Setting up a Site-to-Site IPsec VPN with strongSwan on Ubuntu 22.04
Two servers, each with a public address:
Site A
Private IP: 172.31.11.254
Private subnet: 172.31.11.0/24
Public IP: 1.1.1.1
Site B
Private IP: 10.1.32.254
Private subnet: 10.1.32.0/24
Public IP: 2.2.2.2
# apt update && apt upgrade -y
# nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
# sysctl -p
# apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y
# systemctl enable strongswan-starter
# systemctl status strongswan-starter
# head -c 24 /dev/urandom | base64
output:
wu1DcUd+4bJav5doD8gsD36CZBZdwuCl
Add the key generated above to /etc/ipsec.secrets (the same PSK must be present on both sites):
# nano /etc/ipsec.secrets
# on the Site-A server
1.1.1.1 2.2.2.2 : PSK "0kfrp1vSj006fxz2qjcwitqEGPepAnIR"
# on the Site-B server
2.2.2.2 1.1.1.1 : PSK "0kfrp1vSj006fxz2qjcwitqEGPepAnIR"
# cp /etc/ipsec.conf /etc/ipsec.conf.bak
# nano /etc/ipsec.conf
# On Site-A:
config setup
    charondebug="all"
    uniqueids=yes

conn site-a
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    # left = this host's private address; leftid = the public address it is
    # reachable at, which is what the peer puts in its right= line
    left=172.31.11.254
    leftsubnet=172.31.11.0/24
    leftsourceip=172.31.11.254
    leftid=1.1.1.1
    right=2.2.2.2
    rightsubnet=10.1.32.0/24
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=86400s
    lifetime=43200s
    lifebytes=576000000
    # dead peer detection: probe every 30 s, restart the tunnel after 120 s of silence
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
# On Site-B:
config setup
    charondebug="all"

conn site-b
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    right=1.1.1.1
    rightsubnet=172.31.11.0/24
    rightsourceip=172.31.11.254
    left=10.1.32.254
    leftid=2.2.2.2
    leftsubnet=10.1.32.0/24
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=86400s
    lifetime=43200s
    lifebytes=576000000
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
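As an added illustration (not part of the original article or of strongSwan), a small Python checker that parses two conn sections of the form shown above and reports what a reviewer would catch before loading them: left*/right* values that do not mirror across the two peers, ike/esp proposals that differ between sites, and legacy algorithms such as SHA-1 and MODP-1024 that the proposals above still use. The sample input is constructed from this page's configuration, with a mistyped leftsourceip planted on Site-A so the checker has something to report.

```python
import re

# Constructed sample input modelled on this page's two conn sections; the
# leftsourceip octet 256 is deliberately wrong so the mirror check fires.
SITE_A = """conn site-a
    left=172.31.11.254
    leftsubnet=172.31.11.0/24
    leftsourceip=172.31.11.256
    leftid=1.1.1.1
    right=2.2.2.2
    rightsubnet=10.1.32.0/24
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
"""
SITE_B = """conn site-b
    right=1.1.1.1
    rightsubnet=172.31.11.0/24
    rightsourceip=172.31.11.254
    left=10.1.32.254
    leftid=2.2.2.2
    leftsubnet=10.1.32.0/24
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
"""
WEAK = {"md5", "sha1", "modp768", "modp1024", "des", "3des", "null"}  # reject in a new tunnel

def parse_conn(text):
    """Parse one ipsec.conf 'conn' section into a dict ('#' comments and the conn line dropped)."""
    lines = (raw.split("#", 1)[0] for raw in text.splitlines())
    pairs = (line.partition("=") for line in lines if "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def check_pair(a, b):
    """Findings for two peers: left* on one side must mirror right* on the other,
    and ike/esp must match on both sides and contain no weak algorithm."""
    findings = []
    for x, y, tag in ((a, b, "A"), (b, a, "B")):
        peer_id = x.get("leftid", x.get("left"))  # what the other side must put in right=
        if peer_id != y.get("right"):
            findings.append(f"{tag}: leftid {peer_id} != peer right {y.get('right')}")
        for k, mirror in (("leftsubnet", "rightsubnet"), ("leftsourceip", "rightsourceip")):
            if k in x and x[k] != y.get(mirror):
                findings.append(f"{tag}: {k}={x[k]} != peer {mirror}={y.get(mirror)}")
    for k in ("ike", "esp"):
        if a.get(k) != b.get(k):
            findings.append(f"{k} proposals differ: {a.get(k)} vs {b.get(k)}")
        findings += [f"weak algorithm '{alg}' in {k}={a.get(k)}"
                     for alg in re.split(r"[-!,]", a.get(k, "")) if alg in WEAK]
    return findings
```

Run `check_pair(parse_conn(SITE_A), parse_conn(SITE_B))` against your own two conn sections; an empty list means the sides mirror and no flagged algorithm is in use.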
# ipsec restart
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.19.0-1026-aws, x86_64):
uptime: 24 minutes, since Jun 05 13:18:48 2023
malloc: sbrk 2588672, mmap 0, used 1801344, free 787328
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
172.31.11.254
Connections:
site-a: 172.31.11.254...2.2.2.2 IKEv2, dpddelay=30s
site-a: local: [1.1.1.1] uses pre-shared key authentication
site-a: remote: [2.2.2.2] uses pre-shared key authentication
site-a: child: 172.31.11.0/24 === 10.1.32.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
site-a[2]: ESTABLISHED 24 minutes ago, 172.31.11.187[18.184.129.96]...13.245.167.45[13.245.167.45]
site-a[2]: IKEv2 SPIs: ..., pre-shared key reauthentication in 23 hours
site-a[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
site-a{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c885ed77_i cdd1a184_o
site-a{2}: AES_CBC_256/HMAC_SHA1_96, 1869 bytes_i (16 pkts, 722s ago), 1495 bytes_o (14 pkts, 722s ago), rekeying in 11 hours
site-a{2}: 172.31.11.0/24 === 10.1.32.0/24