openswan IPSec


 

Introduction

This article walks through setting up an IPsec VPN and uses it to connect, over the public Internet, two VPC subnets located in Meituan Cloud's Shanghai and Beijing data centers.
Because Meituan Cloud's classic network restricts ip_filter at the network controller, before connecting the two sides make sure both networks are in VPCs and that their subnet ranges do not overlap.
The deployment environment is CentOS 6.5.


I. Network model

The goal is that the host left-client in the left-hand VPC can ping the private IP of right-client in the right-hand VPC.

(figure: network topology)


II. Environment configuration

The environment configuration here applies mainly to the two hosts used as gateways: left-gw and right-gw.

1 Kernel parameters

# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0

Disable ICMP redirects:

# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
# sysctl -p

2 OpenSwan configuration

Install OpenSwan (ipsec) with yum:

sudo yum -y install openswan

After installation you can see that the version actually installed is Libreswan 3.15, because the original OpenSwan is no longer maintained.

# ipsec --version
Linux Libreswan 3.15 (netkey) on 2.6.32-696.1.1.el6.x86_64

Run ipsec verify to confirm the configuration is sound:

# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                        [OK]
Libreswan 3.15 (netkey) on 2.6.32-431.1.2.0.1.el6.x86_64
Checking for IPsec support in kernel                   [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                   [OK]
         ICMP default/accept_redirects                 [OK]
         XFRM larval drop                              [OK]
Pluto ipsec.conf syntax                                [OK]
Hardware random device                                 [N/A]
Two or more interfaces found, checking IP forwarding   [OK]
Checking rp_filter                                     [OK]
Checking that pluto is running                         [OK]
 Pluto listening for IKE on udp 500                    [OK]
 Pluto listening for IKE/NAT-T on udp 4500             [OK]
Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                  [OK]
Checking 'iptables' command                            [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options               [OK]
Opportunistic Encryption                               [DISABLED]

Edit the configuration file with vim /etc/ipsec.conf:

version 2

# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    # netkey is the module built into 2.6 kernels; kernels older than 2.6 use the KLIPS module
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
    dumpdir=/var/run/pluto/
    # log location
    logfile=/var/log/pluto.log

conn net-to-net
    # authenticate with a pre-shared key
    authby=secret
    type=tunnel
    left=101.236.50.21
    leftsubnet=10.0.1.0/24
    # identifier for this end; any value works, it tells connections apart when there are several
    leftid=@test1
    leftnexthop=%defaultroute
    right=203.76.211.83
    rightsubnet=192.168.0.0/24
    rightid=@test2
    rightnexthop=%defaultroute
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    # add only loads the connection without starting it; start brings it up automatically
    auto=add

Both hosts use exactly the same configuration, so ipsec.conf can simply be copied with scp to the other gw server.

We use pre-shared key (PSK) authentication. On 101.236.50.21:

vim /etc/ipsec.secrets

101.236.50.21 %any 0.0.0.0 : PSK "123"

The format of this file is: "local IP address" "remote IP address" : PSK "your key"

If /etc/ipsec.secrets does not exist yet, you can run the following command to create it first:

ipsec newhostkey --output /etc/ipsec.secrets

Do the corresponding configuration on the right-hand right-gw machine as well.
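Before restarting, it is worth checking the two files against the requirements stated earlier: the subnets on both sides must not overlap, ipsec.conf only recognizes "#" comments (C-style "//" annotations pasted into the real file break parsing), and a PSK such as "123" is far too weak for a tunnel across the public Internet. The following Python snippet is an added example and not part of the original article; the 20-character minimum is an assumed local policy, and the embedded conn block is a constructed cut-down copy of the one above.

```python
import ipaddress
import re

# Constructed input: a cut-down conn block and the secrets line from this article,
# with two "//" annotations left in on purpose so the check can flag them.
IPSEC_CONF = """conn net-to-net
    authby=secret //pre-shared key authentication
    left=101.236.50.21
    leftsubnet=10.0.1.0/24
    leftid=@test1 //identifier for this end
    right=203.76.211.83
    rightsubnet=192.168.0.0/24
"""
IPSEC_SECRETS = '101.236.50.21 %any 0.0.0.0 : PSK "123"\n'

MIN_PSK_CHARS = 20  # assumed local policy, not a value from the article

def parse_conn(text):
    """Return the conn block's key=value pairs and every line that carries a '//'."""
    values, bad_lines = {}, []
    for line in text.splitlines():
        line = line.strip()
        if "//" in line:
            bad_lines.append(line)  # only '#' starts a comment in ipsec.conf
            line = line.split("//", 1)[0].strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values, bad_lines

def check_conn(values, secrets):
    """Problems a reviewer would raise before bringing the tunnel up."""
    problems = []
    left = ipaddress.ip_network(values["leftsubnet"])
    right = ipaddress.ip_network(values["rightsubnet"])
    if left.overlaps(right):  # the article requires disjoint subnets on both sides
        problems.append("leftsubnet and rightsubnet overlap")
    m = re.search(r':\s*PSK\s+"([^"]*)"', secrets)
    if values.get("authby") == "secret" and (m is None or len(m.group(1)) < MIN_PSK_CHARS):
        problems.append("PSK missing or shorter than %d characters" % MIN_PSK_CHARS)
    return problems

def review(conf=IPSEC_CONF, secrets=IPSEC_SECRETS):
    """Run all checks and return the list of findings (empty means clean)."""
    values, bad_lines = parse_conn(conf)
    return check_conn(values, secrets) + ["'//' is not a comment: " + l for l in bad_lines]
```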

Restart the VPN service on both hosts:

service ipsec restart

Start the connection on one of the two hosts:

# ipsec auto --up net-to-net
002 "net-to-net" #1: initiating Main Mode
104 "net-to-net" #1: STATE_MAIN_I1: initiate
003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
003 "net-to-net" #1: received Vendor ID payload [FRAGMENTATION]
003 "net-to-net" #1: received Vendor ID payload [RFC 3947]
002 "net-to-net" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "net-to-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "net-to-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "net-to-net" #1: received Vendor ID payload [CAN-IKEv2]
002 "net-to-net" #1: Main mode peer ID is ID_FQDN: '@test2'
002 "net-to-net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "net-to-net" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:f72303da proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
002 "net-to-net" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5e6e7359 <0x2442c77b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

You can see "IPsec SA established tunnel mode": the connection is up.
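"Established" is not the whole story: the ESP line above reports xfrm=AES_128-HMAC_SHA1 even though phase2alg asks for aes256-sha2_256, so the negotiated algorithms should be compared with the configured ones rather than taken on trust. The Python below is an added example, not part of the original article, and runs that comparison over the two status lines shown above; the mapping from phase2alg names to the names pluto prints after xfrm= is an assumption.

```python
import re

# Constructed sample: the two "established" lines from the ipsec auto --up output in this article.
UP_OUTPUT = """004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5e6e7359 <0x2442c77b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
"""
# What the article's ipsec.conf asked for
CONFIGURED = {"ike": "aes256-sha2_256;modp2048", "phase2alg": "aes256-sha2_256;modp2048"}

def parse_established(output):
    """Pull the negotiated ISAKMP and ESP parameters out of pluto's status lines."""
    result = {}
    m = re.search(r"ISAKMP SA established \{([^}]*)\}", output)
    if m:
        result["isakmp"] = dict(kv.split("=", 1) for kv in m.group(1).split())
    m = re.search(r"IPsec SA established .*?xfrm=([A-Za-z0-9_]+)-([A-Za-z0-9_]+)", output)
    if m:
        result["esp"] = {"cipher": m.group(1), "integ": m.group(2)}
    return result

def expected_esp(phase2alg):
    """Assumed mapping from a phase2alg value such as 'aes256-sha2_256;modp2048'
    to the names pluto prints after xfrm=, here ('AES_256', 'HMAC_SHA2_256')."""
    cipher, integ = phase2alg.split(";")[0].split("-", 1)
    m = re.match(r"([a-z]+)(\d+)", cipher)
    return m.group(1).upper() + "_" + m.group(2), "HMAC_" + integ.upper()

def check_negotiation(output, configured):
    """Return mismatches between the configured and the actually established algorithms."""
    got = parse_established(output)
    issues = []
    if "isakmp" not in got:
        issues.append("no ISAKMP SA established")
    if "esp" not in got:
        issues.append("no IPsec SA established")
        return issues
    want_cipher, want_integ = expected_esp(configured["phase2alg"])
    if got["esp"]["cipher"] != want_cipher:
        issues.append("ESP cipher is %s, configured %s" % (got["esp"]["cipher"], want_cipher))
    if got["esp"]["integ"] != want_integ:
        issues.append("ESP integrity is %s, configured %s" % (got["esp"]["integ"], want_integ))
    return issues
```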

3 Adding routes

Because the VPN gateway feature has not yet been released on the public cloud, the routes have to be added inside the VMs:

On 10.0.1.3 (left-client), run:

# route add -net 192.168.0.0/24 gw 10.0.1.2 dev eth0   ## point the route to the right-hand subnet at the left gateway host (left-gw)

On 101.236.50.21 (left-gw), run:

# route add -net 192.168.0.0/24 gw 101.236.50.21 dev eth1   ## point the route to the right-hand subnet at this host's own public IP so the traffic leaves through the IPsec tunnel

On 203.76.211.83 (right-gw), run:

# route add -net 10.0.1.0/24 gw 203.76.211.83 dev eth1   ## point the route to the left-hand subnet at this host's own public IP

On 192.168.0.2 (right-client), run:

# route add -net 10.0.1.0/24 gw 192.168.0.4 dev eth0   ## point the route to the left-hand subnet at right-gw's private IP

IV. Verification

Ping right-client's private IP from left-client to confirm that the two networks are connected.
Note also that the two gw VMs cannot ping each other's private IPs directly.

# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:22:40:CA:A9:27
          inet addr:10.0.1.3  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::222:40ff:feca:a927/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4539749 (4.3 MiB)  TX bytes:1410635 (1.3 MiB)

# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=62 time=26.5 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=62 time=26.0 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=62 time=26.0 ms
64 bytes from 192.168.0.2: icmp_seq=4 ttl=62 time=26.0 ms
^C
--- 192.168.0.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3371ms
rtt min/avg/max/mdev = 26.006/26.164/26.534/0.214 ms

Summary

This article used pre-shared key (PSK) authentication; other options include RSA signature authentication (RSA digital signatures) and digital certificate authentication (X.509 certificates).

