Tools/Strongswan: Difference between revisions

Strongswan can be considered the most powerful IPsec implementation available in Fedora and EPEL.

Features

• IKEv1, IKEv2 (older and current version of Internet Key Exchange)
• MOBIKE (mobility and multihoming extension to IKEv2)
• IPv4, IPv6 (old and new Internet Protocol)
• Road warror setup
• NAT traversal
• NetworkManager plugin
• And much more...

Things Strongswan can do but Openswan cannot

• IKEv2 + road warrior
• IPv6 + road warrior
• Hybrid IPv4/IPv6 tunnels
• Multiple IPv4 on a single device

Openswan gives confusing error messages when using IPv6 addresses. You can even have problems if you want to choose a single IPv4 address on an interface where other IPv4 addresses are set up.

Tested with: openswan-2.6.33-1.fc15.x86_64

Source: [1] (in Czech)

Use cases

The following usecases may be combined or modified. But they show the basic usage of Strongswan. Right now all of them ignore MOBIKE and use PSK for authentication. All use cases use IPv6 addresses to show that both IPv4 and IPv6 are supported.

Strongswan homepage provides lots of more advanced tested examples.

Simple bi-directional transport channel

conn test
    auto=route
    type=transport
    left=2001:db8::a
    right=2001:db8::b
    authby=psk
    mobike=no

Road warrior (server)

conn test
    auto=add
    type=transport
    left=%any
    right=2001:db8::b
    authby=psk
    mobike=no

Road warrior (client)

conn test
    auto=add
    type=transport
    left=%defaultroute
    leftid=@alpha.example.net
    right=2001:db8::b
    authby=psk
    mobike=no

Tunnel mode

conn test
    auto=route
    type=tunnel
    left=2001:db8::a
    leftsubnet=2001:db8:a:a::/64
    right=2001:db8::b
    leftsubnet=2001:db8:b:b::/64
    authby=psk
    mobike=no

Alternatives

• Tools/Racoon – obsolete but described in http://www.ipsec-howto.org/
• Tools/Racoon2 – similar in features, rather complicated configuration
• Tools/Openswan – similar in configuration, but rather broken