华三侧主要配置:
ike keychain a //IKE 密钥链;本例对端(CentOS 主机)的地址不固定,因此下面以 0.0.0.0 0.0.0.0 匹配任意对端地址,而不是指定具体 IP
match local address LoopBack0
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123 //预共享密钥,需与 CentOS 主机 /etc/strongswan/ipsec.secrets 中的 PSK 完全一致。注意:示例值 123 仅作演示;IKEv1 野蛮模式下由 PSK 派生的 HASH 以明文传输,可被抓包后离线字典破解,而此条目又对任意对端地址生效,生产环境务必使用足够长的随机密钥;key simple 会在配置中明文保存密钥,建议改用 key cipher 方式保存
ike proposal 1 //对应 CentOS 主机 /etc/strongswan/ipsec.conf 中的 ike=3des-sha1-modp1536;认证算法未显式配置,沿用设备默认值,需与对端的 sha1 一致。3DES/SHA1/modp1536 均已属弱算法,这里仅为兼容,双方设备都支持时建议改用 aes-cbc-256、sha256 及 dh group14 以上,并同步修改对端的 ike= 配置
encryption-algorithm 3des-cbc
dh group5
ike profile a
keychain a
exchange-mode aggressive //启用野蛮模式,对应 CentOS 主机 /etc/strongswan/ipsec.conf 中的 aggressive=yes。作者测试 H3C 侧配置主模式也能与对端的野蛮模式对接成功,这与本例 H3C 使用策略模板、仅作为响应方有关:exchange-mode 主要决定本端作为发起方时采用的模式,作为响应方时一般会接受发起方提出的模式
local-identity fqdn server //本端的FQDN,对应centos主机/etc/strongswan/ipsec.conf下rightid
match remote identity fqdn tj //对端的FQDN,对应centos主机/etc/strongswan/ipsec.conf下leftid
match local address LoopBack0 //本端公网地址,对应centos主机/etc/strongswan/ipsec.conf下right
proposal 1
acl advanced 3347 //感兴趣流(需加密保护的数据流):源为本端业务网段 40.1.1.0/24,目的为对端业务网段 10.153.43.0/24,分别对应 CentOS 主机 /etc/strongswan/ipsec.conf 中的 rightsubnet 与 leftsubnet(两端视角相反,源/目的互换)
rule 0 permit ip source 40.1.1.0 0.0.0.255 destination 10.153.43.0 0.0.0.255
ipsec transform-set 1 //centos主机/etc/strongswan/ipsec.conf下 esp=
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
pfs dh-group5
ipsec policy-template b 40 //对端为私网地址,H3C 侧无法在策略中预先指定对端 IP,因此必须使用策略模板方式;模板方式下 H3C 只能作为响应方,需由 strongSwan 侧发起协商(对应下文的 auto=start)
transform-set 1
security acl 3347
local-address 1*...*3 //本端公网地址,对应centos主机/etc/strongswan/ipsec.conf下right
ike-profile d //引用的 IKE profile 名称必须与上文定义的一致:上文定义的是 ike profile a,此处的 d 疑为笔误;名称不一致时策略模板无法关联到正确的 IKE 配置,协商会失败
sa duration time-based 28800 //IPsec SA 生存时间,对应 CentOS 主机 /etc/strongswan/ipsec.conf 中的 lifetime=28800s;IKE SA 生存时间本例未在 ike proposal 中显式配置,沿用设备默认值,建议与对端的 ikelifetime=86400s 保持一致
ipsec policy a 20 isakmp template b
interface Reth1.110
ip address 10.136.93.2 255.255.255.0
ipsec apply policy a //绑定IPsec策略
StrongSwan主要配置:
[root@zx ~]# cat /etc/strongswan/ipsec.conf //配置文件所在路径。本例使用传统的 ipsec.conf/ipsec.secrets 配置方式,较新的 strongSwan 版本推荐改用 swanctl.conf,配置项含义基本对应
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn tj
left=10.153.43.13 //本端私网地址
leftid=tj //本端FQDN
leftsubnet=10.153.43.0/24 //本端业务网段
right=1*...*3 //对端公网地址
rightid=server //对端FQDN
rightsubnet=40.1.1.0/24 //对端业务网段
aggressive=yes //开启野蛮模式。IKEv1 下使用 FQDN 等非 IP 标识做 PSK 认证时需要野蛮模式(主模式下 PSK 只能按对端 IP 查找);但野蛮模式会明文发送身份标识和由 PSK 派生的 HASH,存在离线字典破解风险,PSK 必须足够长且随机,条件允许时应优先使用 IKEv2(keyexchange=ikev2,无此问题)
keyexchange=ikev1 //开启ikev1
ike=3des-sha1-modp1536 //IKE 阶段算法,需与 H3C 侧 ike proposal 1 匹配;3DES/SHA1/modp1536 已属弱算法,仅为兼容旧设备,建议双方同步升级为 aes256-sha256-modp2048 或更强
esp=3des-sha1-modp1536 //IPsec 阶段算法,对应 H3C 侧 ipsec transform-set 1;末尾的 modp1536 表示为 IPsec SA 启用 PFS,对应 H3C 侧的 pfs dh-group5
lifetime=28800s
ikelifetime=86400s
leftauth=psk
rightauth=psk
type=tunnel
auto=start //strongSwan 启动时主动发起协商;本例 H3C 使用策略模板只能作为响应方,因此必须由此端发起
[root@zx ~]# systemctl restart strongswan //修改完配置文件,需要重启strongswan
[root@zx ~]# cat /etc/strongswan/ipsec.secrets
10.153.43.15 125...*3 : PSK "123" //PSK 条目,密钥必须用 ASCII 双引号包围(中文引号会导致解析失败);左侧选择符应与 ipsec.conf 中的 left 一致(上文为 left=10.153.43.13,此处 10.153.43.15 疑为笔误),若按 IP 匹配失败,可改为按标识匹配:tj server : PSK "123"。密钥值需与 H3C 侧 pre-shared-key 一致;本文件含明文密钥,权限应设为 600 且仅 root 可读
[root@zx ~]# strongswan up tj //SA 中断后可用此命令手动重新发起 tj 连接的协商;输出末尾出现 connection 'tj' established successfully 即表示隧道建立成功(原文此处为截图);随后可用 strongswan statusall 查看 SA 状态
查看IPsec状态及业务测试
H3C设备侧查看IPsec状态