The company runs on the AWS China region. The AWS international regions offer a managed VPN product, so a private VPN connection can be built directly against AWS's own VPN endpoint, but the China region does not yet offer this feature and the VPN site has to be built by hand. On the corporate side a Huawei USG firewall serves as the VPN gateway. To connect the office network with the cloud platform, we decided to build a site-to-site VPN tunnel with IPsec.
DH group to key-length mapping: https://support.huaweicloud.com/vpn_faq/vpn_08_0617.html
There are many open-source VPN products; this time StrongSwan is used.
This example, based on the customer-side VPN configuration information, describes in detail two strongSwan IPsec client VPN configurations on Linux.
- Install the IPsec VPN client.
yum -y install strongswan
The installation is complete when the "Complete!" prompt appears. strongSwan's configuration files live under /etc/strongswan; the whole setup only requires editing ipsec.conf and ipsec.secrets.
- Enable IPv4 forwarding.
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 //add this line
/sbin/sysctl -p //run this command to apply the forwarding setting
- iptables configuration.
Confirm that the firewall is disabled or that it allows traffic forwarding; check with iptables -L:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
- Pre-shared key configuration.
vim /etc/strongswan/ipsec.secrets //edit the ipsec.secrets file
22.22.22.22 11.11.11.11 : PSK "ipsec-key"
The format is the same as openswan's: a space on each side of the colon, PSK in uppercase only, and the key enclosed in double quotes.
- IPsec connection configuration.
vim /etc/strongswan/ipsec.conf //edit the ipsec.conf file
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
#config setup
#    strictcrlpolicy=yes
#    uniqueids = no
config setup
    uniqueids=no
# Add connections here.
conn %default
    authby=psk                  # authenticate with a pre-shared key
conn sirun                      # connection name, referenced by "strongswan up/down"
    keyexchange=ikev1           # IKE protocol version used by this IPsec connection
    leftid=52.81.100.102        # local identity ID
    #left=%any                  # local IP; behind NAT use the host's real address
    left=172.29.0.73
    leftsubnet=172.29.0.0/16    # local subnet
    rightid=117.133.54.252      # remote identity ID
    right=117.133.54.252        # remote VPN gateway IP
    rightsubnet=192.168.8.0/21  # remote subnet
    #ike=aes-sha1-modp1024      # IKE proposal: encryption-integrity-DH group
    #esp=aes-sha1               # ESP proposal: encryption-integrity(-DH group)
    ike=aes256-sha1-modp1536!   # IKE proposal: encryption-integrity-DH group
    esp=aes256-sha1-modp1536!   # ESP proposal: encryption-integrity-DH group
    lifetime=86400s             # lifetime of the IPsec SA
    type=tunnel
    aggressive=yes
    auto=start                  # one of add, route or start
Once configured, openswan can validate the settings with the command ipsec verify; strongSwan validates them when the service starts. When every item in the output reads OK, the configuration is successful.
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding[OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS[OK]
Checking for obsolete ipsec.conf options [OK]
If the output shows the following error:
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti01/rp_filter [ENABLED]
resolve it with the following commands:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ip_vti01/rp_filter
- Start the service.
service strongswan stop //stop the service
service strongswan start //start the service
service strongswan restart //restart the service
strongswan down sirun //bring the connection down (name as defined by "conn" in ipsec.conf)
strongswan up sirun //bring the connection up
Note:
After every configuration change the service must be restarted and the connection brought up again.
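Before restarting the service it is worth checking that the two files agree with each other and with the proposals you intend. The checker below is an added example, not code from the post or from strongSwan: it parses ipsec.conf and ipsec.secrets in the format shown above (the sample inputs are constructed from the post's values) and reports a PSK entry whose selectors match neither IKE identity, IKEv1 aggressive mode combined with PSK, and DH groups shorter than 2048 bits.

```python
import re

# Constructed sample inputs built from the values used in the post above.
IPSEC_CONF = """\
conn %default
    authby=psk            # inherited by every conn section
conn sirun
    keyexchange=ikev1
    leftid=52.81.100.102
    rightid=117.133.54.252
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1-modp1536!
    aggressive=yes
"""
IPSEC_SECRETS = '22.22.22.22 11.11.11.11 : PSK "ipsec-key"\n'
WEAK_DH = ("modp768", "modp1024", "modp1536")  # all below 2048 bits

def parse_conf(text):
    # ipsec.conf -> {section: {key: value}}; '#' starts a comment
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ")):
            cur = line.split(None, 1)[1]
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            sections[cur][key.strip()] = val.strip()
    return sections

def parse_secrets(text):
    # ipsec.secrets -> [(set of selectors, key)] for every PSK line
    pat = re.compile(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"')
    hits = (pat.match(line.strip()) for line in text.splitlines())
    return [(set(m.group(1).split()), m.group(2)) for m in hits if m]

def check_conn(conf, secrets, name):
    # Returns the list of findings for connection `name`; %default is inherited.
    c = {**conf.get("%default", {}), **conf[name]}
    ids = {c.get("leftid", c.get("left")), c.get("rightid", c.get("right"))}
    findings = []
    # charon uses the PSK whose selectors match the IKE identities; a bare or %any entry matches anyone
    if not any(sel <= ids or sel <= {"%any"} for sel, _ in secrets):
        findings.append("no PSK entry whose selectors match leftid/rightid")
    if c.get("keyexchange") == "ikev1" and c.get("aggressive") == "yes" and c.get("authby") == "psk":
        findings.append("IKEv1 aggressive mode + PSK: PSK-derived hash sent in clear, use a long random PSK")
    for key in ("ike", "esp"):
        findings += [f"{key}: {g} is below 2048-bit DH" for g in WEAK_DH if g in c.get(key, "")]
    return findings
```

Run against the post's own values the checker reports all four findings, because the placeholder selectors in ipsec.secrets do not name the identities used in ipsec.conf; once the selectors are replaced with 52.81.100.102 and 117.133.54.252 only the proposal and mode findings remain.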
Configuration verification
Query with strongswan statusall; the output shows when the connection was established.
[root@ip-172-29-0-73 ec2-user]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.14.281-212.502.amzn2.x86_64, x86_64):
uptime: 22 minutes, since Oct 17 09:26:36 2022
malloc: sbrk 1884160, mmap 0, used 1016560, free 867600
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
172.29.0.73
Connections:
sirun: 172.29.0.73...117.133.54.252 IKEv1 Aggressive
sirun: local: [52.81.100.102] uses pre-shared key authentication
sirun: remote: [117.133.54.252] uses pre-shared key authentication
sirun: child: 172.29.0.0/16 === 192.168.8.0/21 TUNNEL
Security Associations (1 up, 0 connecting):
sirun[1]: ESTABLISHED 21 minutes ago, 172.29.0.73[52.81.100.102]...117.133.54.252[117.133.54.252]
sirun[1]: IKEv1 SPIs: 49a41879ff78d648_i* 3862d38b1b99d255_r, pre-shared key reauthentication in 2 hours
sirun[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
sirun{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1139c01_i 0ebe9c4c_o
sirun{1}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
sirun{1}: 172.29.0.0/16 === 192.168.8.0/21