Goal: connect one VPC in the Beijing region with one VPC in the Ningxia region so that the two private networks can reach each other (a site-to-site IPsec tunnel between an EC2 instance in each VPC, running Openswan).
Requirements:
- Beijing region:
  - one EC2 instance, T2.s
  - one EIP
- Ningxia region:
  - one EC2 instance, T2.s
  - one EIP
EC2 preparation
Create an EC2 instance in a public subnet of each VPC (public subnets are basic VPC knowledge and are not covered here).
Allocate a new EIP and associate it with the newly created instance.
Disable the source/destination check on the instance. With the check enabled, EC2 drops packets whose source or destination is not the instance's own address, so the instance cannot forward traffic for the peer VPC:
- In the EC2 console, open the instance, click Network interfaces, then click the interface ID.
- On the network interface page, click Actions --> Change source/dest. check --> Disabled --> Save.
Route and security group settings
- In the route table of each VPC, add a route whose destination is the peer region's VPC CIDR and whose target is the local VPN instance (the instance ID, or equivalently its ENI).
- In the VPN instance's security group, allow inbound traffic from the peer region's VPC CIDR; this is the decrypted traffic that arrives through the tunnel. The tunnel itself also needs inbound UDP 500 (IKE) and UDP 4500 (NAT-T; with forceencaps=yes the ESP payload is carried on 4500 as well) from the peer instance's EIP, otherwise the two instances never complete the IKE exchange.
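The console steps above, expressed with the AWS CLI so that both regions can be configured the same way. This is an added example and not part of the original page; the instance IDs, route table IDs, security group IDs, EIPs and CIDRs are placeholders, and the DRY_RUN switch only exists in this script so the commands can be reviewed before they run.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of the console steps for one VPN instance.
# All identifiers are placeholders. DRY_RUN=1 prints the aws commands instead
# of executing them.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Disable the source/destination check so the instance may forward packets whose
# source or destination is not its own address (required for a VPN gateway).
disable_src_dst_check() {   # $1=region $2=instance-id
  run ec2 modify-instance-attribute --region "$1" --instance-id "$2" --no-source-dest-check
}

# Route the peer VPC's CIDR to the local VPN instance in the given route table.
add_peer_route() {   # $1=region $2=route-table-id $3=peer-cidr $4=instance-id
  run ec2 create-route --region "$1" --route-table-id "$2" \
    --destination-cidr-block "$3" --instance-id "$4"
}

# Two kinds of inbound traffic must be allowed on the VPN instance:
#  1. the IKE / NAT-T channel from the peer's EIP only (UDP 500 and UDP 4500;
#     forceencaps=yes wraps ESP in UDP 4500, so no separate ESP rule is needed)
#  2. the decrypted inner traffic from the peer VPC's CIDR (all protocols here;
#     narrow this to the ports the workloads actually use)
allow_peer() {   # $1=region $2=sg-id $3=peer-eip $4=peer-cidr
  for port in 500 4500; do
    run ec2 authorize-security-group-ingress --region "$1" --group-id "$2" \
      --protocol udp --port "$port" --cidr "$3/32"
  done
  run ec2 authorize-security-group-ingress --region "$1" --group-id "$2" \
    --protocol all --cidr "$4"
}

# Configure one side; the other side runs the same with the roles swapped, e.g.
#   setup_side cn-north-1     i-bj rtb-bj sg-bj NX_EIP 20.0.0.0/16
#   setup_side cn-northwest-1 i-nx rtb-nx sg-nx BJ_EIP 10.0.0.0/16
setup_side() {   # $1=region $2=instance $3=route-table $4=sg $5=peer-eip $6=peer-cidr
  disable_src_dst_check "$1" "$2"
  add_peer_route "$1" "$3" "$6" "$2"
  allow_peer "$1" "$4" "$5" "$6"
}
```

Run with DRY_RUN=1 first and check that the /32 rules reference the peer EIP, not the peer CIDR: opening UDP 500/4500 to the whole peer VPC is unnecessary, since only the peer VPN instance initiates IKE.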
Software setup and configuration
Install Openswan
yum -y install openswan
Configure Openswan (/etc/ipsec.conf). The two things to set here are:
- the log path (plutostderrlog)
- the include line that pulls in the per-connection files from /etc/ipsec.d/
cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    # "all" is extremely verbose and dumps every IKE exchange into pluto.log;
    # keep it only while bringing the tunnel up, then set it back to none and
    # make sure the log file is readable by root only
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    # both instances sit behind 1:1 NAT (private IP <-> EIP), so NAT traversal is required
    nat_traversal=yes
    force_keepalive=yes
    # no opportunistic encryption
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
# Connection definitions live in "/etc/ipsec.d/"; this line pulls them in.
include /etc/ipsec.d/*.conf
Configure the IPsec connection file
- Mind the file format: every parameter line under conn must be indented, and the file name must end in .conf so the include line in ipsec.conf picks it up.
- Create the same file on the instances in both regions, swapping the left and right addresses.
- left is this instance's private IP (the instance sits behind 1:1 NAT and does not see its EIP on any interface); leftid is its EIP, the identity the peer sees and the one looked up in the .secrets file. right and rightid are both the peer instance's EIP.
cat /etc/ipsec.d/bj-to-nx.conf
conn bj-to-nx
    # this region's EC2, private IP
    left=10.0.0.1
    # this region's EC2, public EIP
    leftid=xxx.xxx.xxx.xxx
    # this region's VPC subnet
    leftsubnet=10.0.0.0/16
    # peer region's EC2, public EIP
    right=xxx.xxx.xxx.xxx
    # peer region's VPC subnet
    rightsubnet=20.0.0.0/16
    # peer region's EC2, public EIP
    rightid=xxx.xxx.xxx.xxx
    # no Perfect Forward Secrecy for the phase 2 SAs; pfs=yes on both ends is the safer choice
    pfs=no
    # always encapsulate ESP in UDP 4500, needed because both ends are behind NAT
    forceencaps=yes
    authby=secret
    auto=start
Configure the IPsec pre-shared key file
- AAA.AAA.AAA.AAA: this region's EC2, public EIP (must equal leftid)
- BBB.BBB.BBB.BBB: peer region's EC2, public EIP (must equal rightid)
- PSK: the key that authenticates the VPN; it must be identical on both ends. Use a long random string rather than a word like the placeholder below, keep the file readable by root only (chmod 600), and check that /etc/ipsec.secrets contains "include /etc/ipsec.d/*.secrets", otherwise pluto never reads this file.
cat /etc/ipsec.d/bj-to-nx.secrets
AAA.AAA.AAA.AAA BBB.BBB.BBB.BBB: PSK "WULIAODESHANGDI"
Edit sysctl
cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
Openswan's ipsec verify additionally checks that ICMP redirects are disabled on the forwarding host (net.ipv4.conf.all.send_redirects = 0 and net.ipv4.conf.all.accept_redirects = 0); set those as well and run ipsec verify after the service is up.
Start the service
service ipsec restart
chkconfig ipsec on
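The connection file, secrets file and sysctl settings above, generated from a single script so that both instances are configured identically with only the addresses swapped. This is an added example, not code from the original page: the algorithm string ALG is an assumption (a value the Openswan 2.6 series accepts; prefer a SHA-2 variant if your build supports it), and the addresses are placeholders. It deliberately departs from the page's sample in three places: pfs=yes with explicit ike=/phase2alg= instead of pfs=no and the compiled-in defaults, a random 32-byte PSK written with mode 0600 instead of a word, and the redirect sysctls that ipsec verify checks in addition to ip_forward.

```shell
#!/bin/sh
# Added example: generate the Openswan files for one side of the tunnel.
# ALG is an assumption; all addresses are placeholders passed as arguments.

ALG="${ALG:-aes256-sha1;modp2048}"

# 32 random bytes, base64-encoded (44 characters); use the same value on both sides
gen_psk() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_conn DIR NAME LOCAL_PRIV LOCAL_EIP LOCAL_CIDR PEER_EIP PEER_CIDR
write_conn() {
  dir=$1 name=$2 lpriv=$3 leip=$4 lnet=$5 reip=$6 rnet=$7
  cat > "$dir/$name.conf" <<EOF
conn $name
    # left is the private address (the instance sits behind 1:1 NAT and never
    # sees its EIP); leftid is the EIP, the identity the peer sees and the one
    # that is matched against the .secrets file
    left=$lpriv
    leftid=$leip
    leftsubnet=$lnet
    right=$reip
    rightid=$reip
    rightsubnet=$rnet
    authby=secret
    # explicit proposals and PFS, instead of the page's pfs=no and defaults
    ike=$ALG
    phase2alg=$ALG
    pfs=yes
    forceencaps=yes
    auto=start
EOF
}

# write_secrets DIR NAME LOCAL_EIP PEER_EIP PSK
# The two IDs must equal leftid/rightid, otherwise pluto logs "no preshared key found".
# The subshell's umask makes the file 0600 at creation, so the key is never world-readable.
write_secrets() {
  dir=$1 name=$2 leip=$3 reip=$4 psk=$5
  ( umask 077; printf '%s %s: PSK "%s"\n' "$leip" "$reip" "$psk" > "$dir/$name.secrets" )
}

# write_sysctl FILE: forwarding on, ICMP redirects off (all checked by 'ipsec verify').
# On systems without /etc/sysctl.d, append these lines to /etc/sysctl.conf instead.
write_sysctl() {
  cat > "$1" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# Usage on the Beijing instance (Ningxia swaps the two EIPs and the two CIDRs):
#   PSK=$(gen_psk)   # copy the same value to the Ningxia instance out of band
#   write_conn    /etc/ipsec.d bj-to-nx 10.0.0.1 BJ_EIP 10.0.0.0/16 NX_EIP 20.0.0.0/16
#   write_secrets /etc/ipsec.d bj-to-nx BJ_EIP NX_EIP "$PSK"
#   write_sysctl  /etc/sysctl.d/99-ipsec.conf && sysctl -p /etc/sysctl.d/99-ipsec.conf
#   service ipsec restart && ipsec verify
```

Because ike= and phase2alg= are set explicitly, both sides must use the same ALG value; a mismatch shows up in pluto.log as NO_PROPOSAL_CHOSEN rather than as an authentication error.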
Watchdog script
#!/bin/sh
# Run from cron (e.g. every minute): if the peer instance's private IP cannot be
# reached through the tunnel, restart the ipsec service and log it.
REMOTE="20.0.0.1"               # peer region's EC2, private IP
LOG="/tmp/ipsecWatchDog.log"
ping -c 1 -W 3 -q "$REMOTE" > /dev/null 2>&1
RET=$?
if [ "$RET" -ne 0 ]; then
    DATE=$(date "+%F %T")
    echo "[$DATE] restart ipsec" >> "$LOG"
    /etc/init.d/ipsec restart >> "$LOG" 2>&1
fi
Health check
- The two instances ping each other's private IPs (this exercises the tunnel itself).
- From each instance, ping the private IP of another instance inside the peer subnet (this also exercises the route table entry and the security group rule for the peer CIDR).