node01和node02准备

基本yum源

  1. yum install -y epel-release
  2. yum install -y wget bash-com* git
  3. yum update -y
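# Build tool-chain, libraries and admin utilities for node01/node02.
# The list is kept as an array so it is readable and free of the exact
# duplicates the one-liner carried (ncurses-devel, cmake, openssl-devel, wget,
# conntrack, conntrack-tools, libseccomp and sysstat were each given twice).
# "fiex*" was dropped: it matches no package and looks like a typo of "flex*",
# which is already present. Globs are quoted so the shell cannot expand them
# against files in the current directory before yum sees them.
packages=(
  # compilers and build tools
  gcc gcc-c++ make cmake autoconf automake libtool 'libtool-ltdl-devel*'
  'flex*' 'bison*' bc
  # development headers and libraries
  ncurses ncurses-devel elfutils-libelf-devel openssl openssl-devel
  'zlib*' 'libxml*' 'libmcrypt*' pcre pcre-devel jemalloc-devel
  # TODO(review): "tlc" is not a known package name; presumably "tcl" was meant
  tlc
  # editors, archive and transfer helpers
  vim unzip wget curl git lrzsz tree
  # shell and networking utilities
  bash-completion 'bash-comp*' jq socat psmisc lsof strace telnet
  ipvsadm ipset conntrack conntrack-tools libseccomp nfs-utils net-tools
  bind-utils tcpdump iftop nload htop sysstat crontabs
)
yum -y install "${packages[@]}"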

关闭防火墙,swap,selinux

# Host preparation: stop the packet filter, swap and SELinux enforcement.

# Firewall. Later steps add raw iptables rules, which firewalld would otherwise
# manage; if firewalld is to stay, the tunnel needs UDP 500/4500 plus ESP
# (firewalld's predefined "ipsec" service) opened instead of this line.
systemctl disable --now firewalld

# Swap: off now, and every uncommented fstab entry mentioning swap is
# commented out so it stays off after a reboot (already-commented lines are
# left alone, so re-running is harmless).
swapoff -a
sed -E -i '/^[^#]*swap/s|^|#|' /etc/fstab

# SELinux: permissive for the running system, disabled from the next boot on.
# setenforce exits non-zero when SELinux is already disabled; that is expected.
setenforce 0
sed -E -i '/^[^#]*SELINUX=/s|=.+$|=disabled|' /etc/selinux/config
node01的内网地址 10.170.0.4
node02的内网地址 10.140.0.14
node01的公网地址 35.241.127.87
node02的公网地址 104.155.197.80
node01的内网网段 10.170.0.0/24
node02的内网网段 10.140.0.0/24

image.png

内核参数优化

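# Kernel parameters for an IPsec gateway, written to /etc/sysctl.conf and
# applied with `sysctl -p`. The original recipe edited the file in vim and
# appended the redirect keys with ">>", which adds duplicate lines on every
# run; this version updates an existing key in place and appends only missing
# ones, so it can be re-run safely.

# Set one "key = value" line in /etc/sysctl.conf, replacing an uncommented
# line for the same key when present, appending otherwise.
# Arguments: $1 - sysctl key, $2 - value
set_sysctl() {
  local key=$1 value=$2
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" /etc/sysctl.conf; then
    sed -E -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" /etc/sysctl.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
  fi
}

# Forward between the two subnets; reverse-path filtering is turned off because
# it tends to drop the decapsulated packets whose source is the remote subnet.
set_sysctl net.ipv4.ip_forward 1
set_sysctl net.ipv4.conf.default.rp_filter 0
# NOTE(review): only the "default" template is changed here; interfaces that
# already exist keep their current all/<ifname>.rp_filter value — confirm with
# `ipsec verify` whether those need to be set as well.

# Neither send nor accept ICMP redirects on any IPv4 interface present now
# (the "default" template is in the listing, so later interfaces are covered).
while IFS= read -r key; do
  set_sysctl "$key" 0
done < <(sysctl -a 2>/dev/null | grep -Eo '^net\.ipv4\.conf\.[^[:space:]]+\.(accept|send)_redirects')
sysctl -p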

安装libreswan

node01和node02安装libreswan

# libreswan plus the build and scripting packages the recipe installs with it,
# in a single transaction (same resulting package set as two separate runs).
yum install -y gmp gmp-devel flex bison python xmlto libreswan

node01配置证书

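# node01: create the NSS database and an RSA host key, then print the public
# half in "leftrsasigkey=" form for pasting into the conn definition.
ipsec initnss
ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/cq-to-ksc.secrets
# The .secrets file refers to the private key; keep it readable by root only.
chmod 0600 /etc/ipsec.d/cq-to-ksc.secrets

# Take the CKAID from the key listing instead of replacing "XXX" by hand.
# NOTE(review): assumes the listing prints "... ckaid: <hex>" with the CKAID as
# the last field of that line — confirm against `ipsec showhostkey --list`.
ipsec showhostkey --list
ckaid=$(ipsec showhostkey --list | awk '/ckaid:/ { print $NF; exit }')
: "${ckaid:?no host key found in the NSS database}"
ipsec showhostkey --ckaid "$ckaid" --left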

image.png

node02配置证书

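# node02: create the NSS database and an RSA host key, then print the public
# half in "leftrsasigkey=" form for pasting into the conn definition.
ipsec initnss
ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/ksc-to-cq.secrets
# The .secrets file refers to the private key; keep it readable by root only.
chmod 0600 /etc/ipsec.d/ksc-to-cq.secrets

# Take the CKAID from the key listing instead of replacing "XXX" by hand.
# NOTE(review): assumes the listing prints "... ckaid: <hex>" with the CKAID as
# the last field of that line — confirm against `ipsec showhostkey --list`.
ipsec showhostkey --list
ckaid=$(ipsec showhostkey --list | awk '/ckaid:/ { print $NF; exit }')
: "${ckaid:?no host key found in the NSS database}"
ipsec showhostkey --ckaid "$ckaid" --left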

image.png

node01

vim /etc/ipsec.d/cq-to-ksc.conf
# node01's side of the site-to-site tunnel (cq = node01, 10.170.0.0/24;
# ksc = node02, 10.140.0.0/24). Peers authenticate with raw RSA public keys:
# each *rsasigkey value is the "0s..." string that `ipsec showhostkey --left`
# (or --right) prints on the host that owns the key.
conn cq-to-ksc
        authby=rsasig

        # left = this host. %defaultroute selects the address of the
        # default-route interface (the private 10.170.0.4), while leftid
        # carries the public address the peer knows node01 by.
        left=%defaultroute
        leftsubnet=10.170.0.0/24
        leftrsasigkey=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
        leftid=35.241.127.87

        # right = node02, reached at its public address; rightrsasigkey is
        # node02's public host key.
        right=104.155.197.80
        rightsubnet=10.140.0.0/24
        rightrsasigkey=0sAwEAAZHcFAJAIvpyX9FQWyTTQSESZj7Pqpb4mybQ/j++VwDehwChZkYcF5Gsv0VzjABkIc8Nqu2bFN+nI8A37OUOF1e/26ZlHE7pSCBLIOJdI8DswlwaNh34NxMask4pw/uSKEZfhFA5arZj/b3PiaQ1pfO47kSQFQyeHy+g7qJt5+mBWbJ2ykmDwLJ+2CelbtGDWDoHDwJtxeNQ8Brdp2YfR2tF1/Q286pODcrE5IvOBnlEeUcuLR4Uljh/ZHVdNzDjszssxqgxNsKttXyRfkGjGnVseX+0RvePqUoUG64w9YcEKw+hJSyntgimcQ+jiijJZ74dm8pjvhrfFs2GsDHsYzXdN+mpJAJVlYZxnf6Tc4m6yEwhd68DcB5UeaKdy6odX3hZiotQ8IAe0QFejOFyHtsiiOFkRu7GMzz/y37CoSpmmX65ohh33rcmoBaMPdFN/R0nersDvH5/YD63eiueH8A57f9qdr/J5WfdhLdhRUYBgL2BFU1LtUiYsyj7BfphNKKxArOnxbiDUnbY/b4mwWrC3zNx/1cNxMWuTvG5sjCzgHdR+WXDcaib+wRD8G+unUJSeo3sDQzTDxSzojYBzsXfKw==
        rightid=104.155.197.80

        # Dead-peer detection: probe every 5 s, treat the peer as gone after
        # 30 s without an answer and renegotiate the tunnel.
        # auto=add only loads the conn when pluto starts; the tunnel must still
        # be brought up with `ipsec auto --up cq-to-ksc` after every restart
        # (auto=start would bring it up automatically).
        dpddelay=5
        dpdtimeout=30
        dpdaction=restart
        auto=add

node02

vim /etc/ipsec.d/ksc-to-cq.conf
# node02's side of the site-to-site tunnel (ksc = node02, 10.140.0.0/24;
# cq = node01, 10.170.0.0/24): the mirror image of node01's cq-to-ksc conn.
# Peers authenticate with raw RSA public keys: each *rsasigkey value is the
# "0s..." string that `ipsec showhostkey --left` (or --right) prints on the
# host that owns the key.
conn ksc-to-cq
        authby=rsasig

        # left = this host. %defaultroute selects the address of the
        # default-route interface (the private 10.140.0.14), while leftid
        # carries the public address the peer knows node02 by.
        left=%defaultroute
        leftsubnet=10.140.0.0/24
        leftrsasigkey=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
        leftid=104.155.197.80

        # right = node01, reached at its public address; rightrsasigkey is
        # node01's public host key.
        right=35.241.127.87
        rightsubnet=10.170.0.0/24
        rightrsasigkey=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
        rightid=35.241.127.87

        # Dead-peer detection: probe every 5 s, treat the peer as gone after
        # 30 s without an answer and renegotiate the tunnel.
        # auto=add only loads the conn when pluto starts; the tunnel must still
        # be brought up with `ipsec auto --up ksc-to-cq` after every restart
        # (auto=start would bring it up automatically).
        dpddelay=5
        dpdtimeout=30
        dpdaction=restart
        auto=add

启动

node01

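# node01: run pluto now and at every boot (the original only started it for
# the current boot), load the conn, bring the tunnel up and show its state.
systemctl enable --now ipsec
# Explicit load of the conn; presumably redundant when /etc/ipsec.conf already
# includes /etc/ipsec.d/*.conf, but harmless either way.
ipsec auto --add cq-to-ksc
ipsec auto --up cq-to-ksc
ipsec status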

node02

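# node02: run pluto now and at every boot (the original only started it for
# the current boot), load the conn, bring the tunnel up and show its state.
systemctl enable --now ipsec
# Explicit load of the conn; presumably redundant when /etc/ipsec.conf already
# includes /etc/ipsec.d/*.conf, but harmless either way.
ipsec auto --add ksc-to-cq
ipsec auto --up ksc-to-cq
ipsec status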

添加路由规则

node01

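# node01: NAT and routing for traffic forwarded through the tunnel.
#
# Packets that arrive from node02's subnet and are forwarded to local hosts
# leave with node01's own address as source, so local hosts answer node01
# directly without a route of their own. Side effect: local hosts see every
# remote peer as 10.170.0.4 rather than its real address.
# The -C check keeps re-runs from stacking duplicate rules. The rule is not
# persistent across reboots (firewalld was disabled earlier and nothing else
# restores it), so it has to be re-applied at boot.
iptables -t nat -C POSTROUTING -s 10.140.0.0/24 -d 10.170.0.0/24 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.140.0.0/24 -d 10.170.0.0/24 -j MASQUERADE

# NOTE(review): 10.170.0.4 is node01's own private address, so a route with it
# as next hop has no obvious purpose on node01 itself; presumably this line is
# meant for the other hosts in 10.170.0.0/24 that should reach 10.140.0.0/24
# via node01 — confirm which hosts it belongs on. `ip route replace` is
# idempotent where the legacy `route add` fails on a second run.
ip route replace 10.140.0.0/24 via 10.170.0.4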

node02

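# node02: NAT and routing for traffic forwarded through the tunnel.
#
# Packets that arrive from node01's subnet and are forwarded to local hosts
# leave with node02's own address as source, so local hosts answer node02
# directly without a route of their own. Side effect: local hosts see every
# remote peer as 10.140.0.14 rather than its real address.
# The -C check keeps re-runs from stacking duplicate rules. The rule is not
# persistent across reboots (firewalld was disabled earlier and nothing else
# restores it), so it has to be re-applied at boot.
iptables -t nat -C POSTROUTING -s 10.170.0.0/24 -d 10.140.0.0/24 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.170.0.0/24 -d 10.140.0.0/24 -j MASQUERADE

# NOTE(review): 10.140.0.14 is node02's own private address, so a route with
# it as next hop has no obvious purpose on node02 itself; presumably this line
# is meant for the other hosts in 10.140.0.0/24 that should reach
# 10.170.0.0/24 via node02 — confirm which hosts it belongs on.
# `ip route replace` is idempotent where the legacy `route add` fails on a
# second run.
ip route replace 10.170.0.0/24 via 10.140.0.14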