Ubuntu - IPsec VPN with dual stack / strongSwan

I am trying to set up an IPsec VPN (IKEv1) for our Linux clients. But we need an IPv4 and IPv6 dual stack.

The endpoint is a Fortigate firewall. There are two phase 2s, one for IPv4 and one for IPv6. The setup looks like this:

config vpn ipsec phase1-interface
    edit "VPNRemote"
        set type dynamic
        set interface "port4"
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "VPNRemote_Group"
        set assign-ip-from name
        set ipv4-name "VPNRemote_Network"
        set ipv6-name "VPNRemote_Network"
        set save-password enable
        set client-auto-negotiate enable
        set psksecret
    next
end
config vpn ipsec phase2-interface
    # IPv4 phase 2 (default address type is an IPv4 subnet)
    edit "VPNRemote_Network1"
        set phase1name "VPNRemote"
        set proposal aes256-sha256
        set dhgrp 14
    next
    # IPv6 phase 2: selectors explicitly set to IPv6 subnets
    edit "VPNRemote_Network2"
        set phase1name "VPNRemote"
        set proposal aes256-sha256
        set dhgrp 14
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

To connect to the VPN from our Linux clients we use strongSwan. Here I use the following working configuration:

# Base connection, pulled into the two child conns below via "also"
conn VPNRemote
  keyexchange = ikev1
  ikelifetime = 86400s
  keylife = 43200s
  aggressive = no
  ike = aes256-sha256-modp2048
  esp = aes256-sha256-modp2048
  xauth = client
  # request one IPv4 and one IPv6 virtual IP from the gateway (mode-cfg)
  leftsourceip = %config4,%config6
  leftauth = psk
  rightauth = psk
  leftauth2 = xauth
  right = 123.123.123.123
  xauth_identity = muster.tester

# IPv4 child SA: full tunnel
conn VPNRemote1
  rightsubnet = 0.0.0.0/0
  also = VPNRemote
  auto = add

# IPv6 child SA: full tunnel
conn VPNRemote2
  rightsubnet = ::/0
  also = VPNRemote
  auto = add

With the configuration above, the phase 2 named VPNRemote1 comes up and IPv4 is configured. But if I try the phase 2 VPNRemote2, I get a timeout.

Here the Fortigate log prints the following:

peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, me:0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0

So strongSwan proposes the wrong IP type. It should propose IPv6, but it uses IPv4 again.

If I swap it in VPNRemote1, rightsubnet = 0.0.0.0/0 for rightsubnet = ::/0, the problem is exactly the reverse.

So, in summary, strongSwan should propose IPv6 in VPNRemote2, but that does not work.

Does anyone run an IPsec VPN in dual stack on Ubuntu and can give me some hints?
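As an added example (not part of the question and not Fortigate or strongSwan code), here is a small Python check that parses Fortigate "peer proposal is:" lines like the one quoted above and reports whether the initiator's and responder's phase 2 traffic selectors are in the same address family and overlap. The sample log lines are constructed: the first is the line from the question, the second is a matching IPv4 counterpart in the same format, added for contrast. The selector format `<proto>:<start>-<end>:<port>` is read off the quoted line and is an assumption about how the log is laid out.

```python
import ipaddress
import re

# Constructed sample lines (not real captures): the first is the "peer proposal"
# line quoted in the question, the second is what a matching IPv4 phase 2 would
# look like in the same format, added for contrast.
SAMPLE_LOG = [
    "peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, "
    "me:0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0",
    "peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, "
    "me:0:0.0.0.0-255.255.255.255:0",
]

# Assumed layout: each selector is "<proto>:<start>-<end>:<port>". The field
# separator is ':' but IPv6 addresses contain ':' too, so the regex captures
# whole tokens and parse_selector() splits them from the outside in.
LINE_RE = re.compile(r"peer proposal is: peer:(?P<peer>[^\s,]+), me:(?P<me>\S+)")


def parse_selector(token):
    """Parse one traffic selector token into protocol, address range and port."""
    proto, rest = token.split(":", 1)        # leftmost field is the protocol
    addr_range, port = rest.rsplit(":", 1)   # rightmost field is the port
    start_s, end_s = addr_range.split("-", 1)
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    if start.version != end.version or start > end:
        raise ValueError(f"malformed traffic selector: {token!r}")
    return {"proto": int(proto), "start": start, "end": end, "port": int(port)}


def check_proposal(line):
    """Return None for unrelated lines, else a verdict on the two selectors."""
    m = LINE_RE.search(line)
    if not m:
        return None
    peer = parse_selector(m.group("peer"))
    me = parse_selector(m.group("me"))
    same_family = peer["start"].version == me["start"].version
    # Overlap is only defined within one family; an IPv4 range can never
    # intersect an IPv6 range, which is exactly the failure in the question.
    overlap = same_family and max(peer["start"], me["start"]) <= min(peer["end"], me["end"])
    if not same_family:
        reason = (f"address-family mismatch: peer offered IPv{peer['start'].version}, "
                  f"responder selector is IPv{me['start'].version}")
    elif not overlap:
        reason = "same family but the ranges do not overlap"
    else:
        reason = "selectors overlap; phase 2 can be negotiated"
    return {"peer_family": peer["start"].version, "me_family": me["start"].version,
            "overlap": overlap, "reason": reason}


def scan(lines):
    """Run check_proposal over log lines and return only the non-overlapping ones."""
    mismatches = []
    for line in lines:
        verdict = check_proposal(line)
        if verdict is not None and not verdict["overlap"]:
            mismatches.append((line, verdict))
    return mismatches


if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG):
        print(verdict["reason"])
        print("   ", line)
```

Run against the line in the question, the check reports an address-family mismatch (peer IPv4 host against an IPv6 responder range), which is why the Fortigate never finds a matching phase 2 and the client side times out; the IPv4 counterpart line is reported as overlapping. Feeding it a real `diagnose debug` capture works the same way as long as the lines keep the layout above.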
