Example: Using OpenSwan to Connect On-Premises and Cloud Networks
Scenario
A VPN gateway and a VPN connection have been purchased in a VPC on the cloud. On premises, the customer runs IPsec software on a host that peers with the cloud gateway; the host sits behind a one-to-one NAT mapping at the network egress.
Topology
The topology and the policy negotiation parameters for this scenario are shown in Figure: Topology and policy negotiation parameters.
VPN gateway IP of the cloud VPC: 11.11.11.11; local subnet: 192.168.200.0/24.
NAT-mapped IP of the customer host: 22.22.22.22; local subnet: 192.168.222.0/24.
The local IP addresses of the cloud ECS and the customer host are 192.168.200.200 and 192.168.222.222, respectively.
The VPN connection uses the Huawei Cloud default negotiation parameters.
Procedure
This example configures the Openswan IPsec client on CentOS 6.8.
- Install the Openswan client.
yum install -y openswan
- Enable IPv4 forwarding.
vim /etc/sysctl.conf
- Add the following line to the configuration file:
net.ipv4.ip_forward = 1
- Run /sbin/sysctl -p so that the forwarding parameter takes effect.
- Configure iptables.
Confirm that the firewall is disabled or that forwarding is allowed. Query command: iptables -L
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
- Configure the pre-shared key.
vim /etc/ipsec.d/open_IPsec.secrets
Add the following line to the configuration file:
22.22.22.22 11.11.11.11 : psk "IPsec-key"
Format: local IP used for the connection + space + remote gateway IP + space + colon + space + PSK + space + pre-shared key. There is a space on each side of the colon, PSK may be written in upper or lower case, and the key is enclosed in double quotes.
- Configure the IPsec connection.
vim /etc/ipsec.d/open_IPsec.conf
Add the following to the configuration file:
conn openswan_IPsec                    # connection name: openswan_IPsec
    type=tunnel                        # tunnel mode
    auto=start                         # one of add, route or start
    left=192.168.222.222               # local IP; in the NAT scenario, the host's real address
    leftid=22.22.22.22                 # local identity
    leftsourceip=22.22.22.22           # with NAT, use the post-NAT IP as the source address
    leftsubnet=192.168.222.0/24        # local subnet
    leftnexthop=22.22.22.1             # with NAT, the next hop is the post-NAT gateway IP
    right=11.11.11.11                  # remote VPN gateway IP
    rightid=11.11.11.11                # remote identity
    rightsourceip=11.11.11.11          # remote source address: the VPN gateway IP
    rightsubnet=192.168.200.0/24       # remote subnet
    rightnexthop=%defaultroute         # remote route uses the default configuration
    authby=secret                      # authentication method: PSK
    keyexchange=ike                    # IKE key exchange
    ike=aes128-sha1;modp1536           # IKE (phase 1) algorithms and DH group, matching the peer
    ikev2=never                        # disable IKEv2
    ikelifetime=86400s                 # IKE SA lifetime
    phase2=esp                         # phase 2 transport format
    phase2alg=aes128-sha1;modp1536     # IPsec (phase 2) algorithms and group, matching the peer; modp1536 = DH group 5
    pfs=yes                            # enable PFS
    compress=no                        # disable compression
    salifetime=3600s                   # phase 2 SA lifetime
- In a NAT traversal scenario, forceencaps=yes can be configured as needed.
- For the bit lengths of the DH groups used by Huawei Cloud VPN, see "What are the bit lengths of the DH groups used by Huawei Cloud VPN?".
After the configuration is complete, run ipsec verify to check the configuration items. If every item shows OK, the configuration is successful.
ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]
If the output contains the following error:
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti01/rp_filter             [ENABLED]
fix it with the following commands:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ip_vti01/rp_filter
These writes to /proc take effect immediately but do not survive a reboot; to make them permanent, persist the rp_filter settings in /etc/sysctl.conf in the same way as ip_forward above.
- Start the service.
service ipsec stop # stop the service
service ipsec start # start the service
service ipsec restart # restart the service
ipsec auto --down openswan_IPsec # bring the connection down
ipsec auto --up openswan_IPsec # bring the connection up
After every configuration change, restart the service and bring the connection up again.
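Before starting the service, the items configured above can be checked mechanically: the secrets line format from the pre-shared key step, the ip_forward and rp_filter state that the ipsec verify step depends on, and the NAT-related left/leftid/leftsourceip values in the conn block. The script below is an added example written for this page, not code from the Huawei Cloud documentation or from the Openswan/Libreswan project. Its function names, argument layout and the file name ipsec_preflight.sh are assumptions; the sysctl tree is passed in as a directory so that the checks can also be run against a constructed directory, and the self-test uses constructed inputs only.

```shell
#!/bin/sh
# ipsec_preflight.sh: pre-flight checks for the Openswan/Libreswan NAT scenario
# described above. Added example, not code from the Huawei Cloud documentation.
# Assumptions: the secrets line follows the format given above
# (<local IP> <remote gateway IP> : PSK "<key>"), the conn block uses the
# left/leftid/leftsourceip keywords shown above, and the sysctl tree is passed
# in as a directory (/proc/sys/net/ipv4 on a real host; a constructed temporary
# directory in the self-test).

# check_secrets_line LINE LOCAL_IP REMOTE_IP
# Returns 0 when LINE is exactly: LOCAL_IP REMOTE_IP : PSK "key"
# (PSK keyword case-insensitive, key non-empty and double-quoted).
check_secrets_line() {
    line=$1; local_ip=$2; remote_ip=$3
    set -f                          # no globbing while splitting the line into words
    set -- $line
    set +f
    [ $# -ge 5 ] || return 1
    [ "$1" = "$local_ip" ] || return 1
    [ "$2" = "$remote_ip" ] || return 1
    [ "$3" = ":" ] || return 1      # the colon must stand alone (spaces on both sides)
    kw=$(printf '%s' "$4" | tr '[:lower:]' '[:upper:]')
    [ "$kw" = "PSK" ] || return 1
    shift 4
    key=$*                          # whatever follows the PSK keyword
    case $key in
        '""') return 1 ;;           # empty key
        \"*\") return 0 ;;          # double-quoted, non-empty key
        *) return 1 ;;              # unquoted or otherwise malformed
    esac
}

# check_forwarding SYSCTL_DIR
# Mirrors the two items the ipsec verify step above depends on: ip_forward must
# be 1 and rp_filter must be 0 on every interface (otherwise ipsec verify
# reports [ENABLED]). Prints each offending file; returns the failure count.
check_forwarding() {
    dir=$1; failures=0
    if [ "$(cat "$dir/ip_forward" 2>/dev/null)" != "1" ]; then
        echo "ip_forward is not 1: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run sysctl -p"
        failures=$((failures + 1))
    fi
    for f in "$dir"/conf/*/rp_filter; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "rp_filter enabled in $f (fix: echo 0 > $f)"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# conn_value FILE KEY: prints the value of "KEY=value" in FILE, trailing
# comment stripped (only the first match is used).
conn_value() {
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# check_conn_nat FILE
# The conn block above sets left to the host's real address and both leftid and
# leftsourceip to the post-NAT address. This flags a conn in which leftid and
# leftsourceip diverge, and notes when no NAT appears to be in the path.
check_conn_nat() {
    f=$1
    left=$(conn_value "$f" left)
    leftid=$(conn_value "$f" leftid)
    leftsrc=$(conn_value "$f" leftsourceip)
    if [ -z "$left" ] || [ -z "$leftid" ] || [ -z "$leftsrc" ]; then
        echo "left, leftid and leftsourceip must all be set"
        return 1
    fi
    if [ "$leftid" != "$leftsrc" ]; then
        echo "leftid ($leftid) differs from leftsourceip ($leftsrc)"
        return 1
    fi
    [ "$left" != "$leftid" ] || echo "note: left equals leftid, so no NAT is in the path"
    return 0
}

# Usage: sh ipsec_preflight.sh SYSCTL_DIR SECRETS_FILE CONN_FILE LOCAL_IP REMOTE_IP
# e.g. sh ipsec_preflight.sh /proc/sys/net/ipv4 /etc/ipsec.d/open_IPsec.secrets \
#        /etc/ipsec.d/open_IPsec.conf 22.22.22.22 11.11.11.11
main() {
    rc=0
    check_forwarding "$1" || rc=1
    secret_line=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$2" | head -n 1)
    check_secrets_line "$secret_line" "$4" "$5" || { echo "malformed secrets line: $secret_line"; rc=1; }
    check_conn_nat "$3" || rc=1
    [ $rc -eq 0 ] && echo "preflight OK"
    return $rc
}

# Run only when all five arguments are given, so the functions can also be sourced.
if [ $# -eq 5 ]; then
    main "$@"
fi
```

Run it with the real paths shown in the usage comment after editing the two files and before service ipsec start; a non-zero exit status means one of the three checks printed something that needs fixing. The functions can also be sourced individually, for example to validate a secrets line before it is written to the file.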
Verification
Run ipsec status to check the connection and SA state. The output of a successfully established connection looks as follows; STATE_MAIN_R3 (ISAKMP SA established) and STATE_QUICK_I2 (IPsec SA established), together with non-zero ESPin/ESPout counters, show that the tunnel is up and carrying traffic.
000 Connection list:
000  
000 "openswan_IPsec": 192.168.222.0/24===192.168.222.222<192.168.222.222>[22.22.22.22]---22.22.22.1...11.11.11.11<11.11.11.11>===192.168.200.0/24; erouted; eroute owner: #30
000 "openswan_IPsec":     oriented; my_ip=22.22.22.22; their_ip=11.11.11.11; my_updown=ipsec _updown;
000 "openswan_IPsec":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "openswan_IPsec":   our auth:secret, their auth:secret
000 "openswan_IPsec":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "openswan_IPsec":   labeled_ipsec:no;
000 "openswan_IPsec":   policy_label:unset;
000 "openswan_IPsec":   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "openswan_IPsec":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "openswan_IPsec":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "openswan_IPsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "openswan_IPsec":   conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "openswan_IPsec":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "openswan_IPsec":   our idtype: ID_IPV4_ADDR; our id=1.1.1.1; their idtype: ID_IPV4_ADDR; their id=2.2.2.2
000 "openswan_IPsec":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "openswan_IPsec":   newest ISAKMP SA: #3; newest IPsec SA: #30;
000 "openswan_IPsec":   IKE algorithms: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_IPsec":   IKE algorithm newest: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_IPsec":   ESP algorithms: AES_CBC_128-HMAC_SHA1_96-MODP1536
000 "openswan_IPsec":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000  
000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #3: "openswan_IPsec":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 15087s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #30: "openswan_IPsec":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1744s; newest IPsec; eroute owner; isakmp#3; idle; import:admin initiate
000 #30: "openswan_IPsec" esp.b810a24@11.11.11.11 esp.aab7b496@192.168.222.222 tun.0@11.11.11.11 tun.0@192.168.222.222 ref=0 refhim=0 Traffic: ESPin=106KB ESPout=106KB! ESPmax=4194303B