
目标:让北京区域的一个 VPC 与宁夏区域的一个 VPC 通过 IPsec 隧道实现内网互通。

需求:

EC2准备

  • 在公有子网中创建 EC2(两个 region 各一台;公有子网属于 VPC 的知识,这里不细说)

  • 申请新的EIP,并关联在新创建的EC2上

  • 在EC2设置界面中,点击网络接口,再点击接口ID


  • 在网络接口界面,点击操作-->更改源/目标检查-->已禁用--->保存(必须关闭:否则 EC2 会丢弃源或目标不是自身 IP 的转发流量,无法为对端网段转发数据包)


路由和安全组设置(原文未展开,以下按本文配置推断,两个 region 都要做):在本 VPC 的路由表中为对端网段(如 20.0.0.0/16)添加一条指向本 region EC2 网络接口的路由;EC2 的安全组需放行来自对端 EIP 的 UDP 500(IKE)和 UDP 4500(NAT-T,对应下文的 nat_traversal/forceencaps=yes),以及来自对端内网网段的业务流量。

software setup and configuration

部署openswan
# Install Openswan from the distro repositories without prompting.
yum install -y openswan
配置openswan
cat /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
# (the bj-to-nx tunnel itself lives in /etc/ipsec.d/bj-to-nx.conf and is
# pulled in by the include at the bottom of this file).

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        # "all" enables every pluto debug class.  Handy while the tunnel is
        # first brought up, but it is very chatty and can write IKE negotiation
        # details (potentially including key material) to the log below.
        # Set it back to "none" once the tunnel works, and keep the log root-only.
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        # Both instances sit behind a 1:1 NAT (EIP -> private IP), so NAT
        # traversal (ESP in UDP/4500) is required; keepalives stop the NAT
        # mapping from expiring while the tunnel is idle.
        nat_traversal=yes
        force_keepalive=yes
        # No opportunistic encryption: only the explicitly configured conn.
        oe=off
        # Do all crypto in the main pluto process instead of helper workers;
        # this avoids "failed to find any available worker" on small instances.
        nhelpers=0

# Per-tunnel conn definitions live in /etc/ipsec.d/*.conf (see bj-to-nx.conf).
include /etc/ipsec.d/*.conf
配置ipsec连接文件
  • 注意文件格式:conn 段下的参数行必须缩进;值后面如需说明必须以 # 开头,否则会被当成值的一部分导致解析失败
  • 两个 region 的主机都要创建这个文件
  • 注意 left 和 right 地址:left 始终是本机一侧,所以两台主机上的 left/leftid/leftsubnet 与 right/rightid/rightsubnet 正好互换
cat /etc/ipsec.d/bj-to-nx.conf

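conn bj-to-nx
        # "left" is always this host.  The other region's host uses the same
        # file with the left/right values (and their id/subnet) swapped.
        left=10.0.0.1                 # this host's VPC private IP
        # The instance itself only sees its private address; the peer receives
        # our packets from the EIP, so the IKE identity must be the EIP.
        leftid=xxx.xxx.xxx.xxx        # this host's public EIP
        leftsubnet=10.0.0.0/16        # this region's VPC CIDR
        right=xxx.xxx.xxx.xxx         # peer EC2 public EIP
        rightid=xxx.xxx.xxx.xxx       # peer EC2 public EIP
        rightsubnet=20.0.0.0/16       # peer region's VPC CIDR
        # Perfect forward secrecy: give Phase 2 its own DH exchange so a
        # compromised IKE SA or PSK does not expose recorded ESP traffic.
        # Must be identical on both peers.
        pfs=yes
        # Both EIPs are NAT, so always wrap ESP in UDP/4500.
        forceencaps=yes
        authby=secret                 # PSK from /etc/ipsec.d/bj-to-nx.secrets
        auto=start
        # TODO(review): pin ike= / phase2alg= on both ends instead of relying
        # on the Openswan defaults (check supported suites with `ipsec --version`).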
配置 ipsec 密钥文件
  • AAA.AAA.AAA.AAA 本 region EC2 的外网 EIP
  • BBB.BBB.BBB.BBB 对端 region EC2 的外网 EIP
  • PSK 是 IKE 预共享密钥,两台主机上必须完全一致;应使用足够长的随机串(例如用 openssl rand -base64 32 生成),不要用示例中的简单单词,并把该文件权限设为 600
cat /etc/ipsec.d/bj-to-nx.secrets

# ipsec.secrets syntax: <local EIP> <peer EIP>: PSK "<secret>"
# AAA.AAA.AAA.AAA is this host's public EIP, BBB.BBB.BBB.BBB the peer's;
# the same secret must be configured on both hosts.
# "WULIAODESHANGDI" is only a placeholder -- use a long random secret
# (e.g. openssl rand -base64 32), never a dictionary word.
# Keep this file root-owned, mode 0600: it is as sensitive as a private key.
# NOTE(review): this file is only read if /etc/ipsec.secrets contains
# "include /etc/ipsec.d/*.secrets" (the packaged default, but verify).
AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB: PSK "WULIAODESHANGDI"

修改sysctl
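# Enable IPv4 forwarding so this host can route packets between the two VPC
# subnets (disabling the EC2 source/destination check alone is not enough).
# Append the setting only if it is not already present, then reload sysctl
# so it takes effect now as well as after a reboot.
grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' /etc/sysctl.conf \
  || printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
sysctl -p
# Confirm: should print "net.ipv4.ip_forward = 1"
sysctl net.ipv4.ip_forward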
启动服务
# Enable the SysV service at boot, then (re)start it so the new config is read.
chkconfig ipsec on
service ipsec restart

监控脚本(每次运行只检测一次,需要由 cron 等定时任务周期性地以 root 执行,因为重启 ipsec 服务需要 root 权限)
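#!/usr/bin/env bash
# IPsec watchdog: send one echo request to the peer's private address through
# the tunnel; if it goes unanswered, restart the ipsec service and log it.
# Run periodically as root (e.g. from cron) on each EC2 host.
set -euo pipefail

# Private IP of the EC2 host on the far side of the tunnel (20.0.0.0/16 is
# the peer VPC in bj-to-nx.conf).  Override with REMOTE=... in the environment.
REMOTE="${REMOTE:-20.0.0.1}"
# Keep the log out of /tmp: in a world-writable directory an unprivileged
# local user can pre-create the file (or a symlink) that root then appends to.
LOG="${LOG:-/var/log/ipsecWatchDog.log}"

# A single lost echo (3 s timeout) triggers a full restart; raise -c if that
# turns out to be too aggressive for the cross-region link.
if ! ping -c 1 -W 3 -q "$REMOTE" >/dev/null 2>&1; then
  DATE=$(date "+%F %T")
  printf '[%s] restart ipsec\n' "$DATE" >> "$LOG"
  # Capture stderr as well so a failed restart is visible in the log.
  service ipsec restart >> "$LOG" 2>&1
fi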

healthcheck(也可在任一台主机上执行 ipsec auto --status,确认 conn bj-to-nx 显示 IPsec SA established)

  • 2台EC2互ping内网IP
  • 2台EC2互ping对方网段内,EC2内网IP