IPsec tunnel: site-to-site VPN

This article describes how to set up a site-to-site IPsec VPN link with Openswan.

# yum install openswan lsof

To disable ICMP redirects on every interface (this takes effect immediately but does not survive a reboot):

# for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

Next, we modify the kernel parameters to allow IP forwarding and disable redirects permanently.

# vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Reload /etc/sysctl.conf:

# sysctl -p

We allow the necessary ports in the firewall: UDP 500 for IKE and port 4500 for NAT traversal. Please make sure that the rules do not conflict with existing firewall rules.

# iptables -A INPUT -p udp --dport 500 -j ACCEPT
# iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
# iptables -A INPUT -p udp --dport 4500 -j ACCEPT

Finally, we create the firewall rule for NAT, then save the ruleset so that it survives a reboot.

# iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP

# iptables-save > /etc/sysconfig/iptables
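The firewall rules above, as an added example that is not part of the original article: a small POSIX shell script that prints the rule set from variables and checks an iptables-save dump for the INPUT rules IPsec needs. Besides IKE (UDP 500) and NAT traversal (UDP 4500), ESP (IP protocol 50) must be accepted when the peers are not behind NAT; without it IKE completes but no tunnel traffic passes. Openswan uses UDP for NAT traversal, so the TCP 4500 rule is not needed and the script omits it. The addresses (from the RFC 5737 documentation ranges) and the sample dump are constructed.

```shell
#!/bin/sh
# Added example, not from the original article or Openswan.
# Assumption: the gateway uses iptables and iptables-save output format.

SITE_A_PUBLIC_IP="203.0.113.10"   # constructed sample value
SITE_A_SUBNET="10.1.0.0/24"       # constructed sample value
SITE_B_SUBNET="192.168.56.0/24"   # constructed sample value

# Print the rules the tunnel needs as iptables commands. ESP (protocol 50)
# is added to the article's list; the TCP 4500 rule is dropped (NAT-T is UDP).
ipsec_fw_rules() {
    cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -t nat -A POSTROUTING -s $SITE_A_SUBNET -d $SITE_B_SUBNET -j SNAT --to $SITE_A_PUBLIC_IP
EOF
}

# Read an iptables-save dump on stdin and check for the three INPUT rules.
# Returns 0 when all are present, 1 otherwise, naming each missing rule on stderr.
check_ipsec_input_rules() {
    dump=$(cat)
    missing=0
    for pattern in '-p udp .*--dport 500 .*-j ACCEPT' \
                   '-p udp .*--dport 4500 .*-j ACCEPT' \
                   '-p esp .*-j ACCEPT'; do
        if ! printf '%s\n' "$dump" | grep -Eq -- "^-A INPUT .*$pattern"; then
            echo "missing: -A INPUT $pattern" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed iptables-save dump: IKE and NAT-T are open but ESP is not.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT'

# Demonstration: the sample dump fails the check because ESP is missing.
printf '%s\n' "$SAMPLE_DUMP" | check_ipsec_input_rules || echo "ruleset incomplete"
```

On a live gateway, run `iptables-save | check_ipsec_input_rules` after loading the rules; the check is pattern based, so rules placed in a different chain or jumped to from INPUT are not recognised.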

 

Now define the tunnel in /etc/ipsec.conf. Every parameter line of a section must be indented: a line that starts in the first column ends the section, so the connection parameters below are indented under their conn line.

# vim /etc/ipsec.conf

## general configuration parameters ##
config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        ## disable opportunistic encryption in Red Hat ##
        oe=off

## connection definition in Red Hat ##
conn demo-connection-redhat
        type=tunnel
        authby=secret
        auto=start
        pfs=yes
        ikev2=propose
        ike=aes256-sha1;modp1024
        ## phase 2 ##
        phase2=esp
        phase2alg=aes256-sha1;modp1024
        aggrmode=no
        left=<siteA-public-IP>
        leftsubnet=<siteA-private-subnet>/netmask
        leftnexthop=%defaultroute
        right=<siteB-public-IP>
        rightsubnet=<siteB-private-subnet>/netmask
Next, set the pre-shared key in /etc/ipsec.secrets (both public IPs, then the PSK):

# vim /etc/ipsec.secrets

siteA-public-IP  siteB-public-IP:  PSK  "pre-shared-key"

Restart the IPsec service:

# /etc/init.d/ipsec restart

Finally, add a route to the remote private subnet (192.168.56.0/24 here) via the next hop on eth1:

# route add -net 192.168.56.0 netmask 255.255.255.0 gw 10.1.0.2 dev eth1
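A rendering and install helper for the configuration above, added here as an example and not part of the original article or of Openswan. It writes ipsec.conf and ipsec.secrets from variables, generates a random 256-bit pre-shared key, refuses a configuration that still contains `<placeholders>`, and creates the secrets file with mode 600, since the PSK is the whole of the peer authentication and must not be readable by other users. The cipher parameters are kept as on the page; note that modp1024 (DH group 2) and SHA-1 are dated choices, and modp2048 with a SHA-2 integrity algorithm is preferable where both peers support it. The addresses and the connection name are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original article or Openswan.
# Assumptions: Openswan with the netkey stack, a POSIX shell, /dev/urandom.

SITE_A_PUBLIC_IP="203.0.113.10"     # constructed sample value
SITE_A_SUBNET="10.1.0.0/24"         # constructed sample value
SITE_B_PUBLIC_IP="198.51.100.20"    # constructed sample value
SITE_B_SUBNET="192.168.56.0/24"     # constructed sample value
CONN_NAME="siteA-to-siteB"          # constructed sample value

# 32 random bytes, hex encoded: a 64-character PSK that is not guessable.
generate_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Render ipsec.conf; every parameter line is indented under its section.
render_ipsec_conf() {
    cat <<EOF
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off

conn $CONN_NAME
        type=tunnel
        authby=secret
        auto=start
        pfs=yes
        ikev2=propose
        ike=aes256-sha1;modp1024
        phase2=esp
        phase2alg=aes256-sha1;modp1024
        aggrmode=no
        left=$SITE_A_PUBLIC_IP
        leftsubnet=$SITE_A_SUBNET
        leftnexthop=%defaultroute
        right=$SITE_B_PUBLIC_IP
        rightsubnet=$SITE_B_SUBNET
EOF
}

# The secrets line must name both peers exactly as left and right above,
# otherwise pluto cannot find a key for the connection.
render_ipsec_secrets() {
    printf '%s %s: PSK "%s"\n' "$SITE_A_PUBLIC_IP" "$SITE_B_PUBLIC_IP" "$1"
}

# Return 1 if any <placeholder> from the template survived substitution.
check_no_placeholders() {
    ! grep -q '<[^>]*>' "$1"
}

# Write both files under directory $1 (default /etc) using PSK $2.
# The secrets file is created under umask 077 and then chmod 600.
install_ipsec_config() {
    dir=${1:-/etc}; psk=$2
    [ -n "$psk" ] || { echo "refusing to install an empty PSK" >&2; return 1; }
    render_ipsec_conf > "$dir/ipsec.conf"
    (umask 077; render_ipsec_secrets "$psk" > "$dir/ipsec.secrets")
    chmod 600 "$dir/ipsec.secrets"
    check_no_placeholders "$dir/ipsec.conf"
}
```

To use it on a gateway, set the four addresses, run `install_ipsec_config /etc "$(generate_psk)"` and share the generated key with the other site out of band; `ipsec verify` then reports sysctl and NAT traversal problems, and `ipsec auto --status` shows whether the connection came up after the service restart.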
