strongswan

IPsec-based VPN software (IKEv1/IKEv2) with XAUTH and EAP

  1. Package version
    strongswan-5.9.1p0
  2. Maintainer
    The OpenBSD ports mailing-list

strongSwan is reasonably portable open source VPN software supporting
both IKEv1 and IKEv2. It has wide support for authentication types
including IKEv1 XAUTH (username and password) and multiple IKEv2 EAP
mechanisms on both server and client side.

The OpenBSD port currently provides only the "kernel-libipsec" plugin.
This operates in userland via tun(4) devices and strongSwan's own
IPsec implementation rather than using kernel IPsec, so it is suggested
that it only be used for testing, or in client situations where the
native IPsec software (isakmpd and iked) does not support the required
functionality.

+-------------------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-------------------------------------------------------------------------------

Caveats
=======
This package currently provides only the "kernel-libipsec" plugin which operates
in userland via tun(4) devices and uses strongSwan's own IPsec implementation
rather than OpenBSD's kernel IPsec. It is not recommended for production use
on security gateways.

To use this plugin, kernel ESP handling must be disabled so that ESP and
UDP-encapsulated ESP packets reach the userland implementation instead of
the kernel:

# sysctl net.inet.esp.enable=0
# sysctl net.inet.esp.udpencap=0

Add both settings to /etc/sysctl.conf to make them persistent across reboots.
Note that this disables kernel ESP for the whole host, so isakmpd(8) or iked(8)
cannot be used on the same machine while strongSwan is run this way.

The kernel-pfkey plugin (which interfaces with kernel IPsec) has not yet
been ported to OpenBSD.

Example configuration
---------------------
This is for an IKEv2 client with EAP-MSCHAPv2 username/password
authentication. The client authenticates with EAP; the gateway is
authenticated by its certificate, which must be issued by the CA named in
rightca and installed under ipsec.d/cacerts/. Parameters of a conn section
must be indented; a line starting in column 0 begins a new section:

# cat /etc/strongswan/ipsec.conf
conn ikev2-eap-mschapv2
        # dead peer detection: reconnect if the gateway stops answering
        dpdaction=restart
        dpddelay=30
        dpdtimeout=90
        fragmentation=yes
        # request a virtual IP from the gateway
        leftsourceip=%config
        keyexchange=ikev2
        # client side: EAP-MSCHAPv2 username/password
        leftauth=eap-mschapv2
        eap_identity=username
        # gateway side: certificate issued by the CA below
        rightauth=pubkey
        right=vpn.example.net
        rightid=@vpn.example.net
        rightca="C=GB, ST=Cornwall, O=Example Net, CN=Example CA, E=hostmaster@example.net"
        rightsubnet=10.71.0.0/18
        auto=add

# cat /etc/strongswan/ipsec.secrets
username : EAP "password"

ipsec.secrets holds the cleartext EAP password and must be readable by root
only (mode 0600).

# ls -l /etc/strongswan/ipsec.d/cacerts/
total 8
-rw-r--r-- 1 root wheel 2106 Mar 30 00:05 example-ca.pem

# ipsec start
# ipsec up ikev2-eap-mschapv2
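The following pre-flight check is an added example; it is not code from the strongSwan project or the OpenBSD port. It parses ipsec.conf-style text the way the format is described above (section headers in column 0, indented name=value parameters), parses the EAP entries of an ipsec.secrets-style text, and reports settings that weaken the client side of the exchange: a gateway that is not certificate-authenticated, no pinned CA, an eap_identity with no matching secret, a world-readable secrets file, and parameters typed at column 0 that would not belong to the conn section. Both sample configurations, the "weak" variant and the file modes are constructed for this demonstration.

```python
"""Pre-flight check for a strongSwan IKEv2 EAP client configuration.

Added example, not part of strongSwan or the OpenBSD port. The sample
configurations at the bottom are constructed for this demonstration.
"""
import re
import stat

# An ipsec.secrets EAP line looks like:  username : EAP "password"
_EAP_SECRET = re.compile(r'^\s*(\S+)\s*:\s*EAP\s+"([^"]*)"')


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into ({section: {key: value}}, [stray lines]).

    Every line starting in column 0 ("config setup", "conn NAME", "ca NAME")
    opens a new section; parameters must be indented. A key=value line at
    column 0 is therefore not a parameter of the preceding conn, so it is
    reported separately as a stray instead of being silently attached.
    """
    sections, strays = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments (values here contain no '#')
        if not line.strip():
            continue
        if line[0] not in " \t":
            if "=" in line:
                strays.append(line.strip())
                continue
            current = line.strip()
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections, strays


def parse_eap_secrets(text):
    """Return {identity: password} for the EAP entries of ipsec.secrets."""
    return {m.group(1): m.group(2)
            for m in map(_EAP_SECRET.match, text.splitlines()) if m}


def check_eap_client(conn, secrets, secrets_mode):
    """Return findings for one conn section used as an IKEv2 EAP client.

    secrets_mode is the st_mode of ipsec.secrets (None if unknown).
    """
    findings = []
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2; EAP authentication is IKEv2-only")
    if not conn.get("leftauth", "").startswith("eap"):
        findings.append("leftauth does not select an EAP method (e.g. eap-mschapv2)")
    if conn.get("rightauth") != "pubkey":
        findings.append("rightauth is not pubkey; the gateway must authenticate with a certificate")
    if not conn.get("rightca"):
        findings.append("rightca not set; a certificate from any CA in ipsec.d/cacerts/ is accepted")
    ident = conn.get("eap_identity")
    if not ident:
        findings.append("eap_identity not set")
    elif ident not in secrets:
        findings.append(f"no EAP secret for identity {ident!r} in ipsec.secrets")
    if secrets_mode is not None and secrets_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("ipsec.secrets is group/world accessible; use mode 0600")
    return findings


def audit(conf_text, secrets_text, secrets_mode=None):
    """Audit every conn section; returns {section name: [findings]}."""
    sections, strays = parse_ipsec_conf(conf_text)
    secrets = parse_eap_secrets(secrets_text)
    report = {name: check_eap_client(params, secrets, secrets_mode)
              for name, params in sections.items() if name.startswith("conn ")}
    if strays:
        report["(unindented)"] = [f"parameter at column 0, not part of any conn: {s}"
                                  for s in strays]
    return report


# Constructed sample: the README's client configuration, indented as required,
# with a secrets file of mode 0600.
GOOD_CONF = """\
conn ikev2-eap-mschapv2
    keyexchange=ikev2
    leftsourceip=%config
    leftauth=eap-mschapv2
    eap_identity=username
    rightauth=pubkey
    right=vpn.example.net
    rightid=@vpn.example.net
    rightca="C=GB, ST=Cornwall, O=Example Net, CN=Example CA, E=hostmaster@example.net"
    rightsubnet=10.71.0.0/18
    auto=add
"""
GOOD_SECRETS = 'username : EAP "password"\n'

# Constructed weakened variant: gateway not certificate-authenticated, no CA
# pinned, identity without a secret, two parameters typed at column 0.
WEAK_CONF = """\
conn weak
    keyexchange=ikev2
    leftauth=eap-mschapv2
    eap_identity=alice
    rightauth=eap-mschapv2
right=vpn.example.net
rightsubnet=10.71.0.0/18
    auto=add
"""
WEAK_SECRETS = 'bob : EAP "hunter2"\n'

if __name__ == "__main__":
    for label, conf, sec, mode in (("good", GOOD_CONF, GOOD_SECRETS, 0o100600),
                                   ("weak", WEAK_CONF, WEAK_SECRETS, 0o100644)):
        print(label)
        for section, findings in audit(conf, sec, mode).items():
            for finding in findings or ["ok"]:
                print(f"  {section}: {finding}")
```

Run it against real files by reading /etc/strongswan/ipsec.conf and ipsec.secrets and passing `os.stat("/etc/strongswan/ipsec.secrets").st_mode` as secrets_mode; the indentation check is the one most worth keeping, since a conn whose parameters sit in column 0 will not behave as the README's example intends.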

  Build dependencies
  • devel/bison
  • devel/gmake
  • archivers/bzip2