I am running an Amazon EC2 instance with Red Hat Enterprise Linux that has two network interfaces.
Currently:
eth0 is active and has a public IP; I log in to it remotely over SSH to configure the VPN (once the VPN is up I will no longer be able to reach that IP and interface remotely)
eth1 shows as down (on the Amazon side I have already assigned it another new public IP, but I cannot ping it and cannot log in to it with SSH)
Once eth1 is up and reachable remotely, I have to configure the VPN client on eth0 to connect to another remote server
How do I set up eth1 so that it is reachable remotely, while eth0 is dedicated to the host-to-host IPsec VPN?
[ec2-user@ip-10-0-0-41 ~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:29:01:a8:c6:98 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.41/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::c29:1ff:fea8:c698/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 0e:29:01:a9:6e:32 brd ff:ff:ff:ff:ff:ff
Edit:
$ system-config-network-tui
eth1 is added as dhcp
$ ifup eth1
Determining IP information for eth1...
Edit:
$ ssh [email protected] - fails
$ ssh [email protected] - allow to login
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:29:01:a8:c6:98 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.41/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::c29:1ff:fea8:c698/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:29:01:a9:6e:32 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.110/24 brd 10.0.0.255 scope global eth1
    inet6 fe80::c29:1ff:fea9:6e32/64 scope link
       valid_lft forever preferred_lft forever
Edit:
$ yum install openswan
$ cat /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
include /etc/ipsec.d/*.conf
$ cat /etc/ipsec.d/test.conf
### The administrator gave us this to set up
# Phase1: Encryption: AES128 Integrity: MD5 IKE Lifetime: 28800 sec.
# Phase2: Encryption: AES128 Integrity: MD5 IPsec lifetime: 3600 sec.
### On Red Hat we use Phase 1 and Phase 2 for IPsec
conn test
        type=tunnel
        authby=secret
        pfs=no
        # Lifetime: 1440 sec
        ike=aes128-md5;modp1024!
        # Lifetime: 3600 sec
        phase2alg=aes128-md5;modp1024
        aggrmode=no
        left=194.x.x.x
        right=54.x.x.x
        leftsubnet=10.109.0.0/24
        rightsubnet=10.0.0.0/24
        #auto=start
$ service ipsec restart && ipsec auto --add test
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.6.2.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
$ ipsec auto --up test
022 "test": We cannot identify ourselves with either end of this connection.
- If the add works without errors, the config file is correct and the rest is some other problem with the tunnel.
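The symptom in the second edit (eth1 is up with 10.0.0.110, but SSH to its new public IP still fails) is what a second interface on the same VPC subnet usually runs into: replies to packets that arrived on eth1 follow the single default route out through eth0 with eth1's source address, and eth0's ENI does not own that address, so they are dropped. Source-based policy routing gives eth1 its own routing table and default gateway. The script below is an added example, not part of the question or the answer; the interface name, the address 10.0.0.110/24 and the table id are taken from the `ip addr` output and ordinary conventions, and the VPC router 10.0.0.1 is an assumption (the first usable address of the subnet), not something the page states.

```shell
#!/bin/sh
# Added example, not from the original post: give a second EC2 interface on
# the same subnet its own routing table so that traffic arriving on eth1 is
# answered through eth1. Assumed values (from the question's ip addr output
# plus conventions, not stated on the page): eth1 = 10.0.0.110/24,
# VPC router 10.0.0.1, routing table id 2, rule priority 1000.

# subnet_of ADDR PREFIXLEN -> network address, e.g. 10.0.0.110 24 -> 10.0.0.0
subnet_of() {
    local ip="$1" plen="$2" oldifs n mask
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    n=$(( n & mask ))
    printf '%d.%d.%d.%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 )) $(( n & 255 ))
}

# gen_policy_routing DEV ADDR PREFIXLEN GATEWAY TABLE -> prints the ip(8)
# commands; generation is separate from execution so they can be reviewed.
gen_policy_routing() {
    local net
    net=$(subnet_of "$2" "$3")
    # connected route for the subnet, seen from eth1
    printf 'ip route add %s/%s dev %s src %s table %s\n' "$net" "$3" "$1" "$2" "$5"
    # default route for that table, via the VPC router but out of eth1
    printf 'ip route add default via %s dev %s table %s\n' "$4" "$1" "$5"
    # anything sourced from eth1's address consults that table first
    printf 'ip rule add from %s/32 table %s priority 1000\n' "$2" "$5"
}

# apply_policy_routing: same arguments; executes the commands (needs root).
apply_policy_routing() {
    gen_policy_routing "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
    ip route flush cache
}

# Dry run by default; --apply executes on the instance. Afterwards SSH to
# eth1's public IP is answered on eth1 while eth0 keeps the main default route.
case "${1:-}" in
    --apply) apply_policy_routing eth1 10.0.0.110 24 10.0.0.1 2 ;;
    *)       gen_policy_routing eth1 10.0.0.110 24 10.0.0.1 2 ;;
esac
```

On RHEL 6 the same routes and rule can be made persistent in /etc/sysconfig/network-scripts/route-eth1 and rule-eth1, which ifup-routes applies when the interface comes up; the `ip rule` line is the part that is easy to forget, and without it the table is never consulted.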
Answer 1
It works!
#!/bin/bash
# Version 1.0 - Stable
# --------------------------------------------
# Amazon EC2 instance + VPC + RHEL 6.4 64-bit
# eth0: 10.0.0.108 public ip: 8.8.8.8
# eth1: 10.0.0.27 public ip: 9.9.9.9
#
# VPN Sever: 2.2.2.2
#
amazonEth0="10.0.0.8"
amazonWan0="8.8.8.8"
vpnServer="2.2.2.2"
hosttoHost=(10.109.0.20/32 10.109.0.21/32 10.109.58.6/32 10.109.59.3/32)
pingHost=(10.109.0.20 10.109.0.21 10.109.58.6 10.109.59.3)
# Step 0
yum -y install openswan
cat > /etc/ipsec.d/secret.secrets << EOF
# Step 1
# "123" is a placeholder: use a long random PSK and keep this file mode 0600
$vpnServer 0.0.0.0 %any: PSK "123"
EOF
cat > /etc/ipsec.conf << \EOF
# Step 2
version 2.0 # conforms to second version of ipsec.conf specification
config setup
        plutodebug="all"
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=no
        virtual_private=
        oe=off
include /etc/ipsec.d/*.conf
EOF
for i in 1 2 3 4
do
cat > /etc/ipsec.d/test$i.conf << EOF
#Step 3
conn test$i
        #auto=start
        type=tunnel
        authby=secret
        pfs=no
        aggrmode=no
        ikelifetime=28800s
        lifetime=3600s
        # Proposals as dictated by the remote side's administrator (see the
        # question); MD5 and modp1024 are weak by current standards
        ike=aes128-md5;modp1024!
        phase2alg=aes128-md5;modp1024
        forceencaps=yes
        # left must be an address this instance actually holds (the private
        # VPC address); the Elastic IP is only used as the IKE identity
        left=$amazonEth0
        leftid=$amazonWan0
        leftsourceip=$amazonWan0
        right=$vpnServer
        rightsubnet=${hosttoHost[$i-1]}
EOF
done
### Run me
cat > /tmp/vpn.sh << EOF
#!/bin/bash
service ipsec restart
ipsec auto --add test1
ipsec auto --add test2
ipsec auto --add test3
ipsec auto --add test4
ipsec auto --up test1
ipsec auto --up test2
ipsec auto --up test3
ipsec auto --up test4
ipsec auto --status
ip xfrm policy
ip route show
ping -c 1 ${pingHost[0]};
ping -c 1 ${pingHost[1]};
ping -c 1 ${pingHost[2]};
ping -c 1 ${pingHost[3]};
EOF
chmod +x /tmp/vpn.sh
# Finishing - touch
/tmp/vpn.sh
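Pluto's `022 "test": We cannot identify ourselves with either end of this connection` in the question means that neither `left=` nor `right=` is an address held by a local interface; an EC2 instance only ever has its private VPC address, so the answer sets `left=` to that address and moves the Elastic IP into `leftid=`. The check below is an added example, not part of the answer: it reads a conn file and reports which end is local before `ipsec auto --up` is attempted. The sample conn files, the address list and the function names are constructed for the example; on a real host the list comes from `local_addrs`.

```shell
#!/bin/sh
# Added example, not from the original answer: a pre-flight check for
# "We cannot identify ourselves with either end of this connection".
# Function names and sample data are constructed for this example.

# conn_value FILE KEY -> value of the first "KEY=..." line (ignores comments)
conn_value() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# local_addrs -> IPv4 addresses currently configured on this host, one per line
local_addrs() {
    ip -4 -o addr show | awk '{split($4, a, "/"); print a[1]}'
}

# has_addr ADDR "addr addr ..." -> 0 if ADDR is in the list
has_addr() {
    local want="$1" a
    for a in $2; do
        [ "$a" = "$want" ] && return 0
    done
    return 1
}

# check_conn FILE "local addrs" -> prints left|right|none; exit 1 on none,
# which is exactly the case in which pluto reports error 022.
check_conn() {
    local f="$1" addrs="$2" left right
    left=$(conn_value "$f" left)
    right=$(conn_value "$f" right)
    if has_addr "$left" "$addrs"; then
        echo left
    elif has_addr "$right" "$addrs"; then
        echo right
    else
        echo none
        return 1
    fi
}

# Constructed samples: the failing shape from the question (left is a public
# address the instance does not own) and the working shape from the answer
# (left is the private VPC address, the Elastic IP lives in leftid).
tmpdir=$(mktemp -d)
cat > "$tmpdir/bad.conf" <<'EOF'
conn test
        left=203.0.113.7
        right=198.51.100.5
EOF
cat > "$tmpdir/good.conf" <<'EOF'
conn test
        left=10.0.0.41
        leftid=203.0.113.7
        right=198.51.100.5
EOF
mine="10.0.0.41 127.0.0.1"   # constructed; on the instance use: mine=$(local_addrs)
check_conn "$tmpdir/bad.conf" "$mine" || echo "bad.conf: fix left=, pluto would report 022"
check_conn "$tmpdir/good.conf" "$mine"
rm -rf "$tmpdir"
```

Run it after writing the conn files and before `ipsec auto --up`; a result of `none` means the tunnel cannot come up regardless of the proposals or the PSK.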