strongSwan IPsec environment setup and swanctl.conf configuration, including CA certificate configuration (tunnel mode, ESP encapsulation, PSK authentication)

[Topology figure: vm1 192.168.182.144 -- host1 192.168.182.254 / 9.94.189.225 -- host2 9.94.189.226 / 192.168.152.254 -- vm2 192.168.152.132]

Topology: the two physical machines act as gateways, and each starts one virtual machine, so there is one LAN behind each gateway. host1 is 192.168.182.254 on the inside and 9.94.189.225 on the outside; host2 is 192.168.152.254 on the inside and 9.94.189.226 on the outside. The tunnel carries traffic between 192.168.182.0/24 and 192.168.152.0/24 over the 9.94.0.0/16 network.

I. Starting the virtual machines

The VMs are started with a QEMU script; the relevant options are (the shell variables are the script's own, and the parts shown as … are cut off in the original):

-enable-kvm -display none -cpu host \
-smp 4 \
-m 4096 \
-kernel $workdir/bzImage_$vm_id \
-device virtio-scsi-pci \
-net nic,model=virtio,macaddr=$mac -net bridge,br=$vm_br \
-drive file=$workdir/rootfs.gz_$vm_id,if=none,cache=none,id=root \
-device virtio-blk,drive=root,id=d_root \
$cfg_new \
-append "…$vm_ip root=/dev/vda1 rw kmemleak=on oops=panic panic_on_oops=1" \
-qmp tcp:localhost:$…,server,nowait \
-mo…$serial_log/vm.log \
-daemonize

The VM's NIC is attached to the host bridge named by vm_br (presumably br10, the interface that carries the inside subnet in the gateway routing tables below), which is how the VM lands on the gateway's inside network; -drive together with -device virtio-blk exposes the root image as /dev/vda, matching root=/dev/vda1 on the kernel command line.

II. Route configuration

(The commands use net-tools; the iproute2 equivalent is ip route add <net> via <gateway> dev <iface>.)

VM1:
Add the route: route add -net 192.168.152.0/24 gw 192.168.182.254 dev ens3
Check the routing table:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.182.1   0.0.0.0         UG    0      0        0 ens3
192.168.152.0   192.168.182.254 255.255.255.0   UG    0      0        0 ens3
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 ens3

HOST1:
Add the route to the remote LAN via host2's external address:

route add -net 192.168.152.0/24 gw 9.94.189.226 dev enp2s0f0

Check the routing table:

 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         9.94.0.1        0.0.0.0         UG    0      0        0 enp2s0f0
9.94.0.0        0.0.0.0         255.255.0.0     U     102    0        0 enp2s0f0
192.168.152.0   9.94.189.226    255.255.255.0   UG    0      0        0 enp2s0f0
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 br10

This route only has to get packets for 192.168.152.0/24 onto enp2s0f0: the kernel consults the XFRM policy after the routing lookup, and once the tunnel is up the policy replaces the next hop with ESP to 9.94.189.226 (the default route alone would already do this). The flip side is that while the tunnel is down the same packets follow this route in the clear to the upstream router. Setting start_action = trap on the net-net child makes strongSwan install a trap policy that triggers the IKE exchange for such packets instead of letting them leave unprotected.

HOST2:
Add the route to the remote LAN via host1's external address:

route add -net 192.168.182.0/24 gw 9.94.189.225 dev enp2s0f0

Check the routing table:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         9.94.0.1        0.0.0.0         UG    0      0        0 enp2s0f0
9.94.0.0        0.0.0.0         255.255.0.0     U     102    0        0 enp2s0f0
192.168.152.0   0.0.0.0         255.255.255.0   U     0      0        0 br10
192.168.182.0   9.94.189.225    255.255.255.0   UG    0      0        0 enp2s0f0

VM2:
Add the route: route add -net 192.168.182.0/24 gw 192.168.152.254 dev ens3
Check the routing table:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.152.1   0.0.0.0         UG    0      0        0 ens3
192.168.152.0   0.0.0.0         255.255.255.0   U     0      0        0 ens3
192.168.182.0   192.168.152.254 255.255.255.0   UG    0      0        0 ens3

III. Gateway configuration

1. On host1 and host2:

vim /etc/sysctl.conf

Add:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0

The default.* keys only apply to interfaces created after they are set, and for rp_filter the kernel uses the larger of conf.all.rp_filter and the per-interface value, so to change reverse-path filtering on the existing enp2s0f0 and br10 set net.ipv4.conf.all.rp_filter (or the per-interface keys) as well.

2. Then, on each gateway, turn off ICMP redirects on every interface (a gateway should neither send them nor let a LAN host rewrite its routes with them) and apply:

sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
/sbin/sysctl -p

IV. strongSwan installation and configuration

1. Build from source on host1 and host2. Download from https://download.strongswan.org/ ; the tarballs there come with detached signatures, so verify the signature against the strongSwan release key before unpacking. The hosts here run a 4.4 kernel, and to avoid compatibility problems with a newer release this setup uses strongSwan 5.6.2; with a 5.10 kernel a newer version can be used.

tar -xvzf strongswan-5.6.2.tar.gz
cd strongswan-5.6.2
./configure --sysconfdir=/etc --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp
make && make install

Of these options, only --sysconfdir=/etc (so the configuration lives in /etc/swanctl), --enable-swanctl (the vici plugin and the swanctl tool) and --enable-openssl matter for this PSK site-to-site tunnel; since --disable-gmp removes the gmp plugin (RSA and MODP Diffie-Hellman), the openssl plugin is what keeps those available. The EAP, XAuth, unity and DHCP plugins serve road-warrior setups and can be left out. With the default prefix everything else lands under /usr/local: swanctl in /usr/local/sbin and the _updown script in /usr/local/libexec/ipsec.

Installation complete.
2. strongSwan configuration:
The ipsec.conf and ipsec.secrets (stroke) method is being phased out and can run into problems, so the swanctl.conf method is used.
On host1:

vim /etc/swanctl/swanctl.conf

Set the contents to:

connections {
  
   gw-gw {
      local_addrs  = 9.94.189.225
      remote_addrs = 9.94.189.226

      local {
         auth = psk
         id = moon.strongswan.org
      }
      remote {
         auth = psk
         id = sun.strongswan.org
      }
      children {
         net-net {
            local_ts  = 192.168.182.0/24
            remote_ts = 192.168.152.0/24

            updown = /usr/local/libexec/ipsec/_updown iptables
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000
            esp_proposals = aes128gcm128-x25519
         }
      }
      version = 2
      mobike = no
      reauth_time = 10800
      proposals = aes128-sha256-x25519
   }
}

secrets {
   ike-1 {
      id-moon = moon.strongswan.org
      id-sun = sun.strongswan.org
      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
   }
}

One secrets entry is enough: it names both IKE identities and carries the same secret as the entry on host2 (a 0s prefix means base64, 0x means hex, anything else is taken literally). Do not leave the other sample entries from the swanctl.conf manual page in the file: an ike entry without any id matches every peer, and strongSwan silently picks the entry whose ids best match, so stray entries hide mistakes rather than causing visible ones. IKEv2 PSK authentication also lets anyone who can pose as one gateway and collect an AUTH payload test candidate secrets offline, so the secret must be random (16 bytes or more), never a passphrase. The ids are plain labels that only have to match the peer's remote id; no DNS lookup is involved. With updown = /usr/local/libexec/ipsec/_updown iptables the _updown script installs the forwarding rules when the CHILD_SA comes up; the path matches the default /usr/local prefix used above.

On host2:

vim /etc/swanctl/swanctl.conf

Set the contents to:

connections {
  
   gw-gw {
      local_addrs  = 9.94.189.226
      remote_addrs = 9.94.189.225

      local {
         auth = psk
         id = sun.strongswan.org
      }
      remote {
         auth = psk
         id = moon.strongswan.org
      }
      children {
         net-net {
            local_ts  = 192.168.152.0/24
            remote_ts = 192.168.182.0/24

            updown = /usr/local/libexec/ipsec/_updown iptables
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000
            esp_proposals = aes128gcm128-x25519
         }
      }
      version = 2
      mobike = no
      reauth_time = 10800
      proposals = aes128-sha256-x25519
   }
}

secrets {
   ike-1 {
      id-moon = moon.strongswan.org
      id-sun =sun.strongswan.org
      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
   }
}
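The checker below is an example added to this page; it is not strongSwan's code and not part of the original post. It parses both swanctl.conf files with a small parser for the strongswan.conf syntax and reports everything that would make the two gateways disagree: endpoints, ids, traffic selectors or proposals that are not mirror images of each other, a missing or duplicated PSK entry, a PSK that differs between the sides or is too short, and id-less wildcard entries. The names parse_conf, decode_secret, view, check_pair and gw_conf are hypothetical; the two configurations are rebuilt inline from the values above as constructed sample input (abridged to the keys the checks use), and HOST1_SLOPPY adds an id-less entry of the kind found in the swanctl.conf manual page's example block, which is what the checker reports.

```python
"""Added example, not strongSwan code: check that two swanctl.conf files of one site-to-site
tunnel mirror each other and that their PSK setup is sane. Parses strongswan.conf syntax
(nested `name { }` sections, `key = value` lines, full-line `#` comments); assumes one
connection with one child per file, IKEv2 and auth = psk."""
import base64

def parse_conf(text):
    """Parse strongswan.conf syntax into nested dicts of strings."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.endswith('{'):                   # open a sub-section
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == '}':                        # close it
            stack.pop()
        else:                                    # key = value, split on the first '='
            key, _, value = map(str.strip, line.partition('='))
            if value[:1] in ('"', "'") and value.endswith(value[0]):
                value = value[1:-1]              # drop surrounding quotes
            stack[-1][key] = value
    return stack[0]

def decode_secret(value):
    """PSK bytes: 0x.. is hex, 0s.. is base64, anything else is literal text."""
    if value.startswith('0x'):
        return bytes.fromhex(value[2:])
    if value.startswith('0s'):
        return base64.b64decode(value[2:])
    return value.encode()

def view(conf, near, far):
    """Negotiated parameters keyed from the `near` side: A's local view must equal B's remote view."""
    (conn,) = conf['connections'].values()       # exactly one connection per file assumed
    (child,) = conn['children'].values()         # and exactly one child
    return {'near_addr': conn[near + '_addrs'], 'far_addr': conn[far + '_addrs'],
            'near_id': conn[near]['id'], 'far_id': conn[far]['id'],
            'near_ts': child[near + '_ts'], 'far_ts': child[far + '_ts'],
            'ike_proposals': conn.get('proposals'), 'esp_proposals': child.get('esp_proposals')}

def check_pair(text_a, text_b, min_psk_bytes=16):
    """Findings for gateway configs A and B; an empty list means they are consistent."""
    a, b = parse_conf(text_a), parse_conf(text_b)
    ours, theirs = view(a, 'local', 'remote'), view(b, 'remote', 'local')
    findings = ['%s: A has %r, B has %r' % (k, ours[k], theirs[k])
                for k in ours if ours[k] != theirs[k]]
    # PSK: one entry naming both peers, long enough, identical on both sides, no wildcard entry.
    peers, psks = {ours['near_id'], ours['far_id']}, {}
    for label, conf in (('A', a), ('B', b)):
        entries = [({v for k, v in e.items() if k.startswith('id')}, decode_secret(e['secret']))
                   for n, e in conf.get('secrets', {}).items() if n.startswith('ike')]
        if any(not ids for ids, _ in entries):
            findings.append('%s: ike secret without any id is a wildcard PSK' % label)
        match = [secret for ids, secret in entries if peers <= ids]
        if len(match) == 1 and len(match[0]) >= min_psk_bytes:
            psks[label] = match[0]
        else:
            findings.append('%s: need one PSK entry naming both peers with >= %d bytes, got %r'
                            % (label, min_psk_bytes, [len(m) for m in match]))
    if len(psks) == 2 and psks['A'] != psks['B']:
        findings.append('PSK bytes differ between the gateways')
    return findings

def gw_conf(me, peer, extra_secrets=''):
    """Constructed swanctl.conf text for one gateway, abridged from the files above."""
    (la, lid, lts), (ra, rid, rts) = me, peer
    return f"""connections {{
   gw-gw {{
      local_addrs  = {la}
      remote_addrs = {ra}
      local {{
         id = {lid}
      }}
      remote {{
         id = {rid}
      }}
      children {{
         net-net {{
            local_ts  = {lts}
            remote_ts = {rts}
            esp_proposals = aes128gcm128-x25519
         }}
      }}
      proposals = aes128-sha256-x25519
   }}
}}
secrets {{
   ike-1 {{
      id-moon = moon.strongswan.org
      id-sun = sun.strongswan.org
      secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
   }}{extra_secrets}
}}"""

MOON = ('9.94.189.225', 'moon.strongswan.org', '192.168.182.0/24')   # host1: address, id, subnet
SUN = ('9.94.189.226', 'sun.strongswan.org', '192.168.152.0/24')     # host2
HOST1, HOST2 = gw_conf(MOON, SUN), gw_conf(SUN, MOON)
HOST1_SLOPPY = gw_conf(MOON, SUN, "\n   ike-4 {\n      secret = 'My \"home\" is my \"castle\"!'\n   }")
```

check_pair(HOST1, HOST2) returns an empty list, and check_pair(HOST1_SLOPPY, HOST2) returns the wildcard finding; on real gateways pass the text of each /etc/swanctl/swanctl.conf. Because the daemon picks the PSK entry whose ids best match the peers, leftover entries usually do not break the tunnel, which is exactly why a static check like this is worth running before swanctl --load-all.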

Starting IPsec:
Run on host1 and host2:

systemctl start strongswan
swanctl --load-all

Then, on one gateway only (the initiator; the other side answers):

swanctl --initiate --child net-net
swanctl --list-sas --raw

The configure line above has no --enable-systemd, so if no strongswan unit was installed, start the daemon with the starter script from the same prefix instead: /usr/local/sbin/ipsec start. Afterwards

ip xfrm policy ls
ip xfrm state ls

show the policies and SAs the kernel received (ip xfrm state prints the ESP keys in the clear, so do not paste its output into tickets or chat). ipsec statusall also shows the tunnel status.
At this point the IPsec tunnel is up.
3. Verification:
Ping vm2 from vm1 and capture on host1 with tcpdump -i enp2s0f0 esp: the packets between 9.94.189.225 and 9.94.189.226 must be ESP. Also capture with tcpdump -i enp2s0f0 icmp; if ICMP to 192.168.152.0/24 still shows up on the external interface, the traffic is bypassing the tunnel.

V. Notes

1. The gateway firewalls were stopped with systemctl stop firewalld.service. The tighter equivalent is to allow only what the tunnel needs: UDP 500 (IKE), UDP 4500 (IKE and UDP-encapsulated ESP once a NAT is detected) and IP protocol 50 (ESP) between 9.94.189.225 and 9.94.189.226, plus forwarding between the two subnets; the _updown iptables script configured above inserts FORWARD rules matched with -m policy --pol ipsec when the CHILD_SA comes up, which is why xt_policy appears in the list below.
2. Required kernel modules and config options:

CONFIG_XFRM_USER    net/xfrm/xfrm_user.c (the netlink interface strongSwan's kernel-netlink plugin uses)
CONFIG_XFRM_ALGO    net/xfrm/xfrm_algo.c
CONFIG_XFRM_AH      XFRM_ALGO and CRYPTO code
CONFIG_XFRM_ESP     XFRM_ALGO and CRYPTO code
CONFIG_INET_XFRM_MODE_TRANSPORT    net/ipv4/xfrm4_mode_transport.c
CONFIG_INET_XFRM_MODE_TUNNEL       net/ipv4/xfrm4_mode_tunnel.c
CONFIG_NET_KEY      net/key/af_key.c (PF_KEY; only needed by the kernel-pfkey plugin)
CONFIG_INET_AH      net/ipv4/ah.c
CONFIG_INET_ESP     net/ipv4/esp.c
CONFIG_NETFILTER_XTABLES           net/netfilter/x_tables.c, xt_tcpudp.c
CONFIG_NETFILTER_XT_MATCH_POLICY   net/netfilter/xt_policy.c

The esp_proposals above use AES-GCM, so the kernel also needs the matching crypto implementation (CONFIG_CRYPTO_AES and CONFIG_CRYPTO_GCM, which registers rfc4106(gcm(aes))); a missing cipher shows up when strongSwan tries to install the SA (unable to add SAD entry), not during the IKE exchange. The two mode options belong to this kernel generation; on more recent kernels the mode code is part of the xfrm core and the options no longer exist.
3. The gateways need Python 2 installed (Python 3 does not work).
