Freebsd – Why use strongswan rather than native vpn support

freebsdipsecstrongswan

As far as I understand, FreeBSD comes with the native ability to make vpn connections.

Ist strongswan a package, that comes on top of the freebsd ipsec stack or is it a replacement?

Best Answer

FreeBSD's network stack supports IPsec, but that's just the lower layer of IPsec-based VPN connections.

If you don't want to configure security associations (SAs) manually (with encryption/authentication keys you need to place securely on both ends and have to replace regularly) you'll want to use a keying daemon that implements the Internet Key Exchange (IKE) protocol to automate this. strongSwan implements both versions of that protocol and allows setting up and replacing SAs automatically, the hosts are thereby authenticated securely (e.g. using X.509 certificates) and keys are dynamically generated using e.g. the Diffie-Hellman key exchange.

strongSwan operates as a userland daemon that communicates with the FreeBSD kernel using the PF_KEYv2 protocol in order to configure the negotiated IPsec SAs and policies (which define which traffic is secured by which SA) in the network stack.

racoon is an alternative keying daemon, but it only implements the IKEv1 protocol and it's not actively developed anymore (unless you consider its forks in e.g. iOS/OS X and Android). The ipsec-tools package that provides racoon also comes with setkey, which may be used for manual keying but also allows querying the kernel state. So this utility might be useful even when using other keying daemons like strongSwan to check if the installed SAs and policies are as they should be.

Related Solutions

StrongSwan – gives error “no known IPsec stack detected, ignoring!”

That legacy check looks for /proc/net/pfkey. If not found, the code tries to load the af_key module via modprobe and then checks again. However, the PF_KEYv2 interface provided by the af_key module is not used on Linux, by default. Instead, the Netlink/XFRM interface provided by the xfrm_user module is used. The starter process has no explicit check for that, though.

So if your kernel provides all required modules for IPsec and XFRM but just not the af_key module that's not a problem and you should be able to establish the connection just fine. As the message suggests, ignore these warnings and simply try to initiate the connection with ipsec up.

IPsec VPN with strongSwan to FortiGate

I've blogged about that when I needed it last. The main trick is that Fortinet requires aggressive mode, so the configuration parameters need to match closely already in the beginning.

For reference, my configuration is

conn fortinet
    left=%any
    leftauth=psk
    leftid=""
    leftauth2=xauth
    xauth_identity="your username"
    leftsourceip=%config
    right=gateway IP address
    rightsubnet=VPN subnet
    rightauth=psk
    keyexchange=ikev1
    aggressive=yes
    ike=aes128-sha1-modp1536!
    esp=aes128-sha1-modp1536!
    auto=add

You also need to configure the PSK and XAUTH secrets.

This was 2016, so the ike and esp modes could have been updated to use longer keys -- note that I enforce a particular cipher for each.

Best Answer

Related Solutions

StrongSwan – gives error “no known IPsec stack detected, ignoring!”

IPsec VPN with strongSwan to FortiGate

Related Question