*** (virtual private network) is a protected connection established between two network entities. The two entities may be joined directly by a point-to-point link, but usually they are far apart. There are three deployment modes:
Site-to-Site (site to site, or gateway to gateway): for example, three organisations sit at three different points on the Internet, each uses an IPsec *** gateway to build *** tunnels with the others, and traffic between the enterprise LANs (a number of PCs) travels over the IPsec tunnels those gateways establish, giving secure interconnection.
End-to-End (PC to PC): communication between two PCs is protected by an IPsec session between the two PCs themselves, not by a gateway.
End-to-Site (PC to gateway): communication between two PCs is protected by IPsec between a gateway and the remote PC.
This post covers the first mode, Site-to-Site (gateway to gateway).
1. Requirements analysis
PC1 runs the IPsec *** endpoint, has a private address, and reaches the outside through NAT on a wireless router;
a Huawei USG acts as the head office *** server;
because PC1 only reaches the Internet through NAT on the wireless router, the IPsec *** must support NAT traversal; the corresponding openswan setting is shown later.
2. Install openswan
PC1 runs CentOS 7; install openswan on Linux (on CentOS 7 this package is provided by Libreswan, which is what ipsec verify reports below):
yum install -y openswan lsof
We change kernel parameters to allow IP forwarding and to permanently disable redirects.
# enable IP forwarding so the host can route between the tunnel and the LAN
sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
# disable reverse-path filtering, which does not understand IPsec-decapsulated traffic
sed -i 's#net.ipv4.conf.default.rp_filter = 1#net.ipv4.conf.default.rp_filter = 0#g' /etc/sysctl.conf
Check the kernel parameters to confirm that redirects are disabled:
sysctl -a | egrep "ipv4.*(accept|send)_redirects"
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
Reload /etc/sysctl.conf:
sysctl -p
3. Edit the ipsec configuration file
vi /etc/ipsec.conf
config setup
    plutodebug=all
    # full IKE tracing; set to none once the tunnel is working
    plutostderrlog=/var/log/ipsec.log
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    # enable NAT traversal (Libreswan 3.x ignores this keyword and always enables NAT-T; ipsec verify warns about it below)
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
4. Edit the lan-to-lan configuration file
[root@localhost ~]# cat /etc/ipsec.d/site1-tosite2.conf
conn site1-tosite2
    type=tunnel
    # tunnel mode
    authby=secret
    # pre-shared key authentication
    auto=start
    ike=3des-sha1;modp1024
    # 3DES, SHA-1 and modp1024 are legacy choices kept for compatibility with the peer; prefer AES/SHA-2 and modp2048 or stronger where the peer supports them
    keyexchange=ike
    phase2=esp
    phase2alg=3des-sha1
    pfs=no
    left=%defaultroute
    leftid=alice
    leftnexthop=%defaultroute
    leftsubnet=192.168.1.0/24
    right=172.17.0.1
    rightsubnet=192.168.2.0/24
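As an added example that is not part of the original post, the following Python script parses an ipsec.conf-style file like the two sections above and lists the settings a reviewer would want changed before production: the legacy 3DES/SHA-1/modp1024 proposals, pfs=no, and plutodebug=all. The sample configuration is constructed inline from the page's values.

```python
import re

# Constructed sample: the page's 'config setup' and conn sections, indentation restored.
SAMPLE_CONF = """\
config setup
    plutodebug=all
conn site1-tosite2
    type=tunnel
    authby=secret
    ike=3des-sha1;modp1024
    phase2alg=3des-sha1
    pfs=no
    leftsubnet=192.168.1.0/24
    right=172.17.0.1
    rightsubnet=192.168.2.0/24
"""

# Algorithm tokens a reviewer would not accept in a new site-to-site tunnel.
LEGACY_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; unindented lines open sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(line.strip(), {})
            continue
        key, _, value = line.strip().partition("=")
        if current is not None:
            current[key.strip()] = value.strip()
    return sections


def lint(sections):
    """Return findings for the whole file (an empty list means nothing was flagged)."""
    findings = []
    if sections.get("config setup", {}).get("plutodebug", "none") == "all":
        findings.append("plutodebug=all: full IKE tracing lands in the log; use none in production")
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        for key in ("ike", "esp", "phase2alg"):  # esp and phase2alg are aliases
            algs = set(re.split(r"[-;,]", conn.get(key, "").lower())) & LEGACY_ALGS
            if algs:
                findings.append(f"{name} {key}: legacy algorithms {sorted(algs)}")
        if conn.get("pfs", "yes").lower() == "no":
            findings.append(f"{name} pfs=no: child SA keys are not independent of the IKE SA")
    return findings
```

Calling lint(parse_ipsec_conf(SAMPLE_CONF)) on the sample yields four findings; run it against /etc/ipsec.conf and the files under /etc/ipsec.d/ to review a live host.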
5. Configure the IPsec *** pre-shared key
vi /etc/ipsec.d/idcsubnet1-to-awsvpc1.secrets
<local public address> <remote public address>: PSK "123456"
The "123456" above is only the example's placeholder; use a long random PSK in a real deployment.
6. Check commands
Enable the service at boot: #chkconfig ipsec on
Run #ipsec verify; there should be no FAIL items.
[root@localhost ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-1062.9.1.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ens33/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Warning: ignored obsolete keyword 'nat_traversal'
ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help
Run #service ipsec status to check the process state and the number of tunnels that are up.
Run #ip xfrm policy to check the tunnel details: source/destination subnets, next hop, and so on.