通过上次的案例,我们已经掌握了strongSwan和VSR基于IKEv1主模式进行对接的配置方法。有同学提出,实际使用中穿越NAT在所难免,其实这种也好解决,按照前面配置H3C的思路,我们调整对应的配置为野蛮模式+FQDN应该就可以了。
本次我们先把VSR作为公网端,strongSwan经过NAT设备和VSR进行对接。
照例,我们先调整VSR的配置:
# ike keychain swan pre-shared-key hostname swan key simple swan # ike proposal 20 encryption-algorithm aes-cbc-128 dh group2 authentication-algorithm sha256 # ike profile swan keychain swan exchange-mode aggressive local-identity address 49.7.205.89 match remote identity fqdn swan proposal 20 # acl advanced 3402 rule 0 permit ip source 172.30.1.0 0.0.0.255 destination 172.27.3.0 0.0.0.255 # ipsec transform-set swan esp encryption-algorithm aes-cbc-128 esp authentication-algorithm sha256 # ipsec policy swan 10 isakmp transform-set swan security acl 3402 local-address 172.30.3.19 ike-profile swan # interface GigabitEthernet1/0 ipsec apply policy swan
然后调整strongSwan的配置,主要是修改为IKEv1一阶段的交互模式为野蛮模式,并且修改身份验证为FQDN。
# cat /etc/strongswan/ipsec.conf conn swan aggressive = yes authby = psk keyexchange=ikev1 left= 192.168.222.131 leftid=swan leftsubnet= 172.27.3.0/24 right= 49.7.205.89 rightid= 49.7.205.89 rightsubnet= 172.30.1.0/24 auto=route ike = aes128-sha256-modp1024 esp = aes128-sha256 ikelifetime=86400
配置预共享密钥到ipsec.secrets文件中。
# cat /etc/strongswan/ipsec.secrets swan 49.7.205.89 : PSK swan
配置完成之后重新启动strongSwan服务。
strongswan restart
然后从strongSwan下连的主机发起访问请求。
访问失败,IKE一阶段协商成功,二阶段协商失败。
从VSR上查看,也是一样的状态。
对比之前的实验配置,应该是要换成IPsec模板试一下,把IPsec兴趣流也去掉。
# ipsec policy-template swant 1 transform-set swan local-address 172.30.3.19 ike-profile swan # ipsec policy swan 10 isakmp template swant
再次触发IPsec协商,隧道建立成功。
再次查看strongSwan状态,IKE第二阶段协商成功。
在VSR上查看IPsec SA信息。
不过有个地方我不太理解了,为啥开了ICMP超时报文发送功能和ICMP目的不可达报文发送功能之后,tracert路径还是会显示为*呢?
梳理一下配置。strongSwan配置如下:
# cat /etc/strongswan/ipsec.conf conn swan aggressive = yes authby = psk keyexchange=ikev1 left= 192.168.222.131 leftid=swan leftsubnet= 172.27.3.0/24 right= 49.7.205.89 rightid= 49.7.205.89 rightsubnet= 172.30.1.0/24 auto=route ike = aes128-sha256-modp1024 esp = aes128-sha256 ikelifetime=86400 # cat /etc/strongswan/ipsec.secrets swan 49.7.205.89 : PSK swan
VSR配置如下:
# interface GigabitEthernet1/0 ip address 172.30.3.19 255.255.255.0 ipsec apply policy swan # ipsec transform-set swan esp encryption-algorithm aes-cbc-128 esp authentication-algorithm sha256 # ipsec policy-template swant 1 transform-set swan local-address 172.30.3.19 ike-profile swan # ipsec policy swan 10 isakmp template swant # ike profile swan keychain swan exchange-mode aggressive local-identity address 49.7.205.89 match remote identity fqdn swan proposal 20 # ike proposal 20 encryption-algorithm aes-cbc-128 dh group2 authentication-algorithm sha256 # ike keychain swan pre-shared-key hostname swan key simple swan
