配置openswan ipsecvpn
Tags: Linux
[TOC]
實驗環境:
OS: CentOS（本文的 openswan 套件與 service/chkconfig 指令對應 CentOS 6；CentOS 7 以後系統改以 libreswan（openswan 的後繼專案）取代 openswan，ipsec.conf 語法大致相容，但套件名稱與服務管理方式需相應調整）
VPC1:192.168.1.1
VPC2:192.168.2.2
安裝openswan
[root@wglee ~]# yum install openswan
編輯 /etc/ipsec.conf 文件，啟用 include /etc/ipsec.d/*.conf。注意這一行只會載入 .conf；下面建立的 *.secrets 檔案必須由 /etc/ipsec.secrets 載入，請確認該檔案中含有 include /etc/ipsec.d/*.secrets，否則 PSK 不會被讀取。
[root@wglee ~]# sudo vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# Keep debugging off in production: verbose pluto/klips logs expose
# negotiation details and grow /var/log quickly.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
# NAT traversal (UDP/4500 encapsulation) - needed when an endpoint's interface
# address differs from the public IP the peer talks to, as with a cloud instance
# behind a mapped public address.
nat_traversal=yes
# Intentionally empty here. If you fill it in, list the private ranges remote
# peers may claim and exclude your own subnets (e.g. %v4:10.0.0.0/8,%v4:!<local subnet>).
virtual_private=
# Opportunistic encryption (negotiating IPsec with arbitrary peers) is disabled;
# keep it off for a fixed site-to-site link.
oe=off
# Enable this if you see "failed to find any available worker"
# nhelpers=0
# Connection definitions live in /etc/ipsec.d/*.conf; the include below is
# already active, so nothing needs uncommenting. It does NOT load *.secrets -
# those must be included from /etc/ipsec.secrets (check it contains
# include /etc/ipsec.d/*.secrets).
include /etc/ipsec.d/*.conf
在/etc/ipsec.d 目錄創建以下文件
配置VPC1
[root@wglee ~]# sudo vi /etc/ipsec.d/vpc1-to-vpc2.conf
conn vpc1-to-vpc2
# Site-to-site: whole subnets are carried, so the SA is a tunnel, not transport.
type=tunnel
# Authenticate with a pre-shared key. pluto looks the key up in *.secrets by the
# two IKE identities (leftid and right below), so the secrets file must be
# indexed by exactly those values.
authby=secret
# Local endpoint is whichever interface holds the default route; leftid sets the
# identity sent in IKE to the public IP - presumably because the instance sits
# behind NAT and its interface address differs from the public one.
left=%defaultroute
leftid=<VPC1的外網IP>
leftnexthop=%defaultroute
leftsubnet=<VPC1 子網地址>
# Remote endpoint's public IP and the subnet reachable behind it.
right=<VPC2的外網IP>
rightsubnet=<VPC2 子網地址>
# Perfect forward secrecy: a fresh DH exchange per phase-2 SA, so a later
# compromise of the PSK or an IKE SA does not reveal past traffic keys.
pfs=yes
# No ike=/phase2alg= is given, so the daemon's built-in defaults are negotiated.
# NOTE(review): consider pinning them (AES-256, SHA-2, modp2048 or stronger) and
# confirm what was actually agreed with `ipsec auto --status`; defaults of older
# openswan releases may still accept 3DES or MODP1024.
# Bring the tunnel up when the service starts rather than waiting for traffic.
auto=start
[root@wglee ~]# sudo vi /etc/ipsec.d/vpc1-to-vpc2.secrets
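# The index must be the two IKE identities used in vpc1-to-vpc2.conf: this
# side's leftid and the peer's right= address (public IPs, not subnet prefixes).
# With subnets here pluto finds no matching PSK and IKE authentication fails.
# Replace the placeholder with a long random key (e.g. openssl rand -base64 32),
# use the identical key on both sides, and keep the file root-only: chmod 600.
<VPC1的外網IP> <VPC2的外網IP>: PSK "Put a Preshared Key here!!"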
配置VPC2
[root@wglee ~]# sudo vi /etc/ipsec.d/vpc2-to-vpc1.conf
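conn vpc2-to-vpc1
# Mirror image of vpc1-to-vpc2: same tunnel mode, PSK auth and PFS.
type=tunnel
# Key is looked up in *.secrets by leftid and the right= address below.
authby=secret
# Local endpoint via the default route; leftid announces the public IP as the
# IKE identity (presumably because the instance is behind NAT).
left=%defaultroute
leftid=<VPC2的外網IP>
leftnexthop=%defaultroute
leftsubnet=<VPC2 的子網地址>
# Peer = VPC1's public IP (same value as leftid in vpc1-to-vpc2.conf); the
# original used a different placeholder (<EIP1>) for the same address.
right=<VPC1的外網IP>
rightsubnet=<VPC1 的子網地址>
# Fresh DH exchange per phase-2 SA; must match the pfs setting on the peer.
pfs=yes
# No ike=/phase2alg= is given, so built-in defaults are negotiated.
# NOTE(review): consider pinning them (AES-256, SHA-2, modp2048 or stronger),
# identically on both sides, and verify with `ipsec auto --status`.
auto=start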
[root@wglee ~]# sudo vi /etc/ipsec.d/vpc2-to-vpc1.secrets
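# Index = this side's leftid and the peer's right= address from
# vpc2-to-vpc1.conf (public IPs, not subnet prefixes); with subnets here the
# PSK is never found. The key must be identical to the one on VPC1, generated
# randomly (e.g. openssl rand -base64 32), and the file kept root-only: chmod 600.
<VPC2的外網IP> <VPC1的外網IP>: PSK "Put a Preshared Key here!!"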
啟動 IPSec/Openswan
[root@wglee ~]# sudo service ipsec start
# Configure IPSec/Openswan to always start on boot (SysV init on CentOS 6; on systemd-based releases use: systemctl enable --now ipsec)
[root@wglee ~]# sudo chkconfig ipsec on
編輯/etc/sysctl.conf
[root@wglee ~]# sudo vi /etc/sysctl.conf
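# Forward packets between the tunnel and the local subnet. This turns the host
# into a router, so restrict what may pass with iptables FORWARD rules so that
# only traffic between the two VPC subnets is relayed.
net.ipv4.ip_forward = 1
# Never accept or emit ICMP redirects: a forwarding host that honours them can
# have its routing poisoned, and `ipsec verify` reports these per interface.
# The kernel combines the `all` value with each interface's own flag, so also
# set the `default` template so newly created interfaces start at 0.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0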
重啟網路
[root@wglee ~]# service network restart   # 或直接執行 sudo sysctl -p 載入 /etc/sysctl.conf，再以 sysctl net.ipv4.ip_forward 確認已生效
檢查 VPN 狀態
#下面的命令可以在檢查或故障排除 VPN 狀態時有所幫助:
[root@wglee ~]# sudo ipsec verify
#檢查 OpenSWAN 所需的系統設定（核心參數、ICMP redirect 等）與服務是否正常運行
[root@wglee ~]# sudo service ipsec status
#檢查 OpenSWAN 服務的狀態和 VPN 隧道；ipsec auto --status 可進一步列出已協商的 IKE/ESP 參數，用來確認沒有退回弱演算法
來源: https://aws.amazon.com/articles/5472675506466066