IPsec

2,841 bytes added, 19:28, 5 October 2014
Add strongSwan roadwarrior instructions
and on '''laptop.example.org''' restart openswan (generally under the rc script name ipsec) in whatever manner prescribed by your favorite distro.
 
===Linux with strongSwan (laptop) to OpenBSD (router)===
Tested on [[OpenBSD]] 5.5 and [[Arch Linux]] (updated on 2014-10-05).
 
Assume your router has the hostname home.example.org and you want to route the IPv6 subnet 2001:db8:1::/64 from your laptop, laptop.example.org. Note that DNS entries are not required for either of these. We will be using IKEv1 for key exchange, as IKEv2 support on OpenBSD was not complete at the time of writing.
 
* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your '''/etc/rc.conf''':
<pre>isakmpd_flags="-K"
ipsec=YES</pre>
 
* Configure '''/etc/ipsec.conf''' on '''home.example.org''':
<pre>ike passive esp from 2001:db8:1::/64 to any \
peer any \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
quick auth hmac-sha2-256 enc aes-256 group modp2048 \
srcid home.example.org tag ipsec-vpn1</pre>
 
* Generate a new host key on '''laptop.example.org''':
<pre>sudo openssl genrsa -out /etc/ipsec.d/private/laptop.example.org.pem 4096</pre>
 
* Reference the private key you just generated in '''/etc/ipsec.secrets''' on '''laptop.example.org''' (a relative path is resolved under /etc/ipsec.d/private/):
<pre>: RSA laptop.example.org.pem</pre>
 
* Extract the corresponding public key for your private key:
<pre>sudo openssl rsa -in /etc/ipsec.d/private/laptop.example.org.pem -pubout -out /etc/ipsec.d/certs/laptop.example.org.pem</pre>
 
* Configure '''/etc/ipsec.conf''' on '''laptop.example.org''':
<pre>config setup

conn home
	keyexchange=ikev1
	authby=pubkey
	connaddrfamily=ipv6
	type=tunnel
	ike=aes256-sha256-modp2048
	esp=aes256-sha256-modp2048
	left=%defaultroute
	leftid=@laptop.example.org
	leftsubnet=fdf0:f00::1/128
	leftrsasigkey=laptop.example.org.pem
	# if you don't have home.example.org in DNS or don't want strongswan to do a DNS lookup when it starts, hardcode the right IP
	right=home.example.org
	rightid=@home.example.org
	rightsubnet=2001:db8:1::/64
	rightrsasigkey=home.example.org.pem
	auto=add</pre>
Note that leftsubnet should correspond to the IPv6 source address you want to use. You will need to manually configure this address on your interface, and add a route for traffic to rightsubnet, if one does not exist already.
 
* Copy the public key you extracted, /etc/ipsec.d/certs/laptop.example.org.pem, from '''laptop.example.org''' and place it at /etc/isakmpd/pubkeys/fqdn/laptop.example.org on '''home.example.org'''. isakmpd looks the peer's public key up by the FQDN id the peer presents (the leftid above), so the file name must match that id exactly.
 
* Download the /etc/isakmpd/local.pub file from '''home.example.org''' and place it at /etc/ipsec.d/certs/home.example.org.pem on '''laptop.example.org''' (this is the file rightrsasigkey above refers to).
 
* After you make the necessary changes, starting IPsec is simply a matter of running the following commands on '''home.example.org''':
<pre>sudo /etc/rc.d/isakmpd start
sudo ipsecctl -f /etc/ipsec.conf</pre>
 
and on '''laptop.example.org''', restart strongswan:
<pre>sudo systemctl restart strongswan.service</pre>
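As an added example (not part of the original wiki page or of strongSwan/OpenBSD), the following Python script cross-checks the two configuration fragments above for the mismatches that make an IKEv1 negotiation fail silently or leave the peer key unfound: phase 1/2 proposals, the protected subnet, the router id, and the pubkeys/fqdn path the laptop's key must have on the router. The embedded config strings are constructed copies of the page's fragments; the token tables only cover the ciphers the page uses.

```python
import re
# Constructed copies of the two fragments from this page (laptop and router).
STRONGSWAN_CONF = """
conn home
keyexchange=ikev1
ike=aes256-sha256-modp2048
esp=aes256-sha256-modp2048
leftid=@laptop.example.org
leftsubnet=fdf0:f00::1/128
leftrsasigkey=laptop.example.org.pem
rightid=@home.example.org
rightsubnet=2001:db8:1::/64
rightrsasigkey=home.example.org.pem
"""
OPENBSD_CONF = ("ike passive esp from 2001:db8:1::/64 to any peer any "
                "main auth hmac-sha2-256 enc aes-256 group modp2048 "
                "quick auth hmac-sha2-256 enc aes-256 group modp2048 "
                "srcid home.example.org tag ipsec-vpn1")
# strongSwan proposal tokens and the isakmpd keywords they must agree with.
ENC = {"aes256": "aes-256", "aes128": "aes-128"}
AUTH = {"sha256": "hmac-sha2-256", "sha1": "hmac-sha1"}

def parse_strongswan(text):
    """Return the key=value settings of the conn block as a dict."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))

def parse_openbsd(text):
    """Pull the protected subnet, srcid and main/quick proposals out of an ike rule."""
    m = re.search(r"from (\S+) to.*?srcid (\S+)", text, re.S)
    props = re.findall(r"(main|quick) auth (\S+) enc (\S+) group (\S+)", text)
    return {"from": m.group(1), "srcid": m.group(2),
            "proposals": {p: (a, e, g) for p, a, e, g in props}}

def router_pubkey_path(sw):
    """Where the laptop's public key must live on the router: isakmpd looks it up by the peer's FQDN id."""
    return "/etc/isakmpd/pubkeys/fqdn/" + sw["leftid"].lstrip("@")

def check(sw, bsd):
    """Return human-readable mismatches between the two sides (empty list = consistent)."""
    problems = []
    if sw.get("keyexchange") != "ikev1":
        problems.append("isakmpd speaks IKEv1; set keyexchange=ikev1")
    # ike= is IKE phase 1 (isakmpd 'main'), esp= is phase 2 (isakmpd 'quick').
    for key, phase in (("ike", "main"), ("esp", "quick")):
        enc, auth, grp = sw[key].split("-")
        if bsd["proposals"].get(phase) != (AUTH[auth], ENC[enc], grp):
            problems.append(f"{key}= proposal differs from router's {phase} proposal")
    if sw["rightsubnet"] != bsd["from"]:
        problems.append("rightsubnet does not match the router's 'from' subnet")
    if sw["rightid"].lstrip("@") != bsd["srcid"]:
        problems.append("rightid does not match the router's srcid")
    return problems
```

Running check() on the two fragments as written returns no problems; changing either side's cipher, group or subnet produces a message naming the disagreeing setting before you spend time reading isakmpd or charon logs.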
== External links ==