配置 openswan ipsecvpn

  • VPC1:192.168.1.1
  • VPC2:192.168.2.2
1
[[email protected] ~]# yum install openswan
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[[email protected] ~]# sudo vi /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

配置VPC1

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
[[email protected] ~]# sudo vi /etc/ipsec.d/vpc1-to-vpc2.conf
conn vpc1-to-vpc2
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=<VPC1的外网IP>
    leftnexthop=%defaultroute
    leftsubnet=<VPC1 子网地址>
    right=<VPC2的外网IP>
    rightsubnet=<VPC2 子网地址>
    pfs=yes
    auto=start
[[email protected] ~]# sudo vi /etc/ipsec.d/vpc1-to-vpc2.secrets
<VPC1 子网地址> <VPC1 子网地址>: PSK "Put a Preshared Key here!!"

配置VPC2

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
[[email protected] ~]# sudo vi /etc/ipsec.d/vpc2-to-vpc1.conf
conn vpc2-to-vpc1
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=<VPC2的外网IP>
    leftnexthop=%defaultroute
    leftsubnet=<VPC2 的子网地址>
    right=<EIP1>
    rightsubnet=<VPC1 的子网地址>
    pfs=yes
    auto=start
[[email protected] ~]# sudo vi /etc/ipsec.d/vpc2-to-vpc1.secrets
<VPC2 的子网地址> <VPC1 的子网地址>: PSK "Put a Preshared Key here!!"
1
2
3
[[email protected] ~]# sudo service ipsec start
# Configure IPSec/Openswan to always start on boot
[[email protected] ~]# sudo chkconfig ipsec on
1
2
3
4
[[email protected] ~]# sudo vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
1
[[email protected] ~]# service network restart
1
2
3
4
5
6
#下面的命令可以在检查或故障排除VPN状态有所帮助:
[[email protected] ~]# sudo ipsec verify

#会检查所需的OpenSWAN的服务状态正常运行
[[email protected] ~]# sudo service ipsec status
#检查OpenSWAN服务的状态和VPN隧道

来源: https://aws.amazon.com/articles/5472675506466066