Notes on configuring strongSwan on OpenWrt to peer with a Hillstone IPsec gateway

I. Main references:

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basic

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/site2site

https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basics

https://oldwiki.archive.openwrt.org/inbox/strongswan.howto

https://www.xiaocan.me/linux-strongswan-cilent/

https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/

https://wiki.strongswan.org/issues/2071

http://blog.sina.com.cn/s/blog_517c21c00102wvij.html


II. The notes

1. Install strongSwan:

opkg update
opkg install strongswan-ipsec strongswan-mod-kernel-libipsec kmod-tun


2. Edit /tmp/ipsec/ipsec.conf

root@OpenWrt:/tmp/ipsec# cat ipsec.conf
# generated by /etc/init.d/ipsec
version 2

conn dmz
  left=%any
  right=111.111.111.111      # public IP of the head end (the Hillstone side)
  leftsubnet=192.168.23.0/24     # subnet of the local LAN
  ikelifetime=3h
  lifetime=1h
  margintime=9m
  keyingtries=3
  dpdaction=none
  dpddelay=30s
  leftauth=psk
  rightauth=psk
  rightsubnet=192.168.10.0/24       # internal subnet behind the head end
  auto=route             # how the tunnel is brought up; one of add, route, start
  leftid=IPSEC-TEST      # this ID must match the peer ID configured on the head end
  keyexchange=ikev1
  type=tunnel
  esp=3des-md5-modp1024        # phase 2 (ESP) proposal; must match the head end. Note that DH group 2 is written modp1024; see the references above for the other groups
  ike=3des-md5-modp1024        # phase 1 (IKE) proposal; must match the head end
  forceencaps=yes              # reportedly forces UDP encapsulation; yes gets through more gateways, so pick yes/no as the situation requires

3. Edit /etc/firewall.user

iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT

4. /etc/config/ipsec (not used; can be ignored)

config 'ipsec'
  list listen ''
  option 'debug' '0'
  option 'interface' 'eth0.3'
  
config 'remote' 'aaa'
  option 'enabled' '1'
  option 'gateway' '1.1.1.1'
  option 'pre_shared_key' 'aaaaaaaaaa'
  option 'exchange_mode' 'main'
  option 'authentication_method' 'psk'
  option 'local_identifier' 'IPSEC-TEST-1'
  list   'p1_proposal' 'pre_g2_des_sha1'

  list   'tunnel' 'aaa_dmz'
  list   'tunnel' 'aaa_lan'

config 'p1_proposal' 'pre_g2_des_sha1'
  option 'encryption_algorithm' 'des'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' '2'

config 'tunnel' 'aaa_lan'
  option 'local_subnet' '192.168.23.0/24'
  option 'remote_subnet' '192.168.10.0/24'
  option 'p2_proposal' 'g2_des_sha1'
  option 'keyexchange' 'ikev1'
  
config 'tunnel' 'aaa_dmz'
  option 'local_subnet' '192.168.23.0/24'
  option 'remote_subnet' '192.168.15.0/24'
  option 'p2_proposal' 'g2_des_sha1'
  option 'keyexchange' 'ikev1'
  
config 'p2_proposal' 'g2_des_sha1'
  option 'pfs_group' '2'
  option 'encryption_algorithm' 'des'
  option 'authentication_algorithm' 'sha1'
  

5. Manual start commands

/usr/sbin/ipsec start      # start the IPsec daemon
/usr/sbin/ipsec up dmz     # bring up the dmz tunnel by hand (when auto=add or auto=route above)
/usr/sbin/ipsec statusall  # show the ipsec configuration and running status

ifconfig ipsec0       # check whether the ipsec0 virtual interface appears once the tunnel is up

6. Add the route:

route add -net 192.168.10.0/24 dev ipsec0

7. Final finding:

That Hillstone junk only allows a single connection: when a second IPsec peer connects, it kicks the first one off!
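A small configuration review for the ipsec.conf in step 2, added here as an example and not part of the original notes or of strongSwan itself: it parses one conn section (tolerating the inline comments and the spaces around "=" seen above), builds ike=/esp= strings from a Hillstone-style enc/hash/DH-group triple using the dh2 = modp1024 mapping the notes point out, and lists missing parameters and weak algorithms. The DH_GROUPS table, the WEAK set and the REQUIRED tuple are this example's own choices.

```python
# DH group number -> strongSwan keyword (the notes point out that dh2 is modp1024)
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384"}
# Algorithms strongSwan still accepts but that a config review should flag (example's choice)
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}
# Parameters the IKEv1 PSK net-to-net conn in the notes relies on (example's choice)
REQUIRED = ("right", "leftsubnet", "rightsubnet", "leftid", "leftauth", "rightauth", "keyexchange", "ike", "esp")

def proposal(enc, integ, dh_group):
    """Build an ike=/esp= value from the enc/hash/DH-group triple a Hillstone proposal is written in."""
    return f"{enc}-{integ}-{DH_GROUPS[dh_group]}"

def parse_conn(text, name):
    """Return the key=value pairs of 'conn <name>'; '#' comments and spaces around '=' are tolerated."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comment
        if not line:
            continue
        if line.split()[0] in ("conn", "config", "ca"):   # new section header
            inside = line.split() == ["conn", name]
            continue
        if inside and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def check_conn(params):
    """List what a reviewer would want fixed before the tunnel goes live."""
    findings = [f"missing {k}" for k in REQUIRED if k not in params]
    for key in ("ike", "esp"):
        for alg in params.get(key, "").rstrip("!").split("-"):   # '!' marks a strict proposal
            if alg in WEAK:
                findings.append(f"weak {key} algorithm: {alg}")
    return findings

# Constructed sample: the conn from step 2 of the notes, comments and spacing included
SAMPLE_CONF = """conn dmz
  right=111.111.111.111      # public IP of the head end
  leftsubnet=192.168.23.0/24
  rightsubnet=192.168.10.0/24
  leftauth=psk
  rightauth=psk
  leftid=IPSEC-TEST
  keyexchange=ikev1
  esp=3des-md5-modp1024
  ike=3des-md5-modp1024
  forceencaps = yes
"""
```

Running check_conn(parse_conn(SAMPLE_CONF, "dmz")) reports the six weak algorithm choices in the sample and nothing missing.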
