Learn-at-a-Glance Series: Aliyun VPN and strongSwan s2s interconnect configuration

Guaranteed to work.

Alibaba Cloud VPN gateway and strongSwan s2s interconnect configuration

IPsec connection parameters on the Alibaba Cloud VPN gateway side:

{
  "LocalSubnet": "对端内网IP段/24",
  "RemoteSubnet": "阿里内网IP段/24",
  "IpsecConfig": {
    "IpsecPfs": "group2",
    "IpsecEncAlg": "aes",
    "IpsecAuthAlg": "sha1",
    "IpsecLifetime": 86400
  },
  "Local": "对端公网IP",
  "Remote": "阿里端公网IP",
  "IkeConfig": {
    "IkeAuthAlg": "sha1",
    "LocalId": "对端VM内网IP",
    "IkeEncAlg": "aes256",
    "IkeVersion": "ikev1",
    "IkeMode": "aggressive",
    "IkeLifetime": 86400,
    "RemoteId": "阿里端公网IP",
    "Psk": "g24J$%#$",
    "IkePfs": "group2"
  }
}

The corresponding strongSwan ipsec.conf on the peer side:


config setup
     uniqueids=no
conn %default
     # pre-shared-key authentication; the key itself is kept in ipsec.secrets
     authby=psk
     type=tunnel
conn tomyidc
     keyexchange=ikev1
     # left/leftid must be the VM's own private address, not its public address
     # (see the fault note at the end of this post)
     left=对端VM内网IP
     leftsubnet=本端内网IP段/24
     leftid=对端VM内网IP
     right=阿里端公网IP
     rightsubnet=阿里内网IP段/24
     rightid=阿里端公网IP
     auto=route
     # must match IkeEncAlg/IkeAuthAlg/IkePfs on the gateway side (group2 = modp1024)
     ike=aes256-sha1-modp1024
     ikelifetime=86400s
     # must match IpsecEncAlg/IpsecAuthAlg/IpsecPfs on the gateway side
     esp=aes-sha1-modp1024
     lifetime=86400s
     type=tunnel
     # IKEv1 aggressive mode, matching IkeMode on the gateway side
     aggressive=yes

The statusall output once the tunnel is established:

Listening IP addresses:
  对端VM内网IP
Connections:
     tomyidc:  对端VM内网IP…阿里端公网IP  IKEv1 Aggressive
     tomyidc:   local:  [对端VM内网IP] uses pre-shared key authentication
     tomyidc:   remote: [阿里端公网IP] uses pre-shared key authentication
     tomyidc:   child:  对端内网IP段/24 === 阿里内网IP段/24 TUNNEL
Routed Connections:
     tomyidc{1}:  ROUTED, TUNNEL, reqid 1
     tomyidc{1}:   对端内网IP段/24 === 阿里内网IP段/24
Security Associations (1 up, 0 connecting):
     tomyidc[1]: ESTABLISHED 4 minutes ago, 对端VM内网IP[对端VM内网IP]…阿里端公网IP[阿里端公网IP]
     tomyidc[1]: IKEv1 SPIs: 13f2e09ad624bad8_i* af1d8f540aef12d3_r, pre-shared key reauthentication in 23 hours
     tomyidc[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     tomyidc{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce59cad4_i c0ed3fcf_o
     tomyidc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 4272 bytes_o (60 pkts, 200s ago), rekeying in 23 hours
     tomyidc{2}:   对端内网IP段/24 === 阿里内网IP段/24
[root@hk-cdn-server-ipsecvpn-001 strongswan]#

https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/moon.statusall


A fault encountered along the way

"Error writing to socket: Invalid argument".

Cause: the left-related settings must be written with the VM's own IP address, not the public IP.
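As an added example (not from the original post, nor Alibaba Cloud's or strongSwan's own code), the Python below maps the gateway-side JSON shown above to a strongSwan conn section, putting LocalId rather than the public address into left/leftid as this post's fix requires, and flags the settings a reviewer would ask to upgrade before go-live (IKEv1 aggressive mode with PSK, SHA-1, 1024-bit DH). The addresses, subnets and PSK are constructed placeholders, and treating an IpsecPfs value of "disabled" as "no DH group in the ESP proposal" is an assumption.

```python
import json

# Mapping from the gateway JSON's PFS names to strongSwan DH group names. The
# "disabled" entry is an assumption: no DH group is then added to the ESP proposal.
DH_GROUP = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536",
            "group14": "modp2048", "disabled": ""}
# Constructed sample in the shape of the page's gateway JSON; every address,
# subnet and the PSK are hypothetical placeholders.
SAMPLE = json.loads("""{
  "LocalSubnet": "10.1.0.0/24", "RemoteSubnet": "10.2.0.0/24",
  "IpsecConfig": {"IpsecPfs": "group2", "IpsecEncAlg": "aes",
                  "IpsecAuthAlg": "sha1", "IpsecLifetime": 86400},
  "Local": "203.0.113.10", "Remote": "198.51.100.20",
  "IkeConfig": {"IkeAuthAlg": "sha1", "LocalId": "10.1.0.5", "IkeEncAlg": "aes256",
                "IkeVersion": "ikev1", "IkeMode": "aggressive", "IkeLifetime": 86400,
                "RemoteId": "198.51.100.20", "Psk": "PSK-PLACEHOLDER", "IkePfs": "group2"}
}""")

def proposal(enc, auth, pfs):
    """Build a strongSwan proposal string such as aes256-sha1-modp1024."""
    return "-".join(p for p in (enc, auth, DH_GROUP[pfs]) if p)

def to_ipsec_conf(cfg, conn="tomyidc"):
    """Render the conn section. left/leftid take LocalId (the VM's own private
    address), not the public Local address: the post reports that the public IP
    there fails with 'Error writing to socket: Invalid argument'. PSK -> ipsec.secrets."""
    ike, esp = cfg["IkeConfig"], cfg["IpsecConfig"]
    settings = [("keyexchange", ike["IkeVersion"]), ("left", ike["LocalId"]),
                ("leftsubnet", cfg["LocalSubnet"]), ("leftid", ike["LocalId"]),
                ("right", cfg["Remote"]), ("rightsubnet", cfg["RemoteSubnet"]),
                ("rightid", ike["RemoteId"]), ("auto", "route"), ("authby", "psk"),
                ("ike", proposal(ike["IkeEncAlg"], ike["IkeAuthAlg"], ike["IkePfs"])),
                ("ikelifetime", f"{ike['IkeLifetime']}s"),
                ("esp", proposal(esp["IpsecEncAlg"], esp["IpsecAuthAlg"], esp["IpsecPfs"])),
                ("lifetime", f"{esp['IpsecLifetime']}s"), ("type", "tunnel")]
    if ike["IkeVersion"] == "ikev1" and ike["IkeMode"] == "aggressive":
        settings.append(("aggressive", "yes"))
    return "\n".join([f"conn {conn}"] + [f"     {k}={v}" for k, v in settings])

def weak_settings(cfg):
    """List the parameters of this tunnel a reviewer would ask to be upgraded."""
    ike, esp = cfg["IkeConfig"], cfg["IpsecConfig"]
    found = []
    if ike["IkeVersion"] == "ikev1" and ike["IkeMode"] == "aggressive":
        found.append("ikev1-aggressive-psk")  # peer ID and PSK-derived hash go out unencrypted
    if "sha1" in (ike["IkeAuthAlg"], esp["IpsecAuthAlg"]):
        found.append("sha1")
    if "group2" in (ike["IkePfs"], esp["IpsecPfs"]):
        found.append("modp1024")  # 1024-bit DH is below current guidance
    return found
```

Running to_ipsec_conf(SAMPLE) reproduces the ike=, esp=, lifetime and aggressive=yes lines of the post's conn section, and weak_settings(SAMPLE) shows which of those settings are only there to match the gateway's current policy.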
