Setting up an IPsec + GRE tunnel
Deployment requirement: build a tunnel between a domestic (China) server and an overseas server. When overseas users reach overseas resources, the traffic goes out through the local network; when they reach domestic resources, it goes through the tunnel into the domestic network.
Building the IPsec tunnel
Firewall
The original procedure disables the firewall outright. What the tunnel actually needs is UDP 500 and 4500 for IKE (opened in a later step) and, if the INPUT policy is DROP, ESP (IP protocol 50) from the peer plus GRE (IP protocol 47) from the peer, because the decapsulated inner packet is re-injected into the IP stack and passes INPUT again. Opening those is preferable to turning the firewall off.
Overseas server
- Install the yum repository
yum install wget vim -y
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
yum makecache
- Install ipsec-tools
yum install ipsec-tools openssl compat-openldap -y
- Configure IPsec
The configuration lives in /etc/racoon and has four parts: the pre-shared key file (psk.txt), the racoon configuration (racoon.conf), kernel parameters, and the policies and tunnel keys (setkey.conf). Follow the steps below in order.
(1) Configure the pre-shared key. Each line of psk.txt is `<peer identifier> <key>`; here the identifier is 84572622 and the key is 0x84572622 (racoon reads a value that starts with 0x as hex). The 0x84572622 that appears later in setkey.conf is the SPI of the manually keyed SA, which is a separate value; the two only happen to coincide in this example. The file must not be readable by group or others, otherwise racoon refuses to use it.
echo "84572622 0x84572622" > /etc/racoon/psk.txt
chmod 700 /etc/racoon/psk.txt
(2) Configure the racoon configuration file
vim /etc/racoon/racoon.conf
path include "/etc/racoon";
include "remote.conf";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
#log debug;

listen {
    isakmp 11.11.11.11 [500];
    isakmp_natt 11.11.11.11 [4500];
}

remote anonymous {
    exchange_mode main, aggressive, base;
    mode_cfg on;
    proposal_check obey;    # obey, strict, or claim
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;
    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm 3des, aes, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.8.8,114.114.114.114;
    banner "/etc/racoon/motd";
    save_passwd on;
    network4 11.11.11.11;
    netmask4 255.255.254.0;
    pool_size 100;
    pfs_group 2;
}
Two things to note. First, remote.conf is included here but is not shown on this page; racoon will not start if the file is missing, so either create it or comment the include out as the domestic server does. Second, the remote/mode_cfg/xauth block serves IKE/XAuth clients that connect to this host (the mode_cfg pool hands out addresses to them); it plays no part in the site-to-site tunnel, which is keyed manually in setkey.conf in the next step and never goes through IKE. The proposal also uses 3DES, MD5 and DH group 2, all of which are weak by current standards; prefer aes, sha256 and dh_group 14 for any client that supports them.
(3) Configure the IPsec policies and manual SAs
vim /etc/racoon/setkey.conf
#flush SAD entries
flush;
#flush SPD entries
spdflush;
#add SP entries
spdadd 22.22.22.22[any] 11.11.11.11[any] any -P in ipsec esp/tunnel/22.22.22.22-11.11.11.11/require;
spdadd 11.11.11.11[any] 22.22.22.22[any] any -P out ipsec esp/tunnel/11.11.11.11-22.22.22.22/require;
#add SA entries
# Using ESP tunnel:
add 22.22.22.22 11.11.11.11 esp 0x84572622 -m tunnel -E 3des-cbc 0x5152535455565758595a5b5c5d5e5f606162636465666768 -A hmac-sha1 0x5152535455565758595a5b5c5d5e5f6061626364;
add 11.11.11.11 22.22.22.22 esp 0x84572622 -m tunnel -E 3des-cbc 0x0102030405060708090a0b0c0d0e0f101112131415161718 -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
The two spdadd lines require ESP in tunnel mode for all traffic (any protocol) between the two public addresses, inbound and outbound. The two add lines are the security associations themselves, one per direction, with static keys; they are identical on both hosts, only the policies flip. The keys shown are placeholders (consecutive bytes 0x51..0x68 and 0x01..0x18) and must be replaced with random keys of the right length: 24 bytes for 3des-cbc and 20 bytes for hmac-sha1, generated separately for each direction and each algorithm. Manually keyed SAs are never rekeyed, so choose the keys well and rotate them; 3DES is also a weak choice and setkey accepts aes-cbc and hmac-sha256.
(4) Adjust kernel parameters
sed -i 's/^\(net.ipv4.ip_forward =\).*/\1 1/' /etc/sysctl.conf
sed -i 's/^\(net.ipv4.conf.default.rp_filter =\).*/\1 0/' /etc/sysctl.conf
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
sysctl -p
This enables forwarding, turns off reverse-path filtering for interfaces created afterwards (which covers tunnel0, but not eth0; set net.ipv4.conf.all.rp_filter as well if return paths are asymmetric) and disables ICMP redirects in both directions.
(5) Open the ports
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
Disabling SELinux is a convenience the original takes; leave it enforcing unless racoon actually logs AVC denials.
(6) Start IPsec
setkey -f /etc/racoon/setkey.conf
racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -d
Load the policies and SAs with setkey first, then start racoon. -l writes the log to the given file and -d raises the log level; drop -d once the tunnel is stable.
Domestic server
The domestic server is the single exit point for all packets that leave through the tunnel.
- Install the yum repository
yum install wget vim -y
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
yum makecache
- Install ipsec-tools
yum install ipsec-tools openssl compat-openldap -y
- Configure IPsec
The configuration lives in /etc/racoon and has the same four parts as on the overseas server: the pre-shared key file (psk.txt), the racoon configuration (racoon.conf), kernel parameters, and the policies and tunnel keys (setkey.conf).
- Configure the pre-shared key. As before, each line of psk.txt is `<peer identifier> <key>`: identifier 84572622, key 0x84572622. The 0x84572622 in setkey.conf is the SPI of the manual SA and is unrelated to this key.
echo "84572622 0x84572622" > /etc/racoon/psk.txt
chmod 700 /etc/racoon/psk.txt
- Configure the racoon configuration file
vim /etc/racoon/racoon.conf
path include "/etc/racoon";
#include "remote.conf";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
#log debug;

listen {
    isakmp 22.22.22.22 [500];
    isakmp_natt 22.22.22.22 [4500];
}

remote anonymous {
    exchange_mode main, aggressive, base;
    mode_cfg on;
    proposal_check obey;    # obey, strict, or claim
    nat_traversal on;
    generate_policy unique;
    ike_frag on;
    passive on;
    dpd_delay 30;
    proposal {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm 3des, aes, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    dns4 8.8.8.8,114.114.114.114;
    banner "/etc/racoon/motd";
    save_passwd on;
    network4 22.22.22.22;
    netmask4 255.255.255.240;
    pool_size 100;
    pfs_group 2;
}
The only differences from the overseas server are the listen addresses, the mode_cfg pool and the commented-out include of remote.conf. As on the other side, this racoon configuration only serves IKE/XAuth clients; the site-to-site SAs are keyed manually in setkey.conf.
- Configure the IPsec policies and manual SAs
vim /etc/racoon/setkey.conf
#flush SAD entries
flush;
#flush SPD entries
spdflush;
#add SP entries
spdadd 11.11.11.11[any] 22.22.22.22[any] any -P in ipsec esp/tunnel/11.11.11.11-22.22.22.22/require;
spdadd 22.22.22.22[any] 11.11.11.11[any] any -P out ipsec esp/tunnel/22.22.22.22-11.11.11.11/require;
#add SA entries
# Using ESP tunnel:
add 22.22.22.22 11.11.11.11 esp 0x84572622 -m tunnel -E 3des-cbc 0x5152535455565758595a5b5c5d5e5f606162636465666768 -A hmac-sha1 0x5152535455565758595a5b5c5d5e5f6061626364;
add 11.11.11.11 22.22.22.22 esp 0x84572622 -m tunnel -E 3des-cbc 0x0102030405060708090a0b0c0d0e0f101112131415161718 -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
The policies are the mirror image of the overseas server's (in from 11.11.11.11, out to 11.11.11.11); the two add lines must be byte-for-byte the same as on the overseas server, including the SPI and the keys, or the SAs will not match. Replace the placeholder keys with the same random keys you generated for the other side.
- Adjust kernel parameters
sed -i 's/^\(net.ipv4.ip_forward =\).*/\1 1/' /etc/sysctl.conf
sed -i 's/^\(net.ipv4.conf.default.rp_filter =\).*/\1 0/' /etc/sysctl.conf
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
sysctl -p
- Open the ports
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
- Start IPsec
setkey -f /etc/racoon/setkey.conf
racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -d
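The two setkey.conf files above are easy to get subtly wrong: a policy pointing the wrong way, an add line that differs between the hosts, a key of the wrong length, or the placeholder keys left in place. The following is an added example, not code from the original page: it lints one host's setkey.conf against those rules and generates a fresh, matching pair for both endpoints. The addresses, SPI and placeholder keys in PAGE_CONF are copied from this page; the lint rules and the aes-cbc/hmac-sha256 defaults of the generator are this example's own choices (both algorithms are accepted by setkey(8)).

```python
"""Lint a manual-SA setkey.conf and generate a fresh, matching pair for both tunnel ends."""
import os
import re

# Key sizes (bytes) setkey(8) accepts for the algorithms used here.
CIPHER_KEY_BYTES = {"3des-cbc": (24,), "aes-cbc": (16, 24, 32)}
AUTH_KEY_BYTES = {"hmac-md5": (16,), "hmac-sha1": (20,), "hmac-sha256": (32,)}
WEAK = {"3des-cbc", "hmac-md5"}

SPD_RE = re.compile(r"spdadd (\S+)\[any\] (\S+)\[any\] any -P (in|out) ipsec "
                    r"esp/tunnel/(\S+)-(\S+)/require;")
SA_RE = re.compile(r"add (\S+) (\S+) esp (0x[0-9a-fA-F]+) -m tunnel -E (\S+) 0x([0-9a-fA-F]+) "
                   r"-A (\S+) 0x([0-9a-fA-F]+);")

# The overseas host's setkey.conf as shown on this page (constructed copy, used as lint input).
PAGE_CONF = """\
flush;
spdflush;
spdadd 22.22.22.22[any] 11.11.11.11[any] any -P in ipsec esp/tunnel/22.22.22.22-11.11.11.11/require;
spdadd 11.11.11.11[any] 22.22.22.22[any] any -P out ipsec esp/tunnel/11.11.11.11-22.22.22.22/require;
add 22.22.22.22 11.11.11.11 esp 0x84572622 -m tunnel -E 3des-cbc 0x5152535455565758595a5b5c5d5e5f606162636465666768 -A hmac-sha1 0x5152535455565758595a5b5c5d5e5f6061626364;
add 11.11.11.11 22.22.22.22 esp 0x84572622 -m tunnel -E 3des-cbc 0x0102030405060708090a0b0c0d0e0f101112131415161718 -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
"""


def new_sa(src, dst, cipher="aes-cbc", auth="hmac-sha256"):
    """One manual SA with a random SPI (kept above the reserved 0-255 range) and fresh keys."""
    return {"src": src, "dst": dst,
            "spi": "0x%08x" % (int.from_bytes(os.urandom(4), "big") | 0x10000),
            "cipher": cipher, "ckey": os.urandom(max(CIPHER_KEY_BYTES[cipher])).hex(),
            "auth": auth, "akey": os.urandom(AUTH_KEY_BYTES[auth][0]).hex()}


def render(local, remote, sas):
    """setkey.conf for `local`: the SA lines are identical on both hosts, only the policies flip."""
    lines = ["flush;", "spdflush;",
             f"spdadd {remote}[any] {local}[any] any -P in ipsec esp/tunnel/{remote}-{local}/require;",
             f"spdadd {local}[any] {remote}[any] any -P out ipsec esp/tunnel/{local}-{remote}/require;"]
    lines += [f"add {s['src']} {s['dst']} esp {s['spi']} -m tunnel -E {s['cipher']} 0x{s['ckey']} "
              f"-A {s['auth']} 0x{s['akey']};" for s in sas]
    return "\n".join(lines) + "\n"


def sequential(hexkey):
    """True for keys like 0x0102..18 or 0x5152..68: consecutive bytes, i.e. a placeholder."""
    b = bytes.fromhex(hexkey)
    return len(b) > 1 and all(b[i + 1] == (b[i] + 1) & 0xFF for i in range(len(b) - 1))


def lint(conf, local):
    """Return the problems found in one host's setkey.conf (an empty list means clean)."""
    problems = []
    sas = {(m[1], m[2]): m for m in SA_RE.finditer(conf)}
    for src, dst, direction, tsrc, tdst in SPD_RE.findall(conf):
        if (src, dst) != (tsrc, tdst):
            problems.append(f"policy {src}->{dst} tunnels through {tsrc}-{tdst}")
        if (dst if direction == "in" else src) != local:
            problems.append(f"{direction} policy {src}->{dst} is not for local host {local}")
        if (src, dst) not in sas:
            problems.append(f"no manual SA for policy {src}->{dst}")
    seen = {}
    for (src, dst), m in sas.items():
        cipher, ckey, auth, akey = m[4], m[5], m[6], m[7]
        for alg, key, sizes in ((cipher, ckey, CIPHER_KEY_BYTES), (auth, akey, AUTH_KEY_BYTES)):
            if len(key) // 2 not in sizes.get(alg, ()):
                problems.append(f"SA {src}->{dst}: {alg} key is {len(key) // 2} bytes")
            if alg in WEAK:
                problems.append(f"SA {src}->{dst}: weak algorithm {alg}")
            if sequential(key):
                problems.append(f"SA {src}->{dst}: {alg} key is a sequential placeholder")
            if key in seen:
                problems.append(f"SA {src}->{dst}: {alg} key reused from SA {seen[key]}")
            seen[key] = f"{src}->{dst}"
    return problems


def same_sas(conf_a, conf_b):
    """Both ends must load exactly the same SA lines (SPI, algorithms and keys)."""
    return sorted(SA_RE.findall(conf_a)) == sorted(SA_RE.findall(conf_b))


if __name__ == "__main__":
    for p in lint(PAGE_CONF, "11.11.11.11"):
        print("page config:", p)
    sas = [new_sa("22.22.22.22", "11.11.11.11"), new_sa("11.11.11.11", "22.22.22.22")]
    overseas = render("11.11.11.11", "22.22.22.22", sas)
    domestic = render("22.22.22.22", "11.11.11.11", sas)
    assert lint(overseas, "11.11.11.11") == [] and lint(domestic, "22.22.22.22") == []
    assert same_sas(overseas, domestic)
    print(overseas)
```

Run it once, copy the two rendered files to their hosts, and re-run lint on each before `setkey -f`. Linting the page's own file reports six problems (3DES on both SAs and four placeholder keys); linting it with the wrong host as `local` additionally reports both policies pointing the wrong way, which is the mistake to watch for when copying the file between the two servers.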
Verifying IPsec
Ping the domestic server from the overseas server.
Capture packets on the domestic server. With the policies loaded, the traffic between the two public addresses must show up as ESP, not as plaintext ICMP, and the byte counters of both SAs (setkey -D) should increase with each ping. If the ping succeeds but the capture shows plaintext ICMP, the policies were not loaded on one of the two sides.
Building the GRE tunnel
The GRE tunnel is built on top of the IPsec tunnel: GRE over IPsec. Because the policies in setkey.conf cover any protocol between the two public addresses, the GRE packets (IP protocol 47) between 11.11.11.11 and 22.22.22.22 are encrypted automatically; nothing GRE-specific is needed on the IPsec side. The ESP policies are tunnel mode, which adds a second outer IP header around each GRE packet; transport mode is the usual pairing for GRE over IPsec and saves 20 bytes per packet, but tunnel mode works as configured here.
Overseas server
modprobe ip_gre
ip tunnel add tunnel0 mode gre remote 22.22.22.22 local 11.11.11.11 ttl 255
ip link set tunnel0 up mtu 1400
ip addr add 192.168.122.1/30 peer 192.168.122.2/30 dev tunnel0
The original assigns the address twice (once as /24, once with a peer); one point-to-point assignment is enough, and the /30 is the same size the domestic side uses. The MTU of 1400 leaves room for the GRE header plus the ESP tunnel-mode overhead within a 1500-byte path.
Domestic server
Configure GRE
modprobe ip_gre
ip tunnel add tunnel0 mode gre remote 11.11.11.11 local 22.22.22.22 ttl 255
ip link set tunnel0 up mtu 1400
ip addr add 192.168.122.2/30 peer 192.168.122.1/30 dev tunnel0
Again a single /30 point-to-point assignment replaces the original's two conflicting (/24 and /30) address lines; both ends must agree on the subnet or the peer is not reachable over the tunnel.
NAT forwarding
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j SNAT --to 22.22.22.22
This translates packets whose source is in 192.168.122.0/24 as they leave the domestic server, so domestic resources see them as coming from 22.22.22.22. Note that the rule matches only on that source range: traffic the overseas server forwards on behalf of its users keeps the users' own addresses and is not translated unless the overseas server first translates it to its tunnel address (192.168.122.1), or the rule is widened to match everything arriving over tunnel0. Forwarding itself was enabled in the kernel-parameter step.
Configure routing (overseas server)
First: the management host and the tunnel's public peer address must reach the public network through static routes via the real gateway, never through the tunnel. Otherwise a domestic prefix that happens to cover the peer would route the tunnel's own outer packets back into the tunnel (recursive routing) and the tunnel goes down.
Second: traffic to domestic IP ranges goes through the tunnel.
route add -host 22.22.22.22 gw 11.11.11.1
ip route add 1.0.1.0/24 via 192.168.122.2 dev tunnel0
To make the routes persistent, put them in route-eth0. In this example 11.11.11.1 is the overseas server's default gateway and 124.98.111.5 is its management host; the remaining lines are the domestic prefixes. Note that tunnel0 is created by hand above and does not survive a reboot, so the tunnel0 lines in this file only take effect if the tunnel is brought up as well (an ifcfg-tunnel0 with TYPE=GRE, or the ip tunnel commands in rc.local).
vim /etc/sysconfig/network-scripts/route-eth0
22.22.22.22 via 11.11.11.1 dev eth0
124.98.111.5 via 11.11.11.1 dev eth0
1.0.1.0/24 via 192.168.122.2 dev tunnel0
1.0.2.0/23 via 192.168.122.2 dev tunnel0
1.0.8.0/21 via 192.168.122.2 dev tunnel0
1.0.32.0/19 via 192.168.122.2 dev tunnel0
1.1.0.0/24 via 192.168.122.2 dev tunnel0
1.1.2.0/23 via 192.168.122.2 dev tunnel0
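The two routing rules above (public path for the peer and the management host, tunnel for the domestic prefixes) are worth checking mechanically before a long prefix list is applied, because one prefix that covers the peer takes the tunnel down and a host route is the only thing that prevents it. The following is an added example, not code from the original page: it checks a routing plan for recursive routing, overlapping prefixes and a mismatched tunnel subnet, then renders the route-eth0 lines. The prefixes, addresses and 11.11.11.1 as the public gateway are taken from this page; reading 124.98.111.5 as the management host and using a /30 for the tunnel addresses are this example's assumptions.

```python
"""Sanity-check the split-routing plan for the GRE-over-IPsec tunnel and render route-eth0."""
import ipaddress

# Data from this page: domestic prefixes that go through the tunnel, and the public
# addresses that must always take the real gateway (tunnel peer, management host).
PAGE_PREFIXES = ["1.0.1.0/24", "1.0.2.0/23", "1.0.8.0/21", "1.0.32.0/19", "1.1.0.0/24", "1.1.2.0/23"]
PAGE_PUBLIC_HOSTS = ["22.22.22.22", "124.98.111.5"]
PAGE_GATEWAY = "11.11.11.1"


def check_plan(tunnel_prefixes, host_routes, public_hosts, local_inner, peer_inner):
    """Return the problems in a routing plan (an empty list means it is safe to apply).

    tunnel_prefixes: destinations routed via the GRE tunnel
    host_routes:     /32 routes configured via the public gateway
    public_hosts:    addresses that must never enter the tunnel (peer, management host)
    local_inner/peer_inner: tunnel addresses, e.g. "192.168.122.1/30" and "192.168.122.2"
    """
    problems, nets = [], []
    for p in tunnel_prefixes:
        try:
            nets.append(ipaddress.ip_network(p))      # strict: host bits must be zero
        except ValueError as err:
            problems.append(f"bad prefix {p}: {err}")
    if len(list(ipaddress.collapse_addresses(nets))) != len(nets):
        problems.append("tunnel prefix list has overlapping or mergeable entries")
    for host in public_hosts:
        if host in host_routes:
            continue                                  # the /32 wins longest-prefix match
        hit = [str(n) for n in nets if ipaddress.ip_address(host) in n]
        if hit:
            problems.append(f"{host} would be routed into the tunnel by {hit[0]} (recursive routing)")
        else:
            problems.append(f"{host} has no host route via the public gateway")
    local = ipaddress.ip_interface(local_inner)
    peer = ipaddress.ip_address(peer_inner)
    if peer not in local.network or peer == local.ip:
        problems.append(f"tunnel peer {peer_inner} is not in the tunnel subnet {local.network}")
    return problems


def render_route_file(host_routes, gateway, tunnel_prefixes, peer_inner, dev="eth0", tunnel_dev="tunnel0"):
    """Lines for route-eth0: public host routes first, then the prefixes routed via the tunnel."""
    lines = [f"{h} via {gateway} dev {dev}" for h in host_routes]
    lines += [f"{p} via {peer_inner} dev {tunnel_dev}" for p in tunnel_prefixes]
    return lines


if __name__ == "__main__":
    problems = check_plan(PAGE_PREFIXES, PAGE_PUBLIC_HOSTS, PAGE_PUBLIC_HOSTS,
                          "192.168.122.1/30", "192.168.122.2")
    print("problems:", problems or "none")
    print("\n".join(render_route_file(PAGE_PUBLIC_HOSTS, PAGE_GATEWAY, PAGE_PREFIXES, "192.168.122.2")))
    # Constructed bad plan: a prefix covering the peer, a redundant /24, no host route for the peer,
    # and a peer address outside the tunnel /30.
    bad = check_plan(PAGE_PREFIXES + ["22.22.0.0/16", "1.0.2.0/24"], ["124.98.111.5"], PAGE_PUBLIC_HOSTS,
                     "192.168.122.1/30", "192.168.122.5")
    print("\n".join(bad))
```

The page's own plan passes cleanly and renders the eight lines of the route-eth0 file above. The constructed bad plan shows what the check catches: with the peer's /32 missing, a prefix such as 22.22.0.0/16 would pull the tunnel's outer packets into the tunnel itself.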