OS: debian9.5（Debian 9 已结束安全维护；生产环境请换用仍在维护的版本并及时更新 libreswan）
libreswan 4.6
一、基于ikev1配置
1、服务端配置
配置模式 ikev1
/etc/ipsec.d/server.conf
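conn roadwarriors
	# Road-warrior template for IKEv1 peers authenticated with a pre-shared key.
	# Because right=%any, every client must use the same PSK (the entry in
	# /etc/ipsec.secrets is `%any : PSK "..."`), so any client can impersonate
	# the server to another client. Prefer the certificate setup for more than
	# one or two peers.
	authby=secret
	# Force ESP-in-UDP on 4500 even when no NAT is detected.
	encapsulation=yes
	type=tunnel
	left=10.32.18.192
	leftsubnet=192.168.5.0/24
	right=%any
	# IKEv1 Quick Mode needs the selectors to match the peer exactly, so this
	# must equal the client's leftsubnet (192.168.110.0/24 in client.conf).
	# 0.0.0.0/0 would not match that proposal.
	rightsubnet=192.168.110.0/24
	# rightsubnet=0.0.0.0/0
	# Keep aggressive mode off: with a PSK it sends the identity in the clear
	# and exposes a hash that can be cracked offline.
	# aggrmode=yes
	# A conn with right=%any cannot initiate; load it and wait for peers.
	auto=add
	# IKEv1 only. Recent libreswan documents this as ikev2=no; never/insist
	# are the older aliases (still accepted on 4.x).
	ikev2=never
	# ikev2=insist
	# ike=3des-md5
	# Name the DH group explicitly so the version-dependent default group list
	# does not decide key strength.
	ike=aes256-sha2;modp2048
	ikelifetime=86400
	#
	phase2=esp
	# phase2alg=3des-md5
	phase2alg=aes256-sha2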
2、客户端配置
/etc/ipsec.d/client.conf
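conn to-vpn-server
	# IKEv1 client side of the PSK tunnel. /etc/ipsec.secrets needs a line
	# such as `%any 10.32.18.192 : PSK "..."` with the same secret as the server.
	authby=secret
	# Force ESP-in-UDP on 4500 even when no NAT is detected.
	encapsulation=yes
	type=tunnel
	# Source address is taken from the default route when the conn is loaded.
	left=%defaultroute
	leftsubnet=192.168.110.0/24
	right=10.32.18.192
	rightsubnet=192.168.5.0/24
	# Leave aggressive mode off: IKEv1 aggressive mode with a PSK leaks a
	# crackable hash in the clear.
	# aggrmode=yes
	# The client is the initiator, so start on load.
	auto=start
	#
	# IKEv1 only (ikev2=no in current libreswan spelling).
	ikev2=never
	# ikev2=insist
	# ike=3des-md5
	# Explicit DH group; must be offered by the server as well.
	ike=aes256-sha2;modp2048
	ikelifetime=86400
	#
	phase2=esp
	# phase2alg=3des-md5
	phase2alg=aes256-sha2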
二、基于ikev2配置
1、服务端配置
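conn roadwarriors
	# IKEv2 road-warrior template with a pre-shared key. With right=%any and no
	# rightid, all peers share the one `%any : PSK "..."` secret, so every
	# client can impersonate the server to the others; certificates are the
	# better choice beyond a couple of peers.
	authby=secret
	# encapsulation=yes
	type=tunnel
	left=172.16.0.10
	leftsubnet=192.168.5.1/32
	right=%any
	# Must mirror the client's leftsubnet. If clients may propose a subset,
	# add narrowing=yes so IKEv2 can narrow instead of failing.
	rightsubnet=192.168.110.1/32
	# rightsubnet=0.0.0.0/0
	# A conn with right=%any cannot initiate; auto=add loads it and waits.
	auto=add
	# IKEv2 only (ikev2=yes in current libreswan spelling; insist is the alias).
	ikev2=insist
	# Explicit DH group so the version-dependent default list does not decide
	# key strength.
	ike=aes256-sha2;modp2048
	ikelifetime=86400
	#
	phase2=esp
	phase2alg=aes256-sha2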
2、客户端配置
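conn to-vpn-server
	# IKEv2 client side of the PSK tunnel; the secret in /etc/ipsec.secrets
	# must match the server's %any entry.
	authby=secret
	# encapsulation=yes
	type=tunnel
	left=172.20.0.12
	leftsubnet=192.168.110.1/32
	right=172.16.0.10
	rightsubnet=192.168.5.1/32
	# The client initiates, so start on load.
	auto=start
	#
	# IKEv2 only (ikev2=yes in current libreswan spelling).
	ikev2=insist
	# Explicit DH group; the server must offer the same one.
	ike=aes256-sha2;modp2048
	ikelifetime=86400
	#
	phase2=esp
	phase2alg=aes256-sha2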
3、注意
- leftsubnet 与 rightsubnet 网段要两端对应（一端的 leftsubnet 必须等于另一端的 rightsubnet）。IKEv1 要求精确匹配；IKEv2 若客户端可能提议更小的网段，可在响应端加 narrowing=yes 允许收窄。
三、基于证书配置
服务端配置
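conn totest3
	# Certificate authentication; leftcert is the nickname of the server
	# certificate in the NSS database under /etc/ipsec.d.
	authby=rsasig
	#
	leftcert=vpn.example.com
	leftsendcert=always
	# Legacy spelling kept for compatibility; with leftcert set, libreswan 4
	# should locate the key itself (confirm on your build).
	leftrsasigkey=%cert
	leftid=@vpn.example.com
	#
	# Accept only peers whose certificate chains to the same CA as our own,
	# and pin the single client DN this conn serves. For several clients use
	# one conn per DN, or rightid=%fromcert and let rightca do the gating.
	rightca=%same
	rightrsasigkey=%cert
	rightid="CN=client3.example.com, O=Example"
	#
	encapsulation=yes
	type=tunnel
	#
	left=192.168.31.100
	leftsubnet=192.168.5.1/32
	#
	right=%any
	# Must mirror the client's leftsubnet.
	rightsubnet=192.168.10.1/32
	#
	# A conn with right=%any cannot initiate; auto=add loads it and waits.
	auto=add
	# IKEv2 only (ikev2=yes in current libreswan spelling).
	ikev2=insist
	# Explicit DH group so the version-dependent default list does not decide
	# key strength.
	ike=aes256-sha2;modp2048
	ikelifetime=86400
	#
	phase2=esp
	# AES-GCM is an AEAD cipher, so "null" integrity is correct here; this is
	# not the same as aes-null, which would have no integrity at all.
	phase2alg=aes_gcm128-null
	# fwmark that steers this SA's traffic into the VTI; only meaningful locally.
	mark=20/0xffffffff
	vti-interface=ipsec_vti1
	vti-shared=yes
	vti-routing=yes
	# Aggressive DPD: the peer is declared dead after 5s of silence and the SA
	# is torn down (clear) — the client side is expected to reconnect.
	dpddelay=2
	dpdtimeout=5
	dpdaction=clear
	# 5s total retransmit budget is tight on lossy links; raise it if IKE flaps.
	retransmit-timeout=5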
客户端配置
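conn to-vpn-server2
	# Client certificate nickname in the local NSS database; its DN must be the
	# one the server pins in rightid.
	leftcert=client3.example.com
	leftsendcert=always
	# Legacy spelling kept for compatibility with the server config.
	leftrsasigkey=%cert
	#
	# Only trust a server certificate issued by the same CA as ours.
	rightca=%same
	rightrsasigkey=%cert
	#
	authby=rsasig
	encapsulation=yes
	type=tunnel
	#
	# Source address is taken from the default route when the conn is loaded.
	left=%defaultroute
	right=192.168.31.100
	leftsubnet=192.168.10.1/32
	rightsubnet=192.168.5.1/32
	#
	# Our ID is the DN from the certificate; the server must present
	# vpn.example.com as its ID (also pinned on the server side).
	leftid=%fromcert
	rightid=@vpn.example.com
	#
	# The client initiates, so start on load.
	auto=start
	#
	# IKEv2 only (ikev2=yes in current libreswan spelling).
	ikev2=insist
	# Explicit DH group; the server must offer the same one.
	ike=aes256-sha2;modp2048
	ikelifetime=86400
	#
	phase2=esp
	# AES-GCM is AEAD, so "null" integrity is correct here (unlike aes-null).
	phase2alg=aes_gcm128-null
	#
	# Local fwmark steering this SA into the VTI; need not match the server's.
	mark=20/0xffffffff
	vti-interface=ipsec0
	vti-shared=yes
	vti-routing=yes
	# Aggressive DPD: after 5s of silence the client re-initiates (restart),
	# pairing with dpdaction=clear on the server.
	dpddelay=2
	dpdtimeout=5
	dpdaction=restart
	# 5s total retransmit budget is tight on lossy links; raise it if IKE flaps.
	retransmit-timeout=5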