Topology (as in the figure): vm1 (192.168.182.144) <-> host1 (192.168.182.254 | 9.94.189.225) <-> host2 (9.94.189.226 | 192.168.152.254) <-> vm2 (192.168.152.132)
The environment is as shown in the figure: two physical hosts act as gateways, and each starts one virtual machine that forms a LAN behind it.
The VMs are started with a QEMU script; the key options are:
-enable-kvm -display none -cpu host
-smp 4
-m 4096
-kernel $vm_workdir/bzImage_$vm_id
-device virtio-scsi-pci
-net nic,model=virtio,macaddr=$mac -net bridge,br=$vm_br
-drive file=$vm_workdir/rootfs.gz_$vm_id,if=none,cache=none,id=root
-device virtio-blk,drive=root,id=d_root
$cfg_new
-append "console=ttyS0 IP=${vm_ip} root=/dev/vda1 rw kmemleak=on oops=panic panic_on_oops=1"
-qmp tcp:localhost:$port,server,nowait
-monitor unix:qemu-monitor-socket,server,nowait
-serial file:$serial_log/vm.log
-daemonize
II. Routing configuration
VM1:
Add the route:
route add -net 192.168.152.0/24 gw 192.168.182.254 dev ens3
Show the routing table:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.182.1   0.0.0.0         UG    0      0        0 ens3
192.168.152.0   192.168.182.254 255.255.255.0   UG    0      0        0 ens3
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 ens3
HOST1:
Add the routes:
route add default gw 192.168.182.1
route add -net 192.168.152.0/24 gw 9.94.189.225 dev enp2s0f0
Show the routing table:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         9.94.0.1        0.0.0.0         UG    0      0        0 enp2s0f0
0.0.0.0         192.168.182.1   0.0.0.0         UG    0      0        0 br10
0.0.0.0         9.94.0.1        0.0.0.0         UG    102    0        0 enp2s0f0
9.94.0.0        0.0.0.0         255.255.0.0     U     102    0        0 enp2s0f0
192.168.152.0   9.94.189.225    255.255.255.0   UG    0      0        0 enp2s0f0
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 br10
Note: once the default route via 192.168.182.1 is added, an ssh session to 9.94.189.225 will drop, because host1 now sends its replies towards the LAN side. Log in through the serial console or BMC and add the default route via 9.94.0.1 again (the same applies to host2).
HOST2:
Add the routes:
route add default gw 192.168.152.1
route add -net 192.168.182.0/24 gw 9.94.189.226 dev enp2s0f0
Show the routing table:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         9.94.0.1        0.0.0.0         UG    0      0        0 enp2s0f0
0.0.0.0         192.168.152.1   0.0.0.0         UG    0      0        0 br10
0.0.0.0         9.94.0.1        0.0.0.0         UG    102    0        0 enp2s0f0
9.94.0.0        0.0.0.0         255.255.0.0     U     102    0        0 enp2s0f0
192.168.152.0   0.0.0.0         255.255.255.0   U     0      0        0 br10
192.168.182.0   9.94.189.226    255.255.255.0   UG    0      0        0 enp2s0f0
VM2:
Add the route:
route add -net 192.168.182.0/24 gw 192.168.152.254 dev ens3
Show the routing table:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.152.1   0.0.0.0         UG    0      0        0 ens3
192.168.152.0   0.0.0.0         255.255.255.0   U     0      0        0 ens3
192.168.182.0   192.168.152.254 255.255.255.0   UG    0      0        0 ens3
III. Gateway configuration
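As an added check that is not part of the original notes, the following POSIX shell script parses a `route -n` dump and verifies that a node has the routes the tables above call for: on a VM, the default route plus the route to the peer LAN through its gateway host; on a gateway host, its own LAN on the bridge plus the peer LAN out of the WAN interface. The embedded tables are copies of the VM1 and host1 tables shown above, so the script runs offline; the function names are this example's own, and on a real node you would pass `"$(route -n)"` instead of the embedded text.

```shell
#!/bin/sh
# Added example: verify that a `route -n` dump contains the routes a node needs.
# The two tables below are copies of the VM1 and host1 tables from the notes,
# embedded here so the checks can run without the lab.
VM1_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.182.1   0.0.0.0         UG    0      0        0 ens3
192.168.152.0   192.168.182.254 255.255.255.0   UG    0      0        0 ens3
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 ens3'

HOST1_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         9.94.0.1        0.0.0.0         UG    0      0        0 enp2s0f0
0.0.0.0         192.168.182.1   0.0.0.0         UG    0      0        0 br10
0.0.0.0         9.94.0.1        0.0.0.0         UG    102    0        0 enp2s0f0
9.94.0.0        0.0.0.0         255.255.0.0     U     102    0        0 enp2s0f0
192.168.152.0   9.94.189.225    255.255.255.0   UG    0      0        0 enp2s0f0
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 br10'

# has_route TABLE DEST GATEWAY IFACE
# True when a line with exactly this destination, gateway and interface
# exists. The first two lines of `route -n` are headers and are skipped.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v g="$3" -v i="$4" '
        NR > 2 && $1 == d && $2 == g && $8 == i { found = 1 }
        END { exit found ? 0 : 1 }'
}

# need_route TABLE DEST GATEWAY IFACE
# Reports one expected route as ok/MISSING; returns 1 when it is missing.
need_route() {
    if has_route "$1" "$2" "$3" "$4"; then
        printf '%-8s %s via %s dev %s\n' ok "$2" "$3" "$4"
    else
        printf '%-8s %s via %s dev %s\n' MISSING "$2" "$3" "$4"
        return 1
    fi
}

# check_vm TABLE IFACE DEFAULT_GW PEER_SUBNET LOCAL_GW
# A VM needs its default route and the route to the peer LAN through the
# gateway host on its own LAN (the one added with `route add -net`).
check_vm() {
    rc=0
    need_route "$1" 0.0.0.0 "$3" "$2" || rc=1
    need_route "$1" "$4" "$5" "$2" || rc=1
    return $rc
}

# check_gateway TABLE LAN_IFACE LAN_SUBNET WAN_IFACE PEER_SUBNET PEER_GW
# A gateway host needs its own LAN on the bridge and the peer LAN reachable
# through the WAN interface; the XFRM policy then wraps that traffic in ESP.
check_gateway() {
    rc=0
    need_route "$1" "$3" 0.0.0.0 "$2" || rc=1
    need_route "$1" "$5" "$6" "$4" || rc=1
    return $rc
}

# Offline run against the embedded tables (both return 0):
check_vm "$VM1_ROUTES" ens3 192.168.182.1 192.168.152.0 192.168.182.254
check_gateway "$HOST1_ROUTES" br10 192.168.182.0 enp2s0f0 192.168.152.0 9.94.189.225
```

The checks deliberately match on destination, gateway and interface only; a route that exists but points at the wrong gateway (for example the LAN's upstream router instead of the gateway host) is reported as MISSING, which is the failure mode that silently sends the peer LAN's traffic outside the tunnel.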
1. On host1 and host2, run
vim /etc/sysctl.conf
and add:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
2. Then run on each host:
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
/sbin/sysctl -p
3. On host1, run:
vim /etc/ipsec.conf
and change it to the following (the key=value lines must be indented under their section, or the parser rejects the file):
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes

# Add connections here.
conn %default
    authby=rsasig
    compress=no
    pfs=no

conn net-to-net
    left=9.94.189.225
    leftsubnet=192.168.182.0/24
    leftid=@left
    leftnexthop=%defaultroute
    right=9.94.189.226
    rightsubnet=192.168.152.0/24
    rightid=@right
    rightnexthop=%defaultroute
    auto=add
    ike=aes256-sha1-modp1024
    esp=aes256-sha1;modp1024
    type=tunnel
Then run:
ipsec newhostkey --output /etc/ipsec.secrets
ipsec showhostkey --left >>/etc/ipsec.conf
scp /etc/ipsec.conf root@9.94.189.226:/etc/ipsec.conf
4. On host2, run:
ipsec newhostkey --output /etc/ipsec.secrets
ipsec showhostkey --right >>/etc/ipsec.conf
scp /etc/ipsec.conf root@9.94.189.225:/etc/ipsec.conf
This leaves both gateways with identical configuration, each holding the other side's public key.
5. On both ends, run:
systemctl restart ipsec.service
systemctl status ipsec.service
ipsec setup restart
ipsec auto --up net-to-net
At this point the environment is set up.
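Steps 3 and 4 only work if, after the two appends and copies, one ipsec.conf ends up on both hosts with both `leftrsasigkey` and `rightrsasigkey` inside the `net-to-net` section. The script below is an added check (example code, not from the notes and not an Openswan tool): it parses ipsec.conf into its `config`/`conn` sections and confirms the tunnel has both keys, that they differ (both hosts running `showhostkey --left` would append the same side twice) and that the two subnets differ. The embedded file is the configuration above with two constructed placeholder strings standing in for real `ipsec showhostkey` output; `conf_get` and `check_tunnel` are names chosen here.

```shell
#!/bin/sh
# Added example: sanity-check ipsec.conf after both hosts appended their keys.
# IPSEC_CONF is the net-to-net config from the notes; the two *rsasigkey
# values are constructed placeholders, not real `ipsec showhostkey` output.
IPSEC_CONF='# ipsec.conf - IPsec configuration file
config setup
    protostack=netkey
    nat_traversal=yes

conn %default
    authby=rsasig
    compress=no
    pfs=no

conn net-to-net
    left=9.94.189.225
    leftsubnet=192.168.182.0/24
    leftid=@left
    leftnexthop=%defaultroute
    right=9.94.189.226
    rightsubnet=192.168.152.0/24
    rightid=@right
    rightnexthop=%defaultroute
    auto=add
    ike=aes256-sha1-modp1024
    esp=aes256-sha1;modp1024
    type=tunnel
    leftrsasigkey=0sAQPLACEHOLDER_LEFT_KEY
    rightrsasigkey=0sAQPLACEHOLDER_RIGHT_KEY'

# conf_get CONF SECTION KEY
# Prints the value of KEY inside "config SECTION" or "conn SECTION", or
# nothing if absent. Comments and blank lines are skipped; a key line is
# "key=value" indented under its section header.
conf_get() {
    printf '%s\n' "$1" | awk -v s="$2" -v k="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^(config|conn)[ \t]+/   { sec = $2; next }
        {
            sub(/^[ \t]+/, "")
            eq = index($0, "=")
            if (eq > 0 && sec == s && substr($0, 1, eq - 1) == k) {
                print substr($0, eq + 1)
                exit
            }
        }'
}

# check_tunnel CONF CONN
# Lists what is wrong with the connection; returns 1 if anything is.
check_tunnel() {
    rc=0
    for key in left leftsubnet leftrsasigkey right rightsubnet rightrsasigkey; do
        if [ -z "$(conf_get "$1" "$2" "$key")" ]; then
            echo "$2: $key is missing"; rc=1
        fi
    done
    lsub=$(conf_get "$1" "$2" leftsubnet); rsub=$(conf_get "$1" "$2" rightsubnet)
    if [ -n "$lsub" ] && [ "$lsub" = "$rsub" ]; then
        echo "$2: leftsubnet and rightsubnet are the same network"; rc=1
    fi
    lkey=$(conf_get "$1" "$2" leftrsasigkey); rkey=$(conf_get "$1" "$2" rightrsasigkey)
    if [ -n "$lkey" ] && [ "$lkey" = "$rkey" ]; then
        echo "$2: leftrsasigkey and rightrsasigkey are identical (one side's key was appended twice)"; rc=1
    fi
    # authby may sit in the conn itself or be inherited from %default
    authby=$(conf_get "$1" "$2" authby)
    [ -n "$authby" ] || authby=$(conf_get "$1" %default authby)
    if [ "$authby" != rsasig ]; then
        echo "$2: authby is not rsasig, the appended RSA keys will not be used"; rc=1
    fi
    return $rc
}

# Offline run against the embedded file; on a gateway use "$(cat /etc/ipsec.conf)".
check_tunnel "$IPSEC_CONF" net-to-net && echo "net-to-net looks complete"
```

Run it on both gateways after step 4: because the file is copied back and forth, a check that passes on one host but not the other means the last scp did not happen.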
IV. Notes
1. Stop the firewall on the gateways:
systemctl stop firewalld.service
2. Required kernel modules and config options:
CONFIG_XFRM_USER                    net/xfrm/xfrm_user.c
CONFIG_XFRM_ALGO                    net/xfrm/xfrm_algo.c
CONFIG_XFRM_AH                      code in XFRM_ALGO and CRYPTO
CONFIG_XFRM_ESP                     code in XFRM_ALGO and CRYPTO
CONFIG_INET_XFRM_MODE_TRANSPORT     net/ipv4/xfrm4_mode_transport.c
CONFIG_INET_XFRM_MODE_TUNNEL        net/ipv4/xfrm4_mode_tunnel.c
CONFIG_NET_KEY                      net/key/af_key.c
CONFIG_INET_AH                      net/ipv4/ah.c
CONFIG_INET_ESP                     net/ipv4/esp.c
CONFIG_NETFILTER_XTABLES            net/netfilter/x_tables.c, xt_tcpudp.c
CONFIG_NETFILTER_XT_MATCH_POLICY    net/netfilter/xt_policy.c
3. The gateways need python2 installed (python3 does not work).
4. Output of ipsec verify:
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U3.0.0/K4.4.292+ (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
ipsec verify: encountered errors
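The verify output above still reports `Checking rp_filter [ENABLED]` for `/proc/sys/net/ipv4/conf/all/rp_filter`, because step 1 of the gateway configuration only sets `net.ipv4.conf.default.rp_filter`, which applies to interfaces created later, not to `all` or to interfaces that already exist. The script below is an added audit (not part of the notes) that checks a `sysctl -a` dump for every setting `ipsec verify` tests and prints, in `sysctl.conf` syntax, exactly the lines that still need to be set, in the same spirit as the `awk` one-liner in step 2. The embedded dump is constructed to mirror the state reported above; `sysctl_fixups` is a name chosen here.

```shell
#!/bin/sh
# Added example: audit a `sysctl -a` dump for the settings ipsec verify tests
# and print the lines that still have to go into /etc/sysctl.conf.
# SAMPLE_SYSCTL is a constructed dump matching the state ipsec verify
# reported: default.rp_filter already 0, all.rp_filter still 1, and one
# interface still sending redirects.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.enp2s0f0.rp_filter = 0
net.ipv4.conf.enp2s0f0.send_redirects = 1
net.ipv4.conf.enp2s0f0.accept_redirects = 0
net.ipv4.conf.enp2s0f0.accept_source_route = 0
net.ipv4.tcp_syncookies = 1'

# sysctl_fixups DUMP
# Prints "key = wanted" for every key whose value differs from what the
# gateway needs; returns 1 when at least one line was printed, 0 when clean.
#   ip_forward must be 1 (the host routes between its LAN and the tunnel);
#   rp_filter, send/accept_redirects and accept_source_route must be 0 on
#   every interface, including the "all" and "default" pseudo-interfaces.
sysctl_fixups() {
    printf '%s\n' "$1" | awk -F ' *= *' '
        function wanted(key) {
            if (key == "net.ipv4.ip_forward") return "1"
            if (key ~ /^net\.ipv4\.conf\..*\.(rp_filter|send_redirects|accept_redirects|accept_source_route)$/) return "0"
            return ""
        }
        NF == 2 {
            w = wanted($1)
            if (w != "" && $2 != w) { printf "%s = %s\n", $1, w; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Offline run against the constructed dump. On a gateway the same call
# against the live kernel is:
#   sysctl_fixups "$(sysctl -a 2>/dev/null)" >> /etc/sysctl.conf; sysctl -p
sysctl_fixups "$SAMPLE_SYSCTL" || echo "(append the lines above to /etc/sysctl.conf and run sysctl -p)"
```

Re-run `ipsec verify` after `sysctl -p`; the `rp_filter` line should then read `[OK]`, and the "encountered errors" summary disappears once no test is left in the ENABLED state.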
5. The pluto log can be read with grep pluto /var/log/secure;
on some machines it is grep pluto /var/log/auth.log instead.