strongSwan搭建点到点ipsecvpn

参考链接:
https://cloud.tencent.com/developer/article/1505715
https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/
https://www.cnblogs.com/edeny/p/13253965.html

serverA:

# create a veth pair; net_10 will carry the "private" test subnet (the peer end
# gets an automatic name, and new links start in the DOWN state - there is no
# `ip link set net_10 up` in this transcript)
ip link add net_10 type veth 
ip a a 192.168.11.1/24 dev net_10
# NOTE(review): 192.168.11.0/24 is the subnet just assigned to net_10 and
# 172.17.10.47 is this host's own address (it is leftid in the ipsec.conf
# below), so this looks like a workaround for the interface being down.
# strongSwan's kernel plugin normally installs the routes a tunnel needs
# (routing table 220) - confirm this static route is actually required.
route add -net 192.168.11.0/24 gw 172.17.10.47
yum install strongswan
# add the sysctl settings listed below, then apply them with `sysctl -p`
 vim /etc/sysctl.conf
#配置转发,默认是0,必须配置
net.ipv4.ip_forward = 1
#关闭重定向,防止恶意用户可以使用IP重定向来修改远程主机中的路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

ServerB

# create a veth pair; net_10 will carry serverB's "private" test subnet (new
# links start in the DOWN state - there is no `ip link set net_10 up` in this
# transcript)
ip link add net_10 type veth 
ip a a 192.168.10.1/24 dev net_10
# NOTE(review): 192.168.11.0/24 is the remote (serverA) subnet, but the gateway
# given is this host's own address (leftid in the ipsec.conf below). strongSwan's
# kernel plugin normally installs the route to rightsubnet itself (routing
# table 220) - confirm this static route is actually needed.
route add -net 192.168.11.0/24 gw 172.17.10.51
yum install strongswan
# add the sysctl settings listed below, then apply them with `sysctl -p`
vim /etc/sysctl.conf
#配置转发,默认是0,必须配置
net.ipv4.ip_forward = 1
#关闭重定向,防止恶意用户可以使用IP重定向来修改远程主机中的路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

serverA:

[root@localhost ~]# cat /etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        # full debug output from charon; useful while bringing the tunnel up,
        # reduce it afterwards so routine logs stay readable
        charondebug="all"

# defaults inherited by every conn below
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=0
        keyexchange=ikev1   # IKE version (IKEv1 on both peers in this guide)
        # PSK authentication; the secret lives in ipsec.secrets. The "123456"
        # used in this guide is a lab placeholder - use a long random PSK in
        # a real deployment.
        authby=secret

# site-to-site tunnel to serverB
conn toshanghai
      left=%defaultroute
      leftid=172.17.10.47    # public IP of the local VPN gateway
      leftsubnet=192.168.11.0/24    # local private network; to reach the whole VPC, add the full VPC range
      right=172.17.10.51 # public IP of the remote VPN gateway
      rightsubnet=192.168.10.0/24     # remote private network
      auto=start   # establish the IPsec connection as soon as the daemon starts
      type=tunnel
      # NOTE(review): 3DES, MD5 and modp1024 (DH group 2) are legacy algorithms,
      # apparently chosen to match the peer; where both ends allow it, prefer
      # AES/SHA-2 with a 2048-bit or larger group (e.g. aes256-sha256-modp2048)
      # on both sides. With no DH group in esp=, the ESP SA is rekeyed without PFS.
      ike=3des-md5-modp1024
      esp=3des-md5
[root@localhost ~]# cat /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
172.17.10.47 172.17.10.51 : PSK "123456"

serverB:

[root@localhost private]# cat /etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        # full debug output from charon; useful while bringing the tunnel up,
        # reduce it afterwards so routine logs stay readable
        charondebug="all"
 
# defaults inherited by every conn below
conn %default
        ikelifetime=1440m   
        keylife=60m
        rekeymargin=3m
        keyingtries=0
        keyexchange=ikev1   # IKE version (IKEv1 on both peers in this guide)
        # PSK authentication; the secret lives in ipsec.secrets. The "123456"
        # used in this guide is a lab placeholder - use a long random PSK in
        # a real deployment.
        authby=secret
 
# site-to-site tunnel to serverA (mirror image of serverA's conn)
conn toshanghai
      left=%defaultroute
      leftid=172.17.10.51    # public IP of the local VPN gateway
      leftsubnet=192.168.10.0/24    # local private network; to reach the whole VPC, add the full VPC range
      right=172.17.10.47 # public IP of the remote VPN gateway
      rightsubnet=192.168.11.0/24     # remote private network
      auto=start   # establish the IPsec connection as soon as the daemon starts
      type=tunnel
      # NOTE(review): 3DES, MD5 and modp1024 (DH group 2) are legacy algorithms,
      # apparently chosen to match the peer; where both ends allow it, prefer
      # AES/SHA-2 with a 2048-bit or larger group (e.g. aes256-sha256-modp2048)
      # on both sides. With no DH group in esp=, the ESP SA is rekeyed without PFS.
      ike=3des-md5-modp1024
      esp=3des-md5
[root@localhost private]# cat /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
172.17.10.51 172.17.10.47 : PSK "123456"

与华为防火墙对接

防火墙配置:
备注:这里我放通的是所有策略,实际环境中注意放行策略

#
acl number 3001
 rule 5 permit ip source 192.168.12.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
#
ipsec proposal prop79153254180
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des
 dh group2
 authentication-algorithm md5
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer ike79153254180
 pre-shared-key %^%#i3!5RSQCq4|BzE2k\9S;-1`F.#+c:9Y4Y5Gib12G%^%#
 ike-proposal 1
 remote-id-type none
 remote-address 172.17.10.47
#
ipsec policy ipsec7915325346 1 isakmp     
 security acl 3001
 ike-peer ike79153254180
 proposal prop79153254180
 tunnel local applied-interface
 alias map1-10
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600
#
interface GigabitEthernet0/0/0
 undo shutdown                            
 ip address 172.17.10.58 255.255.255.192
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 ipsec policy ipsec7915325346

ServerA配置

[root@localhost ~]# cat /etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        # full debug output from charon; useful while bringing the tunnels up,
        # reduce it afterwards so routine logs stay readable
        charondebug="all"

# defaults inherited by every conn below
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=0
        keyexchange=ikev1   # IKE version (IKEv1; the Huawei side uses an isakmp policy)
        # PSK authentication; the secrets live in ipsec.secrets. The "123456"
        # used in this guide is a lab placeholder - use a long random PSK in
        # a real deployment.
        authby=secret

# site-to-site tunnel to serverB
conn toshanghai
      left=%defaultroute
      leftid=172.17.10.47    # public IP of the local VPN gateway
      leftsubnet=192.168.11.0/24    # local private network; to reach the whole VPC, add the full VPC range
      right=172.17.10.51 # public IP of the remote VPN gateway
      rightsubnet=192.168.10.0/24     # remote private network
      auto=start   # establish the IPsec connection as soon as the daemon starts
      type=tunnel
      # NOTE(review): 3DES, MD5 and modp1024 (DH group 2) are legacy algorithms,
      # apparently chosen to match the peers; where both ends allow it, prefer
      # AES/SHA-2 with a 2048-bit or larger group (e.g. aes256-sha256-modp2048)
      # on both sides. With no DH group in esp=, the ESP SA is rekeyed without PFS.
      ike=3des-md5-modp1024
      esp=3des-md5

# site-to-site tunnel to the Huawei firewall (GigabitEthernet0/0/0, 172.17.10.58)
conn huawei
      left=%defaultroute
      leftid=172.17.10.47    # public IP of the local VPN gateway; the firewall's ike peer uses this as remote-address
      leftsubnet=192.168.11.0/24    # local private network; must match the destination side of the firewall's acl 3001
      right=172.17.10.58 # public IP of the remote VPN gateway (the firewall)
      rightsubnet=192.168.12.0/24     # remote private network; the source side of acl 3001
      auto=start   # establish the IPsec connection as soon as the daemon starts
      type=tunnel
      # same legacy suite as above, matching the firewall's "ike proposal 1"
      # (3des / md5 / dh group2) and its ipsec proposal (esp 3des / md5)
      ike=3des-md5-modp1024
      esp=3des-md5