centos部署ipsec vpn nat穿越

VPN（virtual private network，虚拟专用网）就是在两个网络实体之间建立的一种受保护的连接，这两个实体可以通过点到点的链路直接相连，但通常情况下他们会相隔较远的距离。vpn方式有三种： Site-to-Site（站点到站点或者网关到网关）：如3个机构分布在互联网的3个不同的地方，各使用一个ipsec vpn网关相互建立VPN隧道，企业内网（若干PC）之间的数据通过这些网关建立的IPSec隧道实现安全互联。 End-to-End（端到端或者PC到PC）： 两个PC之间的通信由两个PC之间的IPSec会话保护，而不是网关。 End-to-Site（端到站点或者PC到网关）：两个PC之间的通信由网关和异地PC之间的IPSec进行保护。 本次讲述第一种方式Site-to-Site（站点到站点或者网关到网关） 1、需求分析 PC1部署Ipsec VPN，配置私网地址，在无线路由器做NAT； 华为USG做总部的VPN服务器； 因考虑PC1访问互联网需要通过无线路由器做nat，所ipsec vpn要考虑到nat穿越，后面openswan会有相关配置； 2、安装openswan pc1部署centos7操作系统，在linux上部署openswan yum install -y openswan lsof

我们改动内核参数，允许IP转发、永久性禁止重定向。

sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
sed -i 's#net.ipv4.conf.default.rp_filter = 1#net.ipv4.conf.default.rp_filter = 0#g' /etc/sysctl.conf

查看内核参数，确保禁止重定向sysctl -a | egrep "ipv4.*(accept|send)_redirects"

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0

重新装入/etc/sysctl.conf sysctl -p

3、修改ipsec配置文件 vi /etc/ipsec.conf

config setup
        plutodebug=all
        plutostderrlog=/var/log/ipsec.log
 # Debug-logging controls: "none" for (almost) none, "all" for lots.
 # klipsdebug=none
 # plutodebug="control parsing"
 # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
 protostack=netkey
 nat_traversal=yes
 #实现nat穿越
 virtual_private=
 oe=off
 # Enable this if you see "failed to find any available worker"
 # nhelpers=0

4、修改lan-to-lan的配置文件 [root@localhost ~]# cat /etc/ipsec.d/site1-tosite2.conf

conn site1-tosite2
  type=tunnel
  #隧道模式
  authby=secret
  #共享秘钥方式
  auto=start
  ike=3des-sha1;modp1024
  keyexchange=ike
  phase2=esp
  phase2alg=3des-sha1
  pfs=no


  left=%defaultroute
  leftid=alice
  leftnexthop=%defaultroute
  leftsubnet=192.168.1.0/24
  
  right=172.17.0.1  
  rightsubnet=192.168.2.0/24      

5、配置ipsec vpn共享秘钥

vi /etc/ipsec.d/idcsubnet1-to-awsvpc1.secrets 本端公网地址 对端公网地址: PSK "123456"

6、检查命令 设置开机启动 ，命令#chkconfig ipsec on 命令 #ipsec verify ,没有fail项即可

[root@localhost ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.25 (netkey) on 3.10.0-1062.9.1.el7.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Two or more interfaces found, checking IP forwarding	[OK]
Checking rp_filter                                	[ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter            	[ENABLED]
 /proc/sys/net/ipv4/conf/ens33/rp_filter          	[ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OK]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OBSOLETE KEYWORD]
 Warning: ignored obsolete keyword 'nat_traversal'

ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help

命令 #service ipsec status ，检查进程状态，tunnel up数量 命令 #ip xfrm policy ，检查tunnel的详细信息，源/目的subnet、下一跳等