Topology (labels recovered from the figure): vm1 192.168.182.144 <-> host1 (192.168.182.254 on the bridge, 9.94.189.225 on the uplink) <-> host2 (9.94.189.226 on the uplink, 192.168.152.254 on the bridge) <-> vm2 192.168.152.132
As shown in the figure, two physical hosts act as gateways, and each one starts a single virtual machine, giving two separate LANs.
The VMs are started with a QEMU script; the key options are:
-enable-kvm -display none -cpu host \
-smp 4 \
-m 4096 \
-kernel $vm_workdir/bzImage_$vm_id \
-device virtio-scsi-pci \
-net nic,model=virtio,macaddr=$mac -net bridge,br=$vm_br \
-drive file=$vm_workdir/rootfs.gz_$vm_id,if=none,cache=none,id=root \
-device virtio-blk,drive=root,id=d_root \
$cfg_new \
-append "console=ttyS0 IP=${vm_ip} root=/dev/vda1 rw kmemleak=on oops=panic panic_on_oops=1" \
-qmp tcp:localhost:$port,server,nowait \
-monitor unix:qemu-monitor-socket,server,nowait \
-serial file:$serial_log/vm.log \
-daemonize
II. Route configuration
VM1:
Add the route: route add -net 192.168.152.0/24 gw 192.168.182.254 dev ens3
Show the routing table:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.182.1   0.0.0.0         UG    0      0        0 ens3
192.168.152.0   192.168.182.254 255.255.255.0   UG    0      0        0 ens3
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 ens3
HOST1:
Add the route:
route add -net 192.168.152.0/24 gw 9.94.189.225 dev enp2s0f0
Show the routing table:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         9.94.0.1        0.0.0.0         UG    0      0        0 enp2s0f0
9.94.0.0        0.0.0.0         255.255.0.0     U     102    0        0 enp2s0f0
192.168.152.0   9.94.189.225    255.255.255.0   UG    0      0        0 enp2s0f0
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 br10
HOST2:
Add the route:
route add -net 192.168.182.0/24 gw 9.94.189.226 dev enp2s0f0
Show the routing table:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         9.94.0.1        0.0.0.0         UG    0      0        0 enp2s0f0
9.94.0.0        0.0.0.0         255.255.0.0     U     102    0        0 enp2s0f0
192.168.152.0   0.0.0.0         255.255.255.0   U     0      0        0 br10
192.168.182.0   9.94.189.226    255.255.255.0   UG    0      0        0 enp2s0f0
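The routing tables in this section (vm1's and host1's above, vm2's below) are easy to get subtly wrong: a gateway route only works if its next hop sits inside a directly connected network on the same interface, and the kernel picks the longest matching prefix, not the first line. The following script is an added example, not part of the original post: it parses `route -n` output, applies that next-hop check, and performs a longest-prefix lookup so you can confirm which gateway a given destination will use. The sample inputs are vm1's listing from this post and a constructed broken variant; the function names are my own.

```python
import ipaddress

# Sample input: vm1's `route -n` listing as shown in the post.
VM1_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.182.1   0.0.0.0         UG    0      0        0 ens3
192.168.152.0   192.168.182.254 255.255.255.0   UG    0      0        0 ens3
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 ens3
"""

# Constructed broken variant: the next hop for 192.168.152.0/24 is not on any
# network that ens3 is connected to, so the kernel could never resolve it.
BROKEN_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.152.0   10.0.0.254      255.255.255.0   UG    0      0        0 ens3
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 ens3
"""


def parse_route_n(text):
    """Parse `route -n` output into a list of route dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts
        routes.append({
            # Genmask is a dotted netmask; ip_network accepts that form directly.
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gw": ipaddress.ip_address(gw),
            "flags": flags,
            "iface": iface,
        })
    return routes


def check_gateways(routes):
    """Return one problem string per gateway route (flag G) whose next hop is
    not inside a directly connected network (no G flag) on the same interface."""
    connected = [r for r in routes if "G" not in r["flags"]]
    problems = []
    for r in routes:
        if "G" not in r["flags"]:
            continue
        if not any(r["gw"] in c["net"] and c["iface"] == r["iface"] for c in connected):
            problems.append(f"{r['net']} via {r['gw']} dev {r['iface']}: "
                            "next hop is not on a connected network")
    return problems


def next_hop(routes, dst):
    """Longest-prefix match, as the kernel does it; returns the gateway as a
    string ('0.0.0.0' for a directly connected route) or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return None
    return str(max(matches, key=lambda r: r["net"].prefixlen)["gw"])


if __name__ == "__main__":
    for name, table in (("vm1", VM1_ROUTE_TABLE), ("broken", BROKEN_ROUTE_TABLE)):
        routes = parse_route_n(table)
        print(name, "->", check_gateways(routes) or "ok",
              "| next hop towards vm2:", next_hop(routes, "192.168.152.132"))
```

To run it against a live machine, feed the text of `route -n` (or `netstat -rn`) into `parse_route_n`; on vm1 the expected result is no problems and a next hop of 192.168.182.254 for vm2's address.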
VM2:
Add the route: route add -net 192.168.182.0/24 gw 192.168.152.254 dev ens3
Show the routing table:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.152.1   0.0.0.0         UG    0      0        0 ens3
192.168.152.0   0.0.0.0         255.255.255.0   U     0      0        0 ens3
192.168.182.0   192.168.152.254 255.255.255.0   UG    0      0        0 ens3
III. Gateway configuration
1. On host1 and host2, run:
vim /etc/sysctl.conf
and add:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
2. Then run on each of them:
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
/sbin/sysctl -p
IV. strongSwan installation
1. Build from source on host1 and host2; the source tarball is downloaded from https://download.strongswan.org/
My kernel is 4.4 and I was worried that a newer release might not work with it, so I downloaded version 5.6.2; on a 5.10 kernel a newer version can be used.
tar -xvzf strongswan-5.6.2.tar.gz
cd strongswan-5.6.2
./configure --sysconfdir=/etc --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
    --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic \
    --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl \
    --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp
make && make install
Installation complete.
V. strongSwan configuration
The ipsec.conf / ipsec.secrets configuration method is being phased out and may run into problems, so the swanctl.conf method is used here.
On host1, run:
vim /etc/swanctl/swanctl.conf
and change the contents to:
connections {
    gw-gw {
        local_addrs = 9.94.189.225
        remote_addrs = 9.94.189.226
        local {
            auth = pubkey
            certs = moonCert.der
            id = moonpeer
        }
        remote {
            auth = pubkey
            id = sunpeer
        }
        children {
            net-net {
                local_ts = 192.168.182.0/24
                remote_ts = 192.168.152.0/24
                updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
                ah_proposals = sha256-sha384
            }
        }
        version = 1
        mobike = no
        reauth_time = 10800
        proposals = aes128-sha256-modp3072
    }
}
On host2, run:
vim /etc/swanctl/swanctl.conf
and change the contents to:
connections {
    gw-gw {
        local_addrs = 9.94.189.226
        remote_addrs = 9.94.189.225
        local {
            auth = pubkey
            certs = sunCert.der
            id = sunpeer
        }
        remote {
            auth = pubkey
            id = moonpeer
        }
        children {
            net-net {
                local_ts = 192.168.152.0/24
                remote_ts = 192.168.182.0/24
                updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
                ah_proposals = sha256
            }
        }
        version = 1
        mobike = no
        reauth_time = 10800
        proposals = aes128-sha256-modp3072
    }
}
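The two gateways carry hand-written mirror images of the same connection, so a typo on either side (a swapped address, an id that does not match the peer's certificate, a traffic selector that is not the mirror of the other side's, proposals with nothing in common) only surfaces as a failed negotiation in the logs. The following is an added example, neither strongSwan's code nor the post's: a small parser for the swanctl.conf brace syntax and a check that the host1 and host2 copies above mirror each other. The embedded configs are the two from this post trimmed to the settings the check reads; the proposal comparison is a deliberately simplified model (the sides must share one identical IKE proposal string, and the `-`-joined AH integrity algorithms must intersect), not strongSwan's full negotiation logic.

```python
# Both gateways' connection from the post, trimmed to the settings the check reads.
HOST1_CONF = """
connections {
    gw-gw {
        local_addrs = 9.94.189.225
        remote_addrs = 9.94.189.226
        local {
            id = moonpeer
        }
        remote {
            id = sunpeer
        }
        children {
            net-net {
                local_ts = 192.168.182.0/24
                remote_ts = 192.168.152.0/24
                ah_proposals = sha256-sha384
            }
        }
        proposals = aes128-sha256-modp3072
    }
}
"""
HOST2_CONF = """
connections {
    gw-gw {
        local_addrs = 9.94.189.226
        remote_addrs = 9.94.189.225
        local {
            id = sunpeer
        }
        remote {
            id = moonpeer
        }
        children {
            net-net {
                local_ts = 192.168.152.0/24
                remote_ts = 192.168.182.0/24
                ah_proposals = sha256
            }
        }
        proposals = aes128-sha256-modp3072
    }
}
"""


def parse_swanctl(text):
    """Minimal parser for the swanctl.conf syntax: `name {` opens a nested
    section, `}` closes it, `key = value` sets a value, `#` starts a comment."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section = cur.setdefault(line[:-1].strip(), {})
            stack.append(cur)
            cur = section
        elif line == "}":
            if not stack:
                raise ValueError("stray '}' in swanctl.conf")
            cur = stack.pop()
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unclosed section in swanctl.conf")
    return root


def algorithms(proposal_list):
    """Algorithm names appearing anywhere in a comma-separated proposal list."""
    return {alg for p in proposal_list.split(",") for alg in p.split("-")}


def check_peers(conf_a, conf_b, conn="gw-gw", child="net-net"):
    """Compare two gateways' copies of one connection and return a list of
    findings; an empty list means the two sides mirror each other."""
    ca, cb = conf_a["connections"][conn], conf_b["connections"][conn]
    ka, kb = ca["children"][child], cb["children"][child]
    # (label, value on side A, value on side B that must equal it)
    mirrored = [
        ("local_addrs/remote_addrs", ca["local_addrs"], cb["remote_addrs"]),
        ("remote_addrs/local_addrs", ca["remote_addrs"], cb["local_addrs"]),
        ("local.id/remote.id", ca["local"]["id"], cb["remote"]["id"]),
        ("remote.id/local.id", ca["remote"]["id"], cb["local"]["id"]),
        ("local_ts/remote_ts", ka["local_ts"], kb["remote_ts"]),
        ("remote_ts/local_ts", ka["remote_ts"], kb["local_ts"]),
    ]
    findings = [f"{label} mismatch: {va!r} vs {vb!r}"
                for label, va, vb in mirrored if va != vb]
    # Simplified negotiation model: IKE needs one identical proposal string on
    # both sides; AH needs at least one integrity algorithm offered by both.
    if not set(ca["proposals"].split(",")) & set(cb["proposals"].split(",")):
        findings.append("no common IKE proposal")
    if not algorithms(ka["ah_proposals"]) & algorithms(kb["ah_proposals"]):
        findings.append("no common AH integrity algorithm")
    return findings
```

Calling `check_peers(parse_swanctl(HOST1_CONF), parse_swanctl(HOST2_CONF))` on the two configs above returns no findings; the differing `ah_proposals` lines still intersect in sha256, which is what the responder will pick. To use it on real files, read both /etc/swanctl/swanctl.conf copies into strings first. Note that the check only compares ids and selectors; for `auth = pubkey` each gateway needs its own private key under /etc/swanctl/rsa/ plus the peer's certificate (or the CA certificate that issued it) under /etc/swanctl/x509/ or /etc/swanctl/x509ca/, so the peer's private key never has to leave the host that generated it.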
VI. CA certificate generation
On host1, run:
pki --gen > mooncaKey.der
pki --self --in mooncaKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > mooncaCert.der
pki --gen > moonKey.der
pki --issue --in moonKey.der --type priv --cacert mooncaCert.der --cakey mooncaKey.der --dn "C=CH, O=strongSwan, CN=moonpeer" --san moonpeer > moonCert.der
The resulting files are:
mooncaCert.der mooncaKey.der moonCert.der moonKey.der
On host2, run:
pki --gen > suncaKey.der
pki --self --in suncaKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > suncaCert.der
pki --gen > sunKey.der
pki --issue --in sunKey.der --type priv --cacert suncaCert.der --cakey suncaKey.der --dn "C=CH, O=strongSwan, CN=sunpeer" --san sunpeer > sunCert.der
The resulting files are:
the same as above, with the sun* names.
VII. Put the certificates in the expected locations:
On host1, run:
cp moonKey.der /etc/swanctl/rsa/
cp moonCert.der /etc/swanctl/x509/
cp mooncaCert.der /etc/swanctl/x509ca/
scp 9.94.189.226:/etc/swanctl/x509/sunCert.der /etc/swanctl/x509/
scp 9.94.189.226:/etc/swanctl/rsa/sunKey.der /etc/swanctl/rsa/
On host2, run:
cp sunKey.der /etc/swanctl/rsa/
cp sunCert.der /etc/swanctl/x509/
cp suncaCert.der /etc/swanctl/x509ca/
scp 9.94.189.225:/etc/swanctl/x509/moonCert.der /etc/swanctl/x509/
scp 9.94.189.225:/etc/swanctl/rsa/moonKey.der /etc/swanctl/rsa/
VIII. Start IPsec:
On host1 and host2, run:
systemctl start strongswan
swanctl --load-all
swanctl --initiate --child net-net
swanctl --list-sas --raw
Afterwards
ip xfrm policy ls
ip xfrm state ls
shows the installed policies and states.
ipsec statusall also shows the tunnel status.
At this point the IPsec tunnel is up.
3. Verification:
Ping vm2 from vm1.
On host1, capture with tcpdump -i enp2s0f0 ah; the AH packets are visible in the capture.
IX. Notes
1. Stop the firewall on the gateways: systemctl stop firewalld.service
2. Required kernel modules and config options:
CONFIG_XFRM_USER                  net/xfrm/xfrm_user.c
CONFIG_XFRM_ALGO                  net/xfrm/xfrm_algo.c
CONFIG_XFRM_AH                    the XFRM_ALGO and CRYPTO code
CONFIG_XFRM_ESP                   the XFRM_ALGO and CRYPTO code
CONFIG_INET_XFRM_MODE_TRANSPORT   net/ipv4/xfrm4_mode_transport.c
CONFIG_INET_XFRM_MODE_TUNNEL      net/ipv4/xfrm4_mode_tunnel.c
CONFIG_NET_KEY                    net/key/af_key.c
CONFIG_INET_AH                    net/ipv4/ah.c
CONFIG_INET_ESP                   net/ipv4/esp.c
CONFIG_NETFILTER_XTABLES          net/netfilter/x_tables.c, xt_tcpudp.c
CONFIG_NETFILTER_XT_MATCH_POLICY  net/netfilter/xt_policy.c
3. The gateways need python2 installed (python3 will not do).
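A missing xfrm or AH option is the usual reason `swanctl --initiate` fails with a kernel error even though the configuration is right, so it is worth checking the gateway kernel's .config before starting. The following is an added example, not from the post: it parses the Kconfig file format (including the `# CONFIG_X is not set` form that disabled options are written in) and reports which of the options listed above are neither built in nor built as a module. The sample .config excerpt is constructed; the function names are my own.

```python
import re

# The options the post lists as required for the AH/ESP tunnel (kernel 4.4).
REQUIRED_OPTIONS = [
    "CONFIG_XFRM_USER", "CONFIG_XFRM_ALGO", "CONFIG_XFRM_AH", "CONFIG_XFRM_ESP",
    "CONFIG_INET_XFRM_MODE_TRANSPORT", "CONFIG_INET_XFRM_MODE_TUNNEL",
    "CONFIG_NET_KEY", "CONFIG_INET_AH", "CONFIG_INET_ESP",
    "CONFIG_NETFILTER_XTABLES", "CONFIG_NETFILTER_XT_MATCH_POLICY",
]

# Constructed excerpt of a .config: one option built as a module, one
# explicitly disabled, and CONFIG_INET_AH absent altogether.
SAMPLE_CONFIG = """\
CONFIG_XFRM_USER=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_AH=y
CONFIG_XFRM_ESP=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_NET_KEY=m
# CONFIG_INET_ESP is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_LOCALVERSION="-ipsec-test"
"""

_NOT_SET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map each CONFIG_* symbol to its value: 'y', 'm', a string or number
    with surrounding quotes removed, or 'n' for the `# CONFIG_X is not set` form."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _NOT_SET.match(line)
        if m:
            values[m.group(1)] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, value = line.partition("=")
            values[key] = value.strip('"')
    return values


def missing_options(config_text, required=REQUIRED_OPTIONS):
    """Required options that are neither built in (y) nor a module (m), as
    (symbol, state) pairs where state is 'n' (disabled) or 'absent'."""
    values = parse_kconfig(config_text)
    report = []
    for sym in required:
        state = values.get(sym, "absent")
        if state not in ("y", "m"):
            report.append((sym, state))
    return report


if __name__ == "__main__":
    for sym, state in missing_options(SAMPLE_CONFIG):
        print(f"{sym}: {state}")
```

On a real gateway, pass the text of /boot/config-$(uname -r) (or of /proc/config.gz after gunzip) to `missing_options`. Options built as modules count as present, but the module still has to be loaded; and on recent kernels the separate INET_XFRM_MODE_* options no longer exist because those modes were folded into the xfrm core, so seeing those two reported as absent there is expected rather than a problem.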