2018年3月20日 星期二

IPSEC VPN TO GCP Using Strongswan On Centos6 Part2

主機資訊

GCP VPN Server    35.99.99.1      //   192.168.80.1
GCP VPN Client     35.99.99.2      //   192.168.80.2

Local VPN Server   213.213.213.1   //  192.168.81.1
Local VPN Client    213.213.213.2  //   192.168.81.2





#GCP VPN Server 


1. 建立一個GCP專案"project-456"

2. 預約靜態IP給新的VM使用，並建立一台VM主機（CentOS 6）。注意：這台VM之後會被其他GCP主機當成下一跳（next hop，見「GCP VPN Client」步驟3），建立時必須啟用IP轉送（`--can-ip-forward`），否則GCP會丟棄它所轉送的封包。
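# Reserve a static external IP for the VPN server VM. Part 2 works in the
# project created in step 1 ("project-456"); the original command pointed at
# project-123, which is the Part 1 project.
gcloud compute --project=project-456 addresses create yourvpnsvrip --region=asia-east1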

3. 關閉 iptables 與 SELinux，並在 GCP 防火牆規則開放 udp 4500、udp 500、ESP、ICMP。（安全提醒：完全關閉 iptables 只是為了簡化教學；正式環境建議保留 iptables，只允許 udp/500、udp/4500 與 ESP 進入，並在 FORWARD 鏈只放行兩個內網網段之間的流量。）

4. 允許封包轉送

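# Enable IPv4 forwarding so this host can route between the two tunnel subnets.
# The grep guard keeps a re-run of this step from appending duplicate lines;
# the appended line still wins over the CentOS default "net.ipv4.ip_forward = 0"
# because sysctl -p applies the file top to bottom.
grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p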

5. 安裝Strongswan

# Install strongSwan (on CentOS 6 this package normally comes from EPEL — confirm that repo is enabled).
yum -y install strongswan

6. 編輯 /etc/strongswan/ipsec.conf

# Defaults inherited by every conn below (GCP side).
conn %default
        # IKE SA lifetime, CHILD_SA (ESP) lifetime, and how long before expiry to rekey.
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        # NOTE(review): 1 means a failed initial negotiation is not retried (e.g. peer
        # still booting); site-to-site tunnels usually set keyingtries=%forever.
        keyingtries=1
        authby=psk
        auto=start
        # On dead-peer detection keep the policy installed and renegotiate on the next packet.
        dpdaction=hold
        # NOTE(review): SHA-1 is deprecated as an integrity algorithm. Both gateways can
        # be moved together to esp=aes128-sha256-modp2048! and ike=aes128-sha256-modp2048!
        # (a DH group on the esp line adds PFS for CHILD_SA rekeys). Change both sides at once.
        esp=aes128-sha1!
        # Always UDP-encapsulate ESP (port 4500), even when no NAT is detected.
        forceencaps=yes
        ike=aes128-sha1-modp2048!
        keyexchange=ikev2
        mobike=yes


# Site-to-site tunnel: this GCP gateway (left) <-> the local gateway (right).
conn net-net
        # NOTE(review): strongSwan usually takes %any or the gateway's own address here;
        # confirm the installed version accepts the subnet form. Consider adding
        # leftid=/rightid= so the peer identity is pinned, not just its address.
        left=0.0.0.0/0
        leftsubnet=192.168.80.0/24
        # Lets the updown script add iptables rules for the tunnel subnets; only has an
        # effect if iptables is actually running (step 3 turned it off).
        leftfirewall=yes
        right=213.213.213.1
        rightsubnet=192.168.81.0/24
        auto=start


7. 新增pre share key檔案 

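# Create the secrets file and restrict it to root BEFORE the PSK is written into it.
# The original chmod targeted "ipsec.secret" (no trailing "s"), so it failed on a
# non-existent path and the real file kept the default world-readable 644 mode.
touch /etc/strongswan/ipsec.secrets
chmod 600 /etc/strongswan/ipsec.secrets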


8.編輯/etc/strongswan/ipsec.secrets

# Accept this PSK for any peer identity. For a fixed site-to-site tunnel, scoping the
# entry to the two gateway addresses is tighter, e.g.
#   35.99.99.1 213.213.213.1 : PSK "..."
# Replace "presharekey" with a long random value (e.g. openssl rand -base64 32) and use
# the same value on the peer.
%any : PSK "presharekey"

9.啟動服務

# Start the IKE daemon through the SysV init script (run "chkconfig strongswan on"
# if the tunnel should also come up at boot).
service strongswan start

10.查看log

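# Follow strongSwan's log. CentOS 6 syslog writes to /var/log/messages; the original
# path was missing the trailing "s".
tail -f /var/log/messages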


#GCP VPN Client



1. 建立一台VM主機(centos6) , 內網IP 192.168.80.2 

2. 關閉 iptables 與 SELinux（正式環境建議改為只放行需要的規則，而不是整個關閉）

3. 新增透過VPN到GCP內網的路由
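# VPC route: send 192.168.81.0/24 (the local site) to the GCP VPN server's internal
# address. Fixes the original command's typos ("-pro-456" project id, "rouute-to-81").
# The VM at 192.168.80.1 must have IP forwarding enabled (--can-ip-forward) for GCP
# to deliver packets to it as a next hop.
gcloud compute --project=project-456 routes create route-to-81 --network=test-vpc --priority=1000 --destination-range=192.168.81.0/24 --next-hop-address=192.168.80.1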




#Local VPN Server



1. 關閉 iptables 與 SELinux，並在前端防火牆開放 udp 4500、udp 500、ESP、ICMP。（安全提醒：與 GCP 端相同，正式環境建議保留 iptables，只允許 udp/500、udp/4500 與 ESP 進入，並只放行兩個內網網段之間的 FORWARD 流量。）



2. 允許封包轉送

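# Enable IPv4 forwarding so this host can route between the two tunnel subnets.
# The grep guard keeps a re-run of this step from appending duplicate lines.
grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p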

3. 安裝Strongswan

# Install strongSwan (on CentOS 6 this package normally comes from EPEL — confirm that repo is enabled).
yum -y install strongswan

4. 編輯 /etc/strongswan/ipsec.conf

# Defaults inherited by every conn below (local side). Keep these in step with the GCP
# gateway: both peers must offer a common IKE and ESP proposal.
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        # NOTE(review): 1 means a failed initial negotiation is not retried;
        # site-to-site tunnels usually set keyingtries=%forever.
        keyingtries=1
        authby=psk
        auto=start
        dpdaction=hold
        # NOTE(review): SHA-1 is deprecated as an integrity algorithm. Both gateways can
        # be moved together to esp=aes128-sha256-modp2048! and ike=aes128-sha256-modp2048!
        # (a DH group on the esp line adds PFS for CHILD_SA rekeys). Change both sides at once.
        esp=aes128-sha1!
        # Always UDP-encapsulate ESP (port 4500), even when no NAT is detected.
        forceencaps=yes
        ike=aes128-sha1-modp2048!
        keyexchange=ikev2
        mobike=yes

# Site-to-site tunnel: this local gateway (left) <-> the GCP gateway (right).
# NOTE(review): the GCP side sets leftfirewall=yes and this side does not; harmless
# while iptables is disabled, but keep them consistent if iptables is re-enabled.
conn net-net
        # NOTE(review): strongSwan usually takes %any or the gateway's own address here;
        # confirm the installed version accepts the subnet form.
        left=0.0.0.0/0
        leftsubnet=192.168.81.0/24
        right=35.99.99.1
        rightsubnet=192.168.80.0/24
        auto=start


5. 新增pre share key檔案 

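# Create the secrets file and restrict it to root BEFORE the PSK is written into it.
# The original chmod targeted "ipsec.secret" (no trailing "s"), so it failed on a
# non-existent path and the real file kept the default world-readable 644 mode.
touch /etc/strongswan/ipsec.secrets
chmod 600 /etc/strongswan/ipsec.secrets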


6.編輯/etc/strongswan/ipsec.secrets

# Accept this PSK for any peer identity. For a fixed site-to-site tunnel, scoping the
# entry to the two gateway addresses is tighter, e.g.
#   213.213.213.1 35.99.99.1 : PSK "..."
# Use a long random value (the same one configured on the GCP gateway), not the
# placeholder shown here.
%any : PSK "presharekey"

7.啟動服務

# Start the IKE daemon through the SysV init script (run "chkconfig strongswan on"
# if the tunnel should also come up at boot).
service strongswan start

8.查看log

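# Follow strongSwan's log. CentOS 6 syslog writes to /var/log/messages; the original
# path was missing the trailing "s".
tail -f /var/log/messages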



#Local VPN Client



1. 新增內網IP 192.168.81.2 

2. 關閉 iptables 與 SELinux（或保留 iptables，只放行來自 192.168.80.0/24 的流量）

3. 新增透過VPN到GCP內網的路由
# Send traffic for the GCP subnet to the local VPN gateway (192.168.81.1).
# NOTE(review): "route add" is not persistent — on CentOS 6 put the route in
# /etc/sysconfig/network-scripts/route-<iface> so it survives a reboot.
route add -net 192.168.80.0 netmask 255.255.255.0 gw 192.168.81.1




#測試

192.168.80.2 與 192.168.81.2 互相 ping 要能通

IPSEC VPN TO GCP Using Strongswan On Centos6 Part1

主機資訊

GCP Cloud VPN    35.99.99.1   
GCP VPN Client    35.99.99.2        //   192.168.100.2

Local VPN Server   213.213.213.1   //  192.168.165.1
Local VPN Client    213.213.213.2  //   192.168.165.2





#GCP Cloud VPN 


1. 建立一個GCP專案"project-123"

2. 預約靜態IP給 Cloud VPN 閘道使用
# Reserve the regional static IP the Cloud VPN gateway will listen on.
gcloud compute addresses create yourtunnelip --project=project-123 --region=asia-east1


3.建立混合式連線-VPN

# Classic (target) VPN gateway attached to the test-vpc network.
gcloud compute --project "project-123" target-vpn-gateways create "my-vpn-tunnel" --region "asia-east1" --network "test-vpc"

# Forwarding rules steer ESP, IKE (udp/500) and NAT-T (udp/4500) from the reserved IP to the gateway.
gcloud compute --project "project-123" forwarding-rules create "my-vpn-tunnel-rule-esp" --region "asia-east1" --address "yourtunnelip" --ip-protocol "ESP" --target-vpn-gateway "my-vpn-tunnel"

gcloud compute --project "project-123" forwarding-rules create "my-vpn-tunnel-rule-udp500" --region "asia-east1" --address "yourtunnelip" --ip-protocol "UDP" --port-range "500" --target-vpn-gateway "my-vpn-tunnel"

gcloud compute --project "project-123" forwarding-rules create "my-vpn-tunnel-rule-udp4500" --region "asia-east1" --address "yourtunnelip" --ip-protocol "UDP" --port-range "4500" --target-vpn-gateway "my-vpn-tunnel"

# IKEv2 tunnel to the local gateway's public address.
# SECURITY: --shared-secret is passed on the command line, so the PSK lands in shell
# history and is visible in "ps" while gcloud runs. Use a long random value (not the
# placeholder), run the command with a leading space / HISTCONTROL=ignorespace, and
# use the same value in ipsec.secrets on the local gateway.
gcloud compute --project "project-123" vpn-tunnels create "myvpn-tunnel-1" --region "asia-east1" --peer-address "213.213.213.1" --shared-secret "presharekey" --ike-version "2" --target-vpn-gateway "my-vpn-tunnel"

# This step adds the route that sends the local site's subnet through the VPN tunnel
# (GCP-side counterpart of the "route add" on the local client).
gcloud compute --project "project-123" routes create "myvpn-tunnel-1-route-1" --network "test-vpc" --next-hop-vpn-tunnel "myvpn-tunnel-1" --next-hop-vpn-tunnel-region "asia-east1" --destination-range "192.168.165.0/24"


#GCP VPN Client


關閉 iptables 與 SELinux（正式環境建議改為只放行需要的規則，而不是整個關閉）



#Local VPN Server



1. 關閉 iptables 與 SELinux，並在前端防火牆開放 udp 4500、udp 500、ESP、ICMP。（安全提醒：正式環境建議保留 iptables，只允許來自 Cloud VPN IP 的 udp/500、udp/4500 與 ESP 進入，並只放行兩個內網網段之間的 FORWARD 流量。）



2. 允許封包轉送

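# Enable IPv4 forwarding so this host can route between the two tunnel subnets.
# The grep guard keeps a re-run of this step from appending duplicate lines.
grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p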

3. 安裝Strongswan

# Install strongSwan (on CentOS 6 this package normally comes from EPEL — confirm that repo is enabled).
yum -y install strongswan

4. 編輯 /etc/strongswan/ipsec.conf

# Site-to-site tunnel from the local gateway (left) to GCP Cloud VPN (right).
conn gcp-to-lab
        authby=psk
        auto=start
        # On dead-peer detection keep the policy installed and renegotiate on the next packet.
        dpdaction=hold
        # Proposals offered to Cloud VPN. The DH group on the esp line enables PFS for
        # CHILD_SA rekeys. NOTE(review): the sha1 variants are listed first; dropping
        # them leaves only SHA-2 proposals — confirm the Cloud VPN side accepts that.
        ike = aes256-sha1-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048!
        esp = aes256-sha1-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048!
        # Always UDP-encapsulate ESP (port 4500), even when no NAT is detected.
        forceencaps=yes
        keyexchange=ikev2
        mobike=no
        type=tunnel
        # Bind to any local address but identify as the public IP Cloud VPN expects.
        left=%any
        leftid=213.213.213.1
        leftsubnet=192.168.165.0/24
        leftauth=psk
        leftikeport=4500
        right=35.99.99.1
        rightsubnet=192.168.100.0/24
        rightauth=psk
       rightikeport=4500

5. 新增pre share key檔案 

# Create the secrets file empty and lock it to root before the PSK is written into it.
touch -- /etc/strongswan/ipsec.secrets
chmod 0600 -- /etc/strongswan/ipsec.secrets


6.編輯/etc/strongswan/ipsec.secrets

# Accept this PSK for any peer identity. For a fixed site-to-site tunnel, scoping the
# entry to the two gateway addresses is tighter, e.g.
#   213.213.213.1 35.99.99.1 : PSK "..."
# The value must match the --shared-secret given to "gcloud compute vpn-tunnels create";
# use a long random string, not the placeholder shown here.
%any : PSK "presharekey"

7.啟動服務

# Start the IKE daemon through the SysV init script (run "chkconfig strongswan on"
# if the tunnel should also come up at boot).
service strongswan start

8.查看log

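# Follow strongSwan's log. CentOS 6 syslog writes to /var/log/messages; the original
# path was missing the trailing "s".
tail -f /var/log/messages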



#Local VPN Client



1. 新增內網IP 192.168.165.2 

2. 關閉 iptables 與 SELinux（或保留 iptables，只放行來自 192.168.100.0/24 的流量）

3. 新增透過VPN到GCP內網的路由
# Send traffic for the GCP subnet to the local VPN gateway (192.168.165.1).
# NOTE(review): "route add" is not persistent — on CentOS 6 put the route in
# /etc/sysconfig/network-scripts/route-<iface> so it survives a reboot.
route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.165.1




#測試

192.168.100.2  互相ping 192.168.165.2  要能通