I. Environment
VPN server (public IP / LAN IP)              LAN host (client)
leftServer:  192.168.19.131 / 192.168.7.10   leftClient:  192.168.7.20  <-- gw: 192.168.7.10
rightServer: 192.168.19.132 / 10.200.0.10    rightClient: 10.200.0.20   <-- gw: 10.200.0.10
No firewall is enabled in this setup. Some articles online say you must configure iptables SNAT or other forwarding rules; that is not needed. If the firewall is on, open only what the daemon actually uses: UDP 500 (IKE) and UDP 4500 (NAT-T), plus IP protocol 50 (ESP), which is not a port and needs its own rule. Also make sure no MASQUERADE/SNAT rule rewrites traffic between the two LAN subnets: a packet whose source address has been NATed no longer matches the IPsec policy, so it leaves the gateway unencrypted via the normal route instead of through the tunnel.
Both RSA-signature and PSK authentication are shown below for the site-to-site connection.
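As an added example (not part of the original post), this is the firewall rule set the paragraph above implies, written for the left gateway with eth0 assumed to be the public interface (interface name is an assumption; the addresses are those of the environment table). It prints the iptables commands so they can be reviewed before being applied with `| sh`. The policy-match rules in step 3 are the check most guides leave out: they forward packets for the remote subnet only when they really arrived through ESP, so a cleartext packet from the internet with a spoofed 10.200.0.x source is dropped instead of being forwarded into the LAN. That matters here because the guide later turns rp_filter off.

```sh
#!/bin/sh
# Added example, not from the original post: iptables rules for an IPsec gateway.
# Prints the rules; pipe the output to "sh" to apply them.
# Usage: ipsec_fw_rules <ext-if> <peer-gw-ip> <local-subnet> <remote-subnet>
ipsec_fw_rules() {
    ext_if=$1 peer=$2 local_net=$3 remote_net=$4
    cat <<EOF
# 1. IKE and NAT-T, accepted from the peer gateway only (UDP 500 / 4500)
iptables -A INPUT -i $ext_if -s $peer -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ext_if -s $peer -p udp --dport 4500 -j ACCEPT
# 2. ESP is IP protocol 50, not a port, so it needs its own rule
iptables -A INPUT -i $ext_if -s $peer -p esp -j ACCEPT
# 3. Forward LAN<->LAN traffic only when it came out of (or goes into) the tunnel.
#    "-m policy" rejects cleartext packets from the internet that spoof the remote subnet.
iptables -A FORWARD -i $ext_if -m policy --dir in --pol ipsec --proto esp -s $remote_net -d $local_net -j ACCEPT
iptables -A FORWARD -o $ext_if -m policy --dir out --pol ipsec --proto esp -s $local_net -d $remote_net -j ACCEPT
# 4. If this box also masquerades LAN clients to the internet, exempt tunnel traffic
#    first: a NATed source no longer matches the IPsec policy and would leave unencrypted.
iptables -t nat -I POSTROUTING 1 -s $local_net -d $remote_net -j ACCEPT
EOF
}

# Left gateway of the environment table:
# ipsec_fw_rules eth0 192.168.19.132 192.168.7.0/24 10.200.0.0/24 | sh
```

Run the mirror image on the right gateway (peer 192.168.19.131, subnets swapped). Rule 4 is only needed when a MASQUERADE rule exists at all; with no NAT on the gateway, as on this page, it is harmless.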
II. Installing and deploying Openswan
Download: https://download.openswan.org/openswan/
1. Install and start Openswan
Install the build dependencies:
yum -y install gmp-devel bison flex
Build and install (run inside the unpacked source tree, openswan-2.6.50 in the prompts below):
make programs
sudo make install
Start:
/etc/init.d/ipsec start # start the service
netstat -lnput | grep pluto # check the ports pluto listens on (UDP 500 and 4500)
2. Base environment: kernel parameter changes
Check the environment dependencies and status with ipsec verify:
[root@LeftServer openswan-2.6.50]# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.50/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
Checking that pluto is running [FAILED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
ipsec verify: encountered errors
Fix: update the files listed above. This takes effect immediately but does not survive a reboot; the sysctl.conf entries that follow make it persistent.
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
Enable IP forwarding on the servers and make the settings persistent:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 # enable forwarding
net.ipv4.conf.all.rp_filter = 0 # also needed: the effective rp_filter is the stricter of "all" and the per-interface value
net.ipv4.conf.default.rp_filter = 0
# disable ICMP redirects: appends one "= 0" line for every interface present (run it once; it does not deduplicate)
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
sysctl -p
Note that rp_filter=0 switches off reverse-path source validation on a multi-homed gateway; compensate with explicit iptables rules on the external interface rather than leaving it open.
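Added example, not from the original post: the awk one-liner above appends lines blindly, so running it twice (or again after adding an interface) leaves duplicate keys in /etc/sysctl.conf and the last one silently wins. This helper rewrites a key in place and appends only when it is absent; apply_ipsec_sysctls then sets everything ipsec verify asked for. The target file is a parameter so the helper can be exercised on a scratch copy first.

```sh
#!/bin/sh
# Added example, not from the original post: idempotent sysctl.conf editing.
# Usage: set_sysctl_conf <file> <key> <value>
set_sysctl_conf() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # key already present (whatever the spacing): rewrite that line in place
        tmp=$(mktemp) || return 1
        awk -v k="$key" -v v="$value" '
            BEGIN { FS = "=" }
            $1 ~ ("^[ \t]*" k "[ \t]*$") { print k " = " v; next }
            { print }
        ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Everything ipsec verify complained about, for every interface present now.
# rp_filter=0 disables reverse-path source validation: add explicit iptables
# rules on the external interface to compensate.
apply_ipsec_sysctls() {
    file=${1:-/etc/sysctl.conf}
    set_sysctl_conf "$file" net.ipv4.ip_forward 1
    for ifc in all default $(ls /proc/sys/net/ipv4/conf 2>/dev/null | grep -v -e '^all$' -e '^default$'); do
        set_sysctl_conf "$file" "net.ipv4.conf.$ifc.rp_filter" 0
        set_sysctl_conf "$file" "net.ipv4.conf.$ifc.accept_redirects" 0
        set_sysctl_conf "$file" "net.ipv4.conf.$ifc.send_redirects" 0
    done
}

# apply_ipsec_sysctls && sysctl -p
```

Because the per-interface keys are taken from /proc at run time, interfaces added later (a second NIC, a tunnel device) are picked up simply by running it again, which the append-only one-liner cannot do cleanly.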
The final check then looks like this:
[root@LeftServer openswan-2.6.50]# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.50/K2.6.32-504.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
III. VPN configuration (RSA Signatures method first)
vim /etc/ipsec.conf
config setup # add the log path under config setup
    plutostderrlog=/var/log/pluto.log
    # protostack=auto # comment this out and use netkey instead
    protostack=netkey
# at the very end, flush left (not indented like section keys), include the files under ipsec.d:
include /etc/ipsec.d/*.conf
On the left server (if the host has no RSA key yet, create one first with "ipsec newhostkey --output /etc/ipsec.secrets"):
ipsec showhostkey --left > leftrsasigkey.tmp
Then on the right server:
ipsec showhostkey --right > rightrsasigkey.tmp
showhostkey prints only the public half of the host key, already formatted as a leftrsasigkey=/rightrsasigkey= line, so these .tmp files contain nothing secret and can be copied to the other server as they are.
Edit the VPN connection file:
vim /etc/ipsec.d/vpn_test.conf
Adjust the IP and network values below to your environment, and fill in the rsasigkey values with the keys generated on the two VPN servers. Openswan requires the parameter lines inside a conn to be indented.
conn test
    auto=start
    pfs=no # PFS (Perfect Forward Secrecy); yes is the safer choice, see the linter note below the conn
    compress=no # IP compression
    type=tunnel
    keyingtries=0 # 0 = retry forever
    disablearrivalcheck=no
    ## phase 1 ##
    ike=aes128-sha1;modp1024 # phase 1 proposal; modp1024 (DH group 2) is 1024-bit and no longer adequate, prefer modp2048
    ikelifetime=86400s # phase 1 lifetime
    keyexchange=ike
    ## phase 2 ##
    phase2alg=aes128-sha1 # phase 2 proposal
    salifetime=3600s # phase 2 lifetime
    phase2=esp
    left=192.168.19.131
    leftid=@left
    leftsubnet=192.168.7.0/24
    leftsourceip=192.168.19.131 # should be the gateway's LAN address (192.168.7.10) if the gateway itself is to reach the remote LAN; see the ping note in the test section
    leftnexthop=%defaultroute
    right=192.168.19.132
    rightid=@right
    rightsubnet=10.200.0.0/24
    rightsourceip=192.168.19.132 # likewise 10.200.0.10 for the right gateway
    rightnexthop=%defaultroute
    # rsakey AQNevAdMU
    leftrsasigkey=0sAQNevAdMUsW9oHDbKIAyon6EoyVxZcTJAl6v43H78Za138JFPSJwWUcaJAxoFdimZwbRVoYdHKluLW1zNdDZvxrh7qkE+1fcDkl+3mNtkFApji5sDIiacaiDKRuZ7KVbMQqsc9IUtp0871bW35PRcHX1qFSqQCjp0beV+C6YuHeKOuKPADloyrtRxsMdnoEATkMgmAjREO/s/jPzv46Zv5jYDfwS6FB3sNcr13IK06/IHfR5uuzXCaVL5+qNYO1goVXnld3XcnbxYIdztQnTyuy2gOf22GoDzKU+U0C9DBNedOm71tV4iEG1Z1Z5qRRuybdiXVDH8x/opbf7iKggQSD5urWRxLjJ9Hsi6IlBYAE8YXqT
    # rsakey AQPuMo1iQ
    rightrsasigkey=0sAQPuMo1iQJg4bZo+sYkNF2ikNgjvxoZFZxUWWCgdLY4ldOCWHJP9zwBuUxxHl9uf+FE931cH5yTYGF5oeaM6de8CGiaNM8fRTtm3UFH4kPcP1fX9fbBUK7w2+1oZIPX5pj9mqayOU6Bu16vnd40gC47kmEq4nGpiguQK8JlyY7qjoSFuW1lWBt061z1RAaI2C021L4xW+h4qQk/a+wr7NjAi1vbWPb4YRW0Au3ByXecbTNCbnyRHuid0/PgmzcG4iD9X6ZrHjv6En4OK+YZ9YHakoxejdBXfmAvBA6RAdNDZi2ePa1l4xpFJ85QkKcuR0xetINoXZI0GZTjQ2XhbLpmbGWJpRIhl7CxtKC9i8pzIN0Fj
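As an added example (not part of the original post), this small checker reads a conn file like the one above and reports the settings a reviewer would flag: a DH group below 2048 bits, pfs=no, 3DES or MD5 in a proposal, and a leftsourceip/rightsourceip that lies outside its own subnet (the reason the VPN server itself cannot ping the remote LAN, which the test section below runs into). The CIDR arithmetic is done in POSIX shell so it runs unchanged on the CentOS 6 hosts used here; run it as lint_conn /etc/ipsec.d/vpn_test.conf and the exit status is the number of warnings.

```sh
#!/bin/sh
# Added example, not part of the original post: reviewer checks for an Openswan conn file.

ip2int() {  # dotted quad -> integer
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

in_subnet() {  # in_subnet <ip> <net/bits>: true when ip lies inside the prefix
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

conf_get() {  # conf_get <file> <key>: value of "key=value", trailing "# comment" removed
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

lint_warn() { echo "WARN: $*"; lint_n=$((lint_n + 1)); }

lint_conn() {  # lint_conn <file>; exit status = number of warnings (0 = clean)
    lint_n=0
    ike=$(conf_get "$1" ike); p2=$(conf_get "$1" phase2alg)
    case "$ike" in
        *modp1024*|*modp768*) lint_warn "ike=$ike: DH group below 2048 bits, use modp2048 or larger" ;;
    esac
    case "$ike;$p2" in
        *3des*|*md5*) lint_warn "3DES/MD5 in ike=$ike or phase2alg=$p2" ;;
    esac
    [ "$(conf_get "$1" pfs)" = no ] && lint_warn "pfs=no: a compromised IKE SA exposes every past ESP key, set pfs=yes"
    for side in left right; do
        src=$(conf_get "$1" "${side}sourceip"); sub=$(conf_get "$1" "${side}subnet")
        if [ -n "$src" ] && [ -n "$sub" ] && ! in_subnet "$src" "$sub"; then
            lint_warn "${side}sourceip=$src is outside ${side}subnet=$sub: the gateway's own traffic will not match the IPsec policy"
        fi
    done
    return $lint_n
}

# lint_conn /etc/ipsec.d/vpn_test.conf
```

On the conn above it reports four warnings (modp1024, pfs=no, and both sourceip values, which are the public addresses rather than 192.168.7.10 and 10.200.0.10); with ike=aes128-sha1;modp2048, pfs=yes and the LAN-side sourceip values it reports none.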
Restart ipsec:
/etc/init.d/ipsec restart
Check whether the tunnel came up:
[root@LeftServer ipsec.d]# /etc/init.d/ipsec status
IPsec running - pluto pid: 12128
pluto pid 12128
1 tunnels up
some eroutes exist
# Detailed status; it shows lines like the following
[root@RightServer ipsec.d]# ipsec auto --status
000 "test": 10.200.0.0/24===192.168.19.132[@right]---192.168.19.2...192.168.19.2---192.168.19.131[@left]===192.168.7.0/24; erouted; eroute owner: #2
000 "test": myip=192.168.19.132; hisip=192.168.19.131;
000 "test": keys: 1:F05F 62CD B44D 4040 EADD 5498 C17B 579F EE88 7648 2:none...
000 "test": ....1:6F58 C687 501D C49C 1A21 5822 4119 F549 D2BB 6951 2:none
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth0; kind=CK_PERMANENT
000 "test": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2;
000 "test": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
The log file (/var/log/pluto.log) shows the same. Note that the values in effect above do not match the conn shown earlier: ike_life is 3600s rather than 86400s, ipsec_life 28800s rather than 3600s, the policy contains PFS although pfs=no was set, and the IKE SA uses MODP2048 rather than modp1024. Those are Openswan's defaults, so the conn that was actually loaded there was not the one above. After editing a conn, restart ipsec and confirm with ipsec auto --status that the lifetimes, PFS and DH group in effect are the ones you configured, rather than trusting the file.
Configure routes on the clients (not needed if the client's default gateway already is the VPN server's LAN address, as in the environment table):
Host LeftClient:
[root@LeftClient ~]# route add -net 10.200.0.0 netmask 255.255.255.0 gw 192.168.7.10 dev eth0
Host RightClient:
[root@RightClient ~]# route add -net 192.168.7.0 netmask 255.255.255.0 gw 10.200.0.10 dev eth0
[root@RightClient ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.7.0 10.200.0.10 255.255.255.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
VPN test:
[root@LeftClient ~]# ping 10.200.0.20 -c 2
PING 10.200.0.20 (10.200.0.20) 56(84) bytes of data.
64 bytes from 10.200.0.20: icmp_seq=1 ttl=62 time=9.28 ms
64 bytes from 10.200.0.20: icmp_seq=2 ttl=62 time=1.58 ms
# Note: the VPN servers themselves cannot ping the remote LAN addresses, although LAN hosts can ping the remote VPN server's LAN IP. The cause is the leftsourceip/rightsourceip values in the conn: with the public address as source, the gateway's own packets to 10.200.0.0/24 are sent from 192.168.19.131, which is outside leftsubnet and therefore outside the IPsec policy, so they are routed to the default gateway in the clear and never enter the tunnel. Either set leftsourceip=192.168.7.10 (and rightsourceip=10.200.0.10), which is what the option is for, or force the source address per command: ping -I 192.168.7.10 10.200.0.20
[root@LeftServer ipsec.d]# ping 10.200.0.20 -c 2
PING 10.200.0.20 (10.200.0.20) 56(84) bytes of data.
^C
--- 10.200.0.20 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 2844ms
Capturing with tcpdump on the VPN server's external interface:
tcpdump -i eth0 -nn src 10.200.0.12
# To confirm the traffic really is encrypted on the wire, filter for ESP between the gateways: tcpdump -i eth0 -nn esp
# With NETKEY an inbound packet shows up twice on eth0 (once as ESP, once decrypted), while outbound traffic is seen only as ESP.
IV. PSK connection
On both VPN servers add the same pre-shared key (a shared secret, not a public key). Replace "mysecret" with a long random value: the PSK is all that authenticates the peer, and a short, guessable PSK can be recovered offline by an attacker who gets either gateway to run the IKE exchange with them. Keep /etc/ipsec.secrets at mode 0600 and reload it with ipsec auto --rereadsecrets after editing.
vim /etc/ipsec.secrets, append at the end:
# local gateway IP, peer gateway IP (0.0.0.0 and %any are wildcards): PSK "secret"
192.168.19.131 0.0.0.0 %any: PSK "mysecret"
# tighter, and usable unchanged on both servers, since Main Mode selects the PSK by peer address rather than by leftid/rightid:
# 192.168.19.131 192.168.19.132 : PSK "mysecret"
vim vpn_test.conf
Compared with the RSA configuration above, remove the rsasigkey lines and add authby=secret:
conn test
    auto=start
    pfs=no # PFS (Perfect Forward Secrecy)
    compress=no # IP compression
    type=tunnel
    keyingtries=0
    disablearrivalcheck=no
    ## phase 1 ##
    ike=aes128-sha1;modp1024 # phase 1 proposal
    ikelifetime=86400s # phase 1 lifetime
    keyexchange=ike
    ## phase 2 ##
    phase2alg=aes128-sha1 # phase 2 proposal
    salifetime=3600s # phase 2 lifetime
    phase2=esp
    left=192.168.19.131
    leftid=@left
    leftsubnet=192.168.7.0/24
    leftsourceip=192.168.19.131
    leftnexthop=%defaultroute
    right=192.168.19.132
    rightid=@right
    rightsubnet=10.200.0.0/24
    rightsourceip=192.168.19.132
    rightnexthop=%defaultroute
    authby=secret # authenticate with the pre-shared key
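As an added example (not part of the original post), this helper generates a random PSK and writes the ipsec.secrets line keyed by both gateway addresses, creating the file 0600 from the start so the secret is never world-readable even briefly. The gateway addresses are those of the environment table; the secrets file path is a parameter so the helper can be tried on a scratch file.

```sh
#!/bin/sh
# Added example, not from the original post: write a strong PSK entry for ipsec.secrets.
# With IKEv1 Main Mode the PSK is looked up by peer IP before any ID is seen,
# so the entries are the gateway addresses, not @left/@right.
# Usage: write_psk_secret <secrets-file> <left-gw-ip> <right-gw-ip> [psk]
gen_psk() {
    # 32 random bytes as 64 hex chars: no quotes or whitespace to break the secrets syntax
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

write_psk_secret() {
    file=$1 left=$2 right=$3 psk=${4:-$(gen_psk)}
    case "$psk" in
        *\"*|*[[:space:]]*) echo "PSK must not contain quotes or whitespace" >&2; return 1 ;;
    esac
    # subshell so the umask change does not leak into the caller
    ( umask 077; printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" >> "$file" ) || return 1
    chmod 600 "$file"
    echo "$psk"   # print it once so the same line can be installed on the other gateway
}

# psk=$(write_psk_secret /etc/ipsec.secrets 192.168.19.131 192.168.19.132)
# then put the identical line on the peer and run: ipsec auto --rereadsecrets
```

The entry must be byte-for-byte identical on both servers; the left/right order of the two addresses does not matter, Openswan matches the pair in either direction.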
V. Other
1. Log error:
packet from 185.13.230.253:500: initial Main Mode message received on 10.200.0.13:0 but no connection has been authorized with policy=RSASIG
Fix: on AWS EC2 the public address is a 1:1 NAT of the instance's private address, so pluto is bound to the private IP and a conn whose local side is set to the public IP matches no incoming packet. Use the instance's private IP for the local side, or right=%defaultroute, and let the peer point at the public IP. The same message also appears for any IKE packet from an address no conn is configured for, which on an internet-facing gateway includes port-500 scanners, so confirm the source address really is your peer before changing the configuration.