最近の更新
このページへのアクセス
今日: 5 / 昨日: 7
総計: 779
strongswanでIKEv2/IPsec のVPNを接続すると、下記のようにローカル間で通信可能となります。
tokyo[10.10.0.0/16] <---> osaka[172.16.0.0/24]
| location | IP | local |
|---|---|---|
| tokyo | 100.100.0.100 | 10.10.0.0/16 |
| osaka | 200.200.0.200 | 172.16.0.0/24 |
yum install strongswan
iptables -I INPUT -p udp --dport 4500 -j ACCEPT iptables -I INPUT -p udp --dport 500 -j ACCEPT iptables -t nat -A POSTROUTING -j MASQUERADE
firewall-cmd --permanent --zone=public --add-service=ipsec firewall-cmd --permanent --zone=public --add-port=4500/udp firewall-cmd --reload
sysctl -w net.ipv4.ip_forward=1
ipsec.conf
conn %default
type=tunnel
authby=psk
keyingtries=3
keyexchange=ikev2
ike=aes256-sha256-modp2048
esp=aes256-sha256-modp2048
conn osaka
leftid=@tokyo
leftsubnet=10.10.0.0/16
rightid=@osaka
right=200.200.0.200
rightsubnet=172.16.0.0/24
auto=start
ipsec.conf
conn %default
type=tunnel
authby=psk
keyingtries=3
keyexchange=ikev2
ike=aes256-sha256-modp2048
esp=aes256-sha256-modp2048
conn tokyo
leftid=@osaka
leftsubnet=172.16.0.0/24
rightid=@tokyo
right=100.100.0.100
rightsubnet=10.10.0.0/16
auto=add
tokyo
iptables -t nat -I POSTROUTING 1 -s 10.10.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT
osaka
iptables -t nat -I POSTROUTING 1 -s 172.16.0.0/24 -m policy --dir out --pol ipsec -j ACCEPT
tokyo
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT
osaka
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 172.16.0.0/24 -m policy --dir out --pol ipsec -j ACCEPT
[root@vpn-test ~]# strongswan status connecting to 'unix:///var/run/charon.ctl' failed: Connection refused failed to connect to stroke socket 'unix:///var/run/charon.ctl'
# systemctl stop strongswan # rm -rf /var/run/charon.ctl # systemctl start strongswan
