{"id":1814,"date":"2018-05-09T16:03:27","date_gmt":"2018-05-09T08:03:27","guid":{"rendered":"https:\/\/blog.nuface.tw\/?p=1814"},"modified":"2018-05-10T10:17:31","modified_gmt":"2018-05-10T02:17:31","slug":"ipsce-vpn-%e5%bb%ba%e7%ab%8b%e7%ad%86%e8%a8%98","status":"publish","type":"post","link":"https:\/\/blog.nuface.tw\/?p=1814","title":{"rendered":"IPSCE VPN \u5efa\u7acb\u7b46\u8a18"},"content":{"rendered":"

\u4f7f\u7528\u4e86 Open VPN \u591a\u5e74\u5f8c\uff0c\u6700\u8fd1\u5de5\u4f5c\u7684\u9700\u8981\uff0c\u5fc5\u9808\u4f7f\u7528\u5230 IPSEC\u4f86\u5efa\u7acb site to site \u7684VPN\u3002\u505a\u500b\u7b46\u8a18\uff0c\u65e5\u5f8c\u53ef\u4ee5\u67e5\u95b1\u3002<\/p>\n


\n\"secure<\/p>\n

\u9ede\u5c0d\u9ede\u5169\u7aef\u7684\u4f5c\u696d\u7cfb\u7d71\uff0c\u9810\u8a08\u4f7f\u7528 CentOS 7 <\/p>\n

\n\uff11\uff0e\u5169\u5730Server \u5efa\u7acb\u8d77IPSEC VPN \u9023\u7dda\u3002
\n\uff12\uff0e\u5169\u5730Server \u5167\u7684\u5404\u81eaUser \u53ef\u4ee5\u76f4\u63a5\u4e92\u76f8\u8a2a\u554f\uff0c\u4e0d\u7528\u505aNAT\uff0c\u53ef\u76f4\u63a5\u4f7f\u7528User \u79c1\u6709IP\u3002\n<\/p><\/blockquote>\n

\u5148\u898f\u5283\u4e00\u4e0b\u5169\u5730\u7684\u72c0\u6cc1<\/p>\n

\"site<\/p>\n

Site A <\/p>\n

\n\u5323\u9053\u5668\u4f7f\u7528 192.168.131.137 IP \u4e0a\u3000internet
\n\u5167\u90e8IP 10.10.100.1
\n\u4f7f\u7528\u8005\u5167\u90e8\u7db2\u6bb5 10.10.100.0 \/ 24\n<\/p><\/blockquote>\n

Site B <\/p>\n

\n\u5323\u9053\u5668\u4f7f\u7528 192.168.131.43 IP \u4e0a\u3000internet
\n\u5167\u90e8IP 10.10.200.1
\n\u4f7f\u7528\u8005\u5167\u90e8\u7db2\u6bb5 10.10.200.0 \/ 24\n<\/p><\/blockquote>\n

\u5169\u7aef\u5323\u9053\u5668\u7cfb\u7d71\u4f7f\u7528 CentOS 7\uff0c\u57fa\u672c\u5b89\u88dd\uff0c\u4e4b\u5f8c\u52a0\u5b89\u88dd epel-release ipsec-tools<\/p>\n

\nyum install epel-release
\nyum install ipsec-tools\n<\/p><\/blockquote>\n

\u4e0d\u6e05\u695a\u4e5f\u6c92\u7814\u7a76 NetworkManager.service \u8ddf firewalld.service \u9019\u5169\u500b\u670d\u52d9, \u6240\u4ee5\u6211\u6703\u505c\u7528\u3002<\/p>\n

\nsystemctl disable NetworkManager.service
\nsystemctl disable firewalld.service\n<\/p><\/blockquote>\n

\u5728\u555f\u52d5 IPsec \u9023\u7dda\u524d\uff0c\u6838\u5fc3\u4e2d\u5fc5\u9808\u555f\u7528 IP forwarding\u3002
\n\u53ef\u4ee5\u4f7f\u7528<\/p>\n

\necho “1” > \/proc\/sys\/net\/ipv4\/ip_forward\n<\/p><\/blockquote>\n

\u4e5f\u53ef\u4ee5\u4fee\u6539 \/etc\/sysctl.conf \u6a94\u6848\uff0c\u52a0\u5165 net.ipv4.ip_forward = 1 \u4e4b\u5f8c\uff0c\u57f7\u884c\u4e0b\u5217\u6307\u4ee4\u4ee5\u4f7f\u8b8a\u66f4\u751f\u6548\uff1a<\/p>\n

\nsysctl -p \/etc\/sysctl.conf\n<\/p><\/blockquote>\n

\u8a2d\u5b9aSide A \u7684IPSEC1 \u670d\u52d9\u5668\uff0c\u65b0\u589e\u4e00\u500b\u7db2\u8def\u8a2d\u5b9a\u6a94 ipsec1 \u547d\u540d\u70ba \/etc\/sysconfig\/network-scripts\/ifcfg-ipsec1
\n\u5167\u5bb9\u5982\u4e0b\uff1a<\/p>\n

\nTYPE=IPSEC
\nONBOOT=no
\nIKE_METHOD=PSK
\nSRCGW=10.10.100.1
\nDSTGW=10.10.200.1
\nSRCNET=10.10.100.0\/24
\nDSTNET=10.10.200.0\/24
\nDST=192.168.131.143\n<\/p><\/blockquote>\n

ONBOOT = yes \u6216 no \u770b\u5be6\u969b\u9700\u8981
\nIKE_METHOD = PSK \u4f7f\u7528\u9810\u5148\u5171\u4eab\u91d1\u9470\u7684\u52a0\u5bc6\u65b9\u6cd5
\nSRCGW=10.10.100.1 \u4f86\u6e90\u9598\u9053\u5668\uff0c\u4e5f\u5c31\u662f\u5340\u7db2 A \u7684\u9598\u9053\u5668 IP \u4f4d\u5740
\nDSTGW=10.10.200.1 \u76ee\u7684\u5730\u7684\u9598\u9053\u5668\uff0c\u4e5f\u5c31\u662f\u5340\u7db2 B \u7684\u9598\u9053\u5668 IP \u4f4d\u5740
\nSRCNET=10.10.100.0\/24 \u4f86\u6e90\u7db2\u8def\uff0c\u4e5f\u5c31\u662f\u5340\u7db2 A \u7684\u7db2\u8def\u7bc4\u570d
\nDSTNET=10.10.200.0\/24 \u76ee\u7684\u5730\u7db2\u8def\uff0c\u4e5f\u5c31\u662f\u5340\u7db2 B \u7684\u7db2\u8def\u7bc4\u570d
\nDST=192.168.131.143 \u76ee\u7684\u5730 IP \u4f4d\u5740\uff0c\u4e5f\u5c31\u662f\u5340\u7db2 B \u53ef\u88ab\u5916\u754c\u5b58\u53d6\u7684 IP \u4f4d\u5740<\/p>\n

\u8a2d\u5b9a\u9810\u5148\u5171\u4eab\u91d1\u9470 \/etc\/sysconfig\/network-scripts\/keys-ipsec1 \u5167\u5bb9\u683c\u5f0f\u5982\u4e0b\uff1a<\/p>\n

\nIKE_PSK=”xY)($89koLPy”\n<\/p><\/blockquote>\n

\u4e0a\u9762\u9019\u500b\u6a94\u5169\u908aSERVER \u4e0a\u5167\u5bb9\u5fc5\u9808\u4e00\u6a23\u3002<\/p>\n

\u5efa\u7acb\u5f8c\uff0c\u5fc5\u9808\u4fee\u6539\u6a94\u6848\u7684\u5c6c\u6027\u3002<\/p>\n

\nchmod 600 \/etc\/sysconfig\/network-scripts\/keys-ipsec1\n<\/p><\/blockquote>\n

\u63a5\u4e0b\u4f86\u770b\u9023\u7dda\u52a0\u5bc6\u7684\u9700\u6c42\uff0c\u8abf\u6574\u8a2d\u5b9a\u6a94 \/etc\/racoon\/racoon.conf<\/p>\n

\npath pre_shared_key “\/etc\/racoon\/psk.txt”;
\npath certificate “\/etc\/racoon\/certs”;
\npath script “\/etc\/racoon\/scripts”;<\/p>\n

sainfo anonymous
\n{
\n #pfs_group 2;
\n lifetime time 1 hour ;
\n encryption_algorithm 3des, blowfish 448, rijndael ;
\n authentication_algorithm hmac_md5 ;
\n compression_algorithm deflate ;
\n}<\/p>\n

remote anonymous
\n{
\n exchange_mode main;
\n my_identifier address;
\n peers_identifier address;
\n lifetime time 24 hour ;
\n proposal {
\n encryption_algorithm 3des;
\n hash_algorithm md5;
\n authentication_method pre_shared_key ;
\n dh_group 2 ;
\n }<\/p>\n

}<\/p>\n

include “\/etc\/racoon\/192.168.131.143.conf”;<\/p>\n<\/blockquote>\n

\u8acb\u6ce8\u610f\u5728\u6a94\u6848\u5e95\u90e8\u7684 include \u90a3\u4e00\u884c\u53ea\u8207 IPsec \u7a7f\u96a7\u9023\u7dda\u6642\u624d\u6703\u51fa\u73fe\uff0c\u56e0\u70ba\u5b83\u662f\u5728 IPsec \u9023\u7dda\u6bcf\u6b21\u555f\u52d5\u6642\u81ea\u52d5\u7522\u751f\u7684\u3002<\/p>\n

\u4ee5\u4e0a\u70baSide A \u4f3a\u670d\u5668\u4e0a\u8a2d\u5b9a\u7684\u65b9\u5f0f\uff0c\u63a5\u4e0b\u4f86\u8a2d\u5b9a Side B <\/p>\n

\u8a2d\u5b9aSide B \u7684IPSEC2 \u670d\u52d9\u5668\uff0c\u65b0\u589e\u4e00\u500b\u7db2\u8def\u8a2d\u5b9a\u6a94 ipsec2 \u547d\u540d\u70ba \/etc\/sysconfig\/network-scripts\/ifcfg-ipsec2
\n\u5167\u5bb9\u5982\u4e0b\uff1a<\/p>\n

\nTYPE=IPSEC
\nONBOOT=no
\nIKE_METHOD=PSK
\nSRCGW=10.10.200.1
\nDSTGW=10.10.100.1
\nSRCNET=10.10.200.0\/24
\nDSTNET=10.10.100.0\/24
\nDST=192.168.131.137\n<\/p><\/blockquote>\n

\u8a2d\u5b9a\u9810\u5148\u5171\u4eab\u91d1\u9470 \/etc\/sysconfig\/network-scripts\/keys-ipsec2 \u5167\u5bb9\u683c\u5f0f\u5982\u4e0b\uff1a<\/p>\n

\nIKE_PSK=”xY)($89koLPy”\n<\/p><\/blockquote>\n

\u4e0a\u9762\u9019\u500b\u6a94\u5169\u908aSERVER \u4e0a\u5167\u5bb9\u5fc5\u9808\u4e00\u6a23\u3002<\/p>\n

\u5efa\u7acb\u5f8c\uff0c\u5fc5\u9808\u4fee\u6539\u6a94\u6848\u7684\u5c6c\u6027\u3002<\/p>\n

\nchmod 600 \/etc\/sysconfig\/network-scripts\/keys-ipsec2\n<\/p><\/blockquote>\n

\u6309\u9700\u6c42\uff0c\u8abf\u6574\u8a2d\u5b9a\u6a94 \/etc\/racoon\/racoon.conf<\/p>\n

===========\u4ee5\u4e0a\u70ba\u5169\u908a\u4f3a\u670d\u5668\u8a2d\u5b9a\u7684\u5167\u5bb9============<\/p>\n

\u63a5\u8457\u8aaa\u660e\u5982\u4f55\u555f\u52d5\u53ca\u95dc\u9589IPSEC \u9023\u7dda\u3002<\/p>\n

\nIPSEC1 \u4e0a\u9762
\n\u555f\u52d5: \u4f7f\u7528 ifup ipsec1
\n\u95dc\u9589: \u4f7f\u7528 ifdown ipsec1<\/p>\n

IPSEC2 \u4e0a\u9762
\n\u555f\u52d5: \u4f7f\u7528 ifup ipsec2
\n\u95dc\u9589: \u4f7f\u7528 ifdown ipsec2\n<\/p><\/blockquote>\n

\u5982\u8981\u6e2c\u8a66 IPsec \u9023\u7dda\uff0c\u8acb\u5728\u5916\u90e8\u53ef\u5b58\u53d6\u7684\u88dd\u7f6e\u4e0a\uff08\u6b64\u4f8b\u70ba ens33\uff09\u57f7\u884c tcpdump \u5de5\u5177\u7a0b\u5f0f\uff0c\u4f86\u6aa2\u8996\u5728\u4e3b\u6a5f\uff08\u6216\u7db2\u8def\u9593\uff09\u50b3\u8f38\u7684\u7db2\u8def\u5c01\u5305\uff0c\u4e26\u4e14\u6aa2\u9a57\u5b83\u5011\u662f\u5426\u5df2\u7d93\u7d93\u7531 IPsec \u9032\u884c \u52a0\u5bc6\u3002 \u4f8b\u5982\uff0c\u5982\u8981\u6aa2\u67e5\u5340\u7db2 A \u7684 IPsec \u9023\u7dda\u72c0\u6cc1\uff0c\u8acb\u8f38\u5165\u4e0b\u5217\u6307\u4ee4\uff1a<\/p>\n

\ntcpdump -nn -i ens33 host 192.168.131.143\n<\/p><\/blockquote>\n

\u5c01\u5305\u4e2d\u61c9\u8a72\u542b\u6709\u4e00\u500b AH \u8868\u982d\uff0c\u800c\u4e14\u5fc5\u9808\u662f\u4e00\u500b ESP \u5c01\u5305\u3002 ESP \u8868\u793a\u8a72\u5c01\u5305\u5df2\u7d93\u52a0\u5bc6\u904e\u4e86\u3002 \u4f8b\u5982\uff08\u53cd\u659c\u7dda\u4ee3\u8868\u6307\u4ee4\u884c\u7684\u7e7c\u7e8c\uff09\uff1a<\/p>\n

\n12:24:26.155529 192.168.131.137 > 192.168.131.143: AH(spi=0x021c9834,seq=0x358): \\
\n\t 192.168.131.143 > 192.168.131.137: ESP(spi=0x00c887ad,seq=0x358) (DF) \\
\n\t (ipip-proto-4)\n<\/p><\/blockquote>\n

\u9019\u500bIPSEC \u7684\u9023\u7dda\u4f7f\u7528\u5230\u90a3\u4e9bPORT \u53e3\u8ddf\u901a\u8a0a\u5354\u5b9a\u5462?<\/p>\n

\nProtocol: UDP, port 500 (for IKE, to manage encryption keys)
\nProtocol: UDP, port 4500 (for IPSEC NAT-Traversal mode)
\nProtocol: ESP, value 50 (for IPSEC)
\nProtocol: AH, value 51 (for IPSEC)\n<\/p><\/blockquote>\n

\u6240\u4ee5\u5728\u9632\u706b\u7246\u4e0a\u5fc5\u9808\u653e\u884c\u9019\u4e9b\u5354\u5b9a\u53caPort\u53e3<\/p>\n

\niptables -A INPUT -i $EXT_NIC -p udp –dport 500 -j ACCEPT
\niptables -A INPUT -i $EXT_NIC -p udp –dport 4500 -j ACCEPT
\niptables -A INPUT -i $EXT_NIC -p 50 -j ACCEPT
\niptables -A INPUT -i $EXT_NIC -p 51 -j ACCEPT\n<\/p><\/blockquote>\n

$EXT_NIC\u8868\u793aIPSEC\u4e3b\u6a5f\u4e0a\u5c0d\u5916\u4e0a\u7db2\u7684\u7db2\u5361\uff0c\u5728\u9019\u500b\u4f8b\u5b50\u4e2d\u70ba ens33<\/p>\n

\u4ee5\u4e0a\u662f\u5c0f\u745e\u8a2d\u5b9aIPSEC \u7684\u7b46\u8a18\uff0c\u5e0c\u671b\u5c0d\u5927\u5bb6\u6709\u5e6b\u52a9\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

\u4f7f\u7528CentOS 7 \u5efa\u7acbIPSEC \u9023\u7dda<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,24],"tags":[286,287],"class_list":["post-1814","post","type-post","status-publish","format-standard","hentry","category-mistech","category-mistech-net","tag-ipsec","tag-vpn"],"_links":{"self":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/1814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1814"}],"version-history":[{"count":18,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/1814\/revisions"}],"predecessor-version":[{"id":1840,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/1814\/revisions\/1840"}],"wp:attachment":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}