Setting up an IKEv2 VPN between a dynamically addressed strongSwan and VPP

The scenario is as follows:

  ----------------                          ------------------                       ---------------
  | 192.168.3.1  |         172.31.          |                |    192.168.5.0/24    |             |
  |  strongSwan  X==========================X      VPP       X======================X    HTTP     |
  |  Initiator   | 102.137          101.107 |   Responder    | .1                .2 |   Server    |
  ----------------                          ------------------                       ---------------

strongSwan acts as the Initiator and has a dynamic address. In this example it uses 172.31.102.137.

VPP acts as the Responder. Its address is fixed and only needs to be reachable from the Initiator. In this example it uses 172.31.101.107.

VPP configuration: assume you have a network-reachable NIC GigabitEthernetb/0/0. For how to bind the NIC to VPP, refer to http://Fd.io

Create a virtual internal network on the Responder

sudo ip netns add serverns
sudo ip link add veth_server type veth peer name server
sudo ip link set dev veth_server up netns serverns
sudo ip netns exec serverns \
  bash -c "
    ip link set dev lo up
    ip addr add 192.168.5.2/24 dev veth_server
    ip route add 192.168.3.0/24 via 192.168.5.1
    ip route add 0.0.0.0/0 via 192.168.5.1
  "

Configure VPP

set interface ip address GigabitEthernetb/0/0 172.31.101.107/24
set interface state GigabitEthernetb/0/0 up
ip route add 0.0.0.0/0 via 172.31.101.1
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0

strongSwan configuration:

sudo apt update
sudo apt install strongswan

/etc/ipsec.conf (on Debian: /etc/strongswan/ipsec.conf)

config setup
    strictcrlpolicy=no

conn %default
    ike=aes256-sha1-modp2048!
    esp=aes192-sha1-esn!
    mobike=no
    keyexchange=ikev2
    ikelifetime=24h
    lifetime=24h

conn net-net
    right=172.31.101.107
    rightsubnet=192.168.5.0/24
    rightauth=psk
    rightid=@vpp.home
    left=%defaultroute
    leftsubnet=192.168.3.0/24
    leftauth=psk
    leftid=@roadwarrior.vpn.example.com
    auto=start

/etc/ipsec.secrets (on Debian: /etc/strongswan/ipsec.secrets)

: PSK "Vpp123"

From version 5.7 onward it must be written as

roadwarrior.vpn.example.com vpp.home : PSK "Vpp123"

sudo ipsec restart
sudo ipsec statusall

Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 62 minutes ago, 172.31.102.137[roadwarrior.vpn.example.com]...172.31.101.107[vpp.home]
     net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ac9055_i 0899f024_o
     net-net{1}:   192.168.3.0/24 === 192.168.5.0/24
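As an added check that is not part of the original post: a POSIX shell function that parses `ipsec statusall` output like the one above and only reports success when the IKE SA is ESTABLISHED between the expected identities and a CHILD SA is INSTALLED with exactly the configured traffic selectors, which is what a monitoring script should look at rather than just "1 up". The sample output is constructed from the status shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample copied from
# the `ipsec statusall` output of the net-net connection above.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 62 minutes ago, 172.31.102.137[roadwarrior.vpn.example.com]...172.31.101.107[vpp.home]
     net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ac9055_i 0899f024_o
     net-net{1}:   192.168.3.0/24 === 192.168.5.0/24'

# Escape dots so identities and subnets are matched literally by grep.
esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check_tunnel CONN LOCAL_ID REMOTE_ID LEFT_NET RIGHT_NET  (statusall output on stdin)
# Returns 0 when the tunnel is fully up as configured; 1/2/3 name the failing check.
check_tunnel() {
    conn=$1; lid=$(esc "$2"); rid=$(esc "$3"); lnet=$(esc "$4"); rnet=$(esc "$5")
    status=$(cat)
    # 1. IKE SA line: ESTABLISHED, our identity on the left, the peer's identity on the right.
    printf '%s\n' "$status" \
      | grep -q "^ *${conn}\[[0-9]*\]: ESTABLISHED .*\[${lid}\]\.\.\.[0-9.]*\[${rid}\]" || return 1
    # 2. CHILD SA must be INSTALLED in TUNNEL mode (negotiated is not enough to carry traffic).
    printf '%s\n' "$status" | grep -q "^ *${conn}{[0-9]*}: *INSTALLED, TUNNEL" || return 2
    # 3. Traffic selectors must be exactly the configured subnets, nothing wider or narrower.
    printf '%s\n' "$status" | grep -q "^ *${conn}{[0-9]*}: *${lnet} === ${rnet}\$" || return 3
    return 0
}

# Stand-alone usage against the constructed sample.
if printf '%s\n' "$SAMPLE_STATUS" \
     | check_tunnel net-net roadwarrior.vpn.example.com vpp.home 192.168.3.0/24 192.168.5.0/24; then
    echo "tunnel net-net is up as configured"
else
    echo "tunnel net-net check failed (code $?)"
fi
```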

Add a virtual internal network on the Initiator:

ip link add dev loop1 type dummy
ip addr add 192.168.3.1/24 dev loop1
ip link set loop1 up

On VPP you can now see

show ikev2 sa

iip 172.31.102.137 ispi f6d418ce rip 172.31.101.107 rspi a5e295fbad

Add the following configuration on VPP

ip route add 192.168.3.0/24 via 172.31.101.107 ipip0
set interface state ipip0 up
set interface unnumbered ipip0 use GigabitEthernetb/0/0
create host-interface name server
set interface ip address host-server 192.168.5.1/24
set interface state host-server up

Now you can test from the Initiator

ping 192.168.5.2

The ping should succeed.

Likewise, on the Responder,

sudo ip netns exec serverns ping 192.168.3.1

also succeeds.