| 1 | +# Strongswan on Docker |
| 2 | + |
| 3 | +Base docker image to run a Strongswan IPsec and a XL2TPD server. |
| 4 | + |
| 5 | +## Usage |
| 6 | + |
| 7 | +Run the following to start the container: |
| 8 | + |
| 9 | +``` |
| 10 | +docker run -d -p 500:500/udp -p 4500:4500/udp -p 1701:1701/udp --privileged philplckthun/strongswan |
| 11 | +``` |
| 12 | + |
| 13 | +If you haven't set any login credentials via configuration files or environment variables, then a new random password will be set. To get it, read the logs of the running container: |
| 14 | + |
| 15 | +``` |
| 16 | +docker logs <CONTAINER> |
| 17 | +``` |
| 18 | + |
| 19 | +Search for this line in the output at the top: |
| 20 | + |
| 21 | +``` |
| 22 | +No VPN_PASSWORD set! Generated a random password: mrXEv2S3F |
| 23 | +No VPN_PSK set! Generated a random PSK key: NZESSabnC |
| 24 | +``` |
| 25 | + |
| 26 | +Here, the user hasn't set a PSK secret and password. |
| 27 | + |
| 28 | +## Environment variables |
| 29 | + |
| 30 | +By default a single account is added for EAP and XAuth login. |
| 31 | + |
| 32 | +Its password is specified by the `VPN_PASSWORD` environment variable, and its username is specified by the `VPN_USER` variable. |
| 33 | + |
| 34 | +`VPN_USER` defaults to `user` and `VPN_PASSWORD` is randomised if not changed. |
| 35 | + |
| 36 | +The PSK (pre-shared key) is specified in the `VPN_PSK` environment variable, and is randomised as well. |
| 37 | + |
| 38 | +You can inject these variables through `docker run`: |
| 39 | + |
| 40 | +``` |
| 41 | +docker run ... -e VPN_USER=dave VPN_PASSWORD=dave-is-awesome ... |
| 42 | +``` |
| 43 | + |
| 44 | +## Volume / Configuration files |
| 45 | + |
| 46 | +There is a single volume that is mounted at `/etc/ipsec.d`. Through it you can add a lot of Strongswan configuration. Additionally you can overwrite: |
| 47 | + |
| 48 | +* /etc/ppp/l2tp-secrets |
| 49 | +* /etc/ipsec.secrets |
| 50 | +* /etc/ipsec.conf |
| 51 | +* /etc/strongswan.conf |
| 52 | +* /etc/xl2tpd.conf |
| 53 | + |
| 54 | +with it, by putting your configuration files in that volume folder as well. They will be copied to the correct locations. |
| 55 | + |
| 56 | +## Services running |
| 57 | + |
| 58 | +There are two services running: *Strongswan* and addtionally *XL2TPD* for IPSec/L2TP support. |
| 59 | + |
| 60 | +The default IPSec configuration supports: |
| 61 | + |
| 62 | +* IKEv2 with EAP Authentication (Though a certificate has to be added for that to work) |
| 63 | +* IKEv2 with PSK |
| 64 | +* IKEv1 with PSK and XAuth (Cisco IPSec) |
| 65 | +* IPSec/L2TP with PSK |
| 66 | + |
| 67 | +The ports that are exposed for this container to work are: |
| 68 | + |
| 69 | +* 4500/udp and 500/udp for IPSec |
| 70 | +* 1701/udp for L2TP |