openswan IPSec

 

简介

本文介绍IPSecVPN的搭建过程,并通过公网将分属于美团云上海与北京两个机房内的vpc子网打通。
由于美团云经典网络在网络控制器上对ip_filter 做了限制,打通前需要确保两边网络都处于VPC下,且子网网段无交集。
当前部署环境为CentOS 6.5。

一、网络模型

计划实现的效果是,从左侧vpc网络上的left-client主机,可以ping通右侧vpc中right-client主机内网IP

network topology

二、环境配置

此处环境配置,主要是针对两台用做gw的主机:left-gw和right-gw

1 内核参数

# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0

关闭icmp重定向
# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
# sysctl -p

2 OpenSwan配置

通过yum安装OpenSwan (ipsec)

sudo yum -y install openswan

安装完毕后,可以看到实际安装的版本为Libreswan3.15 , 是因为最原始的OpenSwan已不再更新。

# ipsec --version
Linux Libreswan 3.15 (netkey) on 2.6.32-696.1.1.el6.x86_64

执行下ipsec verify,确认配置正常:

# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 3.15 (netkey) on 2.6.32-431.1.2.0.1.el6.x86_64
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Hardware random device                              [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                  [OK]
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options             [OK]
Opportunistic Encryption                            [DISABLED]

vim /etc/ipsec.conf 编辑配置文件

version 2

# basic configuration
config setup
        # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
        # For MacOSX use "bsd"
        protostack=netkey       //使用2.6内核内建模块netkey,2.6以下是KLIPS模块
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        dumpdir=/var/run/pluto/
        logfile=/var/log/pluto.log     //log location

conn net-to-net
        authby=secret      //使用预共享密钥方式进行认证
        type=tunnel
        left=101.236.50.21
        leftsubnet=10.0.1.0/24
        leftid=@test1     //一端的标识符,可以任意填写,如果多个连接需要区分
        leftnexthop=%defaultroute
        right=203.76.211.83
        rightsubnet=192.168.0.0/24
        rightid=@test2
        rightnexthop=%defaultroute
        ike=aes256-sha2_256;modp2048
        phase2alg=aes256-sha2_256;modp2048
        auto=add   //add代表只是添加,但并不会连接,如果为start则代表着启动自动连接

两台主机是完全相同的配置,可以直接将ipsec.conf的配置文件scp 到另一台gw server上

我们使用基于pre-shared keys认证方式(PSK), 在101.236.50.21上:

vim /etc/ipsec.secrets

101.236.50.21 %any 0.0.0.0 : PSK "123"

这个文件的格式为:“Local Ip address” “remote ip address” : PSK “your key”

若本身不存在/etc/ipsec.secrets ,可以执行下述命令先生成此文件:

ipsec newhostkey --output /etc/ipsec.secrets

同理在右侧right-gw机器上也做相应配置。

重启两个vpn服务:

service ipsec restart

在其中一台主机上启动connect:

# ipsec auto --up net-to-net
002 "net-to-net" #1: initiating Main Mode
104 "net-to-net" #1: STATE_MAIN_I1: initiate
003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
003 "net-to-net" #1: received Vendor ID payload [FRAGMENTATION]
003 "net-to-net" #1: received Vendor ID payload [RFC 3947]
002 "net-to-net" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "net-to-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "net-to-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "net-to-net" #1: received Vendor ID payload [CAN-IKEv2]
002 "net-to-net" #1: Main mode peer ID is ID_FQDN: '@test2'
002 "net-to-net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "net-to-net" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:f72303da proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
002 "net-to-net" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5e6e7359 <0x2442c77b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

可以看到 “IPsec SA established tunnel mode” 连接已建立

3 添加路由

由于vpn网关的功能还未上线公有云,需要在vm内部添加路由:

在10.0.1.3 (left-client)上,执行:

# route add -net 192.168.0.0/24 gw 10.0.1.2 dev eth0   ##  将访问右侧子网的路由指向到左侧网关主机(left-gw)

在101.236.50.21 (left-gw)上,执行:

# route add -net 192.168.0.0/24 gw 101.236.50.21 dev eth1  ## 将访问右侧子网的路由指向到本机公网IP,使之通过ipsec隧道出去

在203.76.211.83 (right-gw)上执行 :

# route add -net 10.0.1.0/24 gw 203.76.211.83 dev eth1    ## 将访问左侧子网默认路由指向本机公网IP

在192.168.0.2(right-client)上执行:

# route add -net 10.0.1.0/24 gw 192.168.0.4 dev eth0  ## 将访问左侧子网的路由指向right-gw机器内网IP。

四、验证

从left-client主机 去ping right-client机器的内网IP,确认网络已打通。
另外需要注意,两台gw的vm是无法直接ping通对方内网的。

# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:22:40:CA:A9:27
          inet addr:10.0.1.3  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::222:40ff:feca:a927/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4539749 (4.3 MiB)  TX bytes:1410635 (1.3 MiB)

# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=62 time=26.5 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=62 time=26.0 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=62 time=26.0 ms
64 bytes from 192.168.0.2: icmp_seq=4 ttl=62 time=26.0 ms
^C:q!
--- 192.168.0.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3371ms
rtt min/avg/max/mdev = 26.006/26.164/26.534/0.214 ms

总结

本文是基于预共享密钥(PSK)的认证方式;其他还有基于RSA Signature认证方式(RSA数字签名),以及基于数字证书认证方式(x.509证书)等。

posted @   ascertain  阅读(3500)  评论(0编辑  收藏  举报
编辑推荐:
· 基于Microsoft.Extensions.AI核心库实现RAG应用
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
· 开发者必知的日志记录最佳实践
· SQL Server 2025 AI相关能力初探
· Linux系列:如何用 C#调用 C方法造成内存泄露
阅读排行:
· 震惊!C++程序真的从main开始吗?99%的程序员都答错了
· 【硬核科普】Trae如何「偷看」你的代码?零基础破解AI编程运行原理
· 单元测试从入门到精通
· 上周热点回顾(3.3-3.9)
· winform 绘制太阳,地球,月球 运作规律
点击右上角即可分享
微信分享提示
AI IDE Trae