首先安装openswan
yum install openswan
修改内核参数启用转发和禁止重定向
修改sysctl.conf文件
vi /etc/sysctl.conf
添加以下内容
# Kernel settings for an IPsec gateway: stop the host from emitting or
# honouring ICMP redirects and enable forwarding between the two subnets.
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
# log_martians=0 turns off logging of packets with impossible source
# addresses; a defender may prefer 1 here for visibility.
net.ipv4.conf.default.log_martians=0
net.ipv4.conf.all.log_martians=0
# Do not honour source-routed packets.
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
# NOTE(review): presumably drops packets that match an IPsec policy whose
# SA is not yet established instead of queueing them — confirm this is wanted.
net.core.xfrm_larval_drop=1
# Makes the host route between the subnets; pair this with firewall rules
# that restrict what may be forwarded.
net.ipv4.ip_forward = 1
# Repeats net.ipv4.conf.all.accept_redirects above (both set to 0); harmless.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
保存退出,执行以下命令
sysctl -p
关闭selinux
vi /etc/selinux/config
修改SELINUX项为disabled
SELINUX=disabled
修改配置文件
配置文件ipsec.conf
vi /etc/ipsec.conf
# Connection name (any name you like)
conn site_to_site
type=tunnel
# Authenticate the peers with a pre-shared key (see /etc/ipsec.secrets)
authby=secret
# auto=start: bring the tunnel up when the service starts;
# auto=add: only load it, and bring it up later by command
auto=start
# Local public IP
left=本端外网IP
# Local ID; must match the peer's rightid
leftid=本端外网IP
# Local private address (/32 = a single host)
leftsubnet=本端内网IP/32
# Peer ID; must match the peer's leftid
rightid=对端外网IP
# Peer public IP
right=对端外网IP
# Peer private address (/32 = a single host)
rightsubnet=对端内网IP/32
keyexchange=ike
# IKE (phase 1): encryption 3des, integrity sha1, DH group 2 (modp1024)
# NOTE(review): 3DES, SHA-1 and modp1024 are legacy choices; prefer AES, SHA-2
# and a larger DH group from the table below when both peers support them.
ike=3des-sha1;modp1024
phase2=esp
# ESP (phase 2): encryption 3des, integrity md5
# NOTE(review): MD5 is a weak integrity algorithm; prefer SHA-2 where possible.
phase2alg=3des-md5
# NOTE(review): pfs=no disables perfect forward secrecy for phase 2;
# pfs=yes is the safer setting if the peer supports it.
pfs=no
compress=no
#IKE DH算法对应表
Group 1 => modp768
Group 2 => modp1024
Group 5 => modp1536
Group 14 => modp2048
Group 15 => modp3072
Group 16 => modp4096
Group 17 => modp6144
Group 18 => modp8192
Group 19 => ecp256
Group 20 => ecp384
Group 21 => ecp521
Group 22 => modp1024s160
Group 23 => modp2048s224
Group 24 => modp2048s256
Group 25 => ecp192
Group 26 => ecp224
Group 27 => ecp224bp
Group 28 => ecp256bp
Group 29 => ecp384bp
Group 30 => ecp512bp
修改ipsec.secrets
vi /etc/ipsec.secrets
按如下格式填写一行(本端外网IP、对端外网IP、冒号、PSK，以及引号内的共享密钥)
本端外网IP 对端外网IP : PSK "此处输入共享密钥"
重启 ipsec 服务
systemctl restart ipsec
查看 VPN 状态的命令
ipsec auto --status
参考
http://glennxie.blog.51cto.com/1267825/1081807
http://www.simlinux.com/archives/342.html
http://mos1989.blog.51cto.com/4226977/1109450
文章作者:DOTATONG
发布日期:2017-02-23