Four virtual machines A, B, C and D, and three Host Only virtual networks vmnet2, vmnet3 and vmnet4, with DHCP disabled on all three.

```
A  vmnet2: 10.1.0.10/24   gw 10.1.0.2
B  vmnet2: 10.1.0.2/24
   vmnet3: 192.168.0.2/24
C  vmnet3: 192.168.0.3/24
   vmnet4: 10.2.0.2/24
D  vmnet4: 10.2.0.10/24   gw 10.2.0.2
```
On both B and C, download, build and install strongSwan 5.4.0; the installed version can be confirmed in config.h.

```shell
wget http://download.strongswan.org/strongswan-5.4.0.tar.bz2
apt-get install libgmp-dev
apt-get install libssl-dev
tar -jxvf strongswan-5.4.0.tar.bz2
cd strongswan-5.4.0   # configure must be run from the unpacked source tree
./configure --sysconfdir=/etc --enable-openssl --enable-gmp --prefix=`pwd`/installed
make && make install
```
Both B and C are attached to the same VMware shared folder, share (mounted at /mnt/hgfs/share).

Generate the certificates on B:

```shell
mkdir cert && cd cert
# CA key and self-signed CA certificate
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=CN, O=NetworkLab, CN=NetworkLab CA" --ca --outform pem > ca.cert.pem
# gateway (server) key and certificate for sun.com
ipsec pki --gen --outform pem > sun.server.pem
ipsec pki --pub --in sun.server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=NetworkLab, CN=sun.com" --san="sun.com" --flag serverAuth --flag ikeIntermediate --outform pem > sun.server.cert.pem
# gateway (server) key and certificate for moon.com
ipsec pki --gen --outform pem > moon.server.pem
ipsec pki --pub --in moon.server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=NetworkLab, CN=moon.com" --san="moon.com" --flag serverAuth --flag ikeIntermediate --outform pem > moon.server.cert.pem
# client keys and certificates
ipsec pki --gen --outform pem > sun.client.pem
ipsec pki --pub --in sun.client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=NetworkLab, CN=client" --outform pem > sun.client.cert.pem
ipsec pki --gen --outform pem > moon.client.pem
ipsec pki --pub --in moon.client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=NetworkLab, CN=client" --outform pem > moon.client.cert.pem
# leave the cert directory before moving it to the shared folder
cd .. && mv cert /mnt/hgfs/share/
```
Install the certificates on B:

```shell
cp -r /mnt/hgfs/share/cert/ca.cert.pem /etc/ipsec.d/cacerts/
cp -r /mnt/hgfs/share/cert/moon.server.cert.pem /etc/ipsec.d/certs/
cp -r /mnt/hgfs/share/cert/moon.server.pem /etc/ipsec.d/private/
cp -r /mnt/hgfs/share/cert/sun.client.cert.pem /etc/ipsec.d/certs/
cp -r /mnt/hgfs/share/cert/sun.client.pem /etc/ipsec.d/private/
```
Install the certificates on C:

```shell
cp -r /mnt/hgfs/share/cert/ca.cert.pem /etc/ipsec.d/cacerts/
cp -r /mnt/hgfs/share/cert/sun.server.cert.pem /etc/ipsec.d/certs/
cp -r /mnt/hgfs/share/cert/sun.server.pem /etc/ipsec.d/private/
cp -r /mnt/hgfs/share/cert/moon.client.cert.pem /etc/ipsec.d/certs/
cp -r /mnt/hgfs/share/cert/moon.client.pem /etc/ipsec.d/private/
```
Configuration on B

/etc/ipsec.conf

```
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn net-net-rsa
    left=192.168.0.2
    leftcert=moon.server.cert.pem
    leftsubnet=10.1.0.0/24
    leftid=@moon.com
    leftfirewall=yes
    right=192.168.0.3
    rightsubnet=10.2.0.0/24
    rightid=@sun.com
    auto=add

conn net-net-psk
    keyexchange=ikev1
    authby=secret
    left=192.168.0.2
    leftsubnet=10.1.0.0/16
    leftid=@xxx.server.com
    leftfirewall=yes
    right=192.168.0.3
    rightsubnet=10.2.0.0/16
    rightid=@yyy.server.com
    ike=aes-sha1-modp1024
    esp=aes-sha1-modp1024
    auto=route
    type=tunnel
```

/etc/ipsec.secrets

```
@xxx.server.com @yyy.server.com : PSK hello
: RSA moon.server.pem
```

/etc/strongswan.conf

```
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
```
Configuration on C

/etc/ipsec.conf

```
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn net-net-rsa
    left=192.168.0.3
    leftcert=sun.server.cert.pem
    leftsubnet=10.2.0.0/24
    leftid=@sun.com
    leftfirewall=yes
    right=192.168.0.2
    rightsubnet=10.1.0.0/24
    rightid=@moon.com
    auto=add

conn net-net-psk
    keyexchange=ikev1
    authby=secret
    left=192.168.0.3
    leftsubnet=10.2.0.0/16
    leftid=@yyy.server.com
    leftfirewall=yes
    right=192.168.0.2
    rightsubnet=10.1.0.0/16
    rightid=@xxx.server.com
    ike=aes-sha1-modp1024
    esp=aes-sha1-modp1024
    auto=route
    type=tunnel
```

/etc/ipsec.secrets

```
@xxx.server.com @yyy.server.com : PSK hello
: RSA sun.server.pem
```

/etc/strongswan.conf

```
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
```
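The two ipsec.conf files above must mirror each other exactly (B's left* values are C's right* values and vice versa), and a single mismatched subnet or ID is the usual reason a tunnel fails to come up. The following added checker (not part of this post or of strongSwan) parses both files, merges the `conn %default` values the way strongSwan does, reports any left/right mismatch, and flags the legacy choices in the PSK conn (IKEv1 and the 1024-bit modp1024 DH group). The sample configs it builds are constructed to match the moon/sun lab above.

```python
import re

def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {conn_name: {key: value}}. Values from
    'conn %default' are merged into every other conn, as strongSwan does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:  # 'conn NAME' opens a section; 'config setup' is skipped
            current = sections.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}

# Each left-hand key on one gateway must equal the right-hand key on its peer.
MIRROR = [("left", "right"), ("leftsubnet", "rightsubnet"), ("leftid", "rightid")]

def check_peer_pair(conn_a, conn_b):
    """Return mismatches between the two ends of one conn (empty list if consistent)."""
    problems = []
    for lk, rk in MIRROR:
        for a, b in ((lk, rk), (rk, lk)):
            if conn_a.get(a) != conn_b.get(b):
                problems.append(f"{a}={conn_a.get(a)} on A vs {b}={conn_b.get(b)} on B")
    if conn_a.get("keyexchange") != conn_b.get("keyexchange"):
        problems.append("keyexchange differs between the peers")
    return problems

def weak_settings(conn):
    """Flag legacy choices in one conn: IKEv1 and 1024-bit DH (modp1024) in ike/esp."""
    flags = ["keyexchange=ikev1"] if conn.get("keyexchange") == "ikev1" else []
    flags += [f"{k} uses modp1024" for k in ("ike", "esp") if "modp1024" in conn.get(k, "")]
    return flags

def lab_conf(me, peer, my_net, peer_net, my_id, peer_id):
    """Constructed ipsec.conf for one gateway, in the shape of the moon/sun configs above."""
    ends = (f"  left={me}\n  leftsubnet={my_net}\n  leftid=@{my_id}\n"
            f"  right={peer}\n  rightsubnet={peer_net}\n  rightid=@{peer_id}\n")
    return ("config setup\nconn %default\n  keyexchange=ikev2\n"
            "conn net-net-rsa\n" + ends + "  auto=add\n"
            "conn net-net-psk\n  keyexchange=ikev1\n  authby=secret\n" + ends +
            "  ike=aes-sha1-modp1024\n  esp=aes-sha1-modp1024\n")

MOON = parse_ipsec_conf(lab_conf("192.168.0.2", "192.168.0.3", "10.1.0.0/24", "10.2.0.0/24", "moon.com", "sun.com"))
SUN = parse_ipsec_conf(lab_conf("192.168.0.3", "192.168.0.2", "10.2.0.0/24", "10.1.0.0/24", "sun.com", "moon.com"))
```

To check the real files, replace the constructed text with `open("/etc/ipsec.conf").read()` from each gateway and compare `check_peer_pair(moon["net-net-rsa"], sun["net-net-rsa"])`.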
At this point, run the following on both B and C:

```shell
echo 1 > /proc/sys/net/ipv4/ip_forward
# --nofork keeps the daemon in the foreground, so run the "ipsec up" commands from a second terminal
ipsec restart --nofork
# to use the RSA (certificate) connection
ipsec up net-net-rsa
# to use the PSK connection
ipsec up net-net-psk
```

Finally, ping machine D from A.
References:
https://www.strongswan.org/
https://blog.csdn.net/puppylpg/article/details/64918562
http://www.hqyman.cn/post/543.html
https://www.cnblogs.com/hugetong/p/10150992.html