一、主要參考資料:
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basic
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/site2site
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basics
https://oldwiki.archive.openwrt.org/inbox/strongswan.howto
https://www.xiaocan.me/linux-strongswan-cilent/
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/
https://wiki.strongswan.org/issues/2071
http://blog.sina.com.cn/s/blog_517c21c00102wvij.html
二、具體筆記
1、安裝strongswan:
opkg update # refresh the package lists before installing
# strongswan-ipsec presumably provides the /usr/sbin/ipsec wrapper used further below;
# strongswan-mod-kernel-libipsec + kmod-tun move ESP processing into userland behind a
# TUN device, which is where the ipsec0 interface checked later in these notes comes from.
# NOTE(review): the 3DES/MD5 algorithms named in the proposals below ship as separate
# strongswan-mod-* plugin packages on OpenWrt — run `ipsec listalgs` after installing and
# add the matching plugin packages if they are not listed.
opkg install strongswan-ipsec strongswan-mod-kernel-libipsec kmod-tun
2、修改/tmp/ipsec/ipsec.conf
root@OpenWrt:/tmp/ipsec# cat ipsec.conf
# generated by /etc/init.d/ipsec
# NOTE(review): the header above says the init script renders this file, and /tmp is
# normally tmpfs on OpenWrt, so edits made here by hand are presumably lost on reboot
# or on the next init-script restart — confirm how the script builds it and keep a
# persistent copy under /etc.
# The pre-shared key is not part of this file: it belongs in ipsec.secrets
# (selector form `%any 111.111.111.111 : PSK "<placeholder>"`), which these notes omit.
version 2
conn dmz
left=%any #our own address is taken from whichever interface reaches right (dynamic WAN IP)
right=111.111.111.111 #public IP of the peer (central) gateway
leftsubnet=192.168.23.0/24 #LAN prefix behind this router
ikelifetime=3h #IKE SA lifetime before rekeying
lifetime=1h #CHILD (ESP) SA lifetime before rekeying
margintime=9m #start rekeying this long before an SA expires
keyingtries=3 #give up on a connection attempt after this many tries
dpdaction=none #dead peer detection disabled, so a silently vanished peer is only noticed at rekey time
dpddelay=30s #presumably has no effect while dpdaction=none — confirm
leftauth=psk #we authenticate with the pre-shared key
rightauth=psk #and expect the peer to do the same
rightsubnet=192.168.10.0/24 #LAN prefix behind the peer gateway
auto=route #how the tunnel is brought up: add / route / start; route installs a trap policy and negotiates on the first matching packet
leftid=IPSEC-TEST #identity sent to the peer; must match what the peer's configuration expects
keyexchange=ikev1 #IKEv1 as required by the peer. NOTE(review): with PSK and left=%any, main mode means the peer has to select the PSK before it sees leftid — confirm the peer side is set up for that
type=tunnel #tunnel mode: whole IP packets are encapsulated, the usual choice for subnet-to-subnet
esp=3des-md5-modp1024 #phase-2 proposal, must match the peer; DH group 2 is written modp1024, see the references above for the other groups. NOTE(review): 3DES/MD5/MODP-1024 are legacy, presumably kept only because the peer demands them — prefer e.g. aes256-sha256-modp2048 wherever the peer can
ike=3des-md5-modp1024 #phase-1 proposal, must match the peer; same legacy-algorithm caveat as esp= above
forceencaps = yes #force UDP encapsulation (NAT-T) even when no NAT is detected; helps through gateways that drop raw ESP, set per environment. NOTE(review): the other keys have no spaces around '=' — confirm the parser accepts this form
2、修改/etc/firewall.user
# Let IPsec-protected traffic through every chain it can traverse.  The policy
# match picks packets that were, or are about to be, carried inside an ESP SA,
# and -I puts each rule ahead of the OpenWrt zone rules.  NOTE(review): this
# trusts everything that comes out of the tunnel; if the peer LAN should not
# reach every local host, narrow the FORWARD rules with -s/-d to the
# leftsubnet/rightsubnet pair from ipsec.conf.  IKE itself (udp/500, udp/4500)
# is not opened here, which is presumably fine while this side initiates
# (left=%any); add it if the peer may initiate.
while read -r chain dir; do
  iptables -I "$chain" -m policy --dir "$dir" --pol ipsec --proto esp -j ACCEPT
done <<'EOF'
INPUT in
FORWARD in
FORWARD out
OUTPUT out
EOF
3、/etc/config/ipsec(無用的,可以無視之)
# NOTE(review): the notes treat this file as unused, yet /tmp/ipsec/ipsec.conf above
# carries a "generated by /etc/init.d/ipsec" header, which suggests the init script
# renders it from this UCI file — confirm which file the running daemon actually
# reads before discarding this one.
config 'ipsec'
list listen ''
option 'debug' '0'
option 'interface' 'eth0.3'
# 'aaaaaaaaaa' is a placeholder: use a long random pre-shared key and keep this file
# readable by root only, since the key is stored in clear text here.
config 'remote' 'aaa'
option 'enabled' '1'
option 'gateway' '1.1.1.1'
option 'pre_shared_key' 'aaaaaaaaaa'
option 'exchange_mode' 'main'
option 'authentication_method' 'psk'
option 'local_identifier' 'IPSEC-TEST-1'
list 'p1_proposal' 'pre_g2_des_sha1'
list 'tunnel' 'aaa_dmz'
list 'tunnel' 'aaa_lan'
# Phase-1 proposal: single DES with SHA-1 and DH group 2 — legacy algorithms,
# weaker still than the 3DES/MD5 set in ipsec.conf above.
config 'p1_proposal' 'pre_g2_des_sha1'
option 'encryption_algorithm' 'des'
option 'hash_algorithm' 'sha1'
option 'dh_group' '2'
config 'tunnel' 'aaa_lan'
option 'local_subnet' '192.168.23.0/24'
option 'remote_subnet' '192.168.10.0/24'
option 'p2_proposal' 'g2_des_sha1'
option 'keyexchange' 'ikev1'
config 'tunnel' 'aaa_dmz'
option 'local_subnet' '192.168.23.0/24'
option 'remote_subnet' '192.168.15.0/24'
option 'p2_proposal' 'g2_des_sha1'
option 'keyexchange' 'ikev1'
# Phase-2 proposal with PFS on DH group 2; same legacy-algorithm caveat as above.
config 'p2_proposal' 'g2_des_sha1'
option 'pfs_group' '2'
option 'encryption_algorithm' 'des'
option 'authentication_algorithm' 'sha1'
4、手動啓動命令
/usr/sbin/ipsec start #start the strongSwan daemon
/usr/sbin/ipsec up dmz #bring the "dmz" conn up by hand (needed with auto=add; with auto=route a matching packet also triggers it)
/usr/sbin/ipsec statusall #loaded conns, negotiated IKE/CHILD SAs and the algorithms in use — the first place to look when the tunnel does not come up
ifconfig ipsec0 #once the tunnel is up, the libipsec backend installed above should have created the ipsec0 TUN device
5、添加路由:
route add -net 192.168.10.0/24 dev ipsec0 #steer traffic for the peer LAN (rightsubnet) into the ipsec0 TUN device. NOTE(review): a route added by hand does not survive a reboot, and the libipsec backend presumably installs its own routes (check `ip route show table all`) — confirm this step is really needed before automating it
6、最後發現:
hillstone的垃圾只可以一個連接,當第二個IPSEC連上去會把第一個IPSEC踢掉!!!!!!