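root@responder:/etc/swanctl # cat /etc/strongswan.conf
# strongswan.conf: charon daemon settings (logging, EAP method selection, IKE
# transport tuning). Connections, pools and secrets live in
# /etc/swanctl/swanctl.conf and are loaded by the start-scripts below.
charon {
    # load_modular = yes
    # plugins {
    #     include strongswan.d/charon/*.conf
    # }

    # Executed in the order listed: credentials first so the connections that
    # reference them resolve, then the address pools.
    start-scripts {
        creds = swanctl --load-creds
        conns = swanctl --load-conns
        pools = swanctl --load-pools
    }

    # File loggers: each subsection is one target; the section name "stderr"
    # is the special value that writes to the console.
    filelog {
        charon {
            path = /var/log/charon.log
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            # NOTE(review): append = no truncates the log on every daemon
            # restart, so the events leading up to a restart are lost. If this
            # file is the audit/forensic record, use append = yes and rotate it.
            append = no
            # increase default loglevel for all daemon subsystems
            default = 1
            tls = 2
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # default = 1
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel. -1 silences a subsystem; only tls stays at 2.
            # applications other than daemons
            app = -1
            # Low-level encoding/decoding (ASN.1, X.509 etc.)
            asn = -1
            # Configuration management and plugins
            cfg = -1
            # CHILD_SA/IPsec SA
            chd = -1
            # Main daemon setup/cleanup/signal handling
            dmn = -1
            # Packet encoding/decoding encryption/decryption operations
            enc = -1
            # libipsec library messages
            esp = -1
            # IKE_SA/ISAKMP SA
            ike = -1
            # Integrity Measurement Collector
            imc = -1
            # Integrity Measurement Verifier
            imv = -1
            # Jobs queuing/processing and thread pool management
            job = -1
            # IPsec/Networking kernel interface
            knl = -1
            # libstrongswan library messages
            lib = -1
            # IKE_SA manager, handling synchronization for IKE_SA access
            mgr = -1
            # IKE network communication
            net = -1
            # Platform Trust Service
            pts = -1
            # libtls library messages
            tls = 2
            # Trusted Network Connect
            tnc = -1
        }
    }

    # and two loggers using syslog
    # Fix: this block was nested inside filelog, where charon reads it as a
    # file logger whose path defaults to the section name "syslog" and ignores
    # identifier/daemon/auth. syslog must be a sibling of filelog under charon
    # for the LOG_DAEMON / LOG_AUTHPRIV loggers to exist at all.
    syslog {
        # prefix for each log message
        identifier = charon-custom
        # use default settings to log to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }

    eap-dynamic {
        # the client's preference wins; the list below is the fallback order
        prefer_user = yes
        # NOTE(review): EAP-MD5 is listed first; it proves only a password and
        # is the weaker of the two methods. Put tls first if clients support it.
        preferred = md5, tls
    }

    # advertises the strongSwan vendor ID in IKE_SA_INIT, which lets peers
    # fingerprint the implementation; acceptable for a fixed peer set
    send_vendor_id = yes
    # as responder, accept the peer's proposal order instead of our own;
    # with a single proposal per connection in gw-gw.conf this has no effect
    prefer_configured_proposals = no
    # IKE fragmentation threshold (bytes) and maximum accepted IKE message
    # size; presumably raised above the default for the large post-quantum KE
    # payloads in the proposals -- confirm against the path MTU
    fragment_size = 1480
    max_packet = 30000
    # install_routes = no
    # install_virtual_ip = yes
    # install_virtual_ip_on = vti1
    # interfaces_use = vti0
    # interfaces_ignore = vmbr0
}

# plugin list for the pki tool (oqs provides the post-quantum algorithms)
pki {
    load = plugins: random drbg x509 pubkey pkcs1 pkcs8 pkcs12 pem openssl oqs
}

# for strongSwan 6.9
# TLS 1.3 only, AEAD suites only (used by EAP-TLS via libtls)
libtls {
    version_max = 1.3
    suites = TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
}
root@responder:/etc/swanctl # cat /etc/swanctl/swanctl.conf
# swanctl.conf: connections, trust anchors, address pools and credentials.
# The secrets section holds plaintext PSKs and EAP passwords; keep this file
# readable by root only.
connections {
    include gw-gw.conf
    # include rw.conf
    # include psk.conf
    # include eap.conf
}

authorities {
    strongswan {
        # cacert = caCert-ed25519.pem
        cacert = caCert-falcon1024.pem
        # crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
        # NOTE(review): with crl_uris commented out no CRL source is configured
        # here, so revocation is only checked if the peer certificates carry
        # their own distribution points or OCSP URIs -- confirm with the CA.
    }
}

pools {
    # road-warrior pool (only used by the commented-out rw/eap includes)
    rw_pool {
        # addrs = 10.133.0.0/24
        addrs = 172.16.5.10-172.16.5.100
        # addrs = 176.16.5.8
    }
    # virtual IPs handed to the gw-gw peer (see pools = in gw-gw.conf)
    v4pool_home {
        addrs = 172.16.1.0/24
    }
    v6pool_home {
        addrs = fec3::/120
    }
}

secrets {
    # IKE pre-shared keys; the 0s prefix marks a base64-encoded secret
    ike-orj {
        id = orj@lab3w.fr
        secret = 0sTtd7IOin6FuyjLsWtiM9o/1c
    }
    ike-hacker {
        id = hack3r@zw3b.eu
        secret = 0sH7+o6wysMoaELv5OBihKVa3F
    }
    # EAP passwords (EAP-MD5 is the preferred method in strongswan.conf)
    eap-orj {
        id = orj
        # secret = 3s9RFGdWE5EW
        # NOTE(review): 4-character password; trivially guessable for EAP-MD5,
        # rotate to a long random secret before the eap include goes live.
        secret = saxo
    }
    eap-hacker {
        id = hack3r
        secret = K8FW9/N0VIAJ
    }
}
root@responder:/etc/swanctl # cat /etc/swanctl/gw-gw.conf
# gw-gw.conf: site-to-site IKEv2 connection, certificate-authenticated on both
# sides with hybrid classic + post-quantum key exchanges.
gw-gw {
    remote_addrs = 109.210.56.240
    # vips = 0.0.0.0, ::
    # virtual IPs assigned to the peer from the pools in swanctl.conf
    pools = v4pool_home, v6pool_home
    # pools = v4pool_home
    local {
        auth = pubkey
        certs = vpsCert-dilithium5-sign_ca-falcon1024.pem
        id = vps.zw3b.eu
    }
    # peer is verified against the authorities section (caCert-falcon1024.pem)
    remote {
        auth = pubkey
        id = bw.zw3b.eu
    }
    children {
        gw-gw {
            # local_ts = 10.133.0.0/24,fec1::0/16
            local_ts = 10.133.0.0/24,fec1::0/16
            # local_ts = 10.133.0.0/24
            # remote_ts = 10.106.42.0/24
            # trap policy: the CHILD_SA is negotiated on demand when matching
            # traffic appears
            start_action = trap
            #--------------------------------
            # ESP
            #-------
            # DEFAULT : no cipher
            # selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
            # My Config ciphers list
            # ok CHILD_SA net{1} established
            # x25519 plus the additional ke1..ke3 exchanges give PFS when the
            # CHILD_SA is rekeyed (CREATE_CHILD_SA)
            esp_proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3
            # selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
            # ok CHILD_SA net{1} established
            # esp_proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none
            # selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
            #---------------------------------
            # rekey limits: seconds (90 min), bytes, packets -- whichever first
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000
        }
    }
    #--------------------------------
    # IKE
    #-------
    version = 2
    # liveness check while the IKE_SA is idle
    dpd_delay = 60s
    # DEFAULT : no cipher config
    # selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    # ok IKE_SA home[1] established
    # ke3_none / ke4_none let the peer skip the optional third and fourth
    # exchanges; ke1 and ke2 are mandatory in this proposal
    proposals = aes256-sha256-x25519-ke1_kyber3-ke1_frodoa3-ke2_bike3-ke2_hqc3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none
    # selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519/KE1_KYBER_L3/KE2_BIKE_L3/KE3_HQC_L3/KE4_HQC_L5
    # test
    # proposals = aes256-sha256-x25519
    # proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3
    # proposals = aes256-sha256-x25519-modp3072-ke1_kyber3-ke1_frodoa3-ke2_bike3-ke2_hqc3-ke3_hqc3-ke3_none-ke4_hqc5-ke4_none
    #--------------------------------
}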