel"

                    "local_subnet": "192.168.1.1/24"

                    "remote_subnet": "192.168.0.1/24"

                    "crypto_proposal": "proposal1"

                  }

            }

        ]
    }


...