This lab builds an IPsec configuration using the "source tunnel from loopbacks" approach: the GRE tunnel is sourced from a loopback address on each router, and the IPsec policy protects the loopback-to-loopback traffic. The lab environment and configuration files are as follows.
1. Lab environment
Server (public IP: 1.1.1.1)
vyos@vyos-server:~$ show version
Version:          VyOS 1.3.2
Release train:    equuleus
Built by:         naa0yama@aoya6i.com
Built on:         Sat 10 Dec 2022 20:07 UTC
Build UUID:       053cdd05-063f-4016-918b-c2718890fb23
Build commit ID:  be55c073a51b0d
Architecture:     x86_64
Boot via:         installed image
System type:      bare metal
Hardware vendor:  To be filled by O.E.M.
Hardware model:   To be filled by O.E.M.
Hardware S/N:     To be filled by O.E.M.
Hardware UUID:    03000200-0400-0500-0006-000700080009
Copyright:        VyOS maintainers and contributors
Client (public IP: 2.2.2.2)
vyos@vyos-client:/$ show version
Version:          VyOS 1.3.0-epa2
Release train:    equuleus
Built by:         Sentrium S.L.
Built on:         Sun 17 Oct 2021 17:35 UTC
Build UUID:       2a282866-08cf-40fc-82a1-29ac261d3fb4
Build commit ID:  defac161082bc3-dirty
Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Hardware vendor:  Tencent Cloud
Hardware model:   CVM
Hardware S/N:     22c867e7-87d5-414b-b2ee-c52333135825
Hardware UUID:    22c867e7-87d5-414b-b2ee-c52333135825
Copyright:        VyOS maintainers and contributors
2. P2P mode configuration
Server configuration
# =============================================================
# Phase 2 (ESP - Encapsulating Security Payload) configuration
# Defines the parameters of the IPsec data tunnel
# =============================================================
# Create an ESP group named office-srv-esp
# Disable data compression to save CPU
set vpn ipsec esp-group office-srv-esp compression 'disable'
# Set the Phase 2 tunnel lifetime to 1800 seconds (30 minutes)
set vpn ipsec esp-group office-srv-esp lifetime '1800'
# Set the IPsec mode to tunnel mode, used to protect traffic between two networks
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
# Enable PFS (Perfect Forward Secrecy): a fresh key is generated every time the data tunnel is rebuilt
set vpn ipsec esp-group office-srv-esp pfs 'enable'
# Proposal 1: data encryption algorithm AES-256
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# Proposal 1: data integrity algorithm SHA1
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
# =============================================================
# Phase 1 (IKE - Internet Key Exchange) configuration
# Defines the parameters of the IPsec management tunnel that negotiates and manages the data tunnel
# =============================================================
# Create an IKE group named office-srv-ike
# Disable IKEv2 re-authentication
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
# Use the IKEv1 protocol for key exchange
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
# Set the Phase 1 tunnel lifetime to 3600 seconds (1 hour)
set vpn ipsec ike-group office-srv-ike lifetime '3600'
# Proposal 1: encryption algorithm for the key negotiation is AES-256
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
# Proposal 1: hash algorithm for the key negotiation is SHA1
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
# =============================================================
# IPsec interface binding
# =============================================================
# Bind the IPsec VPN to VLAN 60 on physical interface eth3; VPN traffic leaves through this interface
set vpn ipsec ipsec-interfaces interface 'eth3.60'
# =============================================================
# Site-to-Site peer configuration
# =============================================================
# Define the peer router's public IP address as 2.2.2.2
# Set the local ID to 1.1.1.1, used to identify this side to the peer
set vpn ipsec site-to-site peer 2.2.2.2 authentication id '1.1.1.1'
# Authentication mode: pre-shared key
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
# Set the pre-shared key; it must be identical to the peer's
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'SomePreSharedKey'
# Set the peer ID we expect to receive to 2.2.2.2
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id '2.2.2.2'
# Connection type "initiate": this side actively tries to bring up the VPN connection
set vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
# Reference the ESP group defined above (Phase 2 parameters)
set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group 'office-srv-esp'
# Reference the IKE group defined above (Phase 1 parameters)
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'office-srv-ike'
# Source IP address this side uses for the VPN connection
set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
# Define the traffic the IPsec tunnel protects (the "interesting traffic")
# Local source prefix 192.168.99.1/32 (this side's loopback address)
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix '192.168.99.1/32'
# Remote destination prefix 192.168.99.2/32 (the peer's loopback address)
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix '192.168.99.2/32'
# =============================================================
# Interface configuration (loopback and GRE tunnel)
# =============================================================
# Create loopback interface lo and give it a stable IP address
# This address is the GRE tunnel source and is protected by the IPsec tunnel
set interfaces loopback lo address 192.168.99.1/32
# Create a tunnel interface named tun1 with GRE encapsulation
set interfaces tunnel tun1 encapsulation gre
# Assign the local GRE tunnel address 10.10.10.1/30
set interfaces tunnel tun1 address 10.10.10.1/30
# GRE packet source address: this side's loopback IP
set interfaces tunnel tun1 source-address 192.168.99.1
# GRE packet destination address: the peer's loopback IP
set interfaces tunnel tun1 remote 192.168.99.2
# =============================================================
# Static route configuration
# =============================================================
# Static route telling the router how to reach the peer's public IP; the next hop is the local gateway
set protocols static route 2.2.2.2/32 next-hop 118.113.105.1
# [Note] The route below may be problematic: it points the peer's loopback IP at a public next hop.
# Normally, traffic to the peer's GRE address (10.10.10.2) should be routed via the tun1 interface.
# The OS usually handles traffic to 192.168.99.2 automatically according to the IPsec policy.
set protocols static route 192.168.99.2/32 next-hop 110.184.175.1
Client configuration
# =============================================================
# "david" router configuration
# =============================================================
# =============================================================
# Interface configuration (loopback and GRE tunnel)
# =============================================================
# Create loopback interface lo and assign the IP address used for the GRE tunnel
set interfaces loopback lo address '192.168.99.2/32'
# Create GRE tunnel interface tun1
# Assign the local GRE tunnel address 10.10.10.2/30
set interfaces tunnel tun1 address '10.10.10.2/30'
# Encapsulation type: GRE
set interfaces tunnel tun1 encapsulation 'gre'
# GRE packet destination address: the peer's loopback IP
set interfaces tunnel tun1 remote '192.168.99.1'
# GRE packet source address: this side's loopback IP
set interfaces tunnel tun1 source-address '192.168.99.2'
# =============================================================
# Phase 2 (ESP) configuration
# (parameters identical to router 1 to ensure compatibility)
# =============================================================
set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
# =============================================================
# Phase 1 (IKE) configuration
# (parameters identical to router 1 to ensure compatibility)
# =============================================================
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
# =============================================================
# IPsec interface binding
# =============================================================
# Bind the IPsec VPN to physical interface eth0 (usually the WAN port)
set vpn ipsec ipsec-interfaces interface 'eth0'
# =============================================================
# Site-to-Site peer configuration
# =============================================================
# Define the peer router's public IP address as 1.1.1.1
# Set the local ID to 2.2.2.2, used to identify this side to the peer
set vpn ipsec site-to-site peer 1.1.1.1 authentication id '2.2.2.2'
# Authentication mode: pre-shared key
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
# Set the pre-shared key (must match the peer)
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'SomePreSharedKey'
# Set the peer ID we expect to receive to 1.1.1.1
set vpn ipsec site-to-site peer 1.1.1.1 authentication remote-id '1.1.1.1'
# Connection type "initiate"; with both sides set to initiate, either side can reconnect after a drop
set vpn ipsec site-to-site peer 1.1.1.1 connection-type 'initiate'
# Reference the ESP group defined above (Phase 2)
set vpn ipsec site-to-site peer 1.1.1.1 default-esp-group 'office-srv-esp'
# Reference the IKE group defined above (Phase 1)
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike'
# Set the local source address to 'any'; the router picks the egress IP itself, suitable when the IP is not fixed
set vpn ipsec site-to-site peer 1.1.1.1 local-address 'any'
# Define the traffic the IPsec tunnel protects (the reverse of router 1's definition)
# Local source prefix
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix '192.168.99.2/32'
# Remote destination prefix
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix '192.168.99.1/32'
# This router has no static routes configured, which usually means it has a default route to the Internet;
# that is enough for it to reach the peer's public IP 1.1.1.1.
3. Server-Client mode configuration
Server configuration
# =============================================================
# Phase 2 (ESP - Encapsulating Security Payload) configuration
# =============================================================
# Disable data compression
set vpn ipsec esp-group office-srv-esp compression 'disable'
# Phase 2 tunnel lifetime: 1800 seconds (30 minutes)
set vpn ipsec esp-group office-srv-esp lifetime '1800'
# IPsec mode: tunnel mode
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
# Enable PFS (Perfect Forward Secrecy)
set vpn ipsec esp-group office-srv-esp pfs 'enable'
# Proposal 1: data encryption algorithm AES-256
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# Proposal 1: data integrity algorithm SHA1
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
# =============================================================
# Phase 1 (IKE - Internet Key Exchange) configuration
# =============================================================
# Disable IKEv2 re-authentication
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
# Use the IKEv1 protocol
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
# Phase 1 tunnel lifetime: 3600 seconds (1 hour)
set vpn ipsec ike-group office-srv-ike lifetime '3600'
# Proposal 1: key negotiation encryption AES-256
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
# Proposal 1: key negotiation hash SHA1
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
# =============================================================
# IPsec interface binding
# =============================================================
# Bind IPsec traffic to the vlan60 interface
set vpn ipsec ipsec-interfaces interface 'eth3.60'
# =============================================================
# Site-to-Site peer configuration
# =============================================================
# Define a peer using the special identifier '@RIGHT', meaning connection requests from any IP address are accepted
# This is normally used when the peer has a dynamic IP address
set vpn ipsec site-to-site peer @RIGHT authentication mode 'pre-shared-secret'
# Set the pre-shared key used for authentication
set vpn ipsec site-to-site peer @RIGHT authentication pre-shared-secret 'SomePreSharedKey'
# Connection type "respond": this router only answers connection requests and never initiates
set vpn ipsec site-to-site peer @RIGHT connection-type 'respond'
# Reference the Phase 2 (ESP) parameters
set vpn ipsec site-to-site peer @RIGHT default-esp-group 'office-srv-esp'
# Reference the Phase 1 (IKE) parameters
set vpn ipsec site-to-site peer @RIGHT ike-group 'office-srv-ike'
# Source public IP address this side uses for the VPN connection
set vpn ipsec site-to-site peer @RIGHT local-address '1.1.1.1'
# Define the traffic IPsec protects: from this side's loopback to the peer's loopback
set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix '192.168.99.1/32'
set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix '192.168.99.2/32'
# =============================================================
# Interface configuration (loopback and GRE tunnel)
# =============================================================
# Create loopback interface lo and give it a stable IP address as the GRE tunnel endpoint
set interfaces loopback lo address 192.168.99.1/32
# Create GRE tunnel tun1
set interfaces tunnel tun1 encapsulation gre
# Assign the local GRE tunnel IP
set interfaces tunnel tun1 address 10.10.10.1/30
# GRE packet source IP: this side's loopback
set interfaces tunnel tun1 source-address 192.168.99.1
# GRE packet destination IP: the peer's loopback
set interfaces tunnel tun1 remote 192.168.99.2
# =============================================================
# Static route configuration
# =============================================================
# [Note] This static route points at a fixed peer public IP, which contradicts the dynamic '@RIGHT' configuration above.
# If the peer IP is fixed, it is better to specify the IP address directly in the peer definition instead of '@RIGHT'.
set protocols static route 2.2.2.2/32 next-hop 118.113.105.1
# [Note] This route may likewise be problematic: it points the peer's internal address at the public gateway.
# Normally the system handles traffic to 192.168.99.2 automatically according to the IPsec policy.
set protocols static route 192.168.99.2/32 next-hop 110.184.175.1
Client configuration
# =============================================================
# "david" router configuration
# =============================================================
# =============================================================
# Interface configuration (loopback and GRE tunnel)
# =============================================================
# Create loopback interface lo
set interfaces loopback lo address '192.168.99.2/32'
# Create GRE tunnel tun1
set interfaces tunnel tun1 address '10.10.10.2/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 remote '192.168.99.1'
set interfaces tunnel tun1 source-address '192.168.99.2'
# =============================================================
# Phase 2 (ESP) and Phase 1 (IKE) configuration
# (parameters must be identical to the responder's)
# =============================================================
set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
# =============================================================
# IPsec interface binding
# =============================================================
# Bind IPsec traffic to the eth0 interface
set vpn ipsec ipsec-interfaces interface 'eth0'
# =============================================================
# Site-to-Site peer configuration
# =============================================================
# Define the peer's public IP address; the local ID presented to the responder is '@RIGHT'
set vpn ipsec site-to-site peer 1.1.1.1 authentication id '@RIGHT'
# Set the authentication mode
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
# Set the pre-shared key (must match the responder)
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'SomePreSharedKey'
# Connection type "initiate": this router actively establishes the connection
set vpn ipsec site-to-site peer 1.1.1.1 connection-type 'initiate'
# Reference the Phase 2 (ESP) parameters
set vpn ipsec site-to-site peer 1.1.1.1 default-esp-group 'office-srv-esp'
# Reference the Phase 1 (IKE) parameters
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike'
# Set the local source address to 'any'; the router picks the egress IP itself, which suits a dynamic public IP
set vpn ipsec site-to-site peer 1.1.1.1 local-address 'any'
# Define the traffic IPsec protects (the reverse of the responder's definition)
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix '192.168.99.2/32'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix '192.168.99.1/32'
# This router has no static routes configured because it has a default route and can reach the peer's public IP
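Both the P2P and the Server-Client configurations above only work if the two routers agree on everything IKE and ESP negotiate: the pre-shared key, every proposal and lifetime in the ike-group and esp-group, traffic selectors that mirror each other (one side's local prefix is the other side's remote prefix), at least one initiator, and identities that line up (in Server-Client mode the responder names the peer '@RIGHT' and the client presents '@RIGHT' as its id). The following script is an added example, not part of the original post or of VyOS: it parses `set` lines from both routers and reports those mismatches before anything is committed. The config lines it checks are a constructed subset of the page's configurations, generated from one template so that a deliberately broken variant (client proposing sha256 for ESP) can be compared against the same server config.

```python
"""Cross-check two VyOS 1.3 IPsec site-to-site configs for mismatches that stop
Phase 1 / Phase 2 from negotiating. Added example, not the post's own code; the
config lines are a constructed subset of the page's configurations."""
import shlex

PEER_PATH = ("vpn", "ipsec", "site-to-site", "peer")


def parse_set_lines(text):
    """Map each `set a b c 'value'` line to {(a, b, c): 'value'}; comments and blank
    lines are skipped. Every line in the page's configs ends in a value, so the last
    token is always taken as the value."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the quotes around 'aes256', '@RIGHT', ...
        if len(tokens) < 3 or tokens[0] != "set":
            raise ValueError(f"not a VyOS set line: {line}")
        cfg[tuple(tokens[1:-1])] = tokens[-1]
    return cfg


def subtree(cfg, prefix):
    """Entries below `prefix`, re-keyed relative to it."""
    n = len(prefix)
    return {path[n:]: v for path, v in cfg.items() if path[:n] == prefix}


def single_peer(cfg):
    """(peer_name, entries) for the one site-to-site peer each of the page's routers defines."""
    names = {path[4] for path in cfg if len(path) > 4 and path[:4] == PEER_PATH}
    if len(names) != 1:
        raise ValueError(f"expected exactly one peer, found {sorted(names)}")
    name = names.pop()
    return name, subtree(cfg, PEER_PATH + (name,))


def check_pair(left_text, right_text):
    """Return human-readable mismatches between the two sides; [] means they agree."""
    problems = []
    cfg_a, cfg_b = parse_set_lines(left_text), parse_set_lines(right_text)
    (name_a, a), (name_b, b) = single_peer(cfg_a), single_peer(cfg_b)
    # 1. The pre-shared secret must be identical on both sides.
    if a.get(("authentication", "pre-shared-secret")) != b.get(("authentication", "pre-shared-secret")):
        problems.append("pre-shared-secret differs")
    # 2. Phase 1 (ike-group) and Phase 2 (esp-group) parameters must match key by key.
    for kind, ref in (("ike-group", ("ike-group",)), ("esp-group", ("default-esp-group",))):
        ga = subtree(cfg_a, ("vpn", "ipsec", kind, a[ref]))
        gb = subtree(cfg_b, ("vpn", "ipsec", kind, b[ref]))
        for key in sorted(set(ga) | set(gb)):
            if ga.get(key) != gb.get(key):
                problems.append(f"{kind} {'/'.join(key)}: {ga.get(key)} vs {gb.get(key)}")
    # 3. Traffic selectors must mirror: my local prefix is the peer's remote prefix.
    for tun in sorted({k[1] for k in list(a) + list(b) if k[0] == "tunnel"}):
        la, ra = a.get(("tunnel", tun, "local", "prefix")), a.get(("tunnel", tun, "remote", "prefix"))
        lb, rb = b.get(("tunnel", tun, "local", "prefix")), b.get(("tunnel", tun, "remote", "prefix"))
        if la != rb or ra != lb:
            problems.append(f"tunnel {tun} prefixes not mirrored: {la}->{ra} vs {lb}->{rb}")
    # 4. Someone has to initiate, or the SA is never brought up.
    if "initiate" not in {a.get(("connection-type",)), b.get(("connection-type",))}:
        problems.append("neither side has connection-type initiate")
    # 5. The identity one side expects (remote-id, else the peer name) must be the id the
    #    other side presents, whenever that side sets one explicitly.
    for (mine, my_name), other in (((a, name_a), b), ((b, name_b), a)):
        expected = mine.get(("authentication", "remote-id"), my_name)
        presented = other.get(("authentication", "id"))
        if presented is not None and presented != expected:
            problems.append(f"identity mismatch: {my_name} expects {expected}, peer presents {presented}")
    return problems


def sample_config(peer, my_id, remote_id, local_prefix, remote_prefix, conn_type, esp_hash="sha1"):
    """Constructed subset of the page's configs, parameterised so all variants share one template."""
    p = f"set vpn ipsec site-to-site peer {peer}"
    lines = [
        "set vpn ipsec esp-group office-srv-esp pfs 'enable'",
        "set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'",
        f"set vpn ipsec esp-group office-srv-esp proposal 1 hash '{esp_hash}'",
        "set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'",
        "set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'",
        "set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'",
        f"{p} authentication mode 'pre-shared-secret'",
        f"{p} authentication pre-shared-secret 'SomePreSharedKey'",
        f"{p} connection-type '{conn_type}'",
        f"{p} default-esp-group 'office-srv-esp'",
        f"{p} ike-group 'office-srv-ike'",
        f"{p} tunnel 1 local prefix '{local_prefix}'",
        f"{p} tunnel 1 remote prefix '{remote_prefix}'",
    ]
    if my_id:
        lines.append(f"{p} authentication id '{my_id}'")
    if remote_id:
        lines.append(f"{p} authentication remote-id '{remote_id}'")
    return "\n".join(lines)


# P2P mode: fixed public IPs, explicit ids on both sides, both sides initiate.
P2P_SERVER = sample_config("2.2.2.2", "1.1.1.1", "2.2.2.2", "192.168.99.1/32", "192.168.99.2/32", "initiate")
P2P_CLIENT = sample_config("1.1.1.1", "2.2.2.2", "1.1.1.1", "192.168.99.2/32", "192.168.99.1/32", "initiate")
# Server-Client mode: the responder names the peer '@RIGHT' and the client presents that id.
SC_SERVER = sample_config("@RIGHT", None, None, "192.168.99.1/32", "192.168.99.2/32", "respond")
SC_CLIENT = sample_config("1.1.1.1", "@RIGHT", None, "192.168.99.2/32", "192.168.99.1/32", "initiate")
# Broken variant: the client proposes sha256 for ESP while the server expects sha1.
BROKEN_CLIENT = sample_config("1.1.1.1", "2.2.2.2", "1.1.1.1", "192.168.99.2/32", "192.168.99.1/32", "initiate", esp_hash="sha256")

if __name__ == "__main__":
    for label, pair in (("p2p", (P2P_SERVER, P2P_CLIENT)), ("server-client", (SC_SERVER, SC_CLIENT)), ("broken", (P2P_SERVER, BROKEN_CLIENT))):
        print(label, check_pair(*pair) or "OK")
```

To use it against real routers, paste the `show configuration commands | grep "vpn ipsec"` output of each side into `check_pair`; the identity check is what catches the Server-Client case where the client forgets to set `authentication id '@RIGHT'`, which the responder would otherwise reject at Phase 1.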
Please credit the source when reposting.