版权声明:本文为原创文章,允许转载,转载时请务必以超链接形式标明文章 原始出处 、作者信息和本声明。 https://blog.csdn.net/fgf00/article/details/79917330
一、环境:
VPN server(IKE 对外地址 / 内网网关地址)            内网主机 Client
leftServer : 192.168.19.131 / 192.168.7.10           leftClient : 192.168.7.20   <-- gw: 192.168.7.10
rightServer: 192.168.19.132 / 10.200.0.10            rightClient: 10.200.0.20    <-- gw: 10.200.0.10
这里未开启防火墙,网上有的文章写着需要配置 Linux iptables 防火墙的 SNAT 等转发策略,其实是不需要配置的。如果开启防火墙,放行相关端口即可:IKE 使用 UDP 500,NAT-T 使用 UDP 4500(对应下文 ipsec verify 的监听检查);此外还需放行 ESP 协议(IP 协议号 50,它是协议而不是端口)。
这里采用rsa和psk两种方式实现vpn 点对点连接
二、openswan 安装部署
下载地址: https://download.openswan.org/openswan/
1、安装启动openswan
安装依赖包:
# Build-time dependencies for compiling openswan from source on CentOS/RHEL:
# gmp-devel (multi-precision arithmetic headers) and the bison/flex parser generators.
yum -y install gmp-devel bison flex
安装:
# Build inside the unpacked openswan source tree (download link above), then install
# as root; the init script used below (/etc/init.d/ipsec) comes from this install.
make programs
sudo make install
启动:
/etc/init.d/ipsec start # start the IKE daemon (pluto)
netstat -lnput |grep pluto # confirm pluto is listening; per the 'ipsec verify' output below, expect udp 500 (IKE) and udp 4500 (NAT-T)
2、基础环境,内核参数等配置修改
基础环境依赖、状态查看 ipsec verify
[root@LeftServer openswan-2.6.50]# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.50/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
Checking that pluto is running [FAILED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
ipsec verify: encountered errors
解决,如上文件更新配置:
# Turn off reverse-path filtering at runtime; 'ipsec verify' above flags it as ENABLED
# because strict source-address checks can drop decapsulated tunnel packets.
# NOTE(review): writes to /proc do not survive a reboot. The sysctl.conf change further
# down persists only 'default', so 'all' and the per-interface values revert on restart
# unless they are added there too. rp_filter=2 (loose mode) keeps a weaker check in
# place and may be sufficient instead of 0 — confirm with 'ipsec verify'.
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
配置服务器路由转发功能等操作
vim /etc/sysctl.conf
# Enable IPv4 forwarding so the gateway can route between the tunnel and its inner subnet
# ('ipsec verify' checks this under "checking IP forwarding").
# sysctl.conf only treats lines that begin with # or ; as comments, so keep comments on
# their own line rather than after a value.
net.ipv4.ip_forward = 1
# Persist rp_filter=0 for interfaces created later. NOTE(review): only 'default' is
# persisted here; the 'all' and per-interface values written to /proc above revert at
# reboot — add net.ipv4.conf.all.rp_filter = 0 (and per-interface keys) if they are needed.
net.ipv4.conf.default.rp_filter = 0
# Disable ICMP redirects (both accept_ and send_), which 'ipsec verify' reports as
# [NOT DISABLED] for NETKEY: take every ipv4 *accept_redirects / *send_redirects key that
# sysctl currently reports, append "<key> = 0" to /etc/sysctl.conf, then apply the file.
# NOTE(review): the append is unconditional — running it twice leaves duplicate lines,
# so check /etc/sysctl.conf before re-running. Errors 'sysctl -a' prints for unreadable
# keys go to stderr and do not enter the pipeline.
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
sysctl -p
最终检查效果如下:
[root@LeftServer openswan-2.6.50]# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.50/K2.6.32-504.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
三、VPN 配置 (这里先使用 RSA Signatures 方式)
vim /etc/ipsec.conf
config setup # settings for the pluto daemon itself, not for a connection
# Send pluto's stderr output to a dedicated log file; presumably the log errors quoted at
# the end of the page come from such a file.
plutostderrlog=/var/log/pluto.log
# protostack=auto # commented out: select the kernel NETKEY/XFRM stack explicitly, matching the "(netkey)" shown by 'ipsec verify'
protostack=netkey
# Pull in the per-connection files from /etc/ipsec.d. This line must start in column 0
# (it is a top-level directive, not a parameter of 'config setup') and goes at the end.
include /etc/ipsec.d/*.conf
在left服务器里
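# On the left gateway: print this host's RSA public key as a ready-made
# "leftrsasigkey=0s..." line for pasting into the conn below. Only the public half is
# exported; the blog rendered the double hyphen as an en-dash, the option is --left.
ipsec showhostkey --left > leftrsasigkey.tmp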
再到right服务器里,
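# On the right gateway: same as above, emitting a "rightrsasigkey=0s..." line.
# The blog rendered the double hyphen as an en-dash; the option is --right.
ipsec showhostkey --right > rightrsasigkey.tmp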
编辑vpn配置文件
vim /etc/ipsec.d/vpn_test.conf
下面的IP网络信息根据具体环境配置,rsakey 根据两台vpn上面生成的信息配置。
# conn "test": site-to-site tunnel between the two gateways, authenticated with RSA
# signatures (the *rsasigkey values at the end). NOTE(review): ipsec.conf expects the
# parameters of a conn to be indented — a line starting in column 0 begins a new section —
# and the indentation appears to have been lost in this listing; restore it when copying.
conn test
auto=start # load and initiate the tunnel when ipsec starts (both ends use start here)
# NOTE(review): PFS is disabled here, but the 'ipsec auto --status' output further down
# reports a policy containing PFS and an IKE group of MODP2048 — confirm that pluto is
# loading this file (the include line in ipsec.conf) and that both gateways carry the same conn.
pfs=no # Perfect Forward Secrecy for phase 2 rekeys
compress=no # no IP compression inside the tunnel
type=tunnel
keyingtries=0 # 0 = keep retrying the negotiation without limit
disablearrivalcheck=no
## phase 1 ##
# modp1024 (DH group 2) is considered weak today; modp2048, which the status output shows
# being negotiated, is the safer choice when both peers support it.
ike=aes128-sha1;modp1024 # phase 1 (IKE SA) proposal: cipher-hash;DH group
ikelifetime=86400s # phase 1 SA lifetime; the status output shows ike_life: 3600s — see the note on pfs
keyexchange=ike
## phase 2 ##
phase2alg=aes128-sha1 # phase 2 (ESP SA) proposal
salifetime=3600s # phase 2 SA lifetime; the status output shows ipsec_life: 28800s — same caveat
phase2=esp
left=192.168.19.131 # left gateway's outer address, used for IKE
leftid=@left # IKE identity of this side; the peer's rightid/leftid must match it
leftsubnet=192.168.7.0/24 # inner network behind left — only traffic between the two subnets is tunnelled
# NOTE(review): leftsourceip lies outside leftsubnet, so traffic originating from the
# gateway itself is not covered by the tunnel selectors; this is probably why the ping from
# the gateway fails in the test section while inner hosts succeed.
leftsourceip=192.168.19.131
leftnexthop=%defaultroute
right=192.168.19.132 # right gateway's outer address
rightid=@right
rightsubnet=10.200.0.0/24 # inner network behind right
rightsourceip=192.168.19.132 # same caveat as leftsourceip
rightnexthop=%defaultroute
# rsakey AQNevAdMU — left gateway's RSA public key, from 'ipsec showhostkey --left'
leftrsasigkey=0sAQNevAdMUsW9oHDbKIAyon6EoyVxZcTJAl6v43H78Za138JFPSJwWUcaJAxoFdimZwbRVoYdHKluLW1zNdDZvxrh7qkE+1fcDkl+3mNtkFApji5sDIiacaiDKRuZ7KVbMQqsc9IUtp0871bW35PRcHX1qFSqQCjp0beV+C6YuHeKOuKPADloyrtRxsMdnoEATkMgmAjREO/s/jPzv46Zv5jYDfwS6FB3sNcr13IK06/IHfR5uuzXCaVL5+qNYO1goVXnld3XcnbxYIdztQnTyuy2gOf22GoDzKU+U0C9DBNedOm71tV4iEG1Z1Z5qRRuybdiXVDH8x/opbf7iKggQSD5urWRxLjJ9Hsi6IlBYAE8YXqT
# rsakey AQPuMo1iQ — right gateway's RSA public key, from 'ipsec showhostkey --right'
rightrsasigkey=0sAQPuMo1iQJg4bZo+sYkNF2ikNgjvxoZFZxUWWCgdLY4ldOCWHJP9zwBuUxxHl9uf+FE931cH5yTYGF5oeaM6de8CGiaNM8fRTtm3UFH4kPcP1fX9fbBUK7w2+1oZIPX5pj9mqayOU6Bu16vnd40gC47kmEq4nGpiguQK8JlyY7qjoSFuW1lWBt061z1RAaI2C021L4xW+h4qQk/a+wr7NjAi1vbWPb4YRW0Au3ByXecbTNCbnyRHuid0/PgmzcG4iD9X6ZrHjv6En4OK+YZ9YHakoxejdBXfmAvBA6RAdNDZi2ePa1l4xpFJ85QkKcuR0xetINoXZI0GZTjQ2XhbLpmbGWJpRIhl7CxtKC9i8pzIN0Fj
重启ipsec
# Restart pluto so the new conn file under /etc/ipsec.d (picked up via the include line
# in ipsec.conf) is loaded; run on both gateways.
/etc/init.d/ipsec restart
查看隧道有没有建立成功:
[root@LeftServer ipsec.d]# /etc/init.d/ipsec status
IPsec running - pluto pid: 12128
pluto pid 12128
1 tunnels up
some eroutes exist
# 查看详细信息,有如下信息
[root@RightServer ipsec.d]# ipsec auto --status
000 "test": 10.200.0.0/24===192.168.19.132[@right]---192.168.19.2...192.168.19.2---192.168.19.131[@left]===192.168.7.0/24; erouted; eroute owner: #2
000 "test": myip=192.168.19.132; hisip=192.168.19.131;
000 "test": keys: 1:F05F 62CD B44D 4040 EADD 5498 C17B 579F EE88 7648 2:none...
000 "test": ....1:6F58 C687 501D C49C 1A21 5822 4119 F549 D2BB 6951 2:none
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth0; kind=CK_PERMANENT
000 "test": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2;
000 "test": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
查看日志文件,也会有相关信息
客户端配置路由信息:
主机:LiftClinet
[root@LiftClinet ~]# route add -net 10.200.0.0 netmask 255.255.255.0 gw 192.168.7.10 dev eth0
主机:RightClient
[root@RightClient ~]# route add -net 192.168.7.0 netmask 255.255.255.0 gw 10.200.0.10 dev eth0
[root@RightClient ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.7.0 10.200.0.10 255.255.255.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
- vpn测试:
[root@LiftClinet ~]# ping 10.200.0.20 -c 2
PING 10.200.0.20 (10.200.0.20) 56(84) bytes of data.
64 bytes from 10.200.0.20: icmp_seq=1 ttl=62 time=9.28 ms
64 bytes from 10.200.0.20: icmp_seq=2 ttl=62 time=1.58 ms
# 注:VPN 网关自身是不能 ping 通对端内网 IP 地址的(很可能是因为网关自身发出的流量源地址为 leftsourceip 指定的外网地址,不在 leftsubnet 内,不会进入隧道)。不过内网主机可以 ping 通对端 VPN 的内网 IP
[root@LeftServer ipsec.d]# ping 10.200.0.20 -c 2
PING 10.200.0.20 (10.200.0.20) 56(84) bytes of data.
^C
--- 10.200.0.20 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 2844ms
tcpdump 抓包
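# Capture packets on eth0 from the given source address, without name/port resolution
# (-nn). The original line ran the interface name and the option together as "eth0-nn".
# NOTE(review): 10.200.0.12 does not appear in the environment table at the top (the right
# client is 10.200.0.20) — adjust to the host being tested. On the gateway, traffic that
# has already entered the tunnel appears on the outer interface as ESP, so a filter on an
# inner source address is expected to match only before encapsulation.
tcpdump -i eth0 -nn src 10.200.0.12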
四、psk方式实现vpn的连接
两个 VPN server 上均添加同一个预共享密钥(PSK)
vim /etc/ipsec.secrets,最后面添加:
# Format: the IDs this secret applies to (here IP addresses), then ": PSK" and the key.
# The author's annotation reads: peer VPN IP, local IP, pre-shared key.
# NOTE(review): 0.0.0.0 and %any are wildcards, so this PSK is offered to any peer; on a
# point-to-point link list only the two gateway addresses used in the conn
# (192.168.19.131 and 192.168.19.132). Replace "mysecret" with a long random value, keep
# /etc/ipsec.secrets readable by root only, and put the same line on both gateways.
192.168.19.131 0.0.0.0 %any: PSK "mysecret"
vim vpn_test.conf
与上面的rsa配置相比,删掉rsakey配置,添加authby=secret,如下
# conn "test", pre-shared-key variant: identical to the RSA conn except that the
# *rsasigkey lines are dropped and authby=secret is added. NOTE(review): ipsec.conf
# expects the parameters of a conn to be indented — a line starting in column 0 begins a
# new section — and the indentation appears lost in this listing; restore it when copying.
conn test
auto=start # load and initiate the tunnel when ipsec starts
pfs=no # Perfect Forward Secrecy for phase 2 rekeys (disabled here)
compress=no # no IP compression inside the tunnel
type=tunnel
keyingtries=0 # 0 = keep retrying the negotiation without limit
disablearrivalcheck=no
## phase 1 ##
# modp1024 (DH group 2) is considered weak today; prefer modp2048 when both peers support it.
ike=aes128-sha1;modp1024 # phase 1 (IKE SA) proposal: cipher-hash;DH group
ikelifetime=86400s # phase 1 SA lifetime
keyexchange=ike
## phase 2 ##
phase2alg=aes128-sha1 # phase 2 (ESP SA) proposal
salifetime=3600s # phase 2 SA lifetime
phase2=esp
left=192.168.19.131 # left gateway's outer address, used for IKE
leftid=@left # IKE identity of this side; the peer's configuration must carry the same value
leftsubnet=192.168.7.0/24 # inner network behind left — only traffic between the two subnets is tunnelled
leftsourceip=192.168.19.131 # outside leftsubnet, so the gateway's own traffic is not tunnelled (see the test section)
leftnexthop=%defaultroute
right=192.168.19.132 # right gateway's outer address
rightid=@right
rightsubnet=10.200.0.0/24 # inner network behind right
rightsourceip=192.168.19.132 # same caveat as leftsourceip
rightnexthop=%defaultroute
# Authenticate with the pre-shared key from /etc/ipsec.secrets. NOTE(review): the example
# secrets line is indexed by IP address, so presumably the gateway addresses (left/right),
# not leftid/rightid, are what select the secret — confirm on both sides.
authby=secret # authenticate with a pre-shared key instead of RSA signatures
五、其他
1、日志报错:
packet from 185.13.230.253:500: initial Main Mode message received on 10.200.0.13:0 but no connection has been authorized with policy=RSASIG
错误解决:AWS EC2 的公网 IP 是映射到实例内网 IP 上的,right 使用内网 IP 就不会再报这个错误;或者改用 right=%defaultroute