root@Server01:~# apt -y install strongswan
root@Server01:~# vim /etc/ipsec.conf
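conn %default
  # Defaults inherited by every conn section below (SA lifetimes, IKE version, auth).
  # ipsec.conf(5): parameter lines inside a section must start with whitespace and
  # comments use '#'. A trailing "// ..." is NOT a comment here; it would become part
  # of the value (and on the "conn" line part of the section name), so the original
  # "conn %default //..." form must not be copied into the real file.
  # IKE SA lifetime (24 h)
  ikelifetime=1440m
  # IPsec (CHILD) SA lifetime (1 h)
  keylife=60m
  # Start rekeying 3 min before an SA expires
  rekeymargin=3m
  # 0 = retry forever (same as %forever)
  keyingtries=0
  # IKEv1 is legacy; prefer keyexchange=ikev2 (must be changed on both peers)
  keyexchange=ikev1
  # Pre-shared key authentication, keys come from /etc/ipsec.secrets
  authby=secret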
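conn n2n
  # Site-to-site tunnel between the two gateways; on Server01 this side is "left".
  # Parameter lines are indented as ipsec.conf(5) requires; comments use '#'.
  # Local public (outer) address and the IKE identity sent to the peer
  left=201.1.1.1
  leftid=201.1.1.1
  # LAN behind this gateway
  leftsubnet=192.168.10.0/24
  # Remote gateway's public address (rightid is not set, so it defaults to this)
  right=201.1.1.2
  # LAN behind the remote gateway
  rightsubnet=192.168.20.0/24
  # Bring the tunnel up when the daemon starts. This does NOT select the IKE
  # exchange mode: phase 1 uses main mode because aggressive=no is the default.
  auto=start
  # Tunnel mode: whole IP packets between the two subnets are encapsulated
  type=tunnel
  # NOTE(review): 3DES (64-bit block, Sweet32), MD5 and 1024-bit MODP are all
  # weak/broken. Use e.g. ike=aes256-sha256-modp2048 and esp=aes256-sha256-modp2048
  # (a DH group on esp= enables PFS, which this config lacks). Change both peers
  # identically; the "selected proposal" log line changes accordingly.
  ike=3des-md5-modp1024
  esp=3des-md5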
root@Server01:~# vim /etc/ipsec.secrets
# Selectors are the IKE IDs of both peers (leftid / rightid); the PSK must be
# byte-identical on both gateways.
# NOTE(review): "admin123" is a dictionary word; an attacker who captures or
# provokes an IKEv1 exchange can guess it offline. Use a long random secret
# (e.g. openssl rand -base64 32) and keep this file root-owned, mode 0600.
201.1.1.1 201.1.1.2 : PSK admin123
root@Server01:~# systemctl restart strongswan.service
root@Server01:~# ipsec reload
Reloading strongSwan IPsec configuration...
root@Server01:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.7.2 IPsec [starter]...
root@Server01:~# ipsec up n2n
generating QUICK_MODE request 502978981 [ HASH SA No ID ID ]
sending packet: from 201.1.1.1[500] to 201.1.1.2[500] (196 bytes)
received packet: from 201.1.1.2[500] to 201.1.1.1[500] (172 bytes)
parsed QUICK_MODE response 502978981 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
detected rekeying of CHILD_SA n2n{1}
CHILD_SA n2n{2} established with SPIs c9c6efe2_i c3129a29_o and TS 192.168.10.0/24 === 192.168.20.0/24
generating QUICK_MODE request 502978981 [ HASH ]
sending packet: from 201.1.1.1[500] to 201.1.1.2[500] (52 bytes)
connection 'n2n' established successfully
root@Server01:~#
root@Server02:~# apt -y install strongswan
root@Server02:~# vim /etc/ipsec.conf
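conn %default
  # Defaults inherited by every conn section below (SA lifetimes, IKE version, auth).
  # ipsec.conf(5): parameter lines inside a section must start with whitespace;
  # comments use a plain '#'.
  # IKE SA lifetime (24 h)
  ikelifetime=1440m
  # IPsec (CHILD) SA lifetime (1 h)
  keylife=60m
  # Start rekeying 3 min before an SA expires
  rekeymargin=3m
  # 0 = retry forever (same as %forever)
  keyingtries=0
  # IKEv1 is legacy; prefer keyexchange=ikev2 (must be changed on both peers)
  keyexchange=ikev1
  # Pre-shared key authentication, keys come from /etc/ipsec.secrets
  authby=secret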
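conn n2n
  # Mirror of Server01's n2n: on Server02 this side is "left".
  # Parameter lines are indented as ipsec.conf(5) requires; comments use '#'.
  # Local public (outer) address and the IKE identity sent to the peer
  left=201.1.1.2
  leftid=201.1.1.2
  # LAN behind this gateway
  leftsubnet=192.168.20.0/24
  # Remote gateway's public address (rightid is not set, so it defaults to this)
  right=201.1.1.1
  # LAN behind the remote gateway
  rightsubnet=192.168.10.0/24
  # Bring the tunnel up when the daemon starts (phase 1 is main mode by default;
  # auto= does not choose the exchange mode)
  auto=start
  # Tunnel mode: whole IP packets between the two subnets are encapsulated
  type=tunnel
  # NOTE(review): 3DES, MD5 and 1024-bit MODP are weak; prefer
  # ike=aes256-sha256-modp2048 / esp=aes256-sha256-modp2048 (adds PFS) on both
  # peers. Proposals must match Server01 exactly or phase 1/2 will fail.
  ike=3des-md5-modp1024
  esp=3des-md5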
root@Server02:~# vim /etc/ipsec.secrets
# Same PSK as on Server01, with the ID order reversed (local first); the key
# string must be byte-identical on both gateways.
# NOTE(review): "admin123" is a weak, guessable PSK — replace it with a long
# random secret on both peers, and keep this file root-owned, mode 0600.
201.1.1.2 201.1.1.1 : PSK admin123
root@Server02:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.7.2 IPsec [starter]...
root@Server02:~# ipsec up n2n
generating QUICK_MODE request 3704682612 [ HASH SA No ID ID ]
sending packet: from 201.1.1.2[500] to 201.1.1.1[500] (196 bytes)
received packet: from 201.1.1.1[500] to 201.1.1.2[500] (172 bytes)
parsed QUICK_MODE response 3704682612 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
detected rekeying of CHILD_SA n2n{1}
CHILD_SA n2n{2} established with SPIs c55955a3_i ceee62e6_o and TS 192.168.20.0/24 === 192.168.10.0/24
generating QUICK_MODE request 3704682612 [ HASH ]
sending packet: from 201.1.1.2[500] to 201.1.1.1[500] (52 bytes)
connection 'n2n' established successfully
验证: