Last updated: 2021-01-14
Install
Setup
# OS: CentOS 7, strongswan-5.7.2
yum install epel-release
yum install strongswan
Enable Service
systemctl start strongswan
systemctl enable strongswan
Checking
netstat -nlup    # charon should be listening on UDP 500 (IKE) and UDP 4500 (NAT-T)
strongswan --help
strongswan version
OS Setting
/etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 1
sysctl -p
Diagram
(192.168.88.0/24) Site A (10.0.0.88) <-> (10.0.0.160) Site B (192.168.160.0/24)
Configure
Config File Location
cd /etc/strongswan
ipsec.secrets
# man strongswan_ipsec.secrets
strongSwan's IKE daemon (charon) reads it. Keep it owned by root with mode 0600: it holds the PSK in clear.
Generate Preshared Key
openssl rand -base64 16
????
ipsec.secrets
10.0.0.88 10.0.0.160 : PSK "????"
With the quoted form the ASCII characters of the Base64 string are the key; with 0s???? (no quotes) the string is decoded back to the 16 random bytes. Both work, but both gateways must use the same form.
Format
# comment
[ <selectors> ] : PSK <secret>
The selectors and the secret are separated by a colon (:) surrounded by whitespace.
A selector is an IP address, a fully qualified domain name, or %any; an entry with no selectors matches any peer.
secret
  a string in double quotes, or
  0x... is interpreted as a sequence of hexadecimal digits
  0s... is interpreted as Base64-encoded binary data
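The key generation and ipsec.secrets steps above, as an added example (not part of the original notes): it generates a 32-byte PSK instead of the 16 bytes used above, writes it in the 0s (Base64) form for the two gateway addresses, forces mode 0600 on the file, and checks the result. The file path, the 0s form and the 32-byte minimum are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original notes): generate a random PSK, write a
# root-only ipsec.secrets entry for the two gateway addresses, and check the result.
# Assumptions: the secrets file path and the 0s (Base64) form are the example's
# choice; 32 random bytes is the example's minimum, not a strongSwan requirement.
set -eu

# Print a Base64 PSK of $1 random bytes (default 32) with no trailing newline.
gen_psk() {
    nbytes="${1:-32}"
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$nbytes"
    else
        head -c "$nbytes" /dev/urandom | base64
    fi | tr -d '\n'
}

# Write "<left> <right> : PSK 0s<base64>" to $1 with mode 0600 (owner root in production).
write_psk_entry() {
    file="$1"; left="$2"; right="$3"; psk="$4"
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; printf '%s %s : PSK 0s%s\n' "$left" "$right" "$psk" > "$file" )
    chmod 600 "$file"
}

# Return 0 if the file is mode 0600 and holds a PSK entry whose Base64 secret
# encodes at least 32 bytes (44 Base64 characters); print the reason otherwise.
check_secrets_file() {
    file="$1"
    if [ -z "$(find "$file" -perm 600)" ]; then
        echo "$file: permissions are not 0600" >&2; return 1
    fi
    if ! grep -Eq '^[^#:]* : PSK 0s[A-Za-z0-9+/=]{44,}$' "$file"; then
        echo "$file: no PSK entry with a 0s secret of at least 32 bytes" >&2; return 1
    fi
}

# Usage: sh gen_psk.sh /etc/strongswan/ipsec.secrets   (then run: ipsec rereadsecrets)
# Copy the same entry to the other gateway; the selectors and the 0s value must match.
if [ "$#" -gt 0 ]; then
    psk="$(gen_psk 32)"
    write_psk_entry "$1" 10.0.0.88 10.0.0.160 "$psk"
    check_secrets_file "$1"
fi
```

The check rejects a 16-byte key on purpose: a PSK that is both short and shared between two gateways is the weakest link in a PSK-authenticated IKEv2 setup, so make it long and random and never reuse it across tunnels.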
strongswan.conf
# man strongswan.conf
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
ipsec.conf
# man strongswan_ipsec.conf
config setup
    # "all" is very verbose; lower it once the tunnel is working
    charondebug="all"
    uniqueids=yes

conn dc-to-office
    auto=start
    type=tunnel
    keyexchange=ikev2
    authby=psk
    # Net
    left=10.0.0.160
    leftsubnet=192.168.160.0/24
    right=10.0.0.88
    rightsubnet=192.168.88.0/24
    # Enc: there is no "sha128" keyword, use sha256; modp1024 (1024-bit DH)
    # is not adequate today, use modp2048 or stronger
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    # lifetime
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    # DPD
    dpdaction=restart
    dpddelay=30s
    # IKEv1 Setting
    #aggressive=no
    #dpdtimeout=120s
Notes
auto
What happens to this conn when ipsec starts: add, route, start, or ignore (the default)
add: loads a connection without starting it.
route: loads a connection and installs kernel traps.
start: loads a connection and brings it up immediately.
ignore: ignores the connection.
left or right
left and right are arbitrary labels, not local/remote: the daemon works out which side is local by matching the addresses against its own interfaces, so the same conn block can be used unchanged on both gateways.
ike = <cipher suites>
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to be used
Format: encryption-integrity[-prf]-dhgroup
If no PRF is given, the algorithms defined for integrity are used for the PRF.
e.g.
aes256-sha256-modp2048
In IKEv2, multiple algorithms and proposals may be included
aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024
The daemon adds its extensive default proposal to this default or the configured value.
To restrict it to the configured proposal an exclamation mark (!) can be added at the end.
esp = <cipher suites>
Format: encryption-integrity[-dhgroup][-esnmode]
e.g. aes256-sha256 (sha1, sha256, sha384 and sha512 are valid integrity keywords; "sha128" is not)
Giving a dhgroup here enables PFS: every CHILD_SA rekey does a fresh DH exchange instead of deriving from the IKE_SA keys.
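A small linter for ike=/esp= values, as an added example (not from the original notes or from strongSwan itself): it splits a value into proposals on commas and tokens on dashes, as the format notes above describe, flags tokens strongSwan would not recognise (such as "sha128"), flags algorithms that should not be deployed today (md5, sha1, 3des, null, modp768, modp1024), and warns when the trailing "!" is missing, since without it the daemon appends its own default proposals. The keyword tables are a subset chosen for this example, not a copy of the daemon's.

```shell
#!/bin/sh
# Added example (not from the original notes): lint an ike=/esp= proposal string.
# The keyword lists are a subset of strongSwan's chosen for this example and
# are an assumption, not an exhaustive copy of the daemon's algorithm tables.
set -eu

# Classify one dash-separated token. Prints one of: enc integ prf dh esn unknown
classify_token() {
    case "$1" in
        aes128|aes192|aes256|aes128gcm16|aes256gcm16|chacha20poly1305|3des|null) echo enc ;;
        sha1|sha256|sha384|sha512|md5|aesxcbc) echo integ ;;
        prfsha1|prfsha256|prfsha384|prfsha512) echo prf ;;
        modp768|modp1024|modp1536|modp2048|modp3072|modp4096|ecp256|ecp384|ecp521|curve25519) echo dh ;;
        esn|noesn) echo esn ;;
        *) echo unknown ;;
    esac
}

# Check a single proposal such as aes256-sha256-modp2048.
# Return 0 only if every token is known and none is on the weak list.
check_proposal() {
    prop_rc=0
    for tok in $(printf '%s' "$1" | tr '-' ' '); do
        if [ "$(classify_token "$tok")" = unknown ]; then
            echo "unknown keyword: $tok" >&2; prop_rc=1
        fi
        case "$tok" in
            md5|sha1|3des|null|modp768|modp1024)
                echo "weak algorithm: $tok" >&2; prop_rc=1 ;;
        esac
    done
    return $prop_rc
}

# Check a full ike= or esp= value: comma-separated proposals, optional trailing '!'.
# A missing '!' counts as a finding because the daemon then adds its default proposals.
check_proposal_list() {
    value="$1"; list_rc=0
    case "$value" in
        *!) value="${value%!}" ;;
        *)  echo "no trailing '!': the daemon will append its own default proposals" >&2
            list_rc=1 ;;
    esac
    for p in $(printf '%s' "$value" | tr ',' ' '); do
        check_proposal "$p" || list_rc=1
    done
    return $list_rc
}

# Usage: sh lint_proposal.sh 'aes256-sha256-modp2048!'
if [ "$#" -gt 0 ]; then
    check_proposal_list "$1" && echo "ok: $1"
fi
```

Run it over the multi-proposal man-page example quoted above and it reports sha1, 3des, md5 and modp1024; that example illustrates the syntax, not a proposal to deploy.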
keyingtries = 3 (default)
how many attempts should be made to negotiate a connection,
or a replacement for one, before giving up.
IKEv1 Setting
aggressive
whether to use IKEv1 Aggressive or Main Mode (the default)
dpdtimeout
only applies to IKEv1. In IKEv2 the default retransmission timeout applies
strongswan
ipsec - invoke IPsec utilities
Start / Stop
start|restart [arguments]
update|reload|stop
ipsec route <name>
tells the responsible IKE daemon to insert an IPsec policy in the kernel for the connection <name>.
The first payload packet matching the IPsec policy will automatically trigger an IKE connection setup.
Status
status
statusall
Other
rereadsecrets
flushes and rereads all secrets defined in ipsec.secrets
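A tunnel health check built on the status commands above, as an added example (not from the original notes): it reads `ipsec statusall <name>` output, treats the conn as up only when there is an ESTABLISHED IKE_SA ("name[n]:" lines) and an INSTALLED tunnel-mode CHILD_SA ("name{n}:" lines), prints the negotiated traffic selectors, and otherwise runs `ipsec up <name>` once. The two status samples are constructed to resemble the daemon's output and are not captured from a real gateway; the conn name is assumed to contain no regex metacharacters.

```shell
#!/bin/sh
# Added example (not from the original notes): decide from `ipsec statusall`
# output whether a site-to-site conn is fully up, and bring it up if not.
# Assumptions: the conn name is the one from ipsec.conf and contains no regex
# metacharacters; SAMPLE_UP / SAMPLE_DOWN are constructed, not real captures.
set -eu

# Read status text on stdin. Return 0 only if $1 has an ESTABLISHED IKE_SA
# ("name[n]:" lines) and an INSTALLED tunnel-mode CHILD_SA ("name{n}:" lines).
tunnel_is_up() {
    conn="$1"
    status="$(cat)"
    printf '%s\n' "$status" | grep -Eq "^$conn\[[0-9]+\]: ESTABLISHED" || return 1
    printf '%s\n' "$status" | grep -Eq "^$conn[{][0-9]+[}]: +INSTALLED, TUNNEL" || return 1
    return 0
}

# Print the negotiated traffic selectors ("a/b === c/d") of $1 from status text on stdin.
tunnel_selectors() {
    grep -E "^$1[{][0-9]+[}]: +[0-9./]+ === [0-9./]+" | sed 's/^[^:]*: *//'
}

# Ask the running daemon; if the tunnel is not up, try one `ipsec up` (needs root).
check_tunnel() {
    conn="$1"
    if ipsec statusall "$conn" | tunnel_is_up "$conn"; then
        echo "$conn: up ($(ipsec statusall "$conn" | tunnel_selectors "$conn"))"
        return 0
    fi
    echo "$conn: not established, running ipsec up" >&2
    ipsec up "$conn"
}

# Constructed sample: what a healthy gateway prints for the notes' conn.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
dc-to-office[1]: ESTABLISHED 2 minutes ago, 10.0.0.160[10.0.0.160]...10.0.0.88[10.0.0.88]
dc-to-office[1]: IKEv2 SPIs: 1a2b3c4d5e6f7081_i* 8172635445362718_r, pre-shared key reauthentication in 7 hours
dc-to-office{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a1b2c3_i d4e5f6a7_o
dc-to-office{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
dc-to-office{1}:   192.168.160.0/24 === 192.168.88.0/24'

# Constructed sample: IKE_SA still negotiating, no CHILD_SA installed yet.
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
dc-to-office[2]: CONNECTING, 10.0.0.160[%any]...10.0.0.88[%any]
dc-to-office[2]: IKEv2 SPIs: 9f8e7d6c5b4a3928_i* 0000000000000000_r'

# Usage (as root, on either gateway): sh check_tunnel.sh dc-to-office
if [ "$#" -gt 0 ]; then
    check_tunnel "$1"
fi
```

Checking both the IKE_SA and the CHILD_SA matters: an ESTABLISHED IKE_SA with no INSTALLED CHILD_SA means authentication succeeded but the traffic selectors or ESP proposal did not match, which `ipsec status` alone shows only as "0 up".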
swanctl
Phase 2 proposal (SA/Key Exchange)[IKE]