strongswan (by quqi99)

作者：张华发表于：2025-07-16
版权声明：可以任意转载，转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明

注意: 下列还未调通, 有时间再弄.

问题

两个虚机如下, 现在从i1(dev_net=10.149.142.107, 192.168.10.122)上可以ping 192.168.12.2, 现在的需求是在bastion(10.149.144.44)上也可以直接ping 192.168.12.2, 那需要在i1与bastion上安装strongswan(site-to-site)解决.

复制代码

$ openstack server list |grep -i active
| 6fa7e3d4-f327-43b8-86aa-e9a22df515e6 | cirros | ACTIVE | net1=172.20.1.215, 192.168.12.2                                                                   | cirros-0.4.0 | m1.tiny  |
| 654d9bb0-3099-4852-9699-58ea186c7e57 | i1     | ACTIVE | dev_net=10.149.142.107, 192.168.10.122; ext1=192.168.12.6; ext2=192.168.12.14; ext3=192.168.12.21 | jammy        | m1.small |

$ ssh -i ~/testkey.priv ubuntu@$FIP -- ping 192.168.12.2 -c1 |grep from
64 bytes from 192.168.12.2: icmp_seq=1 ttl=63 time=0.322 ms

步骤

1, 在i1与bastion上安装strongswan( sudo apt install strongswan)

2, 两边生成psk

复制代码

$ openssl rand -base64 32
3kTLtKEi7fywXlhJZda8mI+S/tphJjvU2dz54qf7rFo=

#or: echo ": PSK \"mysecretpsk123\"" | sudo tee /etc/ipsec.secrets
on i1 $ cat /etc/ipsec.secrets
10.149.142.107 10.149.144.44 : PSK "3kTLtKEi7fywXlhJZda8mI+S/tphJjvU2dz54qf7rFo="
on bastion $ cat /etc/ipsec.secrets
10.149.144.44 10.149.142.107 : PSK "3kTLtKEi7fywXlhJZda8mI+S/tphJjvU2dz54qf7rFo="

3, /etc/ipsec.conf on i1, strongswan是双向协商的,

leftsubnet 表示本端的子网范围（即我允许通过的vp流量来源）；

rightsubnet 表示对端的子网范围（即我允许通过vp去往的目标）；

注意: i1只是一个虚机, 它的fixed-ip是192.168.10.122, 它的FIP才是10.149.142.107 (这里用 left=%defaultroute 避免写192.168.10.122)

复制代码

cat << EOF |sudo tee /etc/ipsec.conf
config setup
    uniqueids=no
conn bastion-tunnel
    auto=start
    type=tunnel
    keyexchange=ikev2
    authby=psk
    left=%defaultroute
    leftid=192.168.10.122
    leftsubnet=192.168.12.0/29,192.168.12.8/29,192.168.12.16/29
    right=10.149.144.44 
    rightid=10.149.144.44 
    rightsubnet=0.0.0.0/0
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    ikelifetime=86400s
    lifetime=3600s
EOF

4, /etc/ipsec.conf on bastion

复制代码

cat << EOF |sudo tee /etc/ipsec.conf
config setup
    uniqueids=no
conn i1-tunnel
    auto=start
    type=tunnel
    keyexchange=ikev2
    authby=psk
    left=10.149.144.44 
    leftid=10.149.144.44
    leftsubnet=0.0.0.0/0
    right=192.168.10.122
    rightid=192.168.10.122
    rightsubnet=192.168.12.0/29,192.168.12.8/29,192.168.12.16/29
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    ikelifetime=86400s
    lifetime=3600s
EOF

5, debug tips

复制代码

sudo ipsec restart
sudo ipsec statusall
sudo ufw allow 500/udp
sudo ufw allow 4500/udp
PROJECT_ID=$(openstack project show --domain Default admin -f value -c id)                                                                                                        
SECGRP_ID=$(openstack security group list --project ${PROJECT_ID} | awk '/default/ {print $2}')
openstack security group rule create --proto udp --dst-port 500 --ingress --remote-ip 0.0.0.0/0 $SECGRP_ID
openstack security group rule create --proto udp --dst-port 4500 --ingress --remote-ip 0.0.0.0/0 $SECGRP_ID

sudo sysctl -w net.ipv4.ip_forward=1
sudo journalctl -u strongswan-starter -n 50