This is the topology we are going to build: connecting headquarters and the branch office to Alibaba Cloud.
Let's begin.
1. Install strongSwan
First install the EPEL repository:
yum install -y epel-release
Then install the strongSwan VPN service:
yum install strongswan -y
2. Create the certificates
Create a new directory to hold the certificates. Important: replace 192.168.48.131 below with your own public IP address.
strongswan pki --gen --outform pem > ca.key.pem
strongswan pki --self --in ca.key.pem --dn "C=CN, O=one, CN=one t CA" --ca --lifetime 3650 --outform pem > ca.cert.pem
strongswan pki --gen --outform pem > server.key.pem
strongswan pki --pub --in server.key.pem --outform pem > server.pub.pem
strongswan pki --pub --in server.key.pem | strongswan pki --issue --lifetime 3601 --cacert ca.cert.pem --cakey ca.key.pem --dn "C=CN, O=one, CN=one t CA" --san="192.168.48.131" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
Copy the certificates into the strongSwan directories:
cp -f ca.key.pem /etc/strongswan/ipsec.d/private/
cp -f ca.cert.pem /etc/strongswan/ipsec.d/cacerts/
cp -f server.cert.pem /etc/strongswan/ipsec.d/certs/
cp -f server.pub.pem /etc/strongswan/ipsec.d/certs/
cp -f server.key.pem /etc/strongswan/ipsec.d/private/
3. Configure the VPN connections
vim /etc/strongswan/ipsec.conf
config setup
    charondebug="all"

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=0
    keyexchange=ikev1
    authby=secret

# headquarters tunnel: right is the headquarters firewall's public IP
conn zongbu
    left=%any
    leftid=192.168.48.131
    leftsubnet=10.10.0.0/24
    leftcert=server.cert.pem
    right=100.100.100.100
    rightsubnet=192.168.100.0/24
    auto=start
    type=tunnel
    ike=3des-md5-modp1024
    esp=3des-md5
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ikelifetime=1h
    lifetime=8h

# branch office tunnel: right is the branch firewall's public IP
conn fenbu
    left=%any
    leftid=192.168.48.131
    leftsubnet=10.10.0.0/24
    leftcert=server.cert.pem
    right=101.101.101.101
    rightsubnet=192.168.200.0/24,192.168.1.0/24,192.168.5.0/24
    auto=start
    type=tunnel
    ike=3des-md5-modp1024
    esp=3des-md5
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ikelifetime=1h
    lifetime=8h
Explanation: two connections are configured here, one for headquarters and one for the branch office. The Alibaba Cloud private subnet is 10.10.0.0/24, the headquarters subnet is 192.168.100.0/24, and the branch subnet is 192.168.200.0/24. Because our Sangfor firewall only supports IKEv1, keyexchange is set to ikev1.
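The proposals above (ike=3des-md5-modp1024, esp=3des-md5) are dictated by what the firewall will negotiate, so it is worth having a check that makes such legacy algorithms visible every time the config changes. The script below is an added example, not part of the original post or of strongSwan: it scans an ipsec.conf for IKE/ESP proposals that contain DES, 3DES, MD5, null encryption or 768/1024-bit MODP groups and reports them per connection. The sample config it audits is a constructed copy of the post's, and the "hardened" variant assumes a peer that can negotiate AES-256/SHA-256/MODP-2048, which the post does not claim for the Sangfor device.

```shell
#!/bin/sh
# Added example, not from the original post: flag IKE/ESP proposals in an
# ipsec.conf that use algorithms no longer considered safe.

# Constructed sample in the same layout as the post's /etc/strongswan/ipsec.conf.
SAMPLE_CONF='config setup
    charondebug="all"

conn %default
    keyexchange=ikev1
    authby=secret

conn zongbu
    leftsubnet=10.10.0.0/24
    right=100.100.100.100
    ike=3des-md5-modp1024
    esp=3des-md5

conn fenbu
    right=101.101.101.101
    ike=3des-md5-modp1024
    esp=3des-md5'

# Hardened variant of the same file (assumption: the peer supports these suites;
# the post only states that the firewall requires IKEv1).
HARDENED_CONF='conn zongbu
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!'

# audit_proposals: read ipsec.conf text on stdin; print "<conn> <ike|esp> <weak,tokens>"
# for every proposal that contains a weak algorithm and exit 1 if any were found.
audit_proposals() {
  awk '
    BEGIN {
      n = split("des 3des md5 modp768 modp1024 null", list, " ")
      for (i = 1; i <= n; i++) weak[list[i]] = 1
      conn = "(global)"
    }
    # "conn NAME" starts a new section (also matches "conn %default")
    /^[ \t]*conn[ \t]+/ { conn = $2; next }
    # ike= / esp= lines; "ikelifetime=" does not match because "=" must follow the key
    /^[ \t]*(ike|esp)[ \t]*=/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t!]*$/, "", val)
      m = split(val, tok, /[,-]/)        # proposals are comma-separated, algorithms dash-separated
      found = ""
      for (i = 1; i <= m; i++)
        if (tok[i] in weak) found = found (found == "" ? "" : ",") tok[i]
      if (found != "") { printf "%s %s %s\n", conn, key, found; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Stand-alone run against the sample; on the VPN host use:
#   audit_proposals < /etc/strongswan/ipsec.conf
if printf '%s\n' "$SAMPLE_CONF" | audit_proposals; then
  echo "no weak proposals"
else
  echo "weak proposals found (listed above)"
fi
```

Run it from a deploy hook or a cron job and let the non-zero exit status page someone; for the post's setup the four reported lines are expected, and the check exists so that the weak suites are removed the day the firewall side gains support for stronger ones.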
4. Configure the pre-shared key and routing
Set the key to Password-1234:
vim /etc/strongswan/ipsec.secrets
: RSA server.key.pem
192.168.48.131 100.100.100.100 : PSK "Password-1234"
192.168.48.131 101.101.101.101 : PSK "Password-1234"
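The secrets file pairs the local id with each peer's public IP and the shared key, one line per peer. The script below is an added example, not part of the original post: it generates a random key instead of a fixed password, writes the same two PSK lines in the post's format, and creates the file with owner-only permissions so the key cannot be read by other local users. The addresses are the post's placeholders (192.168.48.131 local, 100.100.100.100 and 101.101.101.101 as peers); the key length of 32 random bytes is this example's choice.

```shell
#!/bin/sh
# Added example, not from the original post: random PSK plus a 0600 secrets file
# in the "local peer : PSK" format the post uses.

# make_psk: print 32 bytes from /dev/urandom as 64 hex characters.
make_psk() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# write_secrets FILE LOCAL_ID PSK PEER_ID...: one PSK line per peer.
# The file is (re)created in a subshell under umask 077 so it is mode 0600
# from the moment it exists; the appends afterwards keep that mode.
write_secrets() {
  file=$1; local_id=$2; psk=$3
  shift 3
  ( umask 077; rm -f "$file"; : > "$file" ) || return 1
  for peer in "$@"; do
    printf '%s %s : PSK "%s"\n' "$local_id" "$peer" "$psk" >> "$file"
  done
}

# Stand-alone run writes a scratch file; in production the path is
# /etc/strongswan/ipsec.secrets and the same key is entered on both firewalls.
SECRETS_OUT=${SECRETS_OUT:-${TMPDIR:-/tmp}/ipsec.secrets.example}
PSK=$(make_psk)
write_secrets "$SECRETS_OUT" 192.168.48.131 "$PSK" 100.100.100.100 101.101.101.101
ls -l "$SECRETS_OUT"
```

After writing the real file, reload the secrets with strongswan rereadsecrets (or restart the service) so charon picks up the new key.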
Enable IP forwarding in Linux:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1
# sysctl -p
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# Configure SNAT, otherwise traffic will not get through
iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
5. Start the VPN service
systemctl start strongswan
Check the service status; both connections are now waiting to be established:
# strongswan status
Security Associations (0 up, 2 connecting):
fenbu[2]: CONNECTING, 192.168.48.131[%any]...101.101.101.101[%any]
zongbu[1]: CONNECTING, 192.168.48.131[%any]...100.100.100.100[%any]
Note the Alibaba Cloud security group: it must allow inbound UDP ports 500 and 4500 to the VPN server, otherwise the peers cannot connect.
6. Configure the headquarters firewall to connect to the VPN
Choose third-party peering management.
Enter the pre-shared key.
Then click Add and fill in the local and remote private subnets.
Then select IKEv1, main mode, 3DES, MD5.
Click Submit and the tunnel comes up; repeat the same steps for the branch office.
Then check the connection status on the server:
# strongswan status
Security Associations (2 up, 0 connecting):
fenbu[56]: ESTABLISHED 60 seconds ago, 192.168.48.131[192.168.48.131]...101.101.101.101[101.101.101.101]
fenbu{54}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0db69df_i c843d709_o
fenbu{54}: 10.10.10.0/24 === 192.168.100.0/24
fenbu[55]: ESTABLISHED 48 minutes ago, 192.168.48.131[192.168.48.131]...100.100.100.100[100.100.100.100]
zongbu{53}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c4da9236_i 3c1b323f_o
zongbu{53}: 10.10.10.0/24 === 192.168.200.0/24
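The two status listings above (first "0 up, 2 connecting", then "2 up, 0 connecting") are what you would poll to know whether the site-to-site links are healthy. The script below is an added example, not part of the original post or of strongSwan: it parses the output of strongswan status in the layout shown above ("name[N]: STATE ..." for IKE SAs, "name{N}: INSTALLED ..." for CHILD SAs), prints one line per connection, and exits non-zero unless every connection is ESTABLISHED with an installed CHILD SA. The sample it runs on is a constructed listing with one connection deliberately still CONNECTING.

```shell
#!/bin/sh
# Added example, not from the original post: per-connection summary of
# `strongswan status` for monitoring.

# Constructed sample mirroring the post's listings, with fenbu still connecting.
SAMPLE_STATUS='Security Associations (1 up, 1 connecting):
       fenbu[2]: CONNECTING, 192.168.48.131[%any]...101.101.101.101[%any]
      zongbu[1]: ESTABLISHED 48 minutes ago, 192.168.48.131[192.168.48.131]...100.100.100.100[100.100.100.100]
      zongbu{53}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c4da9236_i 3c1b323f_o
      zongbu{53}:  10.10.0.0/24 === 192.168.200.0/24'

# summarize_status: read status text on stdin; print "<conn> <ike-state> <child-state>"
# per connection in order of first appearance, NONE where a state is missing.
summarize_status() {
  awk '
    # IKE SA line: name[N]: STATE ...
    match($0, /^[ \t]*[A-Za-z0-9_-]+\[[0-9]+\]: [A-Z_]+/) {
      line = substr($0, RSTART, RLENGTH); sub(/^[ \t]*/, "", line)
      name = line; sub(/\[.*/, "", name)
      state = line; sub(/.*: /, "", state)
      ike[name] = state
      if (!(name in seen)) { seen[name] = 1; order[++n] = name }
      next
    }
    # CHILD SA line: name{N}: INSTALLED ...  The traffic-selector line that follows
    # also starts with name{N}: but has no upper-case state word after the colon.
    match($0, /^[ \t]*[A-Za-z0-9_-]+[{][0-9]+[}]: [A-Z_]+/) {
      line = substr($0, RSTART, RLENGTH); sub(/^[ \t]*/, "", line)
      name = line; sub(/[{].*/, "", name)
      state = line; sub(/.*: /, "", state)
      child[name] = state
      if (!(name in seen)) { seen[name] = 1; order[++n] = name }
    }
    END {
      for (i = 1; i <= n; i++) {
        nm = order[i]
        is = (nm in ike) ? ike[nm] : "NONE"
        cs = (nm in child) ? child[nm] : "NONE"
        printf "%s %s %s\n", nm, is, cs
      }
    }'
}

# all_tunnels_up: exit 0 only if at least one connection is listed and every one
# is ESTABLISHED with an INSTALLED CHILD SA.
all_tunnels_up() {
  summarize_status | awk '
    $2 != "ESTABLISHED" || $3 != "INSTALLED" { bad = 1 }
    END { if (NR == 0 || bad) exit 1 }'
}

# Stand-alone run against the sample; on the VPN host pipe the real command instead:
#   strongswan status | all_tunnels_up || echo "tunnel down"
printf '%s\n' "$SAMPLE_STATUS" | summarize_status
```

A CHILD SA that is missing while the IKE SA is ESTABLISHED usually means the traffic selectors (the leftsubnet/rightsubnet pairs) do not match what the firewall offers, which is the first thing to compare when the summary shows ESTABLISHED NONE.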
The network is now connected: from the local office you can reach the database directly over the Alibaba Cloud RDS private IP.