主機資訊
GCP VPN Server 35.99.99.1 // 192.168.80.1
GCP VPN Client 35.99.99.2 // 192.168.80.2
Local VPN Server 213.213.213.1 // 192.168.81.1
Local VPN Client 213.213.213.2 // 192.168.81.2
#GCP VPN Server
1. 建立一個GCP專案"project-456"
2.預約靜態IP給新的VM使用.並建立一台VM主機(centos6)
gcloud compute --project=project-123 addresses create yourvpnsvrip --region=asia-east1
touch /etc/strongswan/ipsec.secrets
3. 關閉iptables , Seliunx ,開放防火牆 udp 4500 , udp 500 , esp , icmp
4. 允許封包轉送
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
4. 允許封包轉送
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
5. 安裝Strongswan
yum install strongswan -y
6. 編輯 /etc/strongswan/ipsec.conf
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=psk
auto=start
dpdaction=hold
esp=aes128-sha1!
forceencaps=yes
ike=aes128-sha1-modp2048!
keyexchange=ikev2
mobike=yes
conn net-net
left=0.0.0.0/0
leftsubnet=192.168.80.0/24
leftfirewall=yes
right=213.213.213.1
rightsubnet=192.168.81.0/24
auto=start
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=psk
auto=start
dpdaction=hold
esp=aes128-sha1!
forceencaps=yes
ike=aes128-sha1-modp2048!
keyexchange=ikev2
mobike=yes
conn net-net
left=0.0.0.0/0
leftsubnet=192.168.80.0/24
leftfirewall=yes
right=213.213.213.1
rightsubnet=192.168.81.0/24
auto=start
7. 新增pre share key檔案
touch /etc/strongswan/ipsec.secrets
chmod 600 /etc/strongswan/ipsec.secret
8.編輯/etc/strongswan/ipsec.secrets
%any : PSK "presharekey"
9.啟動服務
/etc/init.d/strongswan start
10.查看log
tail -f /var/log/message
#GCP VPN Client
1. 建立一台VM主機(centos6) , 內網IP 192.168.80.2
2. 關閉iptables , Seliunx
3. 新增透過VPN到GCP內網的路由
gcloud compute --project=-pro-456 routes create rouute-to-81 --network=test-vpc --priority=1000 --destination-range=192.168.81.0/24 --next-hop-address=192.168.80.1
#Local VPN Server
1. 關閉iptables , Seliunx ,開放防火牆 udp 4500 , udp 500 , esp , icmp
2. 允許封包轉送
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
3. 安裝Strongswan
yum install strongswan -y
4. 編輯 /etc/strongswan/ipsec.conf
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=psk
auto=start
dpdaction=hold
esp=aes128-sha1!
forceencaps=yes
ike=aes128-sha1-modp2048!
keyexchange=ikev2
mobike=yes
conn net-net
left=0.0.0.0/0
leftsubnet=192.168.81.0/24
right=35.99.99.1
rightsubnet=192.168.80.0/24
auto=start
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=psk
auto=start
dpdaction=hold
esp=aes128-sha1!
forceencaps=yes
ike=aes128-sha1-modp2048!
keyexchange=ikev2
mobike=yes
conn net-net
left=0.0.0.0/0
leftsubnet=192.168.81.0/24
right=35.99.99.1
rightsubnet=192.168.80.0/24
auto=start
5. 新增pre share key檔案
touch /etc/strongswan/ipsec.secrets
chmod 600 /etc/strongswan/ipsec.secret
6.編輯/etc/strongswan/ipsec.secrets
%any : PSK "presharekey"
7.啟動服務
/etc/init.d/strongswan start
8.查看log
tail -f /var/log/message
#Local VPN Client
1. 新增內網IP 192.168.81.2
2. 關閉iptables , Seliunx
3. 新增透過VPN到GCP內網的路由
route add -net 192.168.80.0 netmask 255.255.255.0 gw 192.168.81.1
#測試
192.168.80.2 互相ping 192.168.80.2 要能通
沒有留言:
張貼留言