×

Setup a Site to Site IPsec VPN With Strongswan and PreShared Key Authentication

hqy hqy 发表于2019-04-12 13:29:29 浏览2230 评论0

抢沙发发表评论

Today we will setup a Site to Site ipsec VPN with Strongswan, which will be configured with PreShared Key Authentication.

After our tunnels are established, we will be able to reach the private ips over the vpn tunnels.

Get the Dependencies:

Update your repository indexes and install strongswan:

mportant;">
12
$ apt update && sudo apt upgrade -y$ apt install strongswan -y

Set the following kernel parameters:

1234567
$ cat >> /etc/sysctl.conf << EOFnet.ipv4.ip_forward = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0EOF$ sysctl -p /etc/sysctl.conf

Generate Preshared Key:

We will need a preshared key that both servers will use:

12
$ openssl rand -base64 6487zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ

Details of our 2 Sites:

Site A:

123
Location: Paris, FranceExternal IP: 51.15.139.201Internal IP: 10.10.27.1/24

Site B:

123
Location: Amsterdam, NetherlandsExternal IP: 51.15.44.48Internal IP: 10.9.141.1/24

Configure Site A:

We will setup our VPN Gateway in Site A (Paris), first to setup the /etc/ipsec.secrets file:

123
$ cat /etc/ipsec.secrets# source      destination51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

Now to setup our VPN configuration in /etc/ipsec.conf:

123456789101112131415161718192021222324
cat /etc/ipsec.conf# basic configurationconfig setup        charondebug="all"        uniqueids=yes        strictcrlpolicy=no# connection to amsterdam datacenterconn paris-to-amsterdam  authby=secret  left=%defaultroute  leftid=51.15.139.201  leftsubnet=10.10.27.1/24  right=51.15.44.48  rightsubnet=10.9.141.1/24  ike=aes256-sha2_256-modp1024!  esp=aes256-sha2_256!  keyingtries=0  ikelifetime=1h  lifetime=8h  dpddelay=30  dpdtimeout=120  dpdaction=restart  auto=start

Firewall Rules:

1
$ sudo iptables -t nat -A POSTROUTING -s 10.9.141.0/24 -d 10.10.27.0/24 -j MASQUERADE

Configure Site B:

We will setup our VPN Gateway in Site B (Amsterdam), setup the /etc/ipsec.secrets file:

12
$ cat /etc/ipsec.secrets51.15.44.48 51.15.139.201 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

Next to setup our VPN Configuration:

123456789101112131415161718192021222324
cat /etc/ipsec.conf# basic configurationconfig setup        charondebug="all"        uniqueids=yes        strictcrlpolicy=no# connection to paris datacenterconn amsterdam-to-paris  authby=secret  left=%defaultroute  leftid=51.15.44.48  leftsubnet=10.9.141.1/24  right=51.15.139.201  rightsubnet=10.10.27.1/24  ike=aes256-sha2_256-modp1024!  esp=aes256-sha2_256!  keyingtries=0  ikelifetime=1h  lifetime=8h  dpddelay=30  dpdtimeout=120  dpdaction=restart  auto=start

Firewall Rules:

1
$ sudo iptables -t nat -A POSTROUTING -s 10.10.27.0/24 -d 10.9.41.0/24 -J MASQUERADE

Start the VPN:

Start the VPN on both ends:

1
$ sudo ipsec restart

Get the status of the tunnel, in this case we are logged onto our Site A (Paris) Server:

12345
$ sudo ipsec statusSecurity Associations (1 up, 0 connecting):paris-to-amsterdam[2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]paris-to-amsterdam{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_oparis-to-amsterdam{1}:   10.10.27.1/24 === 10.9.141.1/24

Test if we can see the remote end on its private range:

123
$ ping 10.9.141.97PING 10.9.141.97 (10.9.141.97) 56(84) bytes of data.64 bytes from 10.9.141.97: icmp_seq=1 ttl=64 time=14.6 ms

Set the service to start on boot:

1
$ sudo systemctl enable strongswan

Then your VPN should be setup correctly.

Other useful commands:

Start / Stop / Status:

123456
$ sudo ipsec up connection-name$ sudo ipsec down connection-name$ sudo ipsec restart$ sudo ipsec status$ sudo ipsec statusall

Get the Policies and States of the IPsec Tunnel:

12
$ sudo ip xfrm state$ sudo ip xfrm policy

Reload the secrets, while the service is running:

1
$ sudo ipsec rereadsecrets

Check if traffic flows through the tunnel:

1
$ sudo tcpdump esp

Adding more connections to your config:

If you have to add another site to your config, the example of the ipsec.secrets will look like:

123
$ cat /etc/ipsec.secrets51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"51.15.139.201 51.15.87.41  : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

And the ipsec.conf:

123456789101112131415161718192021222324252627282930313233343536373839404142
cat /etc/ipsec.conf# basic configurationconfig setup        charondebug="all"        uniqueids=yes        strictcrlpolicy=no# connection to amsterdam datacenterconn paris-to-amsterdam  authby=secret  left=%defaultroute  leftid=51.15.139.201  leftsubnet=10.10.27.161/32  right=51.15.44.48  rightsubnet=10.9.141.97/32  ike=aes256-sha2_256-modp1024!  esp=aes256-sha2_256!  keyingtries=0  ikelifetime=1h  lifetime=8h  dpddelay=30  dpdtimeout=120  dpdaction=restart  auto=start# connection to frankfurt datacenterconn paris-to-frankfurt  authby=secret  left=%defaultroute  leftid=51.15.139.201  leftsubnet=10.10.27.1/24  right=51.15.87.41  rightsubnet=10.9.137.1/24  ike=aes256-sha2_256-modp1024!  esp=aes256-sha2_256!  keyingtries=0  ikelifetime=1h  lifetime=8h  dpddelay=30  dpdtimeout=120  dpdaction=restart  auto=start

Just remember to configure the config on the Frankfurt VPN Gateway, and the example of the status output will look like the following:

12345678
$ sudo ipsec statusSecurity Associations (2 up, 0 connecting):paris-to-frankfurt[2]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.87.41[51.15.87.41]paris-to-frankfurt{1}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc62a1f_i c95b8f78_oparis-to-frankfurt{1}:   10.10.27.1/24 === 10.9.137.1/24paris-to-amsterdam[1]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]paris-to-amsterdam{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7b36756_i cc54053c_oparis-to-amsterdam{2}:   10.10.27.1/24 === 10.9.141.1/24


打赏

本文链接:https://www.kinber.cn/post/536.html 转载需授权!

分享到:


推荐本站淘宝优惠价购买喜欢的宝贝:

image.png

 您阅读本篇文章共花了: 

群贤毕至

访客