Strongswan to strongswan ikev1 site to site vti: Difference between revisions
Revision as of 4 April 2025, 15:19
IPsec VTI with StrongSwan and swanctl on Debian
Scenario
| Setting | deb113 | deb114 |
|---|---|---|
| WAN IP | 192.168.6.113 | 192.168.6.114 |
| Tunnel IP | 169.254.100.1 | 169.254.100.2 |
| Internal network | 172.16.113.0/24 | 172.16.114.0/24 |
| PSK (shared) | 123Start$ | |
Install packages
- apt install strongswan-swanctl strongswan-charon
Enable IP forwarding
- echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
- sysctl -p
Create the VTI setup script
File: /usr/local/sbin/setup-vti.sh (different on each side)
deb113
#!/bin/bash
# VTI device keyed with 10; local/remote are the WAN addresses of deb113/deb114
ip link add vti10 type vti local 192.168.6.113 remote 192.168.6.114 key 10
ip addr add 169.254.100.1/30 dev vti10
ip link set vti10 up
# route the peer's internal network through the tunnel interface
ip route add 172.16.114.0/24 dev vti10
deb114
#!/bin/bash
# VTI device keyed with 10; local/remote are the WAN addresses of deb114/deb113
ip link add vti10 type vti local 192.168.6.114 remote 192.168.6.113 key 10
ip addr add 169.254.100.2/30 dev vti10
ip link set vti10 up
# route the peer's internal network through the tunnel interface
ip route add 172.16.113.0/24 dev vti10
- chmod +x /usr/local/sbin/setup-vti.sh
Systemd unit for the VTI
File: /etc/systemd/system/ipsec-vti10.service (identical on both hosts)
[Unit]
Description=VTI interface for IPsec (vti10)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/setup-vti.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
- systemctl daemon-reexec
- systemctl enable ipsec-vti10.service
- systemctl start ipsec-vti10.service
strongswan.conf
File: /etc/strongswan.d/strongswan.conf
charon {
install_routes = no
install_virtual_ip = no
}
swanctl.conf
File: /etc/swanctl/swanctl.conf
deb113
connections {
it113-it114 {
local_addrs = 192.168.6.113
remote_addrs = 192.168.6.114
local {
id = 192.168.6.113
}
remote {
id = 192.168.6.114
}
children {
vti-child {
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
esp_proposals = aes256-sha256-modp4096
policies = no
updown = /usr/lib/ipsec/_updown_vti
}
}
}
}
secrets {
ike-1 {
id-1 = 192.168.6.113
id-2 = 192.168.6.114
secret = "123Start$"
}
}
/etc/strongswan.d/charon.conf
charon {
install_routes = no
install_virtual_ip = no
}
deb114
connections {
it114-it113 {
local_addrs = 192.168.6.114
remote_addrs = 192.168.6.113
local {
id = 192.168.6.114
}
remote {
id = 192.168.6.113
}
children {
vti-child {
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
esp_proposals = aes256-sha256-modp4096
policies = no
updown = /usr/lib/ipsec/_updown_vti
}
}
}
}
secrets {
ike-1 {
id-1 = 192.168.6.114
id-2 = 192.168.6.113
secret = "123Start$"
}
}
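The two swanctl.conf files above are mirror images of each other. The following script is an added example, not part of the wiki page: it renders both peers' swanctl.conf from one set of values, and checks that the "key" of the vti device in setup-vti.sh equals the child's mark_in/mark_out. Those two mark settings are an assumption not shown in the page's config, added because a VTI created with key 10 only matches SAs marked 10.

```shell
# Added example, not the page's own config: render both peers' swanctl.conf
# from one set of values so mirrored fields cannot drift. Assumption, not shown
# on the page: a VTI with "key 10" only matches SAs marked 10 (mark_in/mark_out).
KEY=10
PSK='123Start$'

# render_swanctl CONN_NAME LOCAL_WAN REMOTE_WAN  (deb113: it113-it114 .113 .114)
render_swanctl() {
    cat <<EOF
connections {
    $1 {
        local_addrs = $2
        remote_addrs = $3
        local {
            id = $2
        }
        remote {
            id = $3
        }
        children {
            vti-child {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256-modp4096
                mark_in = $KEY
                mark_out = $KEY
                policies = no
                updown = /usr/lib/ipsec/_updown_vti
            }
        }
    }
}
secrets {
    ike-1 {
        id-1 = $2
        id-2 = $3
        secret = "$PSK"
    }
}
EOF
}

# key_matches_mark VTI_SCRIPT_TEXT SWANCTL_TEXT: 0 iff the device's "key N"
# equals the child's mark_in and mark_out (mismatch: SAs up, no traffic on vti10).
key_matches_mark() {
    k=$(printf '%s\n' "$1" | sed -n 's/.*type vti .* key \([0-9]*\).*/\1/p')
    mi=$(printf '%s\n' "$2" | sed -n 's/^ *mark_in = \([0-9]*\)$/\1/p')
    mo=$(printf '%s\n' "$2" | sed -n 's/^ *mark_out = \([0-9]*\)$/\1/p')
    [ -n "$k" ] && [ "$k" = "$mi" ] && [ "$k" = "$mo" ]
}
```

Run `render_swanctl it113-it114 192.168.6.113 192.168.6.114` on deb113 and `render_swanctl it114-it113 192.168.6.114 192.168.6.113` on deb114, then feed the generated file and setup-vti.sh to `key_matches_mark` before loading.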
Start and verification
- systemctl enable strongswan-swanctl
- systemctl start strongswan-swanctl
- swanctl --load-all
- swanctl --initiate --child vti-child
Check the connection
- ip a → vti10 must have an IP address
- ping 172.16.114.1 → from deb113
- swanctl --list-sas → shows the active security associations
Firewall note
UDP ports 500 and 4500 must be open on both sides.
Note
The VTI interfaces are set up automatically via systemd. The StrongSwan service then handles tunnel operation. Routing is done manually via the VTI.