4.6.4. Configuring a Site-to-Site VPN Using Libreswan

In order for Libreswan to create a site-to-site IPsec VPN, joining together two networks, an IPsec tunnel is created between two hosts, the endpoints, which are configured to permit traffic from one or more subnets to pass through. They can therefore be thought of as gateways to the remote portion of the network. The configuration of the site-to-site VPN differs from the host-to-host VPN only in that one or more networks or subnets must be specified in the configuration file.
To configure Libreswan to create a site-to-site IPsec VPN, first configure a host-to-host IPsec VPN as described in Section 4.6.3, "Creating a Host-to-Host VPN Using Libreswan", and then copy the file to a file with a suitable name, such as /etc/ipsec.d/my_site-to-site.conf. Using an editor running as the root user, edit the custom configuration file /etc/ipsec.d/my_site-to-site.conf as follows:
conn mysubnet
    also=mytunnel
    leftsubnet=192.0.1.0/24
    rightsubnet=192.0.2.0/24
    auto=start

conn mysubnet6
    also=mytunnel
    connaddrfamily=ipv6
    leftsubnet=2001:db8:0:1::/64
    rightsubnet=2001:db8:0:2::/64
    auto=start

conn mytunnel
    leftid=@west.example.com
    left=192.1.2.23
    leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...] W2n417C/4urYHQkCvuIQ==
    rightid=@east.example.com
    right=192.1.2.45
    rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
    authby=rsasig
To bring the tunnels up, restart Libreswan or manually load and initiate all the connections using the following commands as root:
~]# ipsec auto --add mysubnet
~]# ipsec auto --add mysubnet6
~]# ipsec auto --up mysubnet
104 "mysubnet" #1: STATE_MAIN_I1: initiate
003 "mysubnet" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mysubnet" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mysubnet" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mysubnet" #1: received Vendor ID payload [CAN-IKEv2]
004 "mysubnet" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9414a615 <0x1a8eb4ef xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
~]# ipsec auto --up mysubnet6
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
117 "mysubnet" #2: STATE_QUICK_I1: initiate
004 "mysubnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x06fe2099 <0x75eaa862 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
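
As an added example (not part of the Red Hat documentation or of Libreswan itself), the following Python script parses a copy of the configuration above, merges the also=mytunnel section into each subnet conn the way Libreswan does, and reports conns whose leftsubnet/rightsubnet are missing or not in the address family selected by connaddrfamily, or that use authby=rsasig without a key on both sides. The parse_conns, resolve and check_site_to_site helpers are hypothetical, and the RSA key values in the embedded sample are truncated placeholders.

```python
import ipaddress
# Constructed copy of the page's my_site-to-site.conf; key values are truncated placeholders.
SAMPLE_CONF = """\
conn mysubnet
    also=mytunnel
    leftsubnet=192.0.1.0/24
    rightsubnet=192.0.2.0/24
conn mysubnet6
    also=mytunnel
    connaddrfamily=ipv6
    leftsubnet=2001:db8:0:1::/64
    rightsubnet=2001:db8:0:2::/64
conn mytunnel
    left=192.1.2.23
    leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje
    right=192.1.2.45
    rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4
    authby=rsasig
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section (also= not yet merged)."""
    conns, current = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key] = val
    return conns

def resolve(conns, name):
    """Merge also= sections the way Libreswan does: the including conn's own keys win."""
    own = dict(conns[name])
    merged = {}
    for included in own.pop("also", "").split():
        merged.update(resolve(conns, included))
    merged.update(own)
    return merged

def check_site_to_site(conns, name):
    """Return problems found in one resolved conn; an empty list means it looks consistent."""
    c = resolve(conns, name)
    family = 6 if c.get("connaddrfamily") == "ipv6" else 4
    problems = []
    for side in ("left", "right"):
        subnet = c.get(side + "subnet")  # no subnet at all means host-to-host, not site-to-site
        if subnet is None or ipaddress.ip_network(subnet).version != family:
            problems.append("%s: %ssubnet missing or not in the conn's address family" % (name, side))
        if c.get("authby") == "rsasig" and not c.get(side + "rsasigkey", "").startswith("0s"):
            problems.append("%s: %srsasigkey missing for authby=rsasig" % (name, side))
    return problems
```

Running check_site_to_site over each subnet conn before `ipsec auto --add` catches a copied conn that still lacks its subnets or mixes IPv4 subnets into the IPv6 conn; a malformed prefix raises ValueError from ipaddress.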

4.6.4.1. Verifying a Site-to-Site VPN Using Libreswan

Verifying that packets are being sent through the VPN tunnel follows the same procedure as explained in Section 4.6.3.1, "Verifying a Host-to-Host VPN Using Libreswan".