CentOS配置GRE_ipsec和ipsec点对点

https://www.bhzhu203.com/2016/11/11/centos%E5%AE%89%E8%A3%85cisco-ipsec-vpn%E6%96%B9%E5%BC%8F/
http://sunweiwei.com/1948/

Point_to_Point_IPSEC配置
Cisco_Router配置
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 10.10.80.2
crypto ipsec transform-set A esp-3des esp-sha-hmac
crypto map B 10 ipsec-isakmp
set peer 10.10.80.2
set transform-set A
match address 101
interface FastEthernet0/0
ip address 10.10.80.1 255.255.255.0
crypto map B
access-list 101 permit ip 1.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255

CentOS配置
[root@R2 ~]# yum install openswan -y
[root@R2 ~]# echo 1 >/proc/sys/net/ipv4/ip_forward #开启转发（仅当前生效，重启后失效；持久化需在 /etc/sysctl.conf 中设置 net.ipv4.ip_forward = 1）
[root@R2 ~]# cat /etc/ipsec.d/ipsec.conf #自己创建（需确认 /etc/ipsec.conf 中有 include /etc/ipsec.d/*.conf，否则此文件不会被加载；示例中的 3des/md5 是为匹配上面 Cisco 配置的演示值，属弱算法）
conn cisco_Router
authby=secret
auto=start
ike=3des-md5
keyexchange=ike
phase2=esp
phase2alg=3des-sha
compress=no
pfs=yes
type=tunnel
left=10.10.80.2
leftsubnet=10.10.10.0/24
right=10.10.80.1
rightsubnet=1.1.1.0/24
[root@R2 ~]# cat /etc/ipsec.d/ipsec.secrets #自己创建key文件（需确认 /etc/ipsec.secrets 中有 include /etc/ipsec.d/*.secrets；文件权限应为 600，示例 PSK "cisco" 仅用于演示）
10.10.80.2 10.10.80.1: PSK "cisco"
[root@R2 ~]# ipsec auto --status
参考文档:https://linux.cn/article-4224-1.html

GRE_Over_IPSEC_Centos配置
Cisco_router配置
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 10.10.80.2
!
crypto ipsec transform-set A esp-3des esp-sha-hmac
mode transport
!
crypto map B 10 ipsec-isakmp
set peer 10.10.80.2
set transform-set A
match address 101
!
interface Loopback0
ip address 10.10.1.1 255.255.255.0
!
interface Tunnel1
ip address 10.10.100.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 10.10.80.2
tunnel key 12345
!
interface FastEthernet0/0
ip address 10.10.80.1 255.255.255.0
duplex auto
speed auto
crypto map B
!
access-list 101 permit ip host 10.10.80.1 host 10.10.80.2

CentOS_tunnel配置
检查是否有加载ip_gre模块
[root@m01 ~]# modprobe ip_gre #加载gre模块
[root@m01 ~]# lsmod | grep gre
ip_gre 22432 0
gre 12989 1 ip_gre
[root@m01 ~]# ip tunnel help
[root@m01 ~]# ip tunnel add tun1 mode gre remote 10.10.80.2 local 10.10.80.1 ttl 255
[root@m01 ~]# ip link set tun1 up
[root@m01 ~]# ip addr add 10.10.10.1 peer 10.10.10.2 dev tun1    #增加tunnel口地址(仅当前生效，重启后 tunnel 接口和地址都会消失，持久化配置见下面的 ifcfg-tun1)
[root@m01 ~]# ip link set tun1 down   #关闭GRE
[root@m01 ~]# ip tunnel del tun1        #删除GRE
[root@m01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-tun1      #配置永久生效的tunnel
DEVICE=tun1
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
TTL=255
PEER_OUTER_IPADDR=10.10.80.2
PEER_INNER_IPADDR=10.10.10.2     #gre tunnel address
MY_OUTER_IPADDR=10.10.80.1
MY_INNER_IPADDR=10.10.10.1         #gre tunnel address
KEY=12345      #KEY值只能是数字，且必须与 Cisco 侧 Tunnel1 的 tunnel key 12345 一致

GRE_Over_IPSEC配置
[root@R2 ~]# yum install openswan -y
[root@R2 ~]# cat /etc/ipsec.d/ipsec.conf
conn cisco_Router
authby=secret
auto=start
ike=3des-md5
keyexchange=ike
phase2=esp
phase2alg=3des-sha
compress=no
pfs=yes
type=transport
left=10.10.80.2                    #the IP address of the local IPSec
leftnexthop=10.10.80.1       #Local default gateway
leftprotoport=gre                 #restrict the SA to GRE (IP protocol 47) traffic; without it the transport-mode SA does not match the tunnel packets
right=10.10.80.1                 #the IP address of the remote IPSec
rightnexthop=10.10.80.2    #peer default gateway
rightprotoport=gre              #same restriction on the peer side; both ends must agree on GRE-only selectors
[root@R2 ~]# cat /etc/ipsec.d/ipsec.secrets
10.10.80.2 10.10.80.1: PSK "cisco"

Iptables_NAT配置
[root@R2 ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.10.10.0/24 10.10.1.0/24 to:10.10.10.2     #VPN流量不做公网 SNAT（转换为 tunnel 地址 10.10.10.2），该规则必须排在下面的通用 SNAT 规则之前
SNAT all -- 10.10.10.0/24 0.0.0.0/0 to:10.10.80.2
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Strongswan配置
https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation
https://blog.51cto.com/niubdada/5037222    # strongswan搭建ipsec VPN
https://me.jinchuang.org/archives/1249.html
https://www.cnblogs.com/wtil/p/14689393.html
Centos6 32位（rpm -ivh 直接从 http URL 安装无法校验来源，建议先下载并用 rpm -K 校验签名）:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
centos6 64位:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install epel-release
yum -y install strongswan

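# Create a CA and a CA-issued server certificate for strongSwan, then install
# them under /etc/strongswan/ipsec.d/.
# PUBLIC_IP must be the gateway's public address: it goes into the server
# certificate's SAN (and its CN below), which IKE clients match against the
# address they connect to. Override it with PUBLIC_IP=x.x.x.x before running;
# the default is the example address from the original notes.
PUBLIC_IP="${PUBLIC_IP:-192.168.48.131}"

# CA key and self-signed CA certificate (10-year lifetime).
strongswan pki --gen --outform pem > ca.key.pem
strongswan pki --self --in ca.key.pem --dn "C=CN, O=one, CN=one t CA" --ca --lifetime 3650 --outform pem > ca.cert.pem

# Server key, its public half, and the server certificate issued by the CA.
strongswan pki --gen --outform pem > server.key.pem
strongswan pki --pub --in server.key.pem --outform pem > server.pub.pem
# The server certificate gets its own subject (CN = the public IP) instead of
# repeating the CA's DN, so it is distinguishable from the CA certificate and
# its subject matches the SAN clients verify.
strongswan pki --pub --in server.key.pem \
  | strongswan pki --issue --lifetime 3601 \
      --cacert ca.cert.pem --cakey ca.key.pem \
      --dn "C=CN, O=one, CN=${PUBLIC_IP}" --san="${PUBLIC_IP}" \
      --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

# Private keys must not be readable by other users on the host.
chmod 600 ca.key.pem server.key.pem

# Copy certificates into the strongSwan configuration tree.
# NOTE(review): only ca.cert.pem is needed on the gateway to validate peers;
# ca.key.pem is copied here as in the original, but keeping the CA key off
# the gateway limits the impact of a host compromise.
cp -f ca.key.pem /etc/strongswan/ipsec.d/private/
cp -f ca.cert.pem /etc/strongswan/ipsec.d/cacerts/
cp -f server.cert.pem /etc/strongswan/ipsec.d/certs/
cp -f server.pub.pem /etc/strongswan/ipsec.d/certs/
cp -f server.key.pem /etc/strongswan/ipsec.d/private/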

DMVPN配置
ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/aevseev/CentOS_CentOS-6/x86_64/ipsec-tools-0.8.0-25.3.x86_64.rpm
ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/aevseev/CentOS_CentOS-6/i686/ipsec-tools-0.8.0-25.3.i686.rpm
https://iteachs.com/?post=12       #OpenWRT配置DMVPN
https://patrickpreuss.wordpress.com/2009/02/14/dmvpn-with-linux/
[root@R2 ~]# cat /etc/protocols | sort
[root@R2 ~]# rpm -ivh ipsec-tools-0.8.0-25.3.x86_64.rpm
[root@R2 ~]# racoon -V        #检查安装是否OK
[root@R2 ~]# wget https://sourceforge.net/projects/opennhrp/files/latest/download/opennhrp-0.14.1.tar.bz2
[root@R2 opennhrp-0.14.1]# yum -y install c-ares-devel
[root@R2 opennhrp-0.14.1]# make && make install

 
