The test environment consists of two VMware Fusion virtual machines in NAT network mode. Each VM has one single-core CPU, one NIC, and runs CentOS 7.
After running dhclient ens33 &, vm1 gets the IP 192.168.153.128 and vm2 gets 192.168.153.130.
Create the VTI
vm1:
ip tunnel add ipsec1 local 192.168.153.128 remote 0.0.0.0 mode vti key 42
ifconfig ipsec1 up
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.ip_vti0.disable_policy=1
sysctl -w net.ipv4.conf.ens33.disable_policy=1
vm2:
ip tunnel add ipsec1 local 192.168.153.130 remote 0.0.0.0 mode vti key 42
ifconfig ipsec1 up
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.ip_vti0.disable_policy=1
sysctl -w net.ipv4.conf.ens33.disable_policy=1
Configure strongswan
vm1:
yum install epel-release -y
yum install strongswan -y
# vi /etc/strongswan/strongswan.d/charon.conf
install_routes = no
# vi /etc/strongswan/ipsec.conf
conn vco-vtitest
keyexchange=ikev2
aggressive=yes
left=192.168.153.128
right=192.168.153.130
leftid=sun
rightid=moon
leftsubnet=20.20.20.0/24
rightsubnet=30.30.30.0/24
leftsendcert=never
authby=psk
auto=route
ike=aes-sha1-modp3072
esp=aes-sha1-modp3072
type=tunnel
mark=42
# vi /etc/strongswan/ipsec.secrets
sun moon : PSK "bbss2gvpg0r1ts5w"
vm2:
yum install epel-release -y
yum install strongswan -y
# vi /etc/strongswan/strongswan.d/charon.conf
install_routes = no
# vi /etc/strongswan/ipsec.conf
conn vco-vtitest
keyexchange=ikev2
aggressive=yes
left=192.168.153.130
right=192.168.153.128
leftid=moon
rightid=sun
leftsubnet=30.30.30.0/24
rightsubnet=20.20.20.0/24
leftsendcert=never
authby=psk
auto=route
ike=aes-sha1-modp3072
esp=aes-sha1-modp3072
type=tunnel
mark=42
# vi /etc/strongswan/ipsec.secrets
moon sun : PSK "bbss2gvpg0r1ts5w"
Configure routes
vm1:
ip addr add 20.20.20.1/32 dev lo
ip route add 30.30.30.0/24 dev ipsec1
vm2:
ip addr add 30.30.30.1/32 dev lo
ip route add 20.20.20.0/24 dev ipsec1
Start strongswan, reload the configuration and negotiate
/usr/sbin/strongswan start --daemon charon
/usr/sbin/strongswan update
/usr/sbin/strongswan stroke down vco-vtitest
/usr/sbin/strongswan stroke up vco-vtitest
Notes
1. keyexchange=ikev2, not ikev1
2. After changing the PSK, run /usr/sbin/strongswan rereadsecrets for the change to take effect
3. Run swanctl --list-sas to view the IPsec tunnel status
4. The initiator can ping the responder (ping 30.30.30.1 -I 20.20.20.1); until the initiator has sent traffic to the responder, the responder cannot ping the initiator
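Most failures in a two-peer VTI setup like this come from the two sides not mirroring each other exactly (left/right, ids, subnets, mark, PSK), or from the VTI key and the conn mark drifting apart. The script below is an added example, not part of the original note: it parses each peer's ip tunnel add command, disable_policy sysctl lines, ipsec.conf conn block and ipsec.secrets line, and reports anything that does not line up. It also flags when the disable_policy sysctl names a device other than the VTI created with ip tunnel add, because net.ipv4.conf.<ifname>.disable_policy applies only to the interface named in it, and ip_vti0 is the fallback device the ip_vti module creates, not the ipsec1 tunnel configured above. The sample data is the configuration from this note, collapsed into strings (constructed input) so the check runs offline.

```python
"""Consistency check for a two-peer strongswan VTI setup (added example)."""
import re

# Constructed sample input: the settings from the note above, collapsed to strings.
VM1 = {
    "tunnel": "ip tunnel add ipsec1 local 192.168.153.128 remote 0.0.0.0 mode vti key 42",
    "sysctl": ["net.ipv4.conf.ip_vti0.disable_policy=1", "net.ipv4.conf.ens33.disable_policy=1"],
    "conn": "conn vco-vtitest\nkeyexchange=ikev2\nleft=192.168.153.128\nright=192.168.153.130\n"
            "leftid=sun\nrightid=moon\nleftsubnet=20.20.20.0/24\nrightsubnet=30.30.30.0/24\n"
            "authby=psk\nauto=route\nike=aes-sha1-modp3072\nesp=aes-sha1-modp3072\ntype=tunnel\nmark=42",
    "secret": 'sun moon : PSK "bbss2gvpg0r1ts5w"',
}
VM2 = {
    "tunnel": "ip tunnel add ipsec1 local 192.168.153.130 remote 0.0.0.0 mode vti key 42",
    "sysctl": ["net.ipv4.conf.ip_vti0.disable_policy=1", "net.ipv4.conf.ens33.disable_policy=1"],
    "conn": "conn vco-vtitest\nkeyexchange=ikev2\nleft=192.168.153.130\nright=192.168.153.128\n"
            "leftid=moon\nrightid=sun\nleftsubnet=30.30.30.0/24\nrightsubnet=20.20.20.0/24\n"
            "authby=psk\nauto=route\nike=aes-sha1-modp3072\nesp=aes-sha1-modp3072\ntype=tunnel\nmark=42",
    "secret": 'moon sun : PSK "bbss2gvpg0r1ts5w"',
}

# Settings that must be swapped between the peers, and settings that must be identical.
MIRROR = [("left", "right"), ("leftid", "rightid"), ("leftsubnet", "rightsubnet")]
SAME = ["keyexchange", "authby", "auto", "ike", "esp", "type", "mark"]


def parse_conn(text):
    """Return the key=value settings of an ipsec.conf conn block as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn ") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_tunnel(cmd):
    """Extract device name, local address and key from an `ip tunnel add ... mode vti` command."""
    m = re.match(r"ip tunnel add (\S+) local (\S+) remote (\S+) mode vti key (\d+)", cmd)
    if not m:
        raise ValueError("not a VTI tunnel command: %s" % cmd)
    return {"dev": m.group(1), "local": m.group(2), "key": m.group(4)}


def parse_secret(line):
    """Split an ipsec.secrets PSK line into its set of ids and the shared secret."""
    ids, _, rest = line.partition(":")
    m = re.search(r'PSK\s+"([^"]*)"', rest)
    if not m:
        raise ValueError("not a PSK line: %s" % line)
    return frozenset(ids.split()), m.group(1)


def policy_devices(sysctls):
    """Interface names on which disable_policy=1 is set."""
    found = set()
    for s in sysctls:
        m = re.match(r"net\.ipv4\.conf\.([^.]+)\.disable_policy=1$", s.strip())
        if m:
            found.add(m.group(1))
    return found


def check_peers(a, b, names=("vm1", "vm2")):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    ca, cb = parse_conn(a["conn"]), parse_conn(b["conn"])
    for lk, rk in MIRROR:
        if ca.get(lk) != cb.get(rk) or ca.get(rk) != cb.get(lk):
            findings.append("%s/%s are not mirrored between peers" % (lk, rk))
    for key in SAME:
        if ca.get(key) != cb.get(key):
            findings.append("%s differs between peers (%s vs %s)" % (key, ca.get(key), cb.get(key)))
    ids_a, psk_a = parse_secret(a["secret"])
    ids_b, psk_b = parse_secret(b["secret"])
    if psk_a != psk_b:
        findings.append("PSK differs between peers")
    for name, peer, conn, ids in zip(names, (a, b), (ca, cb), (ids_a, ids_b)):
        tun = parse_tunnel(peer["tunnel"])
        if tun["local"] != conn.get("left"):
            findings.append("%s: tunnel local %s != left %s" % (name, tun["local"], conn.get("left")))
        if tun["key"] != conn.get("mark"):  # the VTI key must equal the conn mark
            findings.append("%s: tunnel key %s != mark %s" % (name, tun["key"], conn.get("mark")))
        if ids != {conn.get("leftid"), conn.get("rightid")}:
            findings.append("%s: ipsec.secrets ids %s do not match leftid/rightid" % (name, sorted(ids)))
        devs = policy_devices(peer["sysctl"])
        if tun["dev"] not in devs:  # per-interface sysctl only affects the named device
            findings.append("%s: disable_policy is set on %s, not on the tunnel device %s"
                            % (name, ",".join(sorted(devs)), tun["dev"]))
    return findings


if __name__ == "__main__":
    for finding in check_peers(VM1, VM2) or ["peers are consistent"]:
        print(finding)
```

Run against the configuration from this note, the mirror, mark, address and PSK checks all pass, and the only findings are the two disable_policy lines naming ip_vti0 instead of ipsec1. Swapping either peer's mark or key to another value produces a finding on both the cross-peer comparison and the per-peer key/mark check.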