【发布时间】:2021-01-26 03:06:28
【问题描述】:
我是这个范围内的新手。我尝试在谷歌云平台上使用 centos7(不同区域)配置 strongswan 站点到站点。我已经按照这个指南做了:
- https://blog.ruanbekker.com/blog/2018/02/11/setup-a-site-to-site-ipsec-vpn-with-strongswan-and-preshared-key-authentication/
- https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-centos-rhel-8/
- https://medium.com/@georgeswizzalonge/how-to-setup-a-site-to-site-vpn-connection-with-strongswan-32d4ed034ae2
这个ipsec.conf来自站点A:
config setup
charondebug="all"
strictcrlpolicy=no
uniqueids = yes
conn sg-to-jkt
authby=secret
left=%defaultroute
leftid=34.xx.xx.xxx
leftsubnet=10.xxx.x.xx/24
right=34.xxx.xxx.xxx
rightsubnet=10.xxx.x.x/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start
ipsec.secrets档案站A:
site-A site-B : PSK "someencryptedkey"
这个ipsec.conf站点B:
config setup
charondebug="all"
strictcrlpolicy=no
uniqueids = yes
conn jkt-to-sg
authby=secret
left=%defaultroute
leftid=34.xxx.xxx.xxx
leftsubnet=10.xxx.x.x/24
right=34.xx.xx.xxx
rightsubnet=10.xxx.x.xx/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start
ipsec.secret文件站点B:
site-B site-A : PSK "someencryptedkey"
我的问题是:
-
为什么每次我重新启动 strongswan (strongswan restart),strongswan 服务 (systemctl status strongswan) 变得死/不活动? (注:strongswan隧道还在)
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled) Active: inactive (dead) since Sun 2020-10-11 16:37:06 UTC; 32min ago -
ESP 协议中没有流量,
tcpdump esp不显示任何内容,但 strongswan 隧道已启动。我意识到状态给出的结果与示例不同。结果返回ESP in UDP SPIs而不是ESP SPIs。有什么不同或其他的吗?
感谢您的帮助和建议
【问题讨论】:
标签: centos7 vpn systemctl strongswan