阿里云 ubuntu16.04搭建IPSec服务
<p><span><strong>IPSec简介</strong></span></p>
<p>
IPSec(Internet Protocol Security):是一组基于网络层的,应用密码学的安全通信协议族。IPSec不是具体指哪个协议,而是一个开放的协议族。</p>
<p>
IPSec协议的设计目标:是在IPV4和IPV6环境中为网络层流量提供灵活的安全服务。</p>
<p>
IPSec VPN:是基于IPSec协议族构建的在IP层实现的安全虚拟专用网。通过在数据包中插入一个预定义头部的方式,来保障OSI上层协议数据的安全,主要用于保护TCP、UDP、ICMP和隧道的IP数据包。</p>
<p>
由于阿里云上有一些限制,在阿里云ECS上部署待见IPSec和普通服务器有不一样的地方。</p>
<p>
<strong>安装strongswan</strong></p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterplain" id="highlighter_487159">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="plain plain">apt-get update</code>
</div>
<div class="line number2 index1 alt1">
<code class="plain plain">apt-get install strongswan strongswan-plugin-xauth-generic</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<strong>编辑/etc/ipsec.secrets</strong></p>
<p>
<code>vi /etc/ipsec.secrets</code></p>
<p>
增加:</p>
<blockquote>
<p>
: PSK "test"<br>
user1 : XAUTH "user1password"</p>
</blockquote>
<p>
其中PSK是预共享密钥,是用于验证 L2TP/IPSec 连接的 Unicode 字符串。user1为用户名, user1password是密码。</p>
<p>
<strong>编辑 /etc/ipsec.conf</strong></p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterplain" id="highlighter_909342">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
<div class="line number13 index12 alt2">
13</div>
<div class="line number14 index13 alt1">
14</div>
<div class="line number15 index14 alt2">
15</div>
<div class="line number16 index15 alt1">
16</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="plain plain">config setup</code>
</div>
<div class="line number2 index1 alt1">
<code class="plain spaces"> </code><code class="plain plain">cachecrls=yes</code>
</div>
<div class="line number3 index2 alt2">
<code class="plain spaces"> </code><code class="plain plain">uniqueids=yes</code>
</div>
<div class="line number4 index3 alt1">
</div>
<div class="line number5 index4 alt2">
<code class="plain plain">conn ios</code>
</div>
<div class="line number6 index5 alt1">
<code class="plain spaces"> </code><code class="plain plain">keyexchange=ikev1</code>
</div>
<div class="line number7 index6 alt2">
<code class="plain spaces"> </code><code class="plain plain">authby=xauthpsk</code>
</div>
<div class="line number8 index7 alt1">
<code class="plain spaces"> </code><code class="plain plain">xauth=server</code>
</div>
<div class="line number9 index8 alt2">
<code class="plain spaces"> </code><code class="plain plain">left=%defaultroute</code>
</div>
<div class="line number10 index9 alt1">
<code class="plain spaces"> </code><code class="plain plain">leftsubnet=0.0.0.0/0</code>
</div>
<div class="line number11 index10 alt2">
<code class="plain spaces"> </code><code class="plain plain">leftfirewall=yes</code>
</div>
<div class="line number12 index11 alt1">
<code class="plain spaces"> </code><code class="plain plain">right=%any</code>
</div>
<div class="line number13 index12 alt2">
<code class="plain spaces"> </code><code class="plain plain">rightsubnet=192.168.0.1/16</code>
</div>
<div class="line number14 index13 alt1">
<code class="plain spaces"> </code><code class="plain plain">rightsourceip=192.168.0.1/16</code>
</div>
<div class="line number15 index14 alt2">
<code class="plain spaces"> </code><code class="plain plain">rightdns=223.5.5.5</code>
</div>
<div class="line number16 index15 alt1">
<code class="plain spaces"> </code><code class="plain plain">auto=add</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
注意使用192.168网段而不是10.0.0.1网段,10.0.0.1网段在阿里云上好像有问题(据说被禁了?)。</p>
<p>
<strong>重启 strongswan</strong></p>
<blockquote>
<p>
ipsec restart</p>
</blockquote>
<p>
修改阿里云服务器对应安全组规则</p>
<p>
增加 公网入网 UDP 500和 UDP 4500两个端口</p>
<p>
<strong>打开IPv4转发,设置NAT规则</strong></p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterplain" id="highlighter_499050">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="plain plain">sysctl net.ipv4.ip_forward=1</code>
</div>
<div class="line number2 index1 alt1">
</div>
<div class="line number3 index2 alt2">
<code class="plain plain">iptables -t nat -A POSTROUTING -s 192.168.0.1/16 -o eth1 -j MASQUERADE</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
注意是使用 eth1,而不是eth0.</p>
<p>
ECS中eth1绑定外网网卡,eth0是内网网卡。</p>
<p>
相关阅读:</p>
<p>
阿里云ubuntu16.04如何搭建pptpd服务</p>
<p>
<span><strong>总结</strong></span></p>
<p>
以上所述是小编给大家介绍的阿里云 ubuntu16.04搭建IPSec服务,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对服务器之家网站的支持!<br>
如果你觉得本文对你有帮助,欢迎转载,烦请注明出处,谢谢!</p>
<p>
原文链接:https://blog.csdn.net/fofabu2/article/details/78964126</p>
頁:
[1]