Environment: Debian 8.1 AMD64, strongSwan 5.3.3, Cisco 1841 (c1841-adventerprisek9-mz.151-4.M10.bin)

Debian is running with a public Internet IP address, and the Cisco 1841 is running PPPoE and gets a dynamic public IP address from its ISP.

I originally wanted to use IKEv2, but unfortunately the 1841's firmware does not support IKEv2.

Remote ISP ----strongswan-----------1841------------Local ISP
                                     |
                                     |
                                 Local LAN

1. Download and build the latest strongSwan (version 5.3.3 is used below)
Download page: https://download.strongswan.org/

root@debian:/usr/src# wget https://download.strongswan.org/strongswan-5.3.3.tar.bz2
root@debian:/usr/src# tar jxvf strongswan-5.3.3.tar.bz2
root@debian:/usr/src# apt-get build-dep strongswan
root@debian:/usr/src# cd strongswan-5.3.3/
root@debian:/usr/src# ./configure
root@debian:/usr/src# make && make install

Notes:
If the steps above complete without errors, the programs end up installed under the subdirectories of /usr/local/, and the configuration files that are actually in effect live in /usr/local/etc.
If the configure step reports errors, download and install the corresponding packages and run it again.
Reference configure options:

root@debian:/usr/src# ./configure --enable-bliss --enable-af-alg --enable-blowfish --enable-ccm --enable-ctr --enable-gcm --enable-gcrypt --enable-md4 --enable-ntru --enable-openssl --enable-rdrand --enable-aesni --enable-curl --enable-addrblock --enable-acert --enable-agent --enable-coupling --enable-dnscert --enable-eap-identity --enable-eap-md5 --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-ipseckey --enable-pkcs11 --enable-xauth-eap --enable-xauth-pam --enable-kernel-pfkey --enable-kernel-libipsec --enable-socket-dynamic --enable-vici --enable-dhcp --enable-unity --enable-forecast --enable-duplicheck --enable-error-notify --enable-farp --enable-ha --enable-lookip --enable-systime-fix --enable-cmd --enable-libipsec --enable-swanctl --enable-mediation --enable-python-eggs --enable-python-eggs-install

2. Configure strongSwan
Reference material:
https://zh.opensuse.org/index.php?title=SDB:Setup_Ipsec_VPN_with_Strongswan&variant=zh
ipsec.conf: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
ipsec.secrets: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
strongswan.conf: https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf

Sample ipsec.conf:

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn ciscoios
    forceencaps = yes
    ikelifetime=24h
    lifetime=12h
    keyingtries=3
    authby=secret
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid=%defaultroute
    right=%any
    rightsubnet=192.168.0.0/16
    rightid=%any
    auto=start
    ike=aes256-md5-modp1536
    esp=aes256-sha1
    keyexchange=ikev1

Sample ipsec.secrets (note the space before the colon ":"; without it an error occurs):

         : PSK  "password string"
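As an added example (not code from the original post or from strongSwan), the following Python check parses a conn block like the one above and flags the settings a reviewer would question in it: MD5 in the ike= proposal, DH group 5, SHA-1 integrity, a wildcard rightid combined with PSK authentication, and IKEv1. The sample configuration text is constructed inline, and all function names are my own.

```python
# Constructed sample that mirrors the conn block in this post (embedded here, not read from disk).
SAMPLE_IPSEC_CONF = """\
config setup
        # strictcrlpolicy=yes

conn ciscoios
    authby=secret
    right=%any
    rightid=%any
    ike=aes256-md5-modp1536
    esp=aes256-sha1
    keyexchange=ikev1
"""
# Algorithm tokens worth flagging in an ike= or esp= proposal, with the reason.
FLAGGED = {
    "md5": "MD5 hash/PRF (prefer sha256)",
    "sha1": "SHA-1 integrity (prefer sha256)",
    "modp768": "DH group 1", "modp1024": "DH group 2",
    "modp1536": "DH group 5 (below 2048 bits; prefer modp2048 or ecp256)",
}

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'conn NAME': {key: value}}; comments and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # 'config setup' / 'conn NAME' start in column 0
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def audit_conn(conn):
    """Return a list of findings for one conn dict; an empty list means nothing was flagged."""
    findings = []
    for label in ("ike", "esp"):
        for proposal in filter(None, conn.get(label, "").split(",")):
            for alg in proposal.strip().rstrip("!").split("-"):   # '!' is strongSwan's strict flag
                if alg in FLAGGED:
                    findings.append(f"{label}={proposal.strip()}: {FLAGGED[alg]}")
    if conn.get("authby") == "secret" and conn.get("rightid", "%any") == "%any":
        findings.append("authby=secret with rightid=%any: any host that knows the PSK is accepted; pin rightid")
    if conn.get("keyexchange") == "ikev1":
        findings.append("keyexchange=ikev1: prefer ikev2 where the peer firmware supports it")
    return findings

def audit(text):   # audit every conn section of an ipsec.conf text -> {section: findings}
    return {name: audit_conn(c) for name, c in parse_ipsec_conf(text).items() if name.startswith("conn ")}
```

Run audit(open("/usr/local/etc/ipsec.conf").read()) against the live file to review a real configuration; an empty list per conn means nothing in this checklist was hit.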

3. Configure the iptables forwarding rules:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --syn -s 192.168.8.0/24 -j TCPMSS --set-mss 1356

The first rule configures NAT (masquerading) for forwarded traffic.
The second rule clamps the TCP Maximum Segment Size (MSS) of forwarded connections, for the case where PMTU/MTU settings do not take effect; see http://lartc.org/howto/lartc.cookbook.mtu-mss.html for an explanation. The value 1356 can be adjusted as needed. On Windows, running

ping -f -l <packet size> <target IP address>

probes the MSS value usable on the path. If, after the VPN comes up, some websites show their text but images do not load or load very slowly (assuming routing is otherwise fine), this setting is the one to look at.

4. Configure the system to support IP forwarding
Edit /etc/sysctl.conf:

net.ipv4.ip_forward=1

Then run:

sysctl -p

5. Cisco 1841 configuration

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key [pre-share-keys/password] address [strongswan public ip address]
crypto ipsec transform-set TS_strongswan esp-aes 256 esp-sha-hmac
crypto ipsec profile ipsecprof_strongswan
 set transform-set TS_strongswan

interface Tunnel1
 ip address [Local Lan ip address] [Local Lan Netmask]
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel destination [strongswan public ip address]
 tunnel protection ipsec ipsecprof_strongswan

Route configuration (example):

ip route 8.8.8.8 255.255.255.255 Tunnel1 permanent
ip route 8.8.4.4 255.255.255.255 Tunnel1 permanent
