From: swill
To: dev@cloudstack.apache.org
Reply-To: dev@cloudstack.apache.org
Subject: [GitHub] cloudstack issue #872: Strongswan vpn feature
Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm
Message-Id: <20161007192739.A56BDDFF5A@git1-us-west.apache.org>
Date: Fri, 7 Oct 2016 19:27:39 +0000 (UTC)

Github user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872

At @serg38's request, here are the current configs...
```
# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
```

```
# cat /etc/strongswan.d/charon/*.conf
addrblock {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

aes {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

af-alg {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {
    # is an attribute name or an integer, values can be an IP address,
    # subnet or arbitrary value.
    # =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

ccm {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

certexpire {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    csv {
        # Cron style string specifying CSV export times.
        # cron =

        # String to use in empty intermediate CA fields.
        # empty_string =

        # Use a fixed intermediate CA field count.
        # fixed_fields = yes

        # Force export of all trustchains we have a private key for.
        # force = yes

        # strftime(3) format string to export expiration dates as.
        # format = %d:%m:%Y

        # strftime(3) format string for the CSV file name to export local
        # certificates to.
        # local =

        # strftime(3) format string for the CSV file name to export remote
        # certificates to.
        # remote =

        # CSV field separator.
        # separator = ,
    }
}

cmac {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

constraints {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

ctr {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

curl {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

dhcp {
    # Always use the configured server address.
    # force_server_address = no

    # Derive user-defined MAC address from hash of IKE identity.
    # identity_lease = no

    # Interface name the plugin uses for address allocation.
    # interface =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # DHCP server unicast or broadcast IP address.
    # server = 255.255.255.255
}

dnskey {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

eap-aka {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # request_identity = yes
}

eap-gtc {
    # XAuth backend to be used for credential verification.
    # backend = pam

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

eap-identity {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

eap-md5 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

eap-mschapv2 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

eap-radius {
    # Send RADIUS accounting information to RADIUS servers.
    # accounting = no

    # Close the IKE_SA if there is a timeout during interim RADIUS accounting
    # updates.
    # accounting_close_on_timeout = yes

    # Interval for interim RADIUS accounting updates, if not specified by the
    # RADIUS server in the Access-Accept message.
    # accounting_interval = 0

    # If enabled, accounting is disabled unless an IKE_SA has at least one
    # virtual IP.
    # accounting_requires_vip = no

    # Use class attributes in Access-Accept messages as group membership
    # information.
    # class_group = no

    # Closes all IKE_SAs if communication with the RADIUS server times out. If
    # it is not set only the current IKE_SA is closed.
    # close_all_on_timeout = no

    # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
    # eap_start = no

    # Use filter_id attribute as group membership information.
    # filter_id = no

    # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
    # EAP method.
    # id_prefix =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # NAS-Identifier to include in RADIUS messages.
    # nas_identifier = strongSwan

    # Port of RADIUS server (authentication).
    # port = 1812

    # Shared secret between RADIUS and NAS. If set, make sure to adjust the
    # permissions of the config file accordingly.
    # secret =

    # IP/Hostname of RADIUS server.
    # server =

    # Number of sockets (ports) to use, increase for high load.
    # sockets = 1

    dae {
        # Enables support for the Dynamic Authorization Extension (RFC 5176).
        # enable = no

        # Address to listen for DAE messages from the RADIUS server.
        # listen = 0.0.0.0

        # Port to listen for DAE requests.
        # port = 3799

        # Shared secret used to verify/sign DAE messages. If set, make sure to
        # adjust the permissions of the config file accordingly.
        # secret =
    }

    forward {
        # RADIUS attributes to be forwarded from IKEv2 to RADIUS.
        # ike_to_radius =

        # Same as ike_to_radius but from RADIUS to IKEv2.
        # radius_to_ike =
    }

    # Section to specify multiple RADIUS servers.
    servers {
    }

    # Section to configure multiple XAuth authentication rounds via RADIUS.
    xauth {
    }
}

eap-tls {
    # Maximum size of an EAP-TLS packet.
    # fragment_size = 1024

    # Include length in non-fragmented EAP-TLS packets.
    # include_length = yes

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Maximum number of processed EAP-TLS packets (0 = no limit).
    # max_message_count = 32
}

eap-tnc {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Maximum number of processed EAP-TNC packets (0 = no limit).
    # max_message_count = 10

    # IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
    # tnccs-dynamic).
    # protocol = tnccs-2.0
}

eap-ttls {
    # Maximum size of an EAP-TTLS packet.
    # fragment_size = 1024

    # Include length in non-fragmented EAP-TTLS packets.
    # include_length = yes

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Maximum number of processed EAP-TTLS packets (0 = no limit).
    # max_message_count = 32

    # Phase2 EAP client authentication method.
    # phase2_method = md5

    # Phase2 EAP Identity request piggybacked by server onto TLS Finished
    # message.
    # phase2_piggyback = no

    # Start phase2 EAP TNC protocol after successful client authentication.
    # phase2_tnc = no

    # Phase2 EAP TNC transport protocol (pt as IETF standard or legacy tnc)
    # phase2_tnc_method = pt

    # Request peer authentication based on a client certificate.
    # request_peer_auth = no
}

error-notify {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Socket provided by the error-notify plugin.
    # socket = unix://${piddir}/charon.enfy
}

farp {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

fips-prf {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

gcrypt {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Use faster random numbers in gcrypt; for testing only, produces weak keys!
    # quick_random = no
}

gmp {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

ha {
    # Interval in seconds to automatically balance handled segments between
    # nodes. Set to 0 to disable.
    # autobalance = 0

    # fifo_interface = yes

    # heartbeat_delay = 1000

    # heartbeat_timeout = 2100

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # local =

    # monitor = yes

    # pools =

    # remote =

    # resync = yes

    # secret =

    # segment_count = 1
}

hmac {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

kernel-netlink {
    # Firewall mark to set on the routing rule that directs traffic to our
    # routing table.
    # fwmark =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # MSS to set on installed routes, 0 to disable.
    # mss = 0

    # MTU to set on installed routes, 0 to disable.
    # mtu = 0

    # Whether to trigger roam events when interfaces, addresses or routes
    # change.
    # roam_events = yes

    # Whether to set protocol and ports in the selector installed on transport
    # mode IPsec SAs in the kernel.
    # set_proto_port_transport_sa = no

    # Lifetime of XFRM acquire state in kernel.
    # xfrm_acq_expires = 165
}

ldap {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

led {
    # activity_led =

    # blink_time = 50

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

lookip {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Socket provided by the lookip plugin.
    # socket = unix://${piddir}/charon.lkp
}

md5 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

medcli {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

medsrv {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

nonce {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

pem {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

pgp {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

pkcs11 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Whether to load certificates from tokens.
    # load_certs = yes

    # Reload certificates from all tokens if charon receives a SIGHUP.
    # reload_certs = no

    # Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc
    # option).
    # use_dh = no

    # Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
    # operations. ECDSA private keys can be used regardless of this option.
    # use_ecc = no

    # Whether the PKCS#11 modules should be used to hash data.
    # use_hasher = no

    # Whether the PKCS#11 modules should be used for public key operations, even
    # for keys not stored on tokens.
    # use_pubkey = no

    # Whether the PKCS#11 modules should be used as RNG.
    # use_rng = no

    # List of available PKCS#11 modules.
    modules {
    }
}

pkcs12 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

pkcs1 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

pkcs7 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

pkcs8 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

pubkey {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

random {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # File to read random bytes from.
    # random = ${random_device}

    # If set to yes the RNG_STRONG class reads random bytes from the same source
    # as the RNG_TRUE class.
    # strong_equals_true = no

    # File to read pseudo random bytes from.
    # urandom = ${urandom_device}
}

rc2 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

rdrand {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

resolve {
    # File where to add DNS server entries.
    # file = /etc/resolv.conf

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    resolvconf {
        # Prefix used for interface names sent to resolvconf(8).
        # iface_prefix = lo.inet.ipsec.
    }
}

revocation {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

sha1 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

sha2 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

socket-default {
    # Firewall mark to set on outbound packets.
    # fwmark =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Set source address on outbound packets, if possible.
    # set_source = yes

    # Listen on IPv4, if possible.
    # use_ipv4 = yes

    # Listen on IPv6, if possible.
    # use_ipv6 = yes
}

sshkey {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

stroke {
    # Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
    # certificates even if they don't contain a CA basic constraint.
    # ignore_missing_ca_basic_constraint = no

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Maximum number of stroke messages handled concurrently.
    # max_concurrent = 4

    # If enabled log level changes via stroke socket are not allowed.
    # prevent_loglevel_changes = no

    # Location of the ipsec.secrets file
    # secrets_file = ${sysconfdir}/ipsec.secrets

    # Socket provided by the stroke plugin.
    # socket = unix://${piddir}/charon.ctl

    # Timeout in ms for any stroke command. Use 0 to disable the timeout.
    # timeout = 0
}

test-vectors {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

tnc-tnccs {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

unity {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

updown {
    # Whether the updown script should handle assigned DNS servers (if enabled
    # they can't be handled by other plugins, like resolve).
    # dns_handler = no

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

x509 {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

xauth-eap {
    # EAP plugin to be used as backend for XAuth credential verification.
    # backend = radius

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

xauth-generic {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

xauth-pam {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # PAM service to be used for authentication.
    # pam_service = login

    # Open/close a PAM session for each active IKE_SA.
    # session = no

    # If an email address is received as an XAuth username, trim it to just the
    # username part.
    # trim_email = yes
}

xcbc {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}
```

```
# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

include /etc/ipsec.d/*.conf
```

```
# cat /etc/ipsec.d/*.conf
#ipsec remote access vpn configuration
conn L2TP-PSK
    authby=psk
    pfs=no
    type=transport
    ikelifetime=60m
    keylife=20m
    rekey=no
    keyingtries=3
    keyexchange=ikev1
    forceencaps=yes
    leftfirewall=yes
    leftnexthop=%defaultroute
    #
    # ----------------------------------------------------------
    # The VPN server.
    #
    # Allow incoming connections on the external network interface.
    # If you want to use a different interface or if there is no
    # defaultroute, you can use: left=your.ip.addr.ess
    # left=74.121.ff.gg
    # leftprotoport=17/1701
    # If you insist on supporting non-updated Windows clients,
    # you can use: leftprotoport=17/%any
    #
    # ----------------------------------------------------------
    # The remote user(s).
    #
    # Allow incoming connections only from this IP address.
    right=%any
    # If you want to allow multiple connections from any IP address,
    # you can use: right=%any
    # rightprotoport=17/%any
    #
    # ----------------------------------------------------------
    # Change 'ignore' to 'add' to enable this configuration.
    # rightsubnetwithin=0.0.0.0/0
    auto=add
```

---
If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastructure@apache.org or file a JIRA ticket with INFRA.
---
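An added review helper, not part of the pull request, CloudStack or strongSwan: it parses the two config syntaxes pasted in the comment above (strongswan.conf nested sections and ipsec.conf `config setup`/`conn` blocks) and reports the settings a reviewer of this VPN feature would look at first: the `plutostart`, `charonstart` and `nat_traversal` keywords that charon in strongSwan 5.x no longer honours, `keyexchange=ikev1`, `pfs=no`, PSK authentication, `gcrypt.quick_random`, a RADIUS secret stored in the config file, and plugins such as `test-vectors` left at `load = yes`. The two sample configs inside it are constructed, abbreviated from the posted ones; `quick_random = yes` and the `eap-radius` secret are set deliberately so those checks fire, since the posted config leaves both commented out.

```python
# Constructed sample modelled on the 'config setup' and conn posted in the thread.
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=yes
conn L2TP-PSK
    authby=psk
    pfs=no
    keyexchange=ikev1
"""

# Constructed sample in strongswan.conf syntax; quick_random and the RADIUS secret are
# set on purpose so the checks fire (the thread's config leaves both commented out).
SAMPLE_STRONGSWAN_CONF = """\
charon {
    plugins {
        gcrypt {
            load = yes
            quick_random = yes   # weak keys, per the plugin's own comment
        }
        eap-radius {
            load = yes
            secret = example-shared-secret
        }
        test-vectors {
            load = yes
        }
    }
}
"""

def parse_strongswan_conf(text):
    """strongswan.conf syntax: nested `name { key = value }` sections, '#' comments."""
    cur = root = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                      # open a nested section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                           # close the innermost section
            cur = stack.pop()
        elif line.startswith("include "):           # includes are not followed here
            continue
        else:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return root

def parse_ipsec_conf(text):
    """ipsec.conf syntax: 'config setup' / 'conn NAME' at column 0, indented key=value."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                   # 'config setup', 'conn NAME' or include
            kind, _, name = line.partition(" ")
            cur = None if kind == "include" else sections.setdefault(f"{kind} {name}", {})
        elif cur is not None:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return sections

# 'config setup' keywords charon in strongSwan 5.x no longer honours (pluto was removed in 5.0).
OBSOLETE_SETUP_KEYS = ("plutostart", "charonstart", "nat_traversal")

def audit_ipsec(sections):
    """Findings for parsed ipsec.conf sections, as plain strings."""
    setup = sections.get("config setup", {})
    findings = [f"setup: {k} is obsolete in strongSwan 5.x and ignored" for k in OBSOLETE_SETUP_KEYS if k in setup]
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        label = name[5:]
        if conn.get("keyexchange") == "ikev1":
            findings.append(f"{label}: keyexchange=ikev1, legacy IKEv1 (prefer ikev2 where clients allow)")
        if conn.get("pfs", "yes") == "no":
            findings.append(f"{label}: pfs=no, no perfect forward secrecy for IPsec SA rekeys")
        if conn.get("authby", "pubkey") == "psk":
            findings.append(f"{label}: authby=psk, the pre-shared key must be long and random")
    return findings

def audit_strongswan(tree):
    """Findings for a parsed strongswan.conf tree with the plugin stanzas merged in."""
    plugins = tree.get("charon", {}).get("plugins", {})
    loaded = {n for n, s in plugins.items() if isinstance(s, dict) and s.get("load", "no") != "no"}
    findings = []
    if plugins.get("gcrypt", {}).get("quick_random", "no") == "yes":
        findings.append("gcrypt.quick_random=yes: weak random numbers, testing only")
    if plugins.get("eap-radius", {}).get("secret"):
        findings.append("eap-radius.secret is set in the config file: restrict its permissions")
    for name in sorted(loaded & {"test-vectors", "ha", "led", "medcli", "medsrv"}):
        findings.append(f"plugin {name} loaded: set load = no unless it is actually used")
    return findings
```

To run it against a real gateway, feed `audit_ipsec(parse_ipsec_conf(...))` and `audit_strongswan(parse_strongswan_conf(...))` the file contents; neither parser follows `include` lines, so concatenate the included files first, which is exactly what the `cat /etc/strongswan.d/charon/*.conf` and `cat /etc/ipsec.d/*.conf` commands in the comment do.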