Site to Site VPN Configuration III

Configuring Libreswan

Log in to the on-premise-side instance (the one whose public IP was entered above) and install libreswan:

sudo vi /etc/yum.repos.d/fedora.repo  # paste in the following content
[fedora]
name=Fedora 36 - $basearch
#baseurl=http://download.example/pub/fedora/linux/releases/36/Everything/$basearch/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=$basearch
enabled=0
countme=1
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=https://getfedora.org/static/fedora.gpg
skip_if_unavailable=False

Run the installation:

sudo dnf --enablerepo=fedora install libreswan -y

After the installation completes, run:

cat <<EoF | sudo tee -a /etc/sysctl.conf   # append as root
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
EoF
sudo sysctl -p   # apply the new settings without a reboot

Configuring aws.conf

Download the configuration from VPN Connections.

Select the Openswan platform.

It downloads as a txt file; locate the following section and copy it:

conn Tunnel1
	authby=secret
	auto=start
	left=%defaultroute
	leftid=18.236.88.223
	right=34.223.135.144
	type=tunnel
	ikelifetime=8h
	keylife=1h
	phase2alg=aes128-sha1;modp1024
	ike=aes128-sha1;modp1024
	auth=esp
	keyingtries=%forever
	keyexchange=ike
	leftsubnet=<LOCAL NETWORK>
	rightsubnet=<REMOTE NETWORK>
	dpddelay=10
	dpdtimeout=30
	dpdaction=restart_by_peer

Create an aws.conf on the on-premise instance:

sudo touch /etc/ipsec.d/aws.conf

Make the following changes to the content above:

  • Delete the auth=esp line
  • Change the encryption algorithms: phase2alg=aes_gcm and ike=aes256-sha1
  • Set leftsubnet to the on-premise network range and rightsubnet to the AWS-side network range

conn Tunnel1
	authby=secret
	auto=start
	left=%defaultroute
	leftid=18.236.88.223
	right=34.223.135.144
	type=tunnel
	ikelifetime=8h
	keylife=1h
	phase2alg=aes_gcm
	ike=aes256-sha1
	keyingtries=%forever
	keyexchange=ike
	leftsubnet=172.31.0.0/16
	rightsubnet=10.0.0.0/16
	dpddelay=10
	dpdtimeout=30
	dpdaction=restart_by_peer

Paste the content above into /etc/ipsec.d/aws.conf.

In the downloaded txt file, locate the secrets section and copy it.

Create an aws.secrets file and paste the content above into it:

/etc/ipsec.d/aws.secrets

Start ipsec.service:

sudo systemctl start ipsec.service
sudo systemctl status ipsec.service

The VPN tunnel is established. Checking the AWS console, one tunnel likewise shows a healthy status.


Here we see that only one tunnel is Up. Why is Tunnel2 not Up? If you scroll further down in the txt file, you will see that it also contains a configuration for Tunnel2; because we only configured Tunnel1, only one tunnel is active.

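The steps above (edit the downloaded template, write aws.conf and aws.secrets, start ipsec.service) and the Tunnel2 question can be collapsed into one script. The following is an added example, not code from the original post or from AWS: it renders conn blocks for both tunnels with the post's edits applied, refuses the 1024-bit DH group (modp1024) that the downloaded template proposes, writes the secrets file so that only root can read the pre-shared keys, validates the syntax with libreswan's addconn, and restarts the service. The Tunnel1 addresses and subnets are those from the post; the Tunnel2 peer address and both pre-shared keys are placeholders that must be replaced with the values from the downloaded txt file.

```shell
#!/bin/sh
# Added example, not code from the original post: generate /etc/ipsec.d/aws.conf
# and /etc/ipsec.d/aws.secrets for both tunnels of the AWS Site-to-Site VPN,
# reject the weak algorithms of the downloaded template, install the files with
# restrictive permissions and start libreswan. Tunnel1 values are those from the
# post; the Tunnel2 peer address and both pre-shared keys are PLACEHOLDERS to be
# taken from the txt file downloaded from the AWS console.

CGW_IP="18.236.88.223"              # on-premise public IP (leftid), from the post
T1_PEER="34.223.135.144"            # AWS Tunnel1 outside IP, from the post
T2_PEER="203.0.113.2"               # PLACEHOLDER: AWS Tunnel2 outside IP
T1_PSK="REPLACE_WITH_TUNNEL1_PSK"   # PLACEHOLDER
T2_PSK="REPLACE_WITH_TUNNEL2_PSK"   # PLACEHOLDER
LEFT_SUBNET="172.31.0.0/16"         # on-premise network
RIGHT_SUBNET="10.0.0.0/16"          # AWS VPC network

# Proposal lines as the AWS Openswan template ships them (1024-bit DH group).
AWS_TEMPLATE_PROPOSALS="    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024"

# render_conn NAME LEFTID RIGHT LEFTSUBNET RIGHTSUBNET [AUTO]
# Prints one conn block with the post's edits applied: auth=esp removed,
# phase2alg=aes_gcm and ike=aes256-sha1; with no DH group named, libreswan
# fills in its own (stronger) default groups instead of modp1024.
render_conn() {
    cat <<EOF
conn $1
    authby=secret
    auto=${6:-start}
    left=%defaultroute
    leftid=$2
    right=$3
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes_gcm
    ike=aes256-sha1
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=$4
    rightsubnet=$5
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer

EOF
}

# render_secrets LEFTID RIGHT PSK -> one ipsec.secrets line: '<id> <peer>: PSK "<key>"'
render_secrets() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# check_weak_algos CONFIG_TEXT
# Returns 1 if any ike=/phase2alg=/esp= line proposes modp1024, 3DES or MD5.
check_weak_algos() {
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*(ike|phase2alg|esp)=.*(modp1024|3des|md5)'; then
        return 1
    fi
    return 0
}

# apply_config: write both files (secrets readable by root only), check the
# syntax and (re)start libreswan. Run as root after installing libreswan.
# Tunnel2 is loaded with auto=add rather than auto=start: both conns carry the
# same subnets, so bring it up by hand (ipsec auto --up Tunnel2) if Tunnel1 fails.
apply_config() {
    conf=$(render_conn Tunnel1 "$CGW_IP" "$T1_PEER" "$LEFT_SUBNET" "$RIGHT_SUBNET" start
           render_conn Tunnel2 "$CGW_IP" "$T2_PEER" "$LEFT_SUBNET" "$RIGHT_SUBNET" add)
    check_weak_algos "$conf" || { echo "weak algorithm in generated config" >&2; return 1; }
    umask 077
    printf '%s\n' "$conf" > /etc/ipsec.d/aws.conf
    {
        render_secrets "$CGW_IP" "$T1_PEER" "$T1_PSK"
        render_secrets "$CGW_IP" "$T2_PEER" "$T2_PSK"
    } > /etc/ipsec.d/aws.secrets
    chmod 600 /etc/ipsec.d/aws.secrets
    ipsec addconn --checkconfig
    systemctl restart ipsec.service
    ipsec status | grep -E '"Tunnel[12]"' | head -n 4
}

# Only touch the system when explicitly asked: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_config
fi
```

Run it with `apply` as the first argument on the on-premise instance as root; without an argument it only defines the functions, so the rendering and the algorithm check can be exercised safely first.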

Ping test

Finally, we run a ping test between the on-premise-side instance and the AWS-side instance. First, however, the route table of the AWS-side VPC (10.0.0.0/16) needs one more route:

  • 0.0.0.0/0 => VGW


Add the 0.0.0.0/0 => VGW route.

Once it is added, ping the AWS-side instance from the on-premise instance; the ping succeeds.
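A successful ping on its own does not prove that the packets went through the tunnel. The following added example (not code from the original post) adds the route described above with the AWS CLI and then, on the on-premise instance, compares libreswan's inbound ESP byte counter for the connection before and after the ping, so a reply that arrived by some other path is not mistaken for a working VPN. The route table id, VGW id and AWS-side host address are placeholders, the `ipsec trafficstatus` sample line is constructed for the self-test, and the `inBytes=`/`outBytes=` field names are assumed to be those libreswan prints.

```shell
#!/bin/sh
# Added example, not code from the original post: add the route from the post on
# the AWS side, then check from the on-premise instance that ping replies really
# came back through the IPsec tunnel by comparing libreswan's ESP byte counters
# before and after. RTB_ID, VGW_ID and AWS_HOST are PLACEHOLDERS; the
# "ipsec trafficstatus" sample at the bottom is constructed for the self-test.

RTB_ID="rtb-PLACEHOLDER"     # PLACEHOLDER: route table of the 10.0.0.0/16 VPC
VGW_ID="vgw-PLACEHOLDER"     # PLACEHOLDER: virtual private gateway attached to it
AWS_HOST="10.0.1.10"         # PLACEHOLDER: private IP of the AWS-side instance

# add_vgw_route [CIDR]: the post's 0.0.0.0/0 => VGW route (needs AWS CLI
# credentials). Passing the on-premise CIDR, 172.31.0.0/16, instead of 0.0.0.0/0
# sends only on-premise-bound traffic into the tunnel.
add_vgw_route() {
    aws ec2 create-route --route-table-id "$RTB_ID" \
        --destination-cidr-block "${1:-0.0.0.0/0}" --gateway-id "$VGW_ID"
}

# sa_bytes STATUS CONN FIELD: read inBytes or outBytes for CONN from the text of
# "ipsec trafficstatus"; prints 0 when CONN has no established SA.
sa_bytes() {
    n=$(printf '%s\n' "$1" | grep "\"$2\"" | sed -n "s/.*$3=\([0-9][0-9]*\).*/\1/p" | head -n 1)
    printf '%s\n' "${n:-0}"
}

# ping_through_tunnel CONN HOST: ping HOST and require the tunnel's inbound ESP
# counter to grow; otherwise report that the traffic bypassed the tunnel.
ping_through_tunnel() {
    before=$(sa_bytes "$(ipsec trafficstatus)" "$1" inBytes)
    ping -c 3 -W 2 "$2" >/dev/null || { echo "ping to $2 failed" >&2; return 1; }
    after=$(sa_bytes "$(ipsec trafficstatus)" "$1" inBytes)
    if [ "$after" -gt "$before" ]; then
        echo "ok: $((after - before)) bytes received through $1"
    else
        echo "ping answered but $1 counters did not move; traffic bypassed the tunnel" >&2
        return 1
    fi
}

# Constructed sample of one "ipsec trafficstatus" line (libreswan format).
SAMPLE_STATUS="006 #2: \"Tunnel1\", type=ESP, add_time=1717849883, inBytes=3528, outBytes=3528, id='34.223.135.144'"

# Only act when explicitly asked: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    add_vgw_route && ping_through_tunnel Tunnel1 "$AWS_HOST"
fi
```

The route is created from wherever the AWS CLI credentials live; the counter check has to run on the on-premise instance, where `ipsec trafficstatus` is available.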