Building a site-to-site VPN with pfSense and strongSwan

  • Site_A: pfSense
  • Site_B: strongSwan 5.7.1
  • PSK, IKEv2
  • Goal: connect the VPS to the DMZ network at home

On pfSense, strongSwan's configuration files are /var/etc/ipsec/ipsec.conf and /var/etc/ipsec/ipsec.secrets.

The pfSense side is configured as shown in the screenshot (image not reproduced in this text).

The VPS has only a public IP and no private address, but the tunnel needs to connect the home DMZ to a private network on the VPS side. So an additional virtual interface 'eth0:0' is configured on the VPS's eth0 with the address 10.0.0.254/24:

# Configure eth0:0 (CentOS/RHEL style network-scripts)
cat > /etc/sysconfig/network-scripts/ifcfg-eth0:0 <<'EOF'
DEVICE=eth0:0
ONBOOT=yes
BOOTPROTO=none
IPADDR=10.0.0.254
PREFIX=24
EOF

# Bring the interface up and verify the address
ifup eth0:0
ip a

Configure iptables to accept IKE on UDP port 500. If either peer is behind NAT, IKEv2 switches to UDP port 4500 (NAT-T), which must then be allowed as well; without NAT, ESP (IP protocol 50) must also be accepted for the tunnel traffic itself:

iptables -I INPUT -p udp -m udp --dport 500 -j ACCEPT

Configure /etc/ipsec.secrets. Its format is:

[left peer] [right peer] : PSK "your_psk"

Configure /etc/ipsec.conf:

config setup
    uniqueids = never

conn %default
    # IKE SA and CHILD SA lifetimes. The original listed ikelifetime twice
    # (1h, then 8h) and set both keylife (20m) and its synonym lifetime (3h);
    # only one of each is kept here.
    ikelifetime = 8h
    lifetime = 3h
    rekeymargin = 10m
    keyingtries = 3
    keyexchange = ikev2
    # Dead peer detection: probe every 30s and re-establish the tunnel if the peer stops answering
    dpdaction = restart
    dpddelay = 30s

conn to-lab
    # left = this host (the VPS), right = the pfSense box at home
    left = bwg.xx.net
    leftid = fqdn:bwg.xx.net
    leftsubnet = 10.0.0.0/24
    right = lab.xx.net
    rightid = fqdn:lab.xx.net
    rightsubnet = 172.17.200.0/24
    # auto = route installs the IPsec policies at startup and brings the tunnel up on demand
    auto = route
    ike = aes256-sha256-modp2048!
    esp = aes256gcm128-sha256-modp2048!
    type = tunnel
    leftauth = psk
    rightauth = psk

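The duplicated settings in the %default section above are easy to miss by eye. The following lint script is an added example, not part of the original page or of strongSwan: it parses ipsec.conf-style sections, folds the legacy synonym keylife into lifetime, and reports every key assigned more than once, assuming that a later assignment overrides an earlier one. The embedded configuration is a constructed sample reproducing the original %default section.

```python
# Constructed sample: the %default section as originally written on this page,
# including the duplicated ikelifetime and the keylife/lifetime pair.
SAMPLE_CONF = """\
config setup
    uniqueids = never

conn %default
    ikelifetime = 1h
    keylife = 20m
    rekeymargin = 10m
    keyexchange = ikev2
    ikelifetime = 8h
    lifetime = 3h

conn to-lab
    leftsubnet = 10.0.0.0/24
    rightsubnet = 172.17.200.0/24
    auto = route
"""

# Legacy spelling that strongSwan's ipsec.conf treats as the same setting.
ALIASES = {"keylife": "lifetime"}


def parse_sections(text):
    """Return [(section_name, [(key, value), ...]), ...] in file order."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # 'config setup' or 'conn NAME'
            kind, _, name = line.strip().partition(" ")
            current = (f"{kind} {name}".strip(), [])
            sections.append(current)
        elif current is not None and "=" in line:  # indented 'key = value'
            key, _, value = line.partition("=")
            current[1].append((key.strip(), value.strip()))
    return sections


def find_duplicates(text):
    """Return {section: {key: [values in file order]}} for keys set more than once."""
    report = {}
    for name, pairs in parse_sections(text):
        seen = {}
        for key, value in pairs:
            seen.setdefault(ALIASES.get(key, key), []).append(value)
        dups = {k: v for k, v in seen.items() if len(v) > 1}
        if dups:
            report[name] = dups
    return report


if __name__ == "__main__":
    for section, dups in find_duplicates(SAMPLE_CONF).items():
        for key, values in dups.items():
            # Assumption: the last assignment is the one that takes effect.
            print(f"{section}: '{key}' set {len(values)} times {values}; effective value {values[-1]!r}")
```

Run it against a real /etc/ipsec.conf by reading the file into `find_duplicates` instead of the sample string.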
Restart strongSwan and check the IPsec status (statusall shows the IKE SA, the negotiated algorithms and the installed CHILD SA for to-lab):

ipsec restart
ipsec statusall
  • Last modified: 2019/04/16 18:31