node01和node02准备
基本yum源
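# Base repositories and host tooling (run on BOTH node01 and node02).
yum install -y epel-release
# Globs are quoted so the shell cannot expand them against files in the
# current directory before yum sees them.
yum install -y wget 'bash-completion' git
# NOTE: `yum update -y` may pull in a new kernel; reboot before bringing the
# tunnel up so the running kernel matches the installed modules.
yum update -y
# The original list was copied from a Kubernetes node-prep script: it repeated
# several packages (wget, cmake, ncurses-devel, openssl-devel, sysstat,
# conntrack, conntrack-tools, libseccomp, bash-comp*) and contained two names
# that no repository provides (fiex*, tlc). Those are removed; everything else
# is kept. libreswan itself pulls its own dependencies, so the build toolchain
# below is not required for the IPsec setup on this page.
yum -y install \
  gcc gcc-c++ make cmake bc autoconf automake libtool 'libtool-ltdl-devel*' \
  ncurses ncurses-devel elfutils-libelf-devel openssl openssl-devel \
  'flex*' 'bison*' 'zlib*' 'libxml*' 'libmcrypt*' pcre pcre-devel jemalloc-devel \
  vim unzip wget curl git lrzsz tree jq lsof psmisc strace htop iftop nload \
  ipvsadm ipset conntrack conntrack-tools libseccomp socat nfs-utils \
  net-tools bind-utils tcpdump telnet crontabs sysstat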
关闭防火墙,swap,selinux
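# Disable firewalld, swap and SELinux (run on BOTH nodes).
#
# SECURITY NOTE: none of these three is needed by libreswan itself. Disabling
# firewalld and SELinux removes host-level defence in depth on two hosts that
# carry public addresses (see the address table below). The least-privilege
# alternative is to keep both running and open only what IKE/IPsec needs:
#   firewall-cmd --permanent --add-service=ipsec   # UDP 500, UDP 4500, ESP/AH
#   firewall-cmd --reload
# The MASQUERADE rules later on this page are added with raw iptables, and a
# firewalld reload may flush them -- presumably why this page turns it off.
# Swap handling is a Kubernetes prerequisite and is unrelated to IPsec.

# firewall: stop now and do not start at boot
systemctl disable --now firewalld

# swap: turn off now and comment out every non-comment fstab line mentioning swap
swapoff -a
sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab

# selinux: permissive for the running system, disabled after the next reboot.
# `setenforce 0` returns non-zero when SELinux is already disabled (or the
# tools are absent), so guard it instead of letting the step fail.
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
  setenforce 0
fi
sed -ri '/^[^#]*SELINUX=/s#=.+$#=disabled#' /etc/selinux/config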
| 项目 | 地址 |
|---|---|
| node01的内网地址 | 10.170.0.4 |
| node02的内网地址 | 10.140.0.14 |
| node01的公网地址 | 35.241.127.87 |
| node02的公网地址 | 104.155.197.80 |
| node01的内网网段 | 10.170.0.0/24 |
| node02的内网网段 | 10.140.0.0/24 |
内核参数优化
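# Kernel parameters for an IPsec gateway (run on BOTH nodes).
#
# Two defects in the original step are fixed here:
#  1. It only set net.ipv4.conf.default.rp_filter=0. The effective rp_filter
#    of an interface is max(conf.all, conf.<iface>), so on an interface that
#    already exists (and on "all", which CentOS ships as 1) reverse-path
#    filtering stayed ON and decrypted packets from the remote subnet could be
#    dropped. "all" and every existing interface are now cleared as well.
#  2. It appended the redirect keys to /etc/sysctl.conf on every run, so
#    re-running produced duplicate lines. A dedicated sysctl.d file is
#    rewritten from scratch instead, making the step idempotent.
{
  cat <<'EOF'
# Forward packets between the tunnel and the local subnet.
net.ipv4.ip_forward = 1
# rp_filter: effective value is max(all, iface) -> both must be 0.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
# A gateway should neither honour nor emit ICMP redirects. send_redirects is
# enabled if EITHER all or iface is set, so per-interface keys follow below.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
  # Per-interface keys for interfaces that already exist (the "all"/"default"
  # entries alone do not override them for rp_filter and send_redirects).
  sysctl -a 2>/dev/null \
    | awk -F'[ =]' '/^net\.ipv4\.conf\.[^.]+\.(rp_filter|accept_redirects|send_redirects) /{print $1 " = 0"}'
} > /etc/sysctl.d/99-ipsec.conf
# `sysctl -p` only reads /etc/sysctl.conf; --system loads sysctl.d as well.
sysctl --system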
安装libreswan
node01和node02安装libreswan
# Install libreswan on node01 and node02.
# gmp/gmp-devel/flex/bison/python/xmlto are build-time dependencies; the
# binary libreswan package resolves its own runtime dependencies. They are
# kept so the installed set matches the original step, just in one transaction.
yum install -y gmp gmp-devel flex bison python xmlto libreswan
node01生成RSA主机密钥（libreswan 的 raw RSA key，不是 X.509 证书）
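# node01: create the NSS database and a raw RSA host key (run as root).
ipsec initnss
# Generate the host key into NSS. --nssdir is the default location and is
# kept explicit. The .secrets file written by --output only points at the key
# in NSS; it is loaded because the stock /etc/ipsec.secrets contains
# `include /etc/ipsec.d/*.secrets` -- verify that include line is present.
ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/cq-to-ksc.secrets
# Keep the secrets file root-only regardless of the umask in effect.
chmod 600 /etc/ipsec.d/cq-to-ksc.secrets
# List the keys in NSS; note the ckaid of the one just generated.
ipsec showhostkey --list
# Replace XXX with that ckaid. The printed "leftrsasigkey=" value is node01's
# PUBLIC key: it goes into leftrsasigkey= of cq-to-ksc.conf on node01 AND,
# unchanged, into rightrsasigkey= of ksc-to-cq.conf on node02.
CKAID=XXX
ipsec showhostkey --ckaid "$CKAID" --left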
node02生成RSA主机密钥（libreswan 的 raw RSA key，不是 X.509 证书）
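# node02: create the NSS database and a raw RSA host key (run as root).
ipsec initnss
# Generate the host key into NSS. The .secrets file written by --output only
# points at the key in NSS; it is loaded because the stock /etc/ipsec.secrets
# contains `include /etc/ipsec.d/*.secrets` -- verify that include line exists.
ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/ksc-to-cq.secrets
# Keep the secrets file root-only regardless of the umask in effect.
chmod 600 /etc/ipsec.d/ksc-to-cq.secrets
# List the keys in NSS; note the ckaid of the one just generated.
ipsec showhostkey --list
# Replace XXX with that ckaid. --left is correct here too, because node02 is
# "left" in its own ksc-to-cq.conf. The printed value is node02's PUBLIC key:
# it goes into leftrsasigkey= on node02 AND, unchanged, into rightrsasigkey=
# of cq-to-ksc.conf on node01.
CKAID=XXX
ipsec showhostkey --ckaid "$CKAID" --left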
node01
编辑 /etc/ipsec.d/cq-to-ksc.conf（默认的 /etc/ipsec.conf 通过 `include /etc/ipsec.d/*.conf` 加载该目录，请先确认该 include 行存在）：
vim /etc/ipsec.d/cq-to-ksc.conf
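# node01 -> node02 tunnel. In libreswan "left" is always this host and
# "right" is the peer; node02's ksc-to-cq.conf is the mirror image.
conn cq-to-ksc
    # Both ends authenticate with raw RSA keys (no PSK, no X.509).
    authby=rsasig
    # %defaultroute resolves to the NIC address (10.170.0.4). This host
    # presumably sits behind 1:1 NAT (private address on the NIC, public
    # address listed above), so the identity sent to the peer is the PUBLIC
    # address; it must equal rightid= in node02's ksc-to-cq.conf.
    left=%defaultroute
    leftid=35.241.127.87
    leftsubnet=10.170.0.0/24
    # node01's public key, i.e. the output of `ipsec showhostkey --left` on
    # node01. Must be byte-identical to rightrsasigkey= on node02.
    leftrsasigkey=<node01 public key>
    right=104.155.197.80
    rightid=104.155.197.80
    rightsubnet=10.140.0.0/24
    # node02's public key, i.e. the output of `ipsec showhostkey --left` on
    # node02. Must be byte-identical to leftrsasigkey= on node02.
    rightrsasigkey=<node02 public key>
    # Dead-peer detection: probe every 5 s, declare the peer dead after 30 s
    # without a reply, then renegotiate.
    dpddelay=5
    dpdtimeout=30
    dpdaction=restart
    # auto=start loads AND initiates the tunnel every time the ipsec service
    # starts. The original auto=add only loaded it and relied on a manual
    # `ipsec auto --up`, so after a reboot there was no tunnel.
    auto=start
    # Recommended hardening: refuse IKEv1. Enable it on BOTH peers in the same
    # change; enabling it on one side only breaks the tunnel.
    # ikev2=insist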
node02
编辑 /etc/ipsec.d/ksc-to-cq.conf（默认的 /etc/ipsec.conf 通过 `include /etc/ipsec.d/*.conf` 加载该目录，请先确认该 include 行存在）：
vim /etc/ipsec.d/ksc-to-cq.conf
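# node02 -> node01 tunnel. In libreswan "left" is always this host and
# "right" is the peer; node01's cq-to-ksc.conf is the mirror image.
conn ksc-to-cq
    # Both ends authenticate with raw RSA keys (no PSK, no X.509).
    authby=rsasig
    # %defaultroute resolves to the NIC address (10.140.0.14). This host
    # presumably sits behind 1:1 NAT (private address on the NIC, public
    # address listed above), so the identity sent to the peer is the PUBLIC
    # address; it must equal rightid= in node01's cq-to-ksc.conf.
    left=%defaultroute
    leftid=104.155.197.80
    leftsubnet=10.140.0.0/24
    # node02's public key, i.e. the output of `ipsec showhostkey --left` on
    # node02. Must be byte-identical to rightrsasigkey= on node01.
    leftrsasigkey=<node02 public key>
    right=35.241.127.87
    rightid=35.241.127.87
    rightsubnet=10.170.0.0/24
    # node01's public key (output of `ipsec showhostkey --left` on node01).
    # Must be byte-identical to leftrsasigkey= on node01. This is a PUBLIC
    # key, so listing it here is not a secret leak.
    rightrsasigkey=0sAwEAAbYPX7qh+wuhcmvlmd3Vhz9LxWQ3bpZOl0TEi9eLmhPms0E4iHMpuZn1wGLuxREprt0aa+QMJh1qh+1//VGUmAMoGy8HGb5LWJNyBd+gfoO4GvUVebg2iVbhd7offzTA54eAvBJrII+oZe0hnVJMQFdO9FLe+F2UyMln1zMs+XIvOTsvh+ytiuVBZQUUEnaefJsdRe4kBGk8QXxOz1xlMtYWUAi5mIz+AWcE4h/ZbBrU/54wJ+o1Ma+J7R3CWMSAtz2EGT8t+A1OJxoTy64S5/xxN4jxHvpegboawmZ6zprIt+yztXnkCLHflERv4qSp9VFikqQRNgci51BpHp+z6vQNn3Gq9lkUw7u4pRZ8kyOQ3KN54R/9kLWUOLhy3/h7U/onsMXIUp5e8fRxBbUqx22ADgg3HpDUPk1U6kQbwfT5vJzHN5E+cgFr9crjqqyHtwtn6l2kM6cDX9oeMLDXEIfEnZZg7T75R84DPrSenIuhZ/UlL4I/w6JRKwLSVdE9wC74z9pR/qAIhLh+IoMjPWHdmx/iQW69pqbtTZvU08Hr3jQZbHNIcw94uDPrD6b2xARI0neZgUmt885ohYpKCLvcBl9KCULOPnX/7DOjVdkLNIEKTNOZV+ZnKw==
    # Dead-peer detection: probe every 5 s, declare the peer dead after 30 s
    # without a reply, then renegotiate.
    dpddelay=5
    dpdtimeout=30
    dpdaction=restart
    # auto=start loads AND initiates the tunnel every time the ipsec service
    # starts. The original auto=add only loaded it and relied on a manual
    # `ipsec auto --up`, so after a reboot there was no tunnel.
    auto=start
    # Recommended hardening: refuse IKEv1. Enable it on BOTH peers in the same
    # change; enabling it on one side only breaks the tunnel.
    # ikev2=insist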
启动
node01
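# node01: start libreswan and bring the tunnel up.
# `systemctl start` alone leaves the unit disabled, so after a reboot there
# would be no IPsec daemon at all; enable it at the same time.
systemctl enable --now ipsec
# Check the kernel prerequisites (rp_filter, ICMP redirects, forwarding,
# NSS database) before debugging the negotiation itself.
ipsec verify
# Load the connection and initiate it. With auto=add in the conf this manual
# --up is the only thing that establishes the tunnel; re-running both after a
# config edit is safe.
ipsec auto --add cq-to-ksc
ipsec auto --up cq-to-ksc
# The --up output should report the IPsec SA as established; `ipsec status`
# shows the loaded connection and its SA state.
ipsec status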
node02
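# node02: start libreswan and bring the tunnel up.
# `systemctl start` alone leaves the unit disabled, so after a reboot there
# would be no IPsec daemon at all; enable it at the same time.
systemctl enable --now ipsec
# Check the kernel prerequisites (rp_filter, ICMP redirects, forwarding,
# NSS database) before debugging the negotiation itself.
ipsec verify
# Load the connection and initiate it. With auto=add in the conf this manual
# --up is the only thing that establishes the tunnel; re-running both after a
# config edit is safe.
ipsec auto --add ksc-to-cq
ipsec auto --up ksc-to-cq
# The --up output should report the IPsec SA as established; `ipsec status`
# shows the loaded connection and its SA state.
ipsec status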
添加 NAT 与路由规则（下面的 iptables 规则和静态路由都不会持久化，重启后需要重新添加或写入 iptables-services / 网络配置）
node01
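# node01: NAT and routing for traffic arriving from node02's subnet.
#
# SECURITY/OPS NOTE: this MASQUERADE rewrites the source of every packet that
# leaves the tunnel (10.140.0.0/24) to node01's own address before it reaches
# hosts in 10.170.0.0/24. Those hosts therefore never see the real remote
# source: their logs, host firewalls and ACLs cannot tell remote clients
# apart, and a compromise of node01 looks like local traffic. It is presumably
# used so the other hosts need no return route for 10.140.0.0/24; if the VPC
# route table can point 10.140.0.0/24 at node01 instead, drop this rule.
# `-C` makes the step idempotent (the original `-A` added a duplicate rule on
# every run). Neither the rule nor the route survives a reboot on its own.
iptables -t nat -C POSTROUTING -s 10.140.0.0/24 -d 10.170.0.0/24 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.140.0.0/24 -d 10.170.0.0/24 -j MASQUERADE
# Route the remote subnet via node01 (10.170.0.4). On node01 itself the IPsec
# policy for 10.170.0.0/24 -> 10.140.0.0/24 already captures this traffic, so
# a route whose gateway is the host's own address is what OTHER hosts in
# 10.170.0.0/24 (or the VPC route table) need -- TODO confirm which host this
# was meant for. `replace` (iproute2) is idempotent where `route add` fails
# once the route exists.
ip route replace 10.140.0.0/24 via 10.170.0.4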
node02
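# node02: NAT and routing for traffic arriving from node01's subnet.
#
# SECURITY/OPS NOTE: this MASQUERADE rewrites the source of every packet that
# leaves the tunnel (10.170.0.0/24) to node02's own address before it reaches
# hosts in 10.140.0.0/24. Those hosts therefore never see the real remote
# source: their logs, host firewalls and ACLs cannot tell remote clients
# apart, and a compromise of node02 looks like local traffic. It is presumably
# used so the other hosts need no return route for 10.170.0.0/24; if the VPC
# route table can point 10.170.0.0/24 at node02 instead, drop this rule.
# `-C` makes the step idempotent (the original `-A` added a duplicate rule on
# every run). Neither the rule nor the route survives a reboot on its own.
iptables -t nat -C POSTROUTING -s 10.170.0.0/24 -d 10.140.0.0/24 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.170.0.0/24 -d 10.140.0.0/24 -j MASQUERADE
# Route the remote subnet via node02 (10.140.0.14). On node02 itself the IPsec
# policy for 10.140.0.0/24 -> 10.170.0.0/24 already captures this traffic, so
# a route whose gateway is the host's own address is what OTHER hosts in
# 10.140.0.0/24 (or the VPC route table) need -- TODO confirm which host this
# was meant for. `replace` (iproute2) is idempotent where `route add` fails
# once the route exists.
ip route replace 10.170.0.0/24 via 10.140.0.14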