REMOTE IPSEC IP: 11.22.33.44 remote-server-subnet: 192.168.32.0/19
LOCAL PUBLIC IP: 55.66.77.88 local-conn-ip : 10.248.1.234/29
PSK: PSKPSKPSK  (placeholder only — keep the real pre-shared key out of these notes and out of version control; it belongs solely in the root-owned, mode-0600 ipsec.secrets file)
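# add conn-ip: secondary address used as the IPsec endpoint (left=) and the
# only address inside leftsubnet 10.248.1.232/29 that this host owns.
# iproute2 resolves "dev" by interface name, so "dev eth0:1" fails with
# 'Cannot find device "eth0:1"'; the ifconfig-style alias name is given with
# "label" on the real interface instead. Not persistent across reboots —
# move it into the network configuration once it is known to work.
ip addr add 10.248.1.234/29 dev eth0 label eth0:1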
# add for ipsec vpn sysctl
# Routing is required: this host forwards leftsubnet <-> rightsubnet traffic
# through the tunnel, it does not merely terminate it.
# NOTE(review): IPv6 forwarding is turned on as well, but no ip6tables filter
# rules appear anywhere in these notes — disable it or add matching v6 rules.
net.ipv6.conf.all.forwarding=1
net.ipv4.ip_forward = 1
# Mode 1: never set DF on locally generated packets (no PMTU discovery); the
# TCPMSS clamp in the iptables FORWARD chain covers forwarded TCP instead.
net.ipv4.ip_no_pmtu_disc=1
# Neither honour nor emit ICMP redirects: a gateway must not let on-link hosts
# rewrite its routes, nor reveal its own routing decisions to them.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
# Reverse-path filtering off; "ipsec verify" reports a non-zero rp_filter as
# a problem for policy-based IPsec, hence 0 here.
# NOTE(review): this removes the kernel's anti-spoofing check while the
# iptables INPUT rules trust 10/8 and 192.168/16 purely by source address.
# rp_filter=2 (loose) on eth0 is the narrower setting if the kernel/peer
# combination tolerates it — confirm with ipsec verify before relying on it.
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
# iptables
# mangle table: no rules, only the chain policies with their iptables-save
# [packets:bytes] counters. The MSS clamp lives in the filter table below.
*mangle
:PREROUTING ACCEPT [49065:6651787]
:INPUT ACCEPT [47547:6532724]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12179:3953613]
:POSTROUTING ACCEPT [12179:3953613]
COMMIT
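*nat
:PREROUTING ACCEPT [3729948:285248453]
:INPUT ACCEPT [47459:4287785]
:OUTPUT ACCEPT [8475:510544]
:POSTROUTING ACCEPT [8410:506620]
# Traffic that an IPsec policy is about to protect must leave POSTROUTING
# untouched: MASQUERADE rewrites the source to the egress interface's
# preferred address, which is normally the primary eth0 address rather than
# the secondary 10.248.1.234 (eth0:1) inside leftsubnet 10.248.1.232/29, so
# the packet would stop matching the SA selector and go out unprotected or
# be dropped. Exempting policy-matched traffic first is the documented
# libreswan pattern.
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
# NOTE(review): everything else forwarded by this host is masqueraded
# regardless of source or egress interface; combined with the filter table's
# FORWARD policy ACCEPT this makes the host an open NAT router. Narrow it
# with "-s <inside-subnet>" and/or "-o eth0" once the intended clients are
# known.
-A POSTROUTING -j MASQUERADE
COMMIT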
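*filter
:INPUT ACCEPT [31828:4961537]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2105704:689977532]
# NOTE(review): with policy ACCEPT on INPUT and FORWARD every "-j ACCEPT"
# below is a no-op (it only accumulates counters). Nothing is filtered until
# the policies are DROP, preceded by a
# "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" and a management
# (SSH) rule so the change does not lock the operator out.
# IPsec on the wire: ESP (proto 50) and AH (51) for peers without NAT,
# ICMP for PMTU and DPD. GRE and VRRP are presumably for GRE-over-IPsec and a
# failover pair respectively — drop them if neither is in use.
-A INPUT -p esp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p vrrp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# IKE (500), NAT-T (4500) and L2TP (1701) are UDP. The TCP twin only matters
# for TCP-encapsulated IKE (RFC 8229) on 4500; TCP 500 and TCP 1701 have no
# standard use here — presumably copied defensively, remove once confirmed.
-A INPUT -p udp -m multiport --dports 1701,500,4500 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 1701,500,4500 -j ACCEPT
# NOTE(review): trusting entire RFC1918 ranges by source address on a host
# whose public interface runs with rp_filter=0 lets anyone able to spoof a
# private source reach every local service. Match on the ingress interface
# or on "-m policy --dir in --pol ipsec" (decrypted tunnel traffic) instead.
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -s 11.22.33.44/32 -j ACCEPT
# NOTE(review): INPUT only sees packets addressed to this host, and
# 192.168.32.0/19 is the *remote* subnet, so this rule cannot match unless
# this host itself holds an address in that range. The intent looks like
# "accept decrypted tunnel traffic", which belongs in FORWARD with the local
# side as destination, e.g.
# -A FORWARD -d 10.248.1.232/29 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -d 192.168.32.0/19 -p tcp -m policy --dir in --pol ipsec -j ACCEPT
# Clamp MSS on forwarded SYNs so TCP inside the tunnel fits the ESP/UDP-4500
# overhead without relying on PMTU discovery (disabled via sysctl).
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1350
COMMIT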
cat /etc/ipsec.d/ipsec.secrets
# Format: <local-id> <peer-id> : PSK '<key>'; %any matches any local ID.
# The PSK is the entire authentication for this tunnel: file must be
# root-owned, mode 0600, and never copied into notes or version control.
%any 11.22.33.44 : PSK 'PSKPSKPSK'
# NOTE(review): 55.66.77.88 is this host's own public address (leftid above).
# A second entry keyed on it only makes sense if this same file is installed
# on the peer; otherwise it is dead configuration that duplicates the secret.
%any 55.66.77.88 : PSK 'PSKPSKPSK'
cat /etc/ipsec.d/ipsec.conf
# Site-to-site tunnel to 11.22.33.44: IKEv1 main mode, pre-shared key.
# left = this host, right = the remote peer. The algorithm choices are kept
# exactly as the peer requires; read the crypto note before reusing them.
conn ipsec
# Remote peer's address and the identity it authenticates with.
right=11.22.33.44
rightid=11.22.33.44
# Networks reachable through the tunnel on each side.
rightsubnet=192.168.32.0/19
leftsubnet=10.248.1.232/29
# This host binds the private 10.248.1.234 but presents the public
# 55.66.77.88 as its IKE identity — presumably because it sits behind NAT and
# the peer checks the ID against that public address (confirm with the peer).
leftid=55.66.77.88
left=10.248.1.234
# Pre-shared key looked up in ipsec.secrets.
authby=secret
# Initiate as soon as pluto starts (this side is the initiator).
auto=start
# IKE SA and IPsec SA lifetimes, both 2 hours.
ikelifetime=7200s
keylife=7200s
# NOTE(review): weak, deprecated suite dictated by the peer — 3DES (64-bit
# block), MD5 / SHA-1 integrity, and DH group 2 (1024-bit modp), which
# libreswan >= 3.30 compiles out unless built with USE_DH2=true (hence the
# source build below). pfs=no derives the IPsec keys from the IKE SA alone,
# so compromising that one exchange exposes all traffic for the whole
# lifetime. ikev2=no forces IKEv1; aggressive=no is the right choice there,
# since aggressive mode would expose the PSK hash to offline cracking.
# Raise with the remote operator: ikev2=insist, ike=aes256-sha2;modp2048 (or
# ecp256), esp=aes_gcm256, pfs=yes.
ike=3des-md5;modp1024
phase2alg=3des-sha1
ikev2=no
aggressive=no
pfs=no
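# debian: libreswan >= 3.30 compiles DH group 2 (modp1024) out, but the peer
# only offers modp1024 (ike= above), so build from source with USE_DH2=true.
# This re-enables a 1024-bit group that is considered weak; treat it as a
# peer-compatibility workaround, not a recommended configuration.
sudo apt-get remove libreswan
sudo apt-get install libnss3-dev libnspr4-dev pkg-config libpam-dev \
libcap-ng-dev libcap-ng-utils libselinux-dev \
libcurl3-nss-dev flex bison gcc make libldns-dev \
libunbound-dev libnss3-tools libevent-dev xmlto \
libsystemd-dev
# NOTE(review): this clones whatever the default branch points at right now
# and installs it as root — pin a release tag (git clone --branch <tag>) and
# verify the signed tag/tarball so the build is reproducible and not an
# unreviewed snapshot of upstream.
git clone https://github.com/libreswan/libreswan.git
cd libreswan
# Exported once; the build inherits it, so no per-command repetition needed.
export USE_DH2=true
make programs
# sudo resets the environment by default (env_reset), so the
# "USE_DH2=true sudo make install" form does not pass the variable through to
# make. Set it inside the sudo'd environment so any install-time rebuild
# sees the same flags as the build.
sudo env USE_DH2=true make install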
# 检查环境
ipsec start
ipsec verify : 如果没有 enable failed ,都是 ok,说明环境没问题。
# debug
# Run pluto in the foreground with logs on stderr. Note the config path: the
# conn above lives in /etc/ipsec.d/ipsec.conf, so this only picks it up if
# /etc/ipsec.conf includes /etc/ipsec.d/*.conf (libreswan's default file does
# — confirm on this host).
ipsec pluto --stderrlog --config /etc/ipsec.conf --nofork
# The distro unit may have been masked by the apt-get remove above; unmask it
# before starting the source build, which installs under /usr/local. The
# full path is used so a leftover /usr/sbin/ipsec earlier on PATH cannot
# shadow the freshly built binary.
systemctl unmask ipsec
/usr/local/sbin/ipsec start
# Re-check kernel/sysctl prerequisites after the daemon is up.
ipsec verify
ipsec status : 成功建立连接的状态
000 Total IPsec connections: loaded 2, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #111: "xxxx":4500 STATE_MAIN_I4 (IKE SA established); REPLACE in 4646s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle;
000 #112: "xxxx":4500 STATE_QUICK_I2 (IPsec SA established); REPLACE in 5396s; newest IPSEC; eroute owner; isakmp#111; idle;
000 #112: "xxxx" esp.f97e3f@remote-ip esp.68f963dd@local-ip tun.0@remote-ip tun.0@local-ip Traffic: ESPin=0B ESPout=5KB ESPmax=4194303B
ipsec pluto --stderrlog --config /etc/ipsec.conf --nofork 报错:
Dec 1 20:22:59.166821: Initializing NSS using read-write database "sql:/var/lib/ipsec/nss"
Dec 1 20:22:59.253512: FATAL ERROR: NSS: initialization using read-only database "sql:/var/lib/ipsec/nss" failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
==> ipsec initnss || true
libreswan 3.30+ no longer supports modp1024/DH2 by default; it has to be built with
USE_DH2=true
=> hwdsl2/ipsec-vpn-server with libreswan 4.9 built with USE_DH2=true
=> alpine 3.11 with libreswan 3.29
=> centos 7 with libreswan 3.25
almalinux:9 with libreswan 4.5
almalinux:9 with libreswan 4.6
# Inspect the live rule set; the -v counters show whether a rule ever
# matched, which matters here because the ACCEPT default policies make most
# rules counters-only.
sudo iptables -t nat -L -v -n # IPv4 rules
iptables -t mangle -L -v -n
iptables -t filter -L -v -n
# Only the IPv6 NAT table is listed; net.ipv6.conf.all.forwarding=1 is set
# above, so the ip6tables filter table deserves the same look.
sudo ip6tables -t nat -L -v -n # IPv6 rules
# Dump the conntrack table — useful to see the UDP 500/4500 flows and which
# sources are being masqueraded.
# NOTE(review): "-j" is not a documented conntrack(8) option for -L; plain
# "conntrack -L" (or "-o extended") may be what was meant — confirm.
conntrack -L -j
####################
#cat compose.yaml
# Named volume declared but not referenced by any service: the ipsec service
# bind-mounts ./data instead. Either wire it up or drop it.
volumes:
  ipsec-data:

services:
  ipsec:
    #image: ipsec
    image: hwdsl2/ipsec-vpn-server
    # The image's own entrypoint is bypassed in favour of the script kept in
    # the data volume, so that script is responsible for firewall, NSS and
    # pluto startup.
    command: bash /etc/ipsec.d/run.sh
    restart: always
    # Presumably holds the VPN credentials the image reads; keep it mode 0600
    # and out of version control.
    env_file:
      - ./ipsec.env
    # IKE (500/udp) and NAT-T (4500/udp) on every host interface. Raw ESP
    # (IP proto 50) cannot be published this way, so only UDP-encapsulated
    # traffic reaches the container through this list.
    ports:
      - "500:500/udp"
      - "4500:4500/udp"
    # NOTE(review): privileged grants every capability and all host devices
    # and disables the default seccomp/AppArmor confinement; it makes cap_add,
    # devices and most of the sysctls below redundant. If the image runs with
    # only NET_ADMIN plus these sysctls, drop privileged — confirm against the
    # image's documentation.
    privileged: true
    hostname: ipsec
    container_name: ipsec
    volumes:
      # Configuration, secrets, iptables.txt and run.sh all live on the host
      # under ./data — this is also where the PSK ends up on disk.
      - ./data:/etc/ipsec.d
      # Host kernel modules, read-only, so the image can load what IPsec
      # needs against the running kernel.
      - /lib/modules:/lib/modules:ro
    tty: true
    networks:
      ipsec:
        # Placeholder; must fall inside the 10.248.0.0/16 subnet declared
        # below. That /16 also covers the leftsubnet 10.248.1.232/29 used in
        # ipsec.conf, so presumably this becomes the tunnel's left= address —
        # confirm.
        ipv4_address: 10.X.X.XX
    cap_add:
      - NET_ADMIN
    # /dev/ppp is only needed if the image's L2TP/PPP mode is used — confirm.
    devices:
      - "/dev/ppp:/dev/ppp"
    # Same settings as the host sysctl list: forward, never accept or send
    # ICMP redirects, and disable reverse-path filtering (needed for
    # policy-based IPsec, at the cost of the kernel's anti-spoofing check).
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.accept_redirects=0
      - net.ipv4.conf.all.send_redirects=0
      - net.ipv4.conf.all.rp_filter=0
      - net.ipv4.conf.default.accept_redirects=0
      - net.ipv4.conf.default.send_redirects=0
      - net.ipv4.conf.default.rp_filter=0
      - net.ipv4.conf.eth0.send_redirects=0
      - net.ipv4.conf.eth0.rp_filter=0

networks:
  ipsec:
    ipam:
      config:
        - subnet: 10.248.0.0/16
cat data/run.sh
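# Container entrypoint (invoked as "bash /etc/ipsec.d/run.sh" from
# compose.yaml): restore firewall rules, make sure the NSS database exists,
# then run pluto in the foreground as the container's main process.
ipsec version
iptables --version

# Load the rules shipped in the data volume. A failed restore must not abort
# startup (best effort, as before), but it is no longer silently swallowed:
# a container running on the image's default ACCEPT policies should be
# visible in the logs rather than mistaken for a firewalled one.
iptables-restore /etc/ipsec.d/iptables.txt \
  || echo "WARNING: iptables-restore /etc/ipsec.d/iptables.txt failed; running without the saved rules" >&2
iptables -nL

# initnss creates /var/lib/ipsec/nss on first start and exits non-zero once
# the database already exists (the SEC_ERROR_BAD_DATABASE case), so a
# failure here is expected on restarts and only worth a log line.
ipsec initnss \
  || echo "NOTE: ipsec initnss returned non-zero (NSS database probably already initialised)" >&2

# exec so pluto replaces this shell as PID 1 and receives SIGTERM from
# "docker stop" directly instead of the shell holding it.
# The conn files are bind-mounted under /etc/ipsec.d; this relies on the
# image's /etc/ipsec.conf including /etc/ipsec.d/*.conf — confirm.
exec ipsec pluto --stderrlog --config /etc/ipsec.conf --nofork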
cat data/xxx.conf
# Container variant of the tunnel definition (addresses look sanitised), read
# from the bind-mounted /etc/ipsec.d.
conn xxx
right=11.18.22.15
rightid=11.18.22.15
rightsubnet=19.16.32.0/19
# NOTE(review): 10.24.9.18/29 has host bits set (the /29 network is
# 10.24.9.16/29); libreswan may warn about or normalise this — write the
# network address unless the value is merely redacted.
leftsubnet=10.24.9.18/29
# Public identity presented to the peer; left= is the private bind address.
leftid=8.7.6.5
left=10.24.9.19
authby=secret
auto=start
ikelifetime=7200s
keylife=7200s
# NOTE(review): same weak, peer-dictated suite as the host config — 3DES,
# MD5 / SHA-1, 1024-bit DH group 2 (needs a USE_DH2=true build), IKEv1 and
# no PFS. Acceptable only as a compatibility workaround; push the peer towards
# IKEv2 with AES / SHA-2, modp2048 or ecp256, and pfs=yes.
ike=3des-md5;modp1024
phase2alg=3des-sha1
ikev2=no
aggressive=no
pfs=no
cat data/xxx.secrets
# Root-owned, mode 0600. This file sits in the bind-mounted ./data directory,
# so the host-side copy needs the same permissions and must stay out of VCS.
%any 11.18.22.15 : PSK '*********'
cat data/iptables.txt
# Generated by iptables-save v1.8.7 on Wed Mar 9 18:15:09 2022
# mangle table: empty, policies only (counters from iptables-save).
*mangle
:PREROUTING ACCEPT [2312:163515]
:INPUT ACCEPT [2296:162555]
:FORWARD ACCEPT [16:960]
:OUTPUT ACCEPT [2283:363273]
:POSTROUTING ACCEPT [2283:363273]
COMMIT
# Completed on Wed Mar 9 18:15:09 2022
# Generated by iptables-save v1.8.7 on Wed Mar 9 18:15:09 2022
# security table (SELinux/SECMARK hooks): empty, policies only.
*security
:INPUT ACCEPT [2229:157875]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2283:363273]
COMMIT
# Completed on Wed Mar 9 18:15:09 2022
# Generated by iptables-save v1.8.7 on Wed Mar 9 18:15:09 2022
# raw table: empty, so nothing is exempted from connection tracking.
*raw
:PREROUTING ACCEPT [2312:163515]
:OUTPUT ACCEPT [2283:363273]
COMMIT
# Completed on Wed Mar 9 18:15:09 2022
# Generated by iptables-save v1.8.7 on Wed Mar 9 18:15:09 2022
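*filter
:INPUT ACCEPT [3:120]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2283:363273]
# NOTE(review): INPUT and FORWARD policies are ACCEPT and the final REJECT
# is commented out below, so nothing in this table actually filters; the
# rules only act as counters until the policy is tightened or the REJECT is
# restored.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# IPsec on the wire: ESP (50), AH (51); GRE presumably for GRE-over-IPsec.
-A INPUT -p esp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ah -j ACCEPT
# IKE and NAT-T are UDP. TCP 500 has no standard use (TCP-encapsulated IKE,
# RFC 8229, uses 4500) — presumably copied defensively, drop once confirmed.
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# NOTE(review): source-based trust of private / link-local / benchmark
# ranges is spoofable with rp_filter=0. These look like client pools of the
# other VPNs (tun/wg/vpns) and would be safer matched on the ingress
# interface, as docker+ is below.
-A INPUT -s 172.16.0.0/16 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -s 198.18.0.0/16 -j ACCEPT
-A INPUT -s 169.254.0.0/16 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -i docker+ -j ACCEPT
# MSS clamp for the VPN client pools must come first: TCPMSS is a
# non-terminating target, while the ACCEPT rules below terminate traversal.
# In the original order the 169.254/16 and 172.16/16 clamps sat behind
# "-s ... -j ACCEPT" rules (and the interface ACCEPTs) and never ran; only
# the 198.18/16 clamp was effective.
-A FORWARD -s 169.254.0.0/16 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1456
-A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1456
-A FORWARD -s 198.18.0.0/16 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1456
# Forwarding between the tunnel / VPN / docker interfaces and outwards.
# There is no rule yet for the IPsec pair itself (19.16.32.0/19 <->
# 10.24.9.18/29); with policy ACCEPT it is forwarded anyway, but it needs an
# explicit "-m policy --dir in --pol ipsec" / "--dir out" pair before the
# REJECT at the end can be re-enabled.
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i wg+ -j ACCEPT
-A FORWARD -i docker+ -j ACCEPT
-A FORWARD -o docker+ -j ACCEPT
-A FORWARD -o vpns+ -j ACCEPT
-A FORWARD -i vpns+ -j ACCEPT
-A FORWARD -s 169.254.0.0/16 -j ACCEPT
-A FORWARD -s 172.16.0.0/16 -j ACCEPT
# Disabled default-deny for forwarding; restore once the allow rules above
# cover everything that must pass.
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o docker+ -j ACCEPT
COMMIT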
# Completed on Wed Mar 9 18:15:09 2022
# Generated by iptables-save v1.8.7 on Wed Mar 9 18:15:09 2022
*nat
:PREROUTING ACCEPT [367:12076]
:INPUT ACCEPT [323:9436]
:OUTPUT ACCEPT [246:14970]
:POSTROUTING ACCEPT [246:14970]
# MASQUERADE is scoped to the VPN client pools, so the IPsec leftsubnet
# (10.24.9.18/29) is never source-rewritten and keeps matching its SA
# selector — unlike the unscoped "-A POSTROUTING -j MASQUERADE" used in the
# host-side rule set earlier in these notes.
-A POSTROUTING -s 169.254.0.0/16 -j MASQUERADE
-A POSTROUTING -s 198.18.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/16 -j MASQUERADE
# Anything leaving via a tun+ interface is masqueraded regardless of source,
# including traffic that originated in 10/8 or 192.168/16.
-A POSTROUTING -o tun+ -j MASQUERADE
#-A POSTROUTING -o veth+ -j MASQUERADE
COMMIT
# Completed on Wed Mar 9 18:15:09 2022
##TODO: debug iptables rule