hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Site-Site VPN #972

Closed IronDemiGod closed 3 years ago

IronDemiGod commented 3 years ago

So I know this is not exactly an issue, but I have a question.

Can I use this to create a site-to-site VPN? If so, I want to use IPsec with IKEv2.

Can you give details on the authentication, decryption and DH group it uses?

Thanks!
Compute165

hwdsl2 commented 3 years ago

@Compute165 Hello! Site-to-site VPN is outside the scope of this project. The VPN setup scripts in this repo cannot create site-to-site VPNs.

However, Libreswan does support this use case. Please refer to these examples [1] and other pages in the Libreswan wiki [2]. Ask questions on the Libreswan users mailing list [3].

[1] https://libreswan.org/wiki/Configuration_examples
[2] https://libreswan.org/wiki/Main_Page
[3] https://lists.libreswan.org/mailman/listinfo/swan

IronDemiGod commented 3 years ago

OK, but what authentication, decryption and DH group does this project use?

hwdsl2 commented 3 years ago

@Compute165 In the default configuration of the VPN setup scripts, here is a list of supported VPN ciphers for IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes:

  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2

With Libreswan 4.4, this maps to:

IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128

And these ciphers are supported for IKEv2 mode:

  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2

With Libreswan 4.4, this maps to:

IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
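
An added example, not part of the thread or of the project's code: a small audit that parses the two "IKE algorithms" lines quoted in the comment above and lists which expanded proposals offer a MODP group under 2048 bits or HMAC-SHA1. The thresholds (`MIN_MODP_BITS`, `LEGACY_INTEG`) and all function names are assumptions chosen for this example; ESP lines use a different shape and are out of scope here.

```python
import re

# Assumed policy for this example; adjust to your own baseline.
MIN_MODP_BITS = 2048
LEGACY_INTEG = {"HMAC_SHA1"}

# "IKE algorithms" lines as quoted in the comment above (Libreswan 4.4).
IKEV1 = ("AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, "
         "AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, "
         "AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, "
         "AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, "
         "AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024")
IKEV2 = ("AES_CBC_256-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, "
         "AES_CBC_128-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, "
         "AES_CBC_256-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, "
         "AES_CBC_128-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31")

def parse_proposals(line):
    """Split 'ENCR-INTEG-DH1+DH2, ...' into (encr, integ, [dh groups]) tuples."""
    proposals = []
    for item in filter(None, (p.strip() for p in line.split(","))):
        parts = item.split("-")
        if len(parts) != 3:
            # Refuse to guess: an unparsed proposal must not pass silently.
            raise ValueError(f"unexpected proposal format: {item!r}")
        encr, integ, dh = parts
        proposals.append((encr, integ, dh.split("+")))
    return proposals

def audit(line):
    """Return (proposal, offending element, reason) for each policy finding."""
    findings = []
    for encr, integ, groups in parse_proposals(line):
        name = f"{encr}-{integ}"
        for group in groups:
            m = re.fullmatch(r"MODP(\d+)", group)  # DH19 etc. are not MODP groups
            if m and int(m.group(1)) < MIN_MODP_BITS:
                findings.append((name, group, "DH group below minimum"))
        if integ in LEGACY_INTEG:
            findings.append((name, integ, "legacy integrity algorithm"))
    return findings

if __name__ == "__main__":
    for label, line in (("IKEv1 modes", IKEV1), ("IKEv2 mode", IKEV2)):
        print(label)
        for proposal, element, reason in audit(line):
            print(f"  {proposal}: {element} ({reason})")
```

On the quoted lines, the IPsec/L2TP and IPsec/XAuth list is the only one that still offers MODP1536 and MODP1024; the IKEv2 list is flagged for HMAC-SHA1 only.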

IronDemiGod commented 3 years ago

OK, thanks for the help! 😃 👍