I am trying to set up an IPsec VPN (IKEv1) for our Linux clients, but we need IPv4 and IPv6 dual stack.
The endpoint is a Fortigate firewall. There are two phase2s, one for IPv4 and one for IPv6. The setup is as follows:
config vpn ipsec phase1-interface
edit "VPNRemote"
set type dynamic
set interface "port4"
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set dhgrp 14
set xauthtype auto
set authusrgrp "VPNRemote_Group"
set assign-ip-from name
set ipv4-name "VPNRemote_Network"
set ipv6-name "VPNRemote_Network"
set save-password enable
set client-auto-negotiate enable
set psksecret
next
end
config vpn ipsec phase2-interface
edit "VPNRemote_Network1"
set phase1name "VPNRemote"
set proposal aes256-sha256
set dhgrp 14
next
edit "VPNRemote_Network2"
set phase1name "VPNRemote"
set proposal aes256-sha256
set dhgrp 14
set src-addr-type subnet6
set dst-addr-type subnet6
next
end
To connect to the VPN from our Linux clients we use strongSwan. Here I use the following working configuration:
conn VPNRemote
keyexchange = ikev1
ikelifetime = 86400s
keylife = 43200s
aggressive = no
ike = aes256-sha256-modp2048
esp = aes256-sha256-modp2048
xauth = client
leftsourceip = %config4,%config6
leftauth = psk
rightauth = psk
leftauth2 = xauth
right = 123.123.123.123
xauth_identity = muster.tester
conn VPNRemote1
rightsubnet = 0.0.0.0/0
also = VPNRemote
auto = add
conn VPNRemote2
rightsubnet = ::/0
also = VPNRemote
auto = add
With the configuration above, the phase 2 named VPNRemote1 comes up and IPv4 is configured. But if I try phase 2 VPNRemote2, I get a timeout.
Here the Fortigate log prints the following:
peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, me:0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0
So strongSwan proposes the wrong IP type. It should propose IPv6, but it uses IPv4 again.
If I switch rightsubnet = 0.0.0.0/0 in VPNRemote1 to rightsubnet = ::/0, the problem is exactly the other way round.
So, in summary, strongSwan should propose IPv6 in VPNRemote2, but this does not work.
Does anyone run an IPsec VPN in dual stack on Ubuntu and can give me some hints?
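As an added example (not part of the question above), a small Python check that parses Fortigate "peer proposal is:" lines like the one quoted and flags when the address family of the client's (peer) selector differs from the gateway's (me) selector. The first sample line is the one from the post; the second is a constructed line showing what a matching IPv6 proposal would look like.

```python
import re
import ipaddress

# Constructed sample log lines in the format of the Fortigate IKE debug output quoted above.
# Line 0 is the line from the post; line 1 is a constructed, correctly matching IPv6 proposal.
SAMPLE_LOG = [
    "peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, me:0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0",
    "peer proposal is: peer:0:2001:db8::10-2001:db8::10:0, me:0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0",
]

# Each selector is <side>:<proto>:<start>-<end>:<port>. The IPv6 wildcard selector
# "::-ffff:...:ffff" is full of colons, so the address range is matched non-greedily and
# the trailing port is anchored on the following comma or end of line.
SELECTOR_RE = re.compile(r"(peer|me):(\d+):(\S+?)-(\S+?):(\d+)(?=,|$)")


def parse_selectors(line):
    """Return {'peer': (start, end), 'me': (start, end)} for a 'peer proposal is:' line."""
    selectors = {}
    for side, _proto, start, end, _port in SELECTOR_RE.findall(line):
        selectors[side] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
    return selectors


def check_proposal(line):
    """Compare the address family of the client's (peer) and gateway's (me) selectors.

    Returns (peer_ip_version, me_ip_version, mismatch) or None if the line is not a proposal.
    A mismatch (e.g. IPv4 peer selector against an IPv6 gateway selector) is exactly the
    situation in the post: the quick mode negotiation cannot succeed and the client times out.
    """
    selectors = parse_selectors(line)
    if "peer" not in selectors or "me" not in selectors:
        return None
    peer_version = selectors["peer"][0].version
    me_version = selectors["me"][0].version
    return (peer_version, me_version, peer_version != me_version)


def mismatched_proposals(lines):
    """Indices of log lines whose peer/me selectors are of different address families."""
    return [i for i, line in enumerate(lines) if (check_proposal(line) or (0, 0, False))[2]]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG):
        print(i, check_proposal(line))
```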