本文基于centos6.5安装openswan-2.6.32-37.el6.x86_64
首先安装预环境:
yum -y install gmp gmp-devel gawk flex bison
安装软件
yum install -y openswan lsof traceroute
禁用服务器中的VPN重定向,如果有VPN重定向的话
for vpn in /proc/sys/net/ipv4/conf/*;do echo 0 > $vpn/accept_redirects;echo 0 > $vpn/send_redirects;done
我们改动内核参数,允许IP转发、永久性禁止重定向。
sed -i ‘s#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g‘ /etc/sysctl.conf
sed -i ‘s#net.ipv4.conf.default.rp_filter = 1#net.ipv4.conf.default.rp_filter = 0#g‘ /etc/sysctl.conf
查看内核参数,确保禁止重定向sysctl -a | egrep "ipv4.*(accept|send)_redirects"
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
重新装入/etc/sysctl.conf
sysctl -p
修改配置文件:vi /etc/ipsec.conf
config setup
plutodebug=all
plutostderrlog=/var/log/ipsec.log
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
# nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
修改lan-to-lan的配置文件vi /etc/ipsec.d/lan1-to-lan2.conf
conn lan1-to-lan2
type=tunnel
authby=secret
left=%defaultroute
leftid=本端公网地址1
leftnexthop=%defaultroute
leftsubnet=192.168.90.0/24
right=对端公网地址
rightsubnet=10.248.200.0/21
pfs=yes
auto=start
vi /etc/ipsec.d/idcsubnet1-to-awsvpc1.secrets #配置方式 源ID 目的ID:PSK “密码” 密码两端要配置相同
本端公网地址 对端公网地址: PSK "123456"
命令 #service ipsec start/stop/restart
设置开机启动 ,命令#chkconfig ipsec on
命令 #ipsec verify ,没有fail项即可
命令 #service ipsec status ,检查进程状态,tunnel up数量
命令 #ip xfrm policy ,检查tunnel的详细信息,源/目的subnet、下一跳等,如下图一个reqid相同的tunnel会产生3条转发策略