關於 StrongSwan IPSec Lan-to-Lan 一問

site to site vpn linux

slack36 2020-11-25 11:27:53 ‧ 2855 瀏覽

想請教一下大家, 我想由 Site A LAN 連線到 Site B LAN, 環境簡介如下:

//// Site A:
ETH0:- Wan: DHCP
ETH1:- LAN: 10.8.0.0/21, LAN GATEWAY: 10.8.7.254

// ipse.conf
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn ikev2-vpn-client
auto=start
right=vpn.domain.com
rightid=@vpn.domain.com
rightsubnet=0.0.0.0/0
rightauth=pubkey
leftsourceip=%config
leftid=ipsec.secret.username
leftauth=eap-mschapv2
eap_identity=%identity

// ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.4.77, x86_64):
uptime: 28 minutes, since Nov 24 17:28:51 2020
malloc: sbrk 3141632, mmap 0, used 1064384, free 2077248
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 xcbc cmac hmac drbg curl files sqlite attr kernel-netlink resolve socket-default bypass-lan connmark farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-simaka-pseudonym eap-simaka-reauth eap-mschapv2 eap-radius eap-tls eap-ttls xauth-generic xauth-eap dhcp lookip unity counters
Listening IP addresses:
210.x.xx.110
10.8.7.254
Connections:
ikev2-vpn-client: %any...vpn.domain.com IKEv1/2
ikev2-vpn-client: local: [ipsec.secret.username] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn-client: remote: [vpn.domain.com] uses public key authentication
ikev2-vpn-client: child: dynamic === 0.0.0.0/0 TUNNEL
Shunted Connections:
Bypass LAN 10.8.0.0/21: 10.8.0.0/21 === 10.8.0.0/21 PASS
Bypass LAN 127.0.0.0/8: 127.0.0.0/8 === 127.0.0.0/8 PASS
Bypass LAN 210.x.xx.108/30: 210.x.xx.108/30 === 210.x.xx.108/30 PASS
Bypass LAN fe80::/64: fe80::/64 === fe80::/64 PASS
Security Associations (1 up, 0 connecting):
ikev2-vpn-client[1]: ESTABLISHED 28 minutes ago, 210.x.xx.110[ipsec.secret.username]...202.xxx.xxx.228[vpn.domain.com]
ikev2-vpn-client[1]: IKEv2 SPIs: b455a06d59793339_i* 19405f545f34224c_r, EAP reauthentication in 2 hours
ikev2-vpn-client[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
ikev2-vpn-client{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c43d8dde_i c9f9942e_o
ikev2-vpn-client{1}: AES_CBC_128/HMAC_SHA1_96, 168 bytes_i (2 pkts, 1607s ago), 168 bytes_o (2 pkts, 42s ago), rekeying in 15 minutes
ikev2-vpn-client{1}: 10.10.2.1/32 === 0.0.0.0/0

// iptables-save
*nat
:PREROUTING ACCEPT [8873:1192949]
:INPUT ACCEPT [1956:128458]
:OUTPUT ACCEPT [1631:125810]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.2.0/24 -j SNAT --to-source 10.8.7.254
-A POSTROUTING -s 10.10.2.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.2.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [19272:1817571]
:FORWARD ACCEPT [1225744:1396421093]
:OUTPUT ACCEPT [26713:2662390]
COMMIT

// ipsec.secrets
ipsec.secret.username : EAP "ipsec.secret.password"

//// SITE B
eth0:- Wan: Fixed IP: 202.xxx.xxx.228 / 29
bond0 :- 10.10.10.1/29
bond0:192 :- LAN: 192.168.0.0/24, LAN GATEWAY: 192.168.0.254

// ipsec.conf
config setup
charondebug="ike3, cfg 3"
uniqueids=no

conn ikev2
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes2 56-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no

    left=vpn.domain.com
    leftid=@vpn.domain.com
    leftcert=fullchain.pem
    leftauth=pubkey
    leftsendcert=always
    leftfirewall=yes
    leftsubnet=0.0.0.0/0

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=1.1.1.1,8.8.8.8
    rightsourceip=10.10.2.0/24
    rightsendcert=never
    rightfirewall=yes

    eap_identity=%identity

// iptables-save
*nat
:PREROUTING ACCEPT [551:44170]
:INPUT ACCEPT [533:38118]
:OUTPUT ACCEPT [56:4312]
:POSTROUTING ACCEPT [1:44]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [10376:870773]
:INPUT ACCEPT [10358:864721]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20652:1710926]
:POSTROUTING ACCEPT [20652:1710926]
COMMIT
*filter
:INPUT ACCEPT [3122:263405]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8203:589433]
-A FORWARD -s 10.10.2.1/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -d 10.10.2.1/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -i bond0 -j ACCEPT
-A FORWARD -i bond0:192 -j ACCEPT
COMMIT

// ipsec.secrests
vpn.domain.com : RSA "privkey.pem"
ipsec.secret.username : EAP "ipsec.secret.password"

// ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.4.77, x86_64):
uptime: 45 minutes, since Nov 24 17:28:20 2020
malloc: sbrk 3141632, mmap 0, used 1093472, free 2048160
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 xcbc cmac hmac drbg curl files sqlite attr kernel-netlink resolve socket-default bypass-lan connmark farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-simaka-pseudonym eap-simaka-reauth eap-mschapv2 eap-radius eap-tls eap-ttls xauth-generic xauth-eap dhcp lookip unity counters
Virtual IP pools (size/online/offline):
10.10.2.0/24: 254/1/0
Listening IP addresses:
202.xxx.xxx.228
10.10.10.1
192.168.0.254
Connections:
ikev2: vpn.domain.com...%any IKEv2, dpddelay=300s
ikev2: local: [vpn.domain.com] uses public key authentication
ikev2: cert: "CN=vpn.domain.com"
ikev2: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Shunted Connections:
Bypass LAN 10.10.10.0/29: 10.10.10.0/29 === 10.10.10.0/29 PASS
Bypass LAN 127.0.0.0/8: 127.0.0.0/8 === 127.0.0.0/8 PASS
Bypass LAN 192.168.0.0/24: 192.168.0.0/24 === 192.168.0.0/24 PASS
Bypass LAN 202.xxx.xxx.222/29: 202.xxx.xxx.222/29 === 202.xxx.xxx.222/29 PASS
Bypass LAN fe80::/64: fe80::/64 === fe80::/64 PASS
Security Associations (1 up, 0 connecting):
ikev2[2]: ESTABLISHED 45 minutes ago, 202.xxx.xxx.228[vpn.domain.com]...210.x.xx.110[ipsec.secret.username]
ikev2[2]: IKEv2 SPIs: b455a06d59793339_i 19405f545f34224c_r*, rekeying disabled
ikev2[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
ikev2{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2f57775_i c8120421_o
ikev2{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
ikev2{2}: 0.0.0.0/0 === 10.10.2.1/32