====== 03 Strongswan IKEv2 with PSK ======

strongswanでIKEv2/IPsec のVPNを接続すると、下記のようにローカル間で通信可能となります。

  tokyo[10.10.0.0/16] <---> osaka[172.16.0.0/24]

^location^ IP ^ local ^
|tokyo| 100.100.0.100| 10.10.0.0/16|
|osaka| 200.200.0.200| 172.16.0.0/24|



===== 1.Install =====

  yum install strongswan

===== 2. Portを開ける =====

==== iptables ====

<code>
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
</code>

==== firewalld ====

<code>
firewall-cmd --permanent --zone=public --add-service=ipsec
firewall-cmd --permanent --zone=public --add-port=4500/udp
firewall-cmd --reload
</code>


===== 3.forward =====

  sysctl -w net.ipv4.ip_forward=1


===== 4.ipsec.conf(tokyo) =====

<code|ipsec.conf>
conn %default
    type=tunnel
    authby=psk
    keyingtries=3
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048

conn osaka
    leftid=@tokyo
    leftsubnet=10.10.0.0/16
    rightid=@osaka
    right=200.200.0.200
    rightsubnet=172.16.0.0/24
    auto=start
</code>

===== 5.ipsec.conf(osaka) =====

<code|ipsec.conf>
conn %default
    type=tunnel
    authby=psk
    keyingtries=3
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048

conn tokyo
    leftid=@osaka
    leftsubnet=172.16.0.0/24
    rightid=@tokyo
    right=100.100.0.100
    rightsubnet=10.10.0.0/16
    auto=add
</code>

===== 6.最後にipsecを通るようにnat設定 =====

==== iptables ====

tokyo
  iptables -t nat -I POSTROUTING 1 -s 10.10.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT

osaka
  iptables -t nat -I POSTROUTING 1 -s 172.16.0.0/24 -m policy --dir out --pol ipsec -j ACCEPT



==== firewalld ====

tokyo
  firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT

osaka
  firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 172.16.0.0/24 -m policy --dir out --pol ipsec -j ACCEPT


===== Error =====

==== Error1 ====

<code>
[root@vpn-test ~]# strongswan status
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
</code>

=== 対応 ===

  # systemctl stop strongswan
  # rm -rf /var/run/charon.ctl
  # systemctl start strongswan

{{tag>network strongswan IPsec}}