搭建ipsec+gre隧道

部署需求:国内服务器和国外服务器建立隧道,国外用户在访问国外资源时,通过本地网络。国外用户在访问国内资源时,通过隧道到国内网络。

ipsec隧道建立

关闭防火墙

国外服务器

  1. 安装yum仓库

    yum install wget vim -y
    # NOTE(review): the repo definition is fetched over plain http, so a
    # tampered copy could point package installs at a different mirror;
    # prefer https if the mirror offers it and keep gpgcheck enabled in the
    # resulting file.
    wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
    yum makecache
    
  2. 安装ipsec-tools

    # ipsec-tools provides the racoon daemon and the setkey tool used below.
    yum install ipsec-tools openssl compat-openldap -y
    
  3. 配置ipsec

    ipsec的目录为:/etc/racoon,配置部署分为vpn密钥配置、ipsec配置文件配置(racoon.conf)、系统内核参数调整、隧道key配置(setkey.conf)等;这里配置部署按照如下的方法来进行即可;

    (1) 配置ipsec密钥,这里配置的84572622为密钥串,0x84572622为密钥串调用,会在setkey.conf中使用

    # psk.txt holds one "<identifier> <secret>" pair per line.
    # NOTE(review): 0x84572622 also appears below in the SPI position of the
    # setkey.conf "add" lines; the IKE pre-shared secret does not have to
    # match it, so a long random string (e.g. `openssl rand -base64 32`) is
    # the better choice here.
    echo "84572622             0x84572622" > /etc/racoon/psk.txt
    # Keep the secret unreadable by other users.
    chmod 700 /etc/racoon/psk.txt
    

    (2) 配置ipsec配置文件

    vim /etc/racoon/racoon.conf

    path include "/etc/racoon";
    include "remote.conf";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    #log debug;
    
    # IKE (UDP 500) and NAT-T (UDP 4500) listeners on this host's public address.
    listen
    {
    isakmp 11.11.11.11 [500];
    isakmp_natt 11.11.11.11 [4500];
    }
    
    # Any peer may connect; this side waits (passive) and authenticates
    # clients with XAUTH over a pre-shared key.
    remote anonymous
    {
    # NOTE(review): IKEv1 aggressive mode with a pre-shared key is known to
    # hand an unauthenticated peer material for offline guessing of the PSK;
    # restrict this to main mode if the remote side supports it.
    exchange_mode main, aggressive, base;
    mode_cfg on;
    proposal_check obey; # obey, strict, or claim
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;
    
    # Phase 1 proposal.
    # NOTE(review): 3des / md5 / DH group 2 are legacy choices; prefer aes,
    # sha256 and dh_group 14 when both peers support them.
    proposal {
    lifetime time 28800 sec;
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method xauth_psk_server;
    dh_group 2;
    }
    }
    
    # Phase 2 (IPsec SA) algorithms offered to any peer.
    sainfo anonymous
    {
    encryption_algorithm 3des, aes, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
    }
    
    # Mode-config: addresses and DNS pushed to XAUTH clients.
    # NOTE(review): the client pool (network4) starts at this host's own
    # public address with a /23 mask; confirm that range is really meant to
    # be handed out to clients.
    mode_cfg
    {
    auth_source system;
    dns4 8.8.8.8,114.114.114.114;
    banner "/etc/racoon/motd";
    save_passwd on;
    network4 11.11.11.11;
    netmask4 255.255.254.0;
    pool_size 100;
    pfs_group 2;
    }
    

    (3) 配置ipsec连接

    vim /etc/racoon/setkey.conf

    #flush SAD entries
    flush;
    
    #flush SPD entries
    spdflush;
    
    #add SA entries
    #add SP entries
    # Require ESP tunnel-mode protection for all traffic between the two
    # public addresses, inbound and outbound.
    spdadd 22.22.22.22[any] 11.11.11.11[any] any -P in ipsec esp/tunnel/22.22.22.22-11.11.11.11/require;
    spdadd 11.11.11.11[any] 22.22.22.22[any] any -P out ipsec esp/tunnel/11.11.11.11-22.22.22.22/require;
    
    # Using ESP tunnel:
    # NOTE(review): the 3des-cbc and hmac-sha1 keys below are sequential
    # byte patterns (0x51..0x68, 0x01..0x18) rather than random secrets.
    # Generate fresh values per deployment (`openssl rand -hex 24` for
    # 3des-cbc, `openssl rand -hex 20` for hmac-sha1) and install the same
    # pair on both peers.
    add 22.22.22.22 11.11.11.11 esp 0x84572622 -m tunnel -E 3des-cbc 0x5152535455565758595a5b5c5d5e5f606162636465666768 -A hmac-sha1 0x5152535455565758595a5b5c5d5e5f6061626364;
    add 11.11.11.11 22.22.22.22 esp 0x84572622 -m tunnel -E 3des-cbc 0x0102030405060708090a0b0c0d0e0f101112131415161718 -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
    

    (4) 调整内核参数

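    # Enable IP forwarding and relax reverse-path filtering so traffic
    # arriving through the tunnel is routed instead of being dropped.
    # A plain sed only rewrites keys that already exist in /etc/sysctl.conf,
    # so append a key first when it is missing; the sed patterns also accept
    # "key=value" without spaces.
    grep -q '^net\.ipv4\.ip_forward *=' /etc/sysctl.conf \
      || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    grep -q '^net\.ipv4\.conf\.default\.rp_filter *=' /etc/sysctl.conf \
      || echo 'net.ipv4.conf.default.rp_filter = 0' >> /etc/sysctl.conf
    sed -i 's/^\(net\.ipv4\.ip_forward\) *=.*/\1 = 1/' /etc/sysctl.conf
    sed -i 's/^\(net\.ipv4\.conf\.default\.rp_filter\) *=.*/\1 = 0/' /etc/sysctl.conf
    # Turn off ICMP redirect acceptance/sending on every ipv4 interface the
    # kernel currently reports.  Skip lines already present so re-running
    # this step does not append duplicates.
    sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' \
      | while IFS= read -r line; do
          grep -qF -- "$line" /etc/sysctl.conf || echo "$line" >> /etc/sysctl.conf
        done
    sysctl -p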
    

    (5) 开放端口

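    # Put SELinux in permissive mode now and disable it across reboots.
    # NOTE(review): this turns SELinux off system-wide; if only racoon is
    # being blocked, staying in enforcing mode and addressing that specific
    # denial is the narrower fix.
    setenforce 0
    sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
    # Allow IKE (UDP 500) and NAT-T (UDP 4500) in.  The first rule was
    # written as "ptables", which is not a command, so it never took effect.
    iptables -I INPUT -p udp --dport 500 -j ACCEPT
    iptables -I INPUT -p udp --dport 4500 -j ACCEPT
    # NOTE(review): plain ESP (IP protocol 50) is not opened here; when no
    # NAT sits between the peers nat_traversal does not encapsulate, so add
    # `iptables -I INPUT -p esp -j ACCEPT` if the INPUT chain drops by default.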
    
    

    (6) 启动ipsec

    # Load the policies and manual SAs into the kernel, then start the IKE
    # daemon logging to /var/log/racoon.log; -d raises the log verbosity.
    setkey -f /etc/racoon/setkey.conf
    racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -d
    

国内服务器

国内服务器作为所有数据包出去的一个窗口

  1. 安装yum仓库

    yum install wget vim -y
    # NOTE(review): the repo definition is fetched over plain http, so a
    # tampered copy could point package installs at a different mirror;
    # prefer https if the mirror offers it and keep gpgcheck enabled in the
    # resulting file.
    wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
    yum makecache
    
  2. 安装ipsec-tools

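    # ipsec-tools provides the racoon daemon and the setkey tool used below.
    # -y added for consistency with the same step on the other server, so
    # the install does not stop at an interactive prompt.
    yum install ipsec-tools openssl compat-openldap -y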
    
  3. 配置ipsec

    ipsec的目录为:/etc/racoon,配置部署分为vpn密钥配置、ipsec配置文件配置(racoon.conf)、系统内核参数调整、隧道key配置(setkey.conf)等;这里配置部署按照如下的方法来进行即可

  4. 配置ipsec密钥, 这里配置的84572622为密钥串,0x84572622为密钥串调用,会在setkey.conf中使用

    # psk.txt holds one "<identifier> <secret>" pair per line.
    # NOTE(review): 0x84572622 also appears below in the SPI position of the
    # setkey.conf "add" lines; the IKE pre-shared secret does not have to
    # match it, so a long random string (e.g. `openssl rand -base64 32`) is
    # the better choice here.
    echo "84572622             0x84572622" > /etc/racoon/psk.txt
    # Keep the secret unreadable by other users.
    chmod 700 /etc/racoon/psk.txt
    
    
  5. 配置ipsec配置文件

    vim /etc/racoon/racoon.conf

    path include "/etc/racoon";
    # NOTE(review): remote.conf is included in the other peer's config but
    # commented out here, and its contents are not shown in this document;
    # confirm whether it is needed on this side.
    #include "remote.conf";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    #log debug;
    
    # IKE (UDP 500) and NAT-T (UDP 4500) listeners on this host's public address.
    listen
    {
    isakmp 22.22.22.22 [500];
    isakmp_natt 22.22.22.22 [4500];
    }
    
    # Any peer may connect; this side waits (passive) and authenticates
    # clients with XAUTH over a pre-shared key.
    remote anonymous
    {
    # NOTE(review): IKEv1 aggressive mode with a pre-shared key is known to
    # hand an unauthenticated peer material for offline guessing of the PSK;
    # restrict this to main mode if the remote side supports it.
    exchange_mode main, aggressive, base;
    mode_cfg on;
    proposal_check obey; # obey, strict, or claim
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;
    
    # Phase 1 proposal.
    # NOTE(review): 3des / md5 / DH group 2 are legacy choices; prefer aes,
    # sha256 and dh_group 14 when both peers support them.
    proposal {
    lifetime time 28800 sec;
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method xauth_psk_server;
    dh_group 2;
    }
    }
    
    # Phase 2 (IPsec SA) algorithms offered to any peer.
    sainfo anonymous
    {
    encryption_algorithm 3des, aes, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
    }
    
    # Mode-config: addresses and DNS pushed to XAUTH clients.
    # NOTE(review): the client pool (network4) starts at this host's own
    # public address with a /28 mask; confirm that range is really meant to
    # be handed out to clients.
    mode_cfg
    {
    auth_source system;
    dns4 8.8.8.8,114.114.114.114;
    banner "/etc/racoon/motd";
    save_passwd on;
    network4 22.22.22.22;
    netmask4 255.255.255.240;
    pool_size 100;
    pfs_group 2;
    }
    
  6. 配置ipsec连接

    vim /etc/racoon/setkey.conf

    #flush SAD entries
    flush;
    
    #flush SPD entries
    spdflush;
    
    #add SA entries
    #add SP entries
    
    # Require ESP tunnel-mode protection for all traffic between the two
    # public addresses, inbound and outbound (mirror image of the other peer).
    spdadd 11.11.11.11[any] 22.22.22.22[any] any -P in ipsec esp/tunnel/11.11.11.11-22.22.22.22/require;
    spdadd 22.22.22.22[any] 11.11.11.11[any] any -P out ipsec esp/tunnel/22.22.22.22-11.11.11.11/require;
    
    # Using ESP tunnel:
    # NOTE(review): the 3des-cbc and hmac-sha1 keys below are sequential
    # byte patterns (0x51..0x68, 0x01..0x18) rather than random secrets.
    # Generate fresh values per deployment (`openssl rand -hex 24` for
    # 3des-cbc, `openssl rand -hex 20` for hmac-sha1) and install the same
    # pair on both peers.
    add 22.22.22.22 11.11.11.11 esp 0x84572622 -m tunnel -E 3des-cbc 0x5152535455565758595a5b5c5d5e5f606162636465666768 -A hmac-sha1 0x5152535455565758595a5b5c5d5e5f6061626364;
    add 11.11.11.11 22.22.22.22 esp 0x84572622 -m tunnel -E 3des-cbc 0x0102030405060708090a0b0c0d0e0f101112131415161718 -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
    
  7. 调整内核参数配置

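    # Enable IP forwarding and relax reverse-path filtering so traffic
    # arriving through the tunnel is routed instead of being dropped.
    # A plain sed only rewrites keys that already exist in /etc/sysctl.conf,
    # so append a key first when it is missing; the sed patterns also accept
    # "key=value" without spaces.
    grep -q '^net\.ipv4\.ip_forward *=' /etc/sysctl.conf \
      || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    grep -q '^net\.ipv4\.conf\.default\.rp_filter *=' /etc/sysctl.conf \
      || echo 'net.ipv4.conf.default.rp_filter = 0' >> /etc/sysctl.conf
    sed -i 's/^\(net\.ipv4\.ip_forward\) *=.*/\1 = 1/' /etc/sysctl.conf
    sed -i 's/^\(net\.ipv4\.conf\.default\.rp_filter\) *=.*/\1 = 0/' /etc/sysctl.conf
    # Turn off ICMP redirect acceptance/sending on every ipv4 interface the
    # kernel currently reports.  Skip lines already present so re-running
    # this step does not append duplicates.
    sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' \
      | while IFS= read -r line; do
          grep -qF -- "$line" /etc/sysctl.conf || echo "$line" >> /etc/sysctl.conf
        done
    sysctl -p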
    
  8. 开放端口

    # Put SELinux in permissive mode now and disable it across reboots.
    # NOTE(review): this turns SELinux off system-wide; if only racoon is
    # being blocked, staying in enforcing mode and addressing that specific
    # denial is the narrower fix.
    setenforce 0
    sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
    
    # Allow IKE (UDP 500) and NAT-T (UDP 4500) in.
    # NOTE(review): plain ESP (IP protocol 50) is not opened here; when no
    # NAT sits between the peers nat_traversal does not encapsulate, so an
    # extra rule for -p esp is needed if the INPUT chain drops by default.
    iptables -I INPUT -p udp --dport 500 -j ACCEPT
    iptables -I INPUT -p udp --dport 4500 -j ACCEPT
    
  9. 启动ipsec

    # Load the policies and manual SAs into the kernel, then start the IKE
    # daemon logging to /var/log/racoon.log; -d raises the log verbosity.
    setkey -f /etc/racoon/setkey.conf
    racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -d
    

验证ipsec

在国外服务器ping国内服务器

1563685151567

在国内服务器上抓包

1563685188205

gre隧道建立

在ipsec隧道的基础之上建立gre隧道,gre over ipsec

国外服务器

modprobe ip_gre
# Outer endpoints are the two public addresses, so the ESP policy installed
# earlier covers the GRE packets.  The lower MTU leaves room for the GRE
# and ESP headers.
ip tunnel add tunnel0 mode gre remote 22.22.22.22 local 11.11.11.11 ttl 255
ip link set tunnel0 up mtu 1400
ip addr add 192.168.122.1/24  dev tunnel0
# NOTE(review): 192.168.122.1/24 was already assigned on the previous line,
# so this second add is expected to be rejected as a duplicate; keep only
# one of the two forms (the peer form is the usual one for a point-to-point
# tunnel).
ip addr add 192.168.122.1/24 peer 192.168.122.2/24 dev tunnel0

国内服务器

配置gre

modprobe ip_gre
# Mirror image of the other end: outer endpoints swapped, same MTU.
ip tunnel add tunnel0 mode gre remote 11.11.11.11 local 22.22.22.22 ttl 255
ip link set tunnel0 up mtu 1400
ip addr add 192.168.122.2/24 dev tunnel0
# NOTE(review): 192.168.122.2 was already assigned (as /24) on the previous
# line, and this line uses /30 locally but /24 for the peer; pick one
# consistent prefix and keep only one of the two adds.
ip addr add 192.168.122.2/30 peer 192.168.122.1/24 dev tunnel0

nat转发

# Source-NAT everything from the tunnel subnet to this host's public
# address so replies from domestic destinations return here.
# NOTE(review): there is no -o restriction, so the rule also matches
# packets leaving on any other interface; add `-o <public interface>` to
# scope it to the egress path.
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j SNAT --to 22.22.22.22

配置路由

第一:管理地址和隧道对端要走静态路由走公网

第二:访问国内ip走隧道

隧道对端的ip地址要走公网网关

# Pin the tunnel peer's public address to the public gateway so the
# outer IPsec/GRE packets never get steered into the tunnel themselves.
route add -host 22.22.22.22 gw 11.11.11.1

访问国内ip走隧道

# Send the domestic prefix through the GRE tunnel to the far-end address.
# This route only exists while tunnel0 is up (see the persistent route
# file below).
ip route add 1.0.1.0/24 via 192.168.122.2 dev tunnel0

永久添加路由规则,重启网卡生效,如果tunnel0网卡不存在,规则不会生效

vim /etc/sysconfig/network-scripts/route-eth0

22.22.22.22 via 11.11.11.1 dev eth0
124.98.111.5 via 11.11.11.1 dev eth0
1.0.1.0/24 via 192.168.122.2 dev tunnel0
1.0.2.0/23 via 192.168.122.2 dev tunnel0
1.0.8.0/21 via 192.168.122.2 dev tunnel0
1.0.32.0/19 via 192.168.122.2 dev tunnel0
1.1.0.0/24 via 192.168.122.2 dev tunnel0
1.1.2.0/23 via 192.168.122.2 dev tunnel0