strongSwan with VTI interfaces
Revision as of 15 December 2017, 08:03 by Janning (talk | contribs) (page created)
Disable strongSwan route installation
With a VTI the routes into the tunnel are set by hand, so charon must not install its own routes into table 220. Only install_routes = no is a change from the default file; the load_modular and include lines are the stock layout.
- vi /etc/strongswan.conf
    charon {
        load_modular = yes
        install_routes = no
        plugins {
            include strongswan.d/charon/*.conf
        }
    }
    include strongswan.d/*.conf
Set up ipsec.conf and ipsec.secrets
The conn uses 0.0.0.0/0 on both sides, so the IPsec policies match everything and the decision what goes into the tunnel is made by the routing table, not by the SPD. mark=100 must be identical to the key of the VTI created below; that is how packets leaving vti0 are matched to this SA. The same file works on both hosts: strongSwan treats whichever of left/right matches a local address as its own side.
- vi /etc/ipsec.conf
    conn routed-vpn
        right=10.84.252.44
        left=10.84.252.43
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        ike=aes256-sha256-modp2048
        ikelifetime=3600s
        esp=aes256-sha256-modp2048
        keylife=1800s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        mark=100
        auto=start
        keyingtries=%forever
- vi /etc/ipsec.secrets
    10.84.252.43 10.84.252.44 : PSK "suxer"
The PSK shown is only a placeholder: use a long random string (for example the output of openssl rand -base64 32) and keep /etc/ipsec.secrets readable by root only (chmod 600).
Set up the VTI interface
The key given to the VTI must equal the mark= of the conn (100 here). 10.2.2.0/24 is the tunnel-internal point-to-point network; 10.84.252.x are the underlay addresses the ESP packets travel between.
Host 1
- ip tunnel add vti0 local 10.84.252.43 remote 10.84.252.44 mode vti key 100
- ip link set vti0 up
- ip addr add 10.2.2.1/24 remote 10.2.2.2/24 dev vti0
Host 2
- ip tunnel add vti0 local 10.84.252.44 remote 10.84.252.43 mode vti key 100
- ip link set vti0 up
- ip addr add 10.2.2.2/24 remote 10.2.2.1/24 dev vti0
Set rp_filter, policy and xfrm
ens7 is the underlay interface carrying the ESP packets; replace it with the interface that holds the 10.84.252.x address. rp_filter is turned off on vti0 because the decapsulated packets arrive there from networks the kernel would not route back out through vti0 otherwise. disable_policy on vti0 and disable_xfrm/disable_policy on the underlay interface are needed because of the 0.0.0.0/0 policies: without them plaintext traffic on ens7 would be dropped or matched against the tunnel policies again. These settings are not persistent; put them in /etc/sysctl.d/ as well.
- echo 0 > /proc/sys/net/ipv4/conf/vti0/rp_filter
- echo 1 > /proc/sys/net/ipv4/conf/vti0/disable_policy
- echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_xfrm
- echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_policy
Flush routing table 220
Table 220 is the table charon installs its routes into. Flush it once after setting install_routes = no so that no leftover routes from an earlier run capture traffic before the VTI routes do.
- ip route flush table 220
Set routes
Each host routes the network behind the peer into the tunnel interface. On a point-to-point VTI no gateway address is needed (the original page had via the host's own tunnel address here, which is at best confusing); routing the prefix directly over vti0 is the clean form.
Host 1
- ip route add 10.83.44.0/24 dev vti0
Host 2
- ip route add 10.83.43.0/24 dev vti0
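The whole procedure for one side, as an added example (this script is not part of the original page and not strongSwan's own tooling). It is parameterised with the page's Host 1 values as defaults; the names LOCAL, REMOTE, UNDERLAY, VTI, MARK, TUN_LOCAL, TUN_PEER and FAR_NET are assumptions of this script. With DRY_RUN=1 (the default) it only prints the commands, so it can be reviewed without root; DRY_RUN=0 executes them. It also contains the check a practitioner wants before bringing the tunnel up: that the mark= of the conn in ipsec.conf is the same number as the VTI key, which is the most common reason a VTI tunnel negotiates fine but forwards nothing.

```shell
#!/bin/sh
# Added example (not from the original page): bring up ONE side of the
# strongSwan + VTI setup described above. Defaults are the page's Host 1
# values; swap LOCAL/REMOTE, TUN_LOCAL/TUN_PEER and FAR_NET for Host 2.

LOCAL=${LOCAL:-10.84.252.43}        # underlay address of this host
REMOTE=${REMOTE:-10.84.252.44}      # underlay address of the peer
UNDERLAY=${UNDERLAY:-ens7}          # interface carrying the ESP packets
VTI=${VTI:-vti0}
MARK=${MARK:-100}                   # must equal mark= of the conn
TUN_LOCAL=${TUN_LOCAL:-10.2.2.1/24} # tunnel-internal address, this side
TUN_PEER=${TUN_PEER:-10.2.2.2/24}   # tunnel-internal address, far side
FAR_NET=${FAR_NET:-10.83.44.0/24}   # network behind the peer
DRY_RUN=${DRY_RUN:-1}               # 1 = print commands, 0 = run them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print the mark= value of one conn from ipsec.conf text on stdin
# (prints nothing if the conn or its mark= line is missing).
conn_mark() {   # usage: conn_mark CONNNAME < /etc/ipsec.conf
    awk -v name="$1" '
        $1 == "conn"            { hit = ($2 == name); next }
        hit && $1 ~ /^mark=/    { sub(/^mark=/, "", $1); print $1; exit }'
}

# Succeeds only if the conn has a mark= and it equals the VTI key.
check_mark() {  # usage: check_mark CONNNAME KEY < /etc/ipsec.conf
    m=$(conn_mark "$1")
    [ -n "$m" ] && [ "$m" = "$2" ]
}

# Emit (or run) the complete bring-up sequence for this side.
bring_up() {
    # 1. VTI interface keyed to the IPsec mark
    run ip tunnel add "$VTI" local "$LOCAL" remote "$REMOTE" mode vti key "$MARK"
    run ip link set "$VTI" up
    run ip addr add "$TUN_LOCAL" peer "$TUN_PEER" dev "$VTI"
    # 2. sysctls: no rp_filter / policy lookups on the VTI, no xfrm
    #    processing of plaintext traffic on the underlay interface
    run sysctl -w "net.ipv4.conf.$VTI.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$VTI.disable_policy=1"
    run sysctl -w "net.ipv4.conf.$UNDERLAY.disable_xfrm=1"
    run sysctl -w "net.ipv4.conf.$UNDERLAY.disable_policy=1"
    # 3. charon no longer installs routes; drop any leftovers in table 220
    run ip route flush table 220
    # 4. route the far network into the tunnel (point-to-point, no gateway)
    run ip route add "$FAR_NET" dev "$VTI"
}

# Typical use on Host 1, after editing the config files:
#   check_mark routed-vpn "$MARK" < /etc/ipsec.conf || exit 1
#   DRY_RUN=0 bring_up && ipsec start
bring_up
```

Run with DRY_RUN=1 first and compare the printed commands against the steps above; only then run with DRY_RUN=0 and start strongSwan. Because the script checks the mark before touching the network, a mismatched mark/key is caught before a tunnel that negotiates but silently blackholes traffic is created.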