IPsec – FreeBSD (StrongSwan) – Cisco IOS-XE – VTI & IKEv2/PSK

Router configuration

Cisco IOS XE Software, Version 17.03.04a
cisco CSR1000V (VXE) processor (revision VXE) with 2071829K/3075K bytes of memory.
Processor board ID 9WL1PRT9H0W
Router operating mode: Autonomous
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3978432K bytes of physical memory.
6188032K bytes of virtual hard disk at bootflash:.
! IKEv2 keyring: holds the pre-shared key for the FreeBSD peer. The peer
! entry is selected by the peer's address and by its FQDN identity.
crypto ikev2 keyring CRYPTO-IKEv2-KEYRING-01
 peer <freebsd-name>
  address <freebsd-ip>
  identity fqdn <freebsd-name>
! NOTE(review): the PSK is part of the configuration; confirm it is stored
! with type-6 key encryption before the config is backed up or shared.
  pre-shared-key <psk>
! IKEv2 profile: the remote peer must match both by /32 address and by FQDN
! identity; the router presents its own FQDN as identity. Authentication is
! PSK in both directions, using the keyring above.
! NOTE(review): no "crypto ikev2 proposal"/"policy" appears in this listing,
! so the IKE SA is negotiated with the platform default proposal. The
! StrongSwan side below also sets no proposals - confirm the defaults of both
! peers intersect on acceptable algorithms.
crypto ikev2 profile CRYPTO-IKEv2-PROFILE-02
 match identity remote address <freebsd-ip> 255.255.255.255
 match identity remote fqdn <freebsd-name>
 identity local fqdn <router-name>
 authentication remote pre-share
 authentication local pre-share
 keyring local CRYPTO-IKEv2-KEYRING-01
! IPsec (child SA) algorithms: ESP with AES-256 and HMAC-SHA-256, tunnel mode.
crypto ipsec transform-set CRYPTO-IPSEC-TS-01-TUN esp-aes 256 esp-sha256-hmac
 mode tunnel
! IPsec profile bound to the VTI below; it only references the transform set.
crypto ipsec profile CRYPTO-IPSEC-PROFILE-02
 set transform-set CRYPTO-IPSEC-TS-01-TUN
! NAT-T keepalives every 30 s; periodic dead-peer detection every 10 s with a
! 2 s retry interval, so a dead FreeBSD peer is noticed without user traffic.
crypto ikev2 nat keepalive 30
crypto ikev2 dpd 10 2 periodic
! Route-based VTI: the router takes .1 of the /30 transfer net, the FreeBSD
! ipsec0 interface takes .2. MTU 1400 leaves headroom for ESP/outer-IP
! overhead. "tunnel protection" ties the IPsec and IKEv2 profiles to the
! interface, so anything routed into Tunnel0 is sent through the SA.
interface Tunnel0
 ip address <tunnel-net>.1 255.255.255.252
 ip mtu 1400
 tunnel source <router-IP>
 tunnel mode ipsec ipv4
 tunnel destination <freebsd-ip>
 tunnel protection ipsec profile CRYPTO-IPSEC-PROFILE-02 ikev2-profile CRYPTO-IKEv2-PROFILE-02

FreeBSD/StrongSwan configuration

# /etc/rc.conf
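# Address of the interface facing the router. The placeholder is the same
# <freebsd-ip> used in the Cisco keyring and as local_addrs in swanctl below
# (the original listing spelled it "<freenbsd-ip>").
ifconfig_vtnet0="inet <freebsd-ip>/<freebsd-mask>"
defaultrouter="<freebsd-gateway>"
# Start the strongswan rc.d service at boot.
strongswan_enable="YES"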
# /usr/local/etc/strongswan.conf
# Keep charon from installing kernel routes for the child SA. Routing is
# presumably left to the ipsec0 VTI that the updown hook configures
# (the swanctl connection also disables policies) - confirm when deploying.
charon {
        install_routes = no
}
# /usr/local/etc/strongswan.d/ike-updown
# Excerpt of the strongSwan updown hook: only the up-client / down-client
# branches are shown and the closing `esac` is not part of this listing, so
# this is not a complete script on its own. $1, $VPN_LOGGING, $TAG and
# $FAC_PRIO are never set here - presumably they come from the stock
# _updown script this is derived from; verify before use.
case "$PLUTO_VERB:$1" in
up-client:)
        # Only the VTI child of this page's connection gets an interface.
        # NOTE(review): ${PLUTO_CONNECTION} is unquoted inside [ ]; quote it
        # so an unset value does not turn the test into a syntax error.
        if [ ${PLUTO_CONNECTION} = "<router-name>-vti-tunnel" ]
        then
                if_name=ipsec0
                # Errors are discarded on purpose: the interface may already
                # exist from an earlier up event.
                ifconfig $if_name create >/dev/null 2>&1
                # Bind the if_ipsec(4) interface to this child SA's reqid so
                # traffic entering ipsec0 is handled by the SA with that reqid.
                ifconfig $if_name reqid ${PLUTO_REQID}
                ifconfig $if_name inet tunnel ${PLUTO_ME} ${PLUTO_PEER}
                # FreeBSD takes .2 of the /30 transfer net; the router is .1.
                ifconfig $if_name inet <tunnel-net>.2/30 <tunnel-net>.1
        fi
        # NOTE(review): `[ $VPN_LOGGING ]` is unquoted; use "$VPN_LOGGING"
        # so a value containing spaces cannot break the test.
        if [ $VPN_LOGGING ]
        then
                logger -t $TAG -p $FAC_PRIO \
                        "+++ ${PLUTO_CONNECTION} - ${PLUTO_REQID} - ${PLUTO_ME} (${PLUTO_MY_ID}) -- ${PLUTO_PEER} (${PLUTO_PEER_ID})"
        fi
        ;;
down-client:)
        if [ ${PLUTO_CONNECTION} = "<router-name>-vti-tunnel" ]
        then
                if_name=ipsec0
                # The interface is only brought down, not destroyed; the next
                # up-client re-uses it (see the discarded "create" error above).
                ifconfig $if_name down >/dev/null 2>&1
        fi
        if [ $VPN_LOGGING ]
        then
                logger -t $TAG -p $FAC_PRIO -- \
                        "--- ${PLUTO_CONNECTION} - ${PLUTO_REQID} - ${PLUTO_ME} (${PLUTO_MY_ID}) -- ${PLUTO_PEER} (${PLUTO_PEER_ID})"
        fi
        ;;
# /usr/local/etc/swanctl/conf.d/router-vti.conf
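# IKEv2 connection towards the Cisco router. The router is accepted from any
# address (remote_addrs=%any), so the peer is identified only by its IKE
# identity and the PSK; start_action=none means the router must initiate.
connections {
        <router-name>-vti {
                keyingtries=0
                rekey_time=1h
                version=2
                remote_addrs=%any
                local_addrs=<freebsd-ip>
                children {
                        <router-name>-vti-tunnel {
                                mode=tunnel
                                # No SPD policies are installed: traffic is only
                                # protected when it is routed into the ipsec0
                                # interface the updown hook binds to this SA's
                                # reqid. Anything routed elsewhere leaves in clear.
                                policies=no
                                life_time=3600s
                                start_action=none
                                local_ts=%any
                                remote_ts=%any
                                updown = /usr/local/etc/strongswan.d/ike-updown
                                # A fixed reqid is not needed: the hook reads the
                                # negotiated PLUTO_REQID.
#                               reqid=100
                                # NOTE(review): local_ts/remote_ts are set twice
                                # in this child (%any above, 0.0.0.0/0 here).
                                # Keep one pair - confirm which value the
                                # settings parser retains.
                                local_ts  = 0.0.0.0/0
                                remote_ts = 0.0.0.0/0
                        }

                }
                local {
                        auth = psk
                        id = "<freebsd-name>"
                }
                # Remote identity: must equal the router's "identity local fqdn"
                # (the original listing had the typo "<router-mame>" here, which
                # would never match the router's identity).
                remote {
                        auth = psk
                        id = "<router-name>"
                }
        }
}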

# IKE pre-shared key, selected by the router's FQDN identity; it has to match
# the router's "identity local fqdn" and the remote id of the connection above,
# and the same <psk> is configured in the Cisco keyring.
secrets {
        ike-<router-name> {
                id-fqdn-<router-name> = "<router-name>"
                # NOTE(review): the PSK is stored in plaintext here - keep this
                # file readable by root only.
                secret = "<psk>"
        }
}