Today we will setup a Site to Site ipsec VPN with Strongswan, which will be configured with PreShared Key Authentication.
After our tunnels are established, we will be able to reach the private ips over the vpn tunnels.
Get the Dependencies:
Update your repository indexes and install strongswan:
mportant;">
12 | $ apt update && sudo apt upgrade -y$ apt install strongswan -y |
Set the following kernel parameters:
1234567 | $ cat >> /etc/sysctl.conf << EOFnet.ipv4.ip_forward = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0EOF$ sysctl -p /etc/sysctl.conf |
Generate Preshared Key:
We will need a preshared key that both servers will use:
12 | $ openssl rand -base64 6487zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ |
Details of our 2 Sites:
Site A:
123 | Location: Paris, FranceExternal IP: 51.15.139.201Internal IP: 10.10.27.1/24 |
Site B:
123 | Location: Amsterdam, NetherlandsExternal IP: 51.15.44.48Internal IP: 10.9.141.1/24 |
Configure Site A:
We will setup our VPN Gateway in Site A (Paris), first to setup the /etc/ipsec.secrets
file:
123 | $ cat /etc/ipsec.secrets# source destination51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ" |
Now to setup our VPN configuration in /etc/ipsec.conf
:
123456789101112131415161718192021222324 | cat /etc/ipsec.conf# basic configurationconfig setup charondebug="all" uniqueids=yes strictcrlpolicy=no# connection to amsterdam datacenterconn paris-to-amsterdam authby=secret left=%defaultroute leftid=51.15.139.201 leftsubnet=10.10.27.1/24 right=51.15.44.48 rightsubnet=10.9.141.1/24 ike=aes256-sha2_256-modp1024! esp=aes256-sha2_256! keyingtries=0 ikelifetime=1h lifetime=8h dpddelay=30 dpdtimeout=120 dpdaction=restart auto=start |
Firewall Rules:
1 | $ sudo iptables -t nat -A POSTROUTING -s 10.9.141.0/24 -d 10.10.27.0/24 -j MASQUERADE |
Configure Site B:
We will setup our VPN Gateway in Site B (Amsterdam), setup the /etc/ipsec.secrets
file:
12 | $ cat /etc/ipsec.secrets51.15.44.48 51.15.139.201 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ" |
Next to setup our VPN Configuration:
123456789101112131415161718192021222324 | cat /etc/ipsec.conf# basic configurationconfig setup charondebug="all" uniqueids=yes strictcrlpolicy=no# connection to paris datacenterconn amsterdam-to-paris authby=secret left=%defaultroute leftid=51.15.44.48 leftsubnet=10.9.141.1/24 right=51.15.139.201 rightsubnet=10.10.27.1/24 ike=aes256-sha2_256-modp1024! esp=aes256-sha2_256! keyingtries=0 ikelifetime=1h lifetime=8h dpddelay=30 dpdtimeout=120 dpdaction=restart auto=start |
Firewall Rules:
1 | $ sudo iptables -t nat -A POSTROUTING -s 10.10.27.0/24 -d 10.9.41.0/24 -J MASQUERADE |
Start the VPN:
Start the VPN on both ends:
Get the status of the tunnel, in this case we are logged onto our Site A (Paris) Server:
12345 | $ sudo ipsec statusSecurity Associations (1 up, 0 connecting):paris-to-amsterdam[2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]paris-to-amsterdam{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_oparis-to-amsterdam{1}: 10.10.27.1/24 === 10.9.141.1/24 |
Test if we can see the remote end on its private range:
123 | $ ping 10.9.141.97PING 10.9.141.97 (10.9.141.97) 56(84) bytes of data.64 bytes from 10.9.141.97: icmp_seq=1 ttl=64 time=14.6 ms |
Set the service to start on boot:
1 | $ sudo systemctl enable strongswan |
Then your VPN should be setup correctly.
Other useful commands:
Start / Stop / Status:
123456 | $ sudo ipsec up connection-name$ sudo ipsec down connection-name$ sudo ipsec restart$ sudo ipsec status$ sudo ipsec statusall |
Get the Policies and States of the IPsec Tunnel:
12 | $ sudo ip xfrm state$ sudo ip xfrm policy |
Reload the secrets, while the service is running:
1 | $ sudo ipsec rereadsecrets |
Check if traffic flows through the tunnel:
Adding more connections to your config:
If you have to add another site to your config, the example of the ipsec.secrets
will look like:
123 | $ cat /etc/ipsec.secrets51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"51.15.139.201 51.15.87.41 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ" |
And the ipsec.conf
:
123456789101112131415161718192021222324252627282930313233343536373839404142 | cat /etc/ipsec.conf# basic configurationconfig setup charondebug="all" uniqueids=yes strictcrlpolicy=no# connection to amsterdam datacenterconn paris-to-amsterdam authby=secret left=%defaultroute leftid=51.15.139.201 leftsubnet=10.10.27.161/32 right=51.15.44.48 rightsubnet=10.9.141.97/32 ike=aes256-sha2_256-modp1024! esp=aes256-sha2_256! keyingtries=0 ikelifetime=1h lifetime=8h dpddelay=30 dpdtimeout=120 dpdaction=restart auto=start# connection to frankfurt datacenterconn paris-to-frankfurt authby=secret left=%defaultroute leftid=51.15.139.201 leftsubnet=10.10.27.1/24 right=51.15.87.41 rightsubnet=10.9.137.1/24 ike=aes256-sha2_256-modp1024! esp=aes256-sha2_256! keyingtries=0 ikelifetime=1h lifetime=8h dpddelay=30 dpdtimeout=120 dpdaction=restart auto=start |
Just remember to configure the config on the Frankfurt VPN Gateway, and the example of the status output will look like the following:
12345678 | $ sudo ipsec statusSecurity Associations (2 up, 0 connecting):paris-to-frankfurt[2]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.87.41[51.15.87.41]paris-to-frankfurt{1}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc62a1f_i c95b8f78_oparis-to-frankfurt{1}: 10.10.27.1/24 === 10.9.137.1/24paris-to-amsterdam[1]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]paris-to-amsterdam{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7b36756_i cc54053c_oparis-to-amsterdam{2}: 10.10.27.1/24 === 10.9.141.1/24 |
打赏支付宝微信扫一扫,打赏作者吧~
本文链接:https://www.kinber.cn/post/536.html 转载需授权!
推荐本站淘宝优惠价购买喜欢的宝贝:
您阅读本篇文章共花了: