Older strongSwan releases were controlled with the ipsec command (ipsec start); current releases are controlled with swanctl over the vici interface.
Routing
On Linux, strongSwan by default installs its routes into routing table 220. The routes look roughly like this:
10.1.0.0/24 via 10.2.0.1 src 10.2.0.2
# local IP 10.2.0.2
# remote subnet 10.1.0.0/24
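An added check for the routes described above (example code written for these notes, not part of strongSwan): it parses `ip route show table 220` output and verifies that the route for a remote subnet exists and carries the expected local address as src, since a route with the wrong source address produces packets that do not match the IPsec policy. The sample table output below is constructed; on a real host substitute the live command output.

```shell
#!/bin/sh
# Constructed sample of `ip route show table 220` on a strongSwan gateway:
# the first route is correct, the second has an unexpected src address.
SAMPLE_TABLE_220='10.1.0.0/24 via 10.2.0.1 dev eth0 proto static src 10.2.0.2
10.3.0.0/24 via 10.2.0.1 dev eth0 proto static src 10.2.0.9'

# route_src SUBNET : read route lines on stdin and print the src address
# of the route whose destination is SUBNET; prints nothing if there is no
# such route or it has no src attribute.
route_src() {
    awk -v want="$1" '
        $1 == want { for (i = 1; i <= NF; i++) if ($i == "src") print $(i + 1) }'
}

# check_route TABLE_OUTPUT SUBNET LOCAL_IP : exit status 0 when the route for
# SUBNET exists and uses LOCAL_IP as its source address, 1 when the route is
# missing (or has no src), 2 when the src differs from LOCAL_IP.
check_route() {
    src=$(printf '%s\n' "$1" | route_src "$2")
    if [ -z "$src" ]; then
        return 1
    elif [ "$src" != "$3" ]; then
        return 2
    fi
    return 0
}

# Usage on a live system:
#   check_route "$(ip route show table 220)" 10.1.0.0/24 10.2.0.2
```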
IPsec protocol
The IPsec protocol consists of two main parts:
- Encapsulating Security Payload (ESP): encrypts the IP packets exchanged between the two endpoints
- Internet Key Exchange Version 2 (IKEv2), the auxiliary protocol: handles authentication of the two peers, automated establishment of encrypted and integrity-protected sessions, and protection of the ESP payload.
Transport mode
Tunnel mode
ESP packet structure
charon
This daemon is the strongSwan process that implements the IKEv2 protocol.
+---------------------------------+       +----------------------------+
|           Credentials           |       |          Backends          |
+---------------------------------+       +----------------------------+

   +------------+  +-----------+        +------+            +----------+
   |  receiver  |  |           |        |      |  +------+  | CHILD_SA |
   +----+-------+  | Scheduler |        | IKE- |  | IKE- |--+----------+
        |          |           |        | SA   |--| SA   |  | CHILD_SA |
   +----+-----+    +-----------+        |      |  +------+  +----------+
<->| socket   |                          | Man- |
   +----+-----+    +-----------+        | ager |  +------+  +----------+
        |          |           |        |      |  | IKE- |--| CHILD_SA |
   +----+-------+  | Processor |--------|      |--| SA   |  +----------+
   |   sender   |  |           |        |      |  +------+
   +------------+  +-----------+        +------+

+---------------------------------+       +----------------------------+
|               Bus               |       |      Kernel Interface      |
+---------------------------------+       +----------------------------+
      |                |                                |
+-------------+  +-------------+                        V
| File-Logger |  |  Sys-Logger |                     //////
+-------------+  +-------------+
The daemon supports loading plugins at startup:
+-------------------------------------+
| charon                           +---+   +-----+------+
|                                  |   |   |    vici    |
|                                  |   |   +-----+------+
|  +-------------+                 |   |   +-----+------+
|  |     bus     |  ---->          | p |   |   stroke   |
|  +-------------+                 | l |   +-----+------+
|  +-------------+  <----          | u |   +-----+------+
|  | controller  |                 | g |   |    sql     |
|  +-------------+  ---->          | i |   +-----+------+
|  +-------------+                 | n |   +-----+------+
|  | credentials |  <----          |   |   |  eap_aka   |
|  +-------------+                 | l |   +-----+------+
|  +-------------+  ---->          | o |   +-----+------+
|  |  backends   |                 | a |   |  eap_sim   |
|  +-------------+  <----          | d |   +-----+------+
|  +-------------+                 | e |   +-----+------+
|  |     eap     |  ---->          | r |   |  eap_md5   |
|  +-------------+                 |   |   +-----+------+
|                                  |   |   +-----+------+
|                                  |   |   |eap_identity|
|                                  +---+   +-----+------+
+-------------------------------------+
There is a growing list of available libcharon plugins.
Required kernel modules
ah4
ah6
esp4
esp6
xfrm4_tunnel
xfrm6_tunnel
xfrm_user
ip_tunnel
tunnel
tunnel6
xfrm4_mode_tunnel
xfrm6_mode_tunnel
Kernel versions earlier than 5.2 require IPsec to be enabled explicitly; using a 5.2 or later kernel is preferable.
Reference: docs.strongswan.org/docs/5.9/in…
Reference for troubleshooting with packet captures:
- Taking Traffic Dumps
IPv6
As can be seen, site-to-site IPv6 does not yet fully support IKEv2.