In recent years tunneling has mostly been used for hybrid-cloud scenarios: connecting a cloud environment to your own IDC, or connecting cloud A to cloud B. This article covers the case of two clouds connected through Linux servers acting as the IPsec endpoints.
The underlying principles are not covered here; the focus is on the concrete setup steps. Two scripts are used to build the tunnel environment.
configIPsec.sh
```bash
#!/bin/bash
# On CentOS 7 the "openswan" package name installs Libreswan (see the
# "Libreswan 3.15 (netkey)" line in the ipsec verify output below)
yum install -y openswan lsof

# Kernel settings. The ones the tunnel actually depends on, and that ipsec verify
# checks, are ip_forward=1, rp_filter=0 and the disabled ICMP redirects. The TCP
# and swappiness lines are general host tuning carried over from the original
# script and are not needed for IPsec; tcp_tw_recycle was removed in kernel 4.12
# and breaks clients behind NAT, so drop it on anything newer than this 3.10 kernel.
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
#net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.ip_forward = 1
EOF
sysctl -p

systemctl restart ipsec
sleep 2
ipsec verify
```
After running `ipsec verify`, every status in the output below must be green: Hardware random device may be [N/A] and Opportunistic Encryption may be [DISABLED]; everything else must be [OK].
```
[root@99-5 ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 3.15 (netkey) on 3.10.0-327.18.2.el7.x86_64
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Hardware random device                              [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter                                  [OK]
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
Pluto ipsec.secret syntax                           [OK]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options            [OK]
Opportunistic Encryption                            [DISABLED]
```
Once the environment check above passes, run the following script, configTunnel.sh
```bash
#!/bin/bash
# The peer (the other cloud): its public IP and the subnet behind it
ip_remote="59.110.174.253"
ip_remote_vlan="192.168.20.0/24"
# Local public IP, looked up over plain HTTP from a third-party service. It becomes
# leftid, the identity the peer checks against its rightid, so hard-coding the
# known EIP is preferable to trusting this lookup.
ip_public=`curl http://members.3322.org/dyndns/getip`
# Local private IP on the NIC (cloud VMs sit behind 1:1 NAT, so the public IP is not
# configured on the interface) and its third octet, which names the tunnel
# (192.168.59.x -> tunnel59)
ip_private=`ifconfig | grep "inet" | grep "192.168" | awk '{print $2}' | head -n1`
net_vlan=`echo "$ip_private" | awk -F "." '{print $3}'`
subnet="192.168.59.0/24"
# Pre-shared key; must be identical on both peers. The original post used this
# date-like 8-digit value, which is far too weak: use a long random string.
token="20150509"

sed -i 's/#version 2/version 2/g' /etc/ipsec.conf
# nat_traversal= is an obsolete Libreswan option (NAT-T is always enabled) and is
# ignored; oe=off disables Opportunistic Encryption
sed -i '/protostack=netkey/a\ nat_traversal=yes\n oe=off' /etc/ipsec.conf

# 3des-sha (3DES with SHA-1, IKEv1) is what the original post used; both algorithms
# are deprecated, so prefer AES-256 with SHA-2 and a DH group of at least 2048 bits
# wherever the peer supports them.
cat >> /etc/ipsec.d/tunnel"$net_vlan".conf <<EOF
conn tunnel$net_vlan
    ike=3des-sha
    authby=secret
    phase2=esp
    phase2alg=3des-sha
    compress=no
    pfs=yes
    type=tunnel
    left=$ip_private
    leftid=$ip_public
    leftsubnet=$subnet
    leftnexthop=%defaultroute
    right=$ip_remote
    rightid=$ip_remote
    rightsubnet=$ip_remote_vlan
    rightnexthop=%defaultroute
    auto=start
EOF
# 0.0.0.0 is the any-local-address wildcard in ipsec.secrets
echo "0.0.0.0 $ip_remote : PSK \"$token\"" >> /etc/ipsec.secrets
systemctl restart ipsec
```
Once configured, bring the tunnel up:
```
ipsec auto --up tunnelName
```
Note: tunnelName is generated by the script above from the third octet of the local private network (for 192.168.59.0/24 it is tunnel59); substitute the name that was generated.
Once one side is configured, configure and start the tunnel on the peer the same way, with ip_remote, ip_remote_vlan and subnet set for the opposite direction and the same pre-shared key.
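As an added example (not the post's scripts), the following shell functions generate the same kind of conn block and ipsec.secrets line as configTunnel.sh, but with AES-256, SHA-2 and a 2048-bit DH group instead of 3des-sha, a random 256-bit PSK instead of a date, and a secrets index keyed on both peer identities instead of the 0.0.0.0 wildcard. It also flags weak algorithm lines in an existing conn, and lists the commands to verify the tunnel once both peers are up. Nothing is written to /etc; the output is printed for review. Assumptions: Libreswan 3.x conn syntax on the netkey/XFRM stack and IKEv1 with PSK as in the post; the local private IP 192.168.59.12 and public IP 203.0.113.10 are constructed values, while the peer values are the post's.

```sh
#!/bin/sh
# Added example, not the original post's code. Generates a Libreswan conn and PSK
# line with current algorithms, derives the tunnel name the way configTunnel.sh
# does, and checks conn text for weak algorithms. Assumes Libreswan 3.x syntax.
# 192.168.59.12 and 203.0.113.10 below are constructed local addresses.

# tunnel_name PRIVATE_IP -> tunnel<third octet>, matching the post's naming
tunnel_name() {
  printf 'tunnel%s\n' "$(printf '%s' "$1" | cut -d. -f3)"
}

# gen_psk -> 256-bit random pre-shared key as 64 hex characters
gen_psk() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  printf '\n'
}

# gen_conn NAME LEFT LEFTID LEFTSUBNET RIGHT RIGHTSUBNET
# left is the address on the NIC (behind the cloud's 1:1 NAT); leftid is the public
# address the peer sees, which the peer must configure as its rightid.
gen_conn() {
  cat <<EOF
conn $1
    authby=secret
    # AES-256 / SHA-2 / 2048-bit DH in place of the post's 3des-sha
    ike=aes256-sha2_256;modp2048
    phase2=esp
    phase2alg=aes256-sha2_256;modp2048
    pfs=yes
    compress=no
    type=tunnel
    left=$2
    leftid=$3
    leftsubnet=$4
    leftnexthop=%defaultroute
    right=$5
    rightid=$5
    rightsubnet=$6
    rightnexthop=%defaultroute
    auto=start
EOF
}

# gen_secret LEFTID RIGHT PSK -> ipsec.secrets line indexed on both identities
gen_secret() {
  printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# weak_algs_in < conn-text: print ike=/phase2alg=/esp= lines that use 3DES, MD5,
# SHA-1 or DH groups below 2048 bits; return 0 when none are found, 1 otherwise
weak_algs_in() {
  if grep -E '^[[:space:]]*(ike|phase2alg|esp)=.*(3des|md5|-sha$|-sha1|modp1024|modp768)'; then
    return 1
  fi
  return 0
}

# Demo: the post's peer values with constructed local addresses
name=$(tunnel_name 192.168.59.12)      # tunnel59
psk=$(gen_psk)
gen_conn "$name" 192.168.59.12 203.0.113.10 192.168.59.0/24 59.110.174.253 192.168.20.0/24
gen_secret 203.0.113.10 59.110.174.253 "$psk"

# The post's original algorithm lines fail the check
printf 'conn old\n    ike=3des-sha\n    phase2alg=3des-sha\n' | weak_algs_in \
  || echo "weak algorithms found in the lines above"

# After installing the files on both peers (same PSK, left/right swapped):
#   ipsec auto --add tunnel59 && ipsec auto --up tunnel59
#   ipsec status | grep -E 'ISAKMP SA established|IPsec SA established'
#   ip xfrm state    # one ESP SA per direction, enc cbc(aes) auth hmac(sha256)
#   ip xfrm policy   # in/out/fwd policies for 192.168.59.0/24 <-> 192.168.20.0/24
#   ping -I 192.168.59.12 <host in 192.168.20.0/24>
```

The conn text is printed rather than appended to /etc/ipsec.d so that it can be diffed against the peer's configuration before either side restarts pluto; a mismatch in ike= or phase2alg= between the two sides is the most common reason `ipsec auto --up` stalls in STATE_MAIN_I1 with no proposal chosen.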
References:
http://blog.leanote.com/post/251689658@qq.com/阿里云openwan与网康实现IPsec对接