Updated: 2023-12-05 GMT+08:00

Virtual Private Network (VPN)

Scenario

A VPN gateway and a VPN connection have been purchased in a VPC on the cloud side. On the customer side, a host running IPsec software connects to the cloud, and that host is mapped one-to-one (static NAT) at the site's egress.

Topology

The topology and the policy negotiation settings for this scenario are shown in Figure 1.

VPN gateway IP of the cloud VPC: 11.11.11.11; local subnet: 192.168.200.0/24.

NAT-mapped IP of the customer host: 22.22.22.22; local subnet: 192.168.222.0/24.

The local IP addresses of the cloud ECS and the customer host are 192.168.200.200 and 192.168.222.222 respectively.

The VPN connection uses the Huawei Cloud default negotiation parameters.

Figure 1 Topology and policy negotiation settings

Configuration Steps

This example configures the Openswan IPsec client on CentOS 6.8.

  1. Install the Openswan client.

    yum install -y openswan

  2. Enable IPv4 forwarding.

    vim /etc/sysctl.conf

    1. Add the following line to the configuration file:
      net.ipv4.ip_forward = 1
    2. Run /sbin/sysctl -p to apply the forwarding setting.
  3. Configure iptables.
    Confirm that the firewall is disabled or that forwarded traffic is allowed. Query command: iptables -L
    iptables -L
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination
  4. Configure the pre-shared key.

    vim /etc/ipsec.d/open_ipsec.secrets

    Add the following line to the configuration file:
    22.22.22.22 11.11.11.11 : PSK "ipsec-key"

    Format: <local IP used for the connection> <space> <remote gateway IP> <space> : <space> PSK <space> <pre-shared key>. There is a space on each side of the colon, PSK may be written in upper or lower case, and the key is enclosed in double quotes.

  5. Configure the IPsec connection.

    vim /etc/ipsec.d/open_ipsec.conf

    Add the following to the configuration file:
    conn openswan_ipsec                 # connection name: openswan_ipsec
      type=tunnel                       # tunnel mode
      auto=start                        # one of add, route or start

      left=192.168.222.222              # local IP; in a NAT scenario use the host's real address
      leftid=22.22.22.22                # local identity
      leftsourceip=22.22.22.22          # behind NAT, use the NAT-mapped IP as the source address
      leftsubnet=192.168.222.0/24       # local subnet
      leftnexthop=22.22.22.1            # behind NAT, the next hop is the NAT-side gateway IP
      right=11.11.11.11                 # remote VPN gateway IP
      rightid=11.11.11.11               # remote identity
      rightsourceip=11.11.11.11         # remote source address: the VPN gateway IP
      rightsubnet=192.168.200.0/24      # remote subnet
      rightnexthop=%defaultroute        # remote route: default

      authby=secret                     # authentication method: PSK
      keyexchange=ike                   # IKE key exchange
      ike=aes128-sha1;modp1536          # IKE phase algorithms and DH group, matching the peer
      ikev2=never                       # disable IKEv2
      ikelifetime=86400s                # IKE SA lifetime

      phase2=esp                        # phase 2 protocol
      phase2alg=aes128-sha1;modp1536    # IPsec phase algorithms and DH group, matching the peer; modp1536 = DH group 5
      pfs=yes                           # enable PFS
      compress=no                       # disable compression
      salifetime=3600s                  # phase 2 SA lifetime
    • In NAT traversal scenarios, forceencaps=yes can be configured as needed.
    • For the bit lengths corresponding to the DH groups used by Huawei Cloud VPN, see the linked reference.
    After the configuration is complete, run ipsec verify to check the configuration items. If every line of the output shows OK, the configuration is correct.
    ipsec verify
    Verifying installed system and configuration files
    Version check and ipsec on-path                             [OK]
    Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
    Checking for IPsec support in kernel                                 [OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects              [OK]
             ICMP default/accept_redirects            [OK]
             XFRM larval drop                         [OK]
    Pluto ipsec.conf syntax                           [OK]
    Two or more interfaces found, checking IP forwarding[OK]
    Checking rp_filter                                [OK]
    Checking that pluto is running                    [OK]
     Pluto listening for IKE on udp 500               [OK]
     Pluto listening for IKE/NAT-T on udp 4500        [OK]
     Pluto ipsec.secret syntax                        [OK]
    Checking 'ip' command                             [OK]
    Checking 'iptables' command                       [OK]
    Checking 'prelink' command does not interfere with FIPS[OK]
    Checking for obsolete ipsec.conf options          [OK]
    If the output shows the following errors:
    Checking rp_filter                                  [ENABLED]
     /proc/sys/net/ipv4/conf/default/rp_filter          [ENABLED]
     /proc/sys/net/ipv4/conf/lo/rp_filter               [ENABLED]
     /proc/sys/net/ipv4/conf/eth0/rp_filter             [ENABLED]
     /proc/sys/net/ipv4/conf/eth1/rp_filter             [ENABLED]
     /proc/sys/net/ipv4/conf/ip_vti01/rp_filter             [ENABLED]
    resolve them with the following commands (writes to /proc do not survive a reboot; to make the change persistent, add the corresponding net.ipv4.conf.<interface>.rp_filter = 0 lines to /etc/sysctl.conf):
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/ip_vti01/rp_filter
  6. Start the service.

    service ipsec stop # stop the service

    service ipsec start # start the service

    service ipsec restart # restart the service

    ipsec auto --down openswan_ipsec # bring the connection down

    ipsec auto --up openswan_ipsec # bring the connection up

    Every time the configuration is changed, the service must be restarted and the connection brought up again.
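The following added example (written for this page; it is not code from Huawei Cloud or from Openswan) cross-checks the two files from steps 4 and 5 before the service is restarted. It parses the conn block and the secrets line and reports the inconsistencies that otherwise only surface as a failed IKE negotiation: a PSK entry not indexed by the identities the peers actually present (the NAT-mapped address in leftid, not the pre-NAT host address in left), overlapping traffic selectors, pfs=yes without a DH group in the phase 2 proposal, and a host behind NAT that may need forceencaps=yes. The sample values are constructed from this scenario; the 16-character PSK minimum is an assumed local policy, not a Huawei Cloud requirement, and the page's "ipsec-key" sample deliberately trips it.

```python
"""Consistency check of an Openswan conn block against its PSK secrets line."""
import ipaddress
import re

# Constructed sample input reproducing the values used in this scenario.
IPSEC_CONF = """\
conn openswan_ipsec
  type=tunnel
  auto=start
  left=192.168.222.222              # real host address behind the NAT
  leftid=22.22.22.22                # NAT-mapped address presented as IKE ID
  leftsourceip=22.22.22.22
  leftsubnet=192.168.222.0/24
  leftnexthop=22.22.22.1
  right=11.11.11.11
  rightid=11.11.11.11
  rightsourceip=11.11.11.11
  rightsubnet=192.168.200.0/24
  rightnexthop=%defaultroute
  authby=secret
  keyexchange=ike
  ike=aes128-sha1;modp1536
  ikev2=never
  ikelifetime=86400s
  phase2=esp
  phase2alg=aes128-sha1;modp1536
  pfs=yes
  compress=no
  salifetime=3600s
"""

# Constructed secrets line in the format described in step 4.
IPSEC_SECRETS = '22.22.22.22 11.11.11.11 : PSK "ipsec-key"\n'
MIN_PSK_LEN = 16  # assumed local policy threshold, not a Huawei Cloud requirement


def parse_conf(text):
    """Return {conn_name: {key: value}}; '#' comments and blank lines are ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def parse_secrets(text):
    """Return [(set_of_index_ids, psk)] from '<id> <id> : PSK "<secret>"' lines."""
    entries = []
    for raw in text.splitlines():
        m = re.match(r'^(.*?)\s*:\s*psk\s+"([^"]*)"', raw.strip(), re.IGNORECASE)
        if m:
            entries.append((set(m.group(1).split()), m.group(2)))
    return entries


def check_conn(conn, secrets):
    """Return a list of findings for one conn; an empty list means consistent."""
    required = ("left", "leftid", "right", "leftsubnet", "rightsubnet", "authby")
    missing = [k for k in required if k not in conn]
    if missing:
        return ["missing required keys: " + ", ".join(missing)]
    findings = []
    # 1. The PSK must be indexed by the IDs the peers present (leftid is the
    #    NAT-mapped address here), not by the pre-NAT host address.
    ids = {conn["leftid"], conn.get("rightid", conn["right"])}
    matching = [psk for index, psk in secrets if ids <= index]
    if conn["authby"] == "secret" and not matching:
        findings.append("no PSK entry indexed by both %s and %s" % tuple(sorted(ids)))
    for psk in matching:
        if len(psk) < MIN_PSK_LEN:
            findings.append("PSK is %d characters, below the %d-character minimum"
                            % (len(psk), MIN_PSK_LEN))
    # 2. Traffic selectors must not overlap, or the eroute shadows local traffic.
    ls = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    rs = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    if ls.overlaps(rs):
        findings.append("leftsubnet %s overlaps rightsubnet %s" % (ls, rs))
    # 3. pfs=yes needs a DH group in the phase 2 proposal (the part after ';').
    if conn.get("pfs", "yes") == "yes" and ";" not in conn.get("phase2alg", ""):
        findings.append("pfs=yes but phase2alg carries no DH group")
    # 4. left != leftid means the host sits behind NAT; point at the NAT-T option.
    if conn["left"] != conn["leftid"]:
        findings.append("host is behind NAT (left %s, leftid %s); consider forceencaps=yes"
                        % (conn["left"], conn["leftid"]))
    return findings


def check_files(conf_text, secrets_text):
    """Run check_conn over every conn in conf_text; returns {conn_name: findings}."""
    secrets = parse_secrets(secrets_text)
    return {n: check_conn(c, secrets) for n, c in parse_conf(conf_text).items()}
```

Run check_files on the real files (open("/etc/ipsec.d/open_ipsec.conf").read() and the matching secrets file) before service ipsec restart; an empty finding list for the conn means the two files agree with each other, not that the peer's proposal matches, which only the negotiation itself confirms.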

Verification

Query the IPsec status; the result shows the following information (excerpt). Status query command: ipsec --status
connection list:
000  
000 "openswan_ipsec": 192.168.222.0/24===192.168.222.222<192.168.222.222>[22.22.22.22]---22.22.22.1...11.11.11.11<11.11.11.11>===192.168.200.0/24; erouted; eroute owner: #30
000 "openswan_ipsec":     oriented; my_ip=22.22.22.22; their_ip=11.11.11.11; my_updown=ipsec _updown;
000 "openswan_ipsec":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "openswan_ipsec":   our auth:secret, their auth:secret
000 "openswan_ipsec":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "openswan_ipsec":   labeled_ipsec:no;
000 "openswan_ipsec":   policy_label:unset;
000 "openswan_ipsec":   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "openswan_ipsec":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "openswan_ipsec":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "openswan_ipsec":   policy: psk encrypt tunnel pfs up ikev1_allow saref_track ike_frag_allow esn_no;
000 "openswan_ipsec":   conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "openswan_ipsec":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "openswan_ipsec":   our idtype: id_ipv4_addr; our id=1.1.1.1; their idtype: id_ipv4_addr; their id=2.2.2.2
000 "openswan_ipsec":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "openswan_ipsec":   newest isakmp sa: #3; newest ipsec sa: #30;
000 "openswan_ipsec":   ike algorithms: aes_cbc_128-hmac_sha1-modp1536
000 "openswan_ipsec":   ike algorithm newest: aes_cbc_128-hmac_sha1-modp1536
000 "openswan_ipsec":   esp algorithms: aes_cbc_128-hmac_sha1_96-modp1536
000 "openswan_ipsec":   esp algorithm newest: aes_cbc_128-hmac_sha1_96; pfsgroup=modp1536
000  
000 total ipsec connections: loaded 1, active 1
000  
000 state information: ddos cookies not required, accepting new ike connections
000 ike sas: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 ipsec sas: total(1), authenticated(1), anonymous(0)
000  
000 #3: "openswan_ipsec":4500 state_main_r3 (sent mr3, isakmp sa established); event_sa_replace in 15087s; newest isakmp; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #30: "openswan_ipsec":4500 state_quick_i2 (sent qi2, ipsec sa established); event_sa_replace in 1744s; newest ipsec; eroute owner; isakmp#3; idle; import:admin initiate
000 #30: "openswan_ipsec" esp.b810a24@11.11.11.11 esp.aab7b496@192.168.222.222 tun.0@11.11.11.11 tun.0@192.168.222.222 ref=0 refhim=0 traffic: espin=106kb espout=106kb! espmax=4194303b
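Reading the listing above by eye works once; an added example (written for this page, not code from Huawei Cloud or from Openswan/Libreswan) that turns it into a check is below. It extracts, for one connection, the fields an operator looks at after ipsec auto --up: whether both the ISAKMP (phase 1) and IPsec (phase 2) SAs are established, whether the peer is reached on UDP 4500 (NAT-T encapsulation, expected for a host behind NAT), whether the negotiated algorithms equal what ike= and phase2alg= were meant to produce, and whether traffic flows in both directions. The excerpt it parses is constructed from the status output shown in this section (SPIs and counters are sample values); the EXPECTED spellings are how the status output names the proposals configured above.

```python
"""Health check over 'ipsec --status' output for one connection."""
import re

# Constructed excerpt patterned on the status listing shown in this section.
STATUS_OUTPUT = """\
000 "openswan_ipsec":   ike algorithm newest: aes_cbc_128-hmac_sha1-modp1536
000 "openswan_ipsec":   esp algorithm newest: aes_cbc_128-hmac_sha1_96; pfsgroup=modp1536
000 total ipsec connections: loaded 1, active 1
000 #3: "openswan_ipsec":4500 state_main_r3 (sent mr3, isakmp sa established); event_sa_replace in 15087s; newest isakmp; idle;
000 #30: "openswan_ipsec":4500 state_quick_i2 (sent qi2, ipsec sa established); event_sa_replace in 1744s; newest ipsec; eroute owner; isakmp#3; idle;
000 #30: "openswan_ipsec" esp.b810a24@11.11.11.11 esp.aab7b496@192.168.222.222 tun.0@11.11.11.11 tun.0@192.168.222.222 ref=0 refhim=0 traffic: espin=106kb espout=106kb! espmax=4194303b
"""

# What ike=aes128-sha1;modp1536 and phase2alg=aes128-sha1;modp1536 negotiate to,
# in the spelling the status output uses.
EXPECTED = {"ike": "aes_cbc_128-hmac_sha1-modp1536",
            "esp": "aes_cbc_128-hmac_sha1_96",
            "pfs": "modp1536"}


def parse_status(text, conn):
    """Extract SA state, port, algorithms and traffic counters for one connection."""
    info = {"isakmp_established": False, "ipsec_established": False, "port": None,
            "ike_alg": None, "esp_alg": None, "pfs": None,
            "esp_in_kb": None, "esp_out_kb": None}
    tag = '"%s"' % conn
    for line in text.splitlines():
        if tag not in line:
            continue
        low = line.lower()
        # State lines look like: #<n>: "<conn>":<port> STATE_xxx (..., <which> SA established)
        m = re.search(re.escape(tag) + r":(\d+)\s+\S+\s+\(([^)]*)\)", line)
        if m:
            info["port"] = int(m.group(1))
            desc = m.group(2).lower()
            if "isakmp sa established" in desc:
                info["isakmp_established"] = True
            if "ipsec sa established" in desc:
                info["ipsec_established"] = True
        m = re.search(r"ike algorithm newest:\s*(\S+)", low)
        if m:
            info["ike_alg"] = m.group(1)
        m = re.search(r"esp algorithm newest:\s*([^;]+);\s*pfsgroup=(\S+)", low)
        if m:
            info["esp_alg"], info["pfs"] = m.group(1).strip(), m.group(2)
        m = re.search(r"espin=(\d+)kb\s+espout=(\d+)kb", low)
        if m:
            info["esp_in_kb"], info["esp_out_kb"] = int(m.group(1)), int(m.group(2))
    return info


def tunnel_problems(info, expected, behind_nat=True):
    """Return the reasons the tunnel is not healthy; an empty list means healthy."""
    problems = []
    if not info["isakmp_established"]:
        problems.append("no established ISAKMP (phase 1) SA")
    if not info["ipsec_established"]:
        problems.append("no established IPsec (phase 2) SA")
    if behind_nat and info["port"] != 4500:
        problems.append("peer not reached on UDP 4500: NAT-T encapsulation is not active")
    for key, field in (("ike", "ike_alg"), ("esp", "esp_alg"), ("pfs", "pfs")):
        if info[field] != expected[key]:
            problems.append("%s negotiated %s, expected %s" % (key, info[field], expected[key]))
    # Outbound bytes with no inbound bytes usually means the peer routes the
    # return traffic elsewhere or its subnet definition does not match ours.
    if info["esp_out_kb"] and info["esp_in_kb"] == 0:
        problems.append("traffic leaves but nothing returns: check the peer's route and subnet")
    return problems


if __name__ == "__main__":
    status = parse_status(STATUS_OUTPUT, "openswan_ipsec")
    print(tunnel_problems(status, EXPECTED) or "tunnel healthy")
```

Feed it the live output (subprocess.run(["ipsec", "--status"], capture_output=True, text=True).stdout) from a cron job or monitoring agent; a non-empty list is the condition to alert on, and the algorithm comparison is what catches a peer-side proposal change that the plain "active 1" counter would hide.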