
CentOS 7 openswan Site-to-Site (L2L) VPN

First, install openswan:

yum install openswan

Note: on CentOS 7 the openswan package has been obsoleted by libreswan, which declares that it provides openswan, so this command pulls in libreswan. The ipsec.conf and ipsec.secrets syntax below works unchanged with it.

Adjust the kernel parameters to enable forwarding and disable ICMP redirects

Edit sysctl.conf:

vi /etc/sysctl.conf

Append the following (redirects must be off on every interface, otherwise the gateway may tell hosts to bypass the tunnel):

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.xfrm_larval_drop = 1

Save and exit, then apply the settings:

sysctl -p

To confirm the kernel side is ready, run ipsec verify; it reports any interface that still has send_redirects or accept_redirects enabled, and whether ip_forward is on.

Disable SELinux

vi /etc/selinux/config

Set the SELINUX entry to disabled:

SELINUX=disabled

This change only takes effect after a reboot; setenforce 0 switches to permissive mode immediately. Disabling SELinux for the whole system is a large reduction in hardening for one service: the stock libreswan package on CentOS 7 ships with its own SELinux policy and normally runs fine in enforcing mode, so try that first and only fall back to permissive while troubleshooting.

Edit the configuration files

Configuration file ipsec.conf

vi /etc/ipsec.conf

Add a conn section. Parameter lines inside a section must be indented; an unindented line starts a new section.

# tunnel name (any name you like)
conn site_to_site
    type=tunnel
    authby=secret

    # start: connect automatically when the service starts; add: load only, bring up by hand with ipsec auto --up
    auto=start

    # this side's public IP
    left=LOCAL_PUBLIC_IP

    # this side's ID; must equal the [remote ID] configured on the peer
    leftid=LOCAL_PUBLIC_IP
    leftsubnet=LOCAL_PRIVATE_IP/32

    # remote ID; must equal the [local ID] configured on the peer
    rightid=REMOTE_PUBLIC_IP
    right=REMOTE_PUBLIC_IP
    rightsubnet=REMOTE_PRIVATE_IP/32

    keyexchange=ike

    # IKE encryption (3des), IKE integrity (sha1), IKE DH group (Group 2, modp1024)
    ike=3des-sha1;modp1024

    phase2=esp

    # ESP encryption (3des), ESP integrity (md5)
    phase2alg=3des-md5

    pfs=no
    compress=no

Two points a practitioner should check before copying this block:

Subnets: a /32 in leftsubnet and rightsubnet protects exactly one host on each side. For a real site-to-site tunnel put each site's LAN CIDR there (for example 192.168.1.0/24), and make sure the two ranges do not overlap.

Algorithms: 3DES, SHA-1, MD5 and the 1024-bit modp1024 group are legacy choices, and pfs=no means the ESP keys are derived from the IKE SA without a fresh DH exchange. Where the peer supports it, prefer something like ike=aes256-sha2_256;modp2048 and phase2alg=aes256-sha2_256 with pfs=yes; both ends must agree on the proposal or the negotiation fails with NO_PROPOSAL_CHOSEN.

IKE DH group to name mapping (for the modp/ecp part of the ike= line):

Group 1  => modp768
Group 2  => modp1024
Group 5  => modp1536
Group 14 => modp2048
Group 15 => modp3072
Group 16 => modp4096
Group 17 => modp6144
Group 18 => modp8192
Group 19 => ecp256
Group 20 => ecp384
Group 21 => ecp521
Group 22 => modp1024s160
Group 23 => modp2048s224
Group 24 => modp2048s256
Group 25 => ecp192
Group 26 => ecp224
Group 27 => ecp224bp
Group 28 => ecp256bp
Group 29 => ecp384bp
Group 30 => ecp512bp

Edit ipsec.secrets

vi /etc/ipsec.secrets

Fill it in using this format:

LOCAL_PUBLIC_IP REMOTE_PUBLIC_IP : PSK "enter the shared secret here"

The two addresses are the index the daemon uses to look up the key; they must match the IDs in the conn section (leftid and rightid, which here are the public IPs), and the same secret must be configured on the peer. Use a long random string rather than a password, and keep the file readable by root only (chmod 600 /etc/ipsec.secrets).

Restart the ipsec service (and enable it, otherwise auto=start does nothing at boot):

systemctl enable ipsec
systemctl restart ipsec

CentOS 7 runs firewalld by default; the tunnel needs UDP 500 and 4500 plus ESP allowed in, which the predefined ipsec service covers: firewall-cmd --permanent --add-service=ipsec && firewall-cmd --reload.

Check the VPN state with:

ipsec auto --status

A working tunnel shows the conn with both an ISAKMP SA and an IPsec SA established; if only the ISAKMP SA is present, phase 2 (phase2alg, pfs, or the subnets) does not match the peer.

[screenshot: output of ipsec auto --status]
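The following is an added example, not code from the original post or from the openswan/libreswan projects. It parses a conn block in ipsec.conf syntax, flags the legacy primitives used in the template above (3DES, SHA-1, MD5, modp1024, pfs=no) and the /32 "subnets", checks that the two subnets do not overlap and that the IDs match the addresses, and builds the matching ipsec.secrets line with a freshly generated PSK. The sample conn, the addresses (RFC 5737 documentation ranges), and the lists of what counts as weak are the author's own constructions.

```python
"""Audit a site-to-site conn from ipsec.conf and build its ipsec.secrets line.

Added example (not code from the original post). SAMPLE_CONF is constructed
from the post's template with documentation addresses; the weak-primitive
sets below are the author's judgement, not a project-defined list.
"""
import re
import secrets
from ipaddress import ip_network

SAMPLE_CONF = """\
# constructed sample, mirrors the post's template
conn site_to_site
    type=tunnel
    authby=secret
    auto=start
    left=198.51.100.10
    leftid=198.51.100.10
    leftsubnet=10.0.1.0/24
    right=203.0.113.20
    rightid=203.0.113.20
    rightsubnet=10.0.2.0/24
    keyexchange=ike
    ike=3des-sha1;modp1024       # IKE: encryption-integrity;DH group
    phase2=esp
    phase2alg=3des-md5           # ESP: encryption-integrity
    pfs=no
    compress=no
"""

WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_INTEG = {"md5", "sha1"}
WEAK_GROUPS = {"modp768", "modp1024", "modp1536", "modp1024s160"}


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    ipsec.conf rules: an unindented line opens a section ('conn NAME' or
    'config setup'), indented key=value lines belong to it, '#' starts a comment.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def _weak_parts(spec):
    """Yield (what, token) for each legacy primitive in an ike= or phase2alg= value.

    A value is a comma-separated list of proposals, each 'enc-integ[;dh]'.
    """
    for proposal in filter(None, (p.strip() for p in spec.split(","))):
        algs, _, dh = proposal.partition(";")
        parts = algs.split("-")
        enc = re.sub(r"\d+$", "", parts[0])  # aes256 -> aes; 3des is unchanged
        if enc in WEAK_CIPHERS:
            yield "cipher", parts[0]
        if len(parts) > 1 and parts[1] in WEAK_INTEG:
            yield "integrity", parts[1]
        if dh in WEAK_GROUPS:
            yield "DH group", dh


def audit_conn(conn):
    """Return a list of findings for one conn dict; an empty list means nothing flagged."""
    findings = []
    for key in ("ike", "phase2alg"):
        for what, token in _weak_parts(conn.get(key, "")):
            findings.append(f"{key}: legacy {what} {token}")
    if conn.get("pfs", "yes").lower() == "no":
        findings.append("pfs=no: ESP keys derive from the IKE SA without a fresh DH exchange")
    nets = {}
    for side in ("left", "right"):
        sub = conn.get(f"{side}subnet")
        if sub:
            nets[side] = ip_network(sub, strict=False)
            if nets[side].prefixlen == 32:
                findings.append(f"{side}subnet={sub}: /32 protects a single host, not a LAN")
        if conn.get(f"{side}id", conn.get(side)) != conn.get(side):
            findings.append(f"{side}id differs from {side}: the ipsec.secrets index must use the id")
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        findings.append("leftsubnet and rightsubnet overlap: traffic cannot be routed into the tunnel")
    return findings


def secrets_line(conn, psk=None):
    """Build the ipsec.secrets entry '<leftid> <rightid> : PSK "<key>"'; a 256-bit key is generated if none is given."""
    psk = psk or secrets.token_hex(32)
    return f'{conn.get("leftid", conn["left"])} {conn.get("rightid", conn["right"])} : PSK "{psk}"'


def hardened(conn):
    """Copy of conn with the template's legacy algorithms replaced by AES-256/SHA-256/modp2048 and PFS on."""
    new = dict(conn)
    new.update(ike="aes256-sha2_256;modp2048", phase2alg="aes256-sha2_256", pfs="yes")
    return new


if __name__ == "__main__":
    conn = parse_conns(SAMPLE_CONF)["site_to_site"]
    for finding in audit_conn(conn):
        print("FINDING:", finding)
    print("clean after hardening:", audit_conn(hardened(conn)) == [])
    print(secrets_line(conn))
```

Run it as-is to see the six findings the template produces, then point parse_conns at the real /etc/ipsec.conf (or a file under /etc/ipsec.d/) to audit a live configuration; the peer must be changed to the same proposal at the same time, since a one-sided change takes the tunnel down.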

References

http://glennxie.blog.51cto.com/1267825/1081807
http://www.simlinux.com/archives/342.html
http://mos1989.blog.51cto.com/4226977/1109450

Author: DOTATONG
Published: 2017-02-23
