strongSwan swanctl: IKEv2 site-to-site tunnel with PSK authentication (fw3 ↔ fw4)
fw3 (10.81.1.10): /etc/swanctl/conf.d/s2s.conf
# fw3 side of the IKEv2 site-to-site tunnel to fw4 (10.81.1.11).
# The peer's file (fw4) is the mirror image: addresses, IDs and
# traffic selectors swapped, same proposals, same PSK.
connections {
    net {
        # IKE endpoints: this host and the peer.
        local_addrs = 10.81.1.10
        remote_addrs = 10.81.1.11
        # Both peers authenticate with the shared secret from the
        # `secrets` section below. The IDs are the endpoint addresses
        # and must match the id-* entries of that secret.
        local {
            auth = psk
            id = 10.81.1.10
        }
        remote {
            auth = psk
            id = 10.81.1.11
        }
        children {
            net-1 {
                # Protected subnets: local_ts here is remote_ts on fw4
                # and vice versa.
                local_ts = 192.168.10.0/24
                remote_ts = 192.168.11.0/24
                # NOTE(review): both peers use start_action = start, so
                # both will try to bring the CHILD_SA up; if duplicate
                # SAs show up in --list-sas, consider `trap` on one side.
                start_action = start
                # ESP: AES-256-CBC with HMAC-SHA2-256, plus a DH group
                # (MODP-4096) in the ESP proposal — the log below shows
                # MODP_4096 selected for the CHILD_SA.
                esp_proposals = aes256-sha256-modp4096
            }
        }
        # IKEv2 only (no IKEv1 fallback); IKE_SA proposal matches ESP.
        version = 2
        proposals = aes256-sha256-modp4096
    }
}
secrets {
    # IKE PSK valid for both endpoint IDs; must be identical on fw4.
    # SECURITY: "suxer" is a lab placeholder. With IKEv2 PSK an active
    # attacker posing as a peer can brute-force a short secret offline
    # from the AUTH payload, so a real deployment needs a long random
    # secret. This file holds the secret in clear text: keep it owned
    # by root with mode 0600.
    ike-net {
        id-fw3 = 10.81.1.10
        id-fw4 = 10.81.1.11
        secret = suxer
    }
}
fw4 (10.81.1.11): /etc/swanctl/conf.d/s2s.conf
# fw4 side of the IKEv2 site-to-site tunnel to fw3 (10.81.1.10).
# Mirror image of the fw3 file: addresses, IDs and traffic selectors
# swapped, same proposals, same PSK.
connections {
    net {
        # IKE endpoints: this host and the peer.
        local_addrs = 10.81.1.11
        remote_addrs = 10.81.1.10
        # PSK authentication in both directions; the IDs are the
        # endpoint addresses and must match the id-* entries of the
        # secret below.
        local {
            auth = psk
            id = 10.81.1.11
        }
        remote {
            auth = psk
            id = 10.81.1.10
        }
        children {
            net-1 {
                # Protected subnets, swapped relative to fw3.
                local_ts = 192.168.11.0/24
                remote_ts = 192.168.10.0/24
                # NOTE(review): start_action = start on both peers means
                # both initiate; if duplicate SAs appear, use `trap` on
                # one side.
                start_action = start
                # ESP: AES-256-CBC / HMAC-SHA2-256 with MODP-4096 in the
                # proposal (the log below shows MODP_4096 selected).
                esp_proposals = aes256-sha256-modp4096
            }
        }
        # IKEv2 only; IKE_SA proposal matches ESP.
        version = 2
        proposals = aes256-sha256-modp4096
    }
}
secrets {
    # Same PSK and ID mapping as on fw3.
    # SECURITY: "suxer" is a lab placeholder — an active attacker posing
    # as a peer can brute-force a short PSK offline from the IKEv2 AUTH
    # payload. Use a long random secret in production and keep this
    # file root-owned with mode 0600, since the secret is stored in clear.
    ike-net {
        id-fw3 = 10.81.1.10
        id-fw4 = 10.81.1.11
        secret = suxer
    }
}
(re-)load credentials — secrets only; run this on both peers after changing the `secrets` section
- swanctl -s
loaded ike secret 'ike-net'
- ODER
load credentials, authorities, pools and connections
- swanctl -q
initiate a connection — with `start_action = start` the CHILD_SA should already be brought up when the config is loaded, so this is only needed if it is not established yet. Note that the log below comes from a different run: its traffic selectors (10.82.244.0/24 === 10.82.243.0/24) do not match the 192.168.10.0/24 / 192.168.11.0/24 subnets configured above.
- swanctl --initiate --child net-1
[IKE] establishing CHILD_SA net-1{4}
[ENC] generating CREATE_CHILD_SA request 9 [ SA No KE TSi TSr ]
[NET] sending packet: from 10.81.1.11[4500] to 10.81.1.10[4500] (736 bytes)
[NET] received packet: from 10.81.1.10[4500] to 10.81.1.11[4500] (736 bytes)
[ENC] parsed CREATE_CHILD_SA response 9 [ SA No KE TSi TSr ]
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
[IKE] CHILD_SA net-1{4} established with SPIs c0dc4962_i c4ef14af_o and TS 10.82.244.0/24 === 10.82.243.0/24
initiate completed successfully
list loaded configurations (use `swanctl --list-sas` to verify the established IKE_SA/CHILD_SA and the negotiated algorithms)
- swanctl --list-conn
Mehr Beispiele
https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/