====== 03 Strongswan IKEv2 with PSK ======
strongswanでIKEv2/IPsecのVPNを接続すると、下記のように両拠点のローカルネットワーク間で通信可能になります。
tokyo[10.10.0.0/16] <---> osaka[172.16.0.0/24]
^location^ IP ^ local ^
|tokyo| 100.100.0.100| 10.10.0.0/16|
|osaka| 200.200.0.200| 172.16.0.0/24|
===== 1.Install =====
# Install strongSwan from the distro repositories (on RHEL/CentOS the package
# is usually provided by EPEL — confirm for your release). That packaging keeps
# its configuration under /etc/strongswan/ (ipsec.conf, ipsec.secrets), which is
# where the files from sections 4 and 5 go.
# NOTE(review): the page never shows where the PSK itself is set. With
# authby=psk it goes in ipsec.secrets, e.g.
# `@tokyo @osaka : PSK "<long random secret>"` (placeholder) — generate it with
# a CSPRNG, keep the file mode 0600, and use the same value on both gateways.
yum install strongswan
===== 2. Portを開ける =====
==== iptables ====
# IKE control traffic: UDP 500 (IKEv2) and UDP 4500 (NAT-T, UDP-encapsulated
# ESP). As written they accept from any source; only the two gateways need to
# talk IKE, so restricting each rule with `-s <peer-public-ip>` (placeholder)
# shrinks the exposed surface.
# NOTE(review): when neither gateway is behind NAT, ESP is carried as IP
# protocol 50 instead of over UDP 4500, so `iptables -I INPUT -p esp -j ACCEPT`
# is needed as well — confirm which case applies to your deployment.
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p udp --dport 500 -j ACCEPT
# Catch-all source NAT for forwarded traffic. It has no -o/-s restriction, so
# it rewrites every outgoing flow, including tunnel-bound packets; section 6
# inserts a policy-match ACCEPT ahead of it (-I POSTROUTING 1) precisely so that
# IPsec-policy traffic keeps its original source address. Rule order matters.
# Scoping this rule to the WAN interface (`-o <wan-if>`, placeholder) and the
# local subnet keeps it from NATing unrelated traffic.
# All three rules are runtime-only; persist them (iptables-save or the distro's
# iptables service) or they are gone after a reboot.
iptables -t nat -A POSTROUTING -j MASQUERADE
==== firewalld ====
# firewalld equivalent of the iptables rules above. The predefined `ipsec`
# service should already cover UDP 500/4500 plus the AH and ESP protocols
# (verify with `firewall-cmd --info-service=ipsec`), so the explicit 4500/udp
# line is presumably redundant but harmless. --permanent only writes the
# configuration; --reload is what applies it to the running firewall.
# Note that no masquerading is enabled here, unlike the iptables variant.
firewall-cmd --permanent --zone=public --add-service=ipsec
firewall-cmd --permanent --zone=public --add-port=4500/udp
firewall-cmd --reload
===== 3.forward =====
# Both gateways route between the two LANs, so IPv4 forwarding must be on.
# `sysctl -w` is not persistent — also put `net.ipv4.ip_forward = 1` in a file
# under /etc/sysctl.d/ (or /etc/sysctl.conf) so it survives a reboot.
# Forwarding is global: consider restricting the FORWARD chain (or firewalld
# zone policy) to traffic between 10.10.0.0/16 and 172.16.0.0/24 so the host
# does not forward arbitrary packets.
sysctl -w net.ipv4.ip_forward=1
===== 4.ipsec.conf(tokyo) =====
# ipsec.conf on tokyo (the initiating side). In ipsec.conf the parameter lines
# of a section must be indented under the `conn` line; the indentation was lost
# in this rendering, restore it when copying.
conn %default
# Settings inherited by every conn below.
type=tunnel
# Pre-shared key authentication; the key itself is not on this page and goes in
# ipsec.secrets, e.g. `@tokyo @osaka : PSK "<long random secret>"` (placeholder).
authby=psk
# NOTE(review): the initiator gives up after 3 failed attempts; for an
# always-on site-to-site link `keyingtries=%forever` is usually wanted — confirm.
keyingtries=3
keyexchange=ikev2
# AES-256 / HMAC-SHA-256 / 2048-bit MODP for IKE; the same DH group in the ESP
# proposal enables PFS on CHILD_SA rekeys.
ike=aes256-sha256-modp2048
esp=aes256-sha256-modp2048
conn osaka
# No `left=` is given, so the local address is presumably taken from the
# default route; on a multi-homed host set left=100.100.0.100 explicitly.
leftid=@tokyo
leftsubnet=10.10.0.0/16
# Identities are the @name strings, not IPs; they must match the peer's
# leftid/rightid exactly and select the PSK entry in ipsec.secrets.
rightid=@osaka
right=200.200.0.200
rightsubnet=172.16.0.0/24
# auto=start: tokyo brings the tunnel up as soon as strongSwan starts.
auto=start
===== 5.ipsec.conf(osaka) =====
# ipsec.conf on osaka (the responding side). Mirror image of the tokyo file:
# left/right sides, subnets and ids are swapped. As with the tokyo file, the
# parameter lines must be indented under the `conn` line in the real file.
conn %default
type=tunnel
# PSK for @osaka/@tokyo must be present in this host's ipsec.secrets too
# (not shown on this page) and must be identical to tokyo's.
authby=psk
keyingtries=3
keyexchange=ikev2
# Proposals must match tokyo's, otherwise IKE_SA_INIT fails with NO_PROPOSAL_CHOSEN.
ike=aes256-sha256-modp2048
esp=aes256-sha256-modp2048
conn tokyo
leftid=@osaka
leftsubnet=172.16.0.0/24
rightid=@tokyo
right=100.100.0.100
rightsubnet=10.10.0.0/16
# auto=add: load the conn and wait for tokyo to initiate; osaka never dials out.
auto=add
===== 6.最後にipsecを通るようにnat設定 =====
==== iptables ====
tokyo
# tokyo: exempt packets that match an outbound IPsec policy from the catch-all
# MASQUERADE added in section 2. Position 1 places it ahead of MASQUERADE,
# which is required — nat rules are matched in order and the first match wins —
# so tunnel-bound traffic keeps its 10.10.0.0/16 source and matches
# rightsubnet on the peer. Runtime-only; persist like the section 2 rules.
iptables -t nat -I POSTROUTING 1 -s 10.10.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT
osaka
# osaka: same policy-match exemption as on tokyo, for the 172.16.0.0/24 side.
# Must stay above the MASQUERADE rule from section 2 (hence position 1) so the
# peer sees the un-NATed source address. Runtime-only; persist accordingly.
iptables -t nat -I POSTROUTING 1 -s 172.16.0.0/24 -m policy --dir out --pol ipsec -j ACCEPT
==== firewalld ====
tokyo
# tokyo, firewalld direct rule: same intent as the iptables version — let
# IPsec-policy traffic bypass source NAT. Priority 0 keeps it ahead of any
# masquerade rule; note the section 2 firewalld steps do not enable
# masquerading, so this only matters once `--add-masquerade` is used.
# Without --permanent a direct rule is runtime-only; repeat it with
# `--permanent` and `--reload` to keep it across reboots.
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT
osaka
# osaka, firewalld direct rule for the 172.16.0.0/24 side: exempt
# IPsec-policy traffic from source NAT ahead of any masquerade rule.
# Runtime-only as written; add a `--permanent` copy and `--reload` to persist.
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 172.16.0.0/24 -m policy --dir out --pol ipsec -j ACCEPT
===== Error =====
==== Error1 ====
[root@vpn-test ~]# strongswan status
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
=== 対応 ===
# systemctl stop strongswan
# rm -rf /var/run/charon.ctl
# systemctl start strongswan
{{tag>network strongswan IPsec}}