使用Strongswan中IPsec协议实现站点到站点

这是IPSec站点到站点连接最后一篇，我们之前已经教导使用libreswan和netbird来搭建，最后补全最后一块版图，使用strongSwan来搭建。
阿里云 - strongSwan配置示例

样例

[!图1]

dnf install epel-release

systemctl enable firewalld.service --now

firewall-cmd --set-default-zone trusted

firewall-cmd --get-active-zones

firewall-cmd --add-forward --permanent

firewall-cmd --add-masquerade --permanent

firewall-cmd --reload

firewall-cmd --list-all

需要安装strongswan和他需要的sqlite. 否则报错plugin ‘sqlite’: failed to load - sqlite_plugin_create not found and no plugin file available.
其实不需要也可以，但是我都安装上吧。

dnf install strongswan strongswan-sqlite -y
```        

复制conf到/etc/strongswan/swanctl/conf.d/*.conf

```sh
192.168.0.1/24 -- | 1.1.1.1 | === | 2.2.2.2 | -- 172.22.224.0/20
Shanghai-vpc        Shanghai          Beijing         Beijing-vpc

Shanghai侧

connections {

   gw-gw {
      local_addrs = 192.168.0.99  # 第1个本地网卡的ip地址 / eth0私网IP地址
      remote_addrs = 2.2.2.2 # 对方公网IP

      version = 2  # 指定IKE版本
      reauth_time = 10800

      dpd_delay = 10
      rekey_time = 84600               # 指定隧道gw-gw的SA生存周期
      over_time = 1800
      proposals = aes-sha1-modp1024    # 指定隧道gw-gw的IKE加密算法、认证算法、DH分组， 你可以设置为aes256-sha256-modp2048
      encap = yes

      local {
         auth = psk
         id = 1.1.1.1 # 本地公网IP
      }
      remote {
         auth = psk
         id = 2.2.2.2 # 对端公网IP
      }
      children {
         net-net {
            local_ts  = 192.168.0.0/24
            remote_ts = 172.22.224.0/20
            mode = tunnel
            rekey_time = 85500
            dpd_action = restart
            start_action = start
            close_action = start
            esp_proposals = aes-sha1-modp1024   # 指定隧道gw-gw的IPSec加密算法、认证算法、DH分组。
            priority = 1
         }
      }
   }

另一台Beijing侧配置如下：

connections {

   gw-gw {
      local_addrs = 172.22.231.242 
      remote_addrs = 1.1.1.1

      version = 2
      reauth_time = 10800

      dpd_delay = 10
      rekey_time = 84600               
      over_time = 1800
      proposals = aes-sha1-modp1024
      encap = yes

      local {
         auth = psk
         id = 2.2.2.2
      }
      remote {
         auth = psk
         id = 1.1.1.1
      }
      children {
         net-net {
            local_ts  = 172.22.224.0/20
            remote_ts = 192.168.0.0/24
            mode = tunnel
            rekey_time = 85500
            dpd_action = restart
            start_action = start
            close_action = start
            esp_proposals = aes-sha1-modp1024
            priority = 1
         }
      }
   }

然后先

swanctl --load-all

之后再

systemctl start strongswan

你可以通过以下方式查看配置

swanctl --list-conns

systemctl restart strongswan
swanctl --load-all
watch swanctl --list-sas

[root@gw2 ~]# swanctl --list-sas
gw-gw: #4, ESTABLISHED, IKEv2, 6311cb1b26cea94f_i a01f379c656fbdc7_r*
  local  '2.2.2.2' @ 172.22.231.242[4500]
  remote '1.1.1.1' @ 1.1.1.1[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1551s ago, rekeying in 81597s, reauth in 7935s
  net-net: #4, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 1551s ago, rekeying in 77539s, expires in 92499s
    in  c021a60b,      0 bytes,     0 packets
    out c913ef93,      0 bytes,     0 packets
    local  172.22.224.0/20
    remote 192.168.0.0/24

之后只需要在路由器上的路由表设置哪个IP段、下一跳即可。当然你也可以用ip route设置。请记得如果是ECS，也请确保设置好IP转发和IP伪装。

手动连接方式测试

因为我们都自动连接了，在启动systemctl start strongswan后就会尝试协商。但是你也可以通过以下方式来测试。
我们的connection叫”gw-gw”，所以，当我们启动连接的时候，应该如下：

swanctl --initiate --ike gw-gw

swanctl --initiate --child net-net

错误排查

查看最近100条日志

sudo journalctl -u strongswan -n 100

本次教程结束。