I ran into the same problem with my project involving a Palo Alto GlobalProtect. Either PAN-OS or openconnect limits the potential network on the client end to a single host, not a site to site.
So I went to IPSec, which as you noted is not simple. I'm using the swanctl program which is included in strongswan-default. The old "starter" program named ipsec
is deprecated.
Install these packages: strongswan-default strongswan-mod-openssl kmod-crypto-sha256 kmod-crypto-gcm xfrm
You may need additional crypto kmods if you set up a different crypto proposal than this example.
Configuration involves several files, the primary one being /etc/config/ipsec (that's right, not /etc/config/swanctl, as that would make too much sense). Unlike most packages, a skeleton config file is not included, so enter this /etc/config/ipsec from scratch:
config ipsec
list listen 'wan'
option debug '1'
config remote 'campus'
option enabled '1'
# Other IP, use "any" to accept connections from dynamic.
option gateway '192.0.0.5'
# Identifiers must match either the DN or a SAN(fqdn) of the certificate. Not the CN.
option local_identifier '<REDACTED>.edu'
option remote_identifier '<REDACTED>.edu'
option fragmentation '1'
option authentication_method 'pubkey'
option rekeytime '4h'
option keyingtries '0'
option mobike 0
option dpddelay '60'
list crypto_proposal 'suite_b_cbc_256'
list tunnel 'tun_campus'
config tunnel 'tun_campus'
option keyexchange 'ikev2'
list local_subnet '0.0.0.0/0'
list remote_subnet '0.0.0.0/0'
option if_id '301'
option updown '/etc/swanctl/setroutes.sh xfrm0'
option rekeytime '1h'
option startaction 'start'
option closeaction 'none'
option dpdaction 'start'
list crypto_proposal 'suite_b_cbc_256'
config crypto_proposal 'suite_b_cbc_256'
option encryption_algorithm 'aes256'
option hash_algorithm 'sha256'
# ecp384 aka group 20.
option dh_group 'ecp384'
Here I'm using the same encryption suite for both IKE and traffic. The other side must be configured to use matching methods.
Certificate authentication is used here. For testing, you could start with preshared key. I think the configuration for that is authentication_method 'psk' and pre_shared_key 'secretkey'. If you use certificates, generate them externally (e.g. on your firewall appliance) and copy them to the following locations:
System CA: /etc/swanctl/x509ca
Client certificate: /etc/swanctl/x509
Client certificate private key (if EC): /etc/swanctl/ecdsa
Encrypted private keys are not supported. Decrypt the key and store it in a file with extension .key.
The latest and greatest way to do IPSec is apparently an xfrm interface, which is supported by UCI with the package xfrm
.
In /etc/config/network, add:
config interface 'xfrm0'
option ifid '301'
option tunlink 'wan'
option mtu '1438'
option proto 'xfrm'
config interface 'xfrm0_s'
option ifname '@xfrm0'
option proto 'static'
option ipaddr '10.0.0.10/32'
The second part which assigns an IP address to this end of the tunnel is optional, but highly advisable so you can test the link by pinging from the other side.
In this setup I'm routing all traffic (except DNS, not sure about that yet) through the tunnel. That requires a script which is not included, so I wrote this as setuproutes.sh:
# Simplified updown script for StrongSwan which installs routes to direct
# all IPv4 into the VPN tunnel.
# For xfrm interfaces, swanctl only knows the ID number, not the ifname.
# Therefore the ifname is passed in on the command line.
# (PLUTO_IF_ID_OUT is the number, there would be some way to look it up.)
OUT_INTERFACE=$1
VPN_LOGGING=1
TAG=vpn-$PLUTO_INTERFACE
FAC_PRIO=local0.notice
# Get the ISP default gateway from existing routing table
DEFAULT_GATEWAY=$(route -n | awk '$1=="0.0.0.0" && $3=="0.0.0.0" {print $2}')
if [ $VPN_LOGGING ]
then
logger -t $TAG -p $FAC_PRIO "default gateway is $DEFAULT_GATEWAY"
fi
case $PLUTO_VERB in
up-client)
if [ $VPN_LOGGING ]
then
logger -t $TAG -p $FAC_PRIO "installing IP4 forward all to $OUT_INTERFACE IPSec to $PLUTO_PEER"
fi
ip route add $PLUTO_PEER via $DEFAULT_GATEWAY
ip route add 0.0.0.0/1 dev $OUT_INTERFACE
ip route add 128.0.0.0/1 dev $OUT_INTERFACE
;;
down-client)
if [ $VPN_LOGGING ]
then
logger -t $TAG -p $FAC_PRIO "removing IP4 forward all to $OUT_INTERFACE IPSec to $PLUTO_PEER"
fi
ip route del $PLUTO_PEER via $DEFAULT_GATEWAY
ip route del 0.0.0.0/1 dev $OUT_INTERFACE
ip route del 128.0.0.0/1 dev $OUT_INTERFACE
;;
esac
Of course the usual firewall considerations of any VPN apply. The xfrm interface is a standard layer 3 tunnel.