Original article: setup-a-site-to-site-ipsec-vpn-with-strongswan-on-ubuntu
Preface
When you operate several datacenters you often need to join their private networks, and IPsec is still the most common and the most mature way to do it.
IPsec (IP Security) consists of two protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload). AH provides only integrity and origin authentication, so the payload travels in cleartext, and because its integrity check covers the IP header, including the source address that NAT rewrites, AH cannot traverse NAT. ESP, which encrypts as well as authenticates, is therefore the one used in practice. A VPN is just one application of IPsec.
strongSwan vs Openswan vs Libreswan
Essentially there is little difference between the three: each is a Linux IKE/IPsec implementation.
Openswan and strongSwan are both continuations of FreeS/WAN.
Libreswan is a fork of Openswan.
Today we set up a site-to-site IPsec VPN with strongSwan and configure it with pre-shared key authentication.
Once the tunnel is established, the private addresses of each site are reachable from the other through it.
Installation
Prepare two servers
Server A:
Location: Paris, France
External IP: 51.15.139.201 enp3s0
Internal IP: 10.10.27.1/24 enp2s0
Server B:
Location: Amsterdam, Netherlands
External IP: 51.15.44.48 enp3s0
Internal IP: 10.9.141.1/24 enp2s0
Update your package index and install strongswan on both servers:
$ sudo apt update && sudo apt upgrade -y
$ sudo apt install strongswan -y
Set the following kernel parameters (as root). ip_forward lets the gateway route between the two subnets; the redirect settings stop it from sending ICMP redirects to LAN hosts (which would steer their traffic around the gateway, and thus around the tunnel) and from accepting redirects itself:
Normally:
$ cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
$ sysctl -p /etc/sysctl.conf
Optional but recommended: the conf.all entries alone are not always enough. For send_redirects the kernel ORs the all value with the per-interface value, so an interface whose own flag is still 1 keeps sending redirects. The following disables every existing accept_redirects and send_redirects entry; the first command only previews what the second appends:
$ sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}'
$ sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
$ sysctl -p /etc/sysctl.conf
Generating a pre-shared key
We need one pre-shared key that both servers will use:
$ openssl rand -base64 64
87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ
The key must appear on a single line in ipsec.secrets; if your openssl wraps the base64 output, join the lines (or generate a hex key with openssl rand -hex 32). Treat it like a password: copy it to the peer over an authenticated channel such as ssh, never reuse it for another peer, and keep /etc/ipsec.secrets readable by root only (mode 0600).
Configuration
Configure site A
We set up the VPN gateway on server A (Paris), starting with /etc/ipsec.secrets. The two addresses in front of the PSK are the identities it applies to: our own public address first, then the peer's:
$ cat /etc/ipsec.secrets
# source destination
51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
Now put the VPN configuration in /etc/ipsec.conf (back up the shipped file first). Parameters inside a config or conn section must be indented, and leftsubnet/rightsubnet take the network address (10.10.27.0/24, not a host address). The cipher lists keep only the strong suites, every one with a DH group so that each CHILD_SA has PFS; SHA-1 and the 1024/1536-bit MODP groups are left out:
$ cp /etc/ipsec.conf{,.old}
$ cat /etc/ipsec.conf
# basic configuration
config setup
    # Verbose logging for the IKE, kernel and config subsystems; useful
    # while debugging, drop back to level 1 once the tunnel works.
    charondebug="ike 2, knl 2, cfg 2"
    # If a peer reconnects with the same identity while an old IKE_SA still
    # exists, replace the old one (the default) instead of keeping both.
    uniqueids=yes
    strictcrlpolicy=no

# connection to amsterdam datacenter
conn paris-to-amsterdam
    # IKEv2 only (the default initiates IKEv2 but would also answer IKEv1)
    keyexchange=ikev2
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.0/24
    right=51.15.44.48
    rightsubnet=10.9.141.0/24
    # Modern suites only, all with a DH group (PFS); the trailing "!" makes
    # the list strict, so no other proposal is accepted from the peer.
    ike=aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha384-modp4096,aes128-sha256-modp2048!
    esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha384-modp4096,aes128-sha256-modp2048!
    # 0 = keep retrying forever
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    # dead peer detection: probe every 30s, declare dead after 120s, then reconnect
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
Firewall rule:
$ sudo iptables -t nat -A POSTROUTING -s 10.9.141.0/24 -d 10.10.27.0/24 -j MASQUERADE
This masquerades traffic arriving from the Amsterdam subnet as the gateway's own LAN address, so hosts in 10.10.27.0/24 answer to the gateway without needing a route for 10.9.141.0/24. The price is that every remote host shows up as the gateway in your logs and access controls; the cleaner alternative is to give the LAN hosts that return route (see the optional route below).
# Save the iptables rules on Ubuntu 16.04
$ sudo apt-get install iptables-persistent
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload
Optional: add a route (try this if other servers in the VPN's subnet cannot be reached). The gateway 10.10.0.254 is specific to the author's environment; what a LAN host actually needs is a route for the remote subnet via the VPN gateway, i.e. 10.9.141.0/24 via 10.10.27.1 here:
$ route add -net 10.10.0.0/16 gw 10.10.0.254 enp2s0
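The MASQUERADE rule above is only a workaround; it says nothing about which packets the gateway should accept or forward. The script below is an added example, not code from the original article, of the rules a site-to-site gateway actually needs: accept IKE, NAT-T and ESP only from the peer, forward only between the two tunnelled subnets and only when the packet is covered by an IPsec policy (the xt_policy match), and exempt tunnel traffic from any Internet MASQUERADE the gateway may also do. The script name, the function name and the dry-run convention (IPT=echo) are assumptions of this example; the addresses are site A's values from this article.

```sh
#!/bin/sh
# Added example (not from the original article): the netfilter rules a
# strongSwan site-to-site gateway needs, beyond the MASQUERADE workaround.
# Assumes iptables with the xt_policy match and a default-deny INPUT/FORWARD
# policy; with a default ACCEPT policy the ACCEPT rules below change nothing.
# IPT=echo prints the rules instead of applying them (dry run).
set -eu

IPT="${IPT:-iptables}"

# ipsec_gateway_rules PEER_IP LOCAL_SUBNET REMOTE_SUBNET
ipsec_gateway_rules() {
    peer="$1"; local_net="$2"; remote_net="$3"

    # IKE (UDP/500), NAT-T (UDP/4500) and raw ESP, accepted only from the peer.
    $IPT -A INPUT -p udp -s "$peer" --dport 500 -j ACCEPT
    $IPT -A INPUT -p udp -s "$peer" --dport 4500 -j ACCEPT
    $IPT -A INPUT -p esp -s "$peer" -j ACCEPT

    # Forward only between the two tunnelled subnets, and only for packets
    # that were (inbound) or will be (outbound) protected by an IPsec policy,
    # so cleartext packets spoofing a tunnel address are never forwarded.
    $IPT -A FORWARD -s "$remote_net" -d "$local_net" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -s "$local_net" -d "$remote_net" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # A gateway that also masquerades LAN traffic to the Internet must exempt
    # tunnel traffic from that NAT, otherwise the rewritten source address no
    # longer matches the IPsec policy and the packet leaves in cleartext.
    # Inserted at position 1 so it precedes any MASQUERADE rule already present.
    $IPT -t nat -I POSTROUTING 1 -s "$local_net" -d "$remote_net" \
        -m policy --dir out --pol ipsec -j ACCEPT
}

# Usage:  sudo sh ipsec-fw.sh PEER_IP LOCAL_SUBNET REMOTE_SUBNET
#   site A (Paris):     sudo sh ipsec-fw.sh 51.15.44.48 10.10.27.0/24 10.9.141.0/24
#   site B (Amsterdam): sudo sh ipsec-fw.sh 51.15.139.201 10.9.141.0/24 10.10.27.0/24
# Preview first with:   IPT=echo sh ipsec-fw.sh ...
if [ $# -eq 3 ]; then
    ipsec_gateway_rules "$@"
fi
```

Run it on each gateway with the arguments swapped, then persist the result with netfilter-persistent as above. The script adds only the IPsec-specific rules; the usual conntrack ESTABLISHED,RELATED rule and the rest of your policy stay as they are.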
Configure site B
We set up the VPN gateway on site B (Amsterdam) the same way, starting with /etc/ipsec.secrets (own address first, then the peer's):
$ cat /etc/ipsec.secrets
51.15.44.48 51.15.139.201 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
Next, the VPN configuration, the mirror image of site A (same indentation rule, network addresses for the subnets, same cipher lists):
$ cat /etc/ipsec.conf
# basic configuration
config setup
    # Verbose logging for the IKE, kernel and config subsystems; useful
    # while debugging, drop back to level 1 once the tunnel works.
    charondebug="ike 2, knl 2, cfg 2"
    # If a peer reconnects with the same identity while an old IKE_SA still
    # exists, replace the old one (the default) instead of keeping both.
    uniqueids=yes
    strictcrlpolicy=no

# connection to paris datacenter
conn amsterdam-to-paris
    # IKEv2 only (the default initiates IKEv2 but would also answer IKEv1)
    keyexchange=ikev2
    authby=secret
    left=%defaultroute
    leftid=51.15.44.48
    leftsubnet=10.9.141.0/24
    right=51.15.139.201
    rightsubnet=10.10.27.0/24
    # Modern suites only, all with a DH group (PFS); the trailing "!" makes
    # the list strict, so no other proposal is accepted from the peer.
    ike=aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha384-modp4096,aes128-sha256-modp2048!
    esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha384-modp4096,aes128-sha256-modp2048!
    # 0 = keep retrying forever
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    # dead peer detection: probe every 30s, declare dead after 120s, then reconnect
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
Firewall rule (the destination is 10.9.141.0/24, Amsterdam's own subnet; the original had a typo here):
$ sudo iptables -t nat -A POSTROUTING -s 10.10.27.0/24 -d 10.9.141.0/24 -j MASQUERADE
# Save the iptables rules on Ubuntu 16.04
$ sudo apt-get install iptables-persistent
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload
Optional: add a route (try this if other servers in the VPN's subnet cannot be reached). As on site A, the gateway 10.9.0.254 is specific to the author's environment; what a LAN host needs is a route for 10.10.27.0/24 via the VPN gateway 10.9.141.1:
$ route add -net 10.9.0.0/16 gw 10.9.0.254 enp2s0
Starting the VPN
Start the VPN on both ends:
$ sudo ipsec restart
Get the tunnel status; in this case we are logged in to the site A (Paris) server:
$ sudo ipsec status
Security Associations (1 up, 0 connecting):
paris-to-amsterdam[2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_o
paris-to-amsterdam{1}: 10.10.27.1/24 === 10.9.141.1/24
The IKE_SA line shows the local endpoint as 10.10.27.161[51.15.139.201]: the socket is bound to a private address and the public address is only the identity, so the provider NATs the public IP to the host. strongSwan detected this and switched to NAT traversal, which is why the CHILD_SA reads "ESP in UDP" (UDP port 4500) rather than raw ESP.
Test whether we can reach the remote end on its private range:
$ ping 10.9.141.97
PING 10.9.141.97 (10.9.141.97) 56(84) bytes of data.
64 bytes from 10.9.141.97: icmp_seq=1 ttl=64 time=14.6 ms
Enable the service at boot:
$ sudo systemctl enable strongswan
On newer releases the unit may be called strongswan-starter instead; check with systemctl list-unit-files which one your package installed.
Your VPN should now be set up correctly.
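The manual check above (ESTABLISHED IKE_SA plus INSTALLED tunnel-mode CHILD_SA in ipsec status) is what you will want from monitoring or a deployment script as well. The following is an added example, not code from the original article, that scripts exactly that check over the output of ipsec status. The function names are assumptions of this example; the sample output is copied from the article's status listing and used as constructed test input.

```sh
#!/bin/sh
# Added example (not from the original article): verify strongSwan
# connections from `ipsec status`. Exit status is non-zero when any named
# connection lacks an ESTABLISHED IKE_SA or an INSTALLED tunnel-mode CHILD_SA,
# so the script can drive a cron job or a monitoring check.
set -eu

# tunnel_up CONN  -- reads `ipsec status` output on stdin.
tunnel_up() {
    conn="$1"
    status=$(cat)
    # IKE_SA line:   "<conn>[<id>]: ESTABLISHED ..."
    printf '%s\n' "$status" | grep -q "^ *${conn}\[[0-9][0-9]*]: ESTABLISHED" || return 1
    # CHILD_SA line: "<conn>{<id>}: INSTALLED, TUNNEL, ..."
    printf '%s\n' "$status" | grep -q "^ *${conn}{[0-9][0-9]*}: INSTALLED, TUNNEL" || return 1
}

# check_tunnels CONN...  -- reads `ipsec status` once on stdin, reports each
# connection and returns 1 if any of them is down.
check_tunnels() {
    status=$(cat)
    rc=0
    for conn in "$@"; do
        if printf '%s\n' "$status" | tunnel_up "$conn"; then
            echo "OK   $conn"
        else
            echo "DOWN $conn"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the `ipsec status` output shown in this article.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
 paris-to-amsterdam[2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
 paris-to-amsterdam{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_o
 paris-to-amsterdam{1}: 10.10.27.1/24 === 10.9.141.1/24'

# Usage (on the gateway): sudo sh check-tunnels.sh paris-to-amsterdam paris-to-frankfurt
# With no arguments nothing is run, so the file can also be sourced for the functions.
if [ $# -gt 0 ]; then
    ipsec status | check_tunnels "$@"
fi
```

A connection that is still CONNECTING, or whose IKE_SA is up but whose CHILD_SA was never installed (typically a traffic-selector or proposal mismatch; look at the charon log), is reported as DOWN, which is the case a plain "is the daemon running" check misses.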
Other useful commands
Start / stop / status:
$ sudo ipsec up connection-name
$ sudo ipsec down connection-name
$ sudo ipsec restart
$ sudo ipsec status
$ sudo ipsec statusall
Get the kernel's IPsec states and policies for the tunnel:
$ sudo ip xfrm state
$ sudo ip xfrm policy
Reload the secrets while the service is running:
$ sudo ipsec rereadsecrets
Check that traffic is going through the tunnel:
$ sudo tcpdump esp
Note that when NAT traversal is in use (the status above shows "ESP in UDP"), ESP is encapsulated in UDP port 4500 and the esp filter matches nothing; capture udp port 4500 instead, or both expressions combined with "or" to cover either case. If you see cleartext packets between the two private subnets on the external interface, the traffic is bypassing the tunnel.
Adding more connections to your configuration
If you have to add another site, the ipsec.secrets file looks like this. The example reuses one PSK for both peers; in practice give every peer its own key, so that the compromise of one site does not expose the others:
$ cat /etc/ipsec.secrets
51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
51.15.139.201 51.15.87.41 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
And ipsec.conf. The subnets are the /24 networks used above (the status output below shows the tunnel carrying /24 selectors), and the 1024-bit group modp1024 of the original is replaced by modp2048, since 1024-bit Diffie-Hellman no longer offers adequate security:
$ cat /etc/ipsec.conf
# basic configuration
config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=yes
    strictcrlpolicy=no

# connection to amsterdam datacenter
conn paris-to-amsterdam
    keyexchange=ikev2
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.0/24
    right=51.15.44.48
    rightsubnet=10.9.141.0/24
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256-modp2048!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

# connection to frankfurt datacenter
conn paris-to-frankfurt
    keyexchange=ikev2
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.0/24
    right=51.15.87.41
    rightsubnet=10.9.137.0/24
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256-modp2048!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
Just remember to configure the matching connection (and its PSK) on the Frankfurt VPN gateway as well. The status output then looks like this:
$ sudo ipsec status
Security Associations (2 up, 0 connecting):
paris-to-frankfurt[2]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.87.41[51.15.87.41]
paris-to-frankfurt{1}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc62a1f_i c95b8f78_o
paris-to-frankfurt{1}: 10.10.27.1/24 === 10.9.137.1/24
paris-to-amsterdam[1]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7b36756_i cc54053c_o
paris-to-amsterdam{2}: 10.10.27.1/24 === 10.9.141.1/24