Learn-it-in-one-look series: Aliyun VPN and strongSwan site-to-site (s2s) interconnection configuration

Source: original to this site | Category: Linux

This one is guaranteed to work.

Aliyun VPN gateway and strongSwan site-to-site interconnection configuration

IPsec connection parameters on the Aliyun side, written from the strongSwan (peer) end's point of view: Local is the strongSwan VM, Remote is the Aliyun VPN gateway. Placeholders: PEER_* is the strongSwan side, ALIYUN_* is the Aliyun side. LocalId is the VM's private IP rather than its public IP because the VM sits behind NAT (see the troubleshooting note at the end).

{
  "LocalSubnet": "PEER_SUBNET/24",
  "RemoteSubnet": "ALIYUN_SUBNET/24",
  "IpsecConfig": {
    "IpsecPfs": "group2",
    "IpsecEncAlg": "aes",
    "IpsecAuthAlg": "sha1",
    "IpsecLifetime": 86400
  },
  "Local": "PEER_PUBLIC_IP",
  "Remote": "ALIYUN_PUBLIC_IP",
  "IkeConfig": {
    "IkeAuthAlg": "sha1",
    "LocalId": "PEER_VM_PRIVATE_IP",
    "IkeEncAlg": "aes256",
    "IkeVersion": "ikev1",
    "IkeMode": "aggressive",
    "IkeLifetime": 86400,
    "RemoteId": "ALIYUN_PUBLIC_IP",
    "Psk": "g24J$%#$",
    "IkePfs": "group2"
  }
}

ipsec.conf on the strongSwan side (the matching PSK goes into ipsec.secrets, which the original post does not show). IKEv1 aggressive mode with a PSK is what the Aliyun profile above offers; it exposes the PSK to offline cracking, so use a long random PSK and prefer IKEv2 or main mode where the gateway allows it.

config setup
     uniqueids=no
conn %default
     authby=psk
     type=tunnel
conn tomyidc
     keyexchange=ikev1
     left=PEER_VM_PRIVATE_IP
     leftsubnet=PEER_SUBNET/24
     leftid=PEER_VM_PRIVATE_IP
     right=ALIYUN_PUBLIC_IP
     rightsubnet=ALIYUN_SUBNET/24
     rightid=ALIYUN_PUBLIC_IP
     auto=route
     ike=aes256-sha1-modp1024
     ikelifetime=86400s
     esp=aes-sha1-modp1024
     lifetime=86400s
     type=tunnel
     aggressive=yes
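The Aliyun JSON and the ipsec.conf above are the same parameters in two dialects, and the post never shows the ipsec.secrets file that authby=psk requires. The following is an added example, not Aliyun's or strongSwan's own tooling: it maps the JSON fields to ipsec.conf options (group2 to modp1024, bare aes to aes128, IkeMode to aggressive=yes), emits the PSK line for ipsec.secrets, and flags the settings a reviewer would push back on. The sample JSON, its addresses and its PSK are constructed placeholders, and treating an IpsecPfs value of "disabled" as "no PFS" is an assumption about Aliyun's field values.

```python
"""Turn the Aliyun VPN connection JSON (written from the strongSwan side,
as in the article) into strongSwan ipsec.conf / ipsec.secrets text.

Added example for this article, not Aliyun's or strongSwan's own tooling.
SAMPLE_JSON, its addresses and its PSK are constructed placeholders.
"""
import ipaddress
import json

# Aliyun names a Diffie-Hellman group "groupN"; strongSwan names it by modulus size.
DH_GROUPS = {"group1": "modp768", "group2": "modp1024",
             "group5": "modp1536", "group14": "modp2048"}
# Aliyun's bare "aes" is AES-128, which strongSwan spells "aes128".
ENC_ALGS = {"aes": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des"}

SAMPLE_JSON = """{
  "LocalSubnet": "192.168.10.0/24",
  "RemoteSubnet": "172.16.0.0/24",
  "IpsecConfig": {"IpsecPfs": "group2", "IpsecEncAlg": "aes",
                  "IpsecAuthAlg": "sha1", "IpsecLifetime": 86400},
  "Local": "203.0.113.10",
  "Remote": "198.51.100.1",
  "IkeConfig": {"IkeAuthAlg": "sha1", "LocalId": "10.0.0.5",
                "IkeEncAlg": "aes256", "IkeVersion": "ikev1",
                "IkeMode": "aggressive", "IkeLifetime": 86400,
                "RemoteId": "198.51.100.1", "Psk": "example-psk-change-me",
                "IkePfs": "group2"}
}"""


def parse_config(text):
    return json.loads(text)


def proposal(enc, auth, dh_group):
    """Build a strongSwan proposal such as aes256-sha1-modp1024."""
    parts = [ENC_ALGS[enc], auth]
    if dh_group != "disabled":  # "disabled" = no PFS on the Aliyun side (assumption)
        parts.append(DH_GROUPS[dh_group])
    return "-".join(parts)


def identity(value):
    """strongSwan tries to resolve a non-IP leftid/rightid unless it starts with @."""
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        return "@" + value


def render_ipsec_conf(cfg, conn_name, left_addr):
    """Render the conn section. left_addr must be an address configured on the
    VM's own interface: behind NAT that is the private IP, not cfg["Local"]
    (putting the public IP there is the article's "Invalid argument" failure)."""
    ike, ipsec = cfg["IkeConfig"], cfg["IpsecConfig"]
    opts = [
        ("keyexchange", ike["IkeVersion"]),
        ("left", left_addr),
        ("leftid", identity(ike["LocalId"])),
        ("leftsubnet", cfg["LocalSubnet"]),
        ("right", cfg["Remote"]),
        ("rightid", identity(ike["RemoteId"])),
        ("rightsubnet", cfg["RemoteSubnet"]),
        ("ike", proposal(ike["IkeEncAlg"], ike["IkeAuthAlg"], ike["IkePfs"])),
        ("ikelifetime", f"{ike['IkeLifetime']}s"),
        ("esp", proposal(ipsec["IpsecEncAlg"], ipsec["IpsecAuthAlg"], ipsec["IpsecPfs"])),
        ("lifetime", f"{ipsec['IpsecLifetime']}s"),
        ("authby", "psk"),
        ("type", "tunnel"),
        ("auto", "route"),
    ]
    if ike["IkeVersion"] == "ikev1" and ike["IkeMode"] == "aggressive":
        opts.append(("aggressive", "yes"))
    body = "\n".join(f"     {k}={v}" for k, v in opts)
    return f"conn {conn_name}\n{body}\n"


def render_ipsec_secrets(cfg):
    """The ipsec.secrets line that authby=psk needs (the article leaves it out)."""
    ike = cfg["IkeConfig"]
    return f'{identity(ike["LocalId"])} {identity(ike["RemoteId"])} : PSK "{ike["Psk"]}"\n'


def weak_settings(cfg):
    """Parameters in this profile that a reviewer should push back on."""
    ike, ipsec = cfg["IkeConfig"], cfg["IpsecConfig"]
    findings = []
    if ike["IkeVersion"] == "ikev1" and ike["IkeMode"] == "aggressive":
        findings.append("IKEv1 aggressive mode with PSK: the responder's hash goes out "
                        "unencrypted, so the PSK can be brute-forced offline")
    if "group2" in (ike["IkePfs"], ipsec["IpsecPfs"]):
        findings.append("modp1024 (group2) DH; use group14 (modp2048) or stronger")
    if "sha1" in (ike["IkeAuthAlg"], ipsec["IpsecAuthAlg"]):
        findings.append("sha1 integrity; prefer sha256")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_JSON)
    print(render_ipsec_conf(cfg, "tomyidc", "10.0.0.5"))
    print(render_ipsec_secrets(cfg), end="")
    for finding in weak_settings(cfg):
        print("WARNING:", finding)
```

left= is taken from a separate argument rather than from Local on purpose: the VM behind NAT has to bind its own private address, while leftid= still carries the LocalId that the Aliyun side expects to see in the IKE identity payload.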

 

Output of ipsec statusall after the tunnel came up:

Listening IP addresses:
  PEER_VM_PRIVATE_IP
Connections:
     tomyidc:  PEER_VM_PRIVATE_IP...ALIYUN_PUBLIC_IP  IKEv1 Aggressive
     tomyidc:   local:  [PEER_VM_PRIVATE_IP] uses pre-shared key authentication
     tomyidc:   remote: [ALIYUN_PUBLIC_IP] uses pre-shared key authentication
     tomyidc:   child:  PEER_SUBNET/24 === ALIYUN_SUBNET/24 TUNNEL
Routed Connections:
     tomyidc{1}:  ROUTED, TUNNEL, reqid 1
     tomyidc{1}:   PEER_SUBNET/24 === ALIYUN_SUBNET/24
Security Associations (1 up, 0 connecting):
     tomyidc[1]: ESTABLISHED 4 minutes ago, PEER_VM_PRIVATE_IP[PEER_VM_PRIVATE_IP]...ALIYUN_PUBLIC_IP[ALIYUN_PUBLIC_IP]
     tomyidc[1]: IKEv1 SPIs: 13f2e09ad624bad8_i* af1d8f540aef12d3_r, pre-shared key reauthentication in 23 hours
     tomyidc[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     tomyidc{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce59cad4_i c0ed3fcf_o
     tomyidc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 4272 bytes_o (60 pkts, 200s ago), rekeying in 23 hours
     tomyidc{2}:   PEER_SUBNET/24 === ALIYUN_SUBNET/24

For comparison, the reference output of strongSwan's own IKEv1 net2net-psk test case:

https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/moon.statusall

Problem encountered along the way

"Error writing to socket: Invalid argument".

Cause: left= (and leftid=) must be the VM's own private IP, not its public IP. strongSwan sends IKE from the address configured as left=, and a NATed public IP is not present on any interface of the VM, so the send fails with EINVAL ("Invalid argument").

Article from: CCIE那點事 http://www.qdxgqk.live/ , all rights reserved. Unless a source is noted, articles on this site are the author's own; they may be quoted with attribution, but full reprints are prohibited.
Permalink: http://www.qdxgqk.live/?p=4061