
How to create a point-to-point IPsec VPN tunnel with Openswan

Views: 473  2017-06-19 09:51:36
Asked by: 燕儿飞   Bounty points: 0

Comments

  • 原来的我

    2017-06-19

    Normally we can only manage Site A; if we also want to manage Site B, we need to set up a VPN tunnel.

        yum install openswan lsof

    Disable redirects for the VPN:

        for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

    Edit the kernel parameters to enable forwarding and disable redirects:

        vim /etc/sysctl.conf
        net.ipv4.ip_forward = 1
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.all.send_redirects = 0
        sysctl -p

    Allow the Openswan service ports and add the NAT rule:

        iptables -A INPUT -p udp --dport 500 -j ACCEPT
        iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
        iptables -A INPUT -p udp --dport 4500 -j ACCEPT
        iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP

    Edit the configuration on the Site-A VPN server:

        vim /etc/ipsec.conf

        ## general configuration parameters ##
        config setup
            plutodebug=all
            plutostderrlog=/var/log/pluto.log
            protostack=netkey
            nat_traversal=yes
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
            ## disable opportunistic encryption in Red Hat ##
            oe=off
        ## disable opportunistic encryption in Debian ##
        ## Note: this is a separate declaration statement ##
        include /etc/ipsec.d/examples/no_oe.conf

        ## connection definition in Red Hat ##
        conn demo-connection-redhat
            authby=secret
            auto=start
            ike=3des-md5
            ## phase 1 ##
            keyexchange=ike
            ## phase 2 ##
            phase2=esp
            phase2alg=3des-md5
            compress=no
            pfs=yes
            type=tunnel
            left=
            leftsourceip=
            leftsubnet=/netmask
            ## for direct routing ##
            leftsubnet=/32
            leftnexthop=%defaultroute
            right=
            rightsubnet=/netmask

        ## connection definition in Debian ##
        conn demo-connection-debian
            authby=secret
            auto=start
            ## phase 1 ##
            keyexchange=ike
            ## phase 2 ##
            esp=3des-md5
            pfs=yes
            type=tunnel
            left=
            leftsourceip=
            leftsubnet=/netmask
            ## for direct routing ##
            leftsubnet=/32
            leftnexthop=%defaultroute
            right=
            rightsubnet=/netmask

    Authentication can be done in several different ways; here a pre-shared key is used:

        vim /etc/ipsec.secrets
        siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
        ## in case of multiple sites ##
        siteA-public-IP siteC-public-IP: PSK "corresponding-pre-shared-key"

    Start the service and troubleshoot:

        service ipsec restart
        chkconfig ipsec on

    If it starts normally, the private-network address on the B side can be pinged from the A side. Running ip route on the Site-A VPN server shows the relevant routes:

        [siteB-private-subnet] via [siteA-gateway] dev eth0 src [siteA-public-IP]
        default via [siteA-gateway] dev eth0

    Once the VPN servers on both sides are configured, the private networks can reach each other. Other important commands:

    Check the tunnel status:

        service ipsec status
        IPsec running  - pluto pid: 20754
        pluto pid 20754
        1 tunnels up
        some eroutes exist

        ipsec auto --status
        ## output truncated ##
        000 "demo-connection-debian": myip=; hisip=unset;
        000 "demo-connection-debian":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
        000 "demo-connection-debian":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,28; interface: eth0;
        ## output truncated ##
        000 #184: "demo-connection-debian":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1653s; newest IPSEC; eroute owner; isakmp#183; idle; import:not set
        ## output truncated ##
        000 #183: "demo-connection-debian":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1093s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set

    Related log file (records authentication, key exchange information, etc.; useful for troubleshooting):

        /var/log/pluto.log

    Notes:

    1. The ISP may block ports; test with the telnet command to make sure the ISP allows UDP 500 and TCP/UDP 4500.
    2. Make sure the firewall allows the relevant ports.
    3. Make sure the pre-shared keys on the endpoint servers are the same.
    4. If you run into NAT problems, try using SNAT instead of MASQUERADING.

    0
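As an added example (not part of the original post): a small POSIX sh function that reads the output of ipsec auto --status, as quoted in the answer above, and reports whether the phase 1 (ISAKMP) and phase 2 (IPsec) SAs of a named connection are established, plus the time until each rekey. The connection name and the two SA lines are taken from the answer; the function name tunnel_state and the output format are my own.

```shell
#!/bin/sh
# tunnel_state CONN  (status text on stdin)
# Prints "<state> isakmp_rekey=<t> ipsec_rekey=<t>" and returns
#   0 = both SAs established, 1 = only ISAKMP SA (phase 2 not up), 2 = tunnel down.
tunnel_state() {
  conn="$1"                          # connection name as in ipsec.conf
  isakmp=0; ipsec=0; ike_rekey=unknown; esp_rekey=unknown
  while IFS= read -r line; do
    case "$line" in
      *"\"$conn\""*"(ISAKMP SA established)"*)
        isakmp=1
        ike_rekey=$(printf '%s\n' "$line" | sed -n 's/.*EVENT_SA_REPLACE in \([0-9]*s\).*/\1/p') ;;
      *"\"$conn\""*"(IPsec SA established)"*)
        ipsec=1
        esp_rekey=$(printf '%s\n' "$line" | sed -n 's/.*EVENT_SA_REPLACE in \([0-9]*s\).*/\1/p') ;;
    esac
  done
  if [ "$isakmp" -eq 1 ] && [ "$ipsec" -eq 1 ]; then state=up; rc=0
  elif [ "$isakmp" -eq 1 ]; then state=phase1-only; rc=1
  else state=down; rc=2; fi
  echo "$state isakmp_rekey=$ike_rekey ipsec_rekey=$esp_rekey"
  return $rc
}

# Constructed sample: the two SA lines from the answer's `ipsec auto --status` output.
SAMPLE_STATUS='000 #184: "demo-connection-debian":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1653s; newest IPSEC; eroute owner; isakmp#183; idle; import:not set
000 #183: "demo-connection-debian":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1093s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set'

# On a live host: ipsec auto --status | tunnel_state demo-connection-debian
printf '%s\n' "$SAMPLE_STATUS" | tunnel_state demo-connection-debian
```

A non-zero return code makes the function usable from cron or a monitoring check, so a tunnel that silently dropped to phase 1 only (typically a phase 2 or subnet mismatch) is noticed before users report it.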