On the Internet, a VPN tunnel is commonly used to carry the internal traffic between two physically separated networks; for example, a VPN tunnel can join the networks of two branch offices that both sit behind NAT. This article walks through a site-to-site (point-to-point) VPN tunnel test built with Openswan.
Topology
Installing and configuring the VPN server
Normally we only administer site A; if we also want to administer site B, we need to set up a VPN tunnel between the two.
yum install openswan lsof
Disable ICMP redirects on every interface (accept_redirects and send_redirects under /proc/sys/net/ipv4/conf)
for vpn in /proc/sys/net/ipv4/conf/*;
do
echo 0 > $vpn/accept_redirects;
echo 0 > $vpn/send_redirects;
done
Edit the kernel parameters so that forwarding stays enabled and redirects stay disabled across reboots
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
sysctl -p
Allow the Openswan service ports through the firewall and add the NAT rule for site-to-site traffic
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP
Edit the configuration
Site-A VPN Server:
vim /etc/ipsec.conf
## general configuration parameters ##
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
    ## disable opportunistic encryption in Red Hat ##
    oe=off
## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement, kept at top level ##
include /etc/ipsec.d/examples/no_oe.conf
## connection definition in Red Hat ##
conn demo-connection-redhat
    authby=secret
    auto=start
    ike=3des-md5
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    phase2=esp
    phase2alg=3des-md5
    compress=no
    pfs=yes
    type=tunnel
    left=<siteA-public-IP>
    leftsourceip=<siteA-public-IP>
    leftsubnet=<siteA-private-subnet>/netmask
    ## for direct routing (alternative to the leftsubnet line above; keep only one) ##
    leftsubnet=<siteA-public-IP>/32
    leftnexthop=%defaultroute
    right=<siteB-public-IP>
    rightsubnet=<siteB-private-subnet>/netmask
## connection definition in Debian ##
conn demo-connection-debian
    authby=secret
    auto=start
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    esp=3des-md5
    pfs=yes
    type=tunnel
    left=<siteA-public-IP>
    leftsourceip=<siteA-public-IP>
    leftsubnet=<siteA-private-subnet>/netmask
    ## for direct routing (alternative to the leftsubnet line above; keep only one) ##
    leftsubnet=<siteA-public-IP>/32
    leftnexthop=%defaultroute
    right=<siteB-public-IP>
    rightsubnet=<siteB-private-subnet>/netmask
Authentication can be done in several ways; here a pre-shared key (PSK) is used.
vim /etc/ipsec.secrets
siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
## in case of multiple sites ##
siteA-public-IP siteC-public-IP: PSK "corresponding-pre-shared-key"
Starting the service and troubleshooting
service ipsec restart
chkconfig ipsec on
If the service starts normally, hosts on the A side can ping private addresses on the B side.
On the Site-A VPN server, `ip route` shows the routes the tunnel installed:
[siteB-private-subnet] via [siteA-gateway] dev eth0 src [siteA-public-IP]
default via [siteA-gateway] dev eth0
Once the VPN servers at both ends are configured, the two private networks can reach each other. Other important commands:
Check the tunnel status
service ipsec status
IPsec running - pluto pid: 20754
pluto pid 20754
1 tunnels up
some eroutes exist
ipsec auto --status
## output truncated ##
000 "demo-connection-debian": myip=<siteA-public-IP>; hisip=unset;
000 "demo-connection-debian": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "demo-connection-debian": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,28; interface: eth0;
## output truncated ##
000 #184: "demo-connection-debian":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1653s; newest IPSEC; eroute owner; isakmp#183; idle; import:not set
## output truncated ##
000 #183: "demo-connection-debian":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1093s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
Related log file (records authentication and key exchange details, useful for troubleshooting):
/var/log/pluto.log
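To turn the `ipsec auto --status` output above into a quick health verdict, here is an added helper (not part of the original post or of Openswan) that parses the per-connection state lines and reports whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA) are established; the sample text is constructed from the lines shown above, so the SA numbers and timers are illustrative.

```python
import re

# Constructed sample modelled on the status output shown above (not a live capture).
SAMPLE_STATUS = """\
000 "demo-connection-debian": myip=<siteA-public-IP>; hisip=unset;
000 "demo-connection-debian": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "demo-connection-debian": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,28; interface: eth0;
000 #184: "demo-connection-debian":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1653s; newest IPSEC; eroute owner; isakmp#183; idle; import:not set
000 #183: "demo-connection-debian":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1093s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
"""
# Constructed: phase 1 completed but no IPsec SA yet (e.g. mismatched subnets or ESP proposal).
SAMPLE_PHASE1_ONLY = SAMPLE_STATUS.splitlines()[-1] + "\n"

# "#<sa>: "<conn>":<port> STATE_X (description); EVENT_Y in <n>s;"
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\);(?: EVENT_\w+ in (\d+)s;)?')
POLICY_RE = re.compile(r'^000 "([^"]+)": policy: ([^;]+);')

def parse_status(text):
    """Return {conn_name: {"policy": set, "isakmp": (sa, state, secs), "ipsec": (sa, state, secs)}}."""
    conns = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            conns.setdefault(m.group(1), {})["policy"] = set(m.group(2).split("+"))
            continue
        m = STATE_RE.match(line)
        if not m:
            continue
        sa_id, name, state, desc, secs = m.groups()
        entry = (int(sa_id), state, int(secs) if secs else None)
        if "ISAKMP SA established" in desc:      # phase 1 (IKE)
            conns.setdefault(name, {})["isakmp"] = entry
        elif "IPsec SA established" in desc:     # phase 2 (ESP tunnel)
            conns.setdefault(name, {})["ipsec"] = entry
    return conns

def tunnel_health(conns, name):
    """One-line verdict an operator can check right after `service ipsec restart`."""
    c = conns.get(name)
    if c is None:
        return "unknown connection"
    if "isakmp" not in c:
        return "down: no ISAKMP SA (phase 1 failed; check the PSK, UDP 500/4500 reachability, pluto.log)"
    if "ipsec" not in c:
        return "degraded: ISAKMP SA up but no IPsec SA (phase 2 failed; check subnets and the ESP proposal)"
    rekeys = [c[k][2] for k in ("isakmp", "ipsec") if c[k][2] is not None]
    return "up: next rekey in %ds" % min(rekeys) if rekeys else "up"

if __name__ == "__main__":
    print(tunnel_health(parse_status(SAMPLE_STATUS), "demo-connection-debian"))
```

On a real host, feed it the output of `ipsec auto --status` instead of the constructed sample.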
Notes
1. The ISP may block ports; test with telnet to confirm that the ISP permits UDP 500 and TCP/UDP 4500.
2. Make sure the firewall allows the related ports.
3. Make sure the pre-shared key is identical on the servers at both ends.
4. If you run into NAT problems, try SNAT instead of MASQUERADE.
Reposted from: https://blog.51cto.com/linuxgeek/1545859