Server strongswan.conf
libtls {
    suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
}
charon {
    plugins {
        dhcp {
            # Always use the configured server address.
            force_server_address = yes
            # Derive user-defined MAC address from hash of IKE identity.
            identity_lease = yes
            # Interface name the plugin uses for address allocation.
            interface = eth0
            # Whether to load the plugin. Can also be an integer to increase the
            # priority of this plugin.
            load = yes
            # DHCP server unicast or broadcast IP address.
            server = 10.0.2.255
        }
    }
}
Client ipsec.conf
conn %default
    ike=aes256gcm16-sha384-modp3072!
    esp=aes256gcm16-sha384-modp3072!
conn ikev2
    auto=start
    [email protected]
    leftsourceip=%config
    leftauth=eap-tls
    leftcert=vpn-client.crt
    right=my-vpn.com
    rightid=my-vpn.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
The client is getting a dynamic IP from isc-dhcp-server, but I want to assign a static IP with the following in dhcpd.conf:
host client {
    # dhcpd.conf expects colon-separated hex octets for the hardware address.
    hardware ethernet a1:b2:c3:d4:e5:f6;
    fixed-address 10.0.2.2;
}
According to https://wiki.strongswan.org/projects/strongswan/wiki/DHCPPlugin, the client MAC address can optionally be based on the client's IKEv2 identity.
Answer 1
Not sure how the MAC is calculated, but you can find it by running sudo dhcp-lease-list.
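The approach from the answer, as an added example that is not part of the original post: read the MAC the DHCP server recorded for the client's lease and turn it into the host entry from the question. It assumes the lease records follow the dhcpd.leases(5) layout; the sample records, MAC addresses and function names are constructed for illustration.

```python
import re

# Constructed sample records in the dhcpd.leases(5) layout; all values are made up.
SAMPLE_LEASES = """\
lease 10.0.2.10 {
  binding state active;
  hardware ethernet 02:00:00:00:00:01;
}
lease 10.0.2.10 {
  binding state free;
  hardware ethernet 02:00:00:00:00:01;
}
lease 10.0.2.11 {
  binding state active;
  hardware ethernet 02:00:00:AD:BE:EF;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\n\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:\-]+);")
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)

def normalize_mac(mac):
    """Return the colon-separated lower-case form that dhcpd.conf expects."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.lower() for o in octets)

def active_leases(text):
    """Map IP -> MAC for active leases; a later record for an IP overrides an earlier one."""
    result = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        mac = MAC_RE.search(body)
        if state and state.group(1) == "active" and mac:
            result[ip] = normalize_mac(mac.group(1))
        else:
            result.pop(ip, None)  # lease was released or expired later in the file
    return result

def host_stanza(name, mac, fixed_ip):
    """Build a dhcpd.conf host entry pinning fixed_ip to the given MAC."""
    return (f"host {name} {{\n"
            f"  hardware ethernet {normalize_mac(mac)};\n"
            f"  fixed-address {fixed_ip};\n"
            f"}}\n")
```
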