Good evening, good morning.
If this is of interest to some network admins, I am passing the information on to you.
I installed strongSwan 6.0beta Vici Post-Quantum IKEv2 Daemon. Of course you can use today's official version, version 5.9, without compiling, but you will not be able to encrypt with OQS algorithms.
I didn't know about "strongSwan VICI (doc)", i.e. an IPsec configuration without the "ipsec.conf" file (I'm probably late):
So with these files:
Code:
/etc/strongswan.conf
/etc/swanctl/swanctl.conf
Quick notes:
- We should try other authentication methods: EAP (Extensible Authentication Protocol).
- My configuration tests (I have nothing better at the moment):
1. Config "1" is an example of the "/etc/strongswan.conf" files (server / client).
2. Config "2" is OK without subnets (public IPv4 to public IPv4; the traceroute does not hop between the 2 connected machines).
3. Config "3" is OK from "site" to "site" (ping and services) with IPv6 subnets.
4. Config "4" is OK from "site" to "server" to "site" (ping and services) with subnets; this is where I am as of 20240313.

20240313: I added my script "firewall-icmpv6", to which I added the function "ipv6_strongswan()", which lets UDP/TCP requests through on the "IPv6 SWAN Site-Local scoped" address prefix in addition to ICMPv6 (ping).

A piece of firewall-ipv6: it checks the network ranges fe80::/10 and fec0::/10 and the multicast range ff00::/8.

Code:
###### we set the rules for IPv6 addresses #####
# IP6TABLE is set by the surrounding firewall-ipv6 script; this fallback lets the piece run on its own
IP6TABLE=${IP6TABLE:-/sbin/ip6tables}

function ipv6_link_multicast() {
    echo " |"
    echo " + IPv6 - Addrs Link-Local Unicast and Multicast -----------------------"
    # Allow Link-Local addresses
    # network range : fe80:0000:0000:0000:0000:0000:0000:0000-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |"
    $IP6TABLE -A INPUT -s fe80::/10 -j ACCEPT
    $IP6TABLE -A FORWARD -s fe80::/10 -d fe80::/10 -j ACCEPT
    $IP6TABLE -A OUTPUT -d fe80::/10 -j ACCEPT
    echo " +--> fe80::/10 : ACCEPT"
    echo " |"
    echo " + IPv6 - Addrs Link-Local : [OK]"

    # Allow multicast
    # network range : ff00:0000:0000:0000:0000:0000:0000:0000-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |"
    $IP6TABLE -A INPUT -d ff00::/8 -j ACCEPT
    $IP6TABLE -A FORWARD -s ff00::/8 -d ff00::/8 -j ACCEPT
    $IP6TABLE -A OUTPUT -d ff00::/8 -j ACCEPT
    echo " +--> ff00::/8 : ACCEPT"
    echo " |"
    echo " + IPv6 - Addrs Multicast : [OK]"
}

###### we set the rules for secure IPv6 addresses (VPN/strongSwan) #####
function ipv6_strongswan() {
    echo " |"
    echo " + IPv6 - Addrs Site-Local Secure Area Network -------------------------"
    # Allow Secure Area Network addresses
    # network range : fec0:0000:0000:0000:0000:0000:0000:0000-feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |"
    $IP6TABLE -A INPUT -s fec0::/10 -j ACCEPT
    $IP6TABLE -A FORWARD -s fec0::/10 -d fec0::/10 -j ACCEPT
    $IP6TABLE -A OUTPUT -d fec0::/10 -j ACCEPT
    echo " +--> fec0::/10 : ACCEPT"
    echo " |"
    echo " + IPv6 - Addrs Secure Area Network : [OK]"
}
GestióIP : IPv6 subnet calculator

Greetings,
Romain.
Posted by LAB3W.ORJ — Fri Mar 15, 2024 4:05 pm
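As an added example (not the author's firewall-ipv6 script), a hardened variant of ipv6_strongswan(): the fec0::/10 accept rules are tied to the ip6tables policy match, so only packets that actually passed through an IPsec SA match, and a site-local source forged on the WAN link is logged and dropped. The dry-run default for IP6TABLE, WAN_IF, SWAN_NET and the helper count_unprotected_sitelocal_accepts are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the author's firewall-ipv6 script.
# The original ipv6_strongswan() accepts any packet whose source is in fec0::/10.
# That prefix is not routed on the Internet, but nothing stops a host on the WAN
# link from forging it, so the ACCEPT also matches spoofed packets that never went
# through an IPsec SA. Tying the rule to xt_policy fixes that: the match succeeds
# only for packets decapsulated from (--dir in) or about to be encapsulated into
# (--dir out) an IPsec SA.
# Note: fec0::/10 (site-local) was deprecated by RFC 3879; ULAs (fc00::/7) are the
# current equivalent, and these rules work unchanged with a ULA prefix.
#
# Assumptions: IP6TABLE defaults to a dry run that prints the rules (set it to
# /sbin/ip6tables as root to apply them), WAN_IF is the public interface and
# SWAN_NET is the inner VPN prefix used in the post.
IP6TABLE=${IP6TABLE:-"echo ip6tables"}
WAN_IF=${WAN_IF:-eth0}
SWAN_NET=${SWAN_NET:-fec0::/10}

ipv6_strongswan_hardened() {
    # IKE (UDP 500, NAT-T on UDP 4500) and ESP must reach strongSwan on the WAN side.
    $IP6TABLE -A INPUT  -i "$WAN_IF" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IP6TABLE -A INPUT  -i "$WAN_IF" -p esp -j ACCEPT
    $IP6TABLE -A OUTPUT -o "$WAN_IF" -p udp -m multiport --sports 500,4500 -j ACCEPT
    $IP6TABLE -A OUTPUT -o "$WAN_IF" -p esp -j ACCEPT

    # Site-local traffic is accepted only when it carries an IPsec policy match.
    $IP6TABLE -A INPUT   -s "$SWAN_NET" -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    $IP6TABLE -A FORWARD -s "$SWAN_NET" -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    $IP6TABLE -A FORWARD -d "$SWAN_NET" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    $IP6TABLE -A OUTPUT  -d "$SWAN_NET" -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # Anything else arriving on the WAN interface with a site-local source did not
    # come out of an SA: it is spoofed, so log it (rate-limited) and drop it.
    $IP6TABLE -A INPUT -i "$WAN_IF" -s "$SWAN_NET" -m limit --limit 6/min -j LOG --log-prefix "ip6 swan spoof: "
    $IP6TABLE -A INPUT -i "$WAN_IF" -s "$SWAN_NET" -j DROP
}

# Check on the generated rule set (hypothetical helper): number of ACCEPT rules
# that mention the VPN prefix without an IPsec policy match. Expected: 0.
count_unprotected_sitelocal_accepts() {
    ipv6_strongswan_hardened \
        | awk -v net="$SWAN_NET" 'index($0, net) && /-j ACCEPT/ && !/-m policy/ { n++ } END { print n + 0 }'
}
```

Rule order matters in INPUT: decapsulated packets also show up with -i "$WAN_IF", so the policy-matched ACCEPT must precede the spoof DROP.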