方案1、H3C MER路由器固定IP,Centos 动态或者固定外网IP
(适用于 VPS 有固定公网 IP 但网卡配置的是内网 IP、由云平台把公网 IP 映射(NAT)到内网 IP 的场景;VPS 网卡直接配置公网固定 IP 时同样适用。本方案使用 IKEv1 野蛮模式(aggressive mode)+ 预共享密钥,不要求对端固定 IP,对端为动态 ADSL、内网或公网 IP 均可,适用范围更广。安全提示:野蛮模式会把双方身份明文发送,并且任何能完成第一轮交换的主机都能拿到由 PSK 派生的哈希做离线猜解,因此 PSK 必须足够长且随机;两端都有固定公网 IP 时应优先采用方案 2 的主模式。)
方案2,H3C MER路由器固定IP,Centos 固定外网IP
(要求 VPS 网卡直接配置公网 IP,中间没有 NAT 地址映射;否则 IKE 协商会出现问题,日志中可见类似下面的报错:
Cannot installed tunnel - IKE_SA checkout not successful https://wiki.strongswan.org/issues/2758
checkout IKEv1 SA by message with SPIs IKE_SA checkout not successful https://wiki.strongswan.org/issues/2758
error writing to socket: Invalid argument https://wiki.strongswan.org/issues/1530
的报错 )
方案1 配置
linux centos
安装 strongSwan 5.7.2
[root@C20250214142342]# vi /etc/sysctl.conf
#配置转发,默认是0,必须配置
net.ipv4.ip_forward = 1
#关闭重定向,防止恶意用户可以使用IP重定向来修改远程主机中的路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
[root@C20250214142342]sysctl -p
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbrplus
fs.file-max = 1000000
fs.inotify.max_user_instances = 8192
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_rmem = 16384 262144 8388608
net.ipv4.tcp_wmem = 32768 524288 16777216
net.core.somaxconn = 8192
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.wmem_default = 2097152
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_max_syn_backlog = 10240
net.core.netdev_max_backlog = 10240
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
[root@C20250214142342 strongswan]# vi /etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# Plan 1: VPS may be NATed or dynamic, H3C has a fixed public IP;
# IKEv1 aggressive mode with a pre-shared key.
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn swan
authby = psk
keyexchange=ikev1
# %any: bring the IKE_SA up from whatever address the VPS/NAT presents;
# the peer is then identified by leftid/rightid, not by IP.
left=%any
# FQDN identities are what the H3C profile matches ("vps.vpn.com"), which
# is what lets aggressive mode + PSK work without a fixed VPS address.
leftid=vps.vpn.com
leftsubnet=10.5.0.0/16
# placeholder: the router's fixed public IP
right=H3C固定外网IP地址
rightid=h3c.vpn.com
rightsubnet=192.168.6.0/24
# start: this side initiates. Required here because the router uses an IPsec
# policy template, which only responds.
auto=start
# SECURITY: modp1024 (DH group 2) is below current recommendations; prefer
# modp2048 (group 14) if the H3C firmware offers it — change both sides
# together (ike proposal "dh group2" on the router).
ike=aes128-sha256-modp1024
# No DH group on the ESP line, i.e. no PFS is proposed from this side, while
# the router transform-set has "pfs dh-group2". Verify the negotiation
# tolerates that, or add modp1024 here / drop pfs on the router so they agree.
esp=aes128-sha256
# 24h IKE_SA lifetime; shorten it if the PSK is not high-entropy.
ikelifetime=86400
# SECURITY: aggressive mode sends identities in clear and lets any host that
# completes the first exchange obtain a PSK-derived hash for offline
# cracking. Only acceptable with a long random PSK; plan 2 (main mode) is
# preferable when both ends have fixed IPs. Also needs the
# i_dont_care_about_security_and_use_aggressive_mode_psk flag in strongswan.conf.
aggressive=yes
---
[root@C20250214142342 strongswan]# vi ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
# Wildcard entry (nothing before ':'): this PSK is offered to every IKEv1
# peer. "12345678" is a placeholder — replace it with a long random secret
# (e.g. 32+ bytes from /dev/urandom, base64-encoded) and use the same value
# in the router keychain. With aggressive mode the PSK-derived hash is
# exposed to offline guessing, so a short key is cracked trivially.
# Keep this file root:root mode 0600.
: PSK "12345678"
---
开启详细日志,方便 debug / troubleshooting。注意:日志级别 4 会把密钥等敏感信息写入 /var/log/charon.log,排障结束后应调回 2(或 3),并限制日志文件只允许 root 读取。
[root@C20250214142342 strongswan]# vi strongswan.conf
charon {
load_modular = yes
# SECURITY: only needed because ipsec.conf sets aggressive=yes; the option
# name is strongSwan's own warning that aggressive mode + PSK leaks a
# crackable hash. Remove it together with aggressive=yes once main mode
# is possible.
i_dont_care_about_security_and_use_aggressive_mode_psk = yes
duplicheck{
enable = no
}
# NOTE(review): "compress" is not a charon option I can point to; IPComp is
# normally enabled per conn with compress=yes in ipsec.conf — verify whether
# this line has any effect here.
compress = yes
# duplicate of the load_modular line above; harmless
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
filelog {
charon {
path = /var/log/charon.log
# add a timestamp prefix
time_format = %b %e %T
# prepend connection name, simplifies grepping
ike_name = yes
# overwrite existing files
append = no
# SECURITY: loglevel 4 writes sensitive material (key material, secrets)
# to the log. Use 2, or 3 for detailed troubleshooting, restrict
# /var/log/charon.log to root, and lower the level again afterwards.
default = 4
# flush each line to disk
flush_line = yes
}
stderr {
# more detailed loglevel for a specific subsystem, overriding the
# default loglevel.
ike = 2
knl = 3
}
}
# duplicate of the compress line above
compress = yes
}
include strongswan.d/*.conf
-------------------------------------
H3C 路由器侧使用 IPsec 策略模板(policy-template):不需要预先知道对端的公网 IP,内网网段对也由对端发起协商时决定。注意策略模板只能作为响应方,隧道必须由 strongSwan 一侧发起(对应 ipsec.conf 中的 auto=start)。
# Plan 1 router side: an IPsec policy template, so the router never needs the
# VPS's public address. A template only responds; strongSwan initiates.
ipsec transform-set swan
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha256
# PFS with DH group 2 (1024-bit). The strongSwan esp= line carries no DH
# group; make the two sides agree (see ipsec.conf) and prefer group 14 if the
# firmware supports it.
pfs dh-group2
#
ipsec policy-template swan
transform-set swan
description swan
ike-profile swan
# 3600 s; strongSwan's default CHILD_SA lifetime is 1h, which ipsec.conf does
# not override — confirm if that default is ever changed.
sa duration time-based 3600
sa duration traffic-based 1843200
#
ipsec policy swan 1000 isakmp template swan 10
ike profile swan
keychain swan
# Router-side dead peer detection. strongSwan answers DPD without extra
# config, but it will not probe itself unless dpdaction/dpddelay are set.
dpd interval 30 on-demand
# SECURITY: aggressive mode exposes a PSK-derived hash to anyone who starts an
# exchange, and with the 0.0.0.0 matches below that is any Internet host.
# Acceptable only with a long random PSK.
exchange-mode aggressive
local-identity fqdn h3c.vpn.com
# Any source address (the VPS may be NATed or dynamic), but the peer's
# identity must be vps.vpn.com.
match remote identity address 0.0.0.0 0.0.0.0
match remote identity fqdn vps.vpn.com
proposal 10
#
ike proposal 10
encryption-algorithm aes-cbc-128
# Mirrors ike=aes128-sha256-modp1024 on the strongSwan side.
dh group2
authentication-algorithm sha256
ike keychain swan
# Same PSK as ipsec.secrets; 12345678 is a placeholder, use a long random
# secret. "simple" means the key is entered in clear text — check how this
# Comware version stores and displays it and prefer the cipher form where
# it is offered.
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 12345678
# G0/0 is the fixed public-IP interface; apply the IPsec policy here.
interface GigabitEthernet0/0
ipsec apply policy swan
# Keeps traffic matched by the IPsec policy out of interface NAT so the inner
# addresses are not rewritten — confirm the exact semantics for this platform.
ipsec no-nat-process enable
方案2配置
# Plan 2: both ends have fixed public IPs and no NAT, so IKEv1 main mode
# (no aggressive=yes) — identities and the PSK hash travel encrypted.
conn swan
authby = psk
# NOTE(review): this conn defaults to main mode, but the router's plan 2 ike
# profile still says "exchange-mode aggressive". Make both sides use the same
# mode (main is preferred here) or router-initiated attempts may fail — verify.
keyexchange=ikev1
# placeholder: the VPS's fixed public IP
left=vps网卡外网固定IP
leftid=vps.vpn.com
leftsubnet=10.5.0.0/16
# placeholder: the router's fixed public IP
right=h3c路由器外网固定IP
rightid=h3c.vpn.com
rightsubnet=192.168.6.0/24
# route: install a trap policy and negotiate on the first matching packet.
# Either side can initiate in this plan since both addresses are fixed.
auto=route
# SECURITY: modp1024 (group 2) is weak by current standards; move both sides
# to modp2048 (group 14) if the router supports it.
ike = aes128-sha256-modp1024
# No PFS group proposed; the plan 2 transform-set on the router has no pfs
# line either, so the two sides are consistent.
esp = aes128-sha256
ikelifetime=86400
[root@C20250214142342 strongswan]# vi ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
# Main mode + PSK: the key has to be selected by peer address before the
# identities are exchanged, so the selector is the two public IPs
# (ip1 = VPS, ip2 = H3C), not the FQDN identities. Replace 12345678 with a
# long random secret (same value as the router keychain) and keep the file
# root-only (mode 0600).
ip1 ip2 : PSK "12345678"
// ip1为vps的网卡外网固定IP , ip2为h3c外网固定IP地址
日志配置参考方案1
---------------------------------
H3C mer
# Plan 2 router side: a regular (non-template) IPsec policy bound to the ACL
# and the two fixed addresses, so the router can initiate as well.
ipsec policy swan 10 isakmp
transform-set swan
security acl 3402
# placeholders: the router's and the VPS's fixed public IPs
local-address H3C外网固定IP地址
remote-address VPS外网固定IP地址
ike-profile swan
#
ipsec transform-set swan
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha256
# No pfs line, matching esp = aes128-sha256 (no DH group) on strongSwan.
#
# Interesting traffic: 192.168.6.0/24 <-> 10.5.0.0/16, mirroring
# rightsubnet/leftsubnet in ipsec.conf.
acl advanced 3402
rule 0 permit ip source 192.168.6.0 0.0.0.255 destination 10.5.0.0 0.0.255.255
#
ike profile swan
keychain swan
dpd interval 30 on-demand
# NOTE(review): the strongSwan plan 2 conn has no aggressive=yes (main mode).
# With both addresses fixed there is no reason for aggressive mode; switch to
# "exchange-mode main" so both sides agree and the PSK hash is no longer
# sent in clear. Check whether main mode on this platform needs an address
# identity instead of the fqdn below.
exchange-mode aggressive
local-identity fqdn h3c.vpn.com
match remote identity fqdn vps.vpn.com
proposal 10
#
ike proposal 10
encryption-algorithm aes-cbc-128
# Mirrors ike = aes128-sha256-modp1024; prefer group 14 on both sides.
dh group2
authentication-algorithm sha256
#
ike keychain swan
# Keyed to the VPS's exact address (/32 mask) — tighter than the 0.0.0.0
# wildcard of plan 1. 12345678 is a placeholder; use a long random secret.
pre-shared-key address vps外网固定IP地址 255.255.255.255 key simple 12345678
# Public-IP interface: apply the policy and keep IPsec traffic out of NAT.
interface GigabitEthernet0/0
ipsec apply policy swan
ipsec no-nat-process enable