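# Install strongSwan (IKE/IPsec daemon) and iptables on BOTH gateways.
# apt-get is the stable command-line interface for scripted/non-interactive use
# (apt itself warns that its CLI is not stable in scripts); -y answers the
# install confirmation prompt.
apt-get update
apt-get install -y strongswan iptables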
우선 /etc/sysctl.conf 구성 파일에서 아래와 같은 줄을 찾아 주석 처리를 제거하고 값을 설정한다.
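# The keys below (net.ipv4.ip_forward, ...) are kernel sysctl settings and are
# reloaded with `sysctl -p`, so the file to edit here is /etc/sysctl.conf —
# /etc/ufw/before.rules is the ufw file used later for the NAT rules.
nano /etc/sysctl.conf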
### nano ###
# Forward packets between the local LAN and the tunnel (a site-to-site gateway
# must route, not just terminate the tunnel).
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# Neither honour nor emit ICMP redirects: a forwarding host should not let an
# on-path sender alter its routing, nor advertise "shortcuts" to its clients.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
### nano ###
# Apply the edited kernel settings immediately, without a reboot
# (/etc/sysctl.conf is also the file -p reads when none is given).
sysctl -p /etc/sysctl.conf
ufw를 활성화한 경우에는 /etc/ufw/before.rules 구성 파일에서 필터 규칙 바로 앞에 아래와 같은 규칙을 추가해야 한다.
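# NAT rule on each gateway, followed by a listing to verify it.
# `-C` tests whether the rule is already present, so re-running this step does
# not append a duplicate; `-n` on the listing avoids reverse-DNS lookups.
# Rules added with `iptables -A` do not survive a reboot: with ufw enabled put
# them in /etc/ufw/before.rules (see above), otherwise persist them with your
# distribution's iptables save/restore mechanism.
# NOTE(review): each rule masquerades traffic arriving from the remote subnet
# as it is forwarded into the local LAN. A routed site-to-site tunnel does not
# normally need NAT between the two protected subnets — confirm this is intended.
# site1
iptables -t nat -C POSTROUTING -s 10.0.2.0/24 -d 192.168.0.0/24 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -d 192.168.0.0/24 -j MASQUERADE
iptables -t nat -L -v -n
# site2
iptables -t nat -C POSTROUTING -s 192.168.0.0/24 -d 10.0.2.0/24 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 10.0.2.0/24 -j MASQUERADE
iptables -t nat -L -v -n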
보안 게이트웨이 구성
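# site1
# Keep a pristine copy of the packaged ipsec.conf. The guard means re-running
# this step does not overwrite the backup with an already-edited file.
[ -e /etc/ipsec.conf.orig ] || cp -- /etc/ipsec.conf /etc/ipsec.conf.orig
nano /etc/ipsec.conf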
### nano ###
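# /etc/ipsec.conf on site1: "left" is this gateway, "right" is the site2 gateway.
# The ipsec.conf parser requires parameter lines to be indented under their
# section header (a line starting in column 0 is read as a new section), so the
# settings below are indented.
config setup
    # "all" logs every charon subsystem at full verbosity: handy while bringing
    # the tunnel up, but noisy and it writes peer/policy details into syslog —
    # lower it (or drop the line for the defaults) once the tunnel is stable.
    charondebug="all"
    # A peer reconnecting with the same identity replaces its old IKE SA.
    uniqueids=yes
conn devgateway-to-prodgateway
    type=tunnel
    # Negotiate as soon as charon starts (no manual `ipsec up` needed).
    auto=start
    keyexchange=ikev2
    # Pre-shared key from /etc/ipsec.secrets.
    authby=secret
    left=10.20.20.1
    # NOTE(review): a host address with a /24 mask; write the network address
    # (192.168.0.0/24, as in the NAT rules) so the traffic selector is unambiguous.
    leftsubnet=192.168.0.101/24
    right=10.20.20.3
    rightsubnet=10.0.2.15/24
    # NOTE(review): sha1 and modp1024 (DH group 2) are deprecated; prefer e.g.
    # ike=aes256-sha256-modp2048! and esp=aes256-sha256! (or an AEAD such as
    # aes256gcm16). Change BOTH sites together — the proposals must match.
    # The trailing "!" makes the proposal strict (no fallback to defaults).
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    # Aggressive mode only exists in IKEv1; harmless with keyexchange=ikev2.
    aggressive=no
    # Retry negotiation indefinitely instead of giving up.
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    # Dead peer detection every 30s; after 120s without a reply, re-establish.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart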
### nano ###
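# site2
# Keep a pristine copy of the packaged ipsec.conf. The guard means re-running
# this step does not overwrite the backup with an already-edited file.
[ -e /etc/ipsec.conf.orig ] || cp -- /etc/ipsec.conf /etc/ipsec.conf.orig
nano /etc/ipsec.conf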
### nano ###
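# /etc/ipsec.conf on site2: "left" is this gateway, "right" is the site1 gateway
# (the mirror image of site1's configuration).
# The ipsec.conf parser requires parameter lines to be indented under their
# section header (a line starting in column 0 is read as a new section), so the
# settings below are indented.
config setup
    # "all" logs every charon subsystem at full verbosity: handy while bringing
    # the tunnel up, but noisy and it writes peer/policy details into syslog —
    # lower it (or drop the line for the defaults) once the tunnel is stable.
    charondebug="all"
    # A peer reconnecting with the same identity replaces its old IKE SA.
    uniqueids=yes
conn prodgateway-to-devgateway
    type=tunnel
    # Negotiate as soon as charon starts (no manual `ipsec up` needed).
    auto=start
    keyexchange=ikev2
    # Pre-shared key from /etc/ipsec.secrets.
    authby=secret
    left=10.20.20.3
    # NOTE(review): host addresses with a /24 mask; write the network addresses
    # (10.0.2.0/24 and 192.168.0.0/24, as in the NAT rules) so the traffic
    # selectors are unambiguous.
    leftsubnet=10.0.2.15/24
    right=10.20.20.1
    rightsubnet=192.168.0.101/24
    # NOTE(review): sha1 and modp1024 (DH group 2) are deprecated; prefer e.g.
    # ike=aes256-sha256-modp2048! and esp=aes256-sha256! (or an AEAD such as
    # aes256gcm16). Change BOTH sites together — the proposals must match.
    # The trailing "!" makes the proposal strict (no fallback to defaults).
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    # Aggressive mode only exists in IKEv1; harmless with keyexchange=ikev2.
    aggressive=no
    # Retry negotiation indefinitely instead of giving up.
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    # Dead peer detection every 30s; after 120s without a reply, re-establish.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart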
### nano ###
PSK 설정
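# site1
nano /etc/ipsec.secrets
# The PSK file must be readable by root only; re-assert the mode in case the
# editor or a copy changed it.
chmod 600 /etc/ipsec.secrets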
### nano ###
# Format: <local-id> <peer-id> : PSK "<secret>" — the ids are the two tunnel
# endpoint addresses used in ipsec.conf. Replace the placeholder with a long
# random secret (e.g. from `openssl rand -base64 32`); it must be identical on
# both sites, and this file must stay mode 600.
10.20.20.1 10.20.20.3 : PSK "your_pre_shared_key"
### nano ###
# Restart charon so it loads the edited ipsec.conf and ipsec.secrets; with
# auto=start the connection is negotiated right after startup.
ipsec restart
# Once both sites are configured, expect the connection to be reported as
# ESTABLISHED (IKE SA) and INSTALLED (ESP child SA).
ipsec status
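# site2
nano /etc/ipsec.secrets
# The PSK file must be readable by root only; re-assert the mode in case the
# editor or a copy changed it.
chmod 600 /etc/ipsec.secrets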
### nano ###
# Format: <local-id> <peer-id> : PSK "<secret>" — the mirror of site1's entry.
# The secret must be the same long random value used on site1 (never the
# placeholder), and this file must stay mode 600.
10.20.20.3 10.20.20.1 : PSK "your_pre_shared_key"
### nano ###
# Restart charon so it loads the edited ipsec.conf and ipsec.secrets; with
# auto=start the connection is negotiated right after startup.
ipsec restart
# Once both sites are configured, expect the connection to be reported as
# ESTABLISHED (IKE SA) and INSTALLED (ESP child SA).
ipsec status
참고 : https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-debian-ubuntu/