There is an ECS instance on Alibaba Cloud and an old laptop at home that serves as a home server; the goal is to reach that home server from a second laptop at any time. The home server and the laptop use dial-up internet access with no fixed public IP (and getting a public IP at all is rare nowadays), so the IPsec connection has to be initiated from the server and the laptop towards the Alibaba Cloud ECS, which does have a public IP. The server and the laptop reach the internet through their own local networks, not through the ECS; the laptop only uses the ECS as a relay to reach the home server.
To let the IPsec traffic reach the ECS, UDP 500 and UDP 4500 must be allowed in the Alibaba Cloud console, and the firewall on the ECS itself (firewalld/iptables) must also open those ports.
IPsec VPN supports several connection styles, such as a site-to-site link between two companies or a single laptop connecting to a company network. This example is the remote-access style: a single device connecting to a private network (in practice no ECS resources are used at all; the point is that two remote devices can reach each other through the ECS).

IPsec VPN: remote-access connection

This connection mode is similar to Cisco Easy VPN.
The Alibaba Cloud ECS has a public IP; none of the clients do.
The only requirement is that clients can reach specific IPs of each other; clients do not access the internet through the ECS.

Topology

[Figure: ipsec_vpn_strongswan_top, the topology diagram]

Installing strongSwan

Alibaba Cloud ECS (CentOS 7)

[[email protected]_arben ~]# yum install strongswan
============================================================================
 Package           Arch          Version            Repository        Size
============================================================================
Installing:
 strongswan        x86_64        5.6.1-2.el7        epel             1.3 M
Installing for dependencies:
 trousers          x86_64        0.3.14-2.el7       base             289 k
Transaction Summary
============================================================================
Install  1 Package (+1 Dependent package)
At the end it reported that strongswan was installed but trousers failed:
Installed:
  strongswan.x86_64 0:5.6.1-2.el7
Failed:
  trousers.x86_64 0:0.3.14-2.el7
When generating certificates this produced an error: libtpm.so.1 was not found.
Installing trousers fixed it:
[[email protected]_arben ~]# yum install trousers

Server (Ubuntu)

[email protected]:~# apt-get install strongswan

Laptop (Windows 10)

Windows 10 does not need strongSwan; the built-in VPN client can connect to the IPsec VPN.

Configuring strongSwan

Alibaba Cloud ECS

Edit the configuration file /etc/strongswan/ipsec.conf
[[email protected]_abc ~]# vim /etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        uniqueids=never
#default configuration
conn %default
        left=%any
        #leftsubnet=0.0.0.0/0
        leftsubnet=100.1.1.0/24
        right=%any
        rightsourceip=100.1.1.0/24
        fragmentation=yes
        auto=add
The name after conn is the connection name, the one used when bringing the connection up, e.g. ipsec up aliyun.
%default is a special connection name: the settings placed there are shared by every connection. For example, the ikev1_psk_xauth and ikev2_cert connections below have several identical settings, and those can be moved into %default.
leftsubnet=100.1.1.0/24 defines the interesting traffic on the ECS side: when the laptop accesses an address in 100.1.1.0/24, the traffic goes through the IPsec tunnel to the ECS, while everything else, such as internet access, goes directly out through the laptop's local router.
leftsubnet=0.0.0.0/0 would instead forward all of the laptop's internet traffic to the ECS.
#android
conn ikev1_psk_xauth
        keyexchange=ikev1
        leftauth=psk
        rightauth=psk
        rightauth2=xauth
        #aggressive=yes
        ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
#windows 7, Linux, ikev2, cert
conn ikev2_cert
        keyexchange=ikev2
        leftauth=pubkey
        leftcert=server.cert.pem
        rightauth=pubkey
        rightcert=client.cert.pem
        auto=add
        ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
#windows 7,iOS9+
conn ikev2_eap
        keyexchange=ikev2
        ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
        esp=aes256-sha256,3des-sha1,aes256-sha1!
        rekey=no
        leftauth=pubkey
        leftcert=server.cert.pem
        leftsendcert=always
        leftid=120.77.157.111
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        fragmentation=yes
        auto=add
Edit the secrets file
[[email protected]_abc ~]# vim /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
: RSA server.pem
: PSK "aaabbbccc"
aaa %any : XAUTH "aaa444"
aaa %any : EAP "aaa444"
The PSK is used for device (machine) authentication.
The XAUTH password is used for user authentication.

Server (Ubuntu)

Edit the configuration file
[email protected]:~# vim /etc/ipsec.conf
#strongSwan installed on Ubuntu uses a different config directory from CentOS
conn aliyun
        keyexchange=ikev1
        left=%any
        leftsourceip=%config
        leftauth=psk
        leftauth2=xauth
        right=120.77.157.111
        rightid=%any
        #rightsubnet=0.0.0.0/0
        rightsubnet=100.1.1.0/24
        rightauth=psk
        xauth_identity=abc
        auto=add
        ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
Edit the secrets file
[email protected]:~# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: PSK "aaabbbccc"
aaa : XAUTH "aaa444"

Laptop

Use the Windows 10 built-in VPN client with IKEv2.

Testing

Check the IPsec connection status on the server side

[[email protected]_abc ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 3.10.0-693.21.1.el7.x86_64, x86_64):
  uptime: 4 days, since Jul 01 19:50:56 2018
  malloc: sbrk 1921024, mmap 0, used 692384, free 1228640
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Virtual IP pools (size/online/offline):
  100.1.1.0/24: 254/4/0
Listening IP addresses:
  172.18.144.222
Connections:
ikev1_psk_xauth:  %any...%any  IKEv1
ikev1_psk_xauth:   local:  [172.18.144.222] uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses XAuth authentication: any
ikev1_psk_xauth:   child:  0.0.0.0/0 === dynamic TUNNEL
  ikev2_cert:  %any...%any  IKEv2
  ikev2_cert:   local:  [C=CN, O=ALIYUN, CN=120.77.157.111] uses public key authentication
  ikev2_cert:    cert:  "C=CN, O=ALIYUN, CN=120.77.157.111"
  ikev2_cert:   remote: [C=CN, O=ALIYUN, CN=strongswan client] uses public key authentication
  ikev2_cert:    cert:  "C=CN, O=ALIYUN, CN=strongswan client"
  ikev2_cert:   child:  0.0.0.0/0 === dynamic TUNNEL
   ikev2_eap:  %any...%any  IKEv2
   ikev2_eap:   local:  [120.77.157.111] uses public key authentication
   ikev2_eap:    cert:  "C=CN, O=ALIYUN, CN=120.77.157.111"
   ikev2_eap:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   ikev2_eap:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (4 up, 0 connecting):
ikev1_psk_xauth[101]: ESTABLISHED 23 seconds ago, 172.18.144.222[172.18.144.222]...171.111.228.80[10.140.168.137]
ikev1_psk_xauth[101]: Remote XAuth identity: aaa
ikev1_psk_xauth[101]: IKEv1 SPIs: 2bb2a2cddb0cf562_i a78e7e2ad88a1ddb_r*, pre-shared key reauthentication in 2 hours
ikev1_psk_xauth[101]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
ikev1_psk_xauth{301}:  INSTALLED, TUNNEL, reqid 45, ESP in UDP SPIs: cbcf8a51_i c48eed21_o
ikev1_psk_xauth{301}:  AES_CBC_256/HMAC_SHA2_256_128, 12963 bytes_i (92 pkts, 3s ago), 18235 bytes_o (78 pkts, 3s ago), rekeying in 45 minutes
ikev1_psk_xauth{301}:   0.0.0.0/0 === 100.1.1.2/32    #IP assigned to the phone
ikev1_psk_xauth[99]: ESTABLISHED 11 minutes ago, 172.18.144.222[172.18.144.222]...113.16.128.90[10.55.55.4]
ikev1_psk_xauth[99]: Remote XAuth identity: aaa
ikev1_psk_xauth[99]: IKEv1 SPIs: e418d43b1b96fd87_i 7c960f4bb033049f_r*, pre-shared key reauthentication in 2 hours
ikev1_psk_xauth[99]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
ikev1_psk_xauth{300}:  INSTALLED, TUNNEL, reqid 39, ESP in UDP SPIs: cca32c65_i c49dc438_o
ikev1_psk_xauth{300}:  AES_CBC_128/HMAC_SHA1_96, 765931 bytes_i (7525 pkts, 0s ago), 413162 bytes_o (2586 pkts, 1s ago), rekeying in 17 minutes
ikev1_psk_xauth{300}:   0.0.0.0/0 === 100.1.1.3/32    #IP assigned to the server (Ubuntu)
   ikev2_eap[98]: ESTABLISHED 51 minutes ago, 172.18.144.222[120.77.157.111]...220.173.36.196[192.168.19.118]
   ikev2_eap[98]: Remote EAP identity: aaa
   ikev2_eap[98]: IKEv2 SPIs: 282dbaf85177141a_i 2f804bd92430043e_r*, rekeying disabled
   ikev2_eap[98]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
   ikev2_eap{299}:  INSTALLED, TUNNEL, reqid 44, ESP in UDP SPIs: c0838ac8_i fe237358_o
   ikev2_eap{299}:  3DES_CBC/HMAC_SHA1_96, 483706 bytes_i (2523 pkts, 1s ago), 1618581 bytes_o (2574 pkts, 1s ago), rekeying disabled
   ikev2_eap{299}:   0.0.0.0/0 === 100.1.1.4/32    #IP assigned to Windows 10
   ikev2_eap[48]: ESTABLISHED 2 days ago, 172.18.144.222[120.77.157.111]...113.14.220.136[10.55.55.3]
   ikev2_eap[48]: Remote EAP identity: aaa
   ikev2_eap[48]: IKEv2 SPIs: e7a8e4e28810d308_i 894e78f2f0568c34_r*, rekeying disabled
   ikev2_eap[48]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
   ikev2_eap{166}:  INSTALLED, TUNNEL, reqid 35, ESP in UDP SPIs: c3cf83d9_i 98b4968c_o
   ikev2_eap{166}:  3DES_CBC/HMAC_SHA1_96, 120717380 bytes_i (134372 pkts, 198198s ago), 3989123 bytes_o (79467 pkts, 190313s ago), rekeying disabled
   ikev2_eap{166}:   0.0.0.0/0 === 100.1.1.1/32

Pinging the clients from the server side

Device-to-device access: with an IPsec client connected, pinging the client's IP from the IPsec server fails. The client obtained its IP from the address pool, but the server itself has no address from that pool configured.

[[email protected]_arben ~]# strongswan statusall
   ikev2_eap{2}:   100.1.1.0/24 === 100.1.1.2/32
   ikev1_psk_xauth{1}:   100.1.1.0/24 === 100.1.1.1/32
[[email protected]_arben ~]# ping 100.1.1.1
PING 100.1.1.1 (100.1.1.1) 56(84) bytes of data.
^C
--- 100.1.1.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[[email protected]_arben ~]# ping 100.1.1.2
PING 100.1.1.2 (100.1.1.2) 56(84) bytes of data.
^C
--- 100.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
The IPsec server has no address in the 100.1.1.0/24 range configured:
[[email protected]_arben ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:0c:ad:cf brd ff:ff:ff:ff:ff:ff
    inet 172.18.144.xxx/20 brd 172.18.xxx.255 scope global dynamic eth0
       valid_lft 30375428sec preferred_lft 30375428sec

Client-to-client access

Clients, however, can reach each other. Below is a ping from the PC to the phone:

ping 100.1.1.2
正在 Ping 100.1.1.2 具有 32 字节的数据:
来自 100.1.1.2 的回复: 字节=32 时间=148ms TTL=63
来自 100.1.1.2 的回复: 字节=32 时间=81ms TTL=63
来自 100.1.1.2 的回复: 字节=32 时间=151ms TTL=63
来自 100.1.1.2 的回复: 字节=32 时间=82ms TTL=63
100.1.1.1 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 81ms,最长 = 151ms,平均 = 115ms

DPD (Dead Peer Detection)

When one end of the IPsec tunnel loses its network connection, the IPsec connection is not torn down cleanly, and the other end does not know that the peer is gone.
DPD detects whether the peer is still alive and takes the configured action when it is not.

[[email protected]_arben ~]# vim /etc/strongswan/ipsec.conf
#default configuration
conn %default
        dpdaction=clear    #clear the IPsec connection when the peer is detected to be down
        dpddelay=30s       #send a DPD probe every 30 s
        dpdtimeout=150s    #declare the peer dead if no reply has arrived after 150 s
Without DPD, once the network drops no data can be sent, yet the phase 1 and phase 2 SAs are kept until their own lifetimes expire; only then are both removed.
If the network recovers and the client connects again, the old SAs on both server and client are still kept (until they expire), which leaves useless state behind and, worse, means the virtual IPs already handed out cannot be reclaimed.
Status while a client is connected:
[[email protected]_abc ~]# strongswan statusall
Connections:
ikev1_psk_xauth:  %any...%any  IKEv1, dpddelay=30s
ikev1_psk_xauth:   local:  [172.18.144.222] uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses XAuth authentication: any
ikev1_psk_xauth:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev1_psk_xauth[2]: ESTABLISHED 3 minutes ago, 172.18.144.222[172.18.144.222]...113.15.143.14[10.151.134.231]
ikev1_psk_xauth[2]: Remote XAuth identity: abc
ikev1_psk_xauth[2]: IKEv1 SPIs: eb778ccae8b4f828_i 1619eaba18094d18_r*, pre-shared key reauthentication in 2 hours
ikev1_psk_xauth[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
ikev1_psk_xauth{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c6cbafe0_i c97309b0_o
ikev1_psk_xauth{2}:  AES_CBC_256/HMAC_SHA2_256_128, 111714 bytes_i (755 pkts, 148s ago), 414554 bytes_o (646 pkts, 149s ago), rekeying in 43 minutes
ikev1_psk_xauth{2}:   0.0.0.0/0 === 100.1.1.1/32
150 s after the client loses its network, the IPsec connection has been cleared:
[[email protected]_abc ~]# strongswan statusall
Connections:
ikev1_psk_xauth:  %any...%any  IKEv1, dpddelay=30s
ikev1_psk_xauth:   local:  [172.18.144.222] uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses pre-shared key authentication
ikev1_psk_xauth:   remote: uses XAuth authentication: any
ikev1_psk_xauth:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none
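As an added example (not code from the post), the following Python parser reads `strongswan statusall` output in the shape shown above, lists each established IKE SA with its remote identity, assigned virtual IP and the age of the last inbound ESP packet, and flags SAs that have been idle longer than the dpdtimeout of 150 s configured above; with dpdaction=clear such SAs should no longer exist, so their presence is worth alerting on. The sample output is constructed from the post's addresses with made-up counters.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
DPD_TIMEOUT_S = 150  # dpdtimeout from the post's %default section
# Constructed sample shaped like the post's `strongswan statusall` output (counters are made up).
SAMPLE_STATUS = """\
ikev1_psk_xauth[99]: ESTABLISHED 11 minutes ago, 172.18.144.222[172.18.144.222]...113.16.128.90[10.55.55.4]
ikev1_psk_xauth[99]: Remote XAuth identity: aaa
ikev1_psk_xauth{300}:  AES_CBC_128/HMAC_SHA1_96, 765931 bytes_i (7525 pkts, 0s ago), 413162 bytes_o (2586 pkts, 1s ago), rekeying in 17 minutes
ikev1_psk_xauth{300}:   0.0.0.0/0 === 100.1.1.3/32
   ikev2_eap[48]: ESTABLISHED 2 days ago, 172.18.144.222[120.77.157.111]...113.14.220.136[10.55.55.3]
   ikev2_eap[48]: Remote EAP identity: aaa
   ikev2_eap{166}:  3DES_CBC/HMAC_SHA1_96, 120717380 bytes_i (134372 pkts, 198198s ago), 3989123 bytes_o (79467 pkts, 190313s ago), rekeying disabled
   ikev2_eap{166}:   0.0.0.0/0 === 100.1.1.1/32
"""
# Lines under "Connections:" carry no [id]/{id}, so none of these patterns match them.
IKE_RE = re.compile(r"^\s*(?P<conn>\S+)\[(?P<id>\d+)\]: ESTABLISHED .*?\.\.\.(?P<peer>[\d.]+)\[(?P<peer_id>[^\]]+)\]")
IDENT_RE = re.compile(r"^\s*\S+\[\d+\]: Remote (?:XAuth|EAP) identity: (?P<user>\S+)")
TRAFFIC_RE = re.compile(r"^\s*\S+\{\d+\}:\s+\S+, \d+ bytes_i(?: \(\d+ pkts, (?P<age_i>\d+)s ago\))?")
TS_RE = re.compile(r"^\s*\S+\{\d+\}:\s+\S+ === (?P<remote_ts>\S+)")

@dataclass
class IkeSa:
    conn: str
    ike_id: int
    peer: str                         # peer's public address (after NAT)
    peer_id: str                      # peer's IKE identity, its private address in the post
    user: Optional[str] = None        # XAuth / EAP user name
    virtual_ip: Optional[str] = None  # address handed out from the rightsourceip pool
    in_age_s: Optional[int] = None    # seconds since the last inbound ESP packet
    def looks_dead(self, timeout_s: int = DPD_TIMEOUT_S) -> bool:
        return self.in_age_s is not None and self.in_age_s > timeout_s  # idle beyond dpdtimeout

def parse_statusall(text: str) -> List[IkeSa]:
    """Collect established IKE SAs; child-SA lines always follow their IKE SA in the output."""
    sas: List[IkeSa] = []
    cur: Optional[IkeSa] = None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            cur = IkeSa(m["conn"], int(m["id"]), m["peer"], m["peer_id"])
            sas.append(cur)
        elif cur and (m := IDENT_RE.match(line)):
            cur.user = m["user"]
        elif cur and (m := TRAFFIC_RE.match(line)):
            cur.in_age_s = int(m["age_i"]) if m["age_i"] else None  # absent when 0 bytes_i
        elif cur and (m := TS_RE.match(line)):
            cur.virtual_ip = m["remote_ts"].split("/")[0]  # "100.1.1.3/32" -> "100.1.1.3"
    return sas

def stale_peers(sas: List[IkeSa], timeout_s: int = DPD_TIMEOUT_S) -> List[IkeSa]:
    return [sa for sa in sas if sa.looks_dead(timeout_s)]
```

Feed it the real output with `parse_statusall(subprocess.check_output(["strongswan", "statusall"], text=True))` and run `stale_peers` on the result from cron to catch SAs that DPD failed to clear.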

Automatic IPsec reconnection on the client

When the IPsec tunnel is interrupted by an unstable network or for other reasons, how can the IPsec client reconnect automatically?

IPsec VPN: site-to-site connection

References

https://blog.csdn.net/sqzhao/article/details/76093994 (a very detailed write-up)
https://www.strongswan.org/
