需求背景:
多个IDC机房或者办公地点,不同地址位置,用linux系统和软件,组一个局域网,共享网络资源
需求环境:
Ubuntu 20.04 + Openswan 实现点对点VPN
需要技能:
熟悉ubuntu,会用日常网络指令
了解网络结构,理解私有和公有IP地址以及范围
编辑ipsec相关配置文件
了解openswan 相关协议和原理
安装流程:
1、下载(下载后建议核对官方发布的校验和或签名再解压使用)
wget https://github.com/xelerance/Openswan/archive/refs/tags/v3.0.0.zip
2、解压
unzip v3.0.0.zip
3、移动
mv 源文件夹名称 目标路径
4、依赖
apt-get install libgmp-dev
apt-get install bison
apt-get install flex
5、安装
make programs install
6、检验
ipsec --version
7、配置
修改内核
vi /etc/sysctl.conf
# example entries for /etc/sysctl.conf
# forwarding is needed for subnet or l2tp connections
net.ipv4.ip_forward = 1
# rp_filter is stupid and cannot deal decrypted packets "appearing out of
# nowhere"
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
# when using 1 interface for two networks when using NETKEY, the kernel
# kernel thinks it can be clever by sending a redirect (cause it cannot
# tell an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.log_martians = 0
# seems the martian settings are not always enough. If not receiving packets
# try running this:
# for n in eth0 mast0 ipsec0 ipsec1 all default ; do sysctl net.ipv4.conf.$n.rp_filter=0; done
#
# these are non-ipsec specific security policies you should use
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
8、加载内核
sysctl -p
9、安装python
apt install python3
apt install python
apt install python-minimal
10、检验配置
ipsec verify
11、修改配置
vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8
oe=off
protostack=netkey
conn test # 定义连接名称(此处为test,两端需保持一致)
auto=start # 可选择add、route和start
pfs=no # PFS(Perfect Forward Secrecy)
compress=no # 是否压缩
type=tunnel # 开启隧道模式
authby=secret # 定义认证方式为PSK(预共享密钥);使用PSK时,下方的leftrsasigkey/rightrsasigkey不参与认证
## phase 1 ##
ike=aes128-sha1;modp1024 # 按照对端配置定义ike阶段算法和group(modp1024即DH group 2,强度较弱,对端支持时优先选用更强的group;phase2alg同理)
ikelifetime=86400s # ike阶段生命周期
keyexchange=ike # ike密钥交换方式
## phase 2 ##
phase2alg=aes128-sha1;modp1024 # 按照对端配置定义IPsec阶段算法和group
salifetime=3600s # 二阶段生命周期
phase2=esp # 二阶段传输格式
# IP配置阶段
left=59.*.212.* # 本地IP,nat场景选择真实的主机地址
leftid=@left # 本地标识ID(可以是@开头的标识,也可以是你的本地IP地址)
leftsourceip=59.*.212.* # 存在nat源地址选择nat后IP
leftsubnet=172.20.0.0/16 # 本地子网
leftnexthop=%defaultroute # nat场景下一跳选择nat后的网关IP(一般按缺省配置)
right=121.40.168.* # 远端IP,nat场景选择真实的主机地址
rightid=@right # 远端标识ID(可以是@开头的标识,也可以是远端IP地址)
rightsourceip=121.40.168.* # 存在nat源地址选择nat后IP
rightsubnet=172.23.108.*/20 # 远端子网
rightnexthop=%defaultroute # nat场景下一跳选择nat后的网关IP(一般按缺省配置)
# rsakey AQPGLAfkE
leftrsasigkey=0sAQPGLAfkEfGISg4FfXZqRe47LMX5sGyG+0ec1b5FWDriEpy4tiOvjusVzx2eyP3PTM+J9uKW93GxRugxpqa82O/aegGpnUpWGHBnEBBIvjpiMawrv3RhtCYeXodMKKqI6jhdEYzU69AYHkbPI3jOtk8TVYhaoSEkDRoBkbUzasAXOCrxL6a61G8C8XwOaW0qz+yEaoYwh/Nhc0fz1li/vQWofwXuR7ZQ5FlfDUY+JCgqbIhpmUfA9mRtawqIupYxQO3j55lhX4yUT9mBcRl9dlUNZnNEXL3hvoIABm/O+xMTwM695JBF0lVM5MJ/zizy7TsbHFJlNEPuGMI/An4FseHK0pQwe4BUZ08A8izIiI9ZT4Lp
# rsakey AQOzIeXfR
rightrsasigkey=0sAQOzIeXfRPL5ODGw97Y6wwotc9LExdihgdfxprYLKukKSpe3oH9G6smILqqkU+8INImuHwpL7mDPqKxDWb/YiYxRgRciXAMkuhq8c/IjcVIbK9EXSmWyPkC1Rn5+cD+2FDUd85FtQWMlEObwLJDC0UxqN5ZoFr7sR0Kur9LqZFS1FlD72E/x3RckY1R/LiR27R83Zv2EXEi1lhYf/ZstKPsGuzlEAzSnyV6jRz9Urz/SFrnyL8vGapiq5p6q+PkBEqsw97Wp8taj8tzK+lH1oxMB4+ArUKhGNk/w+tKPgKrLI8AR2nh2892P6cN0dta83t67k8Mf0ZrOCpxWLcZUnjLkFBvs9fJca3ONXH2RA+jMjn1l
12、配置共享密钥
vi /etc/ipsec.secrets
%any %any : PSK "!@#123"
# %any %any : PSK "预共享密钥",表示所有连接都使用同一个共享密钥;生产环境建议改为指定left/right标识,并使用足够长的随机密钥,不要沿用上例中的简单密钥
# IP地址(标识符) IP地址(标识符) : PSK "预共享密钥",某个连接共享密钥
# left right : PSK "预共享密钥"
# left,right是上述ipsec.conf中指代的IP地址
13、运行ipsec:
/etc/init.d/ipsec start
service ipsec start
14、查看是否建立通道:
/etc/init.d/ipsec status
15、查看隧道建立过程
ipsec auto status
16、监听IPSec建立过程:
tcpdump -i whlp0s20f3 host 59.*.212.*
tcpdump -i whlp0s20f3 host 121.*.168.*
17、在LServer上执行以下命令设置NAT:
iptables -t nat -A POSTROUTING -o eth* -s 59*/24 -d ! 121*/24 -j MASQUERADE
18、在RServer上执行以下命令设置NAT:
iptables -t nat -A POSTROUTING -o eth0 -s 121*/24 -d ! 59*/24 -j MASQUERADE
19、查看状态
ipsec auto status
20、重启
/etc/init.d/ipsec restart