Disable IPsec route installation (strongswan.conf)
With install_routes = no, charon no longer installs routes into table 220 for the negotiated traffic selectors; routing into the tunnel is done by hand through the VTI interface set up below.
charon {
    load_modular = yes
    install_routes = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
Set up ipsec.conf and ipsec.secrets
The traffic selectors are 0.0.0.0/0 on both sides, so the mark alone decides which packets are encrypted: mark=100 must match the key of the VTI interface created below, otherwise the SAs are never associated with vti0. ipsec.conf:
conn routed-vpn
    right=10.84.252.44
    left=10.84.252.43
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ike=aes256-sha256-modp2048
    ikelifetime=3600s
    esp=aes256-sha256-modp2048
    keylife=1800s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    mark=100
    auto=start
    keyingtries=%forever
ipsec.secrets (the PSK here is only an example value; use a long random secret on real hosts):
10.84.252.43 10.84.252.44 : PSK "suxer"
Set up the VTI interface
The key of the VTI interface (100) is the same value as mark=100 in ipsec.conf. The tunnel addresses are point-to-point, so the peer address is given with peer (ip addr does not know a remote keyword).
Host 1
- ip tunnel add vti0 local 10.84.252.43 remote 10.84.252.44 mode vti key 100
- ip link set vti0 up
- ip addr add 10.2.2.1 peer 10.2.2.2 dev vti0
Host 2
- ip tunnel add vti0 local 10.84.252.44 remote 10.84.252.43 mode vti key 100
- ip link set vti0 up
- ip addr add 10.2.2.2 peer 10.2.2.1 dev vti0
Set rp_filter, policy and xfrm sysctls
On both hosts; ens7 is the interface that carries the ESP packets, replace it with the actual underlay interface. rp_filter is switched off on vti0 because the decrypted packets arrive from addresses that are not routed via vti0; disable_policy on vti0 stops the decrypted packets from being checked against the IPsec policies again, and disable_xfrm/disable_policy on the underlay interface keep the catch-all 0.0.0.0/0 policies from being applied to plaintext traffic on that interface.
- echo 0 > /proc/sys/net/ipv4/conf/vti0/rp_filter
- echo 1 > /proc/sys/net/ipv4/conf/vti0/disable_policy
- echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_xfrm
- echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_policy
Flush routing table 220
Routes that charon installed into table 220 earlier (before install_routes = no) take precedence over the main table and would bypass the VTI routes, so empty the table on both hosts:
- ip route flush table 220
Set routes
The routes to the remote subnet point into the tunnel interface; a next hop must not be the host's own tunnel address. If the hosts forward traffic for these subnets, net.ipv4.ip_forward must also be 1.
Host 1
- ip route add 10.83.44.0/24 dev vti0
Host 2
- ip route add 10.83.43.0/24 dev vti0
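The following script is an added example and not part of the original notes: it turns the VTI, sysctl, table-220 and route steps above into one plan that runs on either host (ROLE=1 or ROLE=2), prints the commands for review by default and executes them only with APPLY=1, and checks that the mark in ipsec.conf matches the VTI key and that rekeymargin fits inside keylife. The addresses and subnets are the ones from the notes; the underlay interface name ens7, the script name and the environment variables are assumptions.

```shell
#!/bin/sh
# Added example: one bring-up script for both ends of the route-based VPN
# described above. Not from the original notes; defaults are assumptions.
set -eu

VTI_DEV="${VTI_DEV:-vti0}"
VTI_KEY="${VTI_KEY:-100}"        # must equal mark= in ipsec.conf
UNDERLAY="${UNDERLAY:-ens7}"     # interface carrying the ESP packets (assumed)

# Print the ordered command sequence for host role 1 or 2, one command per line.
vti_plan() {
  role="$1"
  case "$role" in
    1) local_ip=10.84.252.43; remote_ip=10.84.252.44
       tun_local=10.2.2.1;  tun_peer=10.2.2.2;  far_subnet=10.83.44.0/24 ;;
    2) local_ip=10.84.252.44; remote_ip=10.84.252.43
       tun_local=10.2.2.2;  tun_peer=10.2.2.1;  far_subnet=10.83.43.0/24 ;;
    *) echo "vti_plan: role must be 1 or 2" >&2; return 2 ;;
  esac
  cat <<EOF
ip tunnel add $VTI_DEV local $local_ip remote $remote_ip mode vti key $VTI_KEY
ip link set $VTI_DEV up
ip addr add $tun_local peer $tun_peer dev $VTI_DEV
sysctl -w net.ipv4.conf.$VTI_DEV.rp_filter=0
sysctl -w net.ipv4.conf.$VTI_DEV.disable_policy=1
sysctl -w net.ipv4.conf.$UNDERLAY.disable_xfrm=1
sysctl -w net.ipv4.conf.$UNDERLAY.disable_policy=1
ip route flush table 220
ip route add $far_subnet dev $VTI_DEV
EOF
}

# Read the first "name=value" from an ipsec.conf, dropping a trailing "s" unit.
conf_val() {
  sed -n "s/^[[:space:]]*$1=\([^[:space:]#]*\).*/\1/p" "$2" | head -n 1 | sed 's/s$//'
}

# Consistency checks the setup depends on: the mark equals the VTI key (else the
# SAs are never associated with the interface) and rekeymargin is smaller than
# keylife (rekeying must start before the CHILD_SA expires). Returns 1 on failure.
ipsec_conf_check() {
  conf="$1"; key="$2"
  mark=$(conf_val mark "$conf")
  keylife=$(conf_val keylife "$conf")
  margin=$(conf_val rekeymargin "$conf")
  [ -n "$mark" ] && [ "$mark" = "$key" ] || return 1
  [ -n "$keylife" ] && [ -n "$margin" ] && [ "$margin" -lt "$keylife" ] || return 1
  return 0
}

# Print the plan by default; execute it (as root) only when APPLY=1 is set.
if [ "${APPLY:-0}" = 1 ]; then
  [ "${IPSEC_CONF:-}" = "" ] || ipsec_conf_check "$IPSEC_CONF" "$VTI_KEY"
  vti_plan "${ROLE:-1}" | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd
  done
else
  vti_plan "${ROLE:-1}"
fi
```

Run `ROLE=2 sh vti-setup.sh` on host 2 to see the plan, and `APPLY=1 ROLE=2 IPSEC_CONF=/etc/ipsec.conf sh vti-setup.sh` to apply it after the config check; the VTI key and underlay interface can be overridden with VTI_KEY and UNDERLAY.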