IKE Configuration Interface*. The deprecated **ipsec** command using the legacy
**stroke** configuration interface is described [**here**](README_LEGACY.md).
For more detailed information consult the man pages and
-[**our wiki**](http://wiki.strongswan.org).
+[**our wiki**](https://wiki.strongswan.org).
## Quickstart ##
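Review bot: the switch at `+[**our wiki**](https://wiki.strongswan.org)` is the right fix, since a plain-http link to the project documentation can be rewritten in transit; the other link in this region, `[**here**](README_LEGACY.md)`, is relative and needs no change, but it is worth confirming no further `http://` references remain elsewhere in the README so the document does not mix schemes.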
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
- /etc/swanctl/priv/moonKey.pem
+ /etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
local_ts = 10.1.0.0/16
remote_ts = 10.2.0.0/16
start_action = trap
- }
+ }
}
}
}
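Review bot: the path change `- /etc/swanctl/priv/moonKey.pem` / `+ /etc/swanctl/private/moonKey.pem` is the substantive part of this hunk and should be called out in the commit message, because a reader following the quickstart with the old `priv/` directory would place the key where the documented layout does not look for it; the re-indented closing `}` is whitespace-only and fine as is.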
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/sunCert.pem
- /etc/swanctl/priv/sunKey.pem
+ /etc/swanctl/private/sunKey.pem
/etc/swanctl/swanctl.conf:
local_ts = 10.2.0.0/16
remote_ts = 10.1.0.0/16
start_action = trap
- }
+ }
}
}
}
| 192.168.0.1 | === | 192.168.0.2 |
moon sun
- Configuration on host _moon_:
+Configuration on host _moon_:
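Review bot: dropping the leading space in `+Configuration on host _moon_:` is a whitespace-only change that keeps this caption flush with the other "Configuration on ..." lines in the document; no content is affected.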
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
- /etc/swanctl/priv/moonKey.pem
+ /etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/sunCert.pem
- /etc/swanctl/priv/sunKey.pem
+ /etc/swanctl/private/sunKey.pem
/etc/swanctl/swanctl.conf:
children {
host-host {
start_action = trap
- }
+ }
}
}
}
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
- /etc/swanctl/priv/moonKey.pem
+ /etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/carolCert.pem
- /etc/swanctl/priv/carolKey.pem
+ /etc/swanctl/private/carolKey.pem
/etc/swanctl/swanctl.conf:
- connections {
+ connections {
home {
remote_addrs = moon.strongswan.org
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
- /etc/swanctl/rsa/moonKey.pem
+ /etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
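Review bot: this is the hunk where the old text was inconsistent with itself, using `/etc/swanctl/rsa/moonKey.pem` here while the other examples used `/etc/swanctl/priv/moonKey.pem`; unifying every example on `/etc/swanctl/private/moonKey.pem` removes that inconsistency, and the commit message should mention that all credential-path examples now agree.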
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/carolCert.pem
- /etc/swanctl/priv/carolKey.pem
+ /etc/swanctl/private/carolKey.pem
/etc/swanctl/swanctl.conf:
- connections {
+ connections {
home {
remote_addrs = moon.strongswan.org
vips = 0.0.0.0
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
- /etc/swanctl/priv/moonKey.pem
+ /etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
The `swanctl.conf` file additionally contains a `secrets` section defining all
client credentials
- secrets {
- eap-carol {
- id = carol@strongswan.org
- secret = Ar3etTnp
- }
- eap-dave {
- id = dave@strongswan.org
- secret = W7R0g3do
- }
- }
+ secrets {
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = W7R0g3do
+ }
+ }
Configuration on roadwarrior _carol_:
/etc/swanctl/swanctl.conf:
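Review bot: the `secrets { ... }` block is removed and re-added in full only to change indentation, which hides the fact that nothing inside it changed; comparing the `-` and `+` lines confirms that both `id` values and both `secret` values are byte-identical, so this is whitespace-only, but a whitespace-ignoring diff would have made that easier to verify. While this block is being touched, the introductory sentence ending in `client credentials` is missing its terminating punctuation and could be fixed in the same hunk.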
- connections {
+ connections {
home {
remote_addrs = moon.strongswan.org
}
}
- secrets {
- eap-carol {
- id = carol@strongswan.org
- secret = Ar3etTnp
- }
- }
+ secrets {
+ eap-carol {
+ id = carol@strongswan.org
+ secret = Ar3etTnp
+ }
+ }
### Roadwarrior Case with EAP Identity ###
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
- /etc/swanctl/priv/moonKey.pem
+ /etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
}
}
- secrets {
- eap-carol {
- id = carol
- secret = Ar3etTnp
- }
- eap-dave {
- id = dave
- secret = W7R0g3do
- }
- }
+ secrets {
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+ eap-dave {
+ id = dave
+ secret = W7R0g3do
+ }
+ }
Configuration on roadwarrior _carol_:
/etc/swanctl/swanctl.conf:
- connections {
+ connections {
home {
remote_addrs = moon.strongswan.org
}
}
- secrets {
- eap-carol {
- id = carol
- secret = Ar3etTnp
- }
- }
+ secrets {
+ eap-carol {
+ id = carol
+ secret = Ar3etTnp
+ }
+ }
## Generating Certificates and CRLs ##
pki --req --type priv --in moonKey.pem \
--dn "C=CH, O=strongswan, CN=moon.strongswan.org \
- --san moon.strongswan.org -- outform pem > moonReq.pem
+ --san moon.strongswan.org --outform pem > moonReq.pem
creates a PKCS#10 certificate request that has to be signed by the CA.
Through the [multiple] use of the `--san` parameter any number of desired
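Review bot: correcting `-- outform pem` to `--outform pem` fixes a command that would otherwise fail, but the preceding line `--dn "C=CH, O=strongswan, CN=moon.strongswan.org \` opens a double quote that is never closed, so the example still does not parse in a shell; the quote should be closed before the continuation, as in `--dn "C=CH, O=strongswan, CN=moon.strongswan.org" \`.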