AWS上FortiGate和Openswan实现点到点IPsecVPN

AWS上FortiGate和Openswan实现点到点IPsecVPN


  1. 安装部署
  1. AWS上安装FortiGate:在Marketplace搜索FortiGate,安装对应版本,之后登录并导入LIC
  2. 安装Openswan
    # yum -y install openswan lsof

    # ipsec verify //一开始会有报错

    # vi /etc/sysctl.conf
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0 ---改成1
    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1 ---改成0

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0
    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1
    改为
    # Controls IP packet forwarding
    # Forwarding must be on so traffic between the two subnets can transit this
    # host's IPsec tunnel.
    net.ipv4.ip_forward = 1
    # Controls source route verification
    # NOTE(review): rp_filter=0 switches reverse-path filtering off completely,
    # so packets arriving with a spoofed source address are no longer dropped.
    # If the only reason is asymmetric routing through the tunnel, loose mode
    # (rp_filter = 2) is presumably sufficient - confirm. Also note this only
    # sets the "default" template; the effective value per interface is the
    # stricter of net.ipv4.conf.all.rp_filter and the interface's own, so check
    # "all" is not still 1.
    net.ipv4.conf.default.rp_filter = 0

    # sysctl -p

    运行如下命令配置环境变量(禁止ICMP重定向)
    # For every IPv4 accept_redirects/send_redirects sysctl currently known to
    # the kernel, append a "<key> = 0" line to /etc/sysctl.conf; the caller then
    # runs sysctl -p to apply them. The awk program is unchanged on purpose.
    sysctl -a \
      | grep -E 'ipv4.*(accept|send)_redirects' \
      | awk -F '=' '{print $1"= 0"}' >> /etc/sysctl.conf
    成功执行后运行sysctl -p使修改的参数生效。
    或者运行以下命令禁止ICMP重定向:
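    # Disable ICMP redirects on every IPv4 sysctl directory (all, default and
    # each interface). The original loop variable name was lost in the page
    # ("$***" is not a valid expansion); it is restored here as "conf".
    for conf in /proc/sys/net/ipv4/conf/*; do
      # Without nullglob an unmatched pattern is passed through literally.
      [[ -d "$conf" ]] || continue
      # Writing /proc/sys applies immediately but does not survive a reboot;
      # the sysctl.conf step above is what makes the setting persistent.
      echo 0 > "$conf/accept_redirects"
      echo 0 > "$conf/send_redirects"
    done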

    临时关闭selinux:setenforce 0(重启后失效);接下来永久关闭selinux:
    修改vi /etc/selinux/config 把
    SELINUX=enforcing
    改为
    # NOTE(review): disabling SELinux removes a host-wide control rather than
    # fixing whatever it denied. SELINUX=permissive logs the denials without
    # blocking, which is enough to diagnose the IPsec service; presumably the
    # distribution ships a policy for the daemon, so confirm whether disabling
    # is actually required before leaving it off.
    SELINUX=disabled

    # /etc/init.d/iptables stop
    # chkconfig iptables off



    放行openswan服务端口和NAT规则
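    # IKE (UDP/500) and NAT-T encapsulated IKE/ESP (UDP/4500).
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    # The TCP/4500 rule was dropped: the ipsec.conf shown later does not enable
    # TCP encapsulation of IKE/ESP, so that rule only exposed an unused port.
    # Native ESP (IP protocol 50) is only needed when there is no NAT between
    # the peers; with the AWS address mapping here the traffic is presumably
    # UDP/4500-encapsulated - TODO confirm, and add "-p esp -j ACCEPT" if not.
    # NOTE(review): the steps above stop and disable the iptables service, so
    # these rules only matter once it is re-enabled, and they are not kept
    # across reboots unless written out (e.g. service iptables save). The
    # heading mentions NAT rules but none are listed.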

    运行#chkconfig ipsec on 开机自动启动ipsec服务
    启动ipsec # service ipsec restart 并重新运行检查命令ipsec verify(重新确认ipsec)
  3. 配置Openswan
    cat /etc/ipsec.conf

    # /etc/ipsec.conf - Libreswan IPsec configuration file
    #
    # see 'man ipsec.conf' and 'man pluto' for more information
    #
    # For example configurations and documentation, see https://libreswan.org/wiki/
    #
    # NOTE(review): the guide installs the "openswan" package, but this header
    # and the option names are Libreswan's - presumably "openswan" is a
    # compatibility package name on this distribution; confirm which daemon is
    # running before relying on option names such as plutostderrlog.

    config setup
    # Normally, pluto logs via syslog.
    logfile=/var/log/pluto.log
    #
    # Do not enable debug options to debug configuration issues!
    #
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # NOTE(review): plutodebug=all contradicts the warning directly above.
    # Full debug output is very verbose and may include key material in
    # /var/log/pluto.log; keep it only while troubleshooting (the tail -f step
    # later in this guide), keep the log root-readable only, and set it back to
    # none afterwards.
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least up to 2015)
    virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

    # if it exists, include system wide crypto-policy defaults
    # include /etc/crypto-policies/back-ends/libreswan.config

    # It is best to add your IPsec connections as separate files in /etc/ipsec.d/
    # NOTE(review): the included /etc/ipsec.d/ipsec.conf (shown later) repeats a
    # "config setup" section with its own logging and virtual_private values;
    # confirm the daemon accepts a second one from an include, otherwise keep a
    # single config setup here.
    include /etc/ipsec.d/*.conf


    cat /etc/ipsec.d/ipsec.conf

    config setup
    # NOTE(review): this is the second "config setup" - /etc/ipsec.conf, which
    # includes this file, already has one with different virtual_private and
    # logging values; confirm which one wins, or keep only one.
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    # NOTE(review): in current Libreswan NAT traversal is always on and this
    # keyword is presumably ignored - harmless, but confirm.
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/16
    oe=off

    conn vpn-to-openswan
    ##phase 1##
    # Pre-shared key, looked up in the secrets file shown below.
    authby=secret
    # Bring the tunnel up when the service starts.
    auto=start
    ike=aes128-sha1
    keyexchange=ike
    ikelifetime=86400
    # NOTE(review): IKEv1 aggressive mode with a PSK exposes the PSK-derived
    # authentication hash to anyone who can observe the IKE exchange, so the
    # PSK's strength is the only protection against offline guessing. The
    # FortiGate side is set up the same way (the guide's "野蛮模式"); both
    # peers have fixed public IPs used as IDs, so main mode (aggrmode=no) or
    # IKEv2 should presumably work - confirm on the FortiGate, and in any
    # case use a long random PSK.
    aggrmode=yes

    ##phase 2##
    phase2=esp
    # SHA-1 as the ESP integrity algorithm; sha2 is preferred if the peer
    # supports it.
    phase2alg=aes128-sha1
    compress=no
    # NOTE(review): pfs=no derives phase-2 keys from the phase-1 exchange only,
    # so a compromised IKE SA exposes the ESP keys; pfs=yes (with a matching
    # DH group on the FortiGate) limits that - the guide deliberately turns it
    # off on the FortiGate, so both ends must agree.
    pfs=no
    type=tunnel
    keylife=43200

    # "left" is this host: its private VPC address, with the public address
    # the peer sees as its IKE ID (presumably an AWS 1:1 NAT mapping).
    leftid=52.194.222.255
    left=192.168.14.113
    #leftsourceip=52.194.222.255
    leftsubnet=192.168.0.0/16
    leftnexthop=%defaultroute

    # "right" is the FortiGate peer; its public IP doubles as its IKE ID.
    right=54.238.113.251
    rightid=54.238.113.251
    rightsubnet=10.0.0.0/16
    rightnexthop=%defaultroute

    cat /etc/ipsec.d/ipsec.secret
    # Format: <local-id> <peer-id> : PSK "<shared secret>". The parenthesised
    # Chinese text is the guide's annotation (local public IP, peer public IP),
    # not file syntax; the IDs must match leftid/rightid in the conn above.
    # NOTE(review): the example PSK is a short keyboard pattern; with aggressive
    # mode in use the PSK is the tunnel's main defence, so use a long random
    # value, keep this file root-only (mode 0600) and never paste it into
    # documentation. Also, Libreswan's default /etc/ipsec.secrets usually
    # includes /etc/ipsec.d/*.secrets - a file named "ipsec.secret" (no
    # trailing s) would not match that glob; confirm it is actually read, or
    # add an explicit include.
    x.x.x.x(本地公网ip) x.x.x.x(对端公网ip) : PSK "Qwer@123456"

    重启服务
    systemctl restart ipsec

    查看Openswan日志
    tail -f /var/log/pluto.log
  4. FortiGate部署


IPsecVPN通道配置

野蛮模式,阶段二不开启PFS

AWS上FortiGate和Openswan实现点到点IPsecVPN_Openswan



AWS上FortiGate和Openswan实现点到点IPsecVPN_Openswan_02

AWS上FortiGate和Openswan实现点到点IPsecVPN_FortiGate_03

AWS上FortiGate和Openswan实现点到点IPsecVPN_IPsecVPN_04


防火墙策略

AWS上FortiGate和Openswan实现点到点IPsecVPN_IPsecVPN_05



静态路由

到对端网段指向vpn接口,本地网段指向port1

AWS上FortiGate和Openswan实现点到点IPsecVPN_Openswan_06



AWS子网路由表要添加指向FortiGate网卡的路由

FortiGate网卡要关闭源/目标检查



