Tuesday, March 20, 2018

IPSEC VPN TO GCP Using Strongswan On Centos6 Part1

Host information

GCP Cloud VPN       35.99.99.1
GCP VPN Client      35.99.99.2       //   192.168.100.2

Local VPN Server    213.213.213.1    //   192.168.165.1
Local VPN Client    213.213.213.2    //   192.168.165.2

#GCP Cloud VPN 


1. Create a GCP project "project-123"

2. Reserve a static IP for the Cloud VPN gateway
gcloud compute --project=project-123 addresses create yourtunnelip --region=asia-east1


3. Create the hybrid connectivity - VPN

gcloud compute --project "project-123" target-vpn-gateways create "my-vpn-tunnel" --region "asia-east1" --network "test-vpc"

gcloud compute --project "project-123" forwarding-rules create "my-vpn-tunnel-rule-esp" --region "asia-east1" --address "yourtunnelip" --ip-protocol "ESP" --target-vpn-gateway "my-vpn-tunnel"

gcloud compute --project "project-123" forwarding-rules create "my-vpn-tunnel-rule-udp500" --region "asia-east1" --address "yourtunnelip" --ip-protocol "UDP" --port-range "500" --target-vpn-gateway "my-vpn-tunnel"

gcloud compute --project "project-123" forwarding-rules create "my-vpn-tunnel-rule-udp4500" --region "asia-east1" --address "yourtunnelip" --ip-protocol "UDP" --port-range "4500" --target-vpn-gateway "my-vpn-tunnel"

gcloud compute --project "project-123" vpn-tunnels create "myvpn-tunnel-1" --region "asia-east1" --peer-address "213.213.213.1" --shared-secret "presharekey" --ike-version "2" --target-vpn-gateway "my-vpn-tunnel"

# This step adds the route that reaches the local server's internal network through the VPN tunnel
gcloud compute --project "project-123" routes create "myvpn-tunnel-1-route-1" --network "test-vpc" --next-hop-vpn-tunnel "myvpn-tunnel-1" --next-hop-vpn-tunnel-region "asia-east1" --destination-range "192.168.165.0/24"


#GCP VPN Client


Disable iptables and SELinux



#Local VPN Server



1. Disable iptables and SELinux, and open the firewall for UDP 4500, UDP 500, ESP and ICMP



2. Allow packet forwarding

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p 

3. Install strongSwan

yum install strongswan -y

4. Edit /etc/strongswan/ipsec.conf

conn gcp-to-lab
        authby=psk
        auto=start
        dpdaction=hold
        ike=aes256-sha1-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048!
        esp=aes256-sha1-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048!
        forceencaps=yes
        keyexchange=ikev2
        mobike=no
        type=tunnel
        left=%any
        leftid=213.213.213.1
        leftsubnet=192.168.165.0/24
        leftauth=psk
        leftikeport=4500
        right=35.99.99.1
        rightsubnet=192.168.100.0/24
        rightauth=psk
        rightikeport=4500

5. Create the pre-shared key file

touch /etc/strongswan/ipsec.secrets
chmod 600 /etc/strongswan/ipsec.secrets


6. Edit /etc/strongswan/ipsec.secrets

%any : PSK "presharekey"

7. Start the service

/etc/init.d/strongswan start

8. Watch the log

tail -f /var/log/messages



#Local VPN Client



1. Add the internal IP 192.168.165.2

2. Disable iptables and SELinux

3. Add the route to the GCP internal network through the VPN
route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.165.1




#Test

192.168.100.2 and 192.168.165.2 must be able to ping each other
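Before the ping test, a consistency check is worth running: a tunnel whose two ends disagree on IKE version, peer addresses or traffic selectors will either fail to negotiate or come up and carry no traffic. The script below is an added example, not part of the original post; it parses the conn block from step 4 (a constructed, shortened copy is embedded) and compares it with the values passed to gcloud in the earlier steps. The GCP_TUNNEL dictionary and the PAIRS table are assumptions introduced here for the comparison.

```python
import ipaddress
# Constructed copy of the conn block from step 4 of the post (proposal list shortened).
IPSEC_CONF = """
conn gcp-to-lab
        ike = aes256-sha1-modp2048,aes256-sha256-modp2048!
        keyexchange=ikev2
        leftid=213.213.213.1
        leftsubnet=192.168.165.0/24
        right=35.99.99.1
        rightsubnet=192.168.100.0/24
"""
# The GCP side, taken from the gcloud arguments in the post.
GCP_TUNNEL = {
    "gateway_address": "35.99.99.1",          # the reserved static IP
    "peer_address": "213.213.213.1",          # --peer-address
    "ike_version": "2",                       # --ike-version
    "route_destination": "192.168.165.0/24",  # --destination-range
    "gcp_subnet": "192.168.100.0/24",         # subnet of the GCP VPN client
}
# (strongSwan setting, GCP parameter): the two ends must agree on each pair.
PAIRS = [("right", "gateway_address"), ("leftid", "peer_address"),
         ("leftsubnet", "route_destination"), ("rightsubnet", "gcp_subnet")]

def parse_conn(text, name):
    """Return the settings of one conn section; spaces around '=' are tolerated."""
    settings, in_conn = {}, False
    for line in text.splitlines():
        if line.startswith("conn "):
            in_conn = line.split()[1] == name
        elif in_conn and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def normalize(value):
    """Canonical form of an address or CIDR; missing or malformed input becomes None."""
    try:
        return str(ipaddress.ip_network(value))
    except (TypeError, ValueError):
        return None

def check_tunnel(conn, gcp):
    """Return the mismatches between the two ends; an empty list means they agree."""
    problems = []
    if conn.get("keyexchange") != "ikev" + gcp["ike_version"]:
        problems.append("keyexchange= disagrees with --ike-version")
    for setting, param in PAIRS:
        if normalize(conn.get(setting)) != normalize(gcp[param]):
            problems.append(f"{setting}= does not match GCP {param}")
    return problems
```

Run it against the real /etc/strongswan/ipsec.conf by reading the file into parse_conn; any line it prints names the setting to fix on one of the two ends.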

