Virtual Private Network (VPN)
Scenario
A VPN gateway and a VPN connection have been purchased in a VPC on the cloud. On the customer side, IPsec software is installed on a host to peer with the cloud gateway, and that host is mapped one-to-one through NAT at the network egress.
Topology
The topology and policy negotiation parameters for this scenario are shown in Figure 1.
VPN gateway IP of the cloud VPC: 11.11.11.11; local subnet: 192.168.200.0/24.
NAT-mapped IP of the customer host: 22.22.22.22; local subnet: 192.168.222.0/24.
The local IP addresses of the cloud ECS and the customer host are 192.168.200.200 and 192.168.222.222 respectively.
The VPN connection uses the Huawei Cloud default negotiation parameters.
Configuration Steps
This example configures the Openswan IPsec client on CentOS 6.8.
- Install the Openswan client.
yum install -y openswan
- Enable IPv4 forwarding.
vim /etc/sysctl.conf
- Add the following to the configuration file:
net.ipv4.ip_forward = 1
- Run /sbin/sysctl -p to make the forwarding parameter take effect.
- iptables configuration.
Confirm that the firewall is disabled or that forwarding of the tunnel traffic is allowed. Query command: iptables -L
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
- Pre-shared key configuration.
vim /etc/ipsec.d/open_ipsec.secrets
Add the following to the configuration file:
22.22.22.22 11.11.11.11 : PSK "ipsec-key"
Format: local IP used for the connection, space, remote gateway IP, space, colon, space, PSK, space, pre-shared key. There is a space on each side of the colon, PSK may be written in either case, and the key is enclosed in double quotes.
- IPsec connection configuration.
vim /etc/ipsec.d/open_ipsec.conf
Add the following to the configuration file:
conn openswan_ipsec                # connection name: openswan_ipsec
    type=tunnel                    # tunnel mode
    auto=start                     # add, route or start
    left=192.168.222.222           # local IP; in the NAT scenario use the host's real address
    leftid=22.22.22.22             # local identity
    leftsourceip=22.22.22.22       # with NAT, the source address is the post-NAT IP
    leftsubnet=192.168.222.0/24    # local subnet
    leftnexthop=22.22.22.1         # in the NAT scenario the next hop is the post-NAT gateway IP
    right=11.11.11.11              # remote VPN gateway IP
    rightid=11.11.11.11            # remote identity
    rightsourceip=11.11.11.11      # remote source address: the VPN gateway IP
    rightsubnet=192.168.200.0/24   # remote subnet
    rightnexthop=%defaultroute     # remote route follows the default route
    authby=secret                  # authentication method: PSK
    keyexchange=ike                # IKE key exchange
    ike=aes128-sha1;modp1536       # IKE phase algorithms and DH group, matching the peer
    ikev2=never                    # disable IKEv2
    ikelifetime=86400s             # IKE phase lifetime
    phase2=esp                     # phase 2 transport format
    phase2alg=aes128-sha1;modp1536 # IPsec phase algorithms and DH group, matching the peer; modp1536 = DH group 5
    pfs=yes                        # enable PFS
    compress=no                    # disable compression
    salifetime=3600s               # phase 2 lifetime
- In NAT traversal scenarios, forceencaps=yes can be configured as needed.
- For the bit lengths corresponding to the DH groups used by Huawei Cloud VPN, see .
After configuration, validate the configuration items with ipsec verify. If every item in the output is [OK], the configuration is successful.
ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]
If the output contains the following error:
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti01/rp_filter             [ENABLED]
resolve it with the following commands:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ip_vti01/rp_filter
- Start the service.
service ipsec stop                  # stop the service
service ipsec start                 # start the service
service ipsec restart               # restart the service
ipsec auto --down openswan_ipsec    # bring the connection down
ipsec auto --up openswan_ipsec      # bring the connection up
After every configuration change, restart the service and bring the connection up again.
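The following script is an added example, not Huawei Cloud's or the Openswan project's own code. It renders the open_ipsec.secrets and open_ipsec.conf fragments from the steps above, plus a sysctl.d fragment so that the ip_forward and rp_filter settings survive a reboot (the echo commands in the procedure only change the running kernel). The target directory is a parameter, so the result can be inspected in a scratch directory before anything is written under /etc. All addresses and the key are the page's placeholder values, and the assumption that the distribution reads /etc/sysctl.d and includes /etc/ipsec.d/*.conf and *.secrets from its main files is marked in the comments.

```shell
#!/bin/sh
# Added example, not Huawei Cloud's or Openswan's own code. Renders the
# open_ipsec.secrets / open_ipsec.conf fragments from the steps above and a
# persistent sysctl fragment. The target directory is a parameter so the
# output can be inspected in a scratch directory before touching /etc.
# All addresses and the key are the page's placeholder values; replace them.
set -eu

CONN_NAME="openswan_ipsec"
HOST_IP="192.168.222.222"         # real address of the client host (pre-NAT)
NAT_IP="22.22.22.22"              # one-to-one NAT address; used as the local ID
NAT_GW="22.22.22.1"               # next hop after NAT
LOCAL_SUBNET="192.168.222.0/24"
REMOTE_GW="11.11.11.11"           # Huawei Cloud VPN gateway
REMOTE_SUBNET="192.168.200.0/24"
PSK="${PSK:-ipsec-key}"           # take the real key from the environment

# The left-hand ID in the secrets file is the NAT address, because that is
# the ID the cloud gateway sees and matches against; the host address is
# never visible to the peer.
render_secrets() {
    ( umask 077                   # create the file 0600: it holds the PSK
      printf '%s %s : PSK "%s"\n' "$NAT_IP" "$REMOTE_GW" "$PSK" \
          > "$1/ipsec.d/open_ipsec.secrets" )
}

render_conf() {
    cat > "$1/ipsec.d/open_ipsec.conf" <<EOF
conn $CONN_NAME
    type=tunnel
    auto=start
    left=$HOST_IP
    leftid=$NAT_IP
    leftsourceip=$NAT_IP
    leftsubnet=$LOCAL_SUBNET
    leftnexthop=$NAT_GW
    right=$REMOTE_GW
    rightid=$REMOTE_GW
    rightsourceip=$REMOTE_GW
    rightsubnet=$REMOTE_SUBNET
    rightnexthop=%defaultroute
    authby=secret
    keyexchange=ike
    ike=aes128-sha1;modp1536
    ikev2=never
    ikelifetime=86400s
    phase2=esp
    phase2alg=aes128-sha1;modp1536
    pfs=yes
    compress=no
    salifetime=3600s
EOF
}

# sysctl.d fragment (assumption: the distribution reads /etc/sysctl.d) so the
# ip_forward and rp_filter settings survive a reboot; the echo commands in the
# procedure above only change the running kernel.
render_sysctl() {
    cat > "$1/sysctl.d/90-ipsec-vpn.conf" <<'EOF'
net.ipv4.ip_forward = 1
# ipsec verify flags rp_filter [ENABLED] as a failure: the kernel applies the
# stricter of "all" and the per-interface value, so both must be 0.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
EOF
}

# Returns 0 only if the secrets file is readable by its owner alone.
check_secrets_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

render_all() {
    root="$1"
    mkdir -p "$root/ipsec.d" "$root/sysctl.d"
    render_secrets "$root"
    render_conf "$root"
    render_sysctl "$root"
    check_secrets_perms "$root/ipsec.d/open_ipsec.secrets"
}

# Usage: sh render-vpn.sh /tmp/scratch   (inspect, then copy into place)
#        sh render-vpn.sh /etc            (as root; then sysctl --system and
#                                          service ipsec restart)
if [ "${1:-}" != "" ]; then
    render_all "$1"
fi
```

Before using the rendered files, check that the main /etc/ipsec.conf and /etc/ipsec.secrets include the ipsec.d directory (the CentOS packages do this by default); otherwise pluto never reads the fragments and ipsec verify still reports the syntax as [OK].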
Verification
Check the connection list and SA state with ipsec status. A healthy connection looks like this:
000
000 "openswan_ipsec": 192.168.222.0/24===192.168.222.222<192.168.222.222>[22.22.22.22]---22.22.22.1...11.11.11.11<11.11.11.11>===192.168.200.0/24; erouted; eroute owner: #30
000 "openswan_ipsec":     oriented; my_ip=22.22.22.22; their_ip=11.11.11.11; my_updown=ipsec _updown;
000 "openswan_ipsec":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "openswan_ipsec":   our auth:secret, their auth:secret
000 "openswan_ipsec":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "openswan_ipsec":   labeled_ipsec:no;
000 "openswan_ipsec":   policy_label:unset;
000 "openswan_ipsec":   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "openswan_ipsec":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "openswan_ipsec":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "openswan_ipsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "openswan_ipsec":   conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "openswan_ipsec":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "openswan_ipsec":   our idtype: ID_IPV4_ADDR; our id=1.1.1.1; their idtype: ID_IPV4_ADDR; their id=2.2.2.2
000 "openswan_ipsec":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "openswan_ipsec":   newest ISAKMP SA: #3; newest IPsec SA: #30;
000 "openswan_ipsec":   IKE algorithms: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_ipsec":   IKE algorithm newest: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_ipsec":   ESP algorithms: AES_CBC_128-HMAC_SHA1_96-MODP1536
000 "openswan_ipsec":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #3: "openswan_ipsec":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 15087s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #30: "openswan_ipsec":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1744s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #30: "openswan_ipsec" esp.b810a24@11.11.11.11 esp.aab7b496@192.168.222.222 tun.0@11.11.11.11 tun.0@192.168.222.222 ref=0 refhim=0 Traffic: ESPin=106KB ESPout=106KB! ESPmax=4194303B
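The checks below are an added example, not Huawei Cloud's or the Openswan/Libreswan project's own code. They parse the output of the three commands the page relies on (iptables -L for the forwarding policy, ipsec verify for items that are not [OK], and ipsec status for whether a phase 2 SA is established and which ESP algorithm was actually negotiated), so the same test can be run after every change instead of reading the output by eye. Each function reads one command's output on stdin; the sample_* functions emit constructed output modelled on the listings above for offline use, and the expected algorithm name is an assumption taken from the status listing.

```shell
#!/bin/sh
# Added example, not Huawei Cloud's or Libreswan's own code: post-configuration
# checks that parse the output of `iptables -L`, `ipsec verify` and
# `ipsec status` shown above. Each function reads one command's output on
# stdin so it works on saved or live output, e.g.
#   ipsec status | check_status AES_CBC_128-HMAC_SHA1_96
# The sample_* functions emit constructed output for offline testing.
set -eu

# iptables -L: print the FORWARD chain's default policy (ACCEPT, DROP, ...).
forward_policy() {
    sed -n 's/^Chain FORWARD (policy \([A-Z]*\)).*/\1/p'
}

# ipsec verify: print every checked item whose bracketed result is not [OK].
verify_failures() {
    awk '/\[[^]]+\]$/ && !/\[OK\]$/'
}

# ipsec status: succeed only if a phase 2 (IPsec) SA is established.
ipsec_sa_established() {
    grep -q 'IPsec SA established'
}

# ipsec status: print the ESP algorithm actually negotiated for the newest SA.
esp_algorithm_newest() {
    sed -n 's/.*ESP algorithm newest: \([^;]*\);.*/\1/p' | head -n 1
}

# Compare the negotiated algorithm with what the conn block asked for, so a
# peer-side change or a weaker accepted proposal is noticed, not just "up".
check_status() {   # $1 = expected ESP algorithm; stdin = ipsec status output
    tmp=$(mktemp)
    cat > "$tmp"
    rc=0
    if ! ipsec_sa_established < "$tmp"; then
        echo "no IPsec SA established"; rc=1
    fi
    got=$(esp_algorithm_newest < "$tmp")
    if [ "$got" != "$1" ]; then
        echo "negotiated ESP algorithm '$got' differs from expected '$1'"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample: verify output where rp_filter is still enabled.
sample_verify() {
    cat <<'EOF'
Checking for IPsec support in kernel              [OK]
Pluto ipsec.conf syntax                           [OK]
Checking rp_filter                                [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter        [ENABLED]
Checking that pluto is running                    [OK]
EOF
}

# Constructed sample: the relevant lines of a healthy ipsec status.
sample_status() {
    cat <<'EOF'
000 "openswan_ipsec":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000 #30: "openswan_ipsec":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1744s;
EOF
}

# Constructed sample: iptables -L with an open FORWARD chain.
sample_iptables() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
EOF
}
```

A FORWARD policy of DROP is not wrong by itself; it only means explicit rules for the two subnets are needed, which is why the function prints the policy rather than judging it. The verify check deliberately reports every non-[OK] item, including the per-interface rp_filter lines, so the list maps directly onto the echo commands in the procedure above.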