
搭建ipsec+gre隧道

搭建ipsec+gre隧道

部署需求:國内伺服器和國外伺服器建立隧道,國外使用者在通路國外資源時,通過本地網絡。國外使用者在通路國内資源時,通過隧道到國内網絡。

ipsec隧道建立

關閉防火牆

國外伺服器

  1. 安裝yum倉庫
    # Install the helper tools, point CentOS 6 at the Aliyun mirror and refresh the metadata cache.
    # NOTE(review): the repo file is fetched over plain HTTP; whether packages are later
    # signature-checked depends on the gpgcheck setting inside that file — confirm it is 1.
    yum -y install wget vim
    wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
    yum makecache
               
  2. 安裝ipsec-tools
    # ipsec-tools provides racoon (IKE daemon) and setkey (SPD/SAD loader); the rest are its runtime deps.
    yum -y install ipsec-tools openssl compat-openldap
               
  3. 配置ipsec

    ipsec的目錄為:/etc/racoon,配置部署分為vpn密鑰配置、ipsec配置檔案配置(racoon.conf)、系統核心參數調整、隧道key配置(setkey.conf)等;這裡配置部署按照如下的方法來進行即可;

    (1) 配置ipsec密鑰,這裡配置的84572622為密鑰串,0x84572622為密鑰串調用,會在setkey.conf中使用

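    # psk.txt format is "<identifier> <key>"; racoon finds it via "path pre_shared_key" in racoon.conf.
    # The identifier/key pair below is a sample published with this guide — replace both with a long,
    # random secret before deployment.
    printf '%s\t%s\n' "84572622" "0x84572622" > /etc/racoon/psk.txt
    # 600 is sufficient: this is a data file, not an executable. racoon rejects a PSK file that is
    # readable by group/others, so the mode must stay this tight.
    chmod 600 /etc/racoon/psk.txt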
               

    (2) 配置ipsec配置檔案

    vim /etc/racoon/racoon.conf

    # racoon.conf for the overseas endpoint (11.11.11.11). Lines marked NOTE(review) are reviewer
    # observations about this configuration, not descriptions of what racoon does with it.
    path include "/etc/racoon";
    # NOTE(review): remote.conf is never created anywhere in this guide; racoon's parser errors out
    # on a missing include, so the daemon will likely fail to start. Create the file or comment this
    # line out, as the domestic-side racoon.conf does.
    include "remote.conf";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    #log debug;
    
    # IKE listens on the public address: UDP/500 for ISAKMP, UDP/4500 for NAT traversal.
    listen
    {
    isakmp 11.11.11.11 [500];
    isakmp_natt 11.11.11.11 [4500];
    }
    
    # NOTE(review): "remote anonymous" with "passive on" answers IKE from any initiator, and
    # xauth_psk_server together with "auth_source system" (mode_cfg below) authenticates XAuth users
    # against local system accounts. That is a road-warrior profile; for the fixed site-to-site peer
    # this guide describes, pin the block to the peer address (remote 22.22.22.22) unless remote
    # user access is actually intended.
    remote anonymous
    {
    # NOTE(review): aggressive mode with a PSK is a known weak spot (the PSK can be guessed offline
    # by any initiator); main mode alone is preferable.
    exchange_mode main, aggressive, base;
    mode_cfg on;
    proposal_check obey; # obey, strict, or claim
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;
    
    # Phase 1 (IKE SA) proposal.
    # NOTE(review): 3des / md5 / dh_group 2 are legacy choices kept as the author wrote them; racoon
    # also supports aes, sha256 and dh_group 14, which should be preferred where the peer allows.
    proposal {
    lifetime time 28800 sec;
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method xauth_psk_server;
    dh_group 2;
    }
    }
    
    # Phase 2 (IPsec SA) algorithm set offered to any peer.
    sainfo anonymous
    {
    encryption_algorithm 3des, aes, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
    }
    
    # ISAKMP mode-config: parameters handed to XAuth clients.
    mode_cfg
    {
    auth_source system;
    dns4 8.8.8.8,114.114.114.114;
    banner "/etc/racoon/motd";
    # NOTE(review): save_passwd on lets clients cache the XAuth password — confirm this is wanted.
    save_passwd on;
    # NOTE(review): the client address pool starts at the server's own public address with a /23
    # mask; that looks wrong for a pool — confirm the intended range.
    network4 11.11.11.11;
    netmask4 255.255.254.0;
    pool_size 100;
    pfs_group 2;
    }
               

    (3) 配置ipsec連接

    vim /etc/racoon/setkey.conf

    # setkey.conf for the overseas endpoint (11.11.11.11); loaded with "setkey -f".
    #flush SAD entries
    flush;
    
    #flush SPD entries
    spdflush;
    
    #add SA entries
    #add SP entries
    # Policies: all traffic between the two public addresses must travel inside an ESP tunnel
    # ("require" — packets that do not match an SA are dropped, not sent in clear).
    spdadd 22.22.22.22[any] 11.11.11.11[any] any -P in ipsec esp/tunnel/22.22.22.22-11.11.11.11/require;
    spdadd 11.11.11.11[any] 22.22.22.22[any] any -P out ipsec esp/tunnel/11.11.11.11-22.22.22.22/require;
    
    # Using ESP tunnel:
    # Manually keyed SAs, one per direction. The fourth field (0x84572622) is the SPI, not the
    # pre-shared key from psk.txt; both directions may reuse it because an SA is identified by
    # (SPI, destination, protocol). These two lines must be installed verbatim on both hosts —
    # the domestic-side setkey.conf in this guide carries the identical pair.
    # NOTE(review): the 3des-cbc (24-byte) and hmac-sha1 (20-byte) keys are sequential sample
    # values that are published with this guide — generate random per-deployment keys
    # (e.g. "openssl rand -hex 24" and "openssl rand -hex 20"). Manually keyed SAs never rekey and
    # racoon does not negotiate them; setkey also accepts aes-cbc where 3DES is to be retired.
    add 22.22.22.22 11.11.11.11 esp 0x84572622 -m tunnel -E 3des-cbc 0x5152535455565758595a5b5c5d5e5f606162636465666768 -A hmac-sha1 0x5152535455565758595a5b5c5d5e5f6061626364;
    add 11.11.11.11 22.22.22.22 esp 0x84572622 -m tunnel -E 3des-cbc 0x0102030405060708090a0b0c0d0e0f101112131415161718 -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
               
    (4) 調整核心參數
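    # Enable IP forwarding, disable reverse-path filtering and ICMP redirects, then reload.
    # The original appended "sysctl -a | egrep ... >> /etc/sysctl.conf" on every run, so the file
    # grew a duplicate block each time; set_sysctl rewrites an existing key in place instead.
    # Arguments: $1 - sysctl key, $2 - value, $3 - target file (default /etc/sysctl.conf)
    set_sysctl() {
      local key=$1 value=$2 file=${3:-/etc/sysctl.conf}
      if grep -q "^${key} *=" "$file" 2>/dev/null; then
        # "|" as the sed delimiter because some sysctl keys contain "/" (e.g. VLAN interface names).
        sed -i "s|^${key} *=.*|${key} = ${value}|" "$file"
      else
        printf '%s = %s\n' "$key" "$value" >> "$file"
      fi
    }
    set_sysctl net.ipv4.ip_forward 1
    # NOTE(review): rp_filter=0 switches off source-address validation for every new interface;
    # the tunnel only needs it where routing is actually asymmetric — confirm before keeping it global.
    set_sysctl net.ipv4.conf.default.rp_filter 0
    # sysctl -a prints errors for unreadable keys; those are irrelevant here, hence 2>/dev/null.
    while IFS= read -r key; do
      set_sysctl "$key" 0
    done < <(sysctl -a 2>/dev/null | grep -E 'ipv4.*(accept|send)_redirects' | awk -F '=' '{gsub(/ /, "", $1); print $1}')
    sysctl -p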
               
    (5) 開放端口
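    # Allow IKE (UDP/500) and IKE NAT-T (UDP/4500) through the host firewall.
    # Fix: the first firewall rule was spelled "ptables", so UDP/500 was never opened.
    # NOTE(review): disabling SELinux (runtime and persistently) is unrelated to opening ports;
    # keep it only if a concrete denial against racoon shows up in the audit log.
    setenforce 0
    sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
    # NOTE(review): these rules accept IKE from any source; for the fixed peer in this guide
    # "-s 22.22.22.22" narrows them. They are also not persisted across a reboot by themselves.
    for port in 500 4500; do
      iptables -I INPUT -p udp --dport "$port" -j ACCEPT
    done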
    
               
    (6) 啟動ipsec
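    # Load the SPD/SAD entries, and only start the IKE daemon if setkey accepted the file;
    # the original started racoon even when the policy load had failed.
    # -l writes the log to a file, -d raises the log verbosity (debug) — drop -d for normal operation.
    setkey -f /etc/racoon/setkey.conf && racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -d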
               

國内伺服器

國内伺服器作為所有資料包出去的一個視窗

  1. 安裝yum倉庫
    # Install the helper tools, point CentOS 6 at the Aliyun mirror and refresh the metadata cache.
    # NOTE(review): the repo file is fetched over plain HTTP; whether packages are later
    # signature-checked depends on the gpgcheck setting inside that file — confirm it is 1.
    yum -y install wget vim
    wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
    yum makecache
               
  2. 安裝ipsec-tools
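    # ipsec-tools provides racoon and setkey. -y makes the install non-interactive, matching the
    # other install steps in this guide (this line was the only one missing it).
    yum install -y ipsec-tools openssl compat-openldap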
               
  3. 配置ipsec

    ipsec的目錄為:/etc/racoon,配置部署分為vpn密鑰配置、ipsec配置檔案配置(racoon.conf)、系統核心參數調整、隧道key配置(setkey.conf)等;這裡配置部署按照如下的方法來進行即可

  4. 配置ipsec密鑰, 這裡配置的84572622為密鑰串,0x84572622為密鑰串調用,會在setkey.conf中使用
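    # psk.txt format is "<identifier> <key>"; racoon finds it via "path pre_shared_key" in racoon.conf.
    # The identifier/key pair below is a sample published with this guide — replace both with a long,
    # random secret before deployment.
    printf '%s\t%s\n' "84572622" "0x84572622" > /etc/racoon/psk.txt
    # 600 is sufficient: this is a data file, not an executable. racoon rejects a PSK file that is
    # readable by group/others, so the mode must stay this tight.
    chmod 600 /etc/racoon/psk.txt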
    
               
  5. 配置ipsec配置檔案

    vim /etc/racoon/racoon.conf

    # racoon.conf for the domestic endpoint (22.22.22.22). Lines marked NOTE(review) are reviewer
    # observations about this configuration, not descriptions of what racoon does with it.
    path include "/etc/racoon";
    # remote.conf is commented out here (the overseas-side config still includes it).
    #include "remote.conf";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    #log debug;
    
    # IKE listens on the public address: UDP/500 for ISAKMP, UDP/4500 for NAT traversal.
    listen
    {
    isakmp 22.22.22.22 [500];
    isakmp_natt 22.22.22.22 [4500];
    }
    
    # NOTE(review): "remote anonymous" with "passive on" answers IKE from any initiator, and
    # xauth_psk_server together with "auth_source system" (mode_cfg below) authenticates XAuth users
    # against local system accounts. That is a road-warrior profile; for the fixed site-to-site peer
    # this guide describes, pin the block to the peer address (remote 11.11.11.11) unless remote
    # user access is actually intended.
    remote anonymous
    {
    # NOTE(review): aggressive mode with a PSK is a known weak spot (the PSK can be guessed offline
    # by any initiator); main mode alone is preferable.
    exchange_mode main, aggressive, base;
    mode_cfg on;
    proposal_check obey; # obey, strict, or claim
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;
    
    # Phase 1 (IKE SA) proposal.
    # NOTE(review): 3des / md5 / dh_group 2 are legacy choices kept as the author wrote them; racoon
    # also supports aes, sha256 and dh_group 14, which should be preferred where the peer allows.
    proposal {
    lifetime time 28800 sec;
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method xauth_psk_server;
    dh_group 2;
    }
    }
    
    # Phase 2 (IPsec SA) algorithm set offered to any peer.
    sainfo anonymous
    {
    encryption_algorithm 3des, aes, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
    }
    
    # ISAKMP mode-config: parameters handed to XAuth clients.
    mode_cfg
    {
    auth_source system;
    dns4 8.8.8.8,114.114.114.114;
    banner "/etc/racoon/motd";
    # NOTE(review): save_passwd on lets clients cache the XAuth password — confirm this is wanted.
    save_passwd on;
    # NOTE(review): the client address pool starts at the server's own public address with a /28
    # mask; that looks wrong for a pool — confirm the intended range.
    network4 22.22.22.22;
    netmask4 255.255.255.240;
    pool_size 100;
    pfs_group 2;
    }
               
  6. 配置ipsec連接

    vim /etc/racoon/setkey.conf

    # setkey.conf for the domestic endpoint (22.22.22.22); loaded with "setkey -f".
    #flush SAD entries
    flush;
    
    #flush SPD entries
    spdflush;
    
    #add SA entries
    #add SP entries
    
    # Policies: all traffic between the two public addresses must travel inside an ESP tunnel
    # ("require" — packets that do not match an SA are dropped, not sent in clear). Directions are
    # mirrored relative to the overseas-side file.
    spdadd 11.11.11.11[any] 22.22.22.22[any] any -P in ipsec esp/tunnel/11.11.11.11-22.22.22.22/require;
    spdadd 22.22.22.22[any] 11.11.11.11[any] any -P out ipsec esp/tunnel/22.22.22.22-11.11.11.11/require;
    
    # Using ESP tunnel:
    # Manually keyed SAs, one per direction. The fourth field (0x84572622) is the SPI, not the
    # pre-shared key from psk.txt; both directions may reuse it because an SA is identified by
    # (SPI, destination, protocol). These two lines are intentionally identical to the overseas-side
    # setkey.conf — manual SAs must match verbatim on both hosts.
    # NOTE(review): the 3des-cbc (24-byte) and hmac-sha1 (20-byte) keys are sequential sample
    # values that are published with this guide — generate random per-deployment keys
    # (e.g. "openssl rand -hex 24" and "openssl rand -hex 20"). Manually keyed SAs never rekey and
    # racoon does not negotiate them; setkey also accepts aes-cbc where 3DES is to be retired.
    add 22.22.22.22 11.11.11.11 esp 0x84572622 -m tunnel -E 3des-cbc 0x5152535455565758595a5b5c5d5e5f606162636465666768 -A hmac-sha1 0x5152535455565758595a5b5c5d5e5f6061626364;
    add 11.11.11.11 22.22.22.22 esp 0x84572622 -m tunnel -E 3des-cbc 0x0102030405060708090a0b0c0d0e0f101112131415161718 -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
               
  7. 調整核心參數配置
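    # Enable IP forwarding, disable reverse-path filtering and ICMP redirects, then reload.
    # The original appended "sysctl -a | egrep ... >> /etc/sysctl.conf" on every run, so the file
    # grew a duplicate block each time; set_sysctl rewrites an existing key in place instead.
    # Arguments: $1 - sysctl key, $2 - value, $3 - target file (default /etc/sysctl.conf)
    set_sysctl() {
      local key=$1 value=$2 file=${3:-/etc/sysctl.conf}
      if grep -q "^${key} *=" "$file" 2>/dev/null; then
        # "|" as the sed delimiter because some sysctl keys contain "/" (e.g. VLAN interface names).
        sed -i "s|^${key} *=.*|${key} = ${value}|" "$file"
      else
        printf '%s = %s\n' "$key" "$value" >> "$file"
      fi
    }
    set_sysctl net.ipv4.ip_forward 1
    # NOTE(review): rp_filter=0 switches off source-address validation for every new interface;
    # the tunnel only needs it where routing is actually asymmetric — confirm before keeping it global.
    set_sysctl net.ipv4.conf.default.rp_filter 0
    # sysctl -a prints errors for unreadable keys; those are irrelevant here, hence 2>/dev/null.
    while IFS= read -r key; do
      set_sysctl "$key" 0
    done < <(sysctl -a 2>/dev/null | grep -E 'ipv4.*(accept|send)_redirects' | awk -F '=' '{gsub(/ /, "", $1); print $1}')
    sysctl -p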
               
  8. 開放端口
    # Disable SELinux persistently and at runtime, then allow IKE (UDP/500) and IKE NAT-T (UDP/4500) in.
    # NOTE(review): disabling SELinux is unrelated to opening ports; keep it only if a concrete
    # denial against racoon shows up in the audit log.
    sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
    setenforce 0
    # NOTE(review): these rules accept IKE from any source; for the fixed peer in this guide
    # "-s 11.11.11.11" narrows them. They are also not persisted across a reboot by themselves.
    for port in 500 4500; do
      iptables -I INPUT -p udp --dport "$port" -j ACCEPT
    done
               
  9. 啟動ipsec
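    # Load the SPD/SAD entries, and only start the IKE daemon if setkey accepted the file;
    # the original started racoon even when the policy load had failed.
    # -l writes the log to a file, -d raises the log verbosity (debug) — drop -d for normal operation.
    setkey -f /etc/racoon/setkey.conf && racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -d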
               

驗證ipsec

在國外伺服器ping國内伺服器

在國内伺服器上抓包

gre隧道建立

在ipsec隧道的基礎之上建立gre隧道,gre over ipsec

國外伺服器

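# Bring up GRE tunnel0 toward the domestic server. The GRE packets travel between the two public
# addresses, so they fall under the "any ... esp/tunnel ... require" policies in setkey.conf
# (gre over ipsec).
modprobe ip_gre
ip tunnel add tunnel0 mode gre remote 22.22.22.22 local 11.11.11.11 ttl 255
# MTU 1400 — presumably headroom for the GRE and ESP headers inside a 1500-byte path; confirm.
ip link set tunnel0 up mtu 1400
# Fix: the original assigned 192.168.122.1/24 twice (plain, then again with "peer ... /24");
# the second add has the same local address and prefix and is rejected with EEXIST
# ("RTNETLINK answers: File exists"). One assignment is enough — the /24 makes the remote
# end 192.168.122.2 directly reachable over tunnel0 for the routes added later.
ip addr add 192.168.122.1/24 dev tunnel0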
           

國内伺服器

配置gre

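# Bring up GRE tunnel0 toward the overseas server. The GRE packets travel between the two public
# addresses, so they fall under the "any ... esp/tunnel ... require" policies in setkey.conf
# (gre over ipsec).
modprobe ip_gre
ip tunnel add tunnel0 mode gre remote 11.11.11.11 local 22.22.22.22 ttl 255
# MTU 1400 — presumably headroom for the GRE and ESP headers inside a 1500-byte path; confirm.
ip link set tunnel0 up mtu 1400
# Fix: the original assigned 192.168.122.2 twice, first as /24 and then as "/30 peer .../24";
# the second add is redundant and its prefix lengths contradict the first (and the /24 used by
# the NAT rule below). One /24 assignment keeps both hosts consistent and makes the remote end
# 192.168.122.1 directly reachable over tunnel0.
ip addr add 192.168.122.2/24 dev tunnel0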
           

nat轉發

# Rewrite the source of tunnel-originated traffic to the domestic server's public address so
# replies come back here. "--to-source" is the full spelling of the "--to" abbreviation.
# NOTE(review): without "-o <public iface>" the rule also matches traffic leaving via other
# interfaces, tunnel0 included — confirm that is intended.
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j SNAT --to-source 22.22.22.22
           

配置路由

第一:管理位址和隧道對端要走靜態路由走公網

第二:通路國内ip走隧道

# Pin the tunnel endpoint to the public gateway so the encapsulated traffic can never be routed
# into the tunnel it carries, then steer the first domestic prefix into tunnel0.
# (ip route is the iproute2 equivalent of "route add -host ... gw ...".)
ip route add 22.22.22.22/32 via 11.11.11.1
ip route add 1.0.1.0/24 via 192.168.122.2 dev tunnel0
           
vim /etc/sysconfig/network-scripts/route-eth0

22.22.22.22 via 11.11.11.1 dev eth0
124.98.111.5 via 11.11.11.1 dev eth0
1.0.1.0/24 via 192.168.122.2 dev tunnel0
1.0.2.0/23 via 192.168.122.2 dev tunnel0
1.0.8.0/21 via 192.168.122.2 dev tunnel0
1.0.32.0/19 via 192.168.122.2 dev tunnel0
1.1.0.0/24 via 192.168.122.2 dev tunnel0
1.1.2.0/23 via 192.168.122.2 dev tunnel0
           
