A Docker IPsec server based on strongSwan and Alpine, with remote access and site-to-site VPN profiles. Below 70 MB. GNS3 ready.

- Road warrior IKEv2 profiles: RSA, PSK and EAP
- Road warrior IKEv1 profiles: XAUTH RSA and XAUTH PSK
- Site-to-site IKEv2 profiles: RSA and PSK
- IPv4 and IPv6
- Internal pool or external DHCP server
- Internal certificate authority, with certificate revocation option
- Possibility to use the host's Let's Encrypt certificate
- Possibility to authenticate against a RADIUS server (AAA)
- Firewall option to allow/deny: interclient, LAN, internet

The 3 road warrior IKEv2 profiles (RSA, PSK, EAP) are activated by default.
The credentials are randomly generated if not set.
The container generates a self-signed certificate using the external (public) IP address as CN, if not set.
The container configuration and credentials can be displayed with the command: `docker logs containerName`
The /etc/swanctl folder is persistent.
Important: you need at least `--cap-add NET_ADMIN` for strongSwan to start.
Create a remote access connection with MSCHAPv2 authentication:

```shell
docker run -dt \
--cap-add NET_ADMIN --cap-add SYS_MODULE --cap-add SYS_ADMIN \
--sysctl net.ipv4.ip_forward=1 --sysctl net.ipv6.conf.all.forwarding=1 --sysctl net.ipv6.conf.eth0.proxy_ndp=1 \
-v /lib/modules:/lib/modules:ro -e Y_FIREWALL_ENABLE=yes \
-p 50:50/udp -p 51:51/udp -p 500:500/udp -p 4500:4500/udp \
-e Y_EAP_USERNAME=tux -e Y_EAP_PASSWORD=StrongPassword \
--name myipsec palw3ey/ye3ipsec
```

- On the host, show the content of the CA certificate:
  `docker exec -it myipsec cat /etc/swanctl/x509ca/caCert.pem`
- On Windows, paste the content into a file named `caCert.crt` and double-click it (or use certlm.msc) to import the certificate into: Local Computer > Trusted Root Certificate
  (You can skip this step by using a Let's Encrypt certificate in the docker run options, see HOWTOs)
- In the Windows start menu type "add VPN connection", then fill in the fields:
  - connection name: EAP Test
  - server name or address: type the VPN server's external IP address
  - VPN type: select "IKEv2"
  - Type of sign-in info: select "User name and password"
  - User name: type "tux"
  - Password: type "StrongPassword"
  - Save
- Select "EAP Test" and Connect
## HOWTOs

- Enable IPv6 in Docker. Open `/etc/docker/daemon.json` (for example with `vi /etc/docker/daemon.json`) and add these parameters:

```json
{
  "experimental": true,
  "ip6tables": true
}
```

  To save and close in vi, press successively these keyboard keys: "Escape" ":" "w" "q" "Enter". Then restart docker:

```shell
sudo systemctl restart docker
```

- Create a docker network with IPv4 and IPv6, named mynet46:

```shell
docker network create --ipv6 \
--subnet=10.2.192.0/24 \
--subnet=fd00::a02:c000/120 \
mynet46
```
- Use mynet46, and customise the network settings to be able to use the VPN from outside. Use these options with docker run:

```shell
--cap-add NET_ADMIN --cap-add SYS_MODULE --cap-add SYS_ADMIN \
--sysctl net.ipv4.ip_forward=1 --sysctl net.ipv6.conf.all.forwarding=1 --sysctl net.ipv6.conf.eth0.proxy_ndp=1 \
-v /lib/modules:/lib/modules:ro -e Y_FIREWALL_ENABLE=yes \
-p 50:50/udp -p 51:51/udp -p 500:500/udp -p 4500:4500/udp \
--net mynet46 --ip 10.2.192.254 --ip6 fd00::a02:c0fe \
```

- Use the host's Let's Encrypt certificate to identify the VPN server instead of the certificate generated by the container. Use these options with docker run (the three files must come from the same certificate, here www.test.lan):

```shell
-e Y_LOCAL_SELFCERT=no -e Y_SERVER_CERT_CN=www.test.lan \
-v /etc/letsencrypt/live/www.test.lan/chain.pem:/etc/swanctl/x509ca/chain.pem \
-v /etc/letsencrypt/live/www.test.lan/cert.pem:/etc/swanctl/x509/cert.pem \
-v /etc/letsencrypt/live/www.test.lan/privkey.pem:/etc/swanctl/private/privkey.pem \
```
- Specify the pool for remote access clients (road warrior). Use these options with docker run:

```shell
-e Y_POOL_IPV4=10.2.200.0/24 -e Y_POOL_IPV6=fd00::a02:c800/120
```

- Get IP addresses from a DHCP server for remote access clients (road warrior). Use these options with docker run:

```shell
-e Y_POOL_DHCP=yes -e Y_DHCP_FORCE_SERVER_ADDRESS=yes -e Y_DCHP_IDENTITY_LEASE=yes -e Y_DHCP_SERVER=10.2.152.1
```

- Specify the username and password for the EAP IKEv2 road warrior profile. Use these options with docker run:

```shell
-e Y_EAP_USERNAME=carol -e Y_EAP_PASSWORD=StrongPassword
```

- Get EAP authentication from a RADIUS server for the EAP IKEv2 road warrior profile. Use these options with docker run:

```shell
-e Y_EAP_REMOTE_AUTH=eap-radius -e Y_RADIUS_LOAD=yes \
-e Y_RADIUS_ADDRESS=radius.server.lan -e Y_RADIUS_SECRET=StrongRadiusSecret \
-e Y_RADIUS_AUTH_PORT=1812 -e Y_RADIUS_ACCT_PORT=1813
```

- Specify the id and secret for the PSK IKEv2 road warrior profile. Use these options with docker run:

```shell
-e Y_PSK_REMOTE_ID=10.9.8.7 -e Y_PSK_SECRET=StrongSecret
```

- Specify the CN and password for the RSA certificate IKEv2 road warrior profile. Use these options with docker run:

```shell
-e Y_CERT_CN=carol.laptop.lan -e Y_CERT_PASSWORD=StrongPassword
```

- Activate the PSK IKEv2 site-to-site profile. Use these options with docker run:

```shell
-e Y_S2S_PSK_ENABLE=yes -e Y_S2S_PSK_REMOTE_ADDRS=10.9.8.7 \
-e Y_S2S_PSK_LOCAL_ID=192.168.7.6 -e Y_S2S_PSK_REMOTE_ID=10.9.8.7 \
-e Y_S2S_PSK_SECRET=StrongSecret \
-e Y_S2S_PSK_LOCAL_TS=10.2.0.0/16,fd00::a02:101/112 \
-e Y_S2S_PSK_REMOTE_TS=10.1.0.0/16,fd00::a01:101/112 \
```

- Activate the IKEv1 road warrior profiles, XAUTH PSK and XAUTH RSA. They are disabled by default. Use these options with docker run:

```shell
-e Y_XAUTH_PSK_ENABLE=yes -e Y_XAUTH_RSA_ENABLE=yes
```

- Specify the credentials for the XAUTH PSK IKEv1 road warrior profile. Use these options with docker run:

```shell
-e Y_XAUTH_PSK_ENABLE=yes \
-e Y_XAUTH_PSK_REMOTE_ID=carol -e Y_XAUTH_PSK_SECRET=StrongSecret \
-e Y_XAUTH_PSK_USERNAME=carol -e Y_XAUTH_PSK_PASSWORD=StrongPassword
```
- Show credentials:

```shell
docker logs myipsec | grep "CRED_"
```

- Show the CA:

```shell
docker exec -it myipsec cat /etc/swanctl/x509ca/caCert.pem
```

- Copy the client p12 file from the container to your Documents folder:

```shell
docker cp myipsec:/etc/swanctl/pkcs12/clientCert.p12 ~/Documents/
```

- Show the strongSwan log:

```shell
docker exec -it myipsec swanctl --log
```

- Start the container automatically on system boot:

```shell
docker update --restart=unless-stopped myipsec
```

- Start the container automatically on system boot with custom host commands, for example to add routes:

```shell
cat > /etc/systemd/system/myipsec.service <<EOL
[Unit]
Description=ye3ipsec container
PartOf=docker.service
After=docker.service

[Service]
ExecStartPre=-/sbin/ip route del 10.1.0.0/16 via 10.2.192.254
ExecStartPre=-/sbin/ip -6 route del fd00::a01:101/112 via fd00::a02:c0fe
ExecStart=/usr/bin/docker start -a myipsec
ExecStop=/usr/bin/docker stop -t 2 myipsec
ExecStartPost=-/sbin/ip route add 10.1.0.0/16 via 10.2.192.254
ExecStartPost=-/sbin/ip -6 route add fd00::a01:101/112 via fd00::a02:c0fe

[Install]
WantedBy=multi-user.target
EOL
# reload
systemctl daemon-reload
# check presence
systemctl list-unit-files | grep -i myipsec
# enable
systemctl enable myipsec
# restart
systemctl restart myipsec
# status
systemctl status myipsec
```

  Use either Docker restart policies or a service unit, but not both.
## FAQ

- How can I run strongSwan without the configuration files provided by ye3ipsec?

```shell
docker run -dt --cap-add NET_ADMIN -e Y_IGNORE_CONFIG=yes --name myipsec palw3ey/ye3ipsec
```

  With `Y_IGNORE_CONFIG=yes` you only have strongSwan, without any custom configuration. You can find examples on the strongSwan website on how to create connections.
  If you are not comfortable with that, use `Y_IGNORE_CONFIG=no`, then use the environment variables, which automatically configure strongSwan with ready-made connection profiles. This is the purpose of the ye3ipsec container.
- With docker environment variables I can only create 1 site-to-site PSK profile, how do I add another site-to-site connection?

  You are not restricted to docker environment variables to customize the server: you can add new connections as you wish by simply adding a .conf file in the folder /etc/swanctl/conf.d/

  Take the example of a PSK site-to-site connection where:

  site X:
  - Server IP address: X.X.X.X
  - LAN IP addresses: 10.1.0.0/16,fd00::a01:101/112

  site Y:
  - Server IP address: Y.Y.Y.Y
  - LAN IP addresses: 10.2.0.0/16,fd00::a02:101/112

  Connect to the site X server, and create the file /etc/swanctl/conf.d/s2s_psk_siteY.conf:
```shell
cat > /etc/swanctl/conf.d/s2s_psk_siteY.conf <<EOL
connections {
    conn-s2s_psk_siteY {
        version = 2
        send_cert = ifasked
        encap = yes
        rekey_time = 86400s
        dpd_delay = 15s
        proposals = aes256-sha256-ecp256
        remote_addrs = Y.Y.Y.Y
        local {
            auth = psk
            certs = serverCert.pem
            id = X.X.X.X
        }
        remote {
            auth = psk
            id = Y.Y.Y.Y
        }
        children {
            child-s2s_psk_siteY {
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 10.2.0.0/16,fd00::a02:101/112
                start_action = trap
                esp_proposals = aes256-sha256
                rekey_time = 28800s
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-s2s_psk_siteY {
        secret = StrongSecret
        id-0 = X.X.X.X
        id-1 = Y.Y.Y.Y
    }
}
EOL
# reload strongSwan to apply
swanctl --load-all --noprompt
```
  Connect to the site Y server, and create the file /etc/swanctl/conf.d/s2s_psk_siteX.conf:
```shell
cat > /etc/swanctl/conf.d/s2s_psk_siteX.conf <<EOL
connections {
    conn-s2s_psk_siteX {
        version = 2
        send_cert = ifasked
        encap = yes
        rekey_time = 86400s
        dpd_delay = 15s
        proposals = aes256-sha256-ecp256
        remote_addrs = X.X.X.X
        local {
            auth = psk
            certs = serverCert.pem
            id = Y.Y.Y.Y
        }
        remote {
            auth = psk
            id = X.X.X.X
        }
        children {
            child-s2s_psk_siteX {
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 10.1.0.0/16,fd00::a01:101/112
                start_action = trap
                esp_proposals = aes256-sha256
                rekey_time = 28800s
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-s2s_psk_siteX {
        secret = StrongSecret
        id-0 = Y.Y.Y.Y
        id-1 = X.X.X.X
    }
}
EOL
# reload strongSwan to apply
swanctl --load-all --noprompt
```

  You can now ping the server Y LAN from server X; this automatically brings up the connection (start_action = trap). Or you can bring it up manually with this command from server X:

```shell
sudo swanctl --initiate --ike conn-s2s_psk_siteY
```
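
  Both files above are mirror images of each other, and a typo in one id, traffic selector or secret only shows up as a failed IKE_AUTH. The following added example (not part of ye3ipsec) renders both files from one set of parameters; the connection options are copied from the FAQ files, the addresses are constructed placeholders, and the `certs = serverCert.pem` line is left out because it plays no role with `auth = psk`:

```shell
#!/bin/sh
# Added example, not part of ye3ipsec: render both swanctl files of the PSK
# site-to-site pair from one set of parameters, so that ids, traffic
# selectors and the secret cannot drift between site X and site Y.
# Connection options are those of the FAQ files; certs= is omitted
# because it is not used with auth = psk.
set -eu

# gen_s2s_conf NAME LOCAL_ADDR REMOTE_ADDR REMOTE_TS SECRET
#   NAME        suffix for the conn/child/secret sections (e.g. siteY)
#   LOCAL_ADDR  this server's public address, used as the local IKE id
#   REMOTE_ADDR peer public address, used as remote_addrs and remote id
#   REMOTE_TS   peer LAN(s), comma separated, no spaces
#   SECRET      shared PSK, identical on both sites
gen_s2s_conf() {
    cat <<EOF
connections {
    conn-s2s_psk_$1 {
        version = 2
        send_cert = ifasked
        encap = yes
        rekey_time = 86400s
        dpd_delay = 15s
        proposals = aes256-sha256-ecp256
        remote_addrs = $3
        local {
            auth = psk
            id = $2
        }
        remote {
            auth = psk
            id = $3
        }
        children {
            child-s2s_psk_$1 {
                local_ts = 0.0.0.0/0,::/0
                remote_ts = $4
                start_action = trap
                esp_proposals = aes256-sha256
                rekey_time = 28800s
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-s2s_psk_$1 {
        secret = $5
        id-0 = $2
        id-1 = $3
    }
}
EOF
}

# write_site_pair DIR_X DIR_Y X_ADDR Y_ADDR X_LAN Y_LAN SECRET
# Writes s2s_psk_siteY.conf into DIR_X (install it on site X) and
# s2s_psk_siteX.conf into DIR_Y (install it on site Y); each file points
# at the other site's address and LAN, and both carry the same secret.
write_site_pair() {
    gen_s2s_conf siteY "$3" "$4" "$6" "$7" > "$1/s2s_psk_siteY.conf"
    gen_s2s_conf siteX "$4" "$3" "$5" "$7" > "$2/s2s_psk_siteX.conf"
}

# Usage with constructed (documentation range) addresses; copy each file to
# the matching site's /etc/swanctl/conf.d/ and run: swanctl --load-all --noprompt
# write_site_pair ./siteX ./siteY 203.0.113.10 198.51.100.20 \
#     10.1.0.0/16,fd00::a01:101/112 10.2.0.0/16,fd00::a02:101/112 StrongSecret
```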
- How do I update my running container to the latest ye3ipsec image without losing my container data?

  The folder /etc/swanctl is persistent, and won't be deleted by a docker rm. You can find its path on the host using this command:

```shell
docker inspect -f '{{ json .Mounts }}' myipsec | jq
```

  Now you can stop and delete the container, then update the image:

```shell
# Stop and delete the container
docker stop myipsec && docker rm myipsec
# Update the image
docker pull palw3ey/ye3ipsec
```

  You have 2 methods to mount the folder into your new container: bind or volume.

  Bind method:

```shell
# Run the container, adding this option
-v YOUR_HOST_OLD_SWANCTL_FOLDER_PATH:/etc/swanctl
```

  Volume method (I recommend this one):

```shell
# Create a volume named myipsec_volume
docker volume create myipsec_volume
# get its path
docker volume inspect myipsec_volume -f '{{ .Mountpoint }}'
# copy your host old /etc/swanctl content to myipsec_volume
sudo cp -a /var/lib/docker/volumes/XXXXXXXXXXXXXXXX/_data/. /var/lib/docker/volumes/myipsec_volume/_data/
# finally start your container, adding this option
--mount source=myipsec_volume,target=/etc/swanctl
```
To run through GNS3, download and import the appliance: ye3ipsec.gns3a

Drag and drop the device into the topology. Right click on the device and select "Edit config".
If you want a static configuration, uncomment the lines just below `# Static config for eth0`; otherwise uncomment the lines below `# DHCP config for eth0` for a DHCP configuration. Click "Save".
Add a link to connect the device to a switch or router. Finally, right click on the device and select "Start".
To see the output, right click "Console".
To type commands, right click "Auxiliary console".

These are the environment variables and their default values:

variables | format | default | description |
---|---|---|---|
Y_LANGUAGE | text | fr_FR | Language. The list is in the folder /i18n |
Y_DEBUG | yes/no | no | yes, to show charon messages |
Y_IGNORE_CONFIG | yes/no | no | yes, to not apply file changes in the /etc/swanctl folder. A good option if you use a custom /etc/swanctl folder mounted from outside |
Y_PORT_ESP | port number | 50 | esp port |
Y_PORT_AH | port number | 51 | ah port |
Y_PORT_IKE | port number | 500 | ike port |
Y_PORT_NAT | port number | 4500 | nat-t port |
Y_SERVER_CERT_CN | IP address or domain name | if not set, will attempt to detect and use the public ip address otherwise the first local ip address | CN value to use for the server certificate |
Y_SERVER_CERT_DN | text | "C=FR, ST=Ile-de-France, L=Paris, O=IPSec, OU=Example" | DN value to add to the server certificate |
Y_SERVER_CERT_DAYS | integer | 3650 | number of days before expiration, for CA and Server certificate |
Y_PROPOSALS_PHASE1 | cipher suite | "aes256-sha256-ecp256, aes256gcm16-sha384-prfsha384-ecp384, aes256-sha256-modp2048, aes256-sha256-modp1024, aes256-sha1-modp1024, 3des-sha1-modp1024, des-sha1-modp1024" | cipher suites to use for phase 1. Note that by default some weak ciphers are present in the list; you should narrow the list to strong ones, if supported by the client |
Y_PROPOSALS_PHASE2 | cipher suite | "aes256-sha256, aes256gcm16-ecp384, aes256-sha1, 3des-sha1, des-sha1" | cipher suites to use for phase 2. Note that by default some weak ciphers are present in the list; you should narrow the list to strong ones, if supported by the client |
Y_REKEY_PHASE1 | text | 86400s | rekey time for phase 1 |
Y_REKEY_PHASE2 | text | 28800s | rekey time for phase 2 |
Y_DPD_DELAY | text | 15s | delay for dead peer detection |
Y_DPD_ACTION | text | restart | action to take on dead peer detection timeout |
Y_LOCAL_SELFCERT | yes/no | yes | yes, to use self-signed certificates to identify the VPN server. If set to no, you need to provide 3 files: the CA /etc/swanctl/x509ca/chain.pem, the certificate /etc/swanctl/x509/cert.pem and the private key /etc/swanctl/private/privkey.pem (the same files provided by Let's Encrypt) |
Y_LOCAL_ID | text | if not set, will be equal to Y_SERVER_CERT_CN | IKE identity for the VPN server |
Y_LOCAL_SUBNET | text | "0.0.0.0/0, ::/0" | local traffic selectors |
Y_REMOTE_SUBNET | text | dynamic | remote traffic selectors |
Y_POOL_DHCP | yes/no | no | yes, to set the pool to dhcp and give clients an ip address from an external dhcp server. You need to specify the dhcp server. see Y_DHCP_SERVER |
Y_POOL_IPV6_ENABLE | yes/no | yes | yes, to give clients IPv6 address |
Y_POOL_IPV4 | IP Address, and mask | 192.168.1.1/24 | IPv4 address pool for the clients |
Y_POOL_IPV6 | IPv6 Address, and mask | fd00::c0a8:101/120 | IPv6 address pool for the clients |
Y_POOL_DNS4 | IP Address | "1.1.1.1, 8.8.8.8" | IPv4 DNS for the clients, primary and secondary, default are Cloudflare and Google |
Y_POOL_DNS6 | IPv6 Address | "2606:4700:4700::1111, 2001:4860:4860::8888" | IPv6 DNS for the clients, primary and secondary, default are Cloudflare and Google |
Y_FIREWALL_ENABLE | yes/no | no | yes, to enable the firewall settings |
Y_FIREWALL_INTERCLIENT | yes/no | yes | yes, to allow clients to talk to each other |
Y_FIREWALL_LAN | yes/no | yes | yes, to allow clients to communicate with LAN addresses : 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7 |
Y_FIREWALL_INTERNET | yes/no | yes | yes, to allow clients to communicate with the internet |
Y_CERT_ENABLE | yes/no | yes | yes, to activate the RA (remote access) IKEv2 Certificate profile |
Y_CERT_DAYS | integer | 365 | RA IKEv2 Certificate profile : How long to certify for |
Y_CERT_REMOTE_ID | text | | RA IKEv2 Certificate profile : remote identity |
Y_CERT_CN | text | (randomly generated, if not set) | RA IKEv2 Certificate profile : CN of the client certificate |
Y_CERT_PASSWORD | password | (randomly generated, if not set) | RA IKEv2 Certificate profile : password of the client p12 certificate file (/etc/swanctl/pkcs12/clientCert.p12) |
Y_EAP_ENABLE | yes/no | yes | yes, to activate the RA (remote access) IKEv2 EAP profile |
Y_EAP_REMOTE_AUTH | text | eap-mschapv2 | RA IKEv2 EAP profile : remote authentication method |
Y_EAP_REMOTE_EAP_ID | text | %any | RA IKEv2 EAP profile : remote eap identity |
Y_EAP_USERNAME | text | (randomly generated, if not set) | RA IKEv2 EAP profile : remote username |
Y_EAP_PASSWORD | password | (randomly generated, if not set) | RA IKEv2 EAP profile : remote password |
Y_EAP_USERS | text | | RA IKEv2 EAP profile : list of remote username:password pairs separated by a blank space, e.g. "emily:123789 elisabeth:987456" |
Y_PSK_ENABLE | yes/no | yes | yes, to activate the RA (remote access) IKEv2 PSK profile |
Y_PSK_LOCAL_ID | text | (randomly generated, if not set) | RA IKEv2 PSK profile : local identity |
Y_PSK_REMOTE_ID | text | (randomly generated, if not set) | RA IKEv2 PSK profile : remote identity |
Y_PSK_SECRET | password | (randomly generated, if not set) | RA IKEv2 PSK profile : shared secret |
Y_XAUTH_PSK_ENABLE | yes/no | no | yes, to activate the RA (remote access) IKEv1 XAUTH PSK profile |
Y_XAUTH_PSK_AGGRESSIVE | yes/no | yes | RA IKEv1 XAUTH PSK profile : yes, to enable aggressive mode. (use no, for main mode) |
Y_XAUTH_PSK_REMOTE_AUTH | text | xauth | RA IKEv1 XAUTH PSK profile : remote authentication method |
Y_XAUTH_PSK_LOCAL_ID | text | (randomly generated, if not set) | RA IKEv1 XAUTH PSK profile : local identity |
Y_XAUTH_PSK_REMOTE_ID | text | (randomly generated, if not set) | RA IKEv1 XAUTH PSK profile : remote identity |
Y_XAUTH_PSK_SECRET | password | (randomly generated, if not set) | RA IKEv1 XAUTH PSK profile : shared secret |
Y_XAUTH_PSK_USERNAME | text | (randomly generated, if not set) | RA IKEv1 XAUTH PSK profile : remote username |
Y_XAUTH_PSK_PASSWORD | password | (randomly generated, if not set) | RA IKEv1 XAUTH PSK profile : remote password |
Y_XAUTH_RSA_ENABLE | yes/no | no | yes, to activate the RA (remote access) IKEv1 XAUTH RSA profile. The client p12 certificate is the same generated by Y_CERT_DAYS, Y_CERT_CN and Y_CERT_PASSWORD : /etc/swanctl/pkcs12/clientCert.p12 |
Y_XAUTH_RSA_AGGRESSIVE | yes/no | no | RA IKEv1 XAUTH RSA profile : yes, to enable aggressive mode. (use no, for main mode) |
Y_XAUTH_RSA_REMOTE_AUTH | text | xauth | RA IKEv1 XAUTH RSA profile : remote authentication method |
Y_XAUTH_RSA_USERNAME | text | (randomly generated, if not set) | RA IKEv1 XAUTH RSA profile : remote username |
Y_XAUTH_RSA_PASSWORD | password | (randomly generated, if not set) | RA IKEv1 XAUTH RSA profile : remote password |
Y_S2S_PSK_ENABLE | yes/no | no | yes, to activate the S2S (site to site) IKEv2 PSK profile |
Y_S2S_PSK_LOCAL_ADDRS | IP address or domain | | S2S IKEv2 PSK profile : local address |
Y_S2S_PSK_REMOTE_ADDRS | IP address or domain | | S2S IKEv2 PSK profile : remote address |
Y_S2S_PSK_LOCAL_TS | IP Address, and mask | | S2S IKEv2 PSK profile : local traffic selectors |
Y_S2S_PSK_REMOTE_TS | IP Address, and mask | | S2S IKEv2 PSK profile : remote traffic selectors |
Y_S2S_PSK_START_ACTION | text | trap | S2S IKEv2 PSK profile : start action |
Y_S2S_PSK_LOCAL_ID | text | (randomly generated, if not set) | S2S IKEv2 PSK profile : local identity |
Y_S2S_PSK_REMOTE_ID | text | (randomly generated, if not set) | S2S IKEv2 PSK profile : remote identity |
Y_S2S_PSK_SECRET | password | (randomly generated, if not set) | S2S IKEv2 PSK profile : shared secret |
Y_S2S_RSA_ENABLE | yes/no | no | yes, to activate the S2S (site to site) IKEv2 RSA profile |
Y_S2S_RSA_LOCAL_ADDRS | IP address or domain | | S2S IKEv2 RSA profile : local address |
Y_S2S_RSA_REMOTE_ADDRS | IP address or domain | | S2S IKEv2 RSA profile : remote address |
Y_S2S_RSA_LOCAL_CERTS | file path | | S2S IKEv2 RSA profile : local certificate. Y_S2S_RSA_LOCAL_ID must also be set, otherwise this value is ignored and the server self-signed certificate is used by default. |
Y_S2S_RSA_LOCAL_ID | text | | S2S IKEv2 RSA profile : local identity. Y_S2S_RSA_LOCAL_CERTS must also be set, otherwise this value is ignored and the server self-signed id is used by default. |
Y_S2S_RSA_REMOTE_CERTS | file path | | S2S IKEv2 RSA profile : remote certificate |
Y_S2S_RSA_REMOTE_ID | text | | S2S IKEv2 RSA profile : remote identity |
Y_S2S_RSA_LOCAL_TS | IP address, with mask | | S2S IKEv2 RSA profile : local traffic selectors |
Y_S2S_RSA_REMOTE_TS | IP address, with mask | | S2S IKEv2 RSA profile : remote traffic selectors |
Y_S2S_RSA_START_ACTION | text | trap | S2S IKEv2 RSA profile : start action |
Y_REVOCATION_LOAD | yes/no | yes | yes, to activate revocation plugin |
Y_REVOCATION_ENABLE_CRL | yes/no | yes | REVOCATION : yes, to enable crl |
Y_REVOCATION_ENABLE_OCSP | yes/no | yes | REVOCATION : yes, to enable ocsp |
Y_RADIUS_LOAD | yes/no | no | yes, to activate radius plugin |
Y_RADIUS_CLASS_GROUP | yes/no | no | RADIUS : yes, to enable class group |
Y_RADIUS_ACCOUNTING | yes/no | no | RADIUS : yes, to enable radius accounting |
Y_RADIUS_ADDRESS | IP address | 127.0.0.1 | RADIUS : IP address of the radius server |
Y_RADIUS_SECRET | text | testing123 | RADIUS : secret password to connect to the radius server |
Y_RADIUS_AUTH_PORT | port number | 1812 | RADIUS : authentication port |
Y_RADIUS_ACCT_PORT | port number | 1813 | RADIUS : accounting port |
Y_RADIUS_DAE_ENABLE | yes/no | no | RADIUS : yes, to enable DAE (Dynamic Authorization Extensions), needed if you use CoA (Change-of-Authorization) |
Y_RADIUS_DAE_LISTEN | IP address | 0.0.0.0 | DAE : IP address to listen for requests |
Y_RADIUS_DAE_PORT | port number | 3799 | DAE : Port to listen for requests |
Y_RADIUS_DAE_SECRET | password | testing123 | DAE : shared secret |
Y_DHCP_FORCE_SERVER_ADDRESS | yes/no | no | DHCP : yes, to enable force server address |
Y_DCHP_IDENTITY_LEASE | yes/no | no | DHCP : yes, to enable identity lease |
Y_DHCP_SERVER | IP address | 255.255.255.255 | DHCP : IP address of the dhcp server |
Y_FARP_LOAD | yes/no | yes | yes, to activate farp plugin |
Y_FORECAST_LOAD | yes/no | yes | yes, to activate forecast plugin |
Y_BYPASSLAN_LOAD | yes/no | no | yes, to activate bypasslan plugin |
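
The Y_PROPOSALS_PHASE1 and Y_PROPOSALS_PHASE2 rows above warn that the defaults still include DES, 3DES, SHA-1 and MODP-1024. The following added example (not part of ye3ipsec) takes those table defaults, drops every proposal containing such a primitive, and prints the two docker run options to set; the list of tokens treated as weak is this example's own choice:

```shell
#!/bin/sh
# Added example, not part of ye3ipsec: derive hardened values for
# Y_PROPOSALS_PHASE1 / Y_PROPOSALS_PHASE2 from the table defaults by
# dropping every proposal that contains a weak primitive.
set -eu

# Defaults copied from the environment variables table.
DEFAULT_PHASE1='aes256-sha256-ecp256, aes256gcm16-sha384-prfsha384-ecp384, aes256-sha256-modp2048, aes256-sha256-modp1024, aes256-sha1-modp1024, 3des-sha1-modp1024, des-sha1-modp1024'
DEFAULT_PHASE2='aes256-sha256, aes256gcm16-ecp384, aes256-sha1, 3des-sha1, des-sha1'

# Tokens that disqualify a proposal (this example's choice): DES and 3DES,
# SHA-1 as integrity or PRF, and the 1024-bit MODP group.
WEAK_TOKENS='des 3des sha1 prfsha1 modp1024'

# is_weak PROPOSAL -> returns 0 if any "-" separated token is in WEAK_TOKENS
is_weak() {
    for tok in $(printf '%s' "$1" | tr '-' ' '); do
        for w in $WEAK_TOKENS; do
            [ "$tok" = "$w" ] && return 0
        done
    done
    return 1
}

# harden_proposals "a, b, c" -> prints the kept proposals, comma separated,
# in the same "a, b" format the Y_PROPOSALS_* variables use; dropped
# proposals are reported on stderr.
harden_proposals() {
    out=''
    oldifs=$IFS
    IFS=,
    set -- $1                 # split the list on commas
    IFS=$oldifs
    for p in "$@"; do
        p=$(printf '%s' "$p" | sed 's/^ *//; s/ *$//')   # trim blanks
        [ -n "$p" ] || continue
        if is_weak "$p"; then
            printf 'dropped weak proposal: %s\n' "$p" >&2
        else
            out="${out:+$out, }$p"
        fi
    done
    printf '%s\n' "$out"
}

# docker_proposal_opts -> prints the two -e options to add to docker run
docker_proposal_opts() {
    p1=$(harden_proposals "$DEFAULT_PHASE1" 2>/dev/null)
    p2=$(harden_proposals "$DEFAULT_PHASE2" 2>/dev/null)
    printf '%s\n' "-e Y_PROPOSALS_PHASE1=\"$p1\" -e Y_PROPOSALS_PHASE2=\"$p2\""
}

docker_proposal_opts
```

Keep the narrowed list only after checking that every client you support still negotiates one of the remaining suites, as the table notes.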
The docker image was compiled to work on these CPU architectures:
- linux/386
- linux/amd64
- linux/arm/v6
- linux/arm/v7
- linux/arm64
- linux/ppc64le
- linux/s390x

It works on most computers, including Raspberry Pi.
To customize and create your own image:

```shell
git clone https://github.com/palw3ey/ye3ipsec.git
cd ye3ipsec
# Make all your modifications, then:
docker build --no-cache --network=host -t ye3ipsec .
docker run -dt --name my_customized_ipsec ye3ipsec
```
name | version |
---|---|
ye3ipsec | 1.0.2 |
strongswan | 5.9.13 |
alpine | 3.18.4 |
## Changelog

- When Y_SERVER_CERT_CN is not set, entrypoint.sh auto-detects an IP address. But the IP address validation used a bash syntax, which caused this error: "unknown operand". The fix now uses POSIX syntax.
- Improvement in the auto-detection of the IP address for Y_SERVER_CERT_CN: if an external IP is not found, the default route interface IP is used if it exists, before falling back to the last choice, the first IP returned by the command `hostname -i`
- A FAQ in README.md
- To reduce verbosity, the f_log function shows the timestamp and container name only if Y_DEBUG is set to yes.
- New env variable: Y_EAP_USERS, to add multiple usernames and passwords to the RA IKEv2 EAP profile
- A Changelog in README.md, using this syntax: keepachangelog.com
- First release
- Need to document env variables (2024-01-20)
- Add more translation files in the i18n folder. Contribute! Send me your translations by mail ;)

Don't hesitate to send me your contributions, issues and improvements on GitHub or by mail.
MIT
author: palw3ey
maintainer: palw3ey
email: palw3ey@gmail.com
website: https://github.com/palw3ey/ye3ipsec
docker hub: https://hub.docker.com/r/palw3ey/ye3ipsec