- root@OpenWrt:/tmp# uname -a
- Linux OpenWrt 3.3.8 #1 Sat Mar 23 16:01:31 UTC 2013 mips GNU/Linux
- root@OpenWrt:/tmp# opkg list-installed strongswan\*
- strongswan - 5.0.0-1
- strongswan-charon - 5.0.0-1
- strongswan-default - 5.0.0-1
- strongswan-mod-aes - 5.0.0-1
- strongswan-mod-af-alg - 5.0.0-1
- strongswan-mod-attr - 5.0.0-1
- strongswan-mod-blowfish - 5.0.0-1
- strongswan-mod-constraints - 5.0.0-1
- strongswan-mod-des - 5.0.0-1
- strongswan-mod-dhcp - 5.0.0-1
- strongswan-mod-dnskey - 5.0.0-1
- strongswan-mod-eap-identity - 5.0.0-1
- strongswan-mod-eap-md5 - 5.0.0-1
- strongswan-mod-eap-mschapv2 - 5.0.0-1
- strongswan-mod-farp - 5.0.0-1
- strongswan-mod-fips-prf - 5.0.0-1
- strongswan-mod-gcrypt - 5.0.0-1
- strongswan-mod-gmp - 5.0.0-1
- strongswan-mod-hmac - 5.0.0-1
- strongswan-mod-kernel-netlink - 5.0.0-1
- strongswan-mod-md4 - 5.0.0-1
- strongswan-mod-md5 - 5.0.0-1
- strongswan-mod-nonce - 5.0.0-1
- strongswan-mod-openssl - 5.0.0-1
- strongswan-mod-pem - 5.0.0-1
- strongswan-mod-pgp - 5.0.0-1
- strongswan-mod-pkcs1 - 5.0.0-1
- strongswan-mod-pkcs11 - 5.0.0-1
- strongswan-mod-pkcs8 - 5.0.0-1
- strongswan-mod-pubkey - 5.0.0-1
- strongswan-mod-random - 5.0.0-1
- strongswan-mod-resolve - 5.0.0-1
- strongswan-mod-revocation - 5.0.0-1
- strongswan-mod-sha1 - 5.0.0-1
- strongswan-mod-sha2 - 5.0.0-1
- strongswan-mod-socket-default - 5.0.0-1
- strongswan-mod-stroke - 5.0.0-1
- strongswan-mod-test-vectors - 5.0.0-1
- strongswan-mod-updown - 5.0.0-1
- strongswan-mod-x509 - 5.0.0-1
- strongswan-mod-xauth-eap - 5.0.0-1
- strongswan-mod-xauth-generic - 5.0.0-1
- strongswan-mod-xcbc - 5.0.0-1
- strongswan-utils - 5.0.0-1
- root@OpenWrt:/tmp# ipsec statusall
- Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
- uptime: 107 minutes, since Nov 04 23:22:17 2013
- malloc: sbrk 258048, mmap 0, used 161256, free 96792
- worker threads: 6 of 16 idle, 9/1/0/0 working, job queue: 0/0/0/0, scheduled: 8
- loaded plugins: charon test-vectors pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp
- Virtual IP pools (size/online/offline):
- android: 1/0/1
- iOS: 1/0/1
- Windows: 1/0/1
- Listening IP addresses:
- 10.2.2.2
- 192.168.1.1
- Connections:
- android: %any...%any IKEv2
- android: local: [C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp] uses public key authentication
- android: cert: "C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp"
- android: remote: [C=JP, O=Test Android Phone, CN=Test Android Client Cert] uses public key authentication
- android: cert: "C=JP, O=Test Android Phone, CN=Test Android Client Cert"
- android: crl: status must be GOOD or SKIPPED
- android: remote: [%any] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
- android: child: 0.0.0.0/0 === dynamic TUNNEL
- iOS: %any...%any IKEv1
- iOS: local: [C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp] uses public key authentication
- iOS: cert: "C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp"
- iOS: remote: [C=JP, O=Test iPhone, CN=My iPhone Client Cert] uses public key authentication
- iOS: cert: "C=JP, O=Test iPhone, CN=My iPhone Client Cert"
- iOS: crl: status must be GOOD or SKIPPED
- iOS: remote: [%any] uses XAuth authentication: any
- iOS: child: 0.0.0.0/0 === dynamic TUNNEL
- Windows: %any...%any IKEv2
- Windows: local: [C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp] uses public key authentication
- Windows: cert: "C=JP, O=OpenWRT02_Router, CN=gtx.odwtztk.wjg.jp"
- Windows: remote: [C=JP, O=Test Windows PC, CN=Test Windows Client Cert] uses public key authentication
- Windows: cert: "C=JP, O=Test Windows PC, CN=Test Windows Client Cert"
- Windows: crl: status must be GOOD or SKIPPED
- Windows: child: 0.0.0.0/0 === dynamic TUNNEL
- Security Associations (0 up, 0 connecting):
- none
- root@OpenWrt:/tmp# cat /etc/ipsec.conf
- # ipsec.conf - strongSwan IPsec configuration file
- # basic configuration
- config setup
- # plutodebug=all
- # crlcheckinterval=600
- # strictcrlpolicy=yes
- strictcrlpolicy=ifuri
- # NOTE(review): with ifuri a CRL is only required when the certificate carries a distribution point; this is why statusall above prints "crl: status must be GOOD or SKIPPED" for every conn
- # cachecrls=yes
- # nat_traversal=yes
- # charonstart=no
- # plutostart=no
- ca myca
- cacert=OpenWrt02caCert.pem
- auto=add
- # Add connections here.
- conn %default
- left=%any
- leftsubnet=0.0.0.0/0
- # NOTE(review): 0.0.0.0/0 makes every conn a full tunnel (statusall: "child: 0.0.0.0/0 === dynamic TUNNEL"), so all client traffic is routed through the router
- leftcert=OpenWrtserverCert.pem
- # rightsourceip=%dhcp
- leftfirewall=yes
- leftsourceip=192.168.1.1
- # NOTE(review): the dhcp plugin is loaded but not used for address assignment; each conn below assigns one static rightsourceip instead (pool size 1 in statusall)
- ike=aes256-sha1-modp1024!
- esp=aes256-sha1!
- # NOTE(review): the trailing "!" restricts negotiation to exactly these proposals. modp1024 is a 1024-bit DH group and sha1 a legacy integrity/PRF choice; prefer modp2048 or larger and sha256 (or an AEAD such as aes256gcm16 for esp) once all three clients are confirmed to support them
- compress=yes
- # NOTE(review): enables IPComp, which is only used if the peer also proposes it — confirm client support before relying on it
- conn android
- keyexchange=ikev2
- leftauth=pubkey
- right=%any
- rightsourceip=192.168.1.21
- rightauth=pubkey
- rightauth2=eap-mschapv2
- # NOTE(review): two authentication rounds — client certificate first, then EAP-MSCHAPv2 against the "android : EAP" entry in ipsec.secrets; the second round is only as strong as that password, so keep it long and unique
- rightcert=androidCert.pem
- eap_identity=%any
- # NOTE(review): %any accepts whatever EAP identity the client sends; the secret lookup in ipsec.secrets is keyed on that identity, so presumably the client must send "android" — confirm
- auto=add
- conn iOS
- keyexchange=ikev1
- authby=xauthrsasig
- xauth=server
- # NOTE(review): IKEv1 with RSA signatures plus a server-side XAuth password round; the password comes from the "iPhone : XAUTH" line in ipsec.secrets, which is looked up by XAuth user name, so that selector need not match the conn name
- rightcert=iPhoneCert.pem
- forceencaps=yes
- # NOTE(review): forces UDP encapsulation (NAT-T) even when no NAT is detected
- auto=add
- rightsourceip=192.168.1.22
- conn Windows
- keyexchange=ikev2
- rightsourceip=192.168.1.23
- auto=add
- rightcert=WindowsCert.pem
- # NOTE(review): certificate-only authentication (no rightauth2), unlike the android conn; statusall lists a single remote auth for Windows accordingly
- root@OpenWrt:/tmp# cat /etc/strongswan.conf
- # strongswan.conf - strongSwan configuration file
- charon {
- # number of worker threads in charon
- threads = 16
- # NOTE(review): matches "worker threads: 6 of 16 idle" in the statusall output above
- # send strongswan vendor ID?
- # send_vendor_id = yes
- plugins {
- sql {
- # NOTE(review): the sql plugin is not among the loaded plugins listed by statusall, so this block has no effect on this build
- # loglevel to log into sql database
- loglevel = -1
- # URI to the database
- # database = sqlite:///path/to/file.db
- # database = mysql://user:password@localhost/database
- }
- }
- # ...
- }
- pluto {
- # NOTE(review): empty and unused — strongSwan 5.0 dropped pluto, and statusall shows charon serving the IKEv1 iOS conn as well
- }
- libstrongswan {
- # set to no, the DH exponent size is optimized
- # dh_exponent_ansi_x9_42 = no
- # integrity_test = yes
- crypto_test {
- on_add = yes
- # NOTE(review): runs the test-vectors plugin's self-tests whenever an algorithm is registered; that plugin is loaded (see "loaded plugins" above)
- }
- }
- root@OpenWrt02:/tmp# cat /etc/ipsec.secrets
- # /etc/ipsec.secrets - strongSwan IPsec secrets file
- # NOTE(review): private key matching leftcert OpenWrtserverCert.pem in ipsec.conf; the selector is left empty, so the key is not tied to a specific local identity
- : RSA OpenWrtserverKey.pem
- # NOTE(review): second-round passwords for conn android (EAP-MSCHAPv2) and conn iOS (XAuth). Both values are published in this paste; they look like placeholders, but if they were ever live they should be rotated and replaced with long, distinct per-user secrets
- android : EAP "hogehoge"
- iPhone : XAUTH "hogehoge"