The scenario is as follows:

                  172.31.x.x (reachable)                       192.168.5.0/24
 192.168.3.1  +------------+                +-----------+                +--------+
    loop1     | strongSwan | .102.137       |    VPP    | .1          .2 |  HTTP  |
        X-----| Initiator  |X==============X| Responder |X==============X| Server |
              +------------+       .101.107 +-----------+                +--------+

strongSwan acts as the Initiator and has a dynamic address; this example uses 172.31.102.137.
VPP acts as the Responder and has a fixed address; from the Initiator's point of view it only has to be reachable over the network. This example uses 172.31.101.107.
VPP configuration is as follows. Assume you have a network-reachable NIC, GigabitEthernetb/0/0; for how to bind the NIC to VPP, refer to http://Fd.io

Create a virtual internal network on the Responder. The "server" end of the veth pair stays in the host namespace; VPP attaches to it later as a host-interface:

    sudo ip netns add serverns
    sudo ip link add veth_server type veth peer name server
    sudo ip link set dev veth_server up netns serverns
    sudo ip netns exec serverns \
        bash -c "
            ip link set dev lo up
            ip addr add 192.168.5.2/24 dev veth_server
            ip route add 192.168.3.0/24 via 192.168.5.1
            ip route add 0.0.0.0/0 via 192.168.5.1
        "

Configure VPP. The profile's local/remote IDs and traffic selectors must mirror strongSwan's rightid/leftid and subnets below; a mismatch is the most common reason the IKE_AUTH exchange fails:

    set interface ip address GigabitEthernetb/0/0 172.31.101.107/24
    set interface state GigabitEthernetb/0/0 up
    ip route add 0.0.0.0/0 via 172.31.101.1
    ikev2 profile add pr1
    ikev2 profile set pr1 auth shared-key-mic string Vpp123
    ikev2 profile set pr1 id local fqdn vpp.home
    ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
    ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
    ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0

strongSwan configuration is as follows:
    sudo apt update
    sudo apt install strongswan

/etc/ipsec.conf (with the RHEL/Fedora packaging the file lives at /etc/strongswan/ipsec.conf):

    config setup
        strictcrlpolicy=no

    conn %default
        ike=aes256-sha1-modp2048!
        esp=aes192-sha1-esn!
        mobike=no
        keyexchange=ikev2
        ikelifetime=24h
        lifetime=24h

    conn net-net
        right=172.31.101.107
        rightsubnet=192.168.5.0/24
        rightauth=psk
        rightid=vpp.home
        left=%defaultroute
        leftsubnet=192.168.3.0/24
        leftauth=psk
        leftid=roadwarrior.vpn.example.com
        auto=start

The trailing ! pins strongSwan to exactly these proposals; VPP has to accept them, otherwise IKE_SA_INIT ends with NO_PROPOSAL_CHOSEN.

/etc/ipsec.secrets (RHEL/Fedora: /etc/strongswan/ipsec.secrets):

    : PSK "Vpp123"

From strongSwan 5.7 onward the entry must carry the identities:

    roadwarrior.vpn.example.com vpp.home : PSK "Vpp123"

Vpp123 is only a demonstration value. In IKEv2 the responder sends its AUTH payload to any peer that completes IKE_SA_INIT, so anyone who can reach UDP/500 on VPP can brute-force a short PSK offline; use a long random secret in practice.

    sudo ipsec restart
    sudo ipsec statusall

    Security Associations (1 up, 0 connecting):
         net-net[1]: ESTABLISHED 62 minutes ago, 172.31.102.137[roadwarrior.vpn.example.com]...172.31.101.107[vpp.home]
         net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ac9055_i 0899f024_o
         net-net{1}:   192.168.3.0/24 === 192.168.5.0/24

Add a virtual internal network on the Initiator:
    ip link add dev loop1 type dummy
    ip addr add 192.168.3.1/24 dev loop1
    ip link set loop1 up

On VPP the IKE SA is now visible:

    show ikev2 sa
    iip 172.31.102.137 ispi f6d418ce rip 172.31.101.107 rspi a5e295fbad

Once the SA is up, VPP has created the ipip0 tunnel interface. Add the remaining configuration on VPP: the route to the Initiator's subnet points through ipip0, and host-server attaches VPP to the "server" end of the veth pair:

    ip route add 192.168.3.0/24 via 172.31.101.107 ipip0
    set interface state ipip0 up
    set interface unnumbered ipip0 use GigabitEthernetb/0/0
    create host-interface name server
    set interface ip address host-server 192.168.5.1/24
    set interface state host-server up

Now test from the Initiator:

    ping 192.168.5.2

The ping succeeds. Likewise on the Responder:

    sudo ip netns exec serverns ping 192.168.3.1

also succeeds.
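As an added example (not part of the original post, and not code from VPP or strongSwan), the following POSIX shell script renders the VPP responder profile, the strongSwan conn section and the ipsec.secrets entry from one set of variables, so the identities, PSK and traffic selectors on the two sides cannot drift apart; it generates a high-entropy PSK in place of Vpp123 and checks the output of ipsec statusall for the established SA and the expected selectors. The function names, the 20-character PSK minimum and the /24-only range helper are my assumptions; the sample statusall text is the output shown above, embedded as a constructed input so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post, VPP or strongSwan.
# Renders both sides of the tunnel from one set of variables and verifies
# 'ipsec statusall' output. Names, thresholds and helpers are assumptions.
set -eu

VPP_ID="vpp.home"                        # VPP 'id local'  == strongSwan rightid
SWAN_ID="roadwarrior.vpn.example.com"    # VPP 'id remote' == strongSwan leftid
VPP_ADDR="172.31.101.107"
VPP_NET="192.168.5.0/24"                 # rightsubnet / VPP local selector
SWAN_NET="192.168.3.0/24"                # leftsubnet  / VPP remote selector

# 32 random bytes as 64 hex characters. The IKEv2 responder sends its AUTH
# payload to any peer that finishes IKE_SA_INIT, so a short PSK like "Vpp123"
# can be brute-forced offline by anyone who can reach UDP/500 on VPP.
gen_psk() { od -An -tx1 -N32 /dev/urandom | tr -d ' \n'; }

# Assumed policy: refuse PSKs shorter than 20 characters.
psk_ok() { [ "${#1}" -ge 20 ]; }

# "a.b.c.0/24" -> "a.b.c.0 - a.b.c.255", the form VPP's traffic-selector takes.
# Only /24 is handled; that is all this scenario uses.
range24() {
  base="${1%/24}"
  printf '%s - %s' "$base" "${base%.*}.255"
}

# VPP CLI for the responder profile. $1 = PSK.
vpp_profile() {
  cat <<EOF
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string $1
ikev2 profile set pr1 id local fqdn $VPP_ID
ikev2 profile set pr1 id remote fqdn $SWAN_ID
ikev2 profile set pr1 traffic-selector local ip-range $(range24 "$VPP_NET") port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range $(range24 "$SWAN_NET") port-range 0 - 65535 protocol 0
EOF
}

# strongSwan conn section for /etc/ipsec.conf.
swan_conn() {
  cat <<EOF
conn net-net
    right=$VPP_ADDR
    rightsubnet=$VPP_NET
    rightauth=psk
    rightid=$VPP_ID
    left=%defaultroute
    leftsubnet=$SWAN_NET
    leftauth=psk
    leftid=$SWAN_ID
    auto=start
EOF
}

# /etc/ipsec.secrets line in the identity-qualified form used since 5.7. $1 = PSK.
swan_secret() { printf '%s %s : PSK "%s"\n' "$SWAN_ID" "$VPP_ID" "$1"; }

# Succeeds only if conn $1 is ESTABLISHED, its CHILD_SA is INSTALLED as a
# TUNNEL, and the negotiated selectors are exactly our two subnets.
# stdin = output of 'ipsec statusall'.
sa_up() {
  out="$(cat)"
  printf '%s\n' "$out" | grep -q "^ *$1\[[0-9]*\]: *ESTABLISHED" || return 1
  printf '%s\n' "$out" | grep -q "^ *$1{[0-9]*}: *INSTALLED, TUNNEL" || return 1
  printf '%s\n' "$out" | grep -qF "$SWAN_NET === $VPP_NET"
}

# Constructed sample: the statusall output shown in the write-up.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 62 minutes ago, 172.31.102.137[roadwarrior.vpn.example.com]...172.31.101.107[vpp.home]
     net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ac9055_i 0899f024_o
     net-net{1}:   192.168.3.0/24 === 192.168.5.0/24'

main() {
  psk="$(gen_psk)"
  psk_ok "$psk"
  echo "# VPP CLI";            vpp_profile "$psk"
  echo "# /etc/ipsec.conf";    swan_conn
  echo "# /etc/ipsec.secrets"; swan_secret "$psk"
  if printf '%s\n' "$SAMPLE_STATUS" | sa_up net-net; then
    echo "# tunnel check: OK"
  else
    echo "# tunnel check: FAILED"; return 1
  fi
}
main
```

The rendered VPP lines go into vppctl, the conn block into ipsec.conf and the secret line into ipsec.secrets; on a live Initiator the check is simply `ipsec statusall | sa_up net-net`, which is cheap enough to run from a cron job or a monitoring probe. Because both sides are produced from the same five variables, changing a subnet or an identity in one place keeps the VPP traffic selectors and the strongSwan leftsubnet/rightsubnet consistent.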