strongswan配置使用(一)_strongswan配置详解

安装strongswan

https://github.com/matfabia/strongswan

strongswan 的配置文件如下所示

• ipsec.conf //配置ipsec隧道信息
• ipsec.secerts //psk密钥 配置设备私钥证书 配置eap用户名和密码
• strongswan.conf //为strongswan提供所有组件配置

ipsec.conf官网配置示例

官网https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
 	# uniqueids = no
 	
# Add connections here.

# Sample VPN connections

#conn sample-self-signed           //ipsec隧道名 一条ipsec配置的起始处
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start
#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

服务端-实例配置

只配置了必要的参数

config setup
        charondebug="cfg 4, dmn 4, ike 4, net 4, knl 4"
        uniqueids=yes
        strictcrlpolicy=no
        
conn %default
        ikelifetime=24h       //在重新协商之前应该持续多长时间
        keylife=8h             //从成功协商到期应该持续多长时间
        rekeymargin=30m        
        keyingtries=3        
        keyexchange=ikev2        
        authby=psk   
        dpddelay=180s     
        ike=aes256-sha1-modp2048!        
        esp=aes192-sha1-esn!    //用于连接ESP加密认证算法
        mobike=no
        
conn test        			//隧道名称，一条ipsec的起始处
        left=%any        		//ipsec协商公网IP 填写IP或者%defaultroute
        leftcert=vrf_0.pem     		//公钥证书
        leftsubnet=192.168.0.1/32         //本段保护子网
        leftid=198.18.0.1		//本端id
        leftfirewall=yes        	//关闭防火
        right=%any        		//ipsec对端IP  %any表示任意，服务端配置为%any
        rightid=198.18.0.2		//对端id
        rightsubnet=0.0.0.0/0        	//对端保护子网
        rightdns=114.114.114.114 	
        auto=add                        //不发起ipsec连接

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

客户端-实例配置

conn %default
...
type=tunnel
dpddelay=180s
apdaction=restart   //dpd检测失败后重新连接


conn test-cli
	left=192.168.100.180
	auto=start   		 //主动发起连接
	keyingtries=%forever 	//直到协商成功
	letfsubnet=192.18.0.2	 //保护子网
	right=192.168.100.161	//服务端IP
	leftid=198.18.0.2       //移动端ios作为标识要用
	reghtid=198.18.0.1     //对端

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

ipsec.secrets配置

• 配置psk密钥

   :PSK  “vpp123”   //默认psk
   rightid :PSK    “123456”   //psk绑定隧道
  1
  2

• 配置私钥证书

     :RSA  1-key.pem      //存放于 /usr/local/etc/ipsec.d/peivate/ 目录下
  1

• 配置EAP用户名和密码

   :test :EAP  "123456"  //用户名test 密码123456
   :EAP “vpp123”        //用户名任意，密码vpp123
  1
  2

ipsec.secrets配置文件

strongswan.conf配置文件

ron {
    load_modular = yes   
    plugins {
            include strongswan.d/charon/*.conf    //加载插件
    }
     filelog {
		  /var/log/strongswan-log {
		  time_format-log = %b %e %T
		  default = 1  //日志调试级别
		  append = no
		  flush_line = yes
		}
    }
}
include strongswan.d/*.conf         //加载其下的所有.conf文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

所有.conf文件

所有插件