Building an IPsec site-to-site tunnel with libreswan to connect the private subnets of two IDCs


Contents

  • Building an IPsec site-to-site tunnel with libreswan to connect the private subnets of two IDCs
    • 1. libreswan overview
      • IKE
      • ESP
      • libreswan features
    • 2. Environment
      • Environment
    • 3. Software installation
      • 3.1 Download libreswan
      • 3.2 Install libreswan
    • 4. Kernel parameters
      • Loading the kernel parameters
    • 5. Start the service and verify the kernel configuration
    • 6. Open UDP 500 and UDP 4500 in the firewall
      • 6.1 Make sure the host firewall allows UDP 500 and UDP 4500
      • 6.2 On cloud hosts, add security-group rules for UDP 500 and 4500 from the peer's IP
      • 6.3 Verify reachability with nmap
    • 7. Configure the pre-shared key
    • 8. Configure the IPsec connection
      • 8.1 Main configuration
      • 8.2 Connection configuration
    • 9. Restart both ends and bring up the tunnel
      • 9.1 Check tunnel status
    • 10. Test connectivity
    • 11. Pitfalls
    • 12. Troubleshooting
      • 12.1 tcpdump
      • 12.2 Logs
      • 12.3 Status
      • 12.4 Bringing a connection up by hand

1. libreswan overview

Libreswan is an open-source implementation of IPsec. It descends from the FreeS/WAN project and is packaged for Red Hat-family Linux distributions. The two halves of an IPsec VPN are summarised below.

An IPsec-based VPN consists of the Internet Key Exchange (IKE) protocol and the Encapsulating Security Payload (ESP) protocol.

IKE

As the name says, IKE authenticates the peers (with a pre-shared key or with public-key credentials), then derives session keys dynamically and agrees them with the peer. The keys used by the second phase (the ESP child SA) also come out of IKE. Libreswan implements IKE in its pluto daemon.

ESP

ESP is handled in the Linux kernel (NETKEY/XFRM): the kernel holds the security associations and policies that pluto negotiates and does the actual encryption and decryption of the traffic.

libreswan features

  • Pre-shared-key authentication.
  • Public-key (certificate) authentication.
  • IKEv1 and IKEv2 key exchange.
  • The NSS cryptographic library.
  • XAUTH and DNSSEC.

In this article we use libreswan to build a site-to-site IPsec tunnel so that the private subnets of two IDCs can reach each other.

2. Environment

Environment:

IDC Chongqing:

  • Private subnet: 172.30.0.0/24 (this is the range used by the configuration and command output below; the interface itself is 172.30.0.15/20, and only the /24 named in leftsubnet is carried by the tunnel)
  • Public IP: 192.191.91.71 (public IPs are altered)
  • Private IP: 172.30.0.15
  • OS: CentOS 7

IDC Hong Kong:

  • Private subnet: 172.19.0.0/24 (the interface is 172.19.0.13/20; again only the /24 is tunnelled)
  • Public IP: 192.226.50.61 (public IPs are altered)
  • Private IP: 172.19.0.13
  • OS: CentOS 7

Both hosts sit in a VPC behind static (1:1) NAT: the public address is not configured on the host itself, which matters for the left/right settings in section 8.

Architecture diagram: (not reproduced here)

3. Software installation

3.1 Download libreswan

The CentOS yum repositories ship a libreswan package, but to pick up the current fixes we install the newest upstream rpm (3.31 at the time of writing, March 2020). Check the file with rpm -K after importing the upstream signing key before installing it; yum localinstall will otherwise accept whatever was downloaded.

# wget  https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.31-1.el7_7.x86_64.rpm

3.2 Install libreswan

yum localinstall -y libreswan-3.31-1.el7_7.x86_64.rpm

[root@VM_0_13_centos ipsec.d]# yum info libreswan
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Installed Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.31
Release     : 1.el7_7
Size        : 4.4 M
Repo        : installed
From repo   : /libreswan-3.31-1.el7_7.x86_64
Summary     : Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
URL         : https://libreswan.org/
License     : GPLv2
Description : Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
            : the Internet Protocol Security and uses strong cryptography to provide
            : both authentication and encryption services.  These services allow you
            : to build secure tunnels through untrusted networks.  Everything passing
            : through the untrusted net is encrypted by the ipsec gateway machine and
            : decrypted by the gateway at the other end of the tunnel.  The resulting
            : tunnel is a virtual private network or VPN.
            :
            : This package contains the daemons and userland tools for setting up
            : Libreswan.
            :
            : Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
            :
            : Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

[root@VM_0_13_centos ipsec.d]# rpm -ql libreswan|grep -E -v "share|libe"
/etc/ipsec.conf                                  # main configuration file
/etc/ipsec.d                                     # drop-in configuration directory
/etc/ipsec.d/policies                            # opportunistic-encryption policy groups
/etc/ipsec.d/policies/block
/etc/ipsec.d/policies/clear
/etc/ipsec.d/policies/clear-or-private
/etc/ipsec.d/policies/portexcludes.conf
/etc/ipsec.d/policies/private
/etc/ipsec.d/policies/private-or-clear
/etc/ipsec.secrets                               # secrets file (PSKs, keys)
/etc/pam.d/pluto                                 # PAM configuration used for XAUTH
/etc/prelink.conf.d
/etc/prelink.conf.d/libreswan-fips.conf
/etc/sysctl.d/50-libreswan.conf                  # kernel parameters shipped with the package
/run/pluto
/usr/lib/systemd/system/ipsec.service            # systemd unit
/usr/lib/tmpfiles.d/libreswan.conf
/usr/lib64/fipscheck/pluto.hmac
/usr/sbin/ipsec                                  # ipsec command-line wrapper
/var/log/pluto
/var/log/pluto/peer

4. Kernel parameters

The package ships the kernel parameters it needs in /etc/sysctl.d/50-libreswan.conf. That is not enough for a gateway: IPsec itself is not a routing protocol, but each host here forwards packets between its own subnet and the tunnel, so IP forwarding must be enabled.

echo "## enable IP forwarding" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Disable reverse-path filtering (add one line per interface, e.g. ens33). Note that rp_filter is the kernel's anti-spoofing check; with it off, the host firewall has to take over that role (section 6). We appended to the package's own 50-libreswan.conf here; a package upgrade may overwrite that file, so a separate drop-in such as /etc/sysctl.d/60-ipsec.conf is the safer place.

echo "## disable reverse-path filtering (add your interface names, e.g. ens33)" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.default.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.eth0.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf

Disable ICMP redirects on every interface (the package file already covers all and default; this adds the per-interface entries):

echo "## disable ICMP redirects" >> /etc/sysctl.d/50-libreswan.conf
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.d/50-libreswan.conf

Loading the kernel parameters

sysctl -p with no argument reads only /etc/sysctl.conf. To load the drop-ins under /etc/sysctl.d as well, run sysctl --system (or name the file: sysctl -p /etc/sysctl.d/50-libreswan.conf).

  • sysctl --system

# cat /etc/sysctl.d/50-libreswan.conf
# when using 1 interface for two networks when using NETKEY, the kernel
# thinks it can be clever by sending a redirect (cause it cannot tell
# an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
#
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
# sysctl --system
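As an added example (not part of the original article), the script below does what this section does by hand, and adds the check a practitioner wants afterwards: one function renders the drop-in for a list of interfaces, the other compares a `sysctl -a` dump with it and reports every key that is missing or wrong. The interface name eth0 and the drop-in path are assumptions; the sample sysctl dump at the end is constructed to show a host where eth0 still has rp_filter on and ip_forward was never set.

```shell
#!/bin/sh
# Added example: render and verify the kernel parameters an IPsec gateway needs.
# Not from the original article; interface names and file paths are assumptions.

# Print "key = value" lines for the gateway: forwarding on, reverse-path
# filtering off (decrypted packets appear on an interface the kernel would
# not expect), and ICMP redirects off (the kernel would otherwise send bogus
# redirects for traffic that was actually encrypted) for all/default and
# for every interface name given as an argument.
ipsec_sysctl_conf() {
    printf 'net.ipv4.ip_forward = 1\n'
    for scope in all default "$@"; do
        printf 'net.ipv4.conf.%s.rp_filter = 0\n' "$scope"
        printf 'net.ipv4.conf.%s.accept_redirects = 0\n' "$scope"
        printf 'net.ipv4.conf.%s.send_redirects = 0\n' "$scope"
    done
}

# Compare expected "key = value" text ($1) with a dump in `sysctl -a` format
# ($2). Prints one line per missing or mismatching key; prints nothing when
# every key has the expected value.
ipsec_sysctl_check() {
    expected=$1
    actual=$2
    printf '%s\n' "$expected" | while IFS= read -r line; do
        key=${line%% = *}
        want=${line##* = }
        got=$(printf '%s\n' "$actual" | awk -v k="$key" \
            '$1 == k { print $3; found = 1 } END { if (!found) print "missing" }')
        [ "$got" = "$want" ] || printf '%s expected=%s got=%s\n' "$key" "$want" "$got"
    done
}

# Constructed sample of `sysctl -a` output: rp_filter still on for eth0,
# ip_forward line absent.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0'

# On a real gateway (assumed drop-in name; keeps the package-owned file intact):
#   ipsec_sysctl_conf eth0 > /etc/sysctl.d/60-ipsec-gateway.conf
#   sysctl --system          # `sysctl -p` alone reads only /etc/sysctl.conf
#   ipsec_sysctl_check "$(ipsec_sysctl_conf eth0)" "$(sysctl -a 2>/dev/null)"
ipsec_sysctl_check "$(ipsec_sysctl_conf eth0)" "$SAMPLE_SYSCTL"
```

Run against the sample it reports two lines, `net.ipv4.ip_forward expected=1 got=missing` and `net.ipv4.conf.eth0.rp_filter expected=0 got=1`; an empty result means the host matches, which is the condition to require before moving on to `ipsec verify`.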

5. Start the service and verify the kernel configuration

  • systemctl start ipsec

[root@VM_0_13_centos ~]# systemctl start ipsec
[root@VM_0_13_centos ~]# systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-03-24 09:36:27 CST; 51min ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
  Process: 2052 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
  Process: 2050 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 2048 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 2044 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 2326 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
  Process: 2324 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 2060 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 2059 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 2338 (pluto)
   Status: "Startup completed."
   CGroup: /system.slice/ipsec.service
           └─2338 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Mar 24 09:36:26 VM_0_13_centos systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Mar 24 09:36:26 VM_0_13_centos systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Mar 24 09:36:27 VM_0_13_centos ipsec[2326]: nflog ipsec capture disabled
Mar 24 09:36:27 VM_0_13_centos systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.

The unit shows as "disabled", so it will not start at boot; run systemctl enable ipsec as well once the configuration works.

  • ipsec verify

[root@VM_0_13_centos ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.31 (netkey) on 3.10.0-1062.9.1.el7.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [OK]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPS   [OK]
Checking for obsolete ipsec.conf options              [OK]

Every line should be [OK]. If a kernel-parameter check still fails after editing the file under /etc/sysctl.d, the usual cause is that sysctl -p was run without an argument and never read the drop-in: run sysctl --system, or set the value directly with sysctl -w, and re-run ipsec verify.

6. Open UDP 500 and UDP 4500 in the firewall

IKE uses UDP port 500.
IKE NAT-Traversal uses UDP port 4500; once NAT is detected, the ESP traffic is carried inside UDP 4500 as well.
Without NAT, ESP runs directly over IP as protocol number 50 (a protocol, not a port).
AH, rarely used, is IP protocol 51.

Both hosts here are behind NAT, so in practice only UDP 500 and UDP 4500 need to be open (the log in section 9 shows NATD=192.226.50.61:4500, i.e. NAT-T is in use). Open them for the peer's public IP only, not for the world.

[root@VM_0_13_centos ~]# netstat -unlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:4500          0.0.0.0:*                           2338/pluto
udp        0      0 172.19.0.13:4500        0.0.0.0:*                           2338/pluto
udp        0      0 127.0.0.1:500           0.0.0.0:*                           2338/pluto
udp        0      0 172.19.0.13:500         0.0.0.0:*                           2338/pluto
udp6       0      0 ::1:500                 :::*                                2338/pluto

6.1 Make sure the host firewall allows UDP 500 and UDP 4500

Our hosts had an empty rule set with ACCEPT policies. That is convenient for a first test but not a configuration to keep, especially with rp_filter disabled in section 4; the rules actually needed are few.

[root@VM_0_13_centos ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

6.2 On cloud hosts, add security-group rules for UDP 500 and 4500 from the peer's IP

6.3 Verify reachability with nmap

nmap reports a UDP port as open|filtered whenever the probe gets no reply, which is also what a silently dropped packet looks like. It rules out an ICMP "port unreachable" but does not prove pluto is reachable; the pluto log on the far end during an IKE attempt is the real test. (The second scan below is run from the Hong Kong host against its own public address and so proves little.)

[root@VM_0_15_centos ~]# nmap -sU 192.226.50.61 -p 500,4500 -Pn
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-24 10:34 CST
Nmap scan report for 192.226.50.61
Host is up.
PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds

[root@VM_0_13_centos ~]# nmap -sU 192.226.50.61 -p 500,4500 -Pn
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-24 10:35 CST
Nmap scan report for 192.226.50.61
Host is up.
PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 3.26 seconds
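As an added example (not part of the original article), here is a small generator for the iptables rules a gateway like the ones in 6.1 and 6.2 needs: IKE, NAT-T and ESP are admitted only from the peer, and traffic between the two subnets is forwarded only when it passed through an IPsec policy, so a plaintext packet arriving on the public side with a spoofed private source is dropped. That last part is what replaces the rp_filter check disabled in section 4. The peer address and subnets in the demo call are the article's; the `-m policy` match needs the xt_policy module, which the CentOS 7 iptables package provides. The function prints the commands instead of running them so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example: print the iptables rules for an IPsec gateway peer.
# Not from the original article. Assumes the rules are appended to an
# existing rule set whose other policy decisions are already in place.

# Accept only a.b.c.d or a.b.c.d/nn so that nothing else reaches the shell.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Arguments: peer public IP, local subnet, remote subnet.
ipsec_fw_rules() {
    peer=$1; local_net=$2; remote_net=$3
    for a in "$peer" "$local_net" "$remote_net"; do
        is_ipv4_or_cidr "$a" || { printf 'bad address: %s\n' "$a" >&2; return 1; }
    done
    # IKE and NAT-T, from the peer's public address only.
    printf 'iptables -A INPUT -p udp -s %s --dport 500 -j ACCEPT\n' "$peer"
    printf 'iptables -A INPUT -p udp -s %s --dport 4500 -j ACCEPT\n' "$peer"
    # ESP is IP protocol 50, not a port. With NAT-T (the article's case) the
    # ESP packets arrive inside UDP 4500 and this rule is simply never hit.
    printf 'iptables -A INPUT -p esp -s %s -j ACCEPT\n' "$peer"
    # Forward between the subnets only if the packet was decrypted from
    # (dir in) or will be encrypted into (dir out) an IPsec tunnel-mode SA.
    printf 'iptables -A FORWARD -s %s -d %s -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT\n' "$remote_net" "$local_net"
    printf 'iptables -A FORWARD -s %s -d %s -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT\n' "$local_net" "$remote_net"
    # Anything else claiming to come from the remote subnet did not arrive
    # through the tunnel and is spoofed.
    printf 'iptables -A FORWARD -s %s -d %s -j DROP\n' "$remote_net" "$local_net"
}

# Review the output, then on the Chongqing gateway run e.g.:
#   ipsec_fw_rules 192.226.50.61 172.30.0.0/24 172.19.0.0/24 | sh
ipsec_fw_rules 192.226.50.61 172.30.0.0/24 172.19.0.0/24
```

On the Hong Kong side the same call is made with the peer set to 192.191.91.71 and the two subnets swapped. If the INPUT policy is DROP rather than ACCEPT, the established/related and management rules the host already needs are unaffected by these six lines.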

7. Configure the pre-shared key

IKE can authenticate the peers with a pre-shared key or with public-key credentials (raw RSA keys, X.509 certificates). Here we use a pre-shared key:

authby=secret

The secrets file /etc/ipsec.secrets only includes the files under /etc/ipsec.d, so the key goes into its own file there:

[root@VM_0_13_centos ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
[root@VM_0_13_centos ~]# vim /etc/ipsec.d/test-vm.secrets
## <local id> <peer id> : PSK "key"   (0.0.0.0 matches any address)
0.0.0.0  0.0.0.0 : PSK "1234567890"

For the test we used 1234567890 as the key for every connection. Do not keep that beyond the test: the 0.0.0.0 0.0.0.0 entry hands the same secret to any peer that connects, and a short key can be recovered by an offline dictionary attack by anyone who gets the gateway to complete an IKE exchange with them. Bind the entry to the two IDs used by the connection (192.191.91.71 192.226.50.61 : PSK "..."), use a long random value, keep the file mode 0600, and put the same entry on both ends.

8. Configure the IPsec connection

8.1 Main configuration

[root@VM_0_13_centos ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/

config setup
	# Normally, pluto logs via syslog.
	logfile=/var/log/pluto.log
	#
	# Do not enable debug options to debug configuration issues!
	#
	# plutodebug="control parsing"
	# plutodebug="all crypt"
	plutodebug=none
	#
	# NAT-TRAVERSAL support
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their wireless networks.
	# This range has never been announced via BGP (at least up to 2015)
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf

The main file does two things for us: it includes every /etc/ipsec.d/*.conf, and its virtual_private list names the private ranges a NAT'd peer is allowed to present (the comment about BGP only explains why 25/8 is on that list). We also set logfile=/var/log/pluto.log so that debugging output is easy to follow.

8.2 Connection configuration

On the Chongqing host (public 192.191.91.71, private 172.30.0.15):

vim /etc/ipsec.d/test-vm.conf

conn test-vm-test
    ### phase 1 ###
    # authenticate with a pre-shared key
    authby=secret
    # IKE proposal: 3DES with SHA1 (legacy; see the note below)
    ike=3des-sha1
    # key exchange protocol; IKEv1 and IKEv2 are both allowed
    keyexchange=ike
    ### phase 2 ###
    phase2=esp
    phase2alg=3des-sha1
    # no IPComp compression
    compress=no
    # perfect forward secrecy for the child SA (fresh DH exchange on rekey)
    pfs=yes
    # start: load and initiate when pluto starts; add: load only and wait for the peer
    auto=start
    # tunnel mode for site-to-site; transport mode would only protect host-to-host traffic
    type=tunnel
    left=172.30.0.15
    leftsubnet=172.30.0.0/24
    leftid=192.191.91.71
    leftnexthop=%defaultroute
    right=192.226.50.61
    rightsubnet=172.19.0.0/24
    rightid=192.226.50.61
    rightnexthop=%defaultroute

A note on the algorithms: ike=3des-sha1 and phase2alg=3des-sha1 are what this setup negotiated, and the log in section 9 shows the result was an IKEv2 SA with 3DES-CBC, HMAC-SHA1 and MODP2048. 3DES and SHA1 are legacy choices; libreswan on this kernel supports AES (including AES-GCM), SHA2 and the ECP groups (see the list printed by ipsec auto --status in 9.1), and both ends are under our control, so there is no reason not to use them.

Libreswan does not use the terms "source" and "destination". Instead it calls the two endpoints "left" and "right". Most administrators use "left" for the local host and "right" for the remote one, but because pluto works out by itself which side is local, the same configuration can in most cases be used unchanged on both endpoints.

In our case that symmetry breaks: the hosts sit in a VPC behind static NAT, so the public address is not configured on any interface. pluto orients a connection by finding which of left/right is an address of the local machine, which means the local side must be written as the private interface address (or %defaultroute), while the matching leftid/rightid carries the public address so that the identity presented in IKE is the one the peer expects. left and right are the endpoint addresses; leftid and rightid are the identities.

[root@VM_0_15_centos ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:47:0b:03 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.15/20 brd 172.30.15.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0

Write the peer's configuration accordingly. On the Hong Kong host (public 192.226.50.61, private 172.19.0.13) the local side is "right", so right carries the private address and rightid the public one:

vim /etc/ipsec.d/test-vm.conf

conn test-vm-test
    ### phase 1 ###
    # authenticate with a pre-shared key
    authby=secret
    # IKE proposal: 3DES with SHA1
    ike=3des-sha1
    # key exchange protocol; IKEv1 and IKEv2 are both allowed
    keyexchange=ike
    ### phase 2 ###
    phase2=esp
    phase2alg=3des-sha1
    # no IPComp compression
    compress=no
    # perfect forward secrecy for the child SA
    pfs=yes
    # start: load and initiate when pluto starts; add: load only and wait for the peer
    auto=start
    # tunnel mode
    type=tunnel
    left=192.191.91.71
    leftsubnet=172.30.0.0/24
    leftid=192.191.91.71
    leftnexthop=%defaultroute
    right=172.19.0.13
    rightsubnet=172.19.0.0/24
    rightid=192.226.50.61
    rightnexthop=%defaultroute
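As an added example (not part of the original article), the script below automates sections 7 and 8.2 the way I would want them done on both gateways: it generates a random pre-shared key, writes a secrets entry bound to the two identities rather than 0.0.0.0, renders each side's conn file from one set of variables, and checks that the two rendered files mirror each other, which is the mistake most often made when one side's file is pasted onto the other. Unlike the article's Hong Kong file, the renderer always puts the local host on "left"; both layouts work because pluto orients by which address is local. The algorithm strings (IKEv2 only, AES-256 with SHA2-256 and the DH19 ECP group for IKE, AES-GCM-256 for ESP) and the DPD settings are my choices, not the article's 3des-sha1; the peer must support them, and pluto logs a parse error when a conn with an unknown algorithm is loaded. File names under /etc/ipsec.d are assumptions.

```shell
#!/bin/sh
# Added example: PSK generation, scoped secrets entry and per-side conn
# rendering for the two-gateway setup. Not from the original article.

# 48 random bytes as base64 (64 characters). Never reuse a test key.
ipsec_new_psk() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# One secrets line bound to both IDs; "0.0.0.0 0.0.0.0" would match any peer.
# Arguments: local id, peer id, key.
ipsec_secret_line() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Render a conn for one side.
# Arguments: name local_ip local_id local_subnet remote_ip remote_id remote_subnet
# local_ip is the address actually on an interface (the private one behind
# 1:1 NAT); local_id is the public address the peer will see in IKE.
ipsec_render_conn() {
    name=$1; lip=$2; lid=$3; lnet=$4; rip=$5; rid=$6; rnet=$7
    cat <<EOF
conn $name
    ikev2=insist
    authby=secret
    ike=aes256-sha2_256;dh19
    esp=aes_gcm256
    pfs=yes
    type=tunnel
    auto=start
    dpddelay=10
    dpdtimeout=60
    dpdaction=restart
    left=$lip
    leftid=$lid
    leftsubnet=$lnet
    leftnexthop=%defaultroute
    right=$rip
    rightid=$rid
    rightsubnet=$rnet
    rightnexthop=%defaultroute
EOF
}

# Value of key $1 in rendered conn text $2.
conn_get() {
    printf '%s\n' "$2" | awk -v k="$1" -F= \
        '{ key = $1; sub(/^[ \t]+/, "", key) } key == k { print $2 }'
}

# Return 0 when side A's left* values equal side B's right* values and vice
# versa; otherwise print the first mismatch and return 1.
ipsec_conns_mirror() {
    a=$1; b=$2
    for pair in leftid:rightid leftsubnet:rightsubnet rightid:leftid rightsubnet:leftsubnet; do
        ka=${pair%%:*}; kb=${pair##*:}
        va=$(conn_get "$ka" "$a"); vb=$(conn_get "$kb" "$b")
        if [ "$va" != "$vb" ]; then
            printf 'mismatch: %s=%s on A but %s=%s on B\n' "$ka" "$va" "$kb" "$vb"
            return 1
        fi
    done
    return 0
}

# The article's two gateways: private interface address as the local
# endpoint, public address as the identity.
CQ_CONN=$(ipsec_render_conn test-vm-test 172.30.0.15 192.191.91.71 172.30.0.0/24 \
                            192.226.50.61 192.226.50.61 172.19.0.0/24)
HK_CONN=$(ipsec_render_conn test-vm-test 172.19.0.13 192.226.50.61 172.19.0.0/24 \
                            192.191.91.71 192.191.91.71 172.30.0.0/24)
PSK=$(ipsec_new_psk)

# On the Chongqing gateway (assumed file names; the Hong Kong side is the
# same with HK_CONN and the two IDs in the secrets line swapped):
#   printf '%s\n' "$CQ_CONN" > /etc/ipsec.d/test-vm.conf
#   umask 077
#   ipsec_secret_line 192.191.91.71 192.226.50.61 "$PSK" > /etc/ipsec.d/test-vm.secrets
#   ipsec auto --rereadsecrets && ipsec auto --add test-vm-test && ipsec auto --up test-vm-test
ipsec_conns_mirror "$CQ_CONN" "$HK_CONN" && echo "both sides mirror each other"
```

The same key must of course be transferred to the second gateway over a channel that is already authenticated (an existing SSH session, not e-mail); the check only catches configuration drift, not a bad key.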

9. Restart both ends and bring up the tunnel

# restart the service on both ends and follow the log
[root@VM_0_15_centos ~]# systemctl restart ipsec && tailf /var/log/pluto.log
Mar 24 11:13:31.653094:   RFC 2104: MD5_HMAC test 2
Mar 24 11:13:31.653253:   RFC 2104: MD5_HMAC test 3
Mar 24 11:13:31.653454: 1 CPU cores online
Mar 24 11:13:31.653463: starting up 1 crypto helpers
Mar 24 11:13:31.653508: started thread for crypto helper 0
Mar 24 11:13:31.653523: Using Linux XFRM/NETKEY IPsec kernel support code on 3.10.0-514.21.1.el7.x86_64
Mar 24 11:13:31.653842: selinux support is NOT enabled.
Mar 24 11:13:31.653857: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Mar 24 11:13:31.653861: watchdog: sending probes every 100 secs
Mar 24 11:13:31.658117: added connection description "test-vm-test"
Mar 24 11:13:31.663092: listening for IKE messages
Mar 24 11:13:31.663151: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
Mar 24 11:13:31.663164: adding interface tun0/tun0 (esp-hw-offload not supported by kernel) 10.8.0.1:500
Mar 24 11:13:31.663179: adding interface tun0/tun0 10.8.0.1:4500
Mar 24 11:13:31.663193: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 172.30.0.15:500
Mar 24 11:13:31.663206: adding interface eth0/eth0 172.30.0.15:4500
Mar 24 11:13:31.663220: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Mar 24 11:13:31.663233: adding interface lo/lo 127.0.0.1:4500
Mar 24 11:13:31.664646: loading secrets from "/etc/ipsec.secrets"
Mar 24 11:13:31.664699: loading secrets from "/etc/ipsec.d/test-vm.secrets"
Mar 24 11:13:31.665433: "test-vm-test" #1: initiating IKEv2 IKE SA
Mar 24 11:13:31.665462: "test-vm-test": local IKE proposals (IKE SA initiator selecting KE):
Mar 24 11:13:31.665475: "test-vm-test":   1:IKE=3DES-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Mar 24 11:13:31.666747: "test-vm-test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Mar 24 11:13:31.698633: "test-vm-test": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
Mar 24 11:13:31.698669: "test-vm-test":   1:ESP=3DES-HMAC_SHA1_96-NONE-DISABLED
Mar 24 11:13:31.698718: "test-vm-test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Mar 24 11:13:31.752437: "test-vm-test" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.226.50.61'
Mar 24 11:13:31.752554: "test-vm-test" #2: Authenticated using authby=secret
Mar 24 11:13:31.795116: "test-vm-test" #2: negotiated connection [172.30.0.0-172.30.0.255:0-65535 0] -> [172.19.0.0-172.19.0.255:0-65535 0]
Mar 24 11:13:31.795155: "test-vm-test"  #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xead78a70 <0x677c8223 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.226.50.61:4500 DPD=passive}

The line "IPsec SA established tunnel mode" means the tunnel is up. The log also records what was negotiated: IKEv2, 3DES_CBC_192 with HMAC_SHA1 and MODP2048 for the IKE SA, 3DES_CBC-HMAC_SHA1_96 for ESP, and NATD=192.226.50.61:4500, i.e. NAT was detected and ESP is being encapsulated in UDP 4500.

9.1 Check tunnel status

ipsec auto --status

[root@VM_0_15_centos ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.30.0.15:4500
000 interface eth0/eth0 172.30.0.15:500
000 interface tun0/tun0 10.8.0.1:4500
000 interface tun0/tun0 10.8.0.1:500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.31, pluto_vendorid=OE-Libreswan-3.31, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "test-vm-test": 172.30.0.0/24===172.30.0.15<172.30.0.15>[192.191.91.71]---172.30.0.1...192.226.50.61<192.226.50.61>===172.19.0.0/24; erouted; eroute owner: #2
000 "test-vm-test":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test-vm-test":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "test-vm-test":   our auth:secret, their auth:secret
000 "test-vm-test":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "test-vm-test":   policy_label:unset;
000 "test-vm-test":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "test-vm-test":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "test-vm-test":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "test-vm-test":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "test-vm-test":   v2-auth-hash-policy: none;
000 "test-vm-test":   conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test-vm-test":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "test-vm-test":   our idtype: ID_IPV4_ADDR; our id=192.191.91.71; their idtype: ID_IPV4_ADDR; their id=192.226.50.61
000 "test-vm-test":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "test-vm-test":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "test-vm-test":   IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "test-vm-test":   IKEv2 algorithm newest: 3DES_CBC_192-HMAC_SHA1-MODP2048
000 "test-vm-test":   ESP algorithms: 3DES_CBC-HMAC_SHA1_96
000 "test-vm-test":   ESP algorithm newest: 3DES_CBC_192-HMAC_SHA1_96; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(1), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "test-vm-test":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 2444s; newest ISAKMP; idle;
000 #2: "test-vm-test":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 27885s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "test-vm-test" esp.ead78a70@192.226.50.61 esp.677c8223@172.30.0.15 tun.0@192.226.50.61 tun.0@172.30.0.15 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #3: "test-vm-test":500 STATE_PARENT_R1 (received v2I1, sent v2R1); EVENT_SO_DISCARD in 37s; idle;
000
000 Bare Shunt list:
000
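Two things in that status output are worth reading closely: the "#2" line carries the ESP SPIs (the first esp.xxx@peer entry is the SPI we send with, the second the one we accept) and the Traffic counters, and the "#3" entry is a half-open IKE SA in STATE_PARENT_R1 that exists because both ends have auto=start and initiated at the same moment; it is discarded after the timer shown. As an added example (not part of the original article), the check below turns this output into something a cron job or monitoring agent can evaluate: it counts established IPsec SAs for a conn, extracts the SPIs, and flags legacy algorithms (3DES, MD5, SHA1, MODP1024/1536) in what was actually negotiated. The sample text is assembled from the status lines shown above.

```shell
#!/bin/sh
# Added example: health check over `ipsec auto --status` output.
# Not from the original article. Functions take the conn name and the
# status text as arguments so they can be fed a live dump or a saved one.

# Number of IPsec (child) SAs in state "IPsec SA established" for conn $1.
ipsec_established_count() {
    printf '%s\n' "$2" | grep -c "\"$1\".*(IPsec SA established)" || true
}

# Outbound/inbound ESP SPIs for conn $1, taken from the line
#   #N: "conn" esp.<spi>@<peer> esp.<spi>@<us> ...
# The first entry is the SPI we send to the peer, the second the one we accept.
ipsec_spis() {
    printf '%s\n' "$2" | awk -v c="\"$1\"" '
        $3 == c && $4 ~ /^esp\./ {
            split($4, o, /[.@]/); split($5, i, /[.@]/)
            printf "out=0x%s in=0x%s\n", o[2], i[2]; exit
        }'
}

# Print the "algorithm newest:" lines for conn $1 that contain legacy
# primitives. 3DES and SHA1 are what the article negotiated; MODP1024 and
# MODP1536 are too small for a modern IKE SA.
ipsec_weak_algs() {
    printf '%s\n' "$2" | grep "\"$1\":.*algorithm newest:" \
        | grep -E '3DES|MD5|SHA1|MODP1024|MODP1536' || true
}

# Exit status: 0 healthy, 1 no IPsec SA, 2 established but with weak algorithms.
ipsec_health() {
    n=$(ipsec_established_count "$1" "$2")
    if [ "$n" -eq 0 ]; then
        printf '%s: no IPsec SA established\n' "$1"
        return 1
    fi
    printf '%s: %s IPsec SA(s) established, %s\n' "$1" "$n" "$(ipsec_spis "$1" "$2")"
    weak=$(ipsec_weak_algs "$1" "$2")
    if [ -n "$weak" ]; then
        printf 'weak algorithms negotiated:\n%s\n' "$weak"
        return 2
    fi
    return 0
}

# Sample built from the status lines shown in section 9.1.
SAMPLE_STATUS='000 "test-vm-test":   IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "test-vm-test":   IKEv2 algorithm newest: 3DES_CBC_192-HMAC_SHA1-MODP2048
000 "test-vm-test":   ESP algorithms: 3DES_CBC-HMAC_SHA1_96
000 "test-vm-test":   ESP algorithm newest: 3DES_CBC_192-HMAC_SHA1_96; pfsgroup=<Phase1>
000 #1: "test-vm-test":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 2444s; newest ISAKMP; idle;
000 #2: "test-vm-test":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 27885s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "test-vm-test" esp.ead78a70@192.226.50.61 esp.677c8223@172.30.0.15 tun.0@192.226.50.61 tun.0@172.30.0.15 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #3: "test-vm-test":500 STATE_PARENT_R1 (received v2I1, sent v2R1); EVENT_SO_DISCARD in 37s; idle;'

# Live use on a gateway:  ipsec_health test-vm-test "$(ipsec auto --status)"
ipsec_health test-vm-test "$SAMPLE_STATUS" || echo "exit status $?"
```

Against the sample the check reports one established SA with out=0xead78a70 in=0x677c8223 and exits with status 2 because both the IKE and the ESP "newest" lines contain 3DES and SHA1; after moving to AES/SHA2 the same call exits 0, which is the state to alert on leaving.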

10. Test connectivity

Ping the far end's private address from each side.

[root@VM_0_15_centos ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:47:0b:03 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.15/20 brd 172.30.15.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
[root@VM_0_15_centos ~]# ip route
default via 172.30.0.1 dev eth0
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
169.254.0.0/16 dev eth0  scope link  metric 1002
172.30.0.0/20 dev eth0  proto kernel  scope link  src 172.30.0.15
[root@VM_0_15_centos ~]# ping 172.19.0.13
PING 172.19.0.13 (172.19.0.13) 56(84) bytes of data.
64 bytes from 172.19.0.13: icmp_seq=1 ttl=64 time=40.2 ms
^C
---
[root@VM_0_13_centos ipsec.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:16:68:89 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.13/20 brd 172.19.15.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe16:6889/64 scope link
       valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
[root@VM_0_13_centos ipsec.d]# ping 172.30.0.15
PING 172.30.0.15 (172.30.0.15) 56(84) bytes of data.
64 bytes from 172.30.0.15: icmp_seq=1 ttl=64 time=40.1 ms
^C
[root@VM_0_13_centos ipsec.d]# ip route
default via 172.19.0.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
172.19.0.0/20 dev eth0 proto kernel scope link src 172.19.0.13

The two private addresses now reach each other. Note that the routing table shows no entry for the remote subnet: with the NETKEY/XFRM stack the tunnel is expressed as kernel security policies, not routes. Packets for 172.19.0.0/24 follow the default route and are encrypted on the way out because they match the policy; ip xfrm policy and ip xfrm state show those entries. (The ip_vti0 interface comes from the ip_vti kernel module and stays DOWN unless a VTI is configured; it is not used here.)

The ping only proves gateway-to-gateway reachability. For other hosts in the two subnets to use the tunnel, they (or the VPC route table) must route the remote /24 via the gateway, and the cloud security groups must allow that forwarded traffic.

11. Pitfalls

  • Pre-shared keys that do not match on both ends.
  • Hosts behind static NAT (VPC): write the local side as the private interface address and the remote side as its public address (see section 8.2).
  • ike=3des-sha1 with a DH group of dh24 added: the tunnel never comes up. dh24 is not in the list of supported DH groups that ipsec auto --status prints in 9.1 (MODP1536 to MODP8192, DH19, DH20, DH21, DH31), so the proposal cannot be satisfied; use modp2048 or one of the ECP groups (dh19, dh20, dh21) instead.

12. Troubleshooting

12.1 tcpdump

The filter has to be written with "or": the three conditions are mutually exclusive, so "esp and udp port 500 and udp port 4500" can never match a packet. When NAT-T is in use (as here) the ESP packets travel inside UDP 4500, so "udp port 4500" is what shows the data traffic; the bare "esp" match only sees ESP without NAT.

tcpdump -n -i <interface> 'esp or udp port 500 or udp port 4500'

Example output for a tunnel without NAT (addresses differ from this setup). On a NETKEY gateway tcpdump sees both the ESP packet and the plaintext inner packet, because XFRM encrypts and decrypts on the same interface:

00:32:32.632165 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:32.632592 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 7, length 64
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:33.632731 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 8, length 64
00:32:34.632183 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1c), length 132
00:32:34.632607 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1c), length 132
00:32:34.632607 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 9, length 64
00:32:35.632233 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1d), length 132
00:32:35.632685 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1d), length 132
00:32:35.632685 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 10, length 64
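The ESP sequence numbers in that capture are the quickest way to tell a lossy path from a broken tunnel. As an added example (not part of the original article), the awk pass below tracks the sequence number per SPI over tcpdump output, whether the ESP is native or NA-T encapsulated (tcpdump prints the latter as "UDP-encap: ESP(...)"), and reports gaps (packets lost or filtered between the gateways), repeats and backward jumps (what the receiver's anti-replay window silently drops, which is what makes a tunnel look "up but not passing traffic"). The first five sample lines are the ones shown above; the last two are constructed to contain a gap and a replayed sequence number.

```shell
#!/bin/sh
# Added example: per-SPI ESP sequence-number check over tcpdump output.
# Not from the original article. Reads tcpdump lines on stdin.
esp_seq_check() {
    awk '
        # Match both "ESP(spi=...,seq=...)" and "UDP-encap: ESP(spi=...,seq=...)".
        match($0, /ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^ESP\(spi=/, "", s)
            sub(/\)$/, "", s)
            split(s, f, ",seq=")
            spi = f[1]
            seq = hex2dec(f[2])
            if (spi in last) {
                if (seq > last[spi] + 1)
                    printf "gap     %s: %d -> %d (%d missing)\n", spi, last[spi], seq, seq - last[spi] - 1
                else if (seq <= last[spi])
                    printf "replay  %s: %d after %d\n", spi, seq, last[spi]
            }
            # Track the highest sequence seen, as the anti-replay window does.
            if (!(spi in last) || seq > last[spi]) last[spi] = seq
            count[spi]++
        }
        END { for (k in count) printf "spi %s: %d packets\n", k, count[k] }
        # Portable hex parser: mawk has no strtonum().
        function hex2dec(h,    i, d) {
            h = tolower(h); sub(/^0x/, "", h); d = 0
            for (i = 1; i <= length(h); i++)
                d = d * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return d
        }
    '
}

# Constructed sample: the capture from the article (first five lines), then a
# jump from seq 0x1c to 0x1f, then 0x1f again arriving inside UDP 4500.
SAMPLE_TCPDUMP='00:32:32.632165 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:34.632183 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1c), length 132
00:32:35.632233 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1f), length 132
00:32:36.632233 IP 192.1.2.45.4500 > 192.1.2.23.4500: UDP-encap: ESP(spi=0x63ad7e17,seq=0x1f), length 132'

# Live use:  tcpdump -l -n -i eth0 'esp or udp port 4500' | esp_seq_check
# or over a saved capture:  tcpdump -n -r tunnel.pcap | esp_seq_check
printf '%s\n' "$SAMPLE_TCPDUMP" | esp_seq_check
```

For the sample this prints a gap of two packets on SPI 0x63ad7e17 (28 to 31), a replay of sequence 31 on the same SPI, and the per-SPI packet counts. A gap that grows on one SPI only points at the path in that direction (or at a firewall on one side) rather than at IKE; steady replays with no gaps usually mean the capture point sees the same packet twice, for example a mirrored port.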

12.2 Logs

# tailf /var/log/pluto.log
Mar 24 11:13:31.665433: "test-vm-test" #1: initiating IKEv2 IKE SA
Mar 24 11:13:31.665462: "test-vm-test": local IKE proposals (IKE SA initiator selecting KE):
Mar 24 11:13:31.665475: "test-vm-test":   1:IKE=3DES-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Mar 24 11:13:31.666747: "test-vm-test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Mar 24 11:13:31.698633: "test-vm-test": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
Mar 24 11:13:31.698669: "test-vm-test":   1:ESP=3DES-HMAC_SHA1_96-NONE-DISABLED
Mar 24 11:13:31.698718: "test-vm-test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Mar 24 11:13:31.752437: "test-vm-test" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.226.50.61'
Mar 24 11:13:31.752554: "test-vm-test" #2: Authenticated using authby=secret
Mar 24 11:13:31.795116: "test-vm-test" #2: negotiated connection [172.30.0.0-172.30.0.255:0-65535 0] -> [172.19.0.0-172.19.0.255:0-65535 0]
Mar 24 11:13:31.795155: "test-vm-test"  #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xead78a70 <0x677c8223 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.226.50.61:4500 DPD=passive}

12.3 Status

ipsec auto --status

12.4 Bringing a connection up by hand

ipsec auto --up <connection name>

If the peer rejects the proposal or the PSK, the reason is logged by the side that is responding, so when --up stalls on one end, read the pluto log on the other.

