RouterOS自动隧道IPSec的对端配置——以StrongSwan为例

众所周知，RouterOS的IP隧道（GRE、IPIP、EoIP以及它们的IPv6版本）里面都有一个IPSec Secret选项，两台RouterOS设备之间只要填写了相同的密钥，IPSec就会自动建立起来。姑且不说RouterOS默认的IPSec配置有多么的不安全，对于某些场景（比如运营商拦截了GRE但是你恰好又想要一个GRE），这个配置还是简单方便的。那么，如果隧道的对端不是RouterOS设备，这个快速设置还能不能用呢？答案当然是可以的。下面我们以Linux上的StrongSwan为例，实现一个GRE/IPSec隧道的配置。

安装StrongSwan：

apt install charon-systemd libcharon-extra-plugins libstrongswan-extra-plugins

1	apt install charon-systemd libcharon-extra-plugins libstrongswan-extra-plugins

记得启用StrongSwan的systemd日志功能，方便调试。在/etc/strongswan.d/charon-systemd.conf配置：

charon-systemd {
    journal {
        cfg = 2
        ike = 2
    }
}

charon-systemd {

journal {

cfg = 2

ike = 2

}

IPSec配置（其中尖括号部分需要根据实际情况填写），放到/etc/swanctl/conf.d/<any-name>.conf：

connections {
        <any-name-for-connection> {
                local_addrs = <local-ip>
                remote_addrs = <remote-ip>

                local {
                        auth = psk
                        id = <local-ip>
                }
                remote {
                        auth = psk
                        id = <remote-ip>
                }

                # phase 1
                version = 1
                rekey_time = 86400
                proposals = aes128-sha1-modp2048
                dpd_delay = 120
                dpd_timeout = 600

                children {
                        <any-name-for-child-sa> {
                                # phase 2
                                rekey_time = 5400
                                esp_proposals = aes256-sha1-modp1024
                                mode = transport
                                local_ts = dynamic[gre]
                                remote_ts = dynamic[gre]
                                hw_offload = auto
                                start_action = trap
                                close_action = trap
                        }
                }
        }
}

secrets {
        ike-<any-name> {
                id-local = <local-ip>
                id-remote = <remote-ip>
                secret = <your-secret>
        }
}

connections {

<any-name-for-connection> {

local_addrs = <local-ip>

remote_addrs = <remote-ip>

local {

auth = psk

id = <local-ip>

}

remote {

auth = psk

id = <remote-ip>

}

# phase 1

version = 1

rekey_time = 86400

proposals = aes128-sha1-modp2048

dpd_delay = 120

dpd_timeout = 600

children {

<any-name-for-child-sa> {

# phase 2

rekey_time = 5400

esp_proposals = aes256-sha1-modp1024

mode = transport

local_ts = dynamic[gre]

remote_ts = dynamic[gre]

hw_offload = auto

start_action = trap

close_action = trap

}

secrets {

ike-<any-name> {

id-local = <local-ip>

id-remote = <remote-ip>

secret = <your-secret>

}

proposal之类的设置对应RouterOS的IPSec设置里面相应default项的设置即可，那些cipher的语法可以参考IKEv2 Cipher Suites，具体各个设置项的对应关系如下：

应用StrongSwan设置：

systemctl restart strongswan-swanctl

1	systemctl restart strongswan-swanctl

然后配置GRE隧道：

ip tunnel add gre1 mode gre remote <remote-ip> local <local-ip> ttl 255
ip link set gre1 up

1 2	ip tunnel add gre1 mode gre remote <remote-ip> local <local-ip> ttl 255 ip link set gre1 up

就可以啦。

参考：

Drown in Codes

I was sixteen with an open heart…

RouterOS自动隧道IPSec的对端配置——以StrongSwan为例

发表回复取消回复

发表回复 取消回复

发表回复取消回复