Setting up a site-to-site VPN with pfSense and strongSwan
- Site_A: pfSense
- Site_B: strongSwan 5.7.1
- PSK, IKEv2
- Goal: connect the VPS to the DMZ segment at home
1. pfSense side
On pfSense, the strongSwan configuration files are /var/etc/ipsec/ipsec.conf and /var/etc/ipsec/ipsec.secrets.
2. strongSwan side
The VPS only has a public IP and no private IP, but the home DMZ's private network has to be reachable from the VPS, so an extra virtual interface 'eth0:0' with the address 10.0.0.254/24 is configured on top of the VPS's eth0:

```bash
# Configure eth0:0
cat > /etc/sysconfig/network-scripts/ifcfg-eth0:0 <<'EOF'
DEVICE=eth0:0
ONBOOT=yes
BOOTPROTO=none
IPADDR=10.0.0.254
PREFIX=24
EOF
# Bring the interface up and verify
ifup eth0:0
ip a
```
Configure iptables:

```bash
iptables -I INPUT -p udp -m udp --dport 500 -j ACCEPT
```
Configure /etc/ipsec.secrets; its format is:

```
[left peer] [right peer] : PSK "your_psk"
```
Configure /etc/ipsec.conf:

```
config setup
    uniqueids = never

conn %default
    ikelifetime = 1h
    keylife = 20m
    rekeymargin = 10m
    keyingtries = 3
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 30s
    ikelifetime = 8h
    lifetime = 3h

conn to-lab
    left = bwg.xx.net
    leftid = fqdn:bwg.xx.net
    leftsubnet = 10.0.0.0/24
    right = lab.xx.net
    rightid = fqdn:lab.xx.net
    rightsubnet = 172.17.200.0/24
    auto = route
    ike = aes256-sha256-modp2048!
    esp = aes256gcm128-sha256-modp2048!
    type = tunnel
    leftauth = psk
    rightauth = psk
```
Restart strongSwan and check its status:

```bash
ipsec restart
ipsec statusall
```
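Before loading a tunnel definition like the one above, it is worth linting it for the mistakes that are easy to miss in a hand-written ipsec.conf. The following checker is an added example, not part of this page or of strongSwan: it parses the ipsec.conf layout used above (config/conn sections with `key = value` lines), merges `conn %default` into each connection and reports duplicate keys in a section (the `conn %default` above sets `ikelifetime` twice), IKE/ESP proposals that are not strict (no trailing `!`) or contain weak algorithms, IKEv1, PSK auth without an explicit identity, and overlapping left/right subnets. The two configurations it runs over are constructed: the first mirrors the page's config, the second is a deliberately poor one to exercise the warnings.

```python
"""Lint a strongSwan ipsec.conf site-to-site definition (added example, not strongSwan code)."""
import ipaddress
import re

# Algorithm tokens that should not appear in a modern IKEv2 site-to-site proposal.
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}

# Constructed sample: the page's configuration, reproduced for the checker.
SAMPLE_CONF = """
config setup
    uniqueids = never

conn %default
    ikelifetime = 1h
    keylife = 20m
    rekeymargin = 10m
    keyingtries = 3
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 30s
    ikelifetime = 8h
    lifetime = 3h

conn to-lab
    left = bwg.xx.net
    leftid = fqdn:bwg.xx.net
    leftsubnet = 10.0.0.0/24
    right = lab.xx.net
    rightid = fqdn:lab.xx.net
    rightsubnet = 172.17.200.0/24
    auto = route
    ike = aes256-sha256-modp2048!
    esp = aes256gcm128-sha256-modp2048!
    type = tunnel
    leftauth = psk
    rightauth = psk
"""

# Constructed sample with several things a reviewer should catch.
WEAK_CONF = """
conn legacy
    keyexchange = ikev1
    left = 192.0.2.1
    right = 198.51.100.1
    leftsubnet = 10.0.0.0/24
    rightsubnet = 10.0.0.0/25
    leftauth = psk
    rightauth = psk
    ike = aes128-sha1-modp1024
    esp = 3des-md5
"""


def parse_ipsec_conf(text):
    """Return ({'conn NAME' or 'config setup': {key: value}}, [findings]).

    Section headers are 'config NAME' / 'conn NAME' at column 0; parameters are
    indented 'key = value' lines; '#' starts a comment.
    """
    sections, findings, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            findings.append(f"unparsed line: {line.strip()!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in sections[current]:
            findings.append(f"{current}: '{key}' set twice ({sections[current][key]!r} and {value!r})")
        sections[current][key] = value
    return sections, findings


def check_proposal(conn_name, key, value):
    """Flag non-strict proposals and weak algorithm tokens in an ike= or esp= value."""
    out = []
    if not value.endswith("!"):
        out.append(f"{conn_name}: {key} proposal is not strict (no trailing '!')")
    for proposal in value.rstrip("!").split(","):
        weak = sorted(set(proposal.split("-")) & WEAK_TOKENS)
        if weak:
            out.append(f"{conn_name}: {key} proposal {proposal!r} uses weak algorithm(s): {', '.join(weak)}")
    return out


def check_conf(text):
    """Return a list of findings for every conn (except %default); empty means nothing flagged."""
    sections, findings = parse_ipsec_conf(text)
    default = sections.get("conn %default", {})
    for name, params in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        conn = {**default, **params}  # explicit conn settings override %default
        if conn.get("keyexchange") != "ikev2":
            findings.append(f"{name}: keyexchange is {conn.get('keyexchange', 'unset')!r}, expected ikev2")
        for key in ("ike", "esp"):
            if key in conn:
                findings.extend(check_proposal(name, key, conn[key]))
            else:
                findings.append(f"{name}: no explicit {key} proposal, strongSwan defaults will be used")
        for side in ("left", "right"):
            if conn.get(f"{side}auth") == "psk" and f"{side}id" not in conn:
                findings.append(f"{name}: {side}auth=psk without {side}id")
        try:
            lnet = ipaddress.ip_network(conn["leftsubnet"])
            rnet = ipaddress.ip_network(conn["rightsubnet"])
            if lnet.overlaps(rnet):
                findings.append(f"{name}: leftsubnet {lnet} overlaps rightsubnet {rnet}")
        except KeyError as exc:
            findings.append(f"{name}: missing {exc.args[0]} for a tunnel")
        except ValueError as exc:
            findings.append(f"{name}: bad subnet: {exc}")
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", SAMPLE_CONF), ("weak config", WEAK_CONF)):
        print(f"== {label} ==")
        for finding in check_conf(conf) or ["no findings"]:
            print(" -", finding)
```

The checker only looks at the tunnel definition, not at the host; with the single INPUT rule shown above only IKE on UDP 500 is admitted, so rules for ESP (IP protocol 50) and for UDP 4500 are still needed once a peer sits behind NAT.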
- homelab/pfsense/pfsense_strongswan_site-to-site_ipsec.txt
- Last modified: 2019/04/16 18:31
- (external edit)