Point-to-point IPsec VPN between FortiGate and Openswan on AWS
- Installation and deployment
- Install FortiGate on AWS: search the Marketplace for FortiGate, launch the required version, then log in and import the license (LIC).
- Install Openswan
# yum -y install openswan lsof
# ipsec verify    // errors are expected on this first run; rerun it after the changes below
# vi /etc/sysctl.conf
Change
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
to
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
then load the new values:
# sysctl -p
Run the following command to append settings that disable ICMP redirects (accept and send) for every interface:
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
After it completes, run sysctl -p to apply the changed parameters.
or (alternatively, change the redirect settings directly):
for i in /proc/sys/net/ipv4/conf/*;    # writes /proc directly: immediate, but not persistent across a reboot
do
echo 0 > $i/accept_redirects;
echo 0 > $i/send_redirects;
done
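The sysctl changes above (ip_forward, rp_filter and the per-interface redirect flags) can be applied without hand-editing the file or appending duplicate lines. The following is an added example, not part of the original guide: it rewrites an existing sysctl.conf so that each managed key is set exactly once and reports any key whose effective value still differs. The file path, the interface list and the function names are assumptions.

```python
"""Idempotent management of the sysctl settings an Openswan gateway needs.

Added example, not from the original guide. It applies the same settings
the guide edits by hand (ip_forward=1, rp_filter=0, ICMP redirects off) but
rewrites existing lines instead of appending, so it is safe to run twice.
The interface list and the file path are assumptions to adapt.
"""
import re
import sys

# key = value, ignoring comment lines; sysctl accepts both '.' and '/' in keys.
SYSCTL_LINE = re.compile(r"^\s*([\w./-]+)\s*=\s*(\S+)\s*$")


def render_sysctl_settings(interfaces=("all", "default")):
    """Settings for an IPsec gateway. Redirects are disabled per interface
    because send_redirects is on if *either* conf/all or conf/<if> is on."""
    settings = {
        "net.ipv4.ip_forward": "1",              # route between tunnel and subnet
        "net.ipv4.conf.default.rp_filter": "0",  # asymmetric VPN paths trip rp_filter
    }
    for ifname in interfaces:
        settings[f"net.ipv4.conf.{ifname}.accept_redirects"] = "0"
        settings[f"net.ipv4.conf.{ifname}.send_redirects"] = "0"
    return settings


def parse_sysctl_conf(text):
    """{key: value} using the last assignment, which is what sysctl -p applies."""
    values = {}
    for line in text.splitlines():
        m = SYSCTL_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_sysctl_conf(text, settings):
    """Keys whose effective value in the file differs from the wanted one."""
    current = parse_sysctl_conf(text)
    return sorted(k for k, v in settings.items() if current.get(k) != v)


def merge_sysctl_conf(text, settings):
    """Return the file content with every managed key set exactly once: the
    first existing assignment is rewritten in place, later duplicates (e.g.
    from an earlier '>> /etc/sysctl.conf') are dropped, and keys the file
    lacks are appended. Unmanaged lines are left untouched."""
    out, seen = [], set()
    for line in text.splitlines():
        m = SYSCTL_LINE.match(line)
        key = m.group(1) if m else None
        if key in settings:
            if key in seen:
                continue
            seen.add(key)
            out.append(f"{key} = {settings[key]}")
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def apply_to_file(path="/etc/sysctl.conf", interfaces=("all", "default")):
    """Rewrite the file; run 'sysctl -p' afterwards to load it (needs root)."""
    settings = render_sysctl_settings(interfaces)
    with open(path) as fh:
        text = fh.read()
    new = merge_sysctl_conf(text, settings)
    if new != text:
        with open(path, "w") as fh:
            fh.write(new)
    return check_sysctl_conf(new, settings)   # [] means the file is compliant


if __name__ == "__main__":
    # Pass the interfaces present on the host, e.g. $(ls /proc/sys/net/ipv4/conf)
    print(apply_to_file(interfaces=tuple(sys.argv[1:]) or ("all", "default")))
```

Run it with the interface names found under /proc/sys/net/ipv4/conf (for example `python3 ipsec_sysctl.py all default eth0`, the script name being an assumption) and then `sysctl -p`. send_redirects stays enabled on an interface as long as either conf/all or that interface's own flag is 1, which is why the guide's loop touches every entry under conf/*. The `>> /etc/sysctl.conf` one-liner above appends a fresh set of lines each time it is run; the merge here is idempotent.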
Disable SELinux: setenforce 0 (turns SELinux off until the next reboot). To disable it permanently, edit /etc/selinux/config (vi /etc/selinux/config) and change
SELINUX=enforcing
to
SELINUX=disabled
Stop the firewall:
# /etc/init.d/iptables stop
# chkconfig iptables off
or
allow the Openswan service ports and NAT rules:
iptables -A INPUT -p udp --dport 500 -j ACCEPT     # IKE
iptables -A INPUT -p tcp --dport 4500 -j ACCEPT    # not used by IPsec; NAT-Traversal runs over UDP only
iptables -A INPUT -p udp --dport 4500 -j ACCEPT    # IKE and ESP over NAT-Traversal
Run chkconfig ipsec on so the ipsec service starts at boot.
Start ipsec with service ipsec restart, then run ipsec verify again to re-check the setup.
- Configure Openswan
cat /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/

config setup
    # Normally, pluto logs via syslog.
    logfile=/var/log/pluto.log
    #
    # Do not enable debug options to debug configuration issues!
    #
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least up to 2015)
    virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
cat /etc/ipsec.d/ipsec.conf
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/16
    oe=off

conn vpn-to-openswan
    ##phase 1##
    authby=secret
    auto=start
    ike=aes128-sha1
    keyexchange=ike
    ikelifetime=86400
    aggrmode=yes
    ##phase 2##
    phase2=esp
    phase2alg=aes128-sha1
    compress=no
    pfs=no
    type=tunnel
    keylife=43200
    leftid=52.194.222.255
    left=192.168.14.113
    #leftsourceip=52.194.222.255
    leftsubnet=192.168.0.0/16
    leftnexthop=%defaultroute
    right=54.238.113.251
    rightid=54.238.113.251
    rightsubnet=10.0.0.0/16
    rightnexthop=%defaultroute
cat /etc/ipsec.d/ipsec.secret
x.x.x.x (local public IP) x.x.x.x (peer public IP) : PSK "Qwer@123456"
Restart the service:
systemctl restart ipsec
Check the Openswan log:
tail -f /var/log/pluto.log
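The conn above only comes up if every phase 1/2 parameter agrees with the FortiGate side (aggressive mode, aes128-sha1 in both phases, no PFS, the 86400/43200 s lifetimes) and if pluto actually reads the file as sections with indented parameters. The following added example, not code from the guide or from Openswan, parses an ipsec.conf and an ipsec.secrets file in the format shown above and reports any mismatch against the FortiGate settings. The sample conn uses RFC 5737 documentation addresses for the public IPs; FORTIGATE_SIDE, the function names and the 20-character PSK floor are assumptions.

```python
"""Parse an Openswan/Libreswan ipsec.conf and check a site-to-site conn
against what the FortiGate peer is configured with. Added example, not code
from the guide or Openswan. FORTIGATE_SIDE restates the guide's tunnel
settings in ipsec.conf vocabulary; sample files, RFC 5737 IPs and the
20-character PSK floor are assumptions."""
import re

COMMENT_RE = re.compile(r"(^|\s)#.*$")   # '#' at line start or after whitespace
SECTION_RE = re.compile(r"^(config\s+setup|conn\s+\S+)$")
PARAM_RE = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=\s*(.*)$")
SECRET_RE = re.compile(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"')

def parse_ipsec_conf(text):
    """{section: {key: value}}. A line in column 0 opens a section ('config
    setup' / 'conn NAME'); parameters must be indented. An unindented key=value
    is rejected, since pluto would take it for a section header, not a setting."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            m = PARAM_RE.match(line)
            if m is None or current is None:
                raise ValueError(f"line {lineno}: parameter outside a section")
            sections[current][m.group(1)] = m.group(2)
        elif line.startswith("include "):
            continue                       # pluto resolves includes; not needed here
        elif SECTION_RE.match(line):
            current = "setup" if line.startswith("config") else line.split(None, 1)[1]
            sections.setdefault(current, {})
        else:
            raise ValueError(f"line {lineno}: unindented parameter or bad section: {raw!r}")
    return sections

def parse_secrets(text):
    """[(ids, psk)] from ipsec.secrets lines of the form 'ID ID : PSK "secret"'."""
    entries = []
    for raw in text.splitlines():
        m = SECRET_RE.match(COMMENT_RE.sub("", raw).strip())
        if m:
            entries.append((set(m.group(1).split()), m.group(2)))
    return entries

def check_site_to_site(conf, conn_name, peer):
    """Findings where the conn disagrees with the peer's phase 1/2 settings (the
    usual reason a tunnel never completes phase 1 or 2) or lacks a parameter a
    NATed AWS gateway must set. An empty list means consistent."""
    conn = conf.get(conn_name)
    if conn is None:
        return [f"conn {conn_name}: not defined"]
    findings = [f"{k}: local={conn.get(k)!r} peer={v!r}"
                for k, v in peer.items() if conn.get(k) != v]
    # left= is the instance's private address; leftid= must carry the public IP
    # the peer expects, or the identities will not match behind AWS's 1:1 NAT.
    findings += [f"{k}: missing" for k in ("leftid", "rightid", "leftsubnet", "rightsubnet")
                 if k not in conn]
    return findings

def check_psk(secrets, left_id, right_id, min_len=20):
    """Locate the PSK covering both IDs and require a minimum length. Aggressive
    mode sends the IDs and a PSK-derived hash before the exchange is encrypted,
    so a short secret is exposed to offline guessing; the floor is an assumption."""
    for ids, psk in secrets:
        if "%any" in ids or ids >= {left_id, right_id}:
            if len(psk) < min_len:
                return [f"PSK for {left_id}<->{right_id}: {len(psk)} chars, want >= {min_len}"]
            return []
    return [f"no PSK entry covers {left_id} and {right_id}"]

# Constructed sample mirroring the guide's conn; public IPs are RFC 5737 addresses.
SAMPLE_CONF = """\
conn vpn-to-fortigate
    authby=secret
    ike=aes128-sha1
    ikelifetime=86400
    aggrmode=yes
    phase2alg=aes128-sha1
    pfs=no
    type=tunnel
    keylife=43200
    left=192.168.14.113           # private address of the instance
    leftid=203.0.113.10           # its public IP, sent as the IKE identity
    leftsubnet=192.168.0.0/16
    right=198.51.100.20
    rightid=198.51.100.20
    rightsubnet=10.0.0.0/16
"""
SAMPLE_SECRETS = '203.0.113.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"\n'
FORTIGATE_SIDE = {"authby": "secret", "aggrmode": "yes", "ike": "aes128-sha1",
                  "ikelifetime": "86400", "phase2alg": "aes128-sha1", "pfs": "no",
                  "keylife": "43200", "type": "tunnel"}

if __name__ == "__main__":
    findings = check_site_to_site(parse_ipsec_conf(SAMPLE_CONF), "vpn-to-fortigate", FORTIGATE_SIDE)
    findings += check_psk(parse_secrets(SAMPLE_SECRETS), "203.0.113.10", "198.51.100.20")
    print("\n".join(findings) or "conn and PSK consistent with the FortiGate side")
```

To audit a live gateway, feed parse_ipsec_conf the contents of /etc/ipsec.d/*.conf and parse_secrets the secrets file. Two details matter in practice: pluto treats any line that starts in column 0 as a section header, so parameters printed without indentation are not read as settings, and with aggressive mode the strength of the PSK is what protects the phase 1 exchange, so use a long random secret rather than a short memorable one.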
- FortiGate deployment
IPsec VPN tunnel configuration: aggressive mode, with PFS disabled in phase 2.
Firewall policy.
Static routes: the route to the peer subnet points at the VPN interface; the local subnet points at port1.
The AWS subnet route table must have a route pointing to the FortiGate network interface.
Source/destination check must be disabled on the FortiGate network interface.
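The last two points above (a VPC route to the FortiGate interface, source/destination check off) are the AWS-side settings that leave a tunnel that is up but passes no traffic when they are missed. As an added example that is not part of the guide, the check below takes a route table and a network interface description in the shape returned by the EC2 API (describe_route_tables / describe_network_interfaces) and lists what is wrong; the route table, ENI and instance IDs are constructed, the CIDRs follow the guide, and audit_live is an assumption that uses boto3 only if it is installed.

```python
"""Audit the AWS-side routing for the tunnel: remote CIDRs must be routed to
the FortiGate's network interface, and that interface must have
source/destination check disabled. Added example, not from the guide.
Input dicts are shaped like the EC2 API's describe_route_tables and
describe_network_interfaces responses; all IDs are constructed."""


def audit_vpn_routing(route_table, eni, remote_cidrs):
    """Return a list of findings; empty means every remote CIDR is routed to
    the ENI by an active route and the ENI may forward traffic not its own."""
    findings = []
    eni_id = eni["NetworkInterfaceId"]
    # EC2 drops packets whose source or destination is not the ENI's own
    # address unless the check is off; forwarded VPN traffic is exactly that.
    if eni.get("SourceDestCheck", True):
        findings.append(f"{eni_id}: source/destination check still enabled")
    routes = {r.get("DestinationCidrBlock"): r for r in route_table["Routes"]}
    for cidr in remote_cidrs:             # exact-match lookup; no longest-prefix logic
        route = routes.get(cidr)
        if route is None:
            findings.append(f"{cidr}: no route in {route_table['RouteTableId']}")
        elif route.get("NetworkInterfaceId") != eni_id:
            target = route.get("NetworkInterfaceId") or route.get("GatewayId") or "?"
            findings.append(f"{cidr}: routed to {target}, expected {eni_id}")
        elif route.get("State") != "active":
            # 'blackhole' means the ENI is detached or its instance is gone
            findings.append(f"{cidr}: route state is {route.get('State')}")
    return findings


def audit_live(route_table_id, eni_id, remote_cidrs):
    """Same check against the real account (needs boto3 and ec2:Describe* rights)."""
    import boto3  # imported here so the offline sample runs without it
    ec2 = boto3.client("ec2")
    rt = ec2.describe_route_tables(RouteTableIds=[route_table_id])["RouteTables"][0]
    eni = ec2.describe_network_interfaces(NetworkInterfaceIds=[eni_id])["NetworkInterfaces"][0]
    return audit_vpn_routing(rt, eni, remote_cidrs)


# Constructed sample: FortiGate VPC 10.0.0.0/16, Openswan side 192.168.0.0/16 as in the guide.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/16", "NetworkInterfaceId": "eni-0fortigate",
         "InstanceId": "i-0fortigate", "State": "active"},
    ],
}
SAMPLE_ENI = {"NetworkInterfaceId": "eni-0fortigate", "SourceDestCheck": False}

if __name__ == "__main__":
    print(audit_vpn_routing(SAMPLE_ROUTE_TABLE, SAMPLE_ENI, ["192.168.0.0/16"]) or "routing OK")
```

The same check applies to the Openswan instance's own VPC (its subnet route table needs 10.0.0.0/16 pointed at the Openswan ENI, with source/destination check off on that ENI), since any EC2 instance that forwards packets needs both settings.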