• Deployment topology:


1. StrongSwan is deployed on CentOS 7; the address 10.10.100.1 is configured on its loopback interface to simulate an internal resource.

2. A Palo Alto PA-850 is deployed on the other end for the IPsec VPN test.

[Screenshot: deployment topology]

  • Configuration:

1. There is plenty of documentation on installing StrongSwan on CentOS 7, so the installation is not covered in detail here.

See this deployment guide: https://blog.51cto.com/niubdada/5037222

2. First, complete the IPsec VPN configuration on the Palo Alto PA-850.

A. IKE configuration:

[Screenshot 02: IKE configuration on the PA-850]

IPsec configuration:

[Screenshot 03: IPsec configuration on the PA-850]

B. IKE gateway configuration:

[Screenshot 04: IKE gateway configuration on the PA-850]

[Screenshot 05: IKE gateway configuration on the PA-850]

C. IPsec tunnel configuration:

[Screenshot 06: IPsec tunnel configuration on the PA-850]

[Screenshot 07: IPsec tunnel configuration on the PA-850]

D. IPsec VPN route configuration:

[Screenshot 08: IPsec VPN route configuration on the PA-850]


3. StrongSwan configuration

IPsec connection configuration (the aes128-sha1-modp1024 proposals below must match the IKE and IPsec crypto profiles configured on the PA-850; SHA-1 and the 1024-bit DH group 2 are legacy choices, so prefer SHA-256 or stronger and DH group 14 or 19/20 on both ends wherever the peer allows it):

vim /etc/strongswan/ipsec.conf


config setup
       strictcrlpolicy=no
       uniqueids=yes
       charondebug="all"        # debug output; reduce it once the tunnel is stable

conn %default
       ikelifetime=1440m        # overridden by ikelifetime= in conn pa
       keylife=60m              # keylife is the old name of lifetime; overridden in conn pa
       rekeymargin=3m
       keyingtries=0
       keyexchange=ikev1        # overridden in conn pa, which uses IKEv2
       authby=secret

conn pa
       left=192.168.31.70               # CentOS 7 outside address
       leftid=192.168.31.70
       leftsubnet=10.10.100.0/24        # loopback network simulating the internal resource
       right=172.31.31.76               # PA-850 IKE gateway address
       rightsubnet=10.10.10.0/24        # network behind the PA-850
       auto=start
       type=tunnel
       ike=aes128-sha1-modp1024!        # must match the PA-850 IKE crypto profile
       esp=aes128-sha1-modp1024!        # must match the PA-850 IPsec crypto profile (modp1024 = PFS group 2)
       leftauth=psk
       rightauth=psk
       keyexchange=ikev2
       ikelifetime=1h
       lifetime=8h
       dpddelay=30                      # seconds between DPD probes
       dpdtimeout=120                   # seconds without a reply before the peer is considered dead
       dpdaction=restart


Pre-shared key configuration:

vim /etc/strongswan/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file
# <local ID> <remote ID> : PSK "<secret>"  (the lab value below is a keyboard pattern; use a long random secret in production)
192.168.31.70 172.31.31.76  : PSK "1qaz2wsx"
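Typical mistakes in a hand-written ipsec.conf are a misspelled keyword (dpdtimeput for dpdtimeout, which strongSwan simply never applies), %default values that the conn silently overrides, legacy algorithms such as SHA-1 and DH group 2 in the proposals, and an IKE lifetime shorter than the CHILD_SA lifetime. The following Python linter is added here as an example; it is not code from the original post or from the strongSwan project. It parses an ipsec.conf into sections and reports those issues. Both embedded configs are constructed: ORIGINAL_CONF uses this page's addresses and proposals together with the mistakes listed above, and HARDENED_CONF is a variant that passes, on the assumption that the PA-850's IKE crypto profile is changed to AES-256/SHA-256/DH group 20 and its IPsec crypto profile to AES-256-GCM with group 20 PFS.

```python
"""Lint a strongSwan ipsec.conf for typos, conflicting overrides and weak crypto.

Added example, not code from the original post or the strongSwan project. Both
configs are constructed: ORIGINAL_CONF uses the page's values plus the typical
mistakes, HARDENED_CONF passes the lint (assumption: the PA-850 IKE and IPsec
crypto profiles are changed to the same algorithms).
"""
import re

# Subset of ipsec.conf conn keywords (constructed, not strongSwan's full table).
KNOWN_KEYS = {"left", "leftid", "leftsubnet", "leftauth", "right", "rightid",
              "rightsubnet", "rightauth", "auto", "type", "ike", "esp", "keyexchange",
              "ikelifetime", "lifetime", "rekeymargin", "keyingtries", "authby",
              "dpddelay", "dpdtimeout", "dpdaction"}
ALIASES = {"keylife": "lifetime"}          # legacy spelling -> current keyword
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

ORIGINAL_CONF = """\
conn %default
        ikelifetime=1440m
        keylife=60m
        keyexchange=ikev1
        authby=secret

conn pa
        left=192.168.31.70
        leftsubnet=10.10.100.0/24
        right = 172.31.31.76
        rightsubnet= 10.10.10.0/24
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1-modp1024!
        keyexchange=ikev2
        ikelifetime=1h
        lifetime=8h
        dpdtimeput=120
"""

HARDENED_CONF = """\
conn %default
        keyexchange=ikev2
        authby=secret

conn pa
        left=192.168.31.70
        leftsubnet=10.10.100.0/24
        right=172.31.31.76
        rightsubnet=10.10.10.0/24
        ike=aes256-sha256-ecp384!
        esp=aes256gcm16-ecp384!
        ikelifetime=8h
        lifetime=1h
        dpdtimeout=120
"""

def parse_ipsec_conf(text):
    """Return {"conn pa": {key: value}, ...}; section headers start in column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # "config setup" / "conn %default"
            current = " ".join(line.split())
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][ALIASES.get(key.strip(), key.strip())] = value.strip()
    return sections

def to_seconds(value):                          # '1440m' -> 86400; bare number = seconds
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    return int(m.group(1)) * UNIT[m.group(2) or "s"]

def lint(text):
    """Return findings for every conn except %default (empty list == clean)."""
    sections = parse_ipsec_conf(text)
    default = sections.get("conn %default", {})
    findings = []
    for name, opts in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        eff = {**default, **opts}              # conn-level values win over %default
        for key in sorted(set(opts) - KNOWN_KEYS):
            findings.append(f"{name}: unknown option '{key}' is never applied (typo?)")
        for key in sorted(set(opts) & set(default)):
            if opts[key] != default[key]:
                findings.append(f"{name}: {key}={opts[key]} overrides %default {default[key]}")
        for key in ("ike", "esp"):
            for prop in eff.get(key, "").rstrip("!").split(","):
                weak = sorted(WEAK & set(prop.split("-")))
                if weak:
                    findings.append(f"{name}: weak {key} proposal '{prop}': {weak}")
        if "esp" in eff and not re.search(r"modp|ecp|curve", eff["esp"]):
            findings.append(f"{name}: esp proposal carries no DH group, so PFS is off")
        if ("ikelifetime" in eff and "lifetime" in eff
                and to_seconds(eff["ikelifetime"]) < to_seconds(eff["lifetime"])):
            findings.append(f"{name}: ikelifetime is shorter than the CHILD_SA lifetime")
    return findings
```

Run lint() on the text of /etc/strongswan/ipsec.conf before restarting strongswan; ORIGINAL_CONF yields seven findings (the unknown keyword, three %default overrides, SHA-1 and modp1024 in both proposals, and the inverted lifetimes) while HARDENED_CONF yields none. The keyword table is deliberately small, so extend KNOWN_KEYS with the options your own configs use before trusting the "unknown option" finding.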


  • Testing

First, start strongswan on CentOS 7:


[root@localhost ~]# systemctl start strongswan


Then check the strongswan status (strongswan statusall additionally prints the IKE version and the negotiated algorithms, which is the quickest way to confirm that IKEv2 and the expected proposal were actually used):

[root@localhost ~]# strongswan status
Security Associations (1 up, 0 connecting):
         pa[3]: ESTABLISHED 44 minutes ago, 192.168.31.70[192.168.31.70]...172.31.31.76[172.31.31.76]
         pa{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c7ed7ebb_i e06a1b47_o
         pa{3}:   10.10.100.0/24 === 10.10.10.0/24
[root@localhost ~]#
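Reading the status block by eye is fine for one lab tunnel; for a check that can run from cron or a monitoring agent, the following Python example, added here and not part of the original post, parses strongswan status output and verifies that the connection has exactly one ESTABLISHED IKE_SA to the expected peers and exactly one INSTALLED tunnel-mode CHILD_SA with the expected traffic selectors (a second SA for the same conn usually means a stale one left over from a rekey or a restart). SAMPLE_STATUS is a constructed copy of the output shown above; the patterns assume IPv4 peers.

```python
"""Check `strongswan status` output against the tunnel this page expects.

Added example, not from the original post. SAMPLE_STATUS is a constructed copy
of the status block shown on the page; on a real host feed in the stdout of
subprocess.run(["strongswan", "status"], capture_output=True, text=True).
Assumption: peers are IPv4 addresses.
"""
import re

SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
         pa[3]: ESTABLISHED 44 minutes ago, 192.168.31.70[192.168.31.70]...172.31.31.76[172.31.31.76]
         pa{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c7ed7ebb_i e06a1b47_o
         pa{3}:   10.10.100.0/24 === 10.10.10.0/24
"""

# IKE_SA line:   <conn>[<id>]: <state> ..., <local>[<local id>]...<remote>[<remote id>]
IKE_RE = re.compile(r"^\s*(?P<conn>[^\s\[]+)\[(?P<id>\d+)\]: (?P<state>\w+)"
                    r".*?, (?P<local>[\d.]+)\[[^\]]*\]\.\.\.(?P<remote>[\d.]+)\[")
# CHILD_SA line: <conn>{<id>}: <state>, <mode>, reqid N, ESP SPIs: <in>_i <out>_o
CHILD_RE = re.compile(r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<state>\w+), (?P<mode>\w+),"
                      r" reqid (?P<reqid>\d+), ESP(?: in UDP)? SPIs: "
                      r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
# selector line:  <conn>{<id>}: <local ts> === <remote ts>
TS_RE = re.compile(r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<local_ts>\S+) === (?P<remote_ts>\S+)")

def parse_status(text):
    """Return ({(conn, id): ike_sa}, {(conn, id): child_sa}) from status output."""
    ikes, childs = {}, {}
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ikes[(m["conn"], int(m["id"]))] = m.groupdict()
        elif m := CHILD_RE.match(line):
            childs[(m["conn"], int(m["id"]))] = m.groupdict()
        elif (m := TS_RE.match(line)) and (m["conn"], int(m["id"])) in childs:
            childs[(m["conn"], int(m["id"]))].update(
                local_ts=m["local_ts"], remote_ts=m["remote_ts"])
    return ikes, childs

def check_tunnel(text, conn, local, remote, local_ts, remote_ts):
    """Return (ok, problems). ok is True only if conn has exactly one ESTABLISHED
    IKE_SA to the expected peers and exactly one INSTALLED tunnel-mode CHILD_SA
    whose traffic selectors are the expected subnets."""
    ikes, childs = parse_status(text)
    problems = []
    ike = [sa for (c, _), sa in ikes.items() if c == conn]
    if len(ike) != 1:
        problems.append(f"{len(ike)} IKE_SAs for {conn} (more than one means a stale or duplicate SA)")
    for sa in ike:
        if sa["state"] != "ESTABLISHED":
            problems.append(f"IKE_SA state is {sa['state']}")
        if (sa["local"], sa["remote"]) != (local, remote):
            problems.append(f"IKE_SA peers {sa['local']}...{sa['remote']} != {local}...{remote}")
    child = [sa for (c, _), sa in childs.items() if c == conn]
    if len(child) != 1:
        problems.append(f"{len(child)} CHILD_SAs for {conn}")
    for sa in child:
        if (sa["state"], sa["mode"]) != ("INSTALLED", "TUNNEL"):
            problems.append(f"CHILD_SA is {sa['state']}/{sa['mode']}, not INSTALLED/TUNNEL")
        if (sa.get("local_ts"), sa.get("remote_ts")) != (local_ts, remote_ts):
            problems.append(f"selectors {sa.get('local_ts')} === {sa.get('remote_ts')} "
                            f"!= {local_ts} === {remote_ts}")
    return not problems, problems
```

With the page's values, check_tunnel(SAMPLE_STATUS, "pa", "192.168.31.70", "172.31.31.76", "10.10.100.0/24", "10.10.10.0/24") returns (True, []); an empty "Security Associations (0 up, 0 connecting):" block returns False with one problem for the missing IKE_SA and one for the missing CHILD_SA, which is the case to alert on after a reboot when auto=start did not bring the tunnel back.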


The corresponding status can then also be seen on the Palo Alto PA-850:

[Screenshot 09: tunnel status on the PA-850]

Finally, pinging the PA-850's internal host from CentOS 7 succeeds, and the PA-850's internal host can likewise ping the loopback IP on CentOS 7; the traffic log on the PA-850 also shows the sessions normally. Note that the ping from CentOS 7 must be sourced from the loopback address (ping -I 10.10.100.1 <host behind the PA-850>); otherwise the packets leave with source 192.168.31.70, do not match the 10.10.100.0/24 === 10.10.10.0/24 traffic selector, and never enter the tunnel. With that, the IPsec VPN between Palo Alto and strongSwan is configured successfully.

[Screenshot 10: ping test]

[Screenshot 11: ping test]

[Screenshot 12: traffic log on the PA-850]