# StrongSwan configuration guide

## StrongSwan multi-subnet interconnection

### Example configurations

- Official example repository: https://github.com/strongswan/strongswan/tree/master
- Multi-subnet documentation: https://wiki.strongswan.org/projects/strongswan/wiki/SubnetsBehindMoreThanTwoGateways
### Topology

| Gateway | Subnet | Public IP | Private IP | ID |
|---|---|---|---|---|
| Gateway A | 10.1.0.0/16 | 47.97.3.214 | 10.1.1.21 | A |
| Gateway B | 10.2.0.0/16 | 120.27.11.160 | 10.2.0.33 | B |
| Gateway C | 10.3.0.0/16 | 8.147.132.193 | 10.3.0.214 | C |
### Open ports

- Protocol: UDP
- IKEv1 port: 500
- IKEv2 port: 4500
### Connection modes

#### Hub mode (recommended)

```
          +---+
   +------+ A +------+
   |      +-+-+      |
   |        |        |
 +-+-+    +-+-+    +-+-+
 | B |    | C |    | D |
 +---+    +---+    +---+
```

- Number of connections: for n gateways, n - 1 connections are needed. With 4 gateways, for example, the connections are A <-> B, A <-> C and A <-> D.

#### Mesh mode

```
          +---+
   +------+ A +------+
   |      +-+-+      |
 +-+-+      |      +-+-+
 | B +------|------+ D |
 +-+-+      |      +-+-+
   |      +-+-+      |
   +------+ C +------+
          +---+
```

- Number of connections: for n gateways, n * (n - 1)/2 connections are needed. With 4 gateways, for example, the connections are A <-> B, A <-> C, A <-> D, B <-> C, B <-> D and C <-> D.
### Pre-shared key generation

Generate a key with:

```sh
openssl rand -base64 16
```
### Kernel parameters

```sh
cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
sysctl -p
```
### Installing StrongSwan

```sh
apt install strongswan strongswan-swanctl charon-systemd libstrongswan-extra-plugins -y
# The legacy ipsec (stroke) service is not used; charon-systemd provides the strongswan unit
systemctl disable ipsec
systemctl stop ipsec
systemctl status ipsec
```
### Interconnecting two subnets

#### Gateway A configuration

Edit the file `/etc/swanctl/conf.d/AB.conf`:

```
# A 10.1.0.0/16 47.97.3.214
# B 10.2.0.0/16 120.27.11.160
connections {
    AB {
        remote_addrs = 120.27.11.160   # B public IP
        version = 2
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            AB_children1 {
                local_ts = 10.1.0.0/16    # A subnet
                remote_ts = 10.2.0.0/16   # B subnet
                start_action = start
            }
        }
    }
}
secrets {
    ike-AB {
        secret = 9IJ/wn9QZ2uQoNmLHIxRcA==   # openssl rand -base64 16
    }
}
```
#### Gateway B configuration

Edit the file `/etc/swanctl/conf.d/BA.conf`:

```
# A 10.1.0.0/16 47.97.3.214
# B 10.2.0.0/16 120.27.11.160
connections {
    BA {
        remote_addrs = 47.97.3.214   # A public IP
        version = 2
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            BA_children1 {
                local_ts = 10.2.0.0/16    # B subnet
                remote_ts = 10.1.0.0/16   # A subnet
                start_action = start
            }
        }
    }
}
secrets {
    ike-BA {
        secret = 9IJ/wn9QZ2uQoNmLHIxRcA==   # openssl rand -base64 16
    }
}
```
#### Steps on every gateway

```sh
systemctl enable strongswan
systemctl restart strongswan
systemctl status strongswan
swanctl --list-conns
swanctl --list-sas
```

- Note: in the cloud VPC, custom routes must be added so that traffic for the remote subnet is sent to the gateway instance.
### Interconnecting three subnets (hub mode)

#### Gateway A configuration

Edit the file `/etc/swanctl/conf.d/ABC.conf`:

```
# A 10.1.0.0/16 47.97.3.214
# B 10.2.0.0/16 120.27.11.160
# C 10.3.0.0/16 8.147.132.193
connections {
    AB {
        remote_addrs = 120.27.11.160   # B public IP
        version = 2
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            AB_children1 {
                local_ts = 10.1.0.0/16,10.3.0.0/16   # A and C subnets (C is reached through A)
                remote_ts = 10.2.0.0/16              # B subnet
                start_action = start
            }
        }
    }
    AC {
        remote_addrs = 8.147.132.193   # C public IP
        version = 2
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            AC_children1 {
                local_ts = 10.1.0.0/16,10.2.0.0/16   # A and B subnets (B is reached through A)
                remote_ts = 10.3.0.0/16              # C subnet
                start_action = start
            }
        }
    }
}
secrets {
    # Entries without an id match any peer; add id = <peer IP> if B and C use different keys
    ike-AB {
        secret = 9IJ/wn9QZ2uQoNmLHIxRcA==   # openssl rand -base64 16
    }
    ike-AC {
        secret = 9IJ/wn9QZ2uQoNmLHIxRcA==   # openssl rand -base64 16
    }
}
```
#### Gateway B configuration

Edit the file `/etc/swanctl/conf.d/BA.conf`:

```
# A 10.1.0.0/16 47.97.3.214
# B 10.2.0.0/16 120.27.11.160
# C 10.3.0.0/16 8.147.132.193
connections {
    BA {
        remote_addrs = 47.97.3.214   # A public IP
        version = 2
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            BA_children1 {
                local_ts = 10.2.0.0/16                # B subnet
                remote_ts = 10.1.0.0/16,10.3.0.0/16   # A and C subnets (via A)
                start_action = start
            }
        }
    }
}
secrets {
    ike-BA {
        secret = 9IJ/wn9QZ2uQoNmLHIxRcA==   # openssl rand -base64 16
    }
}
```
#### Gateway C configuration

Edit the file `/etc/swanctl/conf.d/CA.conf`:

```
# A 10.1.0.0/16 47.97.3.214
# B 10.2.0.0/16 120.27.11.160
# C 10.3.0.0/16 8.147.132.193
connections {
    CA {
        remote_addrs = 47.97.3.214   # A public IP
        version = 2
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            CA_children1 {
                local_ts = 10.3.0.0/16                # C subnet
                remote_ts = 10.1.0.0/16,10.2.0.0/16   # A and B subnets (via A)
                start_action = start
            }
        }
    }
}
secrets {
    ike-CA {
        secret = 9IJ/wn9QZ2uQoNmLHIxRcA==   # openssl rand -base64 16
    }
}
```
#### Steps on every gateway

```sh
systemctl enable strongswan
systemctl restart strongswan
systemctl status strongswan
swanctl --list-conns
swanctl --list-sas
```
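The hub-mode rule above (the hub carries every subnet except the spoke's own toward each spoke, and n - 1 connections in total) generalises to any number of gateways. The following script is an added example, not part of this guide or of the strongSwan project: it generates the hub and spoke swanctl files from a gateway table in the same layout as the three-gateway configuration. The gateway table is constructed to match the guide; the function names (`field`, `hub_name`, `other_subnets`, `conn_block`, `gateway_conf`) and the PSK placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate hub-mode swanctl configuration for n gateways.
# The first row of GATEWAYS is the hub; every other row is a spoke that
# only opens a tunnel to the hub. Function names are hypothetical.

# Constructed gateway table ("name subnet public_ip"), matching the guide.
GATEWAYS="A 10.1.0.0/16 47.97.3.214
B 10.2.0.0/16 120.27.11.160
C 10.3.0.0/16 8.147.132.193"

# Placeholder PSK: replace with the output of `openssl rand -base64 16`
# (ideally one key per connection) and keep the file out of version control.
PSK_PLACEHOLDER="REPLACE_WITH_openssl_rand_-base64_16"

# field NAME N: column N (1 = name, 2 = subnet, 3 = public IP) of gateway NAME.
field() {
  printf '%s\n' "$GATEWAYS" | awk -v n="$1" -v c="$2" '$1 == n { print $c }'
}

# hub_name: the first gateway listed acts as the hub.
hub_name() {
  printf '%s\n' "$GATEWAYS" | head -n 1 | cut -d' ' -f1
}

# other_subnets NAME: comma-separated subnets of every gateway except NAME.
# This is the traffic selector the hub offers toward NAME, and the selector
# NAME accepts from the hub, so spoke-to-spoke traffic is relayed via the hub.
other_subnets() {
  printf '%s\n' "$GATEWAYS" | awk -v skip="$1" '
    $1 != skip { out = out (out == "" ? "" : ",") $2 }
    END { printf "%s", out }'
}

# conn_block CONN REMOTE_IP LOCAL_TS REMOTE_TS: one IKEv2 PSK connection.
conn_block() {
  cat <<EOF
    $1 {
        remote_addrs = $2
        version = 2
        local { auth = psk }
        remote { auth = psk }
        children {
            ${1}_child {
                local_ts = $3
                remote_ts = $4
                start_action = start
            }
        }
    }
EOF
}

# secret_block CONN: the ike-CONN entry of the secrets section.
secret_block() {
  printf '    ike-%s {\n        secret = %s\n    }\n' "$1" "$PSK_PLACEHOLDER"
}

# gateway_conf NAME: print the complete swanctl file for gateway NAME.
gateway_conf() {
  me="$1"
  hub=$(hub_name)
  spokes=$(printf '%s\n' "$GATEWAYS" | awk -v h="$hub" '$1 != h { print $1 }')
  echo "connections {"
  if [ "$me" = "$hub" ]; then
    # The hub opens one connection per spoke (n - 1 in total).
    for peer in $spokes; do
      conn_block "$hub$peer" "$(field "$peer" 3)" \
                 "$(other_subnets "$peer")" "$(field "$peer" 2)"
    done
  else
    # A spoke has a single connection to the hub covering all remote subnets.
    conn_block "$me$hub" "$(field "$hub" 3)" \
               "$(field "$me" 2)" "$(other_subnets "$me")"
  fi
  echo "}"
  echo "secrets {"
  if [ "$me" = "$hub" ]; then
    for peer in $spokes; do secret_block "$hub$peer"; done
  else
    secret_block "$me$hub"
  fi
  echo "}"
}

# Usage: sh gen_hub.sh A > /etc/swanctl/conf.d/hub.conf
if [ -n "${1:-}" ]; then gateway_conf "$1"; fi
```

Running it with `A` reproduces the two connections of `ABC.conf` (AB with `local_ts = 10.1.0.0/16,10.3.0.0/16`, AC with `local_ts = 10.1.0.0/16,10.2.0.0/16`); running it with `B` or `C` reproduces the single spoke connection. Adding a fourth row adds one more connection on the hub and leaves the existing spokes' files needing only an updated `remote_ts`.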
## Personal VPN mode (based on Debian 12, server located in Hong Kong)

### Environment preparation

- Update the package list:

```sh
apt update
```

- Install the required packages:

```sh
apt install iptables charon-systemd strongswan-swanctl libcharon-extra-plugins strongswan-pki libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y
```

### Configuration file

Edit the file `/etc/swanctl/conf.d/vpn.conf` with the following content:

```
connections {
    ikev2-eap-mschapv2 {
        version = 2
        unique = never
        rekey_time = 0s
        fragmentation = yes
        dpd_delay = 60s
        send_cert = always
        pools = ipv4-addrs, ipv6-addrs
        proposals = aes256-sha256-prfsha256-modp2048, aes256gcm16-prfsha384-modp1024, default
        local_addrs = %any
        local {
            certs = cert.pem
            id = www.gaojinbo.com
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha256, aes128-sha1, default
            }
        }
    }
}
pools {
    ipv4-addrs {
        addrs = 10.10.0.0/24
        dns = 8.8.8.8,1.1.1.1
    }
    ipv6-addrs {
        addrs = fec1::0/24
        dns = 2001:4860:4860::8888,2606:4700:4700::1111
    }
}
secrets {
    private-xxx {
        file = privkey.pem
    }
    eap-user1 {
        id = gaojinbo
        secret = "123456"
    }
}
```
### Enable forwarding

- Write `net.ipv4.ip_forward=1` to the system configuration file:

```sh
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sudo sysctl -p
```

- Add an iptables rule for address translation:

```sh
# Masquerades all forwarded traffic; add -s 10.10.0.0/24 to limit it to the VPN pool
iptables -t nat -A POSTROUTING -j MASQUERADE
```
### Certificate setup

Note: the files under `live/` are symlinks, so the whole `letsencrypt` directory (not just `live/`) must be copied over.

```sh
ln -s /etc/letsencrypt/live/gaojinbo.com/cert.pem /etc/swanctl/x509/cert.pem
ln -s /etc/letsencrypt/live/gaojinbo.com/privkey.pem /etc/swanctl/private/privkey.pem
ln -s /etc/letsencrypt/live/gaojinbo.com/chain.pem /etc/swanctl/x509ca/ca.pem
```
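Because the swanctl links above point at symlinks inside `live/`, a copy that brought over only `live/` leaves dangling links and swanctl loads no certificate. The following check is an added example, not part of this guide: it follows each link chain and reports whether the target is a real, readable file. `SWANCTL_DIR` and the function names are assumptions of this example; the directory can be overridden to test against a scratch tree.

```shell
#!/bin/sh
# Added example: verify that the certificate paths swanctl loads resolve
# (through any symlink chain) to readable regular files. SWANCTL_DIR is a
# hypothetical override for testing; it defaults to the real location.
SWANCTL_DIR="${SWANCTL_DIR:-/etc/swanctl}"

# check_cert_path PATH: returns 0 when PATH, after following symlinks,
# is a readable regular file; otherwise reports the broken chain and returns 1.
check_cert_path() {
  target=$(readlink -f "$1" 2>/dev/null) || target="$1"
  if [ -f "$target" ] && [ -r "$target" ]; then
    printf 'ok      %s -> %s\n' "$1" "$target"
    return 0
  fi
  printf 'MISSING %s (resolves to %s)\n' "$1" "$target" >&2
  return 1
}

# check_swanctl_certs: check the three files linked into place in this guide
# (leaf certificate, private key, CA chain). Returns 1 if any is unusable.
check_swanctl_certs() {
  rc=0
  for rel in x509/cert.pem private/privkey.pem x509ca/ca.pem; do
    check_cert_path "$SWANCTL_DIR/$rel" || rc=1
  done
  return $rc
}

# Usage: sh check_certs.sh   (exit status 0 only when all three resolve)
if [ -n "${RUN_CHECK:-}" ]; then check_swanctl_certs; fi
```

Run it after copying the `letsencrypt` directory and again after each renewal; a `MISSING` line for `private/privkey.pem` is the symptom of copying only `live/`.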
### Service management

- Enable the `strongswan` service:

```sh
systemctl enable strongswan
```

- Restart the `strongswan` service:

```sh
systemctl restart strongswan
```

- Check the `strongswan` service status:

```sh
systemctl status strongswan
```

- List the loaded connections:

```sh
swanctl --list-conns
```

- Follow the `strongswan` service log:

```sh
journalctl -f -u strongswan
```
### Servers without a public IP

If the strongswan server has no public IP, frp can be used to tunnel through NAT. Example configuration:

```toml
[[proxies]]
name = "ipsec-nat-t"
type = "udp"
localIP = "127.0.0.1"
localPort = 4500
remotePort = 4500
```

This forwards only UDP 4500; an IKEv2 client that begins negotiation on UDP 500 also needs a second proxy for that port.
### Windows client connection steps

- Open "Settings" -> "Network & Internet" -> "VPN".
- Click "Add a VPN connection".
- Enter the domain name `www.gaojinbo.com`.
- Set "VPN type" to `IKEv2`.
- Enter the username and password.
- Click "Connect".

Note: an IP address cannot be used; the domain name must match the one in the certificate.