I. Deploying openswan on ECS
Environment: CentOS 7.9

1. Install OpenSwan
yum install -y openswan

2. Modify the kernel configuration

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && \
echo "net.ipv4.conf.default.rp_filter = 0" >> /etc/sysctl.conf && \
echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.conf && \
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf && \
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf && \
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf && \
echo "net.ipv4.conf.default.log_martians = 0" >> /etc/sysctl.conf && \
echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.conf && \
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf && \
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf && \
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf

3. Apply the settings

sysctl -p

4. Check that the installation succeeded

ipsec --version

5. Check the configuration

ipsec verify

Then run:

echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ip_vti0/rp_filter
ipsec verify


6. Start the service

systemctl enable ipsec
systemctl start ipsec

7. Edit the ECS configuration file /etc/ipsec.conf (on the other machine, swap the left/right information)

vi /etc/ipsec.conf
version 2
config setup
        plutostderrlog=/var/log/vpn.log
        protostack=netkey
        nat_traversal=yes
        oe=off

conn net-to-net
        authby=secret
        type=tunnel
        pfs=no
        aggrmode=no
        forceencaps=yes
        dpdaction=restart

        ## phase 1 ##
        ike=3des-sha1;modp1024
        keyexchange=ike
        ikelifetime=86400s

        ## phase 2 ##
        phase2=esp
        phase2alg=3des-sha1
        salifetime=10000s
        left=172.16.0.73
        leftsubnet=172.16.0.0/16
        leftid=@test1
        leftnexthop=%defaultroute
        right=95.95.95.95
        rightsubnet=192.168.0.0/16
        rightid=@test2
        rightnexthop=%defaultroute
        auto=start

For an explanation of some of the fields, see https://blog.csdn.net/qq_36833548/article/details/130375242

Key point: left uses the local machine's IP information, right uses the other machine's IP information.


8. Edit the configuration file /etc/ipsec.secrets

vi /etc/ipsec.secrets
0.0.0.0 0.0.0.0 %any: PSK "12345678"

9. Restart:

systemctl restart ipsec

10. Deploy ECS2 the same way.
In its ipsec.conf the left/right IP information must be swapped.

Once ECS2 has connected, you can see "SA established" in the log, which indicates the connection is up:

Oct 24 10:30:50.794719: “net-to-net” #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1024}

11. Additional notes
MODP1024 corresponds by default to DH group id=2.

(1) If you use these parameters:

ike=aes256-sha2_256;modp2048
phase2alg=aes256-sha2_256;modp2048

you also need to change:

pfs=yes
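As an added example (not code from this post or from the Openswan project), the following Python script parses the indentation-based ipsec.conf format used above and flags the points raised in this note: 3DES/SHA1, modp1024 (DH group 2), and a DH group in phase2alg while pfs is not yes. The sample configuration is a constructed, cut-down copy of the conn block from step 7.

```python
"""Audit an Openswan ipsec.conf conn block for weak IKE/ESP settings (added example, not Openswan code)."""
import re

WEAK_CIPHERS, WEAK_HASHES, WEAK_GROUPS = {"3des", "des"}, {"sha1", "md5"}, {"modp1024", "modp768"}

# Constructed sample: a cut-down copy of the conn block from step 7.
SAMPLE_CONF = """\
version 2
conn net-to-net
        pfs=no
        ike=3des-sha1;modp1024
        phase2alg=3des-sha1
        left=172.16.0.73
        right=95.95.95.95
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'conn X' -> 'X', 'config setup' -> 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if line and not line[0].isspace():           # unindented: 'conn X', 'config setup', 'version 2'
            parts = line.split()
            current = parts[1] if parts[0] in ("conn", "config") and len(parts) > 1 else None
            if current:
                sections[current] = {}
        elif line and current and "=" in line:       # indented key=value inside the current section
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def algo_parts(spec):
    """Split 'aes256-sha2_256;modp2048' into (cipher, hash, group); group may be None."""
    m = re.fullmatch(r"([^-;]+)-([^-;]+)(?:;([^-;]+))?", spec.strip())
    return m.groups() if m else (None, None, None)

def audit_conn(sections, name):
    """Return findings for conn `name`; an empty list means nothing was flagged."""
    conn, findings = sections[name], []
    for key in ("ike", "phase2alg"):
        if key in conn:
            cipher, hsh, group = algo_parts(conn[key])
            if cipher in WEAK_CIPHERS or hsh in WEAK_HASHES:
                findings.append(f"{key}: weak cipher/hash in {conn[key]}")
            if group in WEAK_GROUPS:
                findings.append(f"{key}: weak DH group {group}")
    # A DH group in phase2alg only takes effect with PFS on (pfs defaults to yes in Openswan).
    if algo_parts(conn.get("phase2alg", ""))[2] and conn.get("pfs", "yes") != "yes":
        findings.append("phase2alg names a DH group but pfs is not 'yes'")
    return findings
```

Running audit_conn on the step 7 settings reports the 3DES/SHA1 and modp1024 findings; with the aes256-sha2_256;modp2048 values from this note it reports only the missing pfs=yes, and nothing once pfs=yes is set.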

II. Deploying openswan with docker
Reference: https://github.com/imgoby/openswan-docker

References:
https://github.com/zorrofox/openswan-docker-aws
http://www.920430.com/archives/2743378950.html

https://blog.csdn.net/weixin_33757609/article/details/92868813

https://blog.csdn.net/qq_36833548/article/details/130375242

https://blog.csdn.net/nickyu888/article/details/107766479

https://support.huaweicloud.com/intl/zh-cn/admin-vpn/vpn_admin_0007.html

https://github.com/xelerance/Openswan/wiki/Amazon-ec2-example

https://mp.weixin.qq.com/s?__biz=MzAwNzQxNzAyNw==&mid=2652688220&idx=1&sn=e4793fa0f1835e0fed6e75e21ed3575a&chksm=81f7e562c361e32f14599d7366d80f32b26251fc36abac7abd94284434a6eeb899c1ff8c8a35&scene=27


https://www.cnblogs.com/cfzy/p/14989407.html

https://blog.51cto.com/lipenglong/1902574
