Updated: 2022-04-08 GMT+08:00

Example: Using strongSwan to Connect Cloud and On-Premises Networks

Scenario

A VPN gateway and a VPN connection have been purchased in a VPC on the cloud. On the customer side, a host with IPsec software installed peers with the cloud, and that host is behind a one-to-one NAT mapping at the network egress.

Topology

The topology and the policy negotiation parameters for this scenario are shown in Figure 1.

VPN gateway IP of the cloud VPC: 11.11.11.11; local subnet: 192.168.200.0/24.

NAT-mapped IP of the customer host: 22.22.22.22; local subnet: 192.168.222.0/24.

The local IP addresses of the cloud ECS and of the customer host are 192.168.200.200 and 192.168.222.222 respectively.

The VPN connection negotiation parameters use the Huawei Cloud defaults.

Figure 1 Topology and policy negotiation configuration information

Procedure

This example starts from the customer-side VPN configuration information and describes in detail how to configure the strongswan IPsec VPN client on Linux.

  1. Install the IPsec VPN client.

    yum install strongswan

    Answer "Y" at the interactive prompt; installation is complete when "Complete!" is displayed. The strongswan configuration files are kept in the /etc/strongswan directory, and only ipsec.conf and ipsec.secrets need to be edited.

  2. Enable IPv4 forwarding.

    vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1        //add this line
    /sbin/sysctl -p                //apply the forwarding setting

  3. Configure iptables.

    Confirm that the firewall is disabled or that it allows the traffic to be forwarded. Query with iptables -L:
    iptables -L
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination 
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination 
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination 

  4. Configure the pre-shared key.

    vim /etc/strongswan/ipsec.secrets          //edit the ipsec.secrets file
    22.22.22.22 11.11.11.11 : PSK "ipsec-key"

    The format is the same as for openswan: there is a space on each side of the colon, PSK must be in uppercase, and the key is enclosed in double quotes.

  5. Configure the IPsec connection.

    vim /etc/strongswan/ipsec.conf             //edit the ipsec.conf file
    config setup
    conn strong_ipsec                          //define the connection name strong_ipsec; the parameter lines below are indented under it
        auto=route                             //add, route or start
        type=tunnel                            //tunnel mode
        compress=no                            //disable compression
        leftauth=psk                           //local authentication method: PSK
        rightauth=psk                          //remote authentication method: PSK
        ikelifetime=86400s                     //IKE phase lifetime
        lifetime=3600s                         //phase 2 lifetime
        keyexchange=ikev1                      //IKE key exchange: version 1
        ike=aes128-sha1-modp1536!              //IKE phase algorithms and group, matching the peer; modp1536 = DH group 5
        esp=aes128-sha1-modp1536!              //IPsec phase algorithms and group, matching the peer; modp1536 = DH group 5
        leftid=22.22.22.22                     //local identity
        left=192.168.222.222                   //local IP; behind NAT, use the host's real address
        leftsubnet=192.168.222.0/24            //local subnet
        rightid=11.11.11.11                    //remote identity
        right=11.11.11.11                      //remote VPN gateway IP
        rightsubnet=192.168.200.0/24           //remote subnet

    For the bit length of each DH group used by Huawei Cloud VPN, see "What Are the Bit Lengths of the DH Groups Used by Huawei Cloud VPN?".

    After configuration, openswan can validate the configuration items with the command ipsec verify; strongswan validates them when the service is started. When every item in the output reads OK, the configuration is valid.
    ipsec verify
    Verifying installed system and configuration files
    Version check and ipsec on-path                             [OK]
    Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
    Checking for IPsec support in kernel                                 [OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects              [OK]
             ICMP default/accept_redirects            [OK]
             XFRM larval drop                         [OK]
    Pluto ipsec.conf syntax                           [OK]
    Two or more interfaces found, checking IP forwarding[OK]
    Checking rp_filter                                [OK]
    Checking that pluto is running                    [OK]
     Pluto listening for IKE on udp 500               [OK]
     Pluto listening for IKE/NAT-T on udp 4500        [OK]
     Pluto ipsec.secret syntax                        [OK]
    Checking 'ip' command                             [OK]
    Checking 'iptables' command                       [OK]
    Checking 'prelink' command does not interfere with FIPS[OK]
    Checking for obsolete ipsec.conf options          [OK]
    If the output reports errors such as the following:
    Checking rp_filter                                  [ENABLED]
     /proc/sys/net/ipv4/conf/default/rp_filter          [ENABLED]
     /proc/sys/net/ipv4/conf/lo/rp_filter               [ENABLED]
     /proc/sys/net/ipv4/conf/eth0/rp_filter             [ENABLED]
     /proc/sys/net/ipv4/conf/eth1/rp_filter             [ENABLED]
     /proc/sys/net/ipv4/conf/ip_vti01/rp_filter             [ENABLED]
    Resolve them with the following commands:
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/ip_vti01/rp_filter

  6. Start the service.

    service strongswan stop                //stop the service
    service strongswan start               //start the service
    service strongswan restart             //restart the service
    strongswan down strong_ipsec           //bring the connection down
    strongswan up strong_ipsec             //bring the connection up

    After every configuration change, restart the service and bring the connection up again.
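The six steps above, gathered into one added shell example (this is not code from the Huawei Cloud page or from the strongSwan project): it renders the ipsec.conf/ipsec.secrets pair for this topology into a directory of your choice and checks the points that most often break a deployment behind 1:1 NAT before the service is restarted: the selectors on the PSK line must be exactly the leftid/rightid pair, left must be the host's real address rather than the NAT-mapped ID, ipsec.secrets must be readable by root only, and net.ipv4.ip_forward must be on. All addresses and the key are the page's own values; the directory argument, the function names and the write-then-check flow are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the Huawei Cloud page or the strongSwan project.
# Renders the ipsec.conf / ipsec.secrets pair for the topology on this page into
# a directory and sanity-checks it before `service strongswan restart`.
# Assumptions: POSIX sh with sed/grep/stat; all addresses are the page's own,
# the key below is the page's placeholder, function names are ours.

LOCAL_NAT_ID="22.22.22.22"        # leftid: NAT-mapped IP of the customer host
LOCAL_HOST_IP="192.168.222.222"   # left: the host's real (pre-NAT) address
LOCAL_SUBNET="192.168.222.0/24"
REMOTE_GW="11.11.11.11"           # right / rightid: cloud VPN gateway IP
REMOTE_SUBNET="192.168.200.0/24"
PSK="ipsec-key"                   # placeholder from the page; use a long random key in practice

# write_config DIR: write DIR/ipsec.conf and DIR/ipsec.secrets
write_config() {
    dir="$1"
    mkdir -p "$dir"
    # Parameter lines are indented: strongSwan's ipsec.conf parser assigns an
    # indented line to the section (config/conn) that precedes it.
    cat > "$dir/ipsec.conf" <<EOF
config setup
conn strong_ipsec
    auto=route
    type=tunnel
    compress=no
    leftauth=psk
    rightauth=psk
    ikelifetime=86400s
    lifetime=3600s
    keyexchange=ikev1
    ike=aes128-sha1-modp1536!
    esp=aes128-sha1-modp1536!
    leftid=$LOCAL_NAT_ID
    left=$LOCAL_HOST_IP
    leftsubnet=$LOCAL_SUBNET
    rightid=$REMOTE_GW
    right=$REMOTE_GW
    rightsubnet=$REMOTE_SUBNET
EOF
    # The selectors on the PSK line are matched against the IKE identities, so
    # they must be exactly leftid and rightid. The file holds the key: root-only.
    ( umask 077; printf '%s %s : PSK "%s"\n' "$LOCAL_NAT_ID" "$REMOTE_GW" "$PSK" > "$dir/ipsec.secrets" )
    chmod 600 "$dir/ipsec.secrets"
}

# conf_value FILE KEY: print the value of KEY=... (first match) from an ipsec.conf
conf_value() { sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1; }

# check_config DIR: print each problem found; returns 0 only when there is none
check_config() {
    conf="$1/ipsec.conf"; sec="$1/ipsec.secrets"; rc=0
    lid=$(conf_value "$conf" leftid); rid=$(conf_value "$conf" rightid)
    # 1. a PSK line for exactly this identity pair must exist
    grep -q "^$lid $rid : PSK \"" "$sec" || { echo "no PSK line for $lid $rid"; rc=1; }
    # 2. behind 1:1 NAT, left is the interface address, never the NAT-mapped ID
    [ "$(conf_value "$conf" left)" != "$lid" ] || { echo "left must be the real host address, not the NAT ID"; rc=1; }
    # 3. the key file must not be group/world readable
    mode=$(stat -c %a "$sec" 2>/dev/null || stat -f %Lp "$sec")
    [ "$mode" = "600" ] || { echo "ipsec.secrets mode is $mode, expected 600"; rc=1; }
    # 4. identical subnets on both ends would make the child SA selectors useless
    [ "$(conf_value "$conf" leftsubnet)" != "$(conf_value "$conf" rightsubnet)" ] || { echo "leftsubnet equals rightsubnet"; rc=1; }
    return $rc
}

# forwarding_enabled [FILE]: true when net.ipv4.ip_forward is 1 (step 2)
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage: sh check_ipsec.sh /tmp/ipsec-test  (writes and checks in that directory;
# copy the two files to /etc/strongswan only after check_config reports nothing)
if [ -n "${1:-}" ]; then
    write_config "$1"
    check_config "$1" && forwarding_enabled && echo "configuration consistent, forwarding on"
fi
```

Run it against a scratch directory first; the generated files are only copied to /etc/strongswan once check_config prints nothing, after which step 6 (restart the service, then strongswan up strong_ipsec) applies as on the page.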

Verifying the Configuration

Query with strongswan statusall; the output shows the connection start time.
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.5.1.el7.x86_64, x86_64):
  uptime: 5 minutes, since Apr 24 19:25:29 2019
  malloc: sbrk 1720320, mmap 0, used 593088, free 1127232
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:192.168.222.222
Connections:
strong_ipsec:  192.168.222.222...11.11.11.11  IKEv1
strong_ipsec:   local:  [22.22.22.22] uses pre-shared key authentication
strong_ipsec:   remote: [11.11.11.11] uses pre-shared key authentication
strong_ipsec:   child:  192.168.222.0/24 === 192.168.200.0/24 TUNNEL
Routed Connections:
strong_ipsec{1}:  ROUTED, TUNNEL, reqid 1
strong_ipsec{1}:   192.168.222.0/24 === 192.168.200.0/24
Security Associations (0 up, 1 connecting):
strong_ipsec[1]: CONNECTING, 192.168.222.222[%any]...11.11.11.11[%any]
strong_ipsec[1]: IKEv1 SPIs: c3090f6512ec6b7d_i* 0000000000000000_r
strong_ipsec[1]: Tasks queued: QUICK_MODE QUICK_MODE 
strong_ipsec[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
From VPC1, ping the host in VPC2 on which the IPsec client is installed:
ping 192.168.222.222
PING 192.168.222.222 (192.168.222.222) 56(84) bytes of data.
64 bytes from 192.168.222.222: icmp_seq=1 ttl=62 time=3.07 ms
64 bytes from 192.168.222.222: icmp_seq=2 ttl=62 time=3.06 ms
64 bytes from 192.168.222.222: icmp_seq=3 ttl=62 time=3.98 ms
64 bytes from 192.168.222.222: icmp_seq=4 ttl=62 time=3.04 ms
64 bytes from 192.168.222.222: icmp_seq=5 ttl=62 time=3.11 ms
64 bytes from 192.168.222.222: icmp_seq=6 ttl=62 time=3.71 ms
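An added example (not from the Huawei Cloud page or from strongSwan) that reads strongswan statusall output and tells a tunnel that is really up (IKE SA ESTABLISHED and a child SA INSTALLED) apart from one that is still negotiating: in the output above the daemon has been up for five minutes, yet the SA is still CONNECTING with a zero responder SPI, so uptime alone proves nothing. The first sample is the page's own CONNECTING output; the second, ESTABLISHED sample is constructed for the test, including its SPIs and timings. The "ESP in UDP" marker is what strongSwan prints when the child SA uses UDP encapsulation (NAT traversal), which is what this topology's 1:1 NAT should produce; the function names are ours.

```shell
#!/bin/sh
# Added example; not code from the Huawei Cloud page or the strongSwan project.
# Parses `strongswan statusall` output so that "the daemon has been up for
# 5 minutes" is not mistaken for "the tunnel is up". Assumptions: POSIX sh with
# grep/sed; SAMPLE_CONNECTING is copied from the page, SAMPLE_UP is constructed
# (its SPIs, timings and ESTABLISHED/INSTALLED lines are invented for the test).

SAMPLE_CONNECTING='Security Associations (0 up, 1 connecting):
strong_ipsec[1]: CONNECTING, 192.168.222.222[%any]...11.11.11.11[%any]
strong_ipsec[1]: IKEv1 SPIs: c3090f6512ec6b7d_i* 0000000000000000_r
strong_ipsec[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD'

SAMPLE_UP='Security Associations (1 up, 0 connecting):
strong_ipsec[1]: ESTABLISHED 12 seconds ago, 192.168.222.222[22.22.22.22]...11.11.11.11[11.11.11.11]
strong_ipsec[1]: IKEv1 SPIs: c3090f6512ec6b7d_i* 0123456789abcdef_r, rekeying in 23 hours
strong_ipsec{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0000001_i c0000002_o
strong_ipsec{1}:   192.168.222.0/24 === 192.168.200.0/24'

# sa_counts TEXT: print "<up> <connecting>" from the Security Associations header
sa_counts() {
    printf '%s\n' "$1" | sed -n 's/^Security Associations (\([0-9]*\) up, \([0-9]*\) connecting):$/\1 \2/p'
}

# tunnel_state CONN TEXT: "up" only when the IKE SA is ESTABLISHED and a child SA
# is INSTALLED; "connecting" while phase 1/2 is still in progress; else "down"
tunnel_state() {
    conn="$1"; text="$2"
    if printf '%s\n' "$text" | grep -q "^$conn\[[0-9]*\]: ESTABLISHED" &&
       printf '%s\n' "$text" | grep -q "^$conn{[0-9]*}: *INSTALLED"; then
        echo up
    elif printf '%s\n' "$text" | grep -q "^$conn\[[0-9]*\]: CONNECTING"; then
        echo connecting
    else
        echo down
    fi
}

# child_selectors CONN TEXT: the installed traffic selectors, e.g. "a/24 === b/24"
child_selectors() {
    printf '%s\n' "$2" | sed -n "s|^$1{[0-9]*}: *\([0-9./]* === [0-9./]*\)\$|\1|p" | head -n 1
}

# uses_nat_t CONN TEXT: true when the child SA uses UDP encapsulation (NAT-T),
# which is what the 1:1 NAT in this topology should produce
uses_nat_t() {
    printf '%s\n' "$2" | grep -q "^$1{[0-9]*}:.*ESP in UDP SPIs"
}

# Live usage (not run by default): sh tunnel_check.sh --live
if [ "${1:-}" = "--live" ]; then
    out=$(strongswan statusall 2>/dev/null)
    echo "strong_ipsec: $(tunnel_state strong_ipsec "$out") ($(sa_counts "$out") up/connecting)"
fi
```

A state of "connecting" that persists after strongswan up strong_ipsec usually means phase 1 never completes (PSK or identity mismatch, or UDP 500/4500 not reaching the host through the NAT), while "up" without uses_nat_t succeeding indicates the peer did not detect the NAT, which is worth checking before trusting the ping test.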