Updated: 2023-12-05 GMT+08:00

Example: Using OpenSwan to Connect an On-Premises Network to the Cloud

Scenario

A VPN gateway and a VPN connection have been purchased in a VPC on the cloud. On the customer side, a host running IPsec software peers with the cloud gateway; this host sits behind a one-to-one NAT mapping at the customer's network egress.

Topology

The topology and the negotiation policy configuration for this scenario are shown in Figure 1.

VPN gateway IP of the cloud VPC: 11.11.11.11; cloud-side subnet: 192.168.200.0/24.

NAT-mapped IP of the customer host: 22.22.22.22; customer-side subnet: 192.168.222.0/24.

The local IP addresses of the cloud ECS and the customer host are 192.168.200.200 and 192.168.222.222, respectively.

The VPN connection negotiation parameters use the Huawei Cloud default settings.

Figure 1 Topology and negotiation policy configuration

Procedure

This example configures the Openswan IPsec client on CentOS 6.8.

  1. Install the Openswan client.

    yum install -y openswan

  2. Enable IPv4 forwarding.

    vim /etc/sysctl.conf

    1. Add the following line to the configuration file:
      net.ipv4.ip_forward = 1
    2. Run /sbin/sysctl -p to make the forwarding setting take effect.

  3. Configure iptables.

    Confirm that the firewall is disabled or that it allows forwarded traffic. Query it with iptables -L; with no filtering rules in place the output looks like this:
    iptables -L
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination

  4. Configure the pre-shared key.

    vim /etc/ipsec.d/open_IPsec.secrets

    Add the following line to the file:
    22.22.22.22 11.11.11.11 : psk "IPsec-key"

    Format: local IP used for the connection, space, remote gateway IP, space, colon, space, the keyword PSK, space, the pre-shared key. There must be a space on both sides of the colon, PSK may be written in either case, and the key is enclosed in double quotes.

  5. Configure the IPsec connection.

    vim /etc/ipsec.d/open_IPsec.conf

    Add the following to the file:
    conn openswan_IPsec                 # connection name: openswan_IPsec
      type=tunnel                       # tunnel mode
      auto=start                        # one of add, route or start

      left=192.168.222.222              # local IP; in a NAT scenario use the host's real address
      leftid=22.22.22.22                # local identity (ID)
      leftsourceip=22.22.22.22          # with NAT, the source address is the post-NAT IP
      leftsubnet=192.168.222.0/24       # local subnet
      leftnexthop=22.22.22.1            # in a NAT scenario the next hop is the post-NAT gateway IP
      right=11.11.11.11                 # remote VPN gateway IP
      rightid=11.11.11.11               # remote identity (ID)
      rightsourceip=11.11.11.11         # remote source address is the VPN gateway IP
      rightsubnet=192.168.200.0/24      # remote subnet
      rightnexthop=%defaultroute        # remote route follows the default route

      authby=secret                     # authentication method: PSK
      keyexchange=ike                   # IKE key exchange
      ike=aes128-sha1;modp1536          # IKE phase algorithms and DH group, matching the peer's configuration
      ikev2=never                       # disable IKEv2
      ikelifetime=86400s                # IKE phase lifetime

      phase2=esp                        # phase 2 transport format
      phase2alg=aes128-sha1;modp1536    # IPsec phase algorithms and group, matching the peer; modp1536 = DH group 5
      pfs=yes                           # enable PFS
      compress=no                       # disable compression
      salifetime=3600s                  # phase 2 lifetime
    After the configuration is complete, run ipsec verify to validate it. If every item in the output reports OK, the configuration is correct.
    ipsec verify
    Verifying installed system and configuration files
    Version check and IPsec on-path                             [OK]
    Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
    Checking for IPsec support in kernel                                 [OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects              [OK]
             ICMP default/accept_redirects            [OK]
             XFRM larval drop                         [OK]
    Pluto IPsec.conf syntax                           [OK]
    Two or more interfaces found, checking IP forwarding[OK]
    Checking rp_filter                                [OK]
    Checking that pluto is running                    [OK]
     Pluto listening for IKE on udp 500               [OK]
     Pluto listening for IKE/NAT-T on udp 4500        [OK]
     Pluto IPsec.secret syntax                        [OK]
    Checking 'ip' command                             [OK]
    Checking 'iptables' command                       [OK]
    Checking 'prelink' command does not interfere with FIPS[OK]
    Checking for obsolete IPsec.conf options          [OK]
    If the output instead shows the following error:
    Checking rp_filter                                  [ENABLED]
     /proc/sys/net/ipv4/conf/default/rp_filter          [ENABLED]
     /proc/sys/net/ipv4/conf/lo/rp_filter               [ENABLED]
     /proc/sys/net/ipv4/conf/eth0/rp_filter             [ENABLED]
     /proc/sys/net/ipv4/conf/eth1/rp_filter             [ENABLED]
     /proc/sys/net/ipv4/conf/ip_vti01/rp_filter             [ENABLED]
    resolve it with the following commands (these take effect immediately but do not survive a reboot; as with ip_forward in step 2, add the matching net.ipv4.conf.*.rp_filter = 0 entries to /etc/sysctl.conf to make them persistent):
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/ip_vti01/rp_filter

  6. Start the service.

    service ipsec stop # stop the service

    service ipsec start # start the service

    service ipsec restart # restart the service

    ipsec auto --down openswan_IPsec # bring the connection down

    ipsec auto --up openswan_IPsec # bring the connection up

    After every configuration change, restart the service and bring the connection up again.

Verification

Query the IPsec status with ipsec --status; the result (excerpt) looks like this:
Connection list:
000  
000 "openswan_IPsec": 192.168.222.0/24===192.168.222.222<192.168.222.222>[22.22.22.22]---22.22.22.1...11.11.11.11<11.11.11.11>===192.168.200.0/24; erouted; eroute owner: #30
000 "openswan_IPsec":     oriented; my_ip=22.22.22.22; their_ip=11.11.11.11; my_updown=IPsec _updown;
000 "openswan_IPsec":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "openswan_IPsec":   our auth:secret, their auth:secret
000 "openswan_IPsec":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "openswan_IPsec":   labeled_IPsec:no;
000 "openswan_IPsec":   policy_label:unset;
000 "openswan_IPsec":   ike_life: 86400s; IPsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "openswan_IPsec":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "openswan_IPsec":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "openswan_IPsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "openswan_IPsec":   conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "openswan_IPsec":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "openswan_IPsec":   our idtype: ID_IPV4_ADDR; our id=1.1.1.1; their idtype: ID_IPV4_ADDR; their id=2.2.2.2
000 "openswan_IPsec":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "openswan_IPsec":   newest ISAKMP SA: #3; newest IPsec SA: #30;
000 "openswan_IPsec":   IKE algorithms: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_IPsec":   IKE algorithm newest: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_IPsec":   ESP algorithms: AES_CBC_128-HMAC_SHA1_96-MODP1536
000 "openswan_IPsec":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000  
000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #3: "openswan_IPsec":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 15087s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #30: "openswan_IPsec":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1744s; newest IPsec; eroute owner; isakmp#3; idle; import:admin initiate
000 #30: "openswan_IPsec" esp.b810a24@11.11.11.11 esp.aab7b496@192.168.222.222 tun.0@11.11.11.11 tun.0@192.168.222.222 ref=0 refhim=0 Traffic: ESPin=106KB ESPout=106KB! ESPmax=4194303B
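Reading the status output by eye is error-prone, so here is an added example (not part of the original page or of Openswan) that checks an `ipsec --status` dump against what step 5's open_IPsec.conf asked for: subnets, identities, negotiated IKE/ESP algorithms and PFS group, lifetimes, the policy flags, and whether both the ISAKMP and the IPsec SA are established and the connection is erouted. The STATUS text is a constructed excerpt modelled on the page's sample, with the id fields set to the configured leftid/rightid; the hostnames and addresses are the page's example values.

```python
import re

# Constructed excerpt of `ipsec --status`, modelled on the page's sample; the ids are set
# to the configured leftid/rightid and all addresses are the page's example addresses.
STATUS = """\
000 "openswan_IPsec": 192.168.222.0/24===192.168.222.222<192.168.222.222>[22.22.22.22]---22.22.22.1...11.11.11.11<11.11.11.11>===192.168.200.0/24; erouted; eroute owner: #30
000 "openswan_IPsec":   ike_life: 86400s; IPsec_life: 3600s; replay_window: 32; rekey_margin: 540s;
000 "openswan_IPsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "openswan_IPsec":   our idtype: ID_IPV4_ADDR; our id=22.22.22.22; their idtype: ID_IPV4_ADDR; their id=11.11.11.11
000 "openswan_IPsec":   IKE algorithm newest: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_IPsec":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000 #3: "openswan_IPsec":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 15087s; newest ISAKMP
000 #30: "openswan_IPsec":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1744s; newest IPsec
"""

# What the page's open_IPsec.conf asks for, in the notation `ipsec --status` prints:
# each regex's group 1 is the observed value, compared against the expected value.
EXPECTED = {
    "leftsubnet":  (r'^000 "[^"]+": ([\d./]+)===',      "192.168.222.0/24"),
    "rightsubnet": (r'===([\d./]+); erouted',           "192.168.200.0/24"),
    "leftid":      (r'our id=([^;\s]+)',                "22.22.22.22"),     # leftid=
    "rightid":     (r'their id=(\S+)',                  "11.11.11.11"),     # rightid=
    "ike":         (r'IKE algorithm newest: (\S+)',     "AES_CBC_128-HMAC_SHA1-MODP1536"),  # ike=aes128-sha1;modp1536
    "esp":         (r'ESP algorithm newest: ([^;\s]+)', "AES_CBC_128-HMAC_SHA1_96"),        # phase2alg=aes128-sha1
    "pfsgroup":    (r'pfsgroup=(\S+)',                  "MODP1536"),        # pfs=yes, DH group 5
    "ike_life":    (r'ike_life: ([^;\s]+)',             "86400s"),          # ikelifetime=
    "ipsec_life":  (r'IPsec_life: ([^;\s]+)',           "3600s"),           # salifetime=
}

def check_status(status: str, conn: str = "openswan_IPsec", expected: dict = EXPECTED) -> list:
    """List every mismatch between the status output and the intended config; [] means all good."""
    text = "\n".join(l for l in status.splitlines() if f'"{conn}"' in l)
    problems = []
    for name, (pattern, want) in expected.items():
        m = re.search(pattern, text, re.MULTILINE)
        got = m.group(1) if m else None
        if got != want:
            problems.append(f"{name}: expected {want!r}, got {got!r}")
    policy = re.search(r'policy: ([^;\s]+)', text)
    for flag in ("PSK", "ENCRYPT", "TUNNEL", "PFS"):  # authby=secret, type=tunnel, pfs=yes
        if not policy or flag not in policy.group(1).split("+"):
            problems.append(f"policy flag {flag} missing")
    for phase in ("ISAKMP SA established", "IPsec SA established"):  # phase 1 and phase 2
        if phase not in text:
            problems.append(phase.replace("established", "NOT established"))
    if "; erouted;" not in text:  # kernel eroute installed, so traffic is actually steered into the tunnel
        problems.append("connection not erouted")
    return problems
```

On a live host, feed the real output in with `check_status(subprocess.run(["ipsec", "--status"], capture_output=True, text=True).stdout)` and treat a non-empty list as a failed verification.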