How to create a site-to-site IPsec VPN tunnel with Openswan
Asked by: 燕兒飛 | Category: ERP systems | Views: 476 | Bounty: 0 points
2017-06-19 09:51:36
How do I create a site-to-site IPsec VPN tunnel with Openswan?
Best answer
Posted 2017-06-19 14:46:45
Normally we can only manage site A; if we also want to manage site B, we need to set up a VPN tunnel.
yum install openswan lsof
Disable redirects
for vpn in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $vpn/accept_redirects
    echo 0 > $vpn/send_redirects
done
Edit the kernel parameters to enable forwarding and disable redirects
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
sysctl -p
Allow the Openswan service ports and add the NAT rule
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP
Edit the configuration
Site-A VPN Server:
vim /etc/ipsec.conf
## general configuration parameters ##
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
    ## disable opportunistic encryption in Red Hat ##
    oe=off

## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Red Hat ##
conn demo-connection-redhat
    authby=secret
    auto=start
    ike=3des-md5
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    phase2=esp
    phase2alg=3des-md5
    compress=no
    pfs=yes
    type=tunnel
    left=
    leftsourceip=
    leftsubnet=/netmask
    ## for direct routing ##
    leftsubnet=/32
    leftnexthop=%defaultroute
    right=
    rightsubnet=/netmask

## connection definition in Debian ##
conn demo-connection-debian
    authby=secret
    auto=start
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    esp=3des-md5
    pfs=yes
    type=tunnel
    left=
    leftsourceip=
    leftsubnet=/netmask
    ## for direct routing ##
    leftsubnet=/32
    leftnexthop=%defaultroute
    right=
    rightsubnet=/netmask
Authentication can be done in several different ways; here a pre-shared key is used.
vim /etc/ipsec.secrets
siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
## in case of multiple sites ##
siteA-public-IP siteC-public-IP: PSK "corresponding-pre-shared-key"
Start the service and troubleshoot
service ipsec restart
chkconfig ipsec on
If it starts normally, you can ping site B's private network address from site A.
On the Site-A VPN server, ip route shows the relevant routes:
[siteB-private-subnet] via [siteA-gateway] dev eth0 src [siteA-public-IP]
default via [siteA-gateway] dev eth0
Once the VPN servers on both sides are configured, the private networks can reach each other. Other important commands:
Check the tunnel status
service ipsec status
IPsec running - pluto pid: 20754
pluto pid 20754
1 tunnels up
some eroutes exist
ipsec auto --status
## output truncated ##
000 "demo-connection-debian": myip=; hisip=unset;
000 "demo-connection-debian": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "demo-connection-debian": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,28; interface: eth0;
## output truncated ##
000 #184: "demo-connection-debian":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1653s; newest IPSEC; eroute owner; isakmp#183; idle; import:not set
## output truncated ##
000 #183: "demo-connection-debian":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1093s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
Related log file (records authentication, key exchange information, etc.; useful for troubleshooting):
/var/log/pluto.log
Notes
1. The ISP may block ports; test with the telnet command to make sure the ISP allows UDP 500 and TCP/UDP 4500.
2. Make sure the firewall allows the relevant ports.
3. Make sure the pre-shared keys on both end servers are identical.
4. If you run into NAT problems, try SNAT instead of MASQUERADE.
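A lint for the hand-edited ipsec.conf from the answer above, added here as an example and not part of the original answer or of Openswan: it flags the three mistakes that are easy to make when filling in that template (an unindented parameter line, a placeholder left empty or still reading /netmask, and a key set twice in one conn). The function name and the BAD_CONF fragment are my own constructions.

```shell
#!/bin/sh
# Lint for a hand-edited Openswan ipsec.conf (added example, not from the answer).
# Reads the file on stdin and reports: a parameter line inside a config/conn
# section that is not indented (pluto needs the leading whitespace), a value that
# is empty or still a bare "/netmask" placeholder, and a key set twice in one
# section (e.g. leftsubnet= given as both subnet/netmask and /32: pick one).
# Prints one finding per line; the exit status is the number of findings.
ipsec_conf_lint() {
    tab=$(printf '\t'); section=""; seen=""; findings=0
    while IFS= read -r line; do
        body=${line%%#*}                                  # drop comments
        trimmed=$(printf '%s' "$body" | tr -s " $tab" ' ')
        trimmed=${trimmed# }; trimmed=${trimmed% }
        case "$trimmed" in
            "") continue ;;                               # blank / comment-only
            "config "*|"conn "*) section=$trimmed; seen=""; continue ;;
            include*) continue ;;                         # top-level directive
        esac
        key=${trimmed%%=*}; value=${trimmed#*=}
        case "$body" in
            " "*|"$tab"*) ;;
            *) echo "[$section] '$key' is not indented"; findings=$((findings + 1)) ;;
        esac
        case "$value" in
            ""|/*) echo "[$section] '$key' has empty or incomplete value '$value'"
                   findings=$((findings + 1)) ;;
        esac
        case " $seen " in
            *" $key "*) echo "[$section] '$key' is set twice"; findings=$((findings + 1)) ;;
        esac
        seen="$seen $key"
    done
    return $findings
}

# Constructed fragment (not a real site's config) with each mistake present;
# expected: 4 findings.
BAD_CONF='config setup
    protostack=netkey
conn demo-connection-redhat
    authby=secret
auto=start
    left=
    leftsubnet=/netmask
    leftsubnet=10.0.1.0/24
    right=203.0.113.2'

printf '%s\n' "$BAD_CONF" | ipsec_conf_lint || echo "$? finding(s)"
```

Run it against the real file with ipsec_conf_lint < /etc/ipsec.conf before restarting the service.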
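A tunnel health check that reads the ipsec auto --status output shown above, added here as an example and not part of the original answer: it tells a phase-1 failure (no ISAKMP SA) apart from a phase-2 failure (ISAKMP SA but no IPsec SA), which narrows down which of the notes above applies. The function name is mine, and the sample status text is constructed from the lines quoted in the answer.

```shell
#!/bin/sh
# Tunnel health check (added example, not from the answer): classify one conn
# from `ipsec auto --status` output so a monitoring job can tell a phase-1
# failure from a phase-2 failure. Reads the status text on stdin:
#     ipsec auto --status | ipsec_conn_state demo-connection-debian
# Prints established / phase1-only / down; exit 0 only when established.
ipsec_conn_state() {
    conn="$1"; isakmp=0; ipsec=0
    while IFS= read -r line; do
        case "$line" in
            *"\"$conn\":"*"(ISAKMP SA established)"*) isakmp=1 ;;   # IKE phase 1
            *"\"$conn\":"*"(IPsec SA established)"*)  ipsec=1 ;;    # phase 2 (ESP)
        esac
    done
    if [ "$ipsec" -eq 1 ] && [ "$isakmp" -eq 1 ]; then
        echo established; return 0
    elif [ "$isakmp" -eq 1 ]; then
        # Phase 1 up but no ESP SA: usually a phase-2 proposal (phase2alg/esp),
        # PFS, or left/rightsubnet mismatch between the two sites.
        echo phase1-only; return 1
    else
        # No ISAKMP SA at all: peer unreachable, UDP 500/4500 filtered
        # upstream, or the pre-shared keys on the two ends differ.
        echo down; return 2
    fi
}

# Constructed samples modelled on the status lines quoted in the answer.
SAMPLE_UP='000 "demo-connection-debian": myip=unset; hisip=unset;
000 #184: "demo-connection-debian":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1653s; newest IPSEC; eroute owner; isakmp#183; idle; import:not set
000 #183: "demo-connection-debian":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1093s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set'
SAMPLE_PHASE1='000 #183: "demo-connection-debian":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1093s; newest ISAKMP; idle; import:not set'

printf '%s\n' "$SAMPLE_UP" | ipsec_conn_state demo-connection-debian   # established
```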