1. Setting up an IPsec VPN with strongSwan

I. Background and requirements:

While a customer's workloads are being migrated to Tencent Cloud, data on both sides has to stay in sync, so a site-to-site IPsec VPN connection is required. When a company has no VPN appliance, or the other cloud does not offer a VPN Gateway product, we have to build the IPsec VPN service ourselves.

This article uses strongSwan as the example and shows how to load the IPsec VPN configuration at the local site. The configuration details are as follows:

Tencent Cloud VPC CIDR: 172.16.10.0/16

Local IDC CIDR: 10.0.0.0/16

Public IP of the strongSwan host: 140.143.129.162

Public IP of the VPN Gateway: 115.159.144.75

Operating system: Tencent Cloud CVM, CentOS Linux release 7.5

strongSwan version: Linux strongSwan U5.7.1

II. Configuration on the local IDC side

1. Install strongSwan

(1) Run the following command to install strongSwan.

[root@centos ~]# yum install strongswan -y

(2) Edit ipsec.conf using the following configuration as a reference.

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug = "all"
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=0
        keyexchange=ikev1               #IKE version
        authby=secret
conn sirun
        left=%defaultroute
        leftid=39.101.192.213           #public IP of the local server (gateway public IP)
        leftsubnet=172.0.0.0/24         #local private network range
        right=39.103.220.239            #peer gateway public IP
        rightsubnet=192.168.8.0/21      #peer private network range
        auto=start                      #bring up the IPsec connection as soon as the daemon starts
        type=tunnel
        ike=3des-md5-modp1024
        esp=3des-md5
        leftauth=psk
        rightauth=psk
        keyexchange=ikev1
        ikelifetime=1h
        lifetime=8h
ipsec.conf-dev
config setup

conn tunnel-base
    left=%defaultroute
    right=106.75.8.58
    rightid=%any
    ike=aes128-sha1-modp3072
    esp=aes128-sha1
    ikelifetime=86400
    lifetime=3600
    keyexchange=ikev1
    type=tunnel
    authby=psk
    dpdaction=hold
    auto=ignore


conn tunnel-1
    leftsubnet=10.16.10.0/24      #local subnet
    rightsubnet=10.9.0.0/16       #peer subnet
    also=tunnel-base
    auto=start

conn tunnel-2
    leftsubnet=10.16.10.0/24      #local subnet
    rightsubnet=10.10.0.0/16      #peer subnet
    also=tunnel-base
    auto=start

conn tunnel-3
    leftsubnet=10.16.10.0/24      #local subnet
    rightsubnet=10.19.0.0/16      #peer subnet
    also=tunnel-base
    auto=start

conn tunnel-4
    leftsubnet=10.16.10.0/24      #local subnet
    rightsubnet=10.42.0.0/16      #peer subnet
    also=tunnel-base
    auto=start
ipsec.conf-pre
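
Because the two configs above mix a conn %default block with also= inheritance, it is easy to lose track of which proposal a tunnel actually ends up using. The Python script below is an added example, not part of the original post or of strongSwan itself: it resolves the effective settings of every conn and flags the legacy algorithm components that the first config still uses (3DES, MD5, MODP-1024). The sample ipsec.conf embedded in it is constructed from the settings on this page.

```python
import re

# Constructed sample modelled on this page's ipsec.conf: a shared base pulled in
# with also=, plus one conn that still carries the legacy 3des-md5-modp1024 proposal.
SAMPLE_IPSEC_CONF = """\
conn %default
        keyexchange=ikev1
        authby=psk
conn tunnel-base
    right=106.75.8.58
    ike=aes128-sha1-modp3072
    esp=aes128-sha1
conn tunnel-1
    rightsubnet=10.9.0.0/16    # peer subnet
    also=tunnel-base
conn sirun
    ike=3des-md5-modp1024
    esp=3des-md5
"""

WEAK = {"des", "3des", "md5", "modp768", "modp1024", "null"}

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with %default and also= resolved."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if m := re.match(r"^(config|conn)\s+(\S+)$", line):
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    conns = {k[5:]: v for k, v in sections.items() if k.startswith("conn ")}
    default = conns.pop("%default", {})
    def resolve(name, seen=()):                        # own keys beat also= beat %default
        own, merged = conns[name], dict(default)
        if "also" in own and own["also"] not in seen:  # guard against also= loops
            merged.update(resolve(own["also"], seen + (name,)))
        merged.update({k: v for k, v in own.items() if k != "also"})
        return merged
    return {name: resolve(name) for name in conns}

def weak_algorithms(conn):
    """Return e.g. ['ike:3des', 'esp:md5'] for weak components of ike=/esp= proposals."""
    return [f"{key}:{part}" for key in ("ike", "esp")
            for proposal in conn.get(key, "").split(",")
            for part in proposal.split("-") if part.lower() in WEAK]
```

Run it against /etc/strongswan/ipsec.conf on the strongSwan host to get an empty list for every conn before the tunnel goes into production.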

(3) Run the following command to open the ipsec.secrets configuration file.

vi /etc/strongswan/ipsec.secrets
#local public egress IP   #peer public egress IP     #pre-shared key agreed by both sides
140.143.120.162 115.159.144.75 : PSK 123456
# ipsec.secrets - strongSwan IPsec secrets file
106.75.8.58 : PSK "IJgpQi8SHUDP6e%ydxG(scZ0Ebt=_+Lzh7*-aB1XvoVFRm9rTKYW2Mw5"
ipsec.secrets

(4) System settings in /etc/sysctl.conf.

[root@centos ~]# vim /etc/sysctl.conf
#enable IP forwarding; the default is 0 and it must be set to 1
net.ipv4.ip_forward = 1
#disable ICMP redirects so that a malicious user cannot use IP redirects to alter the routing table of a remote host
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

sysctl -p

2. Start the service

[root@centos ~]# strongswan start

The IPsec VPN listens on two UDP ports, 500 and 4500: port 500 carries the IKE key-exchange negotiation, and port 4500 carries NAT-T for NAT traversal.

[root@centos ~]# netstat -tunpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1024/sshd
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           15283/charon
udp        0      0 0.0.0.0:500             0.0.0.0:*                           15283/charon
udp        0      0 0.0.0.0:68              0.0.0.0:*                           15283/charon
udp        0      0 10.0.2.2:123            0.0.0.0:*                           1226/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1226/ntpd
udp6       0      0 :::4500                 :::*                                15283/charon
udp6       0      0 :::500                  :::*                                15283/charon
[root@VM_2_2_centos ~]# chkconfig strongswan on

Enable IP forwarding

vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

sysctl -p

3. Add routes

On the IDC core gateway, add a route to the peer network 172.16.0.0/16 with the next hop set to the strongSwan host's IP, 10.0.2.2.

Destination subnet: 172.16.0.0/16 nexthop: 10.0.2.2

Microsoft Azure was used here: the entry above is the route table configured on the IDC side, and the next-hop address is the address of the host running strongSwan. The route table must be associated with the subnet.

III. Tencent Cloud / UCloud configuration

1. Create the VPN gateway

2. Create the customer gateway

3. Create the tunnel. The IPsec settings must match the peer's.

The IKE version (IKEv1) must match on both sides, and the encryption algorithm (aes128) must match as well.

4. Add the route on UCloud

Add a route to the peer network 10.16.10.0/24 pointing at the VPN gateway (select the VPN gateway ID).

IV. Testing and verification

When the VPN tunnel shows the "已联调" (commissioned) status, the VPN tunnel has been established. If UCloud does not show such a status, no verification is needed there.

1. Verify on the IDC-side strongSwan

(1) Run strongswan status and confirm that the IPsec VPN security associations are established.

[root@vpn-formal azadmin]# strongswan status
Security Associations (1 up, 0 connecting):
    tunnel-1[4]: ESTABLISHED 13 hours ago, 10.16.10.5[10.16.10.5]...106.75.8.58[106.75.8.58]
    tunnel-3{462}:  REKEYED, TUNNEL, reqid 3, expires in 3 minutes
    tunnel-3{462}:   10.16.10.0/24 === 10.19.0.0/16
    tunnel-2{463}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c31d7f60_i c45b9fc3_o
    tunnel-2{463}:   10.16.10.0/24 === 10.10.0.0/16
    tunnel-1{464}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9b8ef82_i ca94b2eb_o
    tunnel-1{464}:   10.16.10.0/24 === 10.9.0.0/16
    tunnel-4{465}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c091d498_i cc62a218_o
    tunnel-4{465}:   10.16.10.0/24 === 10.42.0.0/16
    tunnel-3{466}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c2a5e8bb_i ce2c76fe_o
    tunnel-3{466}:   10.16.10.0/24 === 10.19.0.0/16
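
As an added example (not from the original post), the Python script below parses strongswan status output in the format shown above and checks that every expected subnet pair has an INSTALLED tunnel-mode CHILD_SA: a conn whose only CHILD_SA is REKEYED, or a conn with no CHILD_SA at all, is reported rather than counted as up. The sample output and the EXPECTED table are constructed from this page's tunnel-1 to tunnel-4.

```python
import re

# Constructed excerpt in the format of this page's `strongswan status` output:
# tunnel-3 has a REKEYED child SA being replaced, tunnel-4 has no child SA.
SAMPLE_STATUS = """\
    tunnel-1[4]: ESTABLISHED 13 hours ago, 10.16.10.5[10.16.10.5]...106.75.8.58[106.75.8.58]
    tunnel-3{462}:  REKEYED, TUNNEL, reqid 3, expires in 3 minutes
    tunnel-3{462}:   10.16.10.0/24 === 10.19.0.0/16
    tunnel-2{463}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c31d7f60_i c45b9fc3_o
    tunnel-2{463}:   10.16.10.0/24 === 10.10.0.0/16
    tunnel-1{464}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9b8ef82_i ca94b2eb_o
    tunnel-1{464}:   10.16.10.0/24 === 10.9.0.0/16
    tunnel-3{466}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c2a5e8bb_i ce2c76fe_o
    tunnel-3{466}:   10.16.10.0/24 === 10.19.0.0/16
"""

# Subnet pairs the page's ipsec.conf is supposed to protect (tunnel-1..4).
EXPECTED = {
    "tunnel-1": ("10.16.10.0/24", "10.9.0.0/16"),
    "tunnel-2": ("10.16.10.0/24", "10.10.0.0/16"),
    "tunnel-3": ("10.16.10.0/24", "10.19.0.0/16"),
    "tunnel-4": ("10.16.10.0/24", "10.42.0.0/16"),
}

STATE_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\w+),\s+(\w+),\s+reqid\s+(\d+)")
SELECTOR_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+)\s+===\s+(\S+)")

def parse_child_sas(text):
    """Return one dict (conn, state, mode, reqid, local, remote) per CHILD_SA."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:                        # first line of a CHILD_SA: state and mode
            sas[m.group(2)] = {"conn": m.group(1), "state": m.group(3),
                               "mode": m.group(4), "reqid": int(m.group(5))}
        m = SELECTOR_RE.match(line)
        if m and m.group(2) in sas:  # second line: local === remote selectors
            sas[m.group(2)].update(local=m.group(3), remote=m.group(4))
    return list(sas.values())

def check_tunnels(text, expected=EXPECTED):
    """Map each expected conn to 'ok', 'not installed' or 'missing'."""
    result = {}
    for conn, (local, remote) in expected.items():
        sas = [s for s in parse_child_sas(text) if s["conn"] == conn]
        installed = [s for s in sas if s["state"] == "INSTALLED"
                     and s["mode"] == "TUNNEL"
                     and (s.get("local"), s.get("remote")) == (local, remote)]
        result[conn] = "ok" if installed else ("not installed" if sas else "missing")
    return result
```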

(2) Run ip xfrm policy to view the kernel IPsec (xfrm) policies.

[root@vpn-formal azadmin]# ip xfrm policy
src 10.16.10.0/24 dst 10.19.0.0/16
        dir out priority 379519 ptype main
        tmpl src 10.16.10.5 dst 106.75.8.58
                proto esp spi 0xce2c76fe reqid 3 mode tunnel
src 10.19.0.0/16 dst 10.16.10.0/24
        dir fwd priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 3 mode tunnel
src 10.19.0.0/16 dst 10.16.10.0/24
        dir in priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 3 mode tunnel
src 10.16.10.0/24 dst 10.42.0.0/16
        dir out priority 379519 ptype main
        tmpl src 10.16.10.5 dst 106.75.8.58
                proto esp spi 0xcc62a218 reqid 4 mode tunnel
src 10.42.0.0/16 dst 10.16.10.0/24
        dir fwd priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 4 mode tunnel
src 10.42.0.0/16 dst 10.16.10.0/24
        dir in priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 4 mode tunnel
src 10.16.10.0/24 dst 10.9.0.0/16
        dir out priority 379519 ptype main
        tmpl src 10.16.10.5 dst 106.75.8.58
                proto esp spi 0xca94b2eb reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.16.10.0/24
        dir fwd priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.16.10.0/24
        dir in priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 1 mode tunnel
src 10.16.10.0/24 dst 10.10.0.0/16
        dir out priority 379519 ptype main
        tmpl src 10.16.10.5 dst 106.75.8.58
                proto esp spi 0xc45b9fc3 reqid 2 mode tunnel
src 10.10.0.0/16 dst 10.16.10.0/24
        dir fwd priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 2 mode tunnel
src 10.10.0.0/16 dst 10.16.10.0/24
        dir in priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
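
For every selector pair, strongSwan installs three policies (out, fwd and in), so a pair with fewer than three is a sign that a CHILD_SA was not installed correctly. The Python script below is an added example, not part of the original post: it parses output in the ip xfrm policy format shown above and reports selector pairs that are missing a direction. The sample is constructed from this page's policies, with the 10.42.0.0/16 pair deliberately reduced to its out policy.

```python
import re

# Constructed sample in this page's `ip xfrm policy` format: a full out/fwd/in triple
# for 10.19.0.0/16, only the 'out' policy for 10.42.0.0/16, plus a socket policy.
SAMPLE_XFRM = """\
src 10.16.10.0/24 dst 10.19.0.0/16
        dir out priority 379519 ptype main
        tmpl src 10.16.10.5 dst 106.75.8.58
                proto esp spi 0xce2c76fe reqid 3 mode tunnel
src 10.19.0.0/16 dst 10.16.10.0/24
        dir fwd priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 3 mode tunnel
src 10.19.0.0/16 dst 10.16.10.0/24
        dir in priority 379519 ptype main
        tmpl src 106.75.8.58 dst 10.16.10.5
                proto esp reqid 3 mode tunnel
src 10.16.10.0/24 dst 10.42.0.0/16
        dir out priority 379519 ptype main
        tmpl src 10.16.10.5 dst 106.75.8.58
                proto esp spi 0xcc62a218 reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
"""

def parse_xfrm_policies(text):
    """Return [{'src','dst','dir','reqid','mode'}]; socket policies get no dir/mode."""
    policies, cur = [], None
    for line in text.splitlines():
        if m := re.match(r"^src (\S+) dst (\S+)$", line):
            cur = {"src": m.group(1), "dst": m.group(2)}
            policies.append(cur)
        elif m := re.match(r"^\s+dir (\w+)", line):
            cur["dir"] = m.group(1)
        elif m := re.search(r"proto esp .*reqid (\d+) mode (\w+)", line):
            cur["reqid"], cur["mode"] = int(m.group(1)), m.group(2)
    return policies

def policy_coverage(text):
    """Map (local, remote) selector pair -> set of directions with an ESP tunnel template."""
    cover = {}
    for p in parse_xfrm_policies(text):
        if p.get("mode") == "tunnel":      # drops socket and non-ESP policies
            pair = (p["src"], p["dst"]) if p["dir"] == "out" else (p["dst"], p["src"])
            cover.setdefault(pair, set()).add(p["dir"])
    return cover

def incomplete_pairs(text):
    return {pair: sorted({"in", "fwd", "out"} - dirs)
            for pair, dirs in policy_coverage(text).items() if len(dirs) < 3}
```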

2. Bidirectional ping test

(1) Ping from the Azure server to the UCloud host 10.42.46.88: the ping succeeds.

Capture packets with tcpdump on the forwarding server 10.14.0.4 to see how far the traffic gets.

(2) Ping from UCloud to Microsoft Azure.

3. Bidirectional throughput test

Use the iperf load-testing tool. Both the Tencent Cloud VPC Gateway and strongSwan have their bandwidth set to 5 Mbps, so a measured throughput of 5 Mbps meets expectations.

1. Test from 10.14.0.4 to UCloud 10.42.46.88.

(1) On 10.0.2.14, start iperf in server mode: -s starts server mode, and -i sets the reporting interval in seconds.

[root@VM_2_14_centos ~]# iperf -s -i 2
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 10.0.2.14 port 5001 connected with 172.16.2.2 port 41074
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 2.0 sec  1.67 MBytes  6.99 Mbits/sec
[  4]  2.0- 4.0 sec  1.11 MBytes  4.67 Mbits/sec
[  4]  4.0- 6.0 sec  1.18 MBytes  4.94 Mbits/sec
[  4]  6.0- 8.0 sec  1.15 MBytes  4.81 Mbits/sec
[  4]  8.0-10.0 sec  1.12 MBytes  4.69 Mbits/sec
[  4]  0.0-10.3 sec  6.38 MBytes  5.19 Mbits/sec

(2) On 172.16.2.2, run iperf in client mode: -c host starts client mode with host being the server address, and -i sets the reporting interval in seconds.

The measured Tencent Cloud >>> IDC throughput reaches 5 Mbps, as expected.

[root@VM_2_2_centos ~]# iperf -c 10.0.2.14 -i 2
------------------------------------------------------------
Client connecting to 10.0.2.14, TCP port 5001
TCP window size: 45.0 KByte (default)
------------------------------------------------------------
[  3] local 172.16.2.2 port 41074 connected with 10.0.2.14 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 2.0 sec  2.00 MBytes  8.39 Mbits/sec
[  3]  2.0- 4.0 sec  1.12 MBytes  4.72 Mbits/sec
[  3]  4.0- 6.0 sec  1.12 MBytes  4.72 Mbits/sec
[  3]  6.0- 8.0 sec  1.12 MBytes  4.72 Mbits/sec
[  3]  8.0-10.0 sec  1.00 MBytes  4.19 Mbits/sec
[  3]  0.0-10.0 sec  6.38 MBytes  5.34 Mbits/sec

2. Test from IDC 10.0.2.14 to Tencent Cloud 172.16.2.2.

(1) On 172.16.2.2, start iperf in server mode: -s starts server mode, and -i sets the reporting interval in seconds.

[root@VM_2_2_centos ~]# iperf -s -i 2
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 172.16.2.2 port 5001 connected with 10.0.2.14 port 56336
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 2.0 sec  1.57 MBytes  6.57 Mbits/sec
[  4]  2.0- 4.0 sec  1.13 MBytes  4.75 Mbits/sec
[  4]  4.0- 6.0 sec  1.11 MBytes  4.65 Mbits/sec
[  4]  6.0- 8.0 sec  1.17 MBytes  4.92 Mbits/sec
[  4]  8.0-10.0 sec  1.14 MBytes  4.78 Mbits/sec
[  4]  0.0-10.5 sec  6.38 MBytes  5.10 Mbits/sec

(2) On 10.0.2.14, run iperf in client mode: -c host starts client mode with host being the server address, and -i sets the reporting interval in seconds.

The measured IDC >>> Tencent Cloud throughput reaches 5 Mbps, as expected.

[root@VM_2_14_centos ~]# iperf -c 172.16.2.2 -i 2
------------------------------------------------------------
Client connecting to 172.16.2.2, TCP port 5001
TCP window size: 45.0 KByte (default)
------------------------------------------------------------
[  3] local 10.0.2.14 port 56336 connected with 172.16.2.2 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 2.0 sec  1.75 MBytes  7.34 Mbits/sec
[  3]  2.0- 4.0 sec  1.25 MBytes  5.24 Mbits/sec
[  3]  4.0- 6.0 sec  1.12 MBytes  4.72 Mbits/sec
[  3]  6.0- 8.0 sec  1.12 MBytes  4.72 Mbits/sec
[  3]  8.0-10.0 sec  1.12 MBytes  4.72 Mbits/sec
[  3]  0.0-10.2 sec  6.38 MBytes  5.24 Mbits/sec

end...

Posted @ 2020-07-06 11:35 by 王竹笙