Using strongSwan to Configure On- and Off-Cloud Communication
Scenarios
The VPC on the cloud has a VPN gateway and a VPN connection. Servers in the customer data center run the IPsec software (strongSwan) to interconnect with the cloud. One-to-one NAT mapping has been configured between the customer server IP address and a public IP address on the network egress, so the server itself sits behind NAT and IKE must negotiate through it (NAT traversal on UDP 4500).
Topology Connection
Figure 1 shows the topology connection and policy negotiation configurations.
The VPN gateway IP address of the VPC is 11.11.11.11 and the local subnet is 192.168.200.0/24.
The NAT mapping IP address of the customer server is 22.22.22.22 and the local subnet is 192.168.222.0/24.
The ECS IP address and the customer server IP address are 192.168.200.200 and 192.168.222.222, respectively.
The negotiation parameters of the VPN connection use the default configurations defined on HUAWEI CLOUD.
Configuration Procedure
This example describes the VPN configuration of the strongSwan IPsec client on a Linux system (the Openswan variant is covered in the previous article).
- Install the IPsec VPN client.
yum install strongswan
During the installation, enter Y when prompted. The installation is complete when the message "Complete!" is displayed. On CentOS 7 the strongswan package is provided by the EPEL repository. The strongSwan configuration files are stored in the /etc/strongswan directory; during the configuration you only need to edit the ipsec.conf and ipsec.secrets files.
- Enable IPv4 forwarding.
vim /etc/sysctl.conf          //Edit the file.
net.ipv4.ip_forward = 1       //Add this line.
/sbin/sysctl -p               //Run the command to make the forwarding configuration take effect.
- Configure iptables. Run the iptables -L command to check whether the firewall is disabled or whether forwarding of the tunnel traffic is allowed.
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The output above shows every chain at policy ACCEPT, that is, no filtering at all. On a production server, rather than leaving the firewall open, allow only what the tunnel needs: IKE on UDP 500 and UDP-encapsulated ESP on UDP 4500 from the VPN gateway 11.11.11.11 in the INPUT chain (because the server is behind NAT, ESP arrives UDP-encapsulated rather than as IP protocol 50), and traffic between 192.168.222.0/24 and 192.168.200.0/24 in the FORWARD chain.
- Configure the pre-shared key.
vim /etc/strongswan/ipsec.secrets     //Edit the ipsec.secrets file.
22.22.22.22 11.11.11.11 : PSK "ipsec-key"
Format: local ID (the NAT-mapped public IP address of the customer server) + space + VPN gateway IP address of the VPC + space + colon (:) + space + PSK (uppercase) + space + pre-shared key. There are spaces on both sides of the colon. The key is enclosed in double quotation marks. "ipsec-key" is only a placeholder: use a long random key that matches the one configured on the VPN connection, and keep the file readable by root only (mode 0600), since anyone who can read it can impersonate either peer.
- Configure the IPsec connection.
vim /etc/strongswan/ipsec.conf        //Edit the ipsec.conf file.
config setup

conn strong_ipsec                     //Set the connection name to strong_ipsec.
    auto=route                        //The value can be add, route, or start. With route, the tunnel is negotiated when the first matching packet is sent.
    type=tunnel                       //Enable the tunnel mode.
    compress=no                       //Disable compression.
    leftauth=psk                      //Set the local authentication mode to PSK.
    rightauth=psk                     //Set the authentication mode of the remote side (the VPC VPN gateway) to PSK.
    ikelifetime=86400s                //Lifetime of the IKE SA (phase 1).
    lifetime=3600s                    //Lifetime of the IPsec SA (phase 2).
    keyexchange=ikev1                 //Use IKE version 1, matching the VPN connection on the cloud.
    ike=aes128-sha1-modp1536!         //IKE algorithms and DH group; must match the VPN connection on the cloud.
    esp=aes128-sha1-modp1536!         //IPsec (ESP) algorithms and PFS group; must match the VPN connection on the cloud.
    leftid=22.22.22.22                //Local ID: the NAT-mapped public IP address of the customer server.
    left=192.168.222.222              //Local IP address. In the NAT scenario, set it to the actual server IP address, not the NAT address.
    leftsubnet=192.168.222.0/24       //Local subnet.
    rightid=11.11.11.11               //Remote ID: the VPN gateway IP address of the VPC.
    right=11.11.11.11                 //VPN gateway IP address of the VPC.
    rightsubnet=192.168.200.0/24      //Subnet of the VPC.
The //... annotations are explanations only and must not be copied into the file; comments in ipsec.conf start with #. The trailing "!" makes each proposal strict, so the negotiation fails instead of falling back if the cloud side offers different algorithms. aes128-sha1 with IKEv1 is used here because it matches the default negotiation parameters of the VPN connection; if the cloud side is configured for IKEv2 and a SHA-2 proposal, change keyexchange, ike and esp accordingly rather than weakening the cloud side.
After the configuration is complete, the Openswan scenario uses the ipsec verify command to check the configuration items. strongSwan has no equivalent command, so in the strongSwan scenario the configuration is checked after the service is started (see Configuration Verification). In the ipsec verify output, the configuration is correct if every item reports OK. Note that the sample output below was produced by Libreswan 3.25 (the successor of Openswan), not by strongSwan.
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path                           [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
Checking for IPsec support in kernel                      [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                      [OK]
         ICMP default/accept_redirects                    [OK]
         XFRM larval drop                                 [OK]
Pluto ipsec.conf syntax                                   [OK]
Two or more interfaces found, checking IP forwarding      [OK]
Checking rp_filter                                        [OK]
Checking that pluto is running                            [OK]
 Pluto listening for IKE on udp 500                       [OK]
 Pluto listening for IKE/NAT-T on udp 4500                [OK]
Pluto ipsec.secret syntax                                 [OK]
Checking 'ip' command                                     [OK]
Checking 'iptables' command                               [OK]
Checking 'prelink' command does not interfere with FIPS   [OK]
Checking for obsolete ipsec.conf options                  [OK]
If the following error information is displayed:
Checking rp_filter                                        [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter                [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                     [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/eth1/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti01/rp_filter               [ENABLED]
Run the following commands (the interface names are those of the example host; adjust them to your own):
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ip_vti01/rp_filter
These echo commands take effect only until the next reboot. To make the setting persistent, add net.ipv4.conf.all.rp_filter = 0 and net.ipv4.conf.default.rp_filter = 0 to /etc/sysctl.conf (the kernel applies the stricter of the all and per-interface values, which is why the per-interface entries must also be cleared on a running system).
- Start the service.
service strongswan stop          //Stop the service.
service strongswan start         //Start the service.
service strongswan restart       //Restart the service.
strongswan down strong_ipsec     //Tear down the connection.
strongswan up strong_ipsec       //Bring up the connection.
After each modification of ipsec.conf or ipsec.secrets, restart the service and then bring the connection up again.
Configuration Verification
On the customer server, check the daemon and connection status (output of strongswan statusall):
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.5.1.el7.x86_64, x86_64):
uptime: 5 minutes, since Apr 24 19:25:29 2019
malloc: sbrk 1720320, mmap 0, used 593088, free 1127232
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:192.168.222.222
Connections:
strong_ipsec: 192.168.222.222...11.11.11.11 IKEv1
strong_ipsec: local: [22.22.22.22] uses pre-shared key authentication
strong_ipsec: remote: [11.11.11.11] uses pre-shared key authentication
strong_ipsec: child: 192.168.222.0/24 === 192.168.200.0/24 TUNNEL
Routed Connections:
strong_ipsec{1}: ROUTED, TUNNEL, reqid 1
strong_ipsec{1}: 192.168.222.0/24 === 192.168.200.0/24
Security Associations (0 up, 1 connecting):
strong_ipsec[1]: CONNECTING, 192.168.222.222[%any]...11.11.11.11[%any]
strong_ipsec[1]: IKEv1 SPIs: c3090f6512ec6b7d_i* 0000000000000000_r
strong_ipsec[1]: Tasks queued: QUICK_MODE QUICK_MODE
strong_ipsec[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
In this capture the IKE SA is still CONNECTING (main mode is in progress) and the child SA is only ROUTED: with auto=route, the negotiation starts when the first packet matching the traffic selectors is sent. Once the negotiation completes, the IKE SA is reported as ESTABLISHED and the child SA as INSTALLED with its ESP SPIs, and only then does traffic such as the ping below pass through the tunnel. If the status stays CONNECTING, compare the PSK, IDs and ike/esp proposals with the VPN connection on the cloud and check that UDP 500/4500 reach the server through the NAT.
From the ECS (192.168.200.200) in the VPC, ping the customer server (192.168.222.222) on which the strongSwan client is installed.
ping 192.168.222.222
PING 192.168.222.222 (192.168.222.222) 56(84) bytes of data.
64 bytes from 192.168.222.222: icmp_seq=1 ttl=62 time=3.07 ms
64 bytes from 192.168.222.222: icmp_seq=2 ttl=62 time=3.06 ms
64 bytes from 192.168.222.222: icmp_seq=3 ttl=62 time=3.98 ms
64 bytes from 192.168.222.222: icmp_seq=4 ttl=62 time=3.04 ms
64 bytes from 192.168.222.222: icmp_seq=5 ttl=62 time=3.11 ms
64 bytes from 192.168.222.222: icmp_seq=6 ttl=62 time=3.71 ms
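The following is an added example, not part of the original article and not strongSwan project code. It ties the Configuration Procedure and the Configuration Verification together in one POSIX shell script: it renders the ipsec.secrets and ipsec.conf shown above from variables, refuses placeholder keys such as "ipsec-key", writes both files with owner-only permissions and persistent sysctl settings, and parses strongswan statusall output (the format shown above) to report whether the tunnel is actually ESTABLISHED/INSTALLED rather than only ROUTED or CONNECTING. The addresses default to this page's topology; the script name tunnel.sh, the sysctl.d file name and the PSK policy (20+ characters, no well-known placeholders) are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this page (not from the original article or the strongSwan
# project). Assumed: this page's addresses, the CentOS /etc/strongswan layout,
# and the PSK policy below. Usage:
#   sh tunnel.sh install '<strong-psk>'        (as root)
#   strongswan statusall | sh tunnel.sh check

LOCAL_IP="${LOCAL_IP:-192.168.222.222}"       # real address of the customer server (left)
LOCAL_NAT_IP="${LOCAL_NAT_IP:-22.22.22.22}"   # its one-to-one NAT address, used as leftid
LOCAL_SUBNET="${LOCAL_SUBNET:-192.168.222.0/24}"
PEER_IP="${PEER_IP:-11.11.11.11}"             # VPN gateway of the VPC (right)
PEER_SUBNET="${PEER_SUBNET:-192.168.200.0/24}"
CONN_NAME="${CONN_NAME:-strong_ipsec}"
CONF_DIR="${CONF_DIR:-/etc/strongswan}"

# Returns 0 when the PSK is at least 20 characters and is not one of the
# placeholder values that get copied from examples unchanged (assumed policy).
psk_is_strong() {
    psk="$1"
    [ "${#psk}" -ge 20 ] || return 1
    case "$psk" in
        ipsec-key|password|changeme|secret|123456) return 1 ;;
    esac
    return 0
}

# ipsec.secrets line in the format documented on this page:
# <local ID (NAT IP)> <VPN gateway IP> : PSK "<key>"
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$LOCAL_NAT_IP" "$PEER_IP" "$1"
}

# ipsec.conf with the parameters used on this page. The trailing "!" makes
# each proposal strict, so the peer must offer exactly these algorithms.
render_conf() {
    cat <<EOF
config setup

conn ${CONN_NAME}
    auto=route
    type=tunnel
    compress=no
    leftauth=psk
    rightauth=psk
    ikelifetime=86400s
    lifetime=3600s
    keyexchange=ikev1
    ike=aes128-sha1-modp1536!
    esp=aes128-sha1-modp1536!
    leftid=${LOCAL_NAT_IP}
    left=${LOCAL_IP}
    leftsubnet=${LOCAL_SUBNET}
    rightid=${PEER_IP}
    right=${PEER_IP}
    rightsubnet=${PEER_SUBNET}
EOF
}

# Reads "strongswan statusall" output on stdin. Returns 0 only when the IKE SA
# of CONN_NAME is ESTABLISHED and its child SA is INSTALLED; a CONNECTING IKE SA
# or a merely ROUTED child (as in the capture on this page) counts as not up.
tunnel_is_up() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q "${CONN_NAME}\[[0-9]*]: ESTABLISHED" || return 1
    printf '%s\n' "$status" | grep -q "${CONN_NAME}{[0-9]*}: *INSTALLED, TUNNEL" || return 1
    return 0
}

# Writes both files readable by root only, and makes IPv4 forwarding and the
# rp_filter setting persistent via sysctl.d instead of one-off echo commands.
# Existing interfaces are cleared too, because the kernel applies the stricter
# of the "all" and per-interface rp_filter values. Needs root.
install_config() {
    psk="$1"
    psk_is_strong "$psk" || { echo "refusing weak or placeholder PSK" >&2; return 1; }
    umask 077
    render_secrets "$psk" > "$CONF_DIR/ipsec.secrets"
    render_conf > "$CONF_DIR/ipsec.conf"
    chmod 600 "$CONF_DIR/ipsec.secrets"
    printf '%s\n' 'net.ipv4.ip_forward = 1' \
        'net.ipv4.conf.all.rp_filter = 0' 'net.ipv4.conf.default.rp_filter = 0' \
        > /etc/sysctl.d/90-ipsec.conf          # file name assumed for this example
    sysctl -p /etc/sysctl.d/90-ipsec.conf
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"; done
}

case "${1:-}" in
    install) install_config "$2" ;;
    check)   tunnel_is_up && echo "tunnel up" || { echo "tunnel NOT up" >&2; exit 1; } ;;
esac
```

The check sub-command is the one a monitoring job should run after the service restart: the page's own capture would make it exit non-zero, which is the correct answer at that moment, since a ROUTED-only child SA means no packet has yet triggered the negotiation and nothing is protected yet.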