strongSwan with VTI interfaces (route-based IPsec)

From xinux.net

Disable strongSwan's own route installation

By default charon installs a route for every negotiated traffic selector into routing table 220. With a VTI interface the routing is done by hand (see below), so this has to be switched off, otherwise the 0.0.0.0/0 selectors used here would pull all traffic into table 220.

  • vi /etc/strongswan.conf
charon {
        load_modular = yes
        install_routes = no
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

Set up ipsec.conf and ipsec.secrets

The same conn is used on both hosts: strongSwan checks which of the left/right addresses is configured locally and swaps the sides if necessary. The traffic selectors are 0.0.0.0/0 on both ends because the tunnel carries whatever is routed into vti0; what actually goes through the tunnel is decided by the routing table, not by the IPsec policy. The value of mark= must be identical to the key used when creating the VTI interface below, since the mark is what links the SA to the interface.

  • vi /etc/ipsec.conf
conn routed-vpn
    right=10.84.252.44
    left=10.84.252.43
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ike=aes256-sha256-modp2048
    ikelifetime=3600s
    esp=aes256-sha256-modp2048
    keylife=1800s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    mark=100
    auto=start
    keyingtries=%forever
  • vi /etc/ipsec.secrets
10.84.252.43 10.84.252.44  : PSK "suxer"

The PSK above is only a placeholder for the example. In production use a long random secret (e.g. the output of openssl rand -base64 32), keep /etc/ipsec.secrets readable by root only (chmod 600) and use the same value on both hosts.

Set up the VTI interface

The VTI is created between the two outer addresses, with key 100 matching mark=100 in ipsec.conf. Packets routed into vti0 are marked with 100, hit the matching XFRM policy and are encrypted; decrypted packets whose SA carries mark 100 are delivered on vti0. The interface is a point-to-point link, so a plain local address with the peer's address is enough.

Host 1

  • ip tunnel add vti0 local 10.84.252.43 remote 10.84.252.44 mode vti key 100
  • ip link set vti0 up
  • ip addr add 10.2.2.1 peer 10.2.2.2 dev vti0

Host 2

  • ip tunnel add vti0 local 10.84.252.44 remote 10.84.252.43 mode vti key 100
  • ip link set vti0 up
  • ip addr add 10.2.2.2 peer 10.2.2.1 dev vti0

Set rp_filter, policy and xfrm

vti0 has to exist before these settings can be written, so run them after creating the interface. rp_filter is switched off on vti0 because the return path of decrypted packets is not visible to the reverse-path check; disable_policy on vti0 skips the XFRM policy lookup for packets that already came out of the tunnel. On the underlying interface (ens7 here, i.e. the interface carrying 10.84.252.43/44; adjust the name to your system) disable_xfrm and disable_policy stop the kernel from applying the IPsec policy to plain traffic that is sent or received on that interface, so only traffic routed into vti0 is encrypted. The echo commands are not persistent; put the same keys into a file under /etc/sysctl.d/ for reboots. Security note: with 0.0.0.0/0 selectors and rp_filter=0 the peer can send packets with any source address through the tunnel, so filter traffic arriving on vti0 with the firewall rather than relying on the selectors.

  • echo 0 > /proc/sys/net/ipv4/conf/vti0/rp_filter
  • echo 1 > /proc/sys/net/ipv4/conf/vti0/disable_policy
  • echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_xfrm
  • echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_policy

Flush routing table 220

With install_routes = no charon does not write to table 220 any more; the flush removes leftovers from earlier runs so that no stale route still diverts traffic there.

  • ip route flush table 220

Set routes

Each host routes the subnet behind the other host into the tunnel interface (10.83.43.0/24 is behind host 1, 10.83.44.0/24 behind host 2). Because vti0 is a point-to-point link no gateway is needed; a route with dev vti0 is sufficient (the peer's vti address would work as via as well).

Host 1

  • ip route add 10.83.44.0/24 dev vti0

Host 2

  • ip route add 10.83.43.0/24 dev vti0
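
The steps above (VTI creation, sysctls, flushing table 220 and the route) as one script for host 1. This is an added example and not part of the xinux.net page: the variable names, the plan/apply split, the mark consistency check and the embedded copy of the ipsec.conf lines are assumptions made here; the sample conf stands in for reading /etc/ipsec.conf.

```shell
#!/bin/sh
# Added example, not from the xinux.net page: builds one side of the
# route-based IPsec tunnel described above and checks that the VTI key
# matches the mark in ipsec.conf. Variable names, the dry-run/apply split
# and the sample ipsec.conf below are assumptions made for this example.
set -eu

# Host 1 parameters (from the page). For host 2 swap LOCAL/REMOTE and
# VTI_LOCAL/VTI_PEER and set REMOTE_SUBNET=10.83.43.0/24.
# UNDERLAY is assumed to be the interface holding 10.84.252.43.
LOCAL=10.84.252.43
REMOTE=10.84.252.44
VTI_LOCAL=10.2.2.1
VTI_PEER=10.2.2.2
REMOTE_SUBNET=10.83.44.0/24
MARK=100
VTI=vti0
UNDERLAY=ens7

# Constructed copy of the relevant ipsec.conf lines; in practice read /etc/ipsec.conf.
SAMPLE_IPSEC_CONF='conn routed-vpn
    left=10.84.252.43
    right=10.84.252.44
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=100
    auto=start'

# Print the mark= value found on stdin (leading number only, so "100/0xffffffff"
# also yields 100). Empty output means no mark is configured.
conf_mark() {
    sed -n 's/^[[:space:]]*mark=\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Fail unless the mark strongSwan puts on the SAs equals the key of the VTI.
# A mismatch is the classic reason packets enter the tunnel but never come out.
check_mark() {
    m=$(printf '%s\n' "$SAMPLE_IPSEC_CONF" | conf_mark)
    if [ "$m" != "$MARK" ]; then
        echo "mark mismatch: ipsec.conf has '${m:-none}', VTI key is $MARK" >&2
        return 1
    fi
}

# Emit the commands in the order the page runs them. Printing instead of
# executing keeps the plan reviewable; "vti-setup.sh apply" pipes it into sh.
vti_plan() {
    cat <<EOF
ip tunnel add $VTI local $LOCAL remote $REMOTE mode vti key $MARK
ip link set $VTI up
ip addr add $VTI_LOCAL peer $VTI_PEER dev $VTI
sysctl -w net.ipv4.conf.$VTI.rp_filter=0
sysctl -w net.ipv4.conf.$VTI.disable_policy=1
sysctl -w net.ipv4.conf.$UNDERLAY.disable_xfrm=1
sysctl -w net.ipv4.conf.$UNDERLAY.disable_policy=1
ip route flush table 220
ip route add $REMOTE_SUBNET dev $VTI
EOF
}

case "${1:-plan}" in
    plan)  check_mark && vti_plan ;;
    apply) check_mark && vti_plan | sh -e ;;
esac
```

Run it without arguments to review the plan, then as root with apply on the gateway. The sysctl lines only succeed once vti0 exists, which is why they follow the ip tunnel add; ip tunnel add itself is not idempotent, so delete the interface first when re-running.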