Router configuration
Cisco IOS XE Software, Version 17.03.04a
cisco CSR1000V (VXE) processor (revision VXE) with 2071829K/3075K bytes of memory.
Processor board ID 9WL1PRT9H0W
Router operating mode: Autonomous
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3978432K bytes of physical memory.
6188032K bytes of virtual hard disk at bootflash:.
crypto ikev2 keyring CRYPTO-IKEv2-KEYRING-01
peer <freebsd-name>
address <freebsd-ip>
identity fqdn <freebsd-name>
pre-shared-key <psk>
crypto ikev2 profile CRYPTO-IKEv2-PROFILE-02
match identity remote address <freebsd-ip> 255.255.255.255
match identity remote fqdn <freebsd-name>
identity local fqdn <router-name>
authentication remote pre-share
authentication local pre-share
keyring local CRYPTO-IKEv2-KEYRING-01
crypto ipsec transform-set CRYPTO-IPSEC-TS-01-TUN esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile CRYPTO-IPSEC-PROFILE-02
set transform-set CRYPTO-IPSEC-TS-01-TUN
crypto ikev2 nat keepalive 30
crypto ikev2 dpd 10 2 periodic
interface Tunnel0
ip address <tunnel-net>.1 255.255.255.252
ip mtu 1400
tunnel source <router-IP>
tunnel mode ipsec ipv4
tunnel destination <freebsd-ip>
tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE-02 ikev2-profile CRYPTO-IKEv2-PROFILE-02
FreeBSD/strongSwan configuration
# /etc/rc.conf
ifconfig_vtnet0="inet <freebsd-ip>/<freebsd-mask>"
defaultrouter="<freebsd-gateway>"
strongswan_enable="YES"
# /usr/local/etc/strongswan.conf
charon {
install_routes = no
}
# /usr/local/etc/strongswan.d/ike-updown
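# Child-SA updown hook for the route-based (VTI) tunnel to the router.
# charon invokes this with the event in PLUTO_VERB and the SA details in the
# other PLUTO_* variables. On "up-client" for the "<router-name>-vti-tunnel"
# child it creates the FreeBSD if_ipsec(4) interface ipsec0, binds it to the
# SA's reqid, sets the outer tunnel endpoints and the inner /30 address; on
# "down-client" it brings the interface down.
# VPN_LOGGING, TAG and FAC_PRIO are read here but not defined in this
# fragment; presumably they are set earlier in the script (not shown).
case "$PLUTO_VERB:$1" in
up-client:)
  if [ "${PLUTO_CONNECTION}" = "<router-name>-vti-tunnel" ]
  then
    if_name=ipsec0
    # The interface may already exist from a previous SA; a failed "create"
    # is expected in that case and deliberately ignored.
    ifconfig "$if_name" create >/dev/null 2>&1
    # Binding the reqid is what ties the child SA to the VTI; if any of the
    # following steps fail the tunnel carries no traffic, so report the
    # failure instead of silently returning success.
    ifconfig "$if_name" reqid "${PLUTO_REQID}" || exit 1
    ifconfig "$if_name" inet tunnel "${PLUTO_ME}" "${PLUTO_PEER}" || exit 1
    ifconfig "$if_name" inet <tunnel-net>.2/30 <tunnel-net>.1 || exit 1
  fi
  if [ -n "$VPN_LOGGING" ]
  then
    # "--" keeps logger from reading a message that starts with "-" as options.
    logger -t "$TAG" -p "$FAC_PRIO" -- \
      "+++ ${PLUTO_CONNECTION} - ${PLUTO_REQID} - ${PLUTO_ME} (${PLUTO_MY_ID}) -- ${PLUTO_PEER} (${PLUTO_PEER_ID})"
  fi
  ;;
down-client:)
  if [ "${PLUTO_CONNECTION}" = "<router-name>-vti-tunnel" ]
  then
    if_name=ipsec0
    # Interface may already be gone; ignore errors on teardown.
    ifconfig "$if_name" down >/dev/null 2>&1
  fi
  if [ -n "$VPN_LOGGING" ]
  then
    logger -t "$TAG" -p "$FAC_PRIO" -- \
      "--- ${PLUTO_CONNECTION} - ${PLUTO_REQID} - ${PLUTO_ME} (${PLUTO_MY_ID}) -- ${PLUTO_PEER} (${PLUTO_PEER_ID})"
  fi
  ;;
esac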
# /usr/local/etc/swanctl/conf.d/router-vti.conf
connections {
<router-name>-vti {
keyingtries=0
rekey_time=1h
version=2
remote_addrs=%any
local_addrs=<freebsd-ip>
children {
<router-name>-vti-tunnel {
mode=tunnel
policies=no
life_time=3600s
start_action=none
local_ts=%any
remote_ts=%any
updown = /usr/local/etc/strongswan.d/ike-updown
# reqid=100
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
}
}
local {
auth = psk
id = "<freebsd-name>"
}
remote {
auth = psk
id = "<router-name>"
}
}
}
secrets {
ike-<router-name> {
id-fqdn-<router-name> = "<router-name>"
secret = "<psk>"
}
}