AWS上FortiGate和Openswan实现点到点IPsecVPN-CFANZ编程社区

AWS上FortiGate和Openswan实现点到点IPsecVPN

安装部署

AWS上安装FortiGateMarketplace搜索FortiGate，安装对应版本，之后登陆并导入LIC
安装Openswan
# yum -y install openswan lsof

# ipsec verify //一开始会有报错

# vi /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 0 ---改成1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1 ---改成0

# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
改为
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

# sysctl -p

运行如下命令配置环境变量（禁止ICMP重定向）
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
成功执行后运行sysctl -p使修改的参数生效。
or（或以下命令修改ICMP重定向）
for *** in /proc/sys/net/ipv4/conf/*;
do
echo 0 > $***/accept_redirects;
echo 0 > $***/send_redirects;
done

关闭selinux：setenforce 0（关闭selinux，重启失效），接下来永久关闭selinux
修改vi /etc/selinux/config 把
SELINUX=enforcing
改为
SELINUX=disabled

# /etc/init.d/iptables stop
# chkconfig iptables off

或

放行openswan服务端口和NAT规则
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

运行#chkconfig ipsec on 开机自动启动ipsec服务
启动ipsec # service ipsec restart 并重新运行检查命令ipsec verify（重新确认ipsec）
配置Openswan
cat /etc/ipsec.conf

# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/

config setup
# Normally, pluto logs via syslog.
logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug="control parsing"
# plutodebug="all crypt"
plutodebug=all
plutostderrlog=/var/log/pluto.log
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf

cat /etc/ipsec.d/ipsec.conf

config setup
plutodebug=all
plutostderrlog=/var/log/pluto.log
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/16
oe=off

conn vpn-to-openswan
##phase 1##
authby=secret
auto=start
ike=aes128-sha1
keyexchange=ike
ikelifetime=86400
aggrmode=yes

##phase 2##
phase2=esp
phase2alg=aes128-sha1
compress=no
pfs=no
type=tunnel
keylife=43200

leftid=52.194.222.255
left=192.168.14.113
#leftsourceip=52.194.222.255
leftsubnet=192.168.0.0/16
leftnexthop=%defaultroute

right=54.238.113.251
rightid=54.238.113.251
rightsubnet=10.0.0.0/16
rightnexthop=%defaultroute

cat /etc/ipsec.d/ipsec.secret
x.x.x.x(本地公网ip) x.x.x.x（对端公网ip） : PSK "Qwer@123456"

重启服务
systemctl restart ipsec

查看Openswan日志
tail -f /var/log/pluto.log
FortiGate部署