Notes on configuring strongSwan on OpenWrt to connect to a Hillstone IPsec gateway

I. Main references:

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basic

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/site2site

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basics

https://oldwiki.archive.openwrt.org/inbox/strongswan.howto

https://www.xiaocan.me/linux-strongswan-cilent/

https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/

https://wiki.strongswan.org/issues/2071

http://blog.sina.com.cn/s/blog_517c21c00102wvij.html


II. Detailed notes

1. Install strongSwan:

opkg update
opkg install strongswan-ipsec strongswan-mod-kernel-libipsec kmod-tun


2. Edit /tmp/ipsec/ipsec.conf

root@OpenWrt:/tmp/ipsec# cat ipsec.conf
# generated by /etc/init.d/ipsec
version 2

conn dmz
  left=%any
  right=111.111.111.111      # public IP address of the headend (Hillstone) side
  leftsubnet=192.168.23.0/24     # subnet of the local LAN
  ikelifetime=3h
  lifetime=1h
  margintime=9m
  keyingtries=3
  dpdaction=none
  dpddelay=30s
  leftauth=psk
  rightauth=psk
  rightsubnet=192.168.10.0/24       # internal subnet on the headend side
  auto=route             # how the IPsec tunnel is brought up; one of add, route, start
  leftid=IPSEC-TEST      # this ID must match the IPsec configuration on the headend
  keyexchange=ikev1
  type=tunnel
  esp=3des-md5-modp1024        # phase 2 (IPsec SA) proposal, must match the headend; note that DH group 2 is written as modp1024, see the references above for the other DH group names
  ike=3des-md5-modp1024        # phase 1 (IKE SA) proposal, must match the headend
  forceencaps=yes              # reportedly forces UDP encapsulation of ESP; with yes the tunnel passes through more NAT gateways, set yes/no as the situation requires
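
Before loading a conn section like the one above, it helps to check it mechanically. The following is an added Python example (written for these notes, not code from the original post or from the strongSwan project): it parses the ipsec.conf syntax that strongSwan's starter accepts (a '#' starts a comment anywhere on the line, section headers in column 0, indented key=value lines, whitespace around '='), then audits the ike= and esp= proposal strings against a list of algorithms that are weak by today's standards and flags dpdaction=none, which in strongSwan disables dead peer detection regardless of dpddelay. The sample configuration is constructed from the conn above; the weak-algorithm list and the hardened proposal (aes256-sha256-modp2048, dpdaction=restart) are my own choices, not values the notes or the Hillstone side specify.

```python
"""Parse a strongSwan ipsec.conf and audit a conn section (added example)."""
from typing import Dict, List

# Constructed sample: the conn section from the notes, placeholder addresses kept.
SAMPLE_IPSEC_CONF = """\
# generated by /etc/init.d/ipsec
version 2

conn dmz
  left=%any
  right=111.111.111.111      # headend public IP
  leftsubnet=192.168.23.0/24
  ikelifetime=3h
  lifetime=1h
  margintime=9m
  keyingtries=3
  dpdaction=none
  dpddelay=30s
  leftauth=psk
  rightauth=psk
  rightsubnet=192.168.10.0/24
  auto=route
  leftid=IPSEC-TEST
  keyexchange=ikev1
  type=tunnel
  esp=3des-md5-modp1024
  ike=3des-md5-modp1024
  forceencaps = yes
"""

# Constructed hardened variant (assumption: AES-256 / SHA-256 / DH group 14 is my
# choice; the headend must be configured to match before this can be used).
HARDENED_CONF = """\
conn dmz
  left=%any
  right=111.111.111.111
  leftsubnet=192.168.23.0/24
  rightsubnet=192.168.10.0/24
  leftauth=psk
  rightauth=psk
  keyexchange=ikev1
  dpdaction=restart
  dpddelay=30s
  esp=aes256-sha256-modp2048
  ike=aes256-sha256-modp2048
"""

# Proposal tokens this audit treats as weak (assumption: my policy, not strongSwan's).
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"conn NAME": {key: value}, ...} from ipsec.conf text."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip full-line and inline comments
        if not line.strip():
            continue
        if not line[0].isspace():
            # Column-0 keyword: 'conn NAME', 'ca NAME', 'config setup', 'version 2', ...
            parts = line.split(None, 1)
            if parts[0] in ("conn", "ca", "config") and len(parts) == 2:
                current = f"{parts[0]} {parts[1].strip()}"
                sections[current] = {}
            else:
                current = None
            continue
        if current is None:
            raise ValueError(f"key/value line outside any section: {raw!r}")
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def parse_proposal(proposal: str) -> List[List[str]]:
    """Split 'aes256-sha256-modp2048,3des-md5-modp1024!' into token lists per alternative."""
    return [alt.strip().rstrip("!").split("-") for alt in proposal.split(",") if alt.strip()]


def audit_conn(conn: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one conn section (empty list means clean)."""
    findings: List[str] = []
    for key in ("ike", "esp"):
        for tokens in parse_proposal(conn.get(key, "")):
            weak = [t for t in tokens if t in WEAK_TOKENS]
            if weak:
                findings.append(
                    f"{key}: weak algorithm(s) {','.join(weak)} in proposal {'-'.join(tokens)}"
                )
    # dpdaction=none (strongSwan's default) disables dead peer detection entirely,
    # so dpddelay=30s on its own does nothing and stale SAs linger after the peer drops.
    if conn.get("dpdaction", "none") == "none":
        findings.append("dpdaction=none: dead peer detection is disabled despite dpddelay")
    # IKEv1 aggressive mode with PSK sends the identity and a PSK-derived hash unprotected.
    if conn.get("keyexchange") == "ikev1" and conn.get("aggressive", "no") == "yes":
        findings.append("aggressive=yes with ikev1: identity and PSK hash sent unprotected")
    return findings


if __name__ == "__main__":
    for name, conf in (("notes", SAMPLE_IPSEC_CONF), ("hardened", HARDENED_CONF)):
        for finding in audit_conn(parse_ipsec_conf(conf)["conn dmz"]) or ["no findings"]:
            print(f"[{name}] {finding}")
```

Run it as a script to see the three findings on the conn from the notes (weak ike proposal, weak esp proposal, DPD disabled) and none on the hardened variant; the proposal on the OpenWrt side can only be raised once the Hillstone side offers the same algorithms, otherwise phase 1 or phase 2 negotiation fails.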

2. Edit /etc/firewall.user

iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT

3. /etc/config/ipsec (not used; can be ignored)

config 'ipsec'
  list listen ''
  option 'debug' '0'
  option 'interface' 'eth0.3'
  
config 'remote' 'aaa'
  option 'enabled' '1'
  option 'gateway' '1.1.1.1'
  option 'pre_shared_key' 'aaaaaaaaaa'
  option 'exchange_mode' 'main'
  option 'authentication_method' 'psk'
  option 'local_identifier' 'IPSEC-TEST-1'
  list   'p1_proposal' 'pre_g2_des_sha1'

  list   'tunnel' 'aaa_dmz'
  list   'tunnel' 'aaa_lan'

config 'p1_proposal' 'pre_g2_des_sha1'
  option 'encryption_algorithm' 'des'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' '2'

config 'tunnel' 'aaa_lan'
  option 'local_subnet' '192.168.23.0/24'
  option 'remote_subnet' '192.168.10.0/24'
  option 'p2_proposal' 'g2_des_sha1'
  option 'keyexchange' 'ikev1'
  
config 'tunnel' 'aaa_dmz'
  option 'local_subnet' '192.168.23.0/24'
  option 'remote_subnet' '192.168.15.0/24'
  option 'p2_proposal' 'g2_des_sha1'
  option 'keyexchange' 'ikev1'
  
config 'p2_proposal' 'g2_des_sha1'
  option 'pfs_group' '2'
  option 'encryption_algorithm' 'des'
  option 'authentication_algorithm' 'sha1'
  

4. Manual start commands

/usr/sbin/ipsec start      # start the IPsec daemon
/usr/sbin/ipsec up dmz     # bring up the dmz tunnel manually (when auto=add or auto=route above)
/usr/sbin/ipsec statusall  # show the ipsec configuration and runtime status

ifconfig ipsec0       # check whether the ipsec0 virtual interface appears once the tunnel is up

5. Add a route:

route add -net 192.168.10.0/24 dev ipsec0

6. Final finding:

The Hillstone junk only allows a single connection: when a second IPsec peer connects, it kicks the first one off!!!!!!

posted on 2019-06-01 22:52 by 9394952