IPsec over GRE: a simple tunnel configuration tutorial

To get the tunnel up by following this article, make sure the following are in place first:

  • Two VPSes with public IPs, A and B. At least one of them must have a dedicated public IP; if the other is a NAT VPS, its inside and outside port mappings must be identical. Note that GRE is IP protocol 47 and carries no port numbers at all, so a NAT VPS only works if the provider passes protocol 47 through to it. A's public IP is assumed to be 1.1.1.1 and B's 2.2.2.2.
  • Tunnel addresses: 10.0.0.1 on A's end, 10.0.0.2 on B's end.
  • Both machines run Debian 10.
  • The firewall is turned off. If you would rather keep it, allow IP protocol 47 (GRE) from the peer's public IP on the public interface; IKE (UDP 500) and ESP (IP protocol 50) travel inside the tunnel in this setup, so they only need to be allowed on the tunnel interface.

Configuring the GRE tunnel

Run the following on both A and B.

Load the ip_gre module and make it load at boot:

modprobe ip_gre
echo "ip_gre" >> /etc/modules

Set the kernel parameters. `sysctl -p` applies them immediately; the `conf.default.*` values only affect interfaces created afterwards, which is the case for tun0, so a reboot is not normally needed (set the matching `conf.all.*` keys as well if you want existing interfaces covered). Turning off ICMP redirects matters here because the host is about to forward traffic:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
sysctl -p

On A, add the following to /etc/network/interfaces (this is ifupdown's `tunnel` method; on a NAT VPS, or on a host with several public addresses, also add a `local <address>` line so the outer source address is fixed):

auto tun0
iface tun0 inet tunnel
    address 10.0.0.1
    netmask 30
    mode gre
    endpoint 2.2.2.2
    ttl 64

On B, add the matching stanza to /etc/network/interfaces, with the addresses swapped:

auto tun0
iface tun0 inet tunnel
    address 10.0.0.2
    netmask 30
    mode gre
    endpoint 1.1.1.1
    ttl 64

Run `ifup tun0` on both A and B to bring the tunnel up.

Ping B's tunnel address from A; it should already answer (note that at this point the tunnel carries everything in the clear, GRE adds no encryption or authentication of its own):

$ ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=35.1 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=33.4 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=32.9 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=34.2 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=33.8 ms
64 bytes from 10.0.0.2: icmp_seq=6 ttl=64 time=34.0 ms
64 bytes from 10.0.0.2: icmp_seq=7 ttl=64 time=33.4 ms
64 bytes from 10.0.0.2: icmp_seq=8 ttl=64 time=32.7 ms
--- 10.0.0.2 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 17ms
rtt min/avg/max/mdev = 32.691/33.682/35.081/0.734 ms
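The prerequisites above simply turn the firewall off. The following is an added example (my own, not part of the original post) of keeping a host firewall on instead: an nftables ruleset for A that admits GRE only from the peer's public address and admits IKE and ESP only on the tunnel interface. It assumes A's peer is 2.2.2.2 (set PEER_PUBLIC_IP=1.1.1.1 on B), the tunnel interface is tun0, the tunnel network is 10.0.0.0/30, and SSH listens on port 22; all of these are parameters of this script, not values from the tutorial beyond the addresses it already uses.

```shell
#!/bin/sh
# Added example, not from the original post: keep the host firewall up for a
# GRE tunnel carrying IPsec.  Prints an nft(8) ruleset; use --check to have
# nft parse it and --apply (as root) to load it.
set -eu

# Assumptions (override via environment): A's side of the tutorial.
PEER_PUBLIC_IP="${PEER_PUBLIC_IP:-2.2.2.2}"
TUNNEL_IF="${TUNNEL_IF:-tun0}"
TUNNEL_NET="${TUNNEL_NET:-10.0.0.0/30}"

# gre_ipsec_ruleset: emit the ruleset text that `nft -f -` reads.
gre_ipsec_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Management access; restrict the source further if you can.
        tcp dport 22 ct state new accept
        icmp type echo-request accept

        # Outer layer: GRE (IP protocol 47) only from the peer's public address.
        ip saddr $PEER_PUBLIC_IP ip protocol gre accept

        # Inner layer, arriving on the tunnel interface: IKE and ESP between
        # the tunnel endpoint addresses.
        iifname "$TUNNEL_IF" ip saddr $TUNNEL_NET udp dport { 500, 4500 } accept
        iifname "$TUNNEL_IF" ip saddr $TUNNEL_NET ip protocol esp accept

        # Decrypted inner packets are delivered with iif $TUNNEL_IF as well.
        # Once pluto has installed its xfrm policies the kernel already drops
        # plaintext that the policy says must arrive as ESP, so accepting the
        # tunnel net here does not let unprotected traffic through.
        iifname "$TUNNEL_IF" ip saddr $TUNNEL_NET accept
    }
    chain forward {
        # Nothing is routed through the tunnel in the tutorial; add rules
        # here if you later forward other networks across it.
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

case "${1:-}" in
    --apply) gre_ipsec_ruleset | nft -f - ;;      # load into the kernel
    --check) gre_ipsec_ruleset | nft -c -f - ;;   # syntax check only
    *)       gre_ipsec_ruleset ;;                 # just print it
esac
```

`flush ruleset` replaces whatever nftables rules the host already has, so review the output (or run `--check`) before `--apply`, and keep an out-of-band console handy the first time: the input policy is drop, and only the SSH rule keeps you connected.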

Configuring IPsec

Run the following on both A and B. `ipsec initnss` creates Libreswan's NSS database and `ipsec newhostkey` generates a fresh RSA host key for this machine, so each host ends up with its own key pair:

apt install -y libreswan
ipsec initnss
ipsec newhostkey --output /etc/ipsec.d/gre.secrets

On A, run `ipsec showhostkey --list`; the output should look like this:

< 1> RSA keyid: AwEAAafX+ ckaid: c56b701a80f1c33393fc9e3571065aaecfbcd2c7

Note the keyid and run the following, substituting your own keyid:

ipsec showhostkey --left --rsaid keyid

Copy the output somewhere for later; it should look like this. The value is A's public key, so showing it is harmless, but the peer must receive an unaltered copy (for example over SSH, and compare the keyid shown above with the start of the value): whoever can substitute this line on B can impersonate A.

leftrsasigkey=0sAwEAAafX+TYFyJpduwbS7stsG3nEWZsdYIabeH24C.......

Do the same on B, except that the parameter --left becomes --right:

ipsec showhostkey --right --rsaid keyid

Save that output as well:

rightrsasigkey=0sAwEAAenXFJ+y2sBkZQM2CMIHcWtTFdHp+.......

On A, create /etc/ipsec.d/gre.conf with the following content, where leftrsasigkey and rightrsasigkey are the two lines saved above (Debian's /etc/ipsec.conf includes /etc/ipsec.d/*.conf). Parameter lines in ipsec.conf must be indented under their section. `left` and `right` are the tunnel addresses, so IKE and ESP run inside the GRE tunnel; with no leftsubnet/rightsubnet this is a host-to-host conn that protects only traffic between 10.0.0.1 and 10.0.0.2:

config setup
    protostack=netkey

conn gre1
    left=10.0.0.1
    right=10.0.0.2
    authby=rsasig
    leftrsasigkey=0sAwEAAafX+TYFyJpduwbS7stsG3nEWZsdYIabeH2......
    rightrsasigkey=0sAwEAAenXFJ+y2sBkZQM2CMIHcWtTFdHp+mjeVDHphbVJBjaRSEc.....

The steps on B are the same, except that left/right and leftrsasigkey/rightrsasigkey are swapped, so that on each host `left` is the host itself:

config setup
    protostack=netkey

conn gre1
    left=10.0.0.2
    right=10.0.0.1
    authby=rsasig
    leftrsasigkey=0sAwEAAenXFJ+y2sBkZQM2CMIHcWtTFdHp+mjeVDHphbVJBjaRSEc.....
    rightrsasigkey=0sAwEAAafX+TYFyJpduwbS7stsG3nEWZsdYIabeH2......

Finally, run `systemctl enable ipsec && systemctl start ipsec` on both A and B to start the service. If the conn does not come up on its own, add `auto=start` to the conn section or bring it up by hand with `ipsec auto --up gre1`.

Check the log with `systemctl status ipsec` (or `journalctl -u ipsec`); output like the following means the IKE SA was established and the peer was authenticated with its RSA key:

Sep 24 18:24:56 coal pluto[1212]: "gre1" #8: initiating Main Mode to replace #7
Sep 24 18:24:56 coal pluto[1212]: "gre1" #8: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 24 18:24:56 coal pluto[1212]: "gre1" #8: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 24 18:24:56 coal pluto[1212]: "gre1" #8: Peer ID is ID_IPV4_ADDR: '10.0.0.2'
Sep 24 18:24:56 coal pluto[1212]: "gre1" #8: Authenticated using RSA
Sep 24 18:24:56 coal pluto[1212]: "gre1" #8: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Sep 24 18:36:57 coal pluto[1212]: "gre1" #7: deleting state (STATE_MAIN_I4) and sending notification

"Main Mode" shows that this negotiation used IKEv1; add `ikev2=insist` to the conn if you want to require IKEv2.

From now on, traffic between the two tunnel addresses that crosses the GRE tunnel is encrypted by IPsec. Two caveats: the conn above covers only 10.0.0.1 <-> 10.0.0.2, so packets from other networks that you later route through the tunnel (ip_forward is enabled) would still cross the GRE link in the clear unless you add leftsubnet/rightsubnet to the conn; and to confirm that it is actually working, `ipsec trafficstatus` should show byte counters for gre1, `ip xfrm state` should list ESP SAs between the two addresses, and `tcpdump -ni tun0` should show ESP packets rather than plain ICMP while you ping across.
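To make the "only the endpoint pair is covered" caveat checkable rather than a matter of trust, here is an added example of my own (not from the original post) that reads the kernel's IPsec policy database in the form `ip xfrm policy` prints and reports whether a given flow is required to be ESP. It runs against a constructed sample shaped like pluto's output for the gre1 conn (the priority and reqid numbers are placeholders), and with `--live` against the real host. The tunnel addresses 10.0.0.1/10.0.0.2 come from the tutorial; 192.168.1.0/24 is an invented example of a network someone might later route through the tunnel.

```shell
#!/bin/sh
# Added example, not from the original post: verify from the kernel SPD that
# the GRE endpoint traffic must be ESP, and show that a forwarded flow from
# another subnet is not covered by the host-to-host conn.
set -eu

LOCAL_IP="${LOCAL_IP:-10.0.0.1}"   # assumption: this is A
PEER_IP="${PEER_IP:-10.0.0.2}"

# policy_requires_esp SRC DST DIR   (reads `ip xfrm policy` text on stdin)
# Succeeds when an SPD entry for SRC->DST in direction DIR (out|in|fwd)
# carries an ESP template, i.e. the kernel refuses to send or accept that
# flow in the clear.  SRC and DST must match the printed selectors exactly
# (e.g. "10.0.0.1/32"), this does not do subnet containment.
policy_requires_esp() {
    awk -v s="$1" -v d="$2" -v dir="$3" '
        $1 == "src" && $3 == "dst" { cs = $2; cd = $4; cdir = "" }
        $1 == "dir"                { cdir = $2 }
        $1 == "proto" && $2 == "esp" && cs == s && cd == d && cdir == dir { found = 1 }
        END { exit found ? 0 : 1 }'
}

# flow_is_protected SRC DST   (reads policy text on stdin)
# Both directions must be covered: "out" for what we send, "in" for what we
# accept from the peer.
flow_is_protected() {
    spd=$(cat)
    printf '%s\n' "$spd" | policy_requires_esp "$1" "$2" out &&
    printf '%s\n' "$spd" | policy_requires_esp "$2" "$1" in
}

# Constructed sample (not captured from a real host) in the shape of
# `ip xfrm policy` after pluto brings up conn gre1 with left=10.0.0.1,
# right=10.0.0.2 and no subnets.
SAMPLE_SPD='src 10.0.0.1/32 dst 10.0.0.2/32
    dir out priority 2080 ptype main
    tmpl src 10.0.0.1 dst 10.0.0.2
        proto esp reqid 16389 mode tunnel
src 10.0.0.2/32 dst 10.0.0.1/32
    dir fwd priority 2080 ptype main
    tmpl src 10.0.0.2 dst 10.0.0.1
        proto esp reqid 16389 mode tunnel
src 10.0.0.2/32 dst 10.0.0.1/32
    dir in priority 2080 ptype main
    tmpl src 10.0.0.2 dst 10.0.0.1
        proto esp reqid 16389 mode tunnel'

if [ "${1:-}" = "--live" ]; then
    # Check this host's real SPD (run as root).
    if ip xfrm policy | flow_is_protected "$LOCAL_IP/32" "$PEER_IP/32"; then
        echo "OK: $LOCAL_IP <-> $PEER_IP requires ESP in both directions"
    else
        echo "WARNING: endpoint traffic is not covered by an ESP policy"
        exit 1
    fi
else
    printf '%s\n' "$SAMPLE_SPD" | flow_is_protected "$LOCAL_IP/32" "$PEER_IP/32" &&
        echo "sample: $LOCAL_IP <-> $PEER_IP requires ESP"
    # A network routed through the tunnel later matches no policy at all:
    printf '%s\n' "$SAMPLE_SPD" | policy_requires_esp 192.168.1.0/24 "$PEER_IP/32" out ||
        echo "sample: 192.168.1.0/24 -> $PEER_IP would cross the GRE link in the clear"
fi
```

The second check is the one worth keeping around: after adding leftsubnet/rightsubnet to the conn, rerun it with the real selectors and it should start succeeding, which is a more reliable sign than a ping that happens to work.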

Source: https://jktu.cc/IPsec_over_GRE隧道简易配置教程/
Author: udp_bbr
Published: 2020-09-24
Updated: 2020-09-24
