一、主要参考资料:
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basic
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/site2site
https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basics
https://oldwiki.archive.openwrt.org/inbox/strongswan.howto
https://www.xiaocan.me/linux-strongswan-cilent/
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/
https://wiki.strongswan.org/issues/2071
http://blog.sina.com.cn/s/blog_517c21c00102wvij.html
二、具体笔记
1、安装strongswan:
# Refresh the package index first so the install below resolves current versions.
opkg update
# strongswan-ipsec presumably provides the /usr/sbin/ipsec frontend used further
# down; strongswan-mod-kernel-libipsec plus kmod-tun give the userland IPsec path
# over a TUN device, which is presumably where the ipsec0 interface used later
# comes from — confirm against the installed plugin docs.
opkg install strongswan-ipsec strongswan-mod-kernel-libipsec kmod-tun
2、修改/tmp/ipsec/ipsec.conf(注意:下面的文件头写明该文件由/etc/init.d/ipsec生成,且/tmp不会跨重启保留,手工修改可能在ipsec服务重启或设备重启后丢失,之后需重新检查)
root@OpenWrt:/tmp/ipsec# cat ipsec.conf
# generated by /etc/init.d/ipsec
version 2
conn dmz
left=%any
right=111.111.111.111 #主端的公网IP地址
leftsubnet=192.168.23.0/24 #本地LAN端的IP地址段
ikelifetime=3h
lifetime=1h
margintime=9m
keyingtries=3
dpdaction=none
dpddelay=30s
leftauth=psk
rightauth=psk
rightsubnet=192.168.10.0/24 #主端的内网IP地址段
auto=route #这个参数定义IPSEC隧道的启动方式,可选add/route/start
leftid=IPSEC-TEST #这个ID根据主端的IPSEC配置来匹配
keyexchange=ikev1
type=tunnel
esp=3des-md5-modp1024 #IPSEC第二阶段的协商加密协议,需与主端匹配,注意dh2对应是modp1024的写法,其它dh组对应值查看上面资料;3des、md5、modp1024(dh2)均为已过时的弱算法,仅在主端不支持更强算法时使用,可行时优先aes、sha2、modp2048及以上
ike=3des-md5-modp1024 #IPSEC第一阶段的协商加密协议,需与主端匹配;算法强弱的说明同上
forceencaps = yes #强制对ESP做UDP封装(NAT-T),即使未检测到NAT;yes后可以适配更多的网关转发,需视情况yes/no
3、修改/etc/firewall.user
# /etc/firewall.user: accept packets the kernel has matched to an IPsec (ESP)
# policy, one rule per chain/direction. These are inserted (-I) at the head of
# each chain and carry no -s/-d or port restriction, so everything arriving
# through the tunnel (the whole remote subnet) reaches the local LAN unfiltered;
# narrow them if the peer should not have full access.
# NOTE(review): strongswan-mod-kernel-libipsec (installed above) carries traffic
# over the ipsec0 TUN device rather than kernel XFRM; confirm that
# "-m policy --pol ipsec" actually matches in that setup, otherwise the tunnel
# traffic needs zone/forwarding rules for ipsec0 instead.
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
4、/etc/config/ipsec(无用的,可以无视之)
config 'ipsec'
list listen ''
option 'debug' '0'
option 'interface' 'eth0.3'
config 'remote' 'aaa'
option 'enabled' '1'
option 'gateway' '1.1.1.1'
option 'pre_shared_key' 'aaaaaaaaaa'
option 'exchange_mode' 'main'
option 'authentication_method' 'psk'
option 'local_identifier' 'IPSEC-TEST-1'
list 'p1_proposal' 'pre_g2_des_sha1'
list 'tunnel' 'aaa_dmz'
list 'tunnel' 'aaa_lan'
config 'p1_proposal' 'pre_g2_des_sha1'
option 'encryption_algorithm' 'des'
option 'hash_algorithm' 'sha1'
option 'dh_group' '2'
config 'tunnel' 'aaa_lan'
option 'local_subnet' '192.168.23.0/24'
option 'remote_subnet' '192.168.10.0/24'
option 'p2_proposal' 'g2_des_sha1'
option 'keyexchange' 'ikev1'
config 'tunnel' 'aaa_dmz'
option 'local_subnet' '192.168.23.0/24'
option 'remote_subnet' '192.168.15.0/24'
option 'p2_proposal' 'g2_des_sha1'
option 'keyexchange' 'ikev1'
config 'p2_proposal' 'g2_des_sha1'
option 'pfs_group' '2'
option 'encryption_algorithm' 'des'
option 'authentication_algorithm' 'sha1'
5、手动启动命令
# Manual operation, in the order used during testing.
/usr/sbin/ipsec start # start the IPsec daemon
/usr/sbin/ipsec up dmz # bring up the "dmz" conn by hand (needed when auto=add or auto=route above)
/usr/sbin/ipsec statusall # show the loaded configuration and runtime status
ifconfig ipsec0 # check whether the ipsec0 virtual interface exists once the tunnel is up
6、添加路由:
# Send the peer's subnet (rightsubnet above) out through the ipsec0 device.
# This is a runtime-only route: it is gone after a reboot or when ipsec0 is
# torn down and recreated, so re-add it (or make it persistent) afterwards.
route add -net 192.168.10.0/24 dev ipsec0
7、最后发现:
hillstone的垃圾只可以一个连接,当第二个IPSEC连上去会把第一个IPSEC踢掉!!!!!!(推测:两个分支若使用相同的leftid和PSK,对端可能把新连接当作同一对端重连而替换掉旧的SA;若主端允许,可为每个分支配置不同的ID/PSK后再验证)