The number of data centers in different locations keeps growing, each with a few machines, and moving data between them over public IPs alone is a hassle, so I considered connecting all the sites with a VPN. Since there is no suitable central node, I chose to connect the sites pairwise. I looked at OpenVPN and IPsec; IPsec runs in the kernel, so its performance is somewhat better, and with Openswan the configuration is not complicated either.
Current 2.6 kernels ship with NETKEY mode; it offers fewer configuration options than KLIPS, but it is enough.
Assume three sites; the VPN node at each site uses the first IP of its network segment.
| Name | Public IP | Internal IP |
|---|---|---|
| Mars | 12.43.65.50~12.43.65.70/24 | 10.16.76.1~10.16.76.11/24 |
| Jupiter | 21.78.65.11~21.78.65.21/24 | 10.16.77.1~10.16.77.11/24 |
| Venus | 87.64.90.21~87.64.90.31/24 | 10.16.78.1~10.16.78.11/24 |
Install Openswan: the servers run CentOS 5.5, so install directly with yum:
yum install openswan.x86_64
Configure kernel parameters (/etc/sysctl.conf). The `conf.*` wildcard shorthand is not accepted by sysctl, so the `all` and `default` entries are listed explicitly; apply them with `sysctl -p`:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Configure the firewall:
UDP ports 500 and 4500 must be open.
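The firewall requirement above, as an added example that is not part of the original post: a small POSIX sh script that emits iptables rules opening IKE (UDP 500) and NAT-T (UDP 4500) only from each peer's public address, and also native ESP (IP protocol 50). ESP matters because, as the connection log later on this page shows ("no NAT detected"), peers without NAT between them do not wrap ESP in UDP 4500, so the tunnel traffic itself arrives as protocol 50. The peer addresses come from the table above; the interface name eth0 and the print-by-default, apply-on-request convention are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Emits (and optionally applies)
# iptables rules for an Openswan site-to-site node.
# Peer public IPs are taken from the post's table; eth0 is an assumed WAN interface.
PEERS='12.43.65.50 21.78.65.11 87.64.90.21'
WAN_IF=eth0

# Rules for one peer: IKE on UDP 500, NAT-T on UDP 4500, and native ESP.
# Without NAT in the path, ESP is not wrapped in UDP 4500, so protocol 50
# must be allowed explicitly or the IKE SA comes up but no traffic flows.
ipsec_rules_for() {
    peer=$1
    printf 'iptables -A INPUT -i %s -s %s -p udp --dport 500 -j ACCEPT\n'  "$WAN_IF" "$peer"
    printf 'iptables -A INPUT -i %s -s %s -p udp --dport 4500 -j ACCEPT\n' "$WAN_IF" "$peer"
    printf 'iptables -A INPUT -i %s -s %s -p esp -j ACCEPT\n'              "$WAN_IF" "$peer"
}

# Rules for every address in PEERS. On a real node PEERS should hold only the
# other sites; all three are listed here so the output covers the whole mesh.
ipsec_rules() {
    for p in $PEERS; do
        ipsec_rules_for "$p"
    done
}

# Print by default; only execute the rules when explicitly asked with --apply.
case "${1:-}" in
    --apply) ipsec_rules | while read -r cmd; do sh -c "$cmd"; done ;;
    *)       ipsec_rules ;;
esac
```

Run it without arguments to review the rules, then with `--apply` on each node; the rules accept only from the listed peers, so a new site needs an entry in PEERS on every existing node.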
Configure certificates:
# Create a new certificate database in /etc/ipsec.d; you can leave the password empty by just pressing Enter
certutil -N -d /etc/ipsec.d/
# Generate this host's key; if you set a password in the previous step, pass it here with --password
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/ipsec.secrets [--password password]
Configure /etc/ipsec.conf (parameter lines inside a section must be indented):
version 2.0
config setup
    protostack=netkey
    nat_traversal=yes
    # a.b.c.d is the local internal address with its mask length
    virtual_private=%v4:a.b.c.d
    oe=off
    nhelpers=0
include /etc/ipsec.d/*.conf
For each pair of sites, designate one as left and the other as right. Which one is left or right does not matter; just keep the assignment fixed once chosen.
Three sites pair up into three connections: Mars<=>Jupiter, Mars<=>Venus, Jupiter<=>Venus.
On left, run `ipsec showhostkey --left` to get left's key.
On right, run `ipsec showhostkey --right` to get right's key.
Taking Mars<=>Jupiter as the example, create /etc/ipsec.d/Mars_Jupiter.conf on the Mars machine:
conn Mars_Jupiter
    left=12.43.65.50
    leftid=12.43.65.50
    leftsubnet=10.16.76.0/24
    leftsourceip=10.16.76.1
    # replace xxxxxx with the key that `ipsec showhostkey --left` printed on Mars
    leftrsasigkey=xxxxxx
    leftnexthop=%defaultroute
    right=21.78.65.11
    rightid=21.78.65.11
    rightsubnet=10.16.77.0/24
    rightsourceip=10.16.77.1
    # replace yyyyyy with the key that `ipsec showhostkey --right` printed on Jupiter
    rightrsasigkey=yyyyyy
    rightnexthop=%defaultroute
    # change to auto=start to bring the connection up automatically when ipsec starts
    auto=add
Copy this Mars_Jupiter.conf to the same location on Jupiter with scp or a similar tool, restart ipsec on both sides, then check the status:
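The pairing procedure above (choose left and right, read the host keys, write Name_Name.conf, copy it to the peer) is exactly what becomes tedious as sites are added. As an added example, not code from the original post, the POSIX sh script below builds every pairwise conn file from one site list, so each file can be copied unchanged to both ends of its pair. The site data is the post's table; the key values are placeholders standing in for the output of `ipsec showhostkey --left` / `--right`, and the output directory is whatever is passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: generate one Openswan conn file
# per unordered pair of sites. Fields: name, public IP, internal subnet,
# internal source IP, RSA host key. Data from the post's table; the keys are
# placeholders for what `ipsec showhostkey --left` / `--right` prints.
SITES='Mars 12.43.65.50 10.16.76.0/24 10.16.76.1 0sKEY_PLACEHOLDER_MARS
Jupiter 21.78.65.11 10.16.77.0/24 10.16.77.1 0sKEY_PLACEHOLDER_JUPITER
Venus 87.64.90.21 10.16.78.0/24 10.16.78.1 0sKEY_PLACEHOLDER_VENUS'

# gen_conn LNAME LIP LSUBNET LSRC LKEY RNAME RIP RSUBNET RSRC RKEY
# Prints a conn section in the same shape as the post's Mars_Jupiter.conf.
# Parameter lines must be indented: ipsec.conf treats an unindented line as
# the start of a new section. auto=start is used so ipsec brings it up itself.
gen_conn() {
    cat <<EOF
conn ${1}_${6}
    left=$2
    leftid=$2
    leftsubnet=$3
    leftsourceip=$4
    leftrsasigkey=$5
    leftnexthop=%defaultroute
    right=$7
    rightid=$7
    rightsubnet=$8
    rightsourceip=$9
    rightrsasigkey=${10}
    rightnexthop=%defaultroute
    auto=start
EOF
}

# gen_all OUTDIR: writes OUTDIR/<Left>_<Right>.conf for every pair. Each site
# is paired once with every site listed after it, so N sites give N*(N-1)/2
# files. A file is identical for both ends, so the same copy goes to each peer.
gen_all() {
    outdir=$1
    mkdir -p "$outdir"
    list="$outdir/.sites"
    printf '%s\n' "$SITES" > "$list"
    i=1
    while read -r lname lip lsub lsrc lkey; do
        i=$((i + 1))
        # every site after the current one becomes its right peer
        tail -n +"$i" "$list" | while read -r rname rip rsub rsrc rkey; do
            gen_conn "$lname" "$lip" "$lsub" "$lsrc" "$lkey" \
                     "$rname" "$rip" "$rsub" "$rsrc" "$rkey" \
                > "$outdir/${lname}_${rname}.conf"
        done
    done < "$list"
    rm -f "$list"
}

# Usage: sh gen_conns.sh /etc/ipsec.d   (then copy each file to its other peer)
if [ $# -gt 0 ]; then
    gen_all "$1"
fi
```

Only the files that mention a given node need to be installed on it; adding a fourth site means adding one line to SITES and rerunning, instead of hand-writing three more conn files.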
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.21/K2.6.36 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: localhost.localdomain [MISSING]
Does the machine have at least one non-private address? [FAILED]
The last two failures concern Opportunistic Encryption, which is disabled (oe=off), so they can be ignored.
Bring up the connection; on Mars run:
ipsec auto --up Mars_Jupiter
104 "Mars_Jupiter" #1: STATE_MAIN_I1: initiate
003 "Mars_Jupiter" #1: received Vendor ID payload [Openswan (this version) 2.6.21 ]
003 "Mars_Jupiter" #1: received Vendor ID payload [Dead Peer Detection]
003 "Mars_Jupiter" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "Mars_Jupiter" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "Mars_Jupiter" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "Mars_Jupiter" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "Mars_Jupiter" #1: received Vendor ID payload [CAN-IKEv2]
004 "Mars_Jupiter" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "Mars_Jupiter" #2: STATE_QUICK_I1: initiate
004 "Mars_Jupiter" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xaf55a13b<0xc2d4a7ee xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Mars<=>Jupiter is connected; configure the other two pairs following the same steps.
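The two checks above (`ipsec verify`, then `ipsec auto --up`) are read by eye in the post. As an added example that is not part of the original post, the POSIX sh functions below apply the same judgement mechanically: `check_verify` accepts `ipsec verify` output only if nothing failed apart from the two Opportunistic Encryption checks, and `check_up` accepts `ipsec auto --up` output only if both the ISAKMP SA and the IPsec SA were established, printing the negotiated ESP transform for review. The sample outputs are constructed from the log lines on this page.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks over the text that
# `ipsec verify` and `ipsec auto --up` print, so a deployment script can stop
# on a real failure instead of relying on a human reading the log.

# check_verify: reads `ipsec verify` output on stdin. Returns 0 when every
# check passed, ignoring only the two Opportunistic Encryption DNS checks,
# which are expected to fail with oe=off.
check_verify() {
    bad=$(grep -E '\[(FAILED|MISSING)\]' \
          | grep -Ev 'TXT in forward dns zone|non-private address' || true)
    if [ -n "$bad" ]; then
        printf 'ipsec verify: unexpected failures:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# check_up: reads `ipsec auto --up CONN` output on stdin. Returns 0 only when
# both phases completed (ISAKMP SA and IPsec SA established) and prints the
# ESP transform (the xfrm= value) so the cipher and hash can be reviewed.
check_up() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'ISAKMP SA established' || {
        echo 'phase 1 (IKE) did not complete' >&2; return 1; }
    printf '%s\n' "$out" | grep -q 'IPsec SA established' || {
        echo 'phase 2 (IPsec SA) did not complete' >&2; return 1; }
    printf '%s\n' "$out" | sed -n 's/.*xfrm=\([^ ]*\).*/\1/p'
    return 0
}

# Constructed samples, taken from the post's own output lines.
VERIFY_OK='Checking that pluto is running [OK]
Looking for TXT in forward dns zone: localhost.localdomain [MISSING]
Does the machine have at least one non-private address? [FAILED]'
VERIFY_BAD='Checking that pluto is running [FAILED]
Does the machine have at least one non-private address? [FAILED]'
UP_OK='004 "Mars_Jupiter" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
004 "Mars_Jupiter" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xaf55a13b<0xc2d4a7ee xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}'
UP_STUCK='104 "Mars_Jupiter" #1: STATE_MAIN_I1: initiate'

# Usage on a node (the real commands, not the samples):
#   ipsec verify | check_verify && ipsec auto --up Mars_Jupiter | check_up
```

On a live node, pipe the real command output into the functions as shown in the trailing comment; a non-zero return means the tunnel is not usable, and the printed transform (AES_128-HMAC_SHA1 in the post's log) is what should be compared against the site's policy.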
Finally, add a route on the other machines in each subnet:
ip route add 10.16.0.0/16 via 10.16.XX.1 # XX is the third octet of the subnet the machine sits in
Done. You can test it now; because every packet is encrypted and decrypted, the usable bandwidth drops considerably.
This approach is simple at first, but it becomes more and more cumbersome as nodes are added, and there is still a lot to improve.