The previous article touched on strongSwan configuration a little.
This article continues with strongSwan.
strongSwan accepts domain names for left and right, which is what makes dynamic-IP support possible. The previous article used type=transport to forward a UDP port and build L2TPv3 on top of it; if you have no need for an L2 network, type=tunnel gives you L3 forwarding directly.
Network topology:
In the diagram, the routers lan-router1 and lan-router2 both reach the Internet over PPPoE, and the names lan-router1.router and lan-router2.router are kept pointed at the address of each router's pppoe0 interface by DDNS. server1 reaches the Internet through lan-router1 and server2 through lan-router2.
Below, a site-to-site IPsec VPN is built between server1 and lan-router2, joining the two LANs 192.168.1.0/24 and 10.0.0.0/24.
Reminder: for a site-to-site IPsec VPN with strongSwan, at least one end must have UDP ports 500 and 4500 reachable from the Internet.
1. Configuring strongSwan
Installing strongSwan is not covered here.
In the IPsec configuration, left is the local side and right is the remote side.
1.1 Configuration on server1
Edit /etc/ipsec.conf and append:
conn peer-server2-tunnel-1
    # local side: accept on any address; remote side: lan-router2's DDNS name
    left=0.0.0.0
    leftid="@server1-id"
    right=lan-router2.router
    rightid="@lan-router2-id"
    # the two LANs joined by the tunnel
    leftsubnet=192.168.1.0/24
    rightsubnet=10.0.0.0/24
    ike=aes128-sha1-modp2048!
    keyexchange=ikev2
    reauth=no
    ikelifetime=28800s
    # dead peer detection: probe every 30s, rebuild the tunnel after 120s of silence
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    esp=aes128-sha1-modp2048!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    # install a trap policy: traffic for rightsubnet triggers the negotiation
    auto=route
    keyingtries=%forever
Here left=0.0.0.0 means the connection is accepted on any local address, and right is lan-router2's DDNS name, lan-router2.router.
leftsubnet and rightsubnet define server1's LAN and the LAN behind lan-router2 (the one server2 sits in); traffic between those two subnets goes through the site-to-site IPsec VPN. Both accept several subnets, separated by commas.
On server1 auto is route: when the kernel sees traffic destined for rightsubnet, strongSwan automatically starts the negotiation and brings up the site-to-site IPsec VPN.
Do not omit leftid/rightid, and remember the leading @: it marks the string as an FQDN identity and stops strongSwan from resolving it to an IP address.
The remaining parameters amount to: AES-128 for encryption, SHA-1 for integrity (sha1 here is the HMAC integrity/PRF algorithm, not a signature; sha256 is the usual choice today), IKEv2 for the key exchange, a DPD probe every 30 seconds (especially important behind NAT), and if the probes go unanswered for 120 seconds the connection is torn down and rebuilt (dpdaction=restart).
Edit /etc/ipsec.secrets and append (pre-shared-key is the password; replace it with a value of your own):
0.0.0.0 lan-router2.router @server1-id @lan-router2-id : PSK "pre-shared-key"
The format of ipsec.secrets, also mentioned in the previous article, is the following; strongSwan selects the PSK when the peer matches any of the listed addresses or IDs:
left_ip right_ip left_id right_id : PSK "pre-shared-key"
1.2 Configuration on lan-router2
lan-router2 must have UDP ports 500 and 4500 open on pppoe0.
Edit /etc/ipsec.conf and append:
conn peer-lan-router1.router-tunnel-1
    left=0.0.0.0
    leftid="@lan-router2-id"
    right=lan-router1.router
    rightid="@server1-id"
    leftsubnet=10.0.0.0/24
    rightsubnet=192.168.1.0/24
    ike=aes128-sha1-modp2048!
    keyexchange=ikev2
    reauth=no
    ikelifetime=28800s
    dpddelay=30s
    dpdtimeout=120s
    # responder only: on DPD timeout just drop the SA, server1 will reconnect
    dpdaction=clear
    esp=aes128-sha1-modp2048!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    # load the conn at startup and wait for server1 to initiate
    auto=add
    keyingtries=%forever
This is essentially server1's configuration with left and right swapped.
Here right is the name lan-router1.router, which resolves to the address of lan-router1's pppoe0 interface.
auto is add and dpdaction is clear on this side because server1 is behind NAT and lan-router2 cannot initiate a negotiation towards it: strongSwan only loads this conn at startup and does nothing else, and when the DPD probes time out it simply clears the SA instead of trying to rebuild the connection.
Edit /etc/ipsec.secrets and append (pre-shared-key is the password; replace it with a value of your own):
0.0.0.0 lan-router1.router @lan-router2-id @server1-id : PSK "pre-shared-key"
1.3 Restart strongSwan and initiate the negotiation
Restart strongSwan on server1 and lan-router2 so that the new conn sections and secrets are loaded (with the legacy ipsec starter used throughout this article that is ipsec restart).
Only server1 can initiate the negotiation, for the reasons given in the previous article and at the start of this one:
root@server1:~# ipsec status
Routed Connections:
peer-server2-tunnel-1{1}:  ROUTED, TUNNEL, reqid 1
peer-server2-tunnel-1{1}:   192.168.1.0/24 === 10.0.0.0/24
Security Associations (0 up, 0 connecting):
  none
root@server1:~# ipsec up peer-server2-tunnel-1
initiating IKE_SA peer-server2-tunnel-1[6] to 5.3.2.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.2[500] to 5.3.2.1[500] (464 bytes)
received packet: from 5.3.2.1[500] to 192.168.1.2[500] (462 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
authentication of 'server1-id' (myself) with pre-shared key
establishing CHILD_SA peer-server2-tunnel-1
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.2[4500] to 5.3.2.1[4500] (364 bytes)
received packet: from 5.3.2.1[4500] to 192.168.1.2[4500] (316 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'lan-router2-id' with pre-shared key successful
IKE_SA peer-server2-tunnel-1[6] established between 192.168.1.2[server1-id]...5.3.2.1[lan-router2-id]
scheduling rekeying in 28010s
maximum IKE_SA lifetime 28550s
received netlink error: Network is unreachable (101)
unable to install source route for 192.168.1.6
CHILD_SA peer-server2-tunnel-1{2} established with SPIs cc4adf80_i c367b3b2_o and TS 192.168.1.0/24 === 10.0.0.0/24
peer supports MOBIKE
connection 'peer-server2-tunnel-1' established successfully
root@server1:~# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=202 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=207 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=207 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=202 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=201 ms
^C
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 201.606/204.301/207.931/2.942 ms
If ipsec up reports "established successfully" but ping gets no reply, see section 2.3 (firewall configuration) below.
Test from lan-router2:
root@lan-router2:~# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=205 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=215 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=221 ms
64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=214 ms
64 bytes from 192.168.1.2: icmp_seq=5 ttl=64 time=215 ms
^C
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 205.575/214.439/221.194/5.054 ms
Because DPD is configured (and strongSwan also sends NAT keepalives once it detects it is behind NAT, as the "sending keep alives" line in the log above shows), there is no need to worry about the NAT mapping on the router timing out. server1 is also set to reconnect automatically, so if the VPN drops because an address changed or for any other reason, server1 should reconnect by itself as soon as the updated DDNS record has propagated or the network is back. In theory, at least.
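As an added example (not part of the original post), here is the check I would run from cron on server1 to confirm the "in theory" part: it compares the remote address of the established IKE_SA, as printed by ipsec status, with the address the peer's DDNS name currently resolves to, brings the tunnel up if no SA exists, and reconnects if the SA still points at a stale address. It uses only ipsec status, ipsec down and ipsec up. The script name, the --check flag and the use of getent for name resolution are assumptions; the sample status line in the comment is the format strongSwan prints, filled in with this article's addresses.

```shell
#!/bin/sh
# ddns-tunnel-check.sh: keep a strongSwan site-to-site tunnel pointed at a DDNS peer.
# Added example for this article, not strongSwan's own tooling. Assumes the legacy
# "ipsec" command (ipsec status/down/up) and getent are available on server1.
set -u

CONN=${CONN:-peer-server2-tunnel-1}       # conn name from server1's ipsec.conf
PEER_NAME=${PEER_NAME:-lan-router2.router} # right= value from the same conn

# Extract the remote address from an "ipsec status" SA line such as
#   peer-server2-tunnel-1[6]: ESTABLISHED 5 minutes ago, 192.168.1.2[server1-id]...5.3.2.1[lan-router2-id]
# Reads stdin; prints the first remote address found, nothing if no SA is established.
sa_peer_address() {
    sed -n 's/.*\.\.\.\([0-9][0-9.]*\)\[.*/\1/p' | head -n 1
}

# First IPv4 address the peer's DDNS name resolves to right now.
resolve_peer() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Pure decision step, so it can be tested without strongSwan:
#   $1 = address of the current SA (empty if none), $2 = freshly resolved address.
# Prints one of: up (no SA), reconnect (SA points at a stale address), ok.
decide() {
    if [ -z "$1" ]; then
        echo up
    elif [ "$1" != "$2" ]; then
        echo reconnect
    else
        echo ok
    fi
}

main() {
    current=$(ipsec status "$CONN" | sa_peer_address)
    wanted=$(resolve_peer "$PEER_NAME")
    [ -n "$wanted" ] || { echo "cannot resolve $PEER_NAME" >&2; exit 1; }
    case "$(decide "$current" "$wanted")" in
        up)        ipsec up "$CONN" ;;
        reconnect) ipsec down "$CONN"; ipsec up "$CONN" ;;
        ok)        ;;
    esac
}

# Only act when invoked with --check; sourcing the file just defines the functions.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

A crontab line such as */5 * * * * /usr/local/sbin/ddns-tunnel-check.sh --check is enough; the interval only needs to be shorter than the DDNS TTL you consider acceptable. With auto=route the trap policy stays in place, so the "up" branch is mostly a safety net for the case where the trap never fired because nothing sent traffic.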
2. Other configuration
2.1 L2TPv3, GRE and the like
Over the VPN built above, server1 and lan-router2 each have a fixed internal address, so you can build L2TPv3 (see the previous article), GRE or similar tunnels directly between those two internal addresses.
2.2 Enabling IPv4 forwarding and SNAT
The configuration above uses /24 subnets, but if IPv4 forwarding is disabled on both sides, each endpoint can only reach the other endpoint's own address, not the hosts behind it.
In this topology server1 needs IPv4 forwarding and SNAT: traffic from 10.0.0.0/24 to another host in 192.168.1.0/24 arrives at server1 through the tunnel and is forwarded onto the LAN, but that host's replies go to its default gateway, lan-router1, rather than back to server1, unless server1 rewrites the source address to its own LAN address (or lan-router1 has a route for 10.0.0.0/24 via server1). lan-router2 is already the router for 10.0.0.0/24 and normally needs neither.
How to enable IPv4 forwarding and set up SNAT is widely documented; adapt it to your own situation.
2.3 Firewall configuration
Here is the iptables match for IPsec traffic; apply it as your setup requires:
-m policy --dir {in|out} --pol ipsec
For example, if the firewall on lan-router2's pppoe0 interface filters inbound traffic strictly, lan-router2 can reach server1 but server1 cannot reach lan-router2 (IKE on UDP 500/4500 must of course already be allowed, see 1.2). The following rule accepts traffic that arrived through the tunnel and fixes that:
iptables -I INPUT -i pppoe0 -s 192.168.1.0/24 -m policy --dir in --pol ipsec -j ACCEPT
For forwarded traffic do the same in the FORWARD chain.
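Putting sections 2.2 and 2.3 together, here is an added example (not from the original post) of the forwarding, NAT and firewall rules for both endpoints, with the -m policy match used so that only traffic that actually came out of, or will go into, the tunnel is accepted. Assumptions not stated on the page: server1's LAN interface is eth0 and its LAN address is 192.168.1.2 (taken from the ipsec up log), the rules are appended to an existing ruleset that already accepts ESTABLISHED,RELATED traffic, and for hosts on 192.168.1.0/24 other than server1 to reach 10.0.0.0/24 they, or lan-router1, have a route for 10.0.0.0/24 via 192.168.1.2 (the script does not set that up). The script prints the commands by default and only executes them when APPLY=1.

```shell
#!/bin/sh
# tunnel-rules.sh: forwarding, NAT and firewall rules for the two tunnel endpoints.
# Added example for this article, not from the original post.
# Assumptions: server1's LAN interface is eth0 at 192.168.1.2; lan-router2's WAN is pppoe0.
# Dry-run by default: prints each command. Set APPLY=1 to execute them (as root).
set -u

LEFT_NET=192.168.1.0/24      # leftsubnet on server1
RIGHT_NET=10.0.0.0/24        # leftsubnet on lan-router2
SERVER1_LAN_IF=eth0          # assumption
SERVER1_LAN_IP=192.168.1.2   # server1's address in the ipsec up log
ROUTER2_WAN_IF=pppoe0

# Print the command; execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

server1_rules() {
    # server1 must route between the tunnel and its LAN.
    run sysctl -w net.ipv4.ip_forward=1
    # Only traffic decapsulated from the tunnel may be forwarded onto the LAN ...
    run iptables -A FORWARD -s "$RIGHT_NET" -d "$LEFT_NET" -m policy --dir in --pol ipsec -j ACCEPT
    # ... and only LAN traffic that will actually be encrypted may be forwarded out.
    run iptables -A FORWARD -s "$LEFT_NET" -d "$RIGHT_NET" -m policy --dir out --pol ipsec -j ACCEPT
    # Other LAN hosts send replies to their default gateway (lan-router1), not to server1.
    # Rewriting the source of tunnel traffic to server1's LAN address keeps the return path on server1.
    run iptables -t nat -A POSTROUTING -s "$RIGHT_NET" -d "$LEFT_NET" -o "$SERVER1_LAN_IF" \
        -j SNAT --to-source "$SERVER1_LAN_IP"
}

lan_router2_rules() {
    # IKE and NAT-T from any initiator: server1's public address changes with lan-router1's PPPoE session.
    run iptables -A INPUT -i "$ROUTER2_WAN_IF" -p udp -m multiport --dports 500,4500 -j ACCEPT
    # Raw ESP, for a peer that is not behind NAT (server1 is, so its ESP arrives inside UDP 4500).
    run iptables -A INPUT -i "$ROUTER2_WAN_IF" -p esp -j ACCEPT
    # Decapsulated traffic from the far LAN, to the router itself and to its LAN.
    run iptables -A INPUT -i "$ROUTER2_WAN_IF" -s "$LEFT_NET" -m policy --dir in --pol ipsec -j ACCEPT
    run iptables -A FORWARD -i "$ROUTER2_WAN_IF" -s "$LEFT_NET" -d "$RIGHT_NET" \
        -m policy --dir in --pol ipsec -j ACCEPT
    # If the router masquerades its LAN on pppoe0, exempt tunnel traffic first: NAT runs before the
    # xfrm policy lookup, and a rewritten source no longer matches the 10.0.0.0/24 traffic selector.
    run iptables -t nat -I POSTROUTING -s "$RIGHT_NET" -d "$LEFT_NET" -m policy --dir out --pol ipsec -j ACCEPT
}

case "${1:-}" in
    server1)     server1_rules ;;
    lan-router2) lan_router2_rules ;;
    "")          ;;    # no argument: only define the functions (for sourcing)
    *)           echo "usage: $0 server1|lan-router2" >&2; exit 2 ;;
esac
```

Run sh tunnel-rules.sh server1 on server1 and sh tunnel-rules.sh lan-router2 on the router, review the printed commands, then run again with APPLY=1. The POSTROUTING exemption on lan-router2 is inserted at the top of the chain (-I) deliberately: placed after a MASQUERADE rule it would never be reached.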