Setting up an IPsec VPN environment with StrongSwan

StrongSwan evolution

1. Before strongswan 5

  • pluto: IKEv1
  • charon: IKEv2
  • starter: launches charon
  • configuration: ipsec.conf, ipsec.secrets

2. strongswan 5

  • charon: IKEv1/IKEv2
  • starter: launches charon
  • configuration: ipsec.conf, ipsec.secrets
  • deprecated: pluto

3. strongswan 5.9 and later

  • charon
  • swanctl
  • configuration: swanctl.conf
  • deprecated: starter, ipsec.conf, ipsec.secrets

Installation

ubuntu

$ apt-get update
$ apt-get upgrade
$ apt-get install strongswan

centos

$ yum install epel-release
$ yum clean all
$ yum makecache
$ yum install strongswan -y

alpine

$ apk add strongswan

Configuration

  • Configuration directory: /etc/strongswan/ (the CentOS package layout; the Alpine example below keeps ipsec.conf and ipsec.secrets directly under /etc/)

Debugging commands

  • Show connection status: swanctl -l
  • Follow the negotiation log: tailf /var/log/messages (newer util-linux releases no longer ship tailf; tail -f /var/log/messages is the equivalent)

Usage example

1. Alpine configuration

Tunnel configuration: /etc/ipsec.conf

conn psk181
    # pre-shared key authentication; the key itself lives in ipsec.secrets
    authby=psk
    keyexchange=ikev1
    # left = this gateway and its network, right = the CentOS peer
    left=100.100.1.182
    leftsubnet=10.1.0.0/16
    right=100.100.2.181
    rightsubnet=10.2.0.0/16
    # IKE_SA and CHILD_SA proposals; the DH group in esp= enables PFS
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    # bring the tunnel up as soon as the daemon starts
    auto=start

Authentication configuration: /etc/ipsec.secrets

100.100.1.182 100.100.2.181 : PSK "123456"

Configure addresses and the firewall

# Routes, firewall rules, etc.
$ ip r add 100.100.0.0/16 via 100.100.1.254    # reach the peer's address range via the local gateway

# IKE (500) and NAT-T/UDP-encapsulated ESP (4500); the status output below shows
# TUNNEL-in-UDP, so no separate rule for ESP (IP protocol 50) is needed here
$ iptables -A INPUT -p udp --dport 500 -j ACCEPT
$ iptables -A INPUT -p udp --dport 4500 -j ACCEPT

$ ip a add 10.1.1.1/24 dev eth1    # an address inside leftsubnet for testing

$ # restart strongswan
$ rc-service strongswan restart

View tunnel information

localhost:~# swanctl -l
psk181: #1, ESTABLISHED, IKEv1, 3e9725e73e1c4daa_i* 2b693ac50175a0c9_r
  local  '100.100.1.182' @ 100.100.1.182[4500]
  remote '100.100.2.181' @ 100.100.2.181[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 507s ago, reauth in 9557s
  psk181: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 507s ago, rekeying in 2183s, expires in 3093s
    in  c03ce698,      0 bytes,     0 packets
    out cab5f66d,      0 bytes,     0 packets
    local  10.1.0.0/16
    remote 10.2.0.0/16

2. CentOS configuration

Tunnel configuration: /etc/strongswan/swanctl/conf.d/pks182.conf

connections {
    psk182 {
        version = 1                      # IKEv1, matching keyexchange=ikev1 on the Alpine side
        local_addrs = 100.100.2.181
        remote_addrs = 100.100.1.182

        local {
            auth = psk
            id = 100.100.2.181
        }

        remote {
            auth = psk
            id = 100.100.1.182
        }

        proposals = aes256-sha256-modp2048

        children {
            child_sa {                   # a single CHILD_SA, named "child_sa"
                local_ts = 10.2.0.0/16   # local traffic selector
                remote_ts = 10.1.0.0/16  # remote traffic selector
                mode = tunnel            # tunnel mode (the default), not transport mode
                esp_proposals = aes256-sha256-modp2048
            }
        }
    }
}

secrets {
    psk {                                # the swanctl.conf reference names IKE pre-shared-key sections ike<suffix> (e.g. ike-psk182)
        id = "100.100.2.181"
        secret = "123456"
    }
}

Configure addresses and the firewall

# Routes, firewall rules, etc.
$ iptables -A INPUT -p udp --dport 500 -j ACCEPT
$ iptables -A INPUT -p udp --dport 4500 -j ACCEPT
$ ip a add 10.2.2.2/24 dev ens19    # an address inside local_ts for testing

$ echo 1 > /proc/sys/net/ipv4/ip_forward    # not persistent across reboots
$ systemctl stop firewalld.service
$ systemctl disable firewalld.service
$ # temporarily switch SELinux to permissive mode
$ setenforce 0
$ setenforce Permissive    # same effect as the previous line

$ # restart strongswan
$ systemctl restart strongswan

View tunnel status

[root@localhost ~]# swanctl -l
psk182: #1, ESTABLISHED, IKEv1, 3e9725e73e1c4daa_i 2b693ac50175a0c9_r*
  local  '100.100.2.181' @ 100.100.2.181[4500]
  remote '100.100.1.182' @ 100.100.1.182[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 471s ago, rekeying in 12839s
  child_sa: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 471s ago, rekeying in 2795s, expires in 3489s
    in  cab5f66d,      0 bytes,     0 packets
    out c03ce698,      0 bytes,     0 packets
    local  10.2.0.0/16
    remote 10.1.0.0/16
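The check a practitioner would run against the two swanctl -l listings above (Alpine and CentOS), added here as an example that is not from this post or from strongSwan: parse the listing and report every IKE_SA or CHILD_SA whose state, negotiated suite, traffic selectors or mode differ from what the two configurations ask for. The sample listing and the POLICY dict are constructed for this page, and the names parse_swanctl_list and audit are mine.

```python
import re
# Constructed sample (abridged): the Alpine side's "swanctl -l" output shown on this page.
SWANCTL_L = """\
psk181: #1, ESTABLISHED, IKEv1, 3e9725e73e1c4daa_i* 2b693ac50175a0c9_r
  local  '100.100.1.182' @ 100.100.1.182[4500]
  remote '100.100.2.181' @ 100.100.2.181[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 507s ago, reauth in 9557s
  psk181: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    local  10.1.0.0/16
    remote 10.2.0.0/16
"""
POLICY = {  # assumed site policy, not a strongSwan default: what both configs on this page ask for
    "ike": {"state": "ESTABLISHED", "version": "IKEv1",
            "proposal": "AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"},
    "child": {"state": "INSTALLED", "proposal": "AES_CBC-256/HMAC_SHA2_256_128/MODP_2048",
              "local": {"10.1.0.0/16"}, "remote": {"10.2.0.0/16"}}}
IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), (IKEv[12]),")
CHILD_RE = re.compile(r"^(\S+): #\d+, reqid \d+, (\w+), (\S+), ESP:(\S+)")
TS_RE = re.compile(r"^(local|remote)\s+([^'@]+)$")  # child selectors; IKE endpoint lines contain ' @ '

def parse_swanctl_list(text):
    """Return {ike_name: {state, version, proposal, children: [...]}} parsed from swanctl -l output."""
    sas, ike = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IKE_RE.match(line):                                 # IKE_SA header line
            ike = sas.setdefault(m[1], {"state": m[2], "version": m[3], "children": []})
        elif ike and (m := CHILD_RE.match(line)):                   # CHILD_SA header line
            ike["children"].append({"name": m[1], "state": m[2], "mode": m[3],
                                    "proposal": m[4], "local": set(), "remote": set()})
        elif ike and ike["children"] and (m := TS_RE.match(line)):  # selectors of the last child
            ike["children"][-1][m[1]].update(m[2].split())
        elif ike and "/" in line and " " not in line:               # bare IKE proposal line
            ike["proposal"] = line
    return sas

def audit(sas, policy=POLICY):
    """List deviations from policy; an empty list means every SA is up with the expected suite."""
    def diff(tag, got, want):
        return [f"{tag}: {k} is {got.get(k)}, expected {v}" for k, v in want.items() if got.get(k) != v]
    out = []
    for name, ike in sas.items():
        out += diff(name, ike, policy["ike"])
        out += [f"{name}: no CHILD_SA installed"] if not ike["children"] else []
        for ch in ike["children"]:
            out += diff(ch["name"], ch, policy["child"])
            if not ch["mode"].startswith("TUNNEL"):  # both ends on this page configure tunnel mode
                out.append(f"{ch['name']}: mode is {ch['mode']}, expected TUNNEL")
    return out
```

Feed it the real listing with parse_swanctl_list(subprocess.run(["swanctl", "-l"], capture_output=True, text=True).stdout); a non-empty audit() result is what a monitoring check should alert on.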
