如何设置分支机构互连 (1) IPSec VPN

简介

站点到站点的VPN应用是IPSec最常见的使用场景。通过VPN隧道,企业内部多个站点可以无缝连接,内部应用可以通过虚拟网络互联互通。

本篇介绍如何在Ubiquiti EdgeRouter与VyOS之间建立点对点IPSec隧道,实现两个分支机构的互访。

下图是一个简单的测试模型。左边的站点(EdgeOS)的笔记本用户,需要通过VPN访问右边站点(VyOS)的服务器。左右两边内网网段分别是10.0.0.0/24和10.1.0.0/24。

预先准备

路由设备

实现本文介绍的功能,你需要一台EdgeRouter和安装好VyOS的软路由。在参考本文开始配置以前,我们假定大家已经按照介绍VyOS一文完成了VyOS的初始化配置。使用EdgeOS的用户,可以使用系统自带的wizard完成初始配置。

设置动态域名

考虑到大多数客户的宽带接入都是动态IP地址, 因此需要通过域名来获取当前使用的IP地址。我们假定左边EdgeOS的域名是edgeos.ddns.com,右边的VyOS的域名是vyos.ddns.com

如何配置动态域名,请参见本站另一篇帖子EdgeRouter/VyOS配置DDNS动态域名

RSA密钥

许多同学都有过用预共享密钥设置VPN隧道的经验。的确,预共享密钥使用起来非常方便,但是他有一个很大的缺点,WAN口必须是静态地址,而能提供静态地址的企业专线成本非常高,所以现实生活中大多数企业还是使用性价比高的共享宽带。

共享宽带带来的一个缺点是,只能得到一个动态地址。运营商大多数每24-48小时,就要更换一次公网地址。

在这个情况下,使用RSA签名进行IKE认证就非常有用了。RSA算法配合两端的ID就可以完成认证。下面我们先生成密钥。

EdgeOS/VyOS自带生成RSA密钥的模块。在shell下执行以下命令,

[email protected]:~$ generate vpn rsa-key
Generating 2048 bit rsa-key to /config/ipsec.d/rsa-keys/localhost.key
.........+++++
...........................+++++

Your new local RSA key has been generated
The public portion of the key is:

0sAwEAAe7k2zE85tw4T7BGQGjkGEcIB3K7PnktckNx/JskpkhAjcU3TE7Q9xj6MtjWw794XKNFk2cnGmLCD9tkNPK30vITi3quJQxVNfuTJy3rFT6uJfPxyNsnCr+D483UNYdJThtsac8zenBoqQVMS5O50Db7/6UFdKF6QsoAMd9aRyROFZ+3RBiPe3uDMMwCaFEW28EFKN3Ye47LTCk1r1V/cXIUsMa9uVkgy9b5Axp+FnYwDl84m2mbViE+/sm7WPRGpuR15nFVwZHlk8Fj+USXMmjdteqOzq0Q19I4ma7v15LLdKlhhboxJiwjO/OqRzKsW4zt+5GcvbCagF6PzM942ok=

这个命令会在生成PEM格式的2048bit RSA密钥,存放在/config/ipsec.d/rsa-keys/localhost.key文件里。同时会生成RFC3110格式的公钥。

我们需要在配置里保存新生成的密钥和公钥,你需要将刚才生成的公钥粘贴替换到下面的命令里。

configure

set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name local-pub rsa-key 0sAwEAAe7k2zE85tw4T7BGQGjkGEcIB3K7PnktckNx/JskpkhAjcU3TE7Q9xj6MtjWw794XKNFk2cnGmLCD9tkNPK30vITi3quJQxVNfuTJy3rFT6uJfPxyNsnCr+D483UNYdJThtsac8zenBoqQVMS5O50Db7/6UFdKF6QsoAMd9aRyROFZ+3RBiPe3uDMMwCaFEW28EFKN3Ye47LTCk1r1V/cXIUsMa9uVkgy9b5Axp+FnYwDl84m2mbViE+/sm7WPRGpuR15nFVwZHlk8Fj+USXMmjdteqOzq0Q19I4ma7v15LLdKlhhboxJiwjO/OqRzKsW4zt+5GcvbCagF6PzM942ok=

同样,在右端VyOS侧执行同样的命令。

[email protected]:~$ generate vpn rsa-key
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
Generating RSA private key, 2192 bit long modulus (2 primes)
.+++++
.........................+++++
e is 65537 (0x010001)

Your new local RSA key has been generated
The public portion of the key is:

0sAwEAAd3MOCvSY2WnMCz9uVOLO34o+Cmhwlld+ldz0iP+x4jdCiD/676r5C4hfc9m8VDWfaFy/Ya6r4cprfM6XuPymRH+VgRPXoHafBdLY+1y6//HES/f2QUGqRfxjIbDn6fzDBqLHSPIB8eryYA6YFj0cgZMlG7EJGmkk/yEP5nziGJUHHKyGu+yAXdEsHoHar4Fp13hdzzdXFiqQ6hNg4LP3q8cTOiXVd1Ba3UuAwH+9tiLxUmPOBkYQXBxcBrlYu9tkU9kGB0vOj6crMnCt73qUO9aOrLSK8qEoi/4JnHLA9HHNna9fcTlCrn7fXRANzq0CYHfoyoosUhRIBnzeqUzGcDvCZ3diMxm8pmKI3vWD8RdUqs=

并且把两端的公钥都保存到VyOS配置里。

configure

set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name local-pub rsa-key 0sAwEAAd3MOCvSY2WnMCz9uVOLO34o+Cmhwlld+ldz0iP+x4jdCiD/676r5C4hfc9m8VDWfaFy/Ya6r4cprfM6XuPymRH+VgRPXoHafBdLY+1y6//HES/f2QUGqRfxjIbDn6fzDBqLHSPIB8eryYA6YFj0cgZMlG7EJGmkk/yEP5nziGJUHHKyGu+yAXdEsHoHar4Fp13hdzzdXFiqQ6hNg4LP3q8cTOiXVd1Ba3UuAwH+9tiLxUmPOBkYQXBxcBrlYu9tkU9kGB0vOj6crMnCt73qUO9aOrLSK8qEoi/4JnHLA9HHNna9fcTlCrn7fXRANzq0CYHfoyoosUhRIBnzeqUzGcDvCZ3diMxm8pmKI3vWD8RdUqs=
set vpn rsa-keys rsa-key-name edgeos-pub rsa-key 0sAwEAAe7k2zE85tw4T7BGQGjkGEcIB3K7PnktckNx/JskpkhAjcU3TE7Q9xj6MtjWw794XKNFk2cnGmLCD9tkNPK30vITi3quJQxVNfuTJy3rFT6uJfPxyNsnCr+D483UNYdJThtsac8zenBoqQVMS5O50Db7/6UFdKF6QsoAMd9aRyROFZ+3RBiPe3uDMMwCaFEW28EFKN3Ye47LTCk1r1V/cXIUsMa9uVkgy9b5Axp+FnYwDl84m2mbViE+/sm7WPRGpuR15nFVwZHlk8Fj+USXMmjdteqOzq0Q19I4ma7v15LLdKlhhboxJiwjO/OqRzKsW4zt+5GcvbCagF6PzM942ok=

回到左边的EdgeOS,我们再把VyOS的公钥保存到配置里。

set vpn rsa-keys rsa-key-name vyos-pub rsa-key 0sAwEAAd3MOCvSY2WnMCz9uVOLO34o+Cmhwlld+ldz0iP+x4jdCiD/676r5C4hfc9m8VDWfaFy/Ya6r4cprfM6XuPymRH+VgRPXoHafBdLY+1y6//HES/f2QUGqRfxjIbDn6fzDBqLHSPIB8eryYA6YFj0cgZMlG7EJGmkk/yEP5nziGJUHHKyGu+yAXdEsHoHar4Fp13hdzzdXFiqQ6hNg4LP3q8cTOiXVd1Ba3UuAwH+9tiLxUmPOBkYQXBxcBrlYu9tkU9kGB0vOj6crMnCt73qUO9aOrLSK8qEoi/4JnHLA9HHNna9fcTlCrn7fXRANzq0CYHfoyoosUhRIBnzeqUzGcDvCZ3diMxm8pmKI3vWD8RdUqs=

Policy-based IPSec VPN

通常IPSec是通过匹配预设置的隧道两端的网段来确定哪些流量走隧道的。本例中,假定笔记本电脑需要访问远端服务器,那么相应的流量包里,对应的源地址和目标地址分别是10.0.0.100和10.1.0.200,而隧道两端的网段设置是10.0.0.0/24和10.1.0.200/24,于是流量就会走隧道。

这种匹配方式类似于防火墙的规则,因此我们也称之为基于规则的IPSec VPN。下面我们就开始配置。

EdgeOS端

set vpn ipsec auto-update 30
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group ESP_GRP compression disable
set vpn ipsec esp-group ESP_GRP lifetime 3600
set vpn ipsec esp-group ESP_GRP mode tunnel
set vpn ipsec esp-group ESP_GRP pfs enable
set vpn ipsec esp-group ESP_GRP proposal 1 encryption aes256
set vpn ipsec esp-group ESP_GRP proposal 1 hash sha1
set vpn ipsec ike-group IKE_V1 dead-peer-detection action restart
set vpn ipsec ike-group IKE_V1 dead-peer-detection interval 30
set vpn ipsec ike-group IKE_V1 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE_V1 ikev2-reauth no
set vpn ipsec ike-group IKE_V1 key-exchange ikev1
set vpn ipsec ike-group IKE_V1 lifetime 28800
set vpn ipsec ike-group IKE_V1 proposal 1 dh-group 2
set vpn ipsec ike-group IKE_V1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE_V1 proposal 1 hash sha1
set vpn ipsec ike-group IKE_V2 dead-peer-detection action restart
set vpn ipsec ike-group IKE_V2 dead-peer-detection interval 30
set vpn ipsec ike-group IKE_V2 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE_V2 ikev2-reauth no
set vpn ipsec ike-group IKE_V2 key-exchange ikev2
set vpn ipsec ike-group IKE_V2 lifetime 28800
set vpn ipsec ike-group IKE_V2 proposal 1 dh-group 2
set vpn ipsec ike-group IKE_V2 proposal 1 encryption aes256
set vpn ipsec ike-group IKE_V2 proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
edit vpn ipsec site-to-site peer vyos.ddns.com
set authentication id edgeos.ddns.com
set authentication mode rsa
set authentication remote-id vyos.ddns.com
set authentication rsa-key-name vyos-pub
set connection-type initiate
set description 'ipsec tunnel edgeos ... vyos'
set ike-group IKE_V2
set ikev2-reauth inherit
set local-address any
set tunnel 0 allow-nat-networks disable
set tunnel 0 allow-public-networks disable
set tunnel 0 esp-group ESP_GRP
set tunnel 0 local prefix 10.0.0.0/24
set tunnel 0 remote prefix 10.1.0.0/24

设置说明

  • auto-update:让IPSec daemon定时去检查DDNS是否有更新,时间单位是秒;
  • auto-firwall-nat-exclude:启用后系统会自动配置相应的防火墙和NAT策略;
  • dead-peer-detection:自动检测并重置死连接;
  • ipsec-interface:设置成你所要使用的WAN口;
  • connection-type initiate:在EdgeOS里,Initiate对应的连接类型是”route”,隧道流量会自动触发连接;
  • peer vyos.ddns.com:要用对端域名
  • authentication id:本地域名或者你设置的本地名称
  • authentication remote-id: 对端域名或者你设置的对端名称
  • authentication rsa-key-name:对端公钥
  • local prefix: 是要开放给对端访问的本地内网网段;
  • remote prefxi:需要访问的远端内网网段。

由于IPSec对流量进行加密,相应的esp包会被占用大约100字节,因此需要调整TCP MSS设定。

set firewall options mss-clamp interface-type all 
set firewall options mss-clamp mss 1300

commit;save;exit

VyOS端

防火墙

VyOS和EdgeOS略有不同。VyOS没有内置auto-firewall-nat-exclude命令,因此需要单独先配置防火墙策略。

set firewall name WAN_LOCAL rule 200 action 'accept'
set firewall name WAN_LOCAL rule 200 description 'ipsec ike'
set firewall name WAN_LOCAL rule 200 destination port '500,4500'
set firewall name WAN_LOCAL rule 200 log 'disable'
set firewall name WAN_LOCAL rule 200 protocol 'udp'
set firewall name WAN_LOCAL rule 201 action 'accept'
set firewall name WAN_LOCAL rule 201 description 'ipsec esp'
set firewall name WAN_LOCAL rule 201 log 'disable'
set firewall name WAN_LOCAL rule 201 protocol 'esp'
set firewall name WAN_LOCAL rule 210 action 'accept'
set firewall name WAN_LOCAL rule 210 description 'ipsec traffic'
set firewall name WAN_LOCAL rule 210 log 'disable'
set firewall name WAN_LOCAL rule 210 protocol 'all'
set firewall name WAN_LOCAL rule 210 ipsec match-ipsec
set firewall name WAN_IN rule 210 action 'accept'
set firewall name WAN_IN rule 210 description 'ipsec traffic'
set firewall name WAN_IN rule 210 log 'disable'
set firewall name WAN_IN rule 210 protocol 'all'
set firewall name WAN_IN rule 210 ipsec match-ipsec

NAT

我们需要配置地址转换规则,把隧道流量排除在出口NAT之外。

set nat source rule 10 description 'exclude ipsec'
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 source address '10.1.0.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 protocol 'all'
set nat source rule 10 translation address 'masquerade'

IPSec

然后是配置VPN。

set vpn ipsec auto-update 30
set vpn ipsec esp-group ESP_GRP compression disable
set vpn ipsec esp-group ESP_GRP lifetime 3600
set vpn ipsec esp-group ESP_GRP mode tunnel
set vpn ipsec esp-group ESP_GRP pfs enable
set vpn ipsec esp-group ESP_GRP proposal 1 encryption aes256
set vpn ipsec esp-group ESP_GRP proposal 1 hash sha1
set vpn ipsec ike-group IKE_V1 dead-peer-detection action restart
set vpn ipsec ike-group IKE_V1 dead-peer-detection interval 30
set vpn ipsec ike-group IKE_V1 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE_V1 ikev2-reauth no
set vpn ipsec ike-group IKE_V1 key-exchange ikev1
set vpn ipsec ike-group IKE_V1 lifetime 28800
set vpn ipsec ike-group IKE_V1 proposal 1 dh-group 2
set vpn ipsec ike-group IKE_V1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE_V1 proposal 1 hash sha1
set vpn ipsec ike-group IKE_V2 dead-peer-detection action restart
set vpn ipsec ike-group IKE_V2 dead-peer-detection interval 30
set vpn ipsec ike-group IKE_V2 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE_V2 ikev2-reauth no
set vpn ipsec ike-group IKE_V2 key-exchange ikev2
set vpn ipsec ike-group IKE_V2 lifetime 28800
set vpn ipsec ike-group IKE_V2 proposal 1 dh-group 2
set vpn ipsec ike-group IKE_V2 proposal 1 encryption aes256
set vpn ipsec ike-group IKE_V2 proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
edit vpn ipsec site-to-site peer edgeos.ddns.com
set authentication id vyos.ddns.com
set authentication mode rsa
set authentication remote-id edgos.ddns.com
set authentication rsa-key-name edgeos-pub
set connection-type respond
set description 'ipsec tunnel vyos ... edgeos'
set ike-group IKE_V2
set ikev2-reauth inherit
set local-address any
set tunnel 0 allow-nat-networks disable
set tunnel 0 allow-public-networks disable
set tunnel 0 esp-group ESP_GRP
set tunnel 0 local prefix 10.1.0.0/24
set tunnel 0 remote prefix 10.0.0.0/24

设置说明

  • connection-type initiate:在VyOS里,respond对应的连接类型是”route”,隧道流量会自动触发连接,与EdgeOS实现不同;

与 EdgeOS一样,我们需要配置TCP MSS。因为IPSec流量通过WAN口,这里对应的接口就是eth0,如果你使用pppoe,相应的端口应该是pppoe0。

set firewall options interface eth0 adjust-mss '1300'

commit;save;exit

测试与诊断

我们这里介绍几个常用的命令:

  • 查看连接状态: sudo ipsec statusall
[email protected]:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.118-amd64-vyos, x86_64):
  uptime: 20 hours, since Sep 17 20:00:02 2020
  malloc: sbrk 3211264, mmap 0, used 1447440, free 1763824
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  192.0.0.1
Connections:
peer-edgeos.ddns.com-tunnel-0:  %any...edgeos.ddns.com  IKEv2, dpddelay=30s
peer-edgeos.ddns.com-tunnel-0:   local:  [vyos.ddns.com] uses public key authentication
peer-edgeos.ddns.com-tunnel-0:    cert:  "vyos.ddns.com"
peer-edgeos.ddns.com-tunnel-0:   remote: [edgeos.ddns.com] uses public key authentication
peer-edgeos.ddns.com-tunnel-0:    cert:  "edgeos.ddns.com"
peer-edgeos.ddns.com-tunnel-0:   child:  10.1.0.0/24 === 10.0.0.0/24 TUNNEL, dpdaction=restart
Routed Connections:
peer-edgeos.ddns.com-tunnel-0{2}:  ROUTED, TUNNEL, reqid 2
peer-edgeos.ddns.com-tunnel-0{2}:   10.1.0.0/24 === 10.0.0.0/24
Security Associations (1 up, 0 connecting):
peer-edgeos.ddns.com-tunnel-0[165]: ESTABLISHED 4 hours ago, 10.1.8.50[vyos.ddns.com]...35.220.139.62[edgeos.ddns.com]
peer-edgeos.ddns.com-tunnel-0[165]: IKEv2 SPIs: 4156b61c9b60c765_i* fdec6e13d63f6640_r, rekeying in 2 hours
peer-edgeos.ddns.com-tunnel-0[165]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-edgeos.ddns.com-tunnel-0{30}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c99726b9_i ccf4d342_o
peer-edgeos.ddns.com-tunnel-0{30}:  AES_CBC_256/HMAC_SHA1_96/MODP_2048, 1596 bytes_i (19 pkts, 44s ago), 1596 bytes_o (19 pkts, 44s ago), rekeying in 23 minutes
peer-edgeos.ddns.com-tunnel-0{30}:   10.1.0.0/24 === 10.0.0.0/24
  • 重启IPSec进程: sudo ipsec restart

如果查看IPsec状态时,“Routed Connections:“下面没有显示相应的隧道信息,就需要执行这个命令重启进程。一般第一次配置完,常常会发生这种情况。

  • 强制连接: sudo ipsec up <peer>
  • 在线查看ipsec日志: sudo swanctl –log