Deploying IPsec VPN with NAT traversal on CentOS

A VPN (virtual private network) is a protected connection established between two network entities. The two entities could be joined directly by a point-to-point link, but usually they are far apart. There are three VPN deployment modes:
Site-to-Site (site to site, or gateway to gateway): for example, three offices at three different locations on the Internet each run an IPsec VPN gateway and build tunnels with one another; traffic between the offices' internal networks (a number of PCs) travels through the IPsec tunnels those gateways establish and is protected that way.
End-to-End (PC to PC): communication between two PCs is protected by an IPsec session between the two PCs themselves, not by a gateway.
End-to-Site (PC to gateway): communication between two PCs is protected by IPsec between a gateway and the remote PC.
This post covers the first mode, Site-to-Site (gateway to gateway).
1. Requirements
PC1 runs the IPsec VPN endpoint with a private address; the wireless router in front of it performs NAT.
A Huawei USG acts as the headquarters VPN server.
Because PC1 reaches the Internet through the wireless router's NAT, the IPsec VPN must support NAT traversal; the relevant openswan settings are shown below.
2. Install openswan
PC1 runs CentOS 7; install openswan on it (on CentOS 7 this package name resolves to Libreswan, which is what the ipsec verify output later reports):
yum install -y openswan lsof

We adjust the kernel parameters: allow IP forwarding and disable reverse-path filtering. ICMP redirects must also stay disabled, which is verified next.

# These substitutions only take effect if the two lines already exist in
# /etc/sysctl.conf; otherwise append them. Note that only the "default"
# rp_filter key is changed here; the "all" and per-interface keys keep their values.
sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
sed -i 's#net.ipv4.conf.default.rp_filter = 1#net.ipv4.conf.default.rp_filter = 0#g' /etc/sysctl.conf

Check the kernel parameters to make sure redirects are disabled:
sysctl -a | egrep "ipv4.*(accept|send)_redirects"

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0

Reload /etc/sysctl.conf:
sysctl -p

3. Edit the IPsec configuration file
vi /etc/ipsec.conf

config setup
        # plutodebug=all produces very verbose logs; set it back to none once the tunnel works
        plutodebug=all
        plutostderrlog=/var/log/ipsec.log
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        # enable NAT traversal (obsolete in Libreswan 3.x, where NAT-T is always on;
        # "ipsec verify" below reports it as an ignored keyword)
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

4. Edit the LAN-to-LAN connection file
[root@localhost ~]# cat /etc/ipsec.d/site1-tosite2.conf

conn site1-tosite2
  type=tunnel
  # tunnel mode
  authby=secret
  # pre-shared key authentication
  auto=start
  # legacy algorithms chosen to match the peer; prefer AES, SHA-2 and modp2048 where the USG supports them
  ike=3des-sha1;modp1024
  keyexchange=ike
  phase2=esp
  phase2alg=3des-sha1
  pfs=no

  left=%defaultroute
  leftid=alice
  leftnexthop=%defaultroute
  leftsubnet=192.168.1.0/24

  right=172.17.0.1
  rightsubnet=192.168.2.0/24

5. Configure the IPsec VPN pre-shared key

vi /etc/ipsec.d/idcsubnet1-to-awsvpc1.secrets
# replace "123456" with a long random secret and keep this file readable by root only
<local public address> <remote public address>: PSK "123456"

6. Check commands
Enable the service at boot: chkconfig ipsec on
Run ipsec verify; there should be no failed items.

[root@localhost ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 3.25 (netkey) on 3.10.0-1062.9.1.el7.x86_64
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                  [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/ens33/rp_filter            [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options            [OBSOLETE KEYWORD]
 Warning: ignored obsolete keyword 'nat_traversal'

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help

service ipsec status: checks the process state and the number of tunnels that are up.
ip xfrm policy: shows the tunnel details, such as source/destination subnets and next hop.
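The verify output above still reports rp_filter as [ENABLED] on all and ens33, because the sed commands in section 2 only changed net.ipv4.conf.default.rp_filter. The script below is an added example, not part of the original post: it audits `sysctl -a` style output for the settings ipsec verify cares about and prints the lines to add to /etc/sysctl.conf. The sample sysctl lines in it are constructed, and the function names are my own.

```shell
#!/bin/sh
# Audit the sysctl values that "ipsec verify" checks. Reads "key = value"
# lines (the format of `sysctl -a`) on stdin and prints one line per
# offending setting as "<key> <current> <wanted>". Silent when the host is
# ready for IPsec: rp_filter off on every interface, redirects off,
# forwarding on.
audit_ipsec_sysctl() {
    awk -F' *= *' '
        function want(w) { print $1, $2, w }
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ && $2 != "0" { want(0) }
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.(accept|send)_redirects$/ && $2 != "0" { want(0) }
        $1 == "net.ipv4.ip_forward" && $2 != "1" { want(1) }
    '
}

# Turn the findings into lines that can be appended to /etc/sysctl.conf
# (or a file under /etc/sysctl.d/) and loaded with "sysctl -p".
suggest_sysctl_fix() {
    audit_ipsec_sysctl | awk '{ print $1 " = " $3 }'
}

# Constructed sample modelled on the state shown by "ipsec verify" above:
# forwarding on, redirects off, but rp_filter still set on all/ens33
# because only the "default" key was rewritten.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.ens33.accept_redirects = 0
net.ipv4.conf.ens33.send_redirects = 0
net.ipv4.conf.ens33.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'

if [ "${1:-}" = "--live" ]; then
    # Audit the running kernel (Linux only, needs sysctl in PATH).
    sysctl -a 2>/dev/null | audit_ipsec_sysctl
else
    echo "# findings from the constructed sample:"
    printf '%s\n' "$SAMPLE_SYSCTL" | audit_ipsec_sysctl
    echo "# lines to add to /etc/sysctl.conf:"
    printf '%s\n' "$SAMPLE_SYSCTL" | suggest_sysctl_fix
fi
```

Run it with `--live` on the gateway to audit the real kernel; without arguments it only walks the constructed sample.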
