Differences

This shows you the differences between two versions of the page.


install_24_4_strongswan [2026/01/11 18:39] system
install_24_4_strongswan [2026/01/12 06:08] (current) – [Create PKI] system
Line 55: Line 55:
 ------ ------
 ===== Create PKI  ===== ===== Create PKI  =====
-  * Next we will creaate the PKI.+  * Next we will create the PKI.
   * We need to install a helper package that is part of StrongSwan first.   * We need to install a helper package that is part of StrongSwan first.
 <code bash> <code bash>
Line 62: Line 62:
   * We issue the following commands.   * We issue the following commands.
 <code bash> <code bash>
-mkdir -p ~/pki/{cacerts,certs,private}+mkdir -p ~/pki/{ca,certs,private}
 chmod 700 ~/pki chmod 700 ~/pki
 cd ~/pki cd ~/pki
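Review bot: the CA directory is renamed from cacerts to ca on the mkdir line, but this hunk shows only the directory creation; every later command on the page that writes to or reads from ~/pki/cacerts (the CA key and certificate generation and any copy into the strongSwan configuration directory) is outside this hunk and needs the same rename, otherwise those commands will fail or leave the CA files split across two directories. Worth checking the rest of the revision rather than only this line.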
Line 82: Line 82:
  
 </code> </code>
 +<WRAP center round tip 100%>
 +  * StrongSwan has some very good documentation on managing certificates
 +  * https://docs.strongswan.org/docs/latest/pki/pkiQuickstart.html
 +</WRAP>
 +
  
 -------- --------
Line 173: Line 178:
   * The **if_id_in** and **if_if_out** in tern have to terminate into a **xfrm** interface.   * The **if_id_in** and **if_if_out** in tern have to terminate into a **xfrm** interface.
   * We will create a startup script that prepare this interface for us **BEFORE** we start StrongSwan.   * We will create a startup script that prepare this interface for us **BEFORE** we start StrongSwan.
 +  * Create the file **/usr/local/sbin/xfrm-up.sh** with the following contents.
 +  * We assume eth0 is the interface name where the server gets it Internet from. Please adapt if your server is different.
 +<code bash>
 +#!/bin/sh
 +set -e
 +#
 +IFACE=xfrm0
 +IF_ID=100
 +ADDR=10.3.0.1/32
 +SUBNET=10.3.0.0/24
  
 +# Create XFRM interface
 +ip link show "$IFACE" >/dev/null 2>&1 || \
 +ip link add "$IFACE" type xfrm if_id "$IF_ID"
 +
 +# Assign IP
 +ip addr show "$IFACE" | grep -q "$ADDR" || \
 +ip addr add "$ADDR" dev "$IFACE"
 +
 +# Bring interface up
 +ip link set "$IFACE" up
 +
 +# Route for remote side
 +ip route show "$SUBNET" | grep -q "$IFACE" || \
 +ip route add "$SUBNET" dev "$IFACE"
 +
 +# ---- NAT via nftables ----
 +
 +# Create table if missing
 +nft list table ip nat >/dev/null 2>&1 || \
 +nft add table ip nat
 +
 +# Create postrouting chain if missing
 +nft list chain ip nat postrouting >/dev/null 2>&1 || \
 +nft add chain ip nat postrouting { type nat hook postrouting priority 100\; }
 +
 +# Add SNAT/MASQUERADE rule (idempotent)
 +nft list chain ip nat postrouting | grep -q "$IFACE" || \
 +nft add rule ip nat postrouting oifname "$IFACE" masquerade
 +nft add rule ip nat postrouting oifname "eth0" masquerade
 +
 +</code>
 +  * Create a startup script called **/etc/systemd/system/xfrm0.service** which calls the script above.
 +<code bash>
 +[Unit]
 +Description=XFRM Interface xfrm0
 +Before=strongswan.service
 +Wants=network-online.target
 +After=network-online.target
 +
 +[Service]
 +Type=oneshot
 +ExecStart=/usr/local/sbin/xfrm-up.sh
 +RemainAfterExit=yes
 +
 +[Install]
 +WantedBy=multi-user.target
 +</code>
 +  * Enable the startup script and start it up
 +<code bash>
 +systemctl enable xfrm0
 +systemctl start xfrm0
 +</code>
 +  * Everything is now prepared on the server side.
 +  * We can now configure clients in APdesk and MESHdesk to route certain traffic through the IPsec tunnel.
 +  * These are covered in a dedicated Wiki page.
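Review bot: the second masquerade rule at the end of the nftables section, `nft add rule ip nat postrouting oifname "eth0" masquerade`, is not covered by the idempotency guard on the line above it (the `grep -q "$IFACE"` check only gates the xfrm0 rule), so every run of xfrm-up.sh, including each restart of the oneshot unit, appends another identical rule to the chain. Give it its own guard, for example `nft list chain ip nat postrouting | grep -q 'oifname "eth0"' || nft add rule ip nat postrouting oifname "eth0" ip saddr "$SUBNET" masquerade`; adding the `ip saddr "$SUBNET"` match also limits the NAT to tunnel traffic instead of masquerading everything the host sends out of eth0. Two smaller points: the script sets up routes and NAT but never enables IPv4 forwarding, so unless that is done elsewhere on the page nothing arriving from 10.3.0.0/24 will be forwarded to eth0, and the prose lines introducing the script still say "if_if_out" and "in tern" where "if_id_out" and "in turn" are meant.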
  • Last modified: 2026/01/11 18:39
  • by system