StrongSwan

Requirements:

1. The customer has no VPN hardware, so a server is used as a temporary solution.

Implementation

1. Topology diagram

1. The SIP server is the customer's egress to the public Internet. A strongSwan site-to-site IPsec VPN is built on it so that the customer's machines can communicate with the Server.

SIP1 configuration:

1. yum install strongswan

2. Enable IP forwarding on the server:

echo "1" > /proc/sys/net/ipv4/ip_forward
sysctl -p

3. iptables -F

4. Edit the strongSwan configuration file:

vi /etc/strongswan/ipsec.conf

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn net-net
    left=1.1.1.1
    leftsubnet=192.168.1.0/24
    leftid=@https://www.wendangku.net/doc/1b10164940.html,
    leftfirewall=yes
    right=2.2.2.2
    rightsubnet=192.168.2.0/24
    rightid=@https://www.wendangku.net/doc/1b10164940.html,
    auto=add

5. vi /etc/strongswan/ipsec.secrets

@https://www.wendangku.net/doc/1b10164940.html, @https://www.wendangku.net/doc/1b10164940.html, : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL

6. vi /etc/strongswan/strongswan.conf

charon {
    load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
    dh_exponent_ansi_x9_42 = no
}

7. Configure iptables forwarding rules

8. service strongswan start

If the server is a Linux host, its strongSwan configuration follows the same pattern as the client side; the /etc/strongswan/ipsec.conf configuration needs to be changed as follows:

vi /etc/strongswan/ipsec.conf

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn net-net
    left=2.2.2.2
    leftsubnet=192.168.2.0/24
    leftid=@https://www.wendangku.net/doc/1b10164940.html,
    leftfirewall=yes
    right=1.1.1.1        # the peer (SIP1's public address), not this host's own 2.2.2.2
    rightsubnet=192.168.1.0/24
    rightid=@https://www.wendangku.net/doc/1b10164940.html,
    auto=add
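The two ipsec.conf files above are mirror images of each other: every left* value on SIP1 must equal the corresponding right* value on the Linux peer, and vice versa, or IKE fails on peer IDs or traffic selectors. The script below is an added example, not part of this document or of strongSwan itself; it parses two ipsec.conf excerpts constructed from the page's addresses (with placeholder peer IDs @site-a and @site-b) and reports every left/right mismatch, including the copy-paste slip of listing right=2.2.2.2 on both sides.

```python
"""Added example (not part of the original document): cross-check both peers' ipsec.conf
'conn' sections; peer A's left* must equal peer B's right* and vice versa."""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; sections start at column 0, keys are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments, keep indentation
        if not line.strip(): continue
        if not line[0].isspace():             # 'config setup' or 'conn <name>'
            current = line.strip()
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    """Merge 'conn %default' into the named conn, as strongSwan does."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections["conn " + name])
    return merged

def check_peer_consistency(conf_a, conf_b, name="net-net"):
    """Return a list of mismatches between peer A's and peer B's view of the conn."""
    a, b = (effective_conn(parse_ipsec_conf(c), name) for c in (conf_a, conf_b))
    problems = []
    for suffix in ("", "subnet", "id"):       # A.left* == B.right*, A.right* == B.left*
        for mine, theirs in (("left", "right"), ("right", "left")):
            if a.get(mine + suffix) != b.get(theirs + suffix):
                problems.append(f"A {mine}{suffix}={a.get(mine + suffix)!r} "
                                f"!= B {theirs}{suffix}={b.get(theirs + suffix)!r}")
    for key in ("keyexchange", "authby", "ikelifetime", "keylife"):
        if a.get(key) != b.get(key):          # both sides must agree on these
            problems.append(f"{key}: A={a.get(key)!r} B={b.get(key)!r}")
    return problems

# Constructed from the page's addresses; @site-a/@site-b are placeholder peer IDs.
SIP1_CONF = """conn %default
    keyexchange=ikev1
conn net-net
    left=1.1.1.1
    leftsubnet=192.168.1.0/24
    leftid=@site-a
    right=2.2.2.2
    rightsubnet=192.168.2.0/24
    rightid=@site-b
"""
PEER_CONF = SIP1_CONF.replace("left", "L").replace("right", "left").replace("L", "right")  # mirror image
PEER_CONF_AS_ON_PAGE = PEER_CONF.replace("right=1.1.1.1", "right=2.2.2.2")  # the copy-paste slip
```

Run check_peer_consistency(SIP1_CONF, PEER_CONF_AS_ON_PAGE) to see the single mismatch; the corrected PEER_CONF returns an empty list.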

Server-side configuration:

Using Cisco IOS as an example:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
!
! the key must match the PSK in /etc/strongswan/ipsec.secrets on SIP1
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto map cmap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS
 match address cryptoacl
!
interface Ethernet1/0
 ip address 192.168.2.1 255.255.255.0
!
interface Serial1/0
 ip address 172.2.2.2 255.255.255.252
 crypto map cmap
!
! interesting traffic: local LAN to the remote LAN behind SIP1
ip access-list extended cryptoacl
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
