
Building an IPsec site-to-site tunnel with libreswan to connect the private subnets of two IDCs

Date: 2018-08-05 08:46:52


Contents

1. Libreswan overview
   -> IKE
   -> ESP
   Libreswan features
2. Environment
3. Software installation
   3.1 Downloading libreswan
   3.2 Installing libreswan
4. Configuring kernel parameters
   Loading the kernel parameters
5. Starting the service and verifying the kernel configuration
6. Firewall policy: opening UDP 500 and UDP 4500
   6.1 Make sure the firewall is off or allows UDP 500 and UDP 4500
   6.2 On cloud hosts, add rules for ports 4500 and 500 from the relevant IPs to the security group
   6.3 Verifying port reachability with nmap
7. Configuring the pre-shared key
8. Configuring the IPsec connection
   8.1 Main configuration
   8.2 Creating the connection configuration
9. Restarting the service on both ends and bringing up the tunnel
   9.1 Checking the tunnel state
10. Testing connectivity
11. Pitfalls
12. Troubleshooting
   12.1 tcpdump
   12.2 Reading the log
   12.3 Checking status
   12.4 Bringing up a connection by hand

1. Libreswan overview

Libreswan is an open-source implementation of the IPsec protocol suite. It descends from the FreeS/WAN project and is packaged for Red Hat's Linux distributions. A brief description of the two parts of IPsec as Libreswan implements them follows.

An IPsec-based VPN consists of the Internet Key Exchange (IKE) protocol and the Encapsulating Security Payload (ESP) protocol.

-> IKE

As the name suggests, IKE's purpose is to authenticate the peer (using pre-shared keys, public-key cryptography, or opportunistic connections), generate keys dynamically and share them with the VPN peer. The encryption keys of the second IPsec phase also depend on IKE. Libreswan implements IKE in its pluto daemon.

-> ESP

ESP is the actual enforcement, in the Linux kernel's IPsec stack (NETKEY / XFRM), of the policy the peers agreed on.

Libreswan features

- Authentication based on pre-shared keys
- Authentication based on public keys
- IKEv1 and IKEv2 key exchange
- The NSS cryptographic library
- XAUTH and DNSSEC

In this article we use libreswan to build a point-to-point IPsec network that connects the private networks of two IDCs.

2. Environment

Environment:

IDC Chongqing:

  Private subnet: 172.16.30.0/24
  Public IP: 192.191.91.71 (public IP altered)
  Private IP: 172.16.30.15
  OS: CentOS 7

IDC Hong Kong:

  Private subnet: 172.19.0.0/24
  Public IP: 192.226.50.61 (public IP altered)
  Private IP: 172.19.0.13
  OS: CentOS 7

Architecture diagram:

3. Software installation

3.1 Downloading libreswan

The CentOS yum repository provides a libreswan package, but to be safe we install the latest version from its rpm:

```
# wget /binaries/rhel/7/x86_64/libreswan-3.31-1.el7_7.x86_64.rpm
```

3.2 Installing libreswan

```
yum localinstall -y libreswan-3.31-1.el7_7.x86_64.rpm

[root@VM_0_13_centos ipsec.d]# yum info libreswan
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Installed Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.31
Release     : 1.el7_7
Size        : 4.4 M
Repo        : installed
From repo   : /libreswan-3.31-1.el7_7.x86_64
Summary     : Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
URL         : /
License     : GPLv2
Description : Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
            : the Internet Protocol Security and uses strong cryptography to provide
            : both authentication and encryption services. These services allow you
            : to build secure tunnels through untrusted networks. Everything passing
            : through the untrusted net is encrypted by the ipsec gateway machine and
            : decrypted by the gateway at the other end of the tunnel. The resulting
            : tunnel is a virtual private network or ***.
            :
            : This package contains the daemons and userland tools for setting up
            : Libreswan.
            :
            : Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
            :
            : Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

[root@VM_0_13_centos ipsec.d]# rpm -ql libreswan|grep -E -v "share|libe"
/etc/ipsec.conf                            # main configuration file
/etc/ipsec.d                               # configuration subdirectory
/etc/ipsec.d/policies                      # policy directory
/etc/ipsec.d/policies/block
/etc/ipsec.d/policies/clear
/etc/ipsec.d/policies/clear-or-private
/etc/ipsec.d/policies/portexcludes.conf
/etc/ipsec.d/policies/private
/etc/ipsec.d/policies/private-or-clear
/etc/ipsec.secrets                         # secrets (key) file
/etc/pam.d/pluto                           # PAM module for protocol authentication
/etc/prelink.conf.d
/etc/prelink.conf.d/libreswan-fips.conf
/etc/sysctl.d/50-libreswan.conf            # bundled kernel parameter file
/run/pluto
/usr/lib/systemd/system/ipsec.service      # systemd unit for the service
/usr/lib/tmpfiles.d/libreswan.conf
/usr/lib64/fipscheck/pluto.hmac
/usr/sbin/ipsec                            # ipsec binary
/var/log/pluto
/var/log/pluto/peer
```

4. Configuring kernel parameters

The libreswan package ships the kernel parameters it needs changed [ /etc/sysctl.d/50-libreswan.conf ]. That is not enough on its own: the IPsec gateway forwards packets between the two subnets, so IP forwarding must be enabled.

```
echo "## enable IP forwarding" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
```

Disable reverse-path (source route) validation:

```
echo "## disable reverse-path filtering (add a line per interface name, e.g. ens33)" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.default.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.eth0.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
```

Disable ICMP redirects:

```
echo "## disable ICMP redirects" >> /etc/sysctl.d/50-libreswan.conf
# emit a "<key> = 0" line for every accept/send_redirects key the running kernel exposes
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.d/50-libreswan.conf
```

Load the kernel parameters:

```
# "sysctl -p" with no file argument reads only /etc/sysctl.conf;
# --system also loads the files in /etc/sysctl.d/, including 50-libreswan.conf
sysctl --system
```

```
# cat /etc/sysctl.d/50-libreswan.conf
# when using 1 interface for two networks when using NETKEY, the kernel
# thinks it can be clever by sending a redirect (cause it cannot tell
# an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
#
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
# sysctl -p
```

5. Starting the service and verifying the kernel configuration

systemctl start ipsec

```
[root@VM_0_13_centos ~]# systemctl start ipsec
[root@VM_0_13_centos ~]# systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue -03-24 09:36:27 CST; 51min ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
  Process: 2052 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
  Process: 2050 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 2048 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 2044 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 2326 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
  Process: 2324 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 2060 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 2059 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 2338 (pluto)
   Status: "Startup completed."
   CGroup: /system.slice/ipsec.service
           └─2338 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Mar 24 09:36:26 VM_0_13_centos systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Mar 24 09:36:26 VM_0_13_centos systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Mar 24 09:36:27 VM_0_13_centos ipsec[2326]: nflog ipsec capture disabled
Mar 24 09:36:27 VM_0_13_centos systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
```

ipsec verify

```
[root@VM_0_13_centos ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.31 (netkey) on 3.10.0-1062.9.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]
```

Make sure every check reports OK. Some kernel parameter changes do not take effect with `sysctl -p`, because it loads only /etc/sysctl.conf and not the files in /etc/sysctl.d/; set those by hand (sysctl -w, or `sysctl --system`) or reboot the system.

6. Firewall policy: opening UDP 500 and UDP 4500

UDP port 500 for the Internet Key Exchange (IKE) protocol

UDP port 4500 for IKE NAT-Traversal

IP protocol 50 for Encapsulated Security Payload (ESP) IPsec packets

IP protocol 51 for Authenticated Header (AH) IPsec packets (uncommon)

```
[root@VM_0_13_centos ~]# netstat -unlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:4500          0.0.0.0:*                           2338/pluto
udp        0      0 172.19.0.13:4500        0.0.0.0:*                           2338/pluto
udp        0      0 127.0.0.1:500           0.0.0.0:*                           2338/pluto
udp        0      0 172.19.0.13:500         0.0.0.0:*                           2338/pluto
udp6       0      0 ::1:500                 :::*                                2338/pluto
```

6.1 Make sure the firewall is off or allows UDP 500 and UDP 4500

```
[root@VM_0_13_centos ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

6.2 On cloud hosts, add rules for ports 4500 and 500 from the relevant IPs to the security group

6.3 Verifying port reachability with nmap

```
[root@VM_0_15_centos ~]# nmap -sU 192.226.50.61 -p 500,4500 -Pn

Starting Nmap 6.40 ( ) at -03-24 10:34 CST
Nmap scan report for 192.226.50.61
Host is up.
PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike

Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds
[root@VM_0_13_centos ~]# nmap -sU 192.226.50.61 -p 500,4500 -Pn

Starting Nmap 6.40 ( ) at -03-24 10:35 CST
Nmap scan report for 192.226.50.61
Host is up.
PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike

Nmap done: 1 IP address (1 host up) scanned in 3.26 seconds
```

For UDP probes nmap reports open|filtered whenever no reply comes back, so this result only shows that nothing answered the probe with ICMP port unreachable; the conclusive test is whether IKE negotiates in section 9.

7. Configuring the pre-shared key

IPsec IKE supports authentication with pre-shared keys, certificates, X.509 and other methods; here we use a pre-shared key:

authby=secret

Look at the main secrets file /etc/ipsec.secrets and create the key:

```
[root@VM_0_13_centos ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
[root@VM_0_13_centos ~]# vim /etc/ipsec.d/test-vm.secrets
## source-ip destination-ip : PSK "key"   (0.0.0.0 means any ip)
0.0.0.0 0.0.0.0 : PSK "1234567890"
```

For the test phase we use 1234567890 as the key for all connections, for convenience.
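The secrets entry above binds a ten-character key to any peer. The following added example (my code, not from the post) generates a random PSK, renders an entry bound to the two public IPs that serve as leftid/rightid, and checks a secrets file for wildcard selectors and short keys; the file format is libreswan's, the function names are this example's.

```python
import ipaddress
import re
import secrets

WILDCARDS = {"0.0.0.0", "%any"}   # selectors that accept any peer; the post's comment treats 0.0.0.0 as "any ip"
MIN_PSK_CHARS = 32                # 32 hex characters = 128 bits of entropy; generate_psk() emits 64


def generate_psk(nbytes: int = 32) -> str:
    """Random PSK as lowercase hex: nbytes of entropy, 2*nbytes characters, nothing to quote."""
    return secrets.token_hex(nbytes)


def secrets_line(local_id: str, peer_id: str, psk: str) -> str:
    """Render one ipsec.secrets entry bound to two specific IPv4 ids (the leftid/rightid values)."""
    for ident in (local_id, peer_id):
        if ident in WILDCARDS:
            raise ValueError(f"refusing wildcard selector {ident}")
        ipaddress.IPv4Address(ident)          # raises ValueError for anything that is not an IPv4 address
    if not psk or '"' in psk or "\\" in psk:
        raise ValueError("PSK must be non-empty and contain no quotes or backslashes")
    return f'{local_id} {peer_id} : PSK "{psk}"'


_PSK_RE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')


def check_secrets(text: str) -> list:
    """Findings for a secrets file: wildcard selectors and keys shorter than MIN_PSK_CHARS."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("include"):
            continue
        m = _PSK_RE.match(line)
        if not m:
            continue
        a, b, key = m.groups()
        if a in WILDCARDS or b in WILDCARDS:
            findings.append(f"line {lineno}: wildcard selector, any peer presenting this key is accepted")
        if len(key) < MIN_PSK_CHARS:
            findings.append(f"line {lineno}: PSK is only {len(key)} characters")
    return findings


# Constructed sample: the entry from the post, as written in /etc/ipsec.d/test-vm.secrets.
POST_SECRETS = '## source-ip destination-ip : PSK "key"\n0.0.0.0 0.0.0.0 : PSK "1234567890"\n'


def hardened_secrets(local_id: str = "192.191.91.71", peer_id: str = "192.226.50.61") -> str:
    """Replacement for POST_SECRETS: one entry for this peer pair with a freshly generated key."""
    return secrets_line(local_id, peer_id, generate_psk()) + "\n"


if __name__ == "__main__":
    print("post's file:", check_secrets(POST_SECRETS))
    print("hardened file:", check_secrets(hardened_secrets()))
```

The same key must be written on both ends; libreswan matches the entry by the ids it negotiates, so the two IPs can appear in either order on the other host.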

8. Configuring the IPsec connection

8.1 Main configuration:

```
[root@VM_0_13_centos ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see /wiki/

config setup
    # Normally, pluto logs via syslog.
    logfile=/var/log/pluto.log
    #
    # Do not enable debug options to debug configuration issues!
    #
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    plutodebug=none
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least up to )
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
```

The main configuration tells us that the connection files live in /etc/ipsec.d/*.conf and which private address ranges are treated as such behind NAT (the virtual_private line and its BGP remark). For convenience we turn on the log file so we can debug.

8.2 Creating the connection configuration:

```
vim /etc/ipsec.d/test-vm.conf

conn test-vm-test
    ### phase 1 ###
    # authentication type: pre-shared key
    authby=secret
    # IKE algorithms: 3des-sha1
    ike=3des-sha1
    # key exchange protocol
    keyexchange=ike
    ### phase 2 ###
    phase2=esp
    phase2alg=3des-sha1
    # compression
    compress=no
    # perfect forward secrecy
    pfs=yes
    # how the connection is loaded: start = load and initiate at startup, add = load only, do not initiate
    auto=start
    # mode: tunnel | transport
    type=tunnel
    left=172.30.0.15
    leftsubnet=172.30.0.0/24
    leftid=192.191.91.71
    leftnexthop=%defaultroute
    right=192.226.50.61
    rightsubnet=172.19.0.0/24
    rightid=192.226.50.61
    rightnexthop=%defaultroute
```

Libreswan does not use the terms "source" and "destination". Instead it uses "left" and "right" to refer to the endpoints (hosts). Most administrators use "left" for the local host and "right" for the remote one, but either way the same configuration can, in most cases, be used on both endpoints.

Because our servers sit in a VPC behind static NAT, when filling in left and right the local side's address must be its private IP or %defaultroute. left and right are the IP addresses of the two ends, while leftid and rightid are their identifiers.

```
[root@VM_0_15_centos ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:47:0b:03 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.15/20 brd 172.30.15.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
```

Write the peer's configuration according to its actual situation:

```
vim /etc/ipsec.d/test-vm.conf

conn test-vm-test
    # authentication type: pre-shared key
    authby=secret
    # IKE algorithms: 3des-sha1
    ike=3des-sha1
    # key exchange protocol
    keyexchange=ike
    ### phase 2 ###
    phase2=esp
    phase2alg=3des-sha1
    # compression
    compress=no
    # perfect forward secrecy
    pfs=yes
    # how the connection is loaded: start = load and initiate at startup, add = load only, do not initiate
    auto=start
    # mode: tunnel | transport
    type=tunnel
    left=192.191.91.71
    leftsubnet=172.30.0.0/24
    leftid=192.191.91.71
    leftnexthop=%defaultroute
    right=172.19.0.13
    rightsubnet=172.19.0.0/24
    rightid=192.226.50.61
    rightnexthop=%defaultroute
```
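The rule above (own side bound to its private IP but identified by its public IP, peer addressed by its public IP) is easy to get wrong when editing two files by hand. The added example below (my code, not the post's) renders both ends' conn sections from one description of the two sites and checks that the files mirror each other. Unlike the post's second file it always puts the local host on "left"; the default ike/phase2alg strings are this example's AES/SHA-2 choice rather than the post's 3des-sha1, and the Site and check_mirror names are assumptions.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Site:
    name: str
    public_ip: str    # what the peer sees: used as leftid/rightid and as the address the peer dials
    private_ip: str   # bound on eth0 behind the cloud's static NAT: used only for our own left=
    subnet: str       # private subnet carried through the tunnel


# Constructed from the addresses in the post (its public IPs are already altered placeholders).
CHONGQING = Site("chongqing", "192.191.91.71", "172.30.0.15", "172.30.0.0/24")
HONGKONG = Site("hongkong", "192.226.50.61", "172.19.0.13", "172.19.0.0/24")


def render_conn(local: Site, peer: Site, name: str = "test-vm-test",
                ike: str = "aes256-sha2_256;modp2048", esp: str = "aes256-sha2_256") -> str:
    """Render the conn section for host `local`, always placing the local host on the left side."""
    for site in (local, peer):
        ipaddress.IPv4Address(site.public_ip)
        ipaddress.IPv4Address(site.private_ip)
        ipaddress.IPv4Network(site.subnet)
    lines = [
        f"conn {name}",
        "    authby=secret",
        f"    ike={ike}",
        "    keyexchange=ike",
        "    phase2=esp",
        f"    phase2alg={esp}",
        "    compress=no",
        "    pfs=yes",
        "    auto=start",
        "    type=tunnel",
        f"    left={local.private_ip}",      # behind static NAT: bind the private address...
        f"    leftid={local.public_ip}",     # ...but identify as the public one the peer expects
        f"    leftsubnet={local.subnet}",
        "    leftnexthop=%defaultroute",
        f"    right={peer.public_ip}",       # the peer is reached at its public address
        f"    rightid={peer.public_ip}",
        f"    rightsubnet={peer.subnet}",
        "    rightnexthop=%defaultroute",
    ]
    return "\n".join(lines) + "\n"


def parse_conn(text: str) -> dict:
    """Parse the key=value lines of one conn section into a dict; comments and the conn line are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_mirror(conf_a: str, conf_b: str) -> list:
    """Findings when two ends' files do not describe the same tunnel seen from opposite sides."""
    a, b = parse_conn(conf_a), parse_conn(conf_b)
    findings = []
    # What A calls left must be what B calls right, and vice versa.
    for ka, kb in (("leftid", "rightid"), ("leftsubnet", "rightsubnet"),
                   ("rightid", "leftid"), ("rightsubnet", "leftsubnet")):
        if a.get(ka) != b.get(kb):
            findings.append(f"{ka}={a.get(ka)} on A but {kb}={b.get(kb)} on B")
    # Each side dials the other's public id, never the other's NAT-internal address.
    if a.get("right") != b.get("leftid"):
        findings.append(f"A dials right={a.get('right')} but B identifies as leftid={b.get('leftid')}")
    if b.get("right") != a.get("leftid"):
        findings.append(f"B dials right={b.get('right')} but A identifies as leftid={a.get('leftid')}")
    # Proposals must overlap; keeping them identical on both ends is the simplest way to ensure that.
    for key in ("ike", "phase2alg", "pfs", "type", "authby", "keyexchange"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    return findings


if __name__ == "__main__":
    print(render_conn(CHONGQING, HONGKONG))
    print(check_mirror(render_conn(CHONGQING, HONGKONG), render_conn(HONGKONG, CHONGQING)))
```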

9. Restarting the service on both ends and bringing up the tunnel

```
# restart the service on both ends and watch the log
[root@VM_0_15_centos ~]# systemctl restart ipsec && tailf /var/log/pluto.log
Mar 24 11:13:31.653094: RFC 2104: MD5_HMAC test 2
Mar 24 11:13:31.653253: RFC 2104: MD5_HMAC test 3
Mar 24 11:13:31.653454: 1 CPU cores online
Mar 24 11:13:31.653463: starting up 1 crypto helpers
Mar 24 11:13:31.653508: started thread for crypto helper 0
Mar 24 11:13:31.653523: Using Linux XFRM/NETKEY IPsec kernel support code on 3.10.0-514.21.1.el7.x86_64
Mar 24 11:13:31.653842: selinux support is NOT enabled.
Mar 24 11:13:31.653857: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Mar 24 11:13:31.653861: watchdog: sending probes every 100 secs
Mar 24 11:13:31.658117: added connection description "test-vm-test"
Mar 24 11:13:31.663092: listening for IKE messages
Mar 24 11:13:31.663151: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
Mar 24 11:13:31.663164: adding interface tun0/tun0 (esp-hw-offload not supported by kernel) 10.8.0.1:500
Mar 24 11:13:31.663179: adding interface tun0/tun0 10.8.0.1:4500
Mar 24 11:13:31.663193: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 172.30.0.15:500
Mar 24 11:13:31.663206: adding interface eth0/eth0 172.30.0.15:4500
Mar 24 11:13:31.663220: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Mar 24 11:13:31.663233: adding interface lo/lo 127.0.0.1:4500
Mar 24 11:13:31.664646: loading secrets from "/etc/ipsec.secrets"
Mar 24 11:13:31.664699: loading secrets from "/etc/ipsec.d/test-vm.secrets"
Mar 24 11:13:31.665433: "test-vm-test" #1: initiating IKEv2 IKE SA
Mar 24 11:13:31.665462: "test-vm-test": local IKE proposals (IKE SA initiator selecting KE):
Mar 24 11:13:31.665475: "test-vm-test":   1:IKE=3DES-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Mar 24 11:13:31.666747: "test-vm-test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Mar 24 11:13:31.698633: "test-vm-test": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
Mar 24 11:13:31.698669: "test-vm-test":   1:ESP=3DES-HMAC_SHA1_96-NONE-DISABLED
Mar 24 11:13:31.698718: "test-vm-test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Mar 24 11:13:31.752437: "test-vm-test" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.226.50.61'
Mar 24 11:13:31.752554: "test-vm-test" #2: Authenticated using authby=secret
Mar 24 11:13:31.795116: "test-vm-test" #2: negotiated connection [172.30.0.0-172.30.0.255:0-65535 0] -> [172.19.0.0-172.19.0.255:0-65535 0]
Mar 24 11:13:31.795155: "test-vm-test" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xead78a70 <0x677c8223 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.226.50.61:4500 DPD=passive}
```

Seeing "IPsec SA established tunnel mode" in the log means the tunnel came up.
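To turn that visual check into something a monitor can run, here is an added example (my code, not from the post) that parses the pluto.log lines shown in this section: it reports whether the IPsec SA came up, in which mode, behind NAT-T or not, with which SPIs and algorithms, and flags the 3DES and SHA-1 that the post's ike=3des-sha1 setting negotiated. The log format is libreswan 3.31's as shown above; the function names are this example's.

```python
import re

# Constructed sample: lines copied from the pluto.log excerpt above (trimmed to the ones that matter).
SAMPLE_LOG = """\
Mar 24 11:13:31.665433: "test-vm-test" #1: initiating IKEv2 IKE SA
Mar 24 11:13:31.698718: "test-vm-test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Mar 24 11:13:31.752437: "test-vm-test" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.226.50.61'
Mar 24 11:13:31.752554: "test-vm-test" #2: Authenticated using authby=secret
Mar 24 11:13:31.795155: "test-vm-test" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xead78a70 <0x677c8223 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.226.50.61:4500 DPD=passive}
"""

# Algorithm name tokens that should not appear in a new deployment, with the reason for the report.
WEAK_TOKENS = {
    "DES": "single DES", "3DES": "64-bit block cipher (Sweet32)",
    "MD5": "broken hash", "SHA1": "deprecated hash",
    "MODP1024": "1024-bit DH group", "MODP1536": "1536-bit DH group", "NULL": "no encryption",
}

_MSG_RE = re.compile(r'^\S+ \d+ [\d:.]+: "([^"]+)"(?: #(\d+))?: (.*)$')
_KV_RE = re.compile(r"(\w+)=([^\s}]+)")


def parse_pluto_log(text: str) -> dict:
    """Extract tunnel state and negotiated algorithms from pluto.log lines of one connection."""
    info = {"conn": None, "established": False, "mode": None, "peer_id": None, "auth": None,
            "ike": {}, "esp": None, "spi_out": None, "spi_in": None, "nat_t": False}
    for line in text.splitlines():
        m = _MSG_RE.match(line)
        if not m:
            continue                      # startup chatter without a connection name
        conn, _state_no, msg = m.groups()
        info["conn"] = conn
        if "{auth=" in msg and "cipher=" in msg:
            info["ike"] = dict(_KV_RE.findall(msg[msg.index("{"):]))
        elif "peer ID is" in msg:
            pid = re.search(r"'([^']+)'", msg)
            info["peer_id"] = pid.group(1) if pid else None
        elif "Authenticated using" in msg:
            info["auth"] = msg.split("Authenticated using ", 1)[1]
        elif "IPsec SA established" in msg:
            info["established"] = True
            mode = re.search(r"established (\w+) mode", msg)
            info["mode"] = mode.group(1) if mode else None
            # ESP/NAT=> marks UDP encapsulation; the two SPIs are outbound then inbound.
            sa = re.search(r"ESP(/NAT)?=>(0x[0-9a-f]+) <(0x[0-9a-f]+) xfrm=(\S+)", msg)
            if sa:
                info["nat_t"] = sa.group(1) is not None
                info["spi_out"], info["spi_in"], info["esp"] = sa.group(2), sa.group(3), sa.group(4)
    return info


def weak_algorithms(info: dict) -> list:
    """Report weak tokens in the negotiated IKE and ESP algorithm strings."""
    findings = []
    used = {"IKE cipher": info["ike"].get("cipher"), "IKE integ": info["ike"].get("integ"),
            "IKE prf": info["ike"].get("prf"), "IKE group": info["ike"].get("group"),
            "ESP": info["esp"]}
    for role, alg in used.items():
        if not alg:
            continue
        for token in re.findall(r"[A-Za-z0-9]+", alg):   # 3DES_CBC-HMAC_SHA1_96 -> 3DES, CBC, HMAC, SHA1, 96
            if token in WEAK_TOKENS:
                findings.append(f"{role} {alg}: {token} is {WEAK_TOKENS[token]}")
    return findings


if __name__ == "__main__":
    state = parse_pluto_log(SAMPLE_LOG)
    print(state)
    for finding in weak_algorithms(state):
        print("WEAK:", finding)
```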

9.1 Checking the tunnel state

ipsec auto --status

```
[root@VM_0_15_centos ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.30.0.15:4500
000 interface eth0/eth0 172.30.0.15:500
000 interface tun0/tun0 10.8.0.1:4500
000 interface tun0/tun0 10.8.0.1:500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.31, pluto_vendorid=OE-Libreswan-3.31, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "test-vm-test": 172.30.0.0/24===172.30.0.15<172.30.0.15>[192.191.91.71]---172.30.0.1...192.226.50.61<192.226.50.61>===172.19.0.0/24; erouted; eroute owner: #2
000 "test-vm-test":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test-vm-test":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "test-vm-test":   our auth:secret, their auth:secret
000 "test-vm-test":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "test-vm-test":   policy_label:unset;
000 "test-vm-test":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "test-vm-test":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "test-vm-test":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "test-vm-test":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "test-vm-test":   v2-auth-hash-policy: none;
000 "test-vm-test":   conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test-vm-test":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "test-vm-test":   our idtype: ID_IPV4_ADDR; our id=192.191.91.71; their idtype: ID_IPV4_ADDR; their id=192.226.50.61
000 "test-vm-test":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "test-vm-test":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "test-vm-test":   IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "test-vm-test":   IKEv2 algorithm newest: 3DES_CBC_192-HMAC_SHA1-MODP2048
000 "test-vm-test":   ESP algorithms: 3DES_CBC-HMAC_SHA1_96
000 "test-vm-test":   ESP algorithm newest: 3DES_CBC_192-HMAC_SHA1_96; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(1), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "test-vm-test":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 2444s; newest ISAKMP; idle;
000 #2: "test-vm-test":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 27885s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "test-vm-test" esp.ead78a70@192.226.50.61 esp.677c8223@172.30.0.15 tun.0@192.226.50.61 tun.0@172.30.0.15 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #3: "test-vm-test":500 STATE_PARENT_R1 (received v2I1, sent v2R1); EVENT_SO_DISCARD in 37s; idle;
000
000 Bare Shunt list:
000
```

10. Testing connectivity

Ping the peer's private IP from each end:

```
[root@VM_0_15_centos ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:47:0b:03 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.15/20 brd 172.30.15.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
[root@VM_0_15_centos ~]# ip route
default via 172.30.0.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
169.254.0.0/16 dev eth0 scope link metric 1002
172.30.0.0/20 dev eth0 proto kernel scope link src 172.30.0.15
[root@VM_0_15_centos ~]# ping 172.19.0.13
PING 172.19.0.13 (172.19.0.13) 56(84) bytes of data.
64 bytes from 172.19.0.13: icmp_seq=1 ttl=64 time=40.2 ms
^C
---
[root@VM_0_13_centos ipsec.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:16:68:89 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.13/20 brd 172.19.15.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe16:6889/64 scope link
       valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
[root@VM_0_13_centos ipsec.d]# ping 172.30.0.15
PING 172.30.0.15 (172.30.0.15) 56(84) bytes of data.
64 bytes from 172.30.0.15: icmp_seq=1 ttl=64 time=40.1 ms
^C
[root@VM_0_13_centos ipsec.d]# ip route
default via 172.19.0.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
172.19.0.0/20 dev eth0 proto kernel scope link src 172.19.0.13
```

We can see that the network is connected; looking at the routing table, IPsec-related route entries have been added.

11. Pitfalls:

- Mismatched pre-shared keys
- On a VPS in NAT mode, the configuration file must use the private IP for the local end and the public IP for the peer
- With the ike=3des-sha1 algorithm, appending dh24 stopped ipsec from connecting

12. Troubleshooting

12.1 tcpdump

```
# capture IKE (udp 500/4500) and ESP on the external interface; the filter needs "or", not "and"
tcpdump -n -i <interface> esp or udp port 500 or udp port 4500
00:32:32.632165 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:32.632592 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 7, length 64
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:33.632731 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 8, length 64
00:32:34.632183 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1c), length 132
00:32:34.632607 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1c), length 132
00:32:34.632607 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 9, length 64
00:32:35.632233 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1d), length 132
00:32:35.632685 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1d), length 132
00:32:35.632685 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 10, length 64
```

12.2 Reading the log

```
# tailf /var/log/pluto.log
Mar 24 11:13:31.665433: "test-vm-test" #1: initiating IKEv2 IKE SA
Mar 24 11:13:31.665462: "test-vm-test": local IKE proposals (IKE SA initiator selecting KE):
Mar 24 11:13:31.665475: "test-vm-test":   1:IKE=3DES-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Mar 24 11:13:31.666747: "test-vm-test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Mar 24 11:13:31.698633: "test-vm-test": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
Mar 24 11:13:31.698669: "test-vm-test":   1:ESP=3DES-HMAC_SHA1_96-NONE-DISABLED
Mar 24 11:13:31.698718: "test-vm-test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Mar 24 11:13:31.752437: "test-vm-test" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.226.50.61'
Mar 24 11:13:31.752554: "test-vm-test" #2: Authenticated using authby=secret
Mar 24 11:13:31.795116: "test-vm-test" #2: negotiated connection [172.30.0.0-172.30.0.255:0-65535 0] -> [172.19.0.0-172.19.0.255:0-65535 0]
Mar 24 11:13:31.795155: "test-vm-test" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xead78a70 <0x677c8223 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.226.50.61:4500 DPD=passive}
```

12.3 Checking status

ipsec auto --status

12.4 Bringing up a connection by hand

ipsec auto --up <connection-name>

