- 1RabbitMQ 学习:Work Queues 轮询(工作队列)_rabbitmq的轮询
- 2ubuntu 20.04LTS + gerrit + git + jenkins安装指南_gerrit 安装教程
- 3mysql中提供的函数
- 4conda&pytorch环境搭建笔记
- 5安装MindFormers
- 6有限状态机(FSM)
- 7AI新手的福音:两大原则助你精通Prompt_如何使用jina写prompt
- 8如何高效运用《霍格沃茨之遗》风灵月影修改器:全面教程与技巧_霍格沃兹之遗如何修改金钱
- 9支付宝开放平台-开发者社区——AI 日报「 7月 29日 」
- 10C语言实现扫雷(具体步骤和代码)_扫雷程序代码c语言
openwrt配置strongswan对接hillstone ipsec的笔记_openwrt安装strongswan
赞
踩
一、主要参考资料:
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basic
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/site2site
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basics
https://oldwiki.archive.openwrt.org/inbox/strongswan.howto
https://www.xiaocan.me/linux-strongswan-cilent/
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/
https://wiki.strongswan.org/issues/2071
http://blog.sina.com.cn/s/blog_517c21c00102wvij.html
二、具体笔记
1、安装strongswan:
- opkg update
- opkg install strongswan-ipsec strongswan-mod-kernel-libipsec kmod-tun
2、修改/tmp/ipsec/ipsec.conf
- root@OpenWrt:/tmp/ipsec# cat ipsec.conf
- # generated by /etc/init.d/ipsec
- version 2
-
- conn dmz
- left=%any
- right=111.111.111.111 #主端的公网IP地址
- leftsubnet=192.168.23.0/24 #本地LAN端的IP地址段
- ikelifetime=3h
- lifetime=1h
- margintime=9m
- keyingtries=3
- dpdaction=none
- dpddelay=30s
- leftauth=psk
- rightauth=psk
- rightsubnet=192.168.10.0/24 #主端的内网IP地址段
- auto=route #这个参数定义IPSEC隧道的启动方式,可选add\route\start
- leftid=IPSEC-TEST #这个ID根据主端的IPSEC配置来匹配
- keyexchange=ikev1
- type=tunnel
- esp=3des-md5-modp1024 #IPSEC第二阶段的协商加密协议,需与主端匹配,注意dh2对应是modp1024的写法,其它dh组对应值查看上面资料
- ike=3des-md5-modp1024 #IPSEC第一阶段的协商加密协议,需与主商匹配
- forceencaps = yes #据说是udp包的封装,yes后可以适配更多的网关转发,需视情况yes/no
2、修改/etc/firewall.user
- iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
- iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
- iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
- iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
3、/etc/config/ipsec(无用的,可以无视之)
- config 'ipsec'
- list listen ''
- option 'debug' '0'
- option 'interface' 'eth0.3'
-
- config 'remote' 'aaa'
- option 'enabled' '1'
- option 'gateway' '1.1.1.1'
- option 'pre_shared_key' 'aaaaaaaaaa'
- option 'exchange_mode' 'main'
- option 'authentication_method' 'psk'
- option 'local_identifier' 'IPSEC-TEST-1'
- list 'p1_proposal' 'pre_g2_des_sha1'
-
- list 'tunnel' 'aaa_dmz'
- list 'tunnel' 'aaa_lan'
-
- config 'p1_proposal' 'pre_g2_des_sha1'
- option 'encryption_algorithm' 'des'
- option 'hash_algorithm' 'sha1'
- option 'dh_group' '2'
-
- config 'tunnel' 'aaa_lan'
- option 'local_subnet' '192.168.23.0/24'
- option 'remote_subnet' '192.168.10.0/24'
- option 'p2_proposal' 'g2_des_sha1'
- option 'keyexchange' 'ikev1'
-
- config 'tunnel' 'aaa_dmz'
- option 'local_subnet' '192.168.23.0/24'
- option 'remote_subnet' '192.168.15.0/24'
- option 'p2_proposal' 'g2_des_sha1'
- option 'keyexchange' 'ikev1'
-
- config 'p2_proposal' 'g2_des_sha1'
- option 'pfs_group' '2'
- option 'encryption_algorithm' 'des'
- option 'authentication_algorithm' 'sha1'
4、手动启动命令
- /usr/sbin/ipsec start #启动IPSEC进程
- /usr/sbin/ipsec up dmz #手动启动dmz隧道(当上面的auto=add或route时)
- /usr/sbin/ipsec statusall #查看ipsec的配置及运行状态等
-
- ifconfig ipsec0 #查看隧道打通后是否产生ipsec0这个虚拟网卡
5、添加路由:
route add -net 192.168.10.0/24 dev ipsec06、最后发现:
hillstone的垃圾只可以一个连接,当第二个IPSEC连上去会把第一个IPSEC踢掉!!!!!!
