Building a VPN server on Azure with Openswan

Anyone who has used Azure knows that VNet has always been something Azure is proud of, especially its VPN offering. Azure provides two kinds of VPN plus a dedicated circuit to protect customer data: S2S VPN (site-to-site, IPsec-based), P2S VPN (point-to-site, SSTP-based), and ExpressRoute, a dedicated line connected over a physical link or an MPLS network. One thing worth pointing out: behind an Azure VPN gateway sit two machines running as an HA pair of VPN servers, backed by an SLA, which neither Alibaba Cloud nor AWS offers; Azure VPN links go up to 200 Mbps, peer over BGP with all three carriers (China Mobile, China Unicom, China Telecom) and reach the backbone in a single hop. So Azure's VPN is no empty boast; we really can deliver!

I have always believed that weakness and strength are only a matter of perspective. I once had a customer (no names, just the scenario) with more than 150 branch stores across the country, every branch with its own router, and a requirement that data must never cross the public internet. That leaves only VPN. Azure's VPN is normally an advantage, but here it became a disadvantage. Why? Azure's S2S VPN gateway comes in three tiers supporting only one, ten and thirty tunnels respectively, which obviously does not meet the requirement. Someone will ask: if one VPN gateway is not enough, use several. But Azure allows only one VPN gateway per VNet, and VNets are isolated from each other; that is the first reason. The second reason is the main one: a high-performance VPN gateway costs about 30,000 CNY per year, so in this case five gateways alone would run to more than 150,000, which most customers cannot bear. At that point building the VPN on a virtual machine is the better fit (and here Alibaba Cloud actually has the edge, because its VMs are cheaper). In practice it is not even that simple, which is why I have always felt there is no absolute advantage and no absolute disadvantage; what matters is what the customer is willing to hear.

Scenario: for this PoC we use the open-source Openswan. We create an A1 VM in the East data center running CentOS 6.5, install Openswan on it as the VPN server (L2TP over IPsec with a pre-shared key), configure iptables, and finally dial the server from an iPhone.

The architecture diagram and the VM creation steps are omitted. Before installing Openswan, however, two ports must be opened: UDP 500 (IKE) and UDP 4500 (NAT-T, which also carries the ESP traffic because the Azure VM sits behind NAT). In ASM this is done with endpoints, in ARM with an NSG rule. Do not open UDP 1701 (L2TP) to the internet: L2TP must only ever be reached inside the IPsec transport SA. The configuration steps are omitted; the result looks like this:

SSH into the VM and install Openswan

First confirm the OS version: cat /etc/redhat-release

Configure the yum repository

sudo vim /etc/yum.repos.d/epel.repo

[epel]
name=epel
baseurl=http://mirrors.sohu.com/fedora-epel/6/$basearch
enabled=1
gpgcheck=0

Save the file; you should then see the following. One caveat: gpgcheck=0 turns off RPM signature checking for everything pulled from this mirror, so a spoofed or compromised mirror could hand you trojaned packages that end up running as root. For anything beyond a throwaway PoC, set gpgcheck=1 and point gpgkey at the EPEL 6 signing key.

First install the build dependencies with yum

sudo yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof

Output like the following means the installation succeeded.

Next install IPsec: download, unpack, build and install Openswan

sudo wget https://download.openswan.org/openswan/openswan-2.6.49.tar.gz --no-check-certificate
sudo tar vxf openswan-2.6.49.tar.gz
cd openswan-2.6.49
sudo make programs install

Two notes. --no-check-certificate makes wget accept any TLS certificate, so the tarball could be swapped in transit; drop the flag unless the download really fails on a CA problem, and in any case verify the archive against a checksum or signature obtained over a trusted channel before building and installing it as root. Also, cd is a shell builtin, so "sudo cd" does nothing; change directory without sudo and only run make under sudo.

Install xl2tpd from EPEL via yum

sudo yum install -y xl2tpd

Output like the following means the installation succeeded.

Configure the services

Configure IPsec

sudo vim /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
  # Do not set debug options to debug configuration issues!
  # plutodebug / klipsdebug = "all", "none" or a combination from below:
  # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
  # eg:
  # plutodebug="control parsing"
  # Again: only enable plutodebug or klipsdebug when asked by a developer
  #
  # enable to get logs per-peer
  # plutoopts="--perpeerlog"
  #
  # Enable core dumps (might require system changes, like ulimit -C)
  # This is required for abrtd to work properly
  # Note: incorrect SElinux policies might prevent pluto writing the core
  dumpdir=/var/run/pluto/
  #
  # NAT-TRAVERSAL support, see README.NAT-Traversal
  nat_traversal=yes
  # exclude networks used on server side by adding %v4:!a.b.c.0/24
  # It seems that T-Mobile in the US and Rogers/Fido in Canada are
  # using 25/8 as "private" address space on their 3G network.
  # This range has not been announced via BGP (at least upto 2010-12-21)
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
  # OE is now off by default. Uncomment and change to on, to enable.
  oe=off
  # which IPsec stack to use. auto will try netkey, then klips then mast
  protostack=netkey
  #protostack=auto
  # Use this to log to a file, or disable logging on embedded systems (like openwrt)
  #plutostderrlog=/dev/null
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#  # Left security gateway, subnet behind it, nexthop toward right.
#  left=10.0.0.1
#  leftsubnet=172.16.0.0/24
#  leftnexthop=10.22.33.44
#  # Right security gateway, subnet behind it, nexthop toward left.
#  right=10.12.12.1
#  rightsubnet=192.168.0.0/24
#  rightnexthop=10.101.102.103
#  # To authorize this connection, but not actually start it,
#  # at startup, uncomment this.
#  #auto=add
conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv
  also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  left=10.215.92.31 # the VM's private NIC address (Azure NATs the public IP to it)
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear

When editing this file, change only the values you need and leave the existing layout alone. In particular, the parameters under config setup and under each conn must stay indented, because a non-indented line ends the section; breaking that causes confusing parse errors in later steps. Three values deserve attention: left= must be the VM's private NIC address, not its public IP, because Azure translates the public address to the VM (the original comment on that line mentioned AWS EC2, a leftover from the guide it was copied from); since that address lies inside 10.0.0.0/8, which is also in virtual_private, add %v4:!<your VNet subnet> to virtual_private as the comment there suggests, so a client whose private range overlaps the VNet cannot claim the server's own network; and pfs=no with keylife=1h is what L2TP/IPsec clients such as iOS expect, so do not "harden" those two without testing the client. If you see the following, it worked.

Configure the shared secret in ipsec.secrets

sudo vim /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# this file is managed with debconf and will contain the automatically created RSA keys
#include /var/lib/openswan/ipsec.secrets.inc
%any %any: PSK "azure"

If you see the following, it worked. A caveat: the PSK "azure" is a dictionary word shared by every client, and with %any %any it authenticates any peer against any address, so anyone who learns it can complete IKE with the server and then go after the PPP/CHAP layer behind it. Use a long random secret, and keep /etc/ipsec.secrets owned by root with mode 0600.

Configure sysctl.conf

sudo vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

If you see the following, it worked. Note that this file only clears rp_filter for net.ipv4.conf.default; the kernel applies the stricter of conf.all and the per-interface value, so if clients can connect but their traffic never comes back, set net.ipv4.conf.all.rp_filter = 0 as well.

Apply the settings and start IPsec with the following commands

sudo sysctl -p
sudo service ipsec start
ipsec verify

You should see the following.

Running ipsec verify produces output like this:

You do not need to chase every error reported here. What matters for this setup is that the checks "Pluto listening for IKE on udp 500" and "Pluto listening for NAT-T on udp 4500" pass (and that those two ports are open in the endpoint or NSG); the other complaints, such as rp_filter or send_redirects warnings on individual interfaces or Opportunistic Encryption being disabled, do not affect L2TP/IPsec and are not covered here.

Configure xl2tpd

sudo vim /etc/xl2tpd/xl2tpd.conf

;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes
ipsec saref = no
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

If you see the following, it worked. Two things to keep in mind: the client pool (ip range 192.168.1.128-192.168.1.254 and local ip 192.168.1.99) must not overlap the VNet subnet the VM sits in, and pppoptfile points at /etc/ppp/options.xl2tpd, which xl2tpd expects to exist (its contents are not shown on this page).

Configure the PPP username and password

sudo vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client server secret IP addresses
user * azure *

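The two secrets on this page, the IPsec PSK in ipsec.secrets and the CHAP password in chap-secrets, are both the word "azure". The following is an added example (not code from the original post): it generates random secrets from /dev/urandom, writes both files in the formats shown above with root-only permissions, and checks a file before relying on it. The file paths are arguments so the functions can be exercised against temporary files; the user name vpnuser and the 20-character minimum are hypothetical choices, not anything the page prescribes.

```shell
#!/bin/sh
# Added example: random secrets for /etc/ipsec.secrets and /etc/ppp/chap-secrets.
# Not from the original post. Paths are parameters; "vpnuser" is hypothetical.

# Print a random base64 secret of N bytes (default 32) on a single line.
gen_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# Write an ipsec.secrets file holding one PSK for all peers (%any %any),
# the same line format the page uses, created with mode 0600.
write_ipsec_secrets() {
    file="$1"; psk="$2"
    ( umask 077; printf '%%any %%any: PSK "%s"\n' "$psk" > "$file" )
}

# Append a chap-secrets entry in the "client server secret IP" format the
# page uses; the secret is quoted so base64 characters are safe.
write_chap_secret() {
    file="$1"; user="$2"; pass="$3"
    ( umask 077; printf '%s * "%s" *\n' "$user" "$pass" >> "$file" )
}

# Return 0 if the file is mode 0600 and every quoted secret in it is at
# least 20 characters long; return 1 otherwise (wrong mode, no secrets,
# or any short secret such as "azure").
secrets_ok() {
    file="$1"
    [ "$(stat -c %a "$file")" = "600" ] || return 1
    secrets=$(grep -v '^#' "$file" | sed -n 's/.*"\([^"]*\)".*/\1/p')
    [ -n "$secrets" ] || return 1
    printf '%s\n' "$secrets" | awk 'length($0) < 20 { bad = 1 } END { exit bad + 0 }'
}
```

On the server this would be run as root, for example write_ipsec_secrets /etc/ipsec.secrets "$(gen_secret)" followed by service ipsec restart; the same PSK then goes into the iPhone's "Secret" field and the chap-secrets password into its account password.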
Configure iptables

sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
sudo iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
sudo service iptables save

If you see the following, it worked. Note that these three rules only handle NAT and forwarding for the PPP pool; they leave the INPUT chain untouched, so make sure nothing opens UDP 1701 (L2TP) to the internet directly. xl2tpd should only be reachable for packets that arrived inside the IPsec transport SA.

Enable the services

sudo service ipsec restart
sudo service xl2tpd restart
sudo service iptables restart
sudo chkconfig xl2tpd on
sudo chkconfig iptables on
sudo chkconfig ipsec on

You should see the following.

The last step is configuring the iPhone, which is not covered here. One reminder though: some people found during testing that the iPhone could not connect to the VPN server no matter what, and even /var/log/secure and /var/log/messages showed no specific error. If that happens, it means the L2TP VPN server has been blocked, and no amount of retrying will get you connected, so my advice is to create the VM with a global Azure account, which avoids the problem. Rather than guess, confirm it first: run tcpdump -ni eth0 udp port 500 or udp port 4500 on the server while the phone dials; if no IKE packets arrive at all, the problem is upstream of the VM and nothing in its configuration will fix it.

Date: 2024-11-10 11:22:06
