
Setting up a site-to-site IPsec VPN with strongSwan on Ubuntu


Original article:

setup-a-site-to-site-ipsec-vpn-with-strongswan-on-ubuntu

Introduction

With several data centers, you sometimes need to connect the private networks across sites. IPsec is still the most common way to do this, and it is relatively mature.

IPsec (IP Security) consists of two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload). AH provides no encryption, so everything it carries travels in plaintext, and because AH authenticates the source including fields of the IP header, it cannot traverse NAT. For these reasons ESP is the more widely used of the two. A VPN is just one application of IPsec.

strongSwan vs Openswan vs Libreswan

Essentially there is little difference between the three.

Openswan and strongSwan are both continuations of FreeS/WAN.

Libreswan is a fork of Openswan.

Today we will set up a site-to-site IPsec VPN with strongSwan and configure it with pre-shared key authentication.

Once the tunnel is established, we will be able to reach the private IPs on the far side through the VPN tunnel.

Installation

Prepare two servers

Server A:

Location: Paris, France
External IP: 51.15.139.201  enp3s0
Internal IP: 10.10.27.1/24  enp2s0

Server B:

Location: Amsterdam, Netherlands
External IP: 51.15.44.48    enp3s0
Internal IP: 10.9.141.1/24  enp2s0

Update your repository index and install strongswan

$ sudo apt update && sudo apt upgrade -y
$ sudo apt install strongswan -y

Set the following kernel parameters

Normally:

$ sudo tee -a /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF

$ sudo sysctl -p /etc/sysctl.conf

Optional: normally adding the settings above to sysctl.conf is enough, but a more complete configuration (disabling ICMP redirects on every IPv4 interface, not just "all") can be appended like this:

$ sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}'
$ sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' | sudo tee -a /etc/sysctl.conf

$ sudo sysctl -p /etc/sysctl.conf

Generate a pre-shared key

We need a pre-shared key that both servers will use:

$ openssl rand -base64 64
87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ

Configuration

Configure site A

We set up the VPN gateway on server A (Paris). First, the /etc/ipsec.secrets file:

$ cat /etc/ipsec.secrets
# source      destination
51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

Now set up our VPN configuration in /etc/ipsec.conf:

$ cp /etc/ipsec.conf{,.old}
$ cat /etc/ipsec.conf
# basic configuration
config setup
    # Slightly more verbose logging. Very useful for debugging.
    charondebug="all"

    # uniqueids=yes (the default) replaces an existing IKE_SA when a peer
    # reconnects with the same identity; set it to no to allow duplicates.
    uniqueids=yes

    strictcrlpolicy=no

# connection to amsterdam datacenter
conn paris-to-amsterdam
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.1/24
    right=51.15.44.48
    rightsubnet=10.9.141.1/24
    # Prefer modern cipher suites that allow PFS (Perfect Forward Secrecy).
    # The entries with sha1 or modp1024/modp1536 towards the end of each list are
    # compatibility fallbacks; drop them if the peer supports the stronger suites.
    # The trailing "!" stops charon from appending its own default proposals.
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    # Dead peer detection: probe every 30s, give up after 120s, then re-establish.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

Firewall rules:

$ sudo iptables -t nat -A POSTROUTING -s 10.9.141.0/24 -d 10.10.27.0/24 -j MASQUERADE

# Save the iptables rules on Ubuntu 16.04
$ sudo apt-get install iptables-persistent
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload

Optional: add a route (try this if other servers in the same segment as the VPN cannot be reached)

$ route add -net 10.10.0.0/16 gw 10.10.0.254 enp2s0

Configure site B

We set up the VPN gateway on site B (Amsterdam) and set the /etc/ipsec.secrets file:

$ cat /etc/ipsec.secrets
51.15.44.48 51.15.139.201 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

Next, set up our VPN configuration:

$ cat /etc/ipsec.conf
# basic configuration
config setup
    # Slightly more verbose logging. Very useful for debugging.
    charondebug="all"

    # uniqueids=yes (the default) replaces an existing IKE_SA when a peer
    # reconnects with the same identity; set it to no to allow duplicates.
    uniqueids=yes

    strictcrlpolicy=no

# connection to paris datacenter
conn amsterdam-to-paris
    authby=secret
    left=%defaultroute
    leftid=51.15.44.48
    leftsubnet=10.9.141.1/24
    right=51.15.139.201
    rightsubnet=10.10.27.1/24

    # Prefer modern cipher suites that allow PFS (Perfect Forward Secrecy).
    # Both proposal lists must be mirrored from site A; the sha1 / modp1024 /
    # modp1536 entries are compatibility fallbacks and the trailing "!" stops
    # charon from appending its own default proposals.
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    # Dead peer detection: probe every 30s, give up after 120s, then re-establish.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

Firewall rules:

$ sudo iptables -t nat -A POSTROUTING -s 10.10.27.0/24 -d 10.9.141.0/24 -j MASQUERADE

# Save the iptables rules on Ubuntu 16.04
$ sudo apt-get install iptables-persistent
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload

Optional: add a route (try this if other servers in the same segment as the VPN cannot be reached)

$ route add -net 10.9.0.0/16 gw 10.9.0.254 enp2s0
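Before starting the tunnel it is worth checking that both ipsec.conf files only carry the suites you intend. The following POSIX shell function is an added example (not part of the original post or strongSwan): it reads an ipsec.conf on stdin, flags proposal entries that use sha1, md5, 3des or the small MODP groups, and reports any ike=/esp= list that lacks the trailing "!". The embedded configuration is a constructed sample based on the conns above.

```shell
#!/bin/sh
# Added example: audit ike=/esp= proposal lists in an ipsec.conf for weak
# algorithms and for the missing strict flag ("!"). Keywords follow strongSwan's
# proposal syntax; the list of "weak" names is the author's choice here.
WEAK='sha1|md5|modp768|modp1024|modp1536|3des|des|null'

# Constructed sample: the Frankfurt conn from the page plus a variant of the
# Amsterdam conn whose esp= line forgets the trailing "!".
SAMPLE_CONF='config setup
    charondebug="all"

conn paris-to-frankfurt
    authby=secret
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!

# constructed variant: strong suites, but esp= is not strict
conn paris-to-amsterdam
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384'

# audit_proposals < ipsec.conf
# Prints one line per finding ("<conn> <key>: ...") and returns 1 if any.
audit_proposals() {
  rc=0; conn='(global)'
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                   # drop comments
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$line" in
      "conn "*) conn=${line#"conn "}; continue ;;      # remember current conn
      ike=*|esp=*) ;;                                  # proposal lines only
      *) continue ;;
    esac
    key=${line%%=*}; val=${line#*=}
    strict=no
    case "$val" in *!) strict=yes; val=${val%!} ;; esac
    # split the comma-separated list and keep entries containing a weak token
    weak=$(printf '%s\n' "$val" | tr ',' '\n' | grep -E "(^|-)($WEAK)(-|$)" | tr '\n' ',')
    weak=${weak%,}
    if [ -n "$weak" ]; then echo "$conn $key: weak entries: $weak"; rc=1; fi
    if [ "$strict" = no ]; then echo "$conn $key: not strict (missing trailing !)"; rc=1; fi
  done
  return $rc
}

# Stand-alone run against the constructed sample; on a gateway use:
#   audit_proposals < /etc/ipsec.conf
printf '%s\n' "$SAMPLE_CONF" | audit_proposals
```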

Start the VPN

Start the VPN on both ends:

$ sudo ipsec restart

Get the tunnel status; in this case we are logged into the site A (Paris) server:

$ sudo ipsec status
Security Associations (1 up, 0 connecting):
paris-to-amsterdam[2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_o
paris-to-amsterdam{1}:   10.10.27.1/24 === 10.9.141.1/24

Test whether we can reach the remote side on its private range:

$ ping 10.9.141.97
PING 10.9.141.97 (10.9.141.97) 56(84) bytes of data.
64 bytes from 10.9.141.97: icmp_seq=1 ttl=64 time=14.6 ms

Enable the service at boot:

$ sudo systemctl enable strongswan

Your VPN should now be set up correctly.
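The status output above is what a monitoring check should look for: an "[n]: ESTABLISHED" line (IKE_SA) and a "{n}: INSTALLED, TUNNEL" line (CHILD_SA) per connection. The POSIX shell function below is an added example (not from the original post or strongSwan) that checks a captured `ipsec status` output for both; the embedded outputs are constructed samples in the page's format, and 198.51.100.7 is a placeholder peer address.

```shell
#!/bin/sh
# Added example: tunnel health check over `ipsec status` output. An IKE_SA
# without a CHILD_SA usually means the peers authenticated but disagree on
# leftsubnet/rightsubnet (or the ESP packets are filtered).

# Constructed sample: both connections fully up (shape of the page's output).
SAMPLE_UP='Security Associations (2 up, 0 connecting):
paris-to-frankfurt[2]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.87.41[51.15.87.41]
paris-to-frankfurt{1}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc62a1f_i c95b8f78_o
paris-to-frankfurt{1}:   10.10.27.1/24 === 10.9.137.1/24
paris-to-amsterdam[1]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7b36756_i cc54053c_o
paris-to-amsterdam{2}:   10.10.27.1/24 === 10.9.141.1/24'

# Constructed sample: IKE_SA established but no CHILD_SA installed.
SAMPLE_HALF='Security Associations (1 up, 0 connecting):
paris-to-berlin[3]: ESTABLISHED 5 seconds ago, 10.10.27.161[51.15.139.201]...198.51.100.7[198.51.100.7]'

# check_tunnels "<ipsec status output>" conn-name...
# Prints one line per problem; returns 0 only when every conn is fully up.
check_tunnels() {
  status=$1; shift
  rc=0
  for conn in "$@"; do
    # IKE_SA line: "<conn>[n]: ESTABLISHED ..."
    if ! printf '%s\n' "$status" | grep -q "^$conn\[[0-9]*\]: ESTABLISHED"; then
      echo "$conn: no established IKE_SA"; rc=1
    # CHILD_SA line: "<conn>{n}:  INSTALLED, TUNNEL ..."
    elif ! printf '%s\n' "$status" | grep -q "^$conn{[0-9]*}: *INSTALLED, TUNNEL"; then
      echo "$conn: IKE_SA up but no CHILD_SA (check subnets / firewall)"; rc=1
    fi
  done
  return $rc
}

# Stand-alone run against the samples; on a gateway use:
#   check_tunnels "$(sudo ipsec status)" paris-to-amsterdam paris-to-frankfurt
check_tunnels "$SAMPLE_UP" paris-to-amsterdam paris-to-frankfurt && echo "all tunnels up"
check_tunnels "$SAMPLE_HALF" paris-to-berlin paris-to-amsterdam
```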

Other useful commands

Start/stop/status:

$ sudo ipsec up connection-name
$ sudo ipsec down connection-name

$ sudo ipsec restart
$ sudo ipsec status
$ sudo ipsec statusall

Get the policies and state of the IPsec tunnel:

$ sudo ip xfrm state
$ sudo ip xfrm policy

Reload the secrets while the service is running:

$ sudo ipsec rereadsecrets

Check whether traffic is going through the tunnel:

$ sudo tcpdump esp

Adding more connections to your configuration

If you have to add another site to your configuration, the example ipsec.secrets would look like this:

$ cat /etc/ipsec.secrets
# source      destination   (one PSK per peer is preferable; the same key is reused here only for brevity)
51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"
51.15.139.201 51.15.87.41  : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

and ipsec.conf:

$ cat /etc/ipsec.conf
# basic configuration
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

# connection to amsterdam datacenter
conn paris-to-amsterdam
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.161/32
    right=51.15.44.48
    rightsubnet=10.9.141.97/32
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

# connection to frankfurt datacenter
conn paris-to-frankfurt
    authby=secret
    left=%defaultroute
    leftid=51.15.139.201
    leftsubnet=10.10.27.1/24
    right=51.15.87.41
    rightsubnet=10.9.137.1/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

Just remember to configure the Frankfurt VPN gateway as well; an example of the status output is shown below:

$ sudo ipsec status
Security Associations (2 up, 0 connecting):
paris-to-frankfurt[2]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.87.41[51.15.87.41]
paris-to-frankfurt{1}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc62a1f_i c95b8f78_o
paris-to-frankfurt{1}:   10.10.27.1/24 === 10.9.137.1/24
paris-to-amsterdam[1]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]
paris-to-amsterdam{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7b36756_i cc54053c_o
paris-to-amsterdam{2}:   10.10.27.1/24 === 10.9.141.1/24