如何自动启动 swanctl.conf 配置的隧道

tag-icon tag-icon debian systemd strongswan
如何自动启动 swanctl.conf 配置的隧道

环境:Debian 10、KDE、完整桌面

# ipsec --version
Linux strongSwan U5.7.2/K4.19.0-6-amd64

# swanctl --version
strongSwan swanctl 5.7.2

# systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2019-12-13 09:35:03 -03; 4h 34min ago
  Process: 6067 ExecStart=/usr/sbin/ipsec start --nofork (code=exited, status=0/SUCCESS)
 Main PID: 6067 (code=exited, status=0/SUCCESS)

# systemctl status strongswan-swanctl
● strongswan-swanctl.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
   Loaded: loaded (/lib/systemd/system/strongswan-swanctl.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-12-13 09:11:34 -03; 4h 56min ago
 Main PID: 6373 (charon-systemd)
   Status: "charon-systemd running, strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64"
    Tasks: 17 (limit: 4915)
   Memory: 8.5M
   CGroup: /system.slice/strongswan-swanctl.service
           └─6373 /usr/sbin/charon-systemd

在花了近两天的时间学习和研究 IPSec 和 IKEv2 之后,我成功地使用strongswan 和 swanctl 连接到公司网关(Lancom LCOS、IKEv2 PSK、User-FQDN 身份)。

重新启动后,我必须运行以下命令:

sudo /usr/sbin/swanctl --load-all

no files found matching '/etc/swanctl/conf.d/*.conf'
loaded ike secret 'ike'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'IKEv2PSK'
successfully loaded 1 connections, 0 unloaded

进而sudo /usr/sbin/swanctl --initiate --child myVpn

[IKE] establishing CHILD_SA myVpn{2}
... lots of log lines ...
initiate completed successfully

我想让隧道自动启动,也许使用类似的 systemd 单元

sudo systemctl swanctl-myVpn start

但是我没有找到任何文档如何实现这一点,这也让我想知道这是否是一个坏主意?

答案1

@ecdsa 为我指明了正确的方向。start_action在配置中添加 a是解决方案:

connections {
    IKEv2PSK {
        remote_addrs = SOME.DYNDNS-IP.COM, 81.81.81.81
        vips = 0.0.0.0
        version = 2
        dpd_delay = 30
        dpd_timeout = 90
        proposals = aes256-sha256-modp2048
        
        local {
            auth = psk
            id = @@[email protected]
        }
        remote {
            auth = psk
            id = 81.81.81.81
        }
                
        children {
            anicVpn {
                remote_ts = 192.168.0.0/24
                updown = /usr/lib/ipsec/_updown iptables
                esp_proposals = aes256-sha256-modp2048
                start_action = trap   # <----- trap: on traffic | start: on boot
            }
        }
    }
}

现在,对服务器进行简单的 ping 操作即可启动隧道。该选项start还可用于在系统启动时直接启动并运行隧道。来源:swanctl.conf

更新

请注意,这在 Ubuntu 中不起作用,因为 AppArmor 会阻止 updown 脚本开箱即用

答案2

通过将以下内容添加到文件中,我可以获得start_action = start在 Ubuntu 上工作的选项/etc/strongswan.d/charon.conf

# Section containing a list of scripts (name = path) that are executed when
# the daemon is started.
start-scripts {
   swanctl-creds = swanctl --load-creds --noprompt
   swanctl-conns = swanctl --load-conns
}

相关内容