用过Azure的读者都知道,Vnet一直是Azure比较自豪的地方,尤其是VPN,Azure提供了两种VPN以及专线来保证客户数据的安全性,S2S vpn(站点到站点的,基于IPsec的),P2S vpn(点到站点的,基于sstp的),专线express route是和物理链路或者MPLS网络相连接,在这里笔者要提醒大家一句,Azure的vpn身后是两台机器做HA的vpn server,是提供LSA保证的,而无论是阿里还是AWS都没有这样的服务,而且Azure最高提供带宽200M的VPN链路,三线BGP相连(移动 联通 电信),一跳进入骨干网,所以说Azure的vpn并不是吹出来的,我们是有实力的!!!
笔者一直相信一句话,弱势与优势从来只是角度的问题,曾经碰到一个客户,这里不说名字,只谈场景,这个客户在全国有150多个分店,分店都有路由设备,并且要求数据不能走公网走,这样只能考虑vpn,本来Azure的vpn是Azure的优势,但是到这里就变成了劣势,为什么?你求我啊,我就告诉你,开个玩笑,是这样的,Azure的S2S vpn网关分个三个级别,分别对应的隧道数量只有,一个,十个,三十个,显而易见不符合需求,有人肯定会问一个vpn网关不够就用多个呗,但是Azure定义一个VNet只能有一个vpn网关,Vnet之间是隔离的,这是第一个原因,第二个原因是才最主要的,一个高级VPN网关一年的费用就达到三万左右,以这里为例,光五个vpn网关的价格就达到十五万以上,这是一般客户都难以承受的,反而这个时候用虚拟机搭vpn比较合适(这样阿里反而最占优势,因为虚拟机价格便宜),其实事实也并非如此,所以我一直觉得没有什么绝对的优势也没有觉得的劣势,关键在于客户愿意去听什么。
场景:本次poc中,我们选用开源软件openswan,然后在东部数据中心建立一台A1虚拟机,OS为Centos6.5,装上openswan,作为vpnserver,配置iptables,最后使用iphone拨该服务器,达到目的
架构图这里略去,虚拟机的建立过程略去,但是在装openswan之前,我们需要配置一下端口,分别是UDP500和UDP4500,在ASM中需要配置终结点,ARM需要配置NSG,这里的配置过程省去,结果如下
SSH登陆到vm,安装openswan
先确认OS版本,输入 sudo cat /etc/redhat-release
配置yum源
sudo vim /etc/yum.repos.d/epel.repo [epel] name=epel baseurl=http://mirrors.sohu.com/fedora-epel/6/$basearch enabled=1 gpgcheck=0
编辑保存,看到如下结果。
首先通过yum安装
sudo yum install -y ppp iptables make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof
看到如下结果,说明安装成功
其次安装IPsec,下载,解压,安装
sudo wget https://download.openswan.org/openswan/openswan-2.6.49.tar.gz --no-check-certificate sudo tar vxf openswan-2.6.49.tar.gzsudo cd openswan-2.6.49sudo make programs install
通过yum安装epel里的xl2tpd
sudo yum install -y xl2tpd
看到如下结果说明安装成功
配置服务
配置IPsec
sudo vim /etc/ipsec.conf # /etc/ipsec.conf - Openswan IPsec configuration file # This file: /usr/local/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # Do not set debug options to debug configuration issues! # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" # eg: # plutodebug="control parsing" # Again: only enable plutodebug or klipsdebug when asked by a developer # # enable to get logs per-peer # plutoopts="--perpeerlog" # # Enable core dumps (might require system changes, like ulimit -C) # This is required for abrtd to work properly # Note: incorrect SElinux policies might prevent pluto writing the core dumpdir=/var/run/pluto/ # # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes # exclude networks used on server side by adding %v4:!a.b.c.0/24 # It seems that T-Mobile in the US and Rogers/Fido in Canada are # using 25/8 as "private" address space on their 3G network. # This range has not been announced via BGP (at least upto 2010-12-21) virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 # OE is now off by default. Uncomment and change to on, to enable. oe=off # which IPsec stack to use. auto will try netkey, then klips then mast protostack=netkey #protostack=auto # Use this to log to a file, or disable logging on embedded systems (like openwrt) #plutostderrlog=/dev/null # Add connections here # sample VPN connection # for more examples, see /etc/ipsec.d/examples/ #conn sample # # Left security gateway, subnet behind it, nexthop toward right. # left=10.0.0.1 # leftsubnet=172.16.0.0/24 # leftnexthop=10.22.33.44 # # Right security gateway, subnet behind it, nexthop toward left. # right=10.12.12.1 # rightsubnet=192.168.0.0/24 # rightnexthop=10.101.102.103 # # To authorize this connection, but not actually start it, # # at startup, uncomment this. # #auto=add conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=10.215.92.31 #AWS EC2 Internal IP leftprotoport=17/1701 right=%any rightprotoport=17/%any dpddelay=30 dpdtimeout=120 dpdaction=clear
在这里,笔者想提醒大家一句,在修改该文件时,尽量不要去动原有的内容格式,只修改要改的内容就好,否则会在后续的过程中出现不必要的错误,看到如下结果说明成功
配置安全规则ipsec.secrets
sudo vim /etc/ipsec.secrets # This file holds shared secrets or RSA private keys for inter-Pluto # authentication. See ipsec_pluto(8) manpage, and HTML documentation. # RSA private key for this host, authenticating it to any other host # which knows the public part. Suitable public keys, for ipsec.conf, DNS, # or configuration of other implementations, can be extracted conveniently # with "ipsec showhostkey". # this file is managed with debconf and will contain the automatically created RSA keys #include /var/lib/openswan/ipsec.secrets.inc %any %any: PSK "azure"
看到如下结果说明成功
配置sysctl.conf文件
sudo vim /etc/sysctl.conf net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1
看到如下结果则为成功
通过下面的命令,使配置生效
sudo sysctl -p sudo service ipsec start ipsec verify
看到如下结果
输入ipsec verify 会看到如下结果
在这里不需要关心errors,我们只关心我们创建的端口(udp4500和udp500正常工作就好了),其它问题引起的错误不要去纠结,这里不展开去说
配置xl2tpd
sudo vim /etc/xl2tpd/xl2tpd.conf ; ; This is a minimal sample xl2tpd configuration file for use ; with L2TP over IPsec. ; ; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec ; clients connect. In this example, the internal (protected) network ; is 192.168.1.0/24. A special IP range within this network is reserved ; for the remote clients: 192.168.1.128/25 ; (i.e. 192.168.1.128 ... 192.168.1.254) ; ; The listen-addr parameter can be used if you want to bind the L2TP daemon ; to a specific IP address instead of to all interfaces. For instance, ; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98 ; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99) ; will be used by xl2tpd as its address on pppX interfaces. [global] ; listen-addr = 192.168.1.98 ; ; requires openswan-2.5.18 or higher - Also does not yet work in combination ; with kernel mode l2tp as present in linux 2.6.23+ ; ipsec saref = yes ; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or ; when using any of the SAref kernel patches for kernels up to 2.6.35. ; saref refinfo = 30 ; ; force userspace = yes ; ; debug tunnel = yes ipsec saref = no [lns default] ip range = 192.168.1.128-192.168.1.254 local ip = 192.168.1.99 require chap = yes refuse pap = yes require authentication = yes name = LinuxVPNserver ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
看到如下结果则成功
配置ppp的用户名和密码
sudo vim /etc/ppp/chap-secrets # Secrets for authentication using CHAP # client server secret IP addresses user * azure *
配置iptables
sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE sudo iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT sudo iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT sudo service iptables save
看到如下结果说明成功
设置服务
sudo service ipsec restart sudo service xl2tpd restart sudo service iptables restart sudo chkconfig xl2tpd on sudo chkconfig iptables on sudo chkconfig ipsec on
看到如下结果
最后一步设置iphone,这一步这里就不再多说,但是在这里笔者想提醒大家一句,有人在测试的时候发现,iphone无论如何都不能连接vpn server,即使查看了/var/log/下的secure与message文件,也发现没有然后具体报错,如果遇到这种情况说明l2tp vpn server被封掉了,这时候无论你怎么连你都是连不上的,所以笔者的建议最好是以global账户来建立vm,这样就不会碰到这种情况。