There is an ECS instance on Alibaba Cloud and an old laptop at home that serves as a home server; the goal is to reach that home server at any time from another laptop. The home server and the laptop are on dial-up Internet access with no fixed public IP, and these days it is rare to get a public IP at all, so the IPsec connections have to be initiated by the server and the laptop, which connect out to the Alibaba Cloud ECS that does have a public IP. The server and the laptop keep using their local networks for Internet access rather than going through the ECS; the laptop uses the ECS only to reach the home server.
For the IPsec connections to reach the ECS, the Alibaba Cloud console must allow the IPsec ports UDP 500 and UDP 4500, and the ECS's own firewall (firewalld/iptables) must open the same ports.
IPsec VPN supports several connection types, such as site-to-site between two companies or a single laptop connecting to a company network. This post uses the remote-access type, a single device connecting to an internal network (in fact no resources on the ECS itself are used; the point is mutual access between two remote devices).
IPsec VPN: remote-access connection
This connection mode is similar to Cisco's Easy VPN
The Alibaba Cloud ECS has a public IP; none of the other clients do
The requirement is only that clients can reach specific IPs on each other; clients do not access the Internet through the ECS
Topology diagram

Install strongSwan
Alibaba Cloud ECS (CentOS 7)
[root@ali_arben ~]# yum install strongswan
============================================================================
 Package          Arch       Version            Repository   Size
============================================================================
Installing:
 strongswan       x86_64     5.6.1-2.el7        epel         1.3 M
Installing for dependencies:
 trousers         x86_64     0.3.14-2.el7       base         289 k

Transaction Summary
============================================================================
Install  1 Package (+1 Dependent package)
The final summary shows that strongswan was installed but trousers failed to install:
Installed:
  strongswan.x86_64 0:5.6.1-2.el7
Failed:
  trousers.x86_64 0:0.3.14-2.el7
When creating the certificates an error said libtpm.so.1 could not be found; installing trousers fixed it:
[root@ali_arben ~]# yum install trousers
Server (Ubuntu)
root@eve-ng:~# apt-get install strongswan
Laptop (Windows 10)
Windows 10 does not need strongSwan; the VPN client built into the system can connect to the IPsec VPN.
Configure strongSwan
Alibaba Cloud ECS
Edit the configuration file /etc/strongswan/ipsec.conf
[root@ali_abc ~]# vim /etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    uniqueids=never

# default configuration
conn %default
    left=%any
    #leftsubnet=0.0.0.0/0
    leftsubnet=100.1.1.0/24
    right=%any
    rightsourceip=100.1.1.0/24
    fragmentation=yes
    auto=add
The name after conn is the connection name, the one used when bringing the ipsec connection up, e.g. ipsec up aliyun.
The connection name %default is special: the settings under it are the common settings shared by every ipsec connection.
For example, the connections "ikev1_psk_xauth" and "ikev2_cert" below have a number of settings that are exactly the same,
and those shared settings can be placed in %default.
leftsubnet=100.1.1.0/24 defines the interesting traffic on the ECS side: when the laptop accesses an address in 100.1.1.0/24,
the traffic goes through the ipsec connection to the ECS, while traffic to any other IP, such as the Internet, leaves directly through the laptop's local router.
leftsubnet=0.0.0.0/0 would instead forward the laptop's Internet traffic to the ECS.
# android
conn ikev1_psk_xauth
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    #aggressive=yes
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!

# windows 7, Linux, ikev2, cert
conn ikev2_cert
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=pubkey
    rightcert=client.cert.pem
    auto=add
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!

# windows 7, iOS9+
conn ikev2_eap
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    leftauth=pubkey
    leftcert=server.cert.pem
    leftsendcert=always
    leftid=120.77.157.111
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    fragmentation=yes
    auto=add
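To make the %default inheritance concrete, here is a small reader for ipsec.conf, added as an example; it is not code from this post or from strongSwan. It applies the two rules strongSwan's ipsec.conf format follows: section headers (config, conn, ca) start in column 0 with their parameters indented beneath them, and each conn receives every parameter of conn %default unless it sets that parameter itself. It also reports any conn whose effective leftsubnet is 0.0.0.0/0, the full-tunnel case the text warns about. SAMPLE_CONF is constructed from the ECS configuration above.

```python
"""Read an ipsec.conf and apply strongSwan's 'conn %default' inheritance.

Added example, not code from the original post or from strongSwan.
SAMPLE_CONF is constructed from the post's ECS configuration.
"""

SAMPLE_CONF = """\
config setup
    uniqueids=never

conn %default
    left=%any
    leftsubnet=100.1.1.0/24
    right=%any
    rightsourceip=100.1.1.0/24
    fragmentation=yes
    auto=add

# android
conn ikev1_psk_xauth
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth

# Windows 10 built-in client
conn ikev2_eap
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=server.cert.pem      # file name taken from the post's config
    leftid=120.77.157.111
    rightauth=eap-mschapv2
    rekey=no
"""

HEADERS = ('config', 'conn', 'ca')


def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}, ...} for every section in text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            # A line starting in column 0 must be a section header or an include;
            # a parameter there is the mistake a flattened copy of the file makes.
            kind, _, name = line.partition(' ')
            if kind == 'include':
                continue
            if kind not in HEADERS or not name.strip():
                raise ValueError(f'unexpected line at column 0: {line!r}')
            current = f'{kind} {name.strip()}'
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f'parameter before any section: {line!r}')
        key, sep, value = line.strip().partition('=')
        if not sep:
            raise ValueError(f'malformed parameter: {line!r}')
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conns(sections):
    """Merge 'conn %default' into each conn; the conn's own values win."""
    default = sections.get('conn %default', {})
    conns = {}
    for header, params in sections.items():
        if not header.startswith('conn ') or header == 'conn %default':
            continue
        merged = dict(default)
        merged.update(params)
        conns[header[len('conn '):]] = merged
    return conns


def full_tunnel_conns(conns):
    """Conns whose effective leftsubnet covers everything, which would route
    the client's Internet traffic through the ECS, as the post warns."""
    return sorted(name for name, p in conns.items()
                  if p.get('leftsubnet') in ('0.0.0.0/0', '::/0'))


if __name__ == '__main__':
    conns = effective_conns(parse_ipsec_conf(SAMPLE_CONF))
    for name, p in conns.items():
        print(name, p['keyexchange'], p['leftsubnet'], p['rightsourceip'])
    print('full-tunnel conns:', full_tunnel_conns(conns))
```

Run directly, it prints the effective settings of each conn, showing leftsubnet and rightsourceip arriving from %default while keyexchange comes from the conn itself. A file whose parameters are not indented under their section header is rejected by the reader, just as strongSwan rejects it.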
Edit the secrets file
[root@ali_abc ~]# vim /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
: RSA server.pem
: PSK "aaabbbccc"
aaa %any : XAUTH "aaa444"
aaa %any : EAP "aaa444"
The PSK is used for device authentication.
The XAUTH password is used for user authentication.
Server (Ubuntu)
Edit the configuration file
root@eve-ng:~# vim /etc/ipsec.conf
# strongSwan installed on Ubuntu uses a different directory layout from CentOS
conn aliyun
    keyexchange=ikev1
    left=%any
    leftsourceip=%config
    leftauth=psk
    leftauth2=xauth
    right=120.77.157.111
    rightid=%any
    #rightsubnet=0.0.0.0/0
    rightsubnet=100.1.1.0/24
    rightauth=psk
    xauth_identity=abc
    auto=add
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
Edit the secrets file
root@eve-ng:~# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: PSK "aaabbbccc"
aaa : XAUTH "aaa444"
Laptop
Use the Windows 10 VPN client with IKEv2
Testing
View the IPsec connections on the server side
[root@ali_abc ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 3.10.0-693.21.1.el7.x86_64, x86_64):
  uptime: 4 days, since Jul 01 19:50:56 2018
  malloc: sbrk 1921024, mmap 0, used 692384, free 1228640
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Virtual IP pools (size/online/offline):
  100.1.1.0/24: 254/4/0
Listening IP addresses:
  172.18.144.222
Connections:
ikev1_psk_xauth:  %any...%any  IKEv1
ikev1_psk_xauth:   local:  [172.18.144.222] uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses XAuth authentication: any
ikev1_psk_xauth:   child:  0.0.0.0/0 === dynamic TUNNEL
ikev2_cert:  %any...%any  IKEv2
ikev2_cert:   local:  [C=CN, O=ALIYUN, CN=120.77.157.111] uses public key authentication
ikev2_cert:    cert:  "C=CN, O=ALIYUN, CN=120.77.157.111"
ikev2_cert:   remote: [C=CN, O=ALIYUN, CN=strongswan client] uses public key authentication
ikev2_cert:    cert:  "C=CN, O=ALIYUN, CN=strongswan client"
ikev2_cert:   child:  0.0.0.0/0 === dynamic TUNNEL
ikev2_eap:  %any...%any  IKEv2
ikev2_eap:   local:  [120.77.157.111] uses public key authentication
ikev2_eap:    cert:  "C=CN, O=ALIYUN, CN=120.77.157.111"
ikev2_eap:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2_eap:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (4 up, 0 connecting):
ikev1_psk_xauth[101]: ESTABLISHED 23 seconds ago, 172.18.144.222[172.18.144.222]...171.111.228.80[10.140.168.137]
ikev1_psk_xauth[101]: Remote XAuth identity: aaa
ikev1_psk_xauth[101]: IKEv1 SPIs: 2bb2a2cddb0cf562_i a78e7e2ad88a1ddb_r*, pre-shared key reauthentication in 2 hours
ikev1_psk_xauth[101]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
ikev1_psk_xauth{301}:  INSTALLED, TUNNEL, reqid 45, ESP in UDP SPIs: cbcf8a51_i c48eed21_o
ikev1_psk_xauth{301}:  AES_CBC_256/HMAC_SHA2_256_128, 12963 bytes_i (92 pkts, 3s ago), 18235 bytes_o (78 pkts, 3s ago), rekeying in 45 minutes
ikev1_psk_xauth{301}:   0.0.0.0/0 === 100.1.1.2/32    # IP obtained by the phone
ikev1_psk_xauth[99]: ESTABLISHED 11 minutes ago, 172.18.144.222[172.18.144.222]...113.16.128.90[10.55.55.4]
ikev1_psk_xauth[99]: Remote XAuth identity: aaa
ikev1_psk_xauth[99]: IKEv1 SPIs: e418d43b1b96fd87_i 7c960f4bb033049f_r*, pre-shared key reauthentication in 2 hours
ikev1_psk_xauth[99]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
ikev1_psk_xauth{300}:  INSTALLED, TUNNEL, reqid 39, ESP in UDP SPIs: cca32c65_i c49dc438_o
ikev1_psk_xauth{300}:  AES_CBC_128/HMAC_SHA1_96, 765931 bytes_i (7525 pkts, 0s ago), 413162 bytes_o (2586 pkts, 1s ago), rekeying in 17 minutes
ikev1_psk_xauth{300}:   0.0.0.0/0 === 100.1.1.3/32    # IP obtained by the server (Ubuntu)
ikev2_eap[98]: ESTABLISHED 51 minutes ago, 172.18.144.222[120.77.157.111]...220.173.36.196[192.168.19.118]
ikev2_eap[98]: Remote EAP identity: aaa
ikev2_eap[98]: IKEv2 SPIs: 282dbaf85177141a_i 2f804bd92430043e_r*, rekeying disabled
ikev2_eap[98]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
ikev2_eap{299}:  INSTALLED, TUNNEL, reqid 44, ESP in UDP SPIs: c0838ac8_i fe237358_o
ikev2_eap{299}:  3DES_CBC/HMAC_SHA1_96, 483706 bytes_i (2523 pkts, 1s ago), 1618581 bytes_o (2574 pkts, 1s ago), rekeying disabled
ikev2_eap{299}:   0.0.0.0/0 === 100.1.1.4/32    # IP obtained by Windows 10
ikev2_eap[48]: ESTABLISHED 2 days ago, 172.18.144.222[120.77.157.111]...113.14.220.136[10.55.55.3]
ikev2_eap[48]: Remote EAP identity: aaa
ikev2_eap[48]: IKEv2 SPIs: e7a8e4e28810d308_i 894e78f2f0568c34_r*, rekeying disabled
ikev2_eap[48]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
ikev2_eap{166}:  INSTALLED, TUNNEL, reqid 35, ESP in UDP SPIs: c3cf83d9_i 98b4968c_o
ikev2_eap{166}:  3DES_CBC/HMAC_SHA1_96, 120717380 bytes_i (134372 pkts, 198198s ago), 3989123 bytes_o (79467 pkts, 190313s ago), rekeying disabled
ikev2_eap{166}:   0.0.0.0/0 === 100.1.1.1/32
Ping a client from the server
Mutual access between devices: once an ipsec client has connected, pinging the client's IP from the ipsec server does not work, because the client obtained its IP from the address pool, but no IP from that pool is configured on the server.
[root@ali_arben ~]# strongswan statusall
ikev2_eap{2}:   100.1.1.0/24 === 100.1.1.2/32
ikev1_psk_xauth{1}:   100.1.1.0/24 === 100.1.1.1/32
[root@ali_arben ~]# ping 100.1.1.1
PING 100.1.1.1 (100.1.1.1) 56(84) bytes of data.
^C
--- 100.1.1.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[root@ali_arben ~]# ping 100.1.1.2
PING 100.1.1.2 (100.1.1.2) 56(84) bytes of data.
^C
--- 100.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
No IP in the 100.1.1.0/24 range is configured on the IPsec server:
[root@ali_arben ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:0c:ad:cf brd ff:ff:ff:ff:ff:ff
    inet 172.18.144.xxx/20 brd 172.18.xxx.255 scope global dynamic eth0
       valid_lft 30375428sec preferred_lft 30375428sec
Mutual access between clients
The clients, however, can reach each other. Below is a ping from the PC to the phone:
ping 100.1.1.2
正在 Ping 100.1.1.2 具有 32 字节的数据:
来自 100.1.1.2 的回复: 字节=32 时间=148ms TTL=63
来自 100.1.1.2 的回复: 字节=32 时间=81ms TTL=63
来自 100.1.1.2 的回复: 字节=32 时间=151ms TTL=63
来自 100.1.1.2 的回复: 字节=32 时间=82ms TTL=63
100.1.1.1 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 81ms,最长 = 151ms,平均 = 115ms
DPD (Dead Peer Detection)
When one end of the IPsec connection loses its network, the IPsec connection is not torn down properly and the other end does not know that the peer is gone.
DPD detects whether the peer is still online and takes the corresponding action.
[root@ali_arben ~]# vim /etc/strongswan/ipsec.conf
# default configuration
conn %default
    dpdaction=clear      # clear the IPsec connection when the peer is found to be offline
    dpddelay=30s         # interval between DPD probes: 30s
    dpdtimeout=150s      # timeout after which the peer is considered offline, i.e. no reply within 150s
If the network goes down, data can no longer be sent, but IPsec still keeps the phase 1 and phase 2 SAs for the configured lifetime; only when phase 1 and phase 2 time out are both SAs removed.
If the network recovers and the client establishes a new IPsec connection, the old SAs on both the server and the client remain (for the configured lifetime),
which leaves useless state behind and means the IP that was already assigned cannot be reclaimed.
With a client connected, check the IPsec status:
[root@ali_abc ~]# strongswan statusall
Connections:
ikev1_psk_xauth:  %any...%any  IKEv1, dpddelay=30s
ikev1_psk_xauth:   local:  [172.18.144.222] uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses XAuth authentication: any
ikev1_psk_xauth:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev1_psk_xauth[2]: ESTABLISHED 3 minutes ago, 172.18.144.222[172.18.144.222]...113.15.143.14[10.151.134.231]
ikev1_psk_xauth[2]: Remote XAuth identity: abc
ikev1_psk_xauth[2]: IKEv1 SPIs: eb778ccae8b4f828_i 1619eaba18094d18_r*, pre-shared key reauthentication in 2 hours
ikev1_psk_xauth[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
ikev1_psk_xauth{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c6cbafe0_i c97309b0_o
ikev1_psk_xauth{2}:  AES_CBC_256/HMAC_SHA2_256_128, 111714 bytes_i (755 pkts, 148s ago), 414554 bytes_o (646 pkts, 149s ago), rekeying in 43 minutes
ikev1_psk_xauth{2}:   0.0.0.0/0 === 100.1.1.1/32
150s after the client lost its network, checking the IPsec connection again shows that it has been cleared:
[root@ali_abc ~]# strongswan statusall
Connections:
ikev1_psk_xauth:  %any...%any  IKEv1, dpddelay=30s
ikev1_psk_xauth:   local:  [172.18.144.222] uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses XAuth authentication: any
ikev1_psk_xauth:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none
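Added example (not code from this post or from strongSwan): a parser for the Security Associations section of strongswan statusall, written against the output format shown in the testing section and above. It turns each IKE SA and its CHILD_SAs into records, lists which virtual IP from the 100.1.1.0/24 pool is held by which identity and public address, and flags IKE SAs that have received no traffic for longer than a threshold, which is the lingering-SA condition that DPD with dpdaction=clear is meant to remove. SAMPLE_STATUS is a constructed excerpt in that format.

```python
"""Parse 'strongswan statusall' into IKE/CHILD SA records and spot SAs that
have gone quiet. Added example, not code from the original post or from
strongSwan; SAMPLE_STATUS is a constructed excerpt in the post's output format."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
ikev1_psk_xauth[99]: ESTABLISHED 11 minutes ago, 172.18.144.222[172.18.144.222]...113.16.128.90[10.55.55.4]
ikev1_psk_xauth[99]: Remote XAuth identity: aaa
ikev1_psk_xauth{300}:  INSTALLED, TUNNEL, reqid 39, ESP in UDP SPIs: cca32c65_i c49dc438_o
ikev1_psk_xauth{300}:  AES_CBC_128/HMAC_SHA1_96, 765931 bytes_i (7525 pkts, 0s ago), 413162 bytes_o (2586 pkts, 1s ago), rekeying in 17 minutes
ikev1_psk_xauth{300}:   100.1.1.0/24 === 100.1.1.3/32
ikev2_eap[48]: ESTABLISHED 2 days ago, 172.18.144.222[120.77.157.111]...113.14.220.136[10.55.55.3]
ikev2_eap[48]: Remote EAP identity: aaa
ikev2_eap{166}:  INSTALLED, TUNNEL, reqid 35, ESP in UDP SPIs: c3cf83d9_i 98b4968c_o
ikev2_eap{166}:  3DES_CBC/HMAC_SHA1_96, 120717380 bytes_i (134372 pkts, 198198s ago), 3989123 bytes_o (79467 pkts, 190313s ago), rekeying disabled
ikev2_eap{166}:   100.1.1.0/24 === 100.1.1.1/32
"""


@dataclass
class ChildSA:
    cid: int
    algs: str = ''
    bytes_i: int = 0
    bytes_o: int = 0
    age_i: Optional[int] = None   # seconds since the last inbound packet; None = never
    local_ts: str = ''            # traffic selector on the ECS side
    remote_ts: str = ''           # client side; a /32 here is the assigned virtual IP


@dataclass
class IkeSA:
    conn: str
    ike_id: int
    local: str                    # address the ECS listens on
    peer: str                     # client's public address as seen by the ECS
    identity: str = ''            # XAuth or EAP identity
    children: list = field(default_factory=list)


IKE_RE = re.compile(r'^(?P<conn>\S+)\[(?P<id>\d+)\]: ESTABLISHED .*?, '
                    r'(?P<local>[^\s\[]+)\[[^\]]*\]\.\.\.(?P<peer>[^\s\[]+)\[')
IDENT_RE = re.compile(r'^(?P<conn>\S+)\[(?P<id>\d+)\]: Remote \S+ identity: (?P<ident>\S+)')
CHILD_RE = re.compile(r'^(?P<conn>\S+)\{(?P<cid>\d+)\}:\s+INSTALLED, \w+, reqid \d+')
TRAFFIC_RE = re.compile(r'^(?P<conn>\S+)\{(?P<cid>\d+)\}:\s+(?P<algs>\S+), '
                        r'(?P<bi>\d+) bytes_i(?: \(\d+ pkts, (?P<ai>\d+)s ago\))?, '
                        r'(?P<bo>\d+) bytes_o')
TS_RE = re.compile(r'^(?P<conn>\S+)\{(?P<cid>\d+)\}:\s+(?P<lts>\S+) === (?P<rts>\S+)')


def parse_statusall(text):
    """Return the IKE SAs (each with its CHILD_SAs) in output order."""
    sas, children, current = [], {}, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = IkeSA(m['conn'], int(m['id']), m['local'], m['peer'])
            sas.append(current)
            continue
        m = IDENT_RE.match(line)
        if m and current is not None:
            current.identity = m['ident']
            continue
        m = CHILD_RE.match(line)
        if m and current is not None:        # CHILD_SAs are listed under their IKE SA
            child = ChildSA(int(m['cid']))
            children[(m['conn'], child.cid)] = child
            current.children.append(child)
            continue
        m = TRAFFIC_RE.match(line) or TS_RE.match(line)
        child = children.get((m['conn'], int(m['cid']))) if m else None
        if child is None:
            continue
        if m.re is TRAFFIC_RE:
            child.algs, child.bytes_i, child.bytes_o = m['algs'], int(m['bi']), int(m['bo'])
            child.age_i = int(m['ai']) if m['ai'] is not None else None
        else:
            child.local_ts, child.remote_ts = m['lts'], m['rts']
    return sas


def virtual_ip_table(sas):
    """Map each assigned virtual IP to the (identity, public address) holding it."""
    table = {}
    for sa in sas:
        for c in sa.children:
            if c.remote_ts.endswith('/32'):
                table[c.remote_ts[:-3]] = (sa.identity, sa.peer)
    return table


def idle_sas(sas, max_idle_s):
    """IKE SAs none of whose CHILD_SAs received a packet within max_idle_s.
    Without DPD such SAs linger until their lifetime ends and keep their virtual IP."""
    return [(sa.conn, sa.ike_id) for sa in sas if sa.children and
            all(c.age_i is None or c.age_i > max_idle_s for c in sa.children)]


if __name__ == '__main__':
    sas = parse_statusall(SAMPLE_STATUS)
    for vip, (ident, peer) in sorted(virtual_ip_table(sas).items()):
        print(f'{vip:<12} {ident:<8} via {peer}')
    print('idle for more than 1h:', idle_sas(sas, 3600))
```

Run directly, it prints the virtual IP table and the SAs idle for more than an hour; on the constructed sample the ikev2_eap[48] SA, whose last inbound packet was 198198 s ago and whose rekeying is disabled, is the one reported. Two caveats: strongSwan's dpdtimeout applies to IKEv1 only (an IKEv2 peer is declared dead by the IKE retransmission timeout instead), and a freshly established SA that has not carried a packet yet is also reported as idle, so compare the threshold with the SA's ESTABLISHED age before acting on it.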
Automatic reconnection of the IPsec client
When the IPsec connection is interrupted by an unstable network or for other reasons, how can the IPsec client be made to reconnect automatically?
IPsec VPN: site-to-site connection
References
https://blog.csdn.net/sqzhao/article/details/76093994 (a very detailed write-up)
https://www.strongswan.org/