Establishing an IPsec VPN between strongSwan and an Azure VPN gateway

Environment:

strongSwan runs in a VM inside a virtual network on Azure; the VM has an internal IP and a public IP. The Azure VPN gateway has a public IP.

Azure-side virtual network address space: 192.168.120.0/24
Azure VPN gateway public IP: 139.219.99.158, internal IP: 192.168.120.126
Network space of the office site (or other public cloud) running strongSwan: 192.168.222.0/24
Internal IP of the strongSwan host: 192.168.222.4
Public IP of the strongSwan host: 139.219.239.51
Pre-shared key: stored in /etc/strongswan/ipsec.secrets

strongSwan configuration

# vi /etc/strongswan/ipsec.conf

config setup
    # strictcrlpolicy=yes
    uniqueids = no

conn office-network-to-azure-southeast-asia
        closeaction=restart
        dpdaction=restart

        # Proposals as used in this setup. SHA-1 and modp1024 (DH group 2) are weak by
        # current standards; Azure's default route-based policy also accepts SHA-256 and
        # DH group 14, so ike=aes256-sha256-modp2048 / esp=aes256-sha256 are preferable.
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        reauth=no
        keyexchange=ikev2               # Mandatory for a Dynamic / Route-based gateway
        mobike=no
        ikelifetime=28800s
        keylife=3600s
        keyingtries=%forever
        authby=secret

        #auto=route                     # Alternative to auto=start: install a trap policy and bring the tunnel up on demand when traffic for rightsubnet appears

        left=192.168.222.4              # local strongSwan instance: must be the VM's internal IP, not the public IP that Azure NATs to it
        leftsubnet=192.168.222.0/24
        leftid=192.168.222.4            # local identity: the public or the internal IP both work, but it must match the ID used in ipsec.secrets
        right=139.219.99.158            # Azure VPN gateway: must be the peer's public IP
        rightid=139.219.99.158          # Azure VPN gateway identity
        rightsubnet=192.168.120.0/24,192.168.130.0/24    # address spaces of the virtual network behind the Azure VPN gateway; separate multiple segments with commas

        auto=start


# vi /etc/strongswan/ipsec.secrets

# <leftid> <rightid> : PSK "<key>"; the IDs must match leftid/rightid in ipsec.conf.
# 'sharedsecret' is a placeholder only; use a long random value in practice.
192.168.222.4 139.219.99.158 : PSK 'sharedsecret'
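Once both files are in place and auto=start has brought the tunnel up, the next thing to confirm is not only that the SA exists but which algorithms were actually negotiated: the peer may select any entry of the proposal list, and "ESTABLISHED" says nothing about strength. The script below does that check; it is an added example and not part of the original post. It assumes the conn name and subnets from the configuration above, that the control tool is called `strongswan` (the EPEL package name; set IPSEC_CMD=ipsec on distributions that install it as `ipsec`), and that 192.168.120.4 is the host behind the gateway to ping. Without arguments it runs against a constructed copy of `statusall` output embedded in the script; with `live` it queries the running daemon.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the strongSwan
# side of the tunnel configured above. Without arguments it runs against the
# constructed "statusall" text embedded below; with the argument "live" it
# runs the real status command and pings a host behind the Azure gateway.
# Assumptions: conn name and subnets are taken from the post; the control tool
# is "strongswan" (EPEL package name; use IPSEC_CMD=ipsec elsewhere);
# 192.168.120.4 is the host pinged in the post.

CONN=office-network-to-azure-southeast-asia
REMOTE_NET=192.168.120.0/24
REMOTE_HOST=192.168.120.4
IPSEC_CMD=${IPSEC_CMD:-strongswan}

# Constructed sample in the format "statusall" prints once the tunnel is up.
# The SPIs are made up. "ESP in UDP" shows NAT-T in use, as expected for a VM
# whose public IP is NATed by Azure.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
office-network-to-azure-southeast-asia[1]: ESTABLISHED 3 minutes ago, 192.168.222.4[192.168.222.4]...139.219.99.158[139.219.99.158]
office-network-to-azure-southeast-asia[1]: IKEv2 SPIs: 0011223344556677_i* 8899aabbccddeeff_r, pre-shared key reauthentication in 7 hours
office-network-to-azure-southeast-asia[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
office-network-to-azure-southeast-asia{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee01_i c0ffee02_o
office-network-to-azure-southeast-asia{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 51 minutes
office-network-to-azure-southeast-asia{1}:   192.168.222.0/24 === 192.168.120.0/24 192.168.130.0/24'

# sa_is_up CONN SUBNET: read statusall text on stdin; succeed only when the
# IKE_SA is ESTABLISHED and a CHILD_SA is INSTALLED whose remote selectors
# include SUBNET.
sa_is_up() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q "^$1\[[0-9]*\]: ESTABLISHED" || return 1
    printf '%s\n' "$status" | grep -q "^$1{[0-9]*}: *INSTALLED" || return 1
    printf '%s\n' "$status" | grep "^$1{[0-9]*}: " | grep -q "=== .*$2" || return 1
}

# ike_proposal CONN: print the IKE proposal the two peers actually negotiated.
ike_proposal() {
    sed -n "s/^$1\[[0-9]*\]: IKE proposal: //p" | head -n 1
}

# weak_algorithms CONN: print the parts of the negotiated IKE proposal that are
# weak by current standards (SHA-1, MD5, 3DES, DH groups below 2048 bits).
weak_algorithms() {
    ike_proposal "$1" | tr '/' '\n' \
        | grep -E 'SHA1|MD5|3DES|MODP_(768|1024|1536)' | tr '\n' ' ' | sed 's/ $//'
}

# check CONN SUBNET: report the SA state and warn about weak algorithms.
check() {
    status=$(cat)
    if printf '%s\n' "$status" | sa_is_up "$1" "$2"; then
        echo "tunnel $1 is up for $2"
    else
        echo "tunnel $1 is NOT up for $2"
        return 1
    fi
    weak=$(printf '%s\n' "$status" | weak_algorithms "$1")
    [ -n "$weak" ] && echo "WARNING: weak algorithms negotiated: $weak"
    return 0
}

case "${1:-}" in
    live)
        "$IPSEC_CMD" statusall | check "$CONN" "$REMOTE_NET" || exit 1
        # The kernel must also hold an XFRM policy for the remote subnet.
        ip xfrm policy | grep -q "dst $REMOTE_NET" || { echo "no XFRM policy for $REMOTE_NET"; exit 1; }
        ping -c 3 -W 2 "$REMOTE_HOST"
        ;;
    *)
        printf '%s\n' "$SAMPLE_STATUS" | check "$CONN" "$REMOTE_NET"
        ;;
esac
```

Run it as `sh check-tunnel.sh live` on the strongSwan host. Against the sample it reports the tunnel as up and warns that HMAC_SHA1_96, PRF_HMAC_SHA1 and MODP_1024 were negotiated, which is exactly what the ike= line in ipsec.conf above asks for; after switching to aes256-sha256-modp2048 on both sides the warning disappears.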

Azure VPN gateway setup

1) Create a local network gateway named test-azure-strongswan. It describes the peer (strongSwan) side to Azure:

    IP address: 139.219.239.51 (the public IP of the peer strongSwan gateway)
    Address space: 192.168.222.0/24 (the address space of the network behind the peer, used for routing)
    Configure BGP settings: only needed for dynamic routing. strongSwan itself does not speak BGP; running BGP over the tunnel would need a routing daemon such as FRRouting next to it, so these settings are optional here.
    Autonomous system number (ASN): 7773 (on a local network gateway this field is the ASN of the BGP speaker at the peer site, not that of the virtual network gateway test-gw03n; the two must differ)
    BGP peer IP address: 192.168.120.126 (likewise meant to be the peer site's BGP speaker address; the value entered here is the internal IP of the Azure gateway itself, as shown under the virtual network gateway's Configuration, so it only matters if BGP is enabled on the connection)

2) In the Azure VPN gateway's portal page, open Connections and add a connection:

    Connection type: Site-to-site (IPsec)

    Virtual network gateway: the gateway on the Azure side, test-gw03n, is selected automatically

    Local network gateway: select test-azure-strongswan, created above; the connection pairs it with the virtual network gateway test-gw03n

    Shared key (PSK): sharedsecret (must be identical to the PSK in ipsec.secrets on the strongSwan host)

    After saving, and only if BGP is actually run over the tunnel (otherwise this step is not needed): open the new connection con-02n-03n, go to Configuration and enable BGP.

3) Wait a moment. Once the connection's status shows Connected, the VPN is up and the two sides can ping each other:

    [root@cdd0-vm-zbs01pe strongswan]# ping 192.168.120.4
    PING 192.168.120.4 (192.168.120.4) 56(84) bytes of data.
    64 bytes from 192.168.120.4: icmp_seq=1 ttl=63 time=32.8 ms
    64 bytes from 192.168.120.4: icmp_seq=2 ttl=63 time=32.4 ms

    [root@test-gw-vm03n ~]# ping 192.168.222.4
    PING 192.168.222.4 (192.168.222.4) 56(84) bytes of data.
    64 bytes from 192.168.222.4: icmp_seq=1 ttl=63 time=32.7 ms
    64 bytes from 192.168.222.4: icmp_seq=2 ttl=63 time=32.4 ms
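The three Azure-side steps above can be scripted with the Azure CLI instead of clicked through the portal, which also makes it easy to pin a custom IPsec/IKE policy on the connection rather than accepting whatever the gateway's default policy and the SHA-1/modp1024 proposal in ipsec.conf settle on. The script below is an added example and not part of the original post; gateway and connection names, IPs and subnets come from the post, the resource group name rg-vpn-test is made up, and the `az network local-gateway create`, `az network vpn-connection create`, `az network vpn-connection ipsec-policy add` and `az network vpn-connection show` commands are the standard Azure CLI ones. With AZ=echo it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the Azure-side steps above done
# with the Azure CLI instead of the portal, plus a custom IPsec/IKE policy that
# pins SHA-256 and DH group 14 instead of the SHA-1/modp1024 proposal used in
# the post. Assumptions: the resource group name is made up; gateway and
# connection names, IPs and subnets come from the post. With AZ=echo the
# script prints the az commands instead of running them (dry run).
# Matching strongSwan settings for this policy:
#   ike=aes256-sha256-modp2048   esp=aes256-sha256   keylife=3600s

AZ=${AZ:-az}
RG=${RG:-rg-vpn-test}          # assumed resource group name
VNET_GW=test-gw03n             # Azure virtual network gateway
LNG=test-azure-strongswan      # local network gateway describing the strongSwan site
CONN=con-02n-03n
PEER_PUBLIC_IP=139.219.239.51  # public IP of the strongSwan host
PEER_NET=192.168.222.0/24      # network behind strongSwan
PSK=${PSK:-sharedsecret}       # placeholder; use e.g. "openssl rand -base64 32" in practice

# Step 1: local network gateway = the strongSwan site as seen by Azure.
# No ASN / BGP peer address: strongSwan alone does not speak BGP, so routing
# is static via --local-address-prefixes.
create_local_network_gateway() {
    "$AZ" network local-gateway create \
        --resource-group "$RG" --name "$LNG" \
        --gateway-ip-address "$PEER_PUBLIC_IP" \
        --local-address-prefixes "$PEER_NET"
}

# Step 2: site-to-site connection between the two gateways, PSK authenticated.
create_connection() {
    "$AZ" network vpn-connection create \
        --resource-group "$RG" --name "$CONN" \
        --vnet-gateway1 "$VNET_GW" --local-gateway2 "$LNG" \
        --shared-key "$PSK"
}

# Pin the IPsec/IKE policy on the connection. Azure's names: AES256, SHA256,
# DHGroup14 (modp2048); PFS None matches an esp= line without a DH group.
# Lifetime is in seconds, max size in KB.
set_ipsec_policy() {
    "$AZ" network vpn-connection ipsec-policy add \
        --resource-group "$RG" --connection-name "$CONN" \
        --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
        --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group None \
        --sa-lifetime 3600 --sa-max-size 102400000
}

# connection_status: print the connectionStatus field
# (Connected, Connecting, NotConnected, Unknown).
connection_status() {
    "$AZ" network vpn-connection show \
        --resource-group "$RG" --name "$CONN" \
        --query connectionStatus --output tsv
}

# Step 3: poll until the connection is Connected; give up after $1 attempts.
wait_connected() {
    tries=${1:-30}
    while [ "$tries" -gt 0 ]; do
        [ "$(connection_status)" = "Connected" ] && return 0
        tries=$((tries - 1))
        sleep 10
    done
    return 1
}

# Run the steps only when explicitly asked: sh azure-s2s.sh apply
if [ "${1:-}" = "apply" ]; then
    create_local_network_gateway
    create_connection
    set_ipsec_policy
    wait_connected 30 && echo "connection $CONN is Connected"
fi
```

Because the custom policy is pinned on the Azure side, the strongSwan ike= and esp= lines must be changed to the matching proposal before the connection can come up; a mismatch shows up on the strongSwan host as NO_PROPOSAL_CHOSEN in the charon log, and in Azure as a connection that stays in NotConnected.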