1. Environment
This installation was done on CentOS 6.5 (kernel 2.6.32-431.el6.x86_64); commands may differ on other Linux distributions. Both CentOS 6 (end of life November 2020) and strongSwan 5.8.0 are old releases, so on a current system prefer the distribution's strongswan package and its security updates over a source build.
The strongSwan version is 5.8.0. This guide uses pre-shared key (PSK) authentication.
2. Configuration steps on the CentOS side
1) Install the build dependencies:
yum install pam-devel openssl-devel make gcc
2) Download strongSwan. The unversioned strongswan.tar.gz on download.strongswan.org always points at the latest release, so running this step later yields a different version than the one described here. Fetch the versioned tarball instead, and verify its detached signature (strongswan-5.8.0.tar.gz.sig, checked with gpg against the strongSwan release key) before building, since this code will handle the tunnel's keys:
wget https://download.strongswan.org/strongswan-5.8.0.tar.gz
3) Extract strongSwan:
tar -xzf strongswan-5.8.0.tar.gz
4) Enter the extracted directory:
cd strongswan-* (the * stands for the version, 5.8.0 here)
5) Configure the build:
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls \
  --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius \
  --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools --disable-gmp
For the PSK site-to-site tunnel below only --enable-openssl and --disable-gmp matter (crypto is provided by the OpenSSL plugin instead of the GMP one). The EAP, XAuth, RADIUS, DHCP and Unity options are roadwarrior features carried over from another setup; dropping them keeps the installed plugin set, and with it the attack surface of the daemon, smaller.
6) Build and install:
make && make install
# If make and make install finish without errors and ipsec version prints the version string, the installation succeeded:
[root@localhost strongswan-5.8.0]# ipsec version
Linux strongSwan U5.8.0/K2.6.32-431.el6.x86_64
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
7) Configure strongSwan
A. vim /usr/local/etc/ipsec.conf
Edit ipsec.conf following the template below (A.A.A.A is the local public address, B.B.B.B the peer's public address). Parameters belong indented under their section header; the ipsec.conf parser treats lines starting with whitespace as parameters of the preceding section, so the indentation is not optional.
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    uniqueids = no

# Add connections here.
conn %default
    ikelifetime=1440m
    keylife=200m
    rekeymargin=30m
    keyingtries=1
    keyexchange=ikev1
    dpddelay=10s
    # dpddelay alone does nothing: DPD is only active once dpdaction is set
    dpdaction=restart
    authby=secret
    ike=3des-md5-modp1024
    esp=des-md5

conn gansu-tunnel
    left=%any
    leftid=A.A.A.A
    leftsubnet=11.10.11.0/24
    leftfirewall=no
    right=B.B.B.B
    rightsubnet=10.251.90.231/32
    rightid=B.B.B.B
    auto=start
    type=tunnel

# Sample VPN connections
#conn sample-self-signed
#    leftsubnet=10.1.0.0/16
#    leftcert=selfCert.der
#    leftsendcert=never
#    right=192.168.0.2
#    rightsubnet=10.2.0.0/16
#    rightcert=peerCert.der
#    auto=start
#conn sample-with-ca-cert
#    leftsubnet=10.1.0.0/16
#    leftcert=myCert.pem
#    right=192.168.0.2
#    rightsubnet=10.2.0.0/16
#    rightid="C=CH, O=Linux strongSwan CN=peer name"
#    auto=start
Notes on the parameters:
uniqueids = no (do not enforce unique IKE identities, so several connections with the same ID can be up at once. This is a roadwarrior setting; for a single site-to-site peer the default uniqueids=yes is preferable, because it replaces a stale SA when the peer reconnects instead of letting duplicates accumulate)
ike=3des-md5-modp1024 (IKE proposal in the form cipher-integrity-DH group. 3DES, MD5 and the 1024-bit MODP group are all legacy algorithms; they are only justified by a peer that offers nothing better, and something like aes256-sha256-modp2048 should be used whenever the peer supports it)
esp=des-md5 (ESP proposal. Single DES has a 56-bit key and is not an acceptable cipher today; prefer aes256-sha256 or aes256gcm16. This proposal also has no DH group, so the CHILD_SA is set up without perfect forward secrecy; adding a group, e.g. aes256-sha256-modp2048, turns PFS on)
keyingtries=1 (a negotiation that fails on the first attempt is not retried; for an always-on site-to-site link keyingtries=%forever is the usual choice)
conn gansu-tunnel (connection name; it is also what the peer side displays for this tunnel)
left=%any (left is the local side, i.e. this server. %any does not fix the local address; strongSwan picks it from the routing table when talking to the peer, and the identity presented to the peer is set by leftid)
leftsubnet=11.10.11.0/24 (the local protected range; leftsubnet, not left, is what the tunnel protects)
leftid=A.A.A.A (the local public address, used as the IKE identity; this is the tunnel endpoint)
right=B.B.B.B (the remote endpoint, i.e. the peer's public address)
rightsubnet=10.251.90.231/32 (the peer's protected range; the /32 limits it to that single host)
rightid=B.B.B.B (the peer's public address, used as its IKE identity)
B. vim /usr/local/etc/ipsec.secrets
Add the following line. The two selectors are the local and remote IKE identities (here the addresses from leftid and rightid) and the quoted value is the PSK, which must be identical on both ends:
A.A.A.A B.B.B.B : PSK "gansuyouxian"
The PSK is stored in clear text, so keep the file owned by root with mode 0600. The PSK is the only authentication of the tunnel: anyone who knows or guesses it can impersonate either end. A word like "gansuyouxian" is fine as a placeholder while following this guide, but in production use a long random secret (32 bytes or more from a cryptographic random source).
8) IP forwarding and firewall
A. vim /etc/sysctl.conf
Find net.ipv4.ip_forward = 0 and change the 0 to 1, i.e. net.ipv4.ip_forward = 1. Forwarding is what lets this host route traffic from other machines in 11.10.11.0/24 into the tunnel; traffic the host originates itself (see step 9) does not depend on it.
B. Run sysctl -p
[root@localhost etc]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
The output should look like the above. The three "unknown key" errors refer to the net.bridge.bridge-nf-call-* entries of the stock sysctl.conf; they appear because the bridge netfilter module is not loaded, have nothing to do with IPsec and can be ignored.
C. In the test environment the Linux firewall is simply stopped. In production keep it running and allow only what the tunnel needs: UDP/500 (IKE) and UDP/4500 (NAT traversal) from the peer, IP protocol 50 (ESP) from the peer, and the traffic between the two protected ranges.
service iptables stop
D. Start IPsec
[root@localhost strongswan-5.8.0]# ipsec start
Starting strongSwan 5.8.0 IPsec [starter]...
E. Check the IPsec status
[root@localhost strongswan-5.8.0]# ipsec status
Security Associations (1 up, 0 connecting):
gansu-tunnel[1]: ESTABLISHED 17 hours ago, A.A.A.A[A.A.A.A]...B.B.B.B[B.B.B.B]
gansu-tunnel{7}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: caa5ba69_i 00008bc5_o
gansu-tunnel{7}: 11.10.11.0/24 === 10.251.90.231/32
This output means the tunnel is up. The gansu-tunnel[1] line is the IKE SA (ESTABLISHED); the gansu-tunnel{7} lines are the IPsec (CHILD) SA with its ESP SPIs and the negotiated traffic selectors 11.10.11.0/24 === 10.251.90.231/32. Both must be present before traffic between the protected ranges can flow; an IKE SA without an INSTALLED child carries no data. ipsec statusall additionally shows the algorithms that were actually negotiated, which is worth checking against the ike= and esp= lines.
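The rules that step 8 C leaves out for production, as an added example that is not part of the original tutorial: IKE on UDP/500, NAT traversal on UDP/4500 and ESP (IP protocol 50) are accepted from the peer only, and traffic between the two protected ranges is accepted only when the kernel's policy match (the iptables policy module) confirms it was decrypted from, or will be encrypted into, the tunnel; the same address pairs in clear text are dropped. The function name, its parameters and the IPT variable are this example's own; the addresses are the page's placeholders and must be replaced with the real ones before the rules are applied. Setting IPT=echo prints the rules instead of installing them, which is how the script can be dry-run on a machine without iptables.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: minimal iptables rules for
# the PSK site-to-site tunnel configured above. Run as root on the CentOS host;
# set IPT=echo to print the rules instead of installing them (dry run).
IPT=${IPT:-iptables}

# ipsec_firewall_rules LOCAL_PUBLIC PEER_PUBLIC LOCAL_SUBNET REMOTE_SUBNET
ipsec_firewall_rules() {
    local_pub="$1"; peer_pub="$2"; local_net="$3"; remote_net="$4"

    # IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50), from the peer only.
    $IPT -A INPUT -p udp -s "$peer_pub" -d "$local_pub" --dport 500  -j ACCEPT
    $IPT -A INPUT -p udp -s "$peer_pub" -d "$local_pub" --dport 4500 -j ACCEPT
    $IPT -A INPUT -p esp -s "$peer_pub" -d "$local_pub" -j ACCEPT

    # Traffic between the protected ranges is accepted only if the kernel matched
    # an IPsec policy for it (xt_policy): decrypted on the way in (--dir in) or
    # about to be encrypted on the way out (--dir out).
    $IPT -A INPUT   -s "$remote_net" -d "$local_net"  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -s "$remote_net" -d "$local_net"  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    $IPT -A OUTPUT  -s "$local_net"  -d "$remote_net" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -s "$local_net"  -d "$remote_net" -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # The same address pairs without a policy match are clear text: drop them, so
    # a tunnel outage or a spoofed packet never turns into plaintext traffic.
    $IPT -A INPUT   -s "$remote_net" -d "$local_net"  -j DROP
    $IPT -A FORWARD -s "$remote_net" -d "$local_net"  -j DROP
    $IPT -A OUTPUT  -s "$local_net"  -d "$remote_net" -j DROP
    $IPT -A FORWARD -s "$local_net"  -d "$remote_net" -j DROP
}

# Invoked as a script with the four addresses, e.g. with the tutorial's values:
#   IPT=echo ./ipsec-fw.sh A.A.A.A B.B.B.B 11.10.11.0/24 10.251.90.231/32
if [ "$#" -eq 4 ]; then
    ipsec_firewall_rules "$@"
fi
```

The rules are appended, so on a host whose INPUT, FORWARD and OUTPUT chains end in a REJECT or DROP rule they have to be inserted before that rule (or the chains flushed first). strongSwan can also install per-connection rules itself through its updown script when leftfirewall=yes is set in the conn section, which is an alternative when the rule set is not managed elsewhere.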
9) Network interface configuration
Once the tunnel is up, the host itself needs an address inside the local protected range 11.10.11.0/24: a packet the host sends is only matched by the IPsec policy if its source address falls into leftsubnet, and eth0 carries A.A.A.A. A loopback alias provides such an address.
A. Add an interface configuration file:
Directory: /etc/sysconfig/network-scripts/
File name: ifcfg-lo:1
Contents:
DEVICE=lo:1
IPADDR=11.10.11.1
NETMASK=255.255.255.0
BROADCAST=11.10.11.255
ONBOOT=yes
NAME=loopback
(BROADCAST is the broadcast address of the 11.10.11.0/24 alias, not the 127.255.255.255 of the stock ifcfg-lo, which does not match this IPADDR/NETMASK.)
B. After saving, restart networking:
service network restart
After the restart, check the interfaces:
[root@localhost network-scripts]# ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:23:DD:22
inet addr:A.A.A.A Bcast:A.A.A.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe23:dd22/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1870158 errors:0 dropped:0 overruns:0 frame:0
TX packets:382896 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1406612540 (1.3 GiB) TX bytes:45551627 (43.4 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:624 (624.0 b) TX bytes:624 (624.0 b)
lo:1 Link encap:Local Loopback
inet addr:11.10.11.1 Mask:255.255.255.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
10) Connection test
A. Stop IPsec
After ipsec stop the tunnel is torn down and the peer's protected address can no longer be reached through it.
B. Start IPsec
After ipsec start the connection comes up again (auto=start) and the peer's protected address is reachable. Test with traffic sourced from the alias address, e.g. ping with -I 11.10.11.1 to 10.251.90.231: a ping sourced from A.A.A.A does not fall into the traffic selector 11.10.11.0/24 === 10.251.90.231/32 and is not sent through the tunnel at all, which is the most common reason for "tunnel up but no traffic".
At this point the IPsec service is set up and the application traffic can be deployed over it.
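Before relying on the tunnel, the checks a practitioner wants are the ones the notes in step 7 and the status output in step 8 E describe: no legacy algorithms in the ike= and esp= proposals, a root-only secrets file with a PSK that is not a word, and both an ESTABLISHED IKE SA and an INSTALLED CHILD SA for the connection. The script below is an added example, not code from the original tutorial or from the strongSwan project; its function names, file layout and the 32-character PSK threshold are its own. The weak.conf sample repeats the page's own proposals (and gets flagged), the hardened.conf values are an assumed replacement that must be confirmed against what the peer supports, and the status samples reuse the ipsec status output shown above. Everything reads from files, so the functions can be pointed at /usr/local/etc/ipsec.conf, /usr/local/etc/ipsec.secrets and a saved copy of ipsec status on the host.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: checks for the PSK
# site-to-site setup above. Every check reads a file, so point it at
# /usr/local/etc/ipsec.conf, /usr/local/etc/ipsec.secrets and a saved copy of
# `ipsec status`, or at the constructed samples written by write_samples.
# Findings are printed one per line; no output means the check passed.

# audit_proposals IPSEC_CONF: flag legacy algorithms in every ike=/esp= line.
# A proposal is a comma-separated list of cipher-integrity[-dhgroup] strings.
audit_proposals() {
    grep -E '^[[:space:]]*(ike|esp)[[:space:]]*=' "$1" | sed 's/^[[:space:]]*//' |
    while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        printf '%s\n' "$val" | tr ',' '\n' | tr '-' '\n' | while IFS= read -r alg; do
            case "$alg" in
                des|3des)         echo "$key: weak cipher $alg" ;;
                md5|sha|sha1)     echo "$key: weak integrity $alg" ;;
                modp768|modp1024) echo "$key: weak DH group $alg" ;;
            esac
        done
        # An esp= proposal without a DH group sets up the CHILD_SA without PFS.
        case "$val" in
            *modp*|*ecp*|*curve25519*|*x25519*) ;;
            *) if [ "$key" = esp ]; then echo "esp: no DH group, PFS is disabled"; fi ;;
        esac
    done
}

# audit_secrets IPSEC_SECRETS: the PSK is stored in clear text, so the file must
# be mode 0600, and a PSK should be long and random rather than a word.
audit_secrets() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || echo "secrets: mode is $mode, expected -rw-------"
    sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | while IFS= read -r psk; do
        [ "${#psk}" -ge 32 ] || echo "secrets: PSK has only ${#psk} characters, use 32+ random ones"
    done
}

# tunnel_up STATUS_FILE CONN: true only when the IKE_SA for CONN is ESTABLISHED
# and its CHILD_SA is INSTALLED; an IKE_SA alone carries no traffic.
tunnel_up() {
    grep -Eq "^[[:space:]]*$2\[[0-9]+\]:[[:space:]]+ESTABLISHED" "$1" &&
    grep -Eq "^[[:space:]]*$2\{[0-9]+\}:[[:space:]]+INSTALLED" "$1"
}

# write_samples DIR: constructed inputs. weak.conf holds the page's proposals,
# hardened.conf an assumed replacement (confirm the peer supports it first),
# status_up.txt is the `ipsec status` output from step 8 E, status_down.txt the
# output after `ipsec down gansu-tunnel`, and ipsec.secrets the page's PSK line.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
conn %default
    keyexchange=ikev1
    authby=secret
    ike=3des-md5-modp1024
    esp=des-md5
EOF
    cat > "$1/hardened.conf" <<'EOF'
conn %default
    keyexchange=ikev2
    authby=secret
    dpdaction=restart
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16-modp2048!
EOF
    cat > "$1/status_up.txt" <<'EOF'
Security Associations (1 up, 0 connecting):
gansu-tunnel[1]: ESTABLISHED 17 hours ago, A.A.A.A[A.A.A.A]...B.B.B.B[B.B.B.B]
gansu-tunnel{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: caa5ba69_i 00008bc5_o
gansu-tunnel{7}:   11.10.11.0/24 === 10.251.90.231/32
EOF
    printf 'Security Associations (0 up, 0 connecting):\n  none\n' > "$1/status_down.txt"
    printf 'A.A.A.A B.B.B.B : PSK "gansuyouxian"\n' > "$1/ipsec.secrets"
    chmod 600 "$1/ipsec.secrets"
}

# Stand-alone run: audit the constructed samples.
run_demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "== page config ==";     audit_proposals "$d/weak.conf"
    echo "== hardened config =="; audit_proposals "$d/hardened.conf"
    echo "== secrets ==";         audit_secrets "$d/ipsec.secrets"
    tunnel_up "$d/status_up.txt" gansu-tunnel && echo "tunnel: up"
    rm -rf "$d"
}
run_demo
```

On the host itself, after sourcing the script, audit_proposals /usr/local/etc/ipsec.conf and audit_secrets /usr/local/etc/ipsec.secrets report the findings for the live files, and saving ipsec status to a file and passing it to tunnel_up with the connection name gives a yes/no that a monitoring job can act on. The page's configuration produces six findings (3DES, MD5 and modp1024 in ike=, DES and MD5 in esp=, and the missing DH group), which is exactly the list to negotiate with the peer's administrator.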
Configuration references:
https://help.aliyun.com/document_detail/57412.html