_浅行
文章 标签 分类 烹饪 关于
_浅行

配置 openswan ipsecvpn

 收录于  类别 devops vpn
     约 554 字   预计阅读 2 分钟 
  • VPC1:192.168.1.1
  • VPC2:192.168.2.2
1

[root@wglee ~]# yum install openswan

编辑 /etc/ipsec.conf 文件,启用 /etc/ipsec.d/*.conf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

[root@wglee ~]# sudo vi /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

配置VPC1

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

[root@wglee ~]# sudo vi /etc/ipsec.d/vpc1-to-vpc2.conf
conn vpc1-to-vpc2
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=<VPC1的外网IP>
    leftnexthop=%defaultroute
    leftsubnet=<VPC1 子网地址>
    right=<VPC2的外网IP>
    rightsubnet=<VPC2 子网地址>
    pfs=yes
    auto=start
[root@wglee ~]# sudo vi /etc/ipsec.d/vpc1-to-vpc2.secrets
<VPC1 子网地址> <VPC1 子网地址>: PSK "Put a Preshared Key here!!"

配置VPC2

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

[root@wglee ~]# sudo vi /etc/ipsec.d/vpc2-to-vpc1.conf
conn vpc2-to-vpc1
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=<VPC2的外网IP>
    leftnexthop=%defaultroute
    leftsubnet=<VPC2 的子网地址>
    right=<EIP1>
    rightsubnet=<VPC1 的子网地址>
    pfs=yes
    auto=start
[root@wglee ~]# sudo vi /etc/ipsec.d/vpc2-to-vpc1.secrets
<VPC2 的子网地址> <VPC1 的子网地址>: PSK "Put a Preshared Key here!!"

1
2
3

[root@wglee ~]# sudo service ipsec start
# Configure IPSec/Openswan to always start on boot
[root@wglee ~]# sudo chkconfig ipsec on

1
2
3
4

[root@wglee ~]# sudo vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

1

[root@wglee ~]# service network restart

1
2
3
4
5
6

#下面的命令可以在检查或故障排除VPN状态有所帮助:
[root@wglee ~]# sudo ipsec verify

#会检查所需的OpenSWAN的服务状态正常运行
[root@wglee ~]# sudo service ipsec status
#检查OpenSWAN服务的状态和VPN隧道

来源: https://aws.amazon.com/articles/5472675506466066

更新于 2015-09-24
阅读原始文档
 openswan
返回 | 主页