Assume the AWS VPC uses the 10.100.0.0/16 address range and the Azure VirtualNetwork uses 10.50.0.0/16.
Set up the Azure VPC:
Azure Portal -> New
-> Resource -> Create -> name=StudyVPN, Location=WestUS
-> Networking -> VirtualNetwork
-> Name=US
-> Address Space=10.50.0.0/16
-> Subnet Name=default
-> Subnet address range=10.50.0.0/24
-> Location = WestUS
-> Virtual Machines -> Ubuntu Server 14.04
-> Name=VPN
-> Location = WestUS
-> DS1_V2 Standard
First configure both the AWS EC2 Security Group and the Azure Network security group so that each allows the other side's VPN IP. In this example the AWS machine is in EU-West-1 and the Azure machine is in WestUS; once the firewalls are set, ping each other first.
On the VPN server in EU-West-1, whose public IP is 52.209.16.24:
$ ping 13.88.186.107
On the VPN server in Azure WestUS, whose public IP is 13.88.186.107:
$ ping 52.209.16.24
Set up the Azure VPN server first:
$ sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade && sudo apt-get autoremove && sudo apt-get autoclean
$ sudo apt-get install openswan
$ ls /etc/ipsec*
/etc/ipsec.conf /etc/ipsec.secrets
/etc/ipsec.d:
aacerts cacerts certs crls examples ocspcerts policies private
$ sudo ipsec setup version
Linux Openswan U2.6.38/K3.19.0-65-generic (netkey)
See `ipsec --copyright' for copyright information.
$ sudo vim /etc/ipsec.d/AWS-EU-WEST-1.conf
conn Connect-to-AWS-EU-WEST-1
type=tunnel
authby=secret
leftid=13.88.186.107
left=%defaultroute
leftsubnet=10.50.0.0/16
leftnexthop=%defaultroute
right=52.209.16.24
rightsubnet=10.100.0.0/16
pfs=yes
auto=start
$ sudo vim /etc/ipsec.d/AWS-EU-WEST-1.secrets
13.88.186.107 52.209.16.24 : PSK "IPSEC_PASSWORD"
$ sudo vim /etc/ipsec.conf
#protostack=auto
protostack=netkey
#...
include /etc/ipsec.d/AWS-EU-WEST-1.conf
$ sudo vim /etc/ipsec.secrets
include /etc/ipsec.d/AWS-EU-WEST-1.secrets
$ sudo ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-65-generic...
Update the AWS VPN server:
$ sudo vim /etc/ipsec.d/AZURE-US-WEST.conf
conn Connect-to-AZURE-EU-WEST
type=tunnel
authby=secret
leftid=52.209.16.24
left=%defaultroute
leftsubnet=10.100.0.0/16
leftnexthop=%defaultroute
right=13.88.186.107
rightsubnet=10.50.0.0/16
pfs=yes
auto=start
$ sudo vim /etc/ipsec.d/AZURE-US-WEST.secrets
$ sudo ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.37/K4.4.11-23.53.amzn1.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Once both sides are configured and have been restarted with ipsec setup restart, either side can bring up the connection to the other with:
Azure VPN server:
$ sudo ipsec auto --up Connect-to-AWS-EU-WEST-1
117 "Connect-to-AWS-EU-WEST-1" #4: STATE_QUICK_I1: initiate
004 "Connect-to-AWS-EU-WEST-1" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x29ba22d7 <0x68b944dd xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=52.209.16.24:4500 DPD=none}
AWS VPN server:
$ sudo ipsec auto --up Connect-to-AZURE-EU-WEST
117 "Connect-to-AZURE-EU-WEST" #6: STATE_QUICK_I1: initiate
004 "Connect-to-AZURE-EU-WEST" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x74246b5f <0x7156f72b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=13.88.186.107:4500 DPD=none}
The two sides can then ping each other's private IP!
Next, the routing tables still need to be set up; after using Change Source/Dest. Check on the AWS VPN server instance and enabling IP forwarding on the Azure VPN server's network interface, machines on both sides can ping each other:
For AWS, in VPC Dashboard -> Route, add a route for 10.50.0.0/16 pointing at the AWS VPN server to every relevant subnet's route table (don't forget: if this is the first time setting up a VPN server on EC2, also edit that instance from the EC2 Dashboard and disable Source/Dest. Check via Change Source/Dest. Check).
For Azure, Azure portal -> New -> Networking -> Route table; after creating it, configure it:
Resource -> Route table -> Settings
-> Routes -> Add -> Route name=ToAWS, Address prefix=10.100.0.0/16, Next hop type=Virtual appliance -> Next hop address=10.50.0.4 (Azure VPN Server Private IP)
-> Subnet -> Associate subnet -> choose the VirtualNetwork, choose the Subnet
Finally, remember to get the NAT-related settings right. For example, the VPN server on Azure was installed on a clean Ubuntu 14.04, so the following also had to be configured:
$ echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.accept_redirects = 0" | sudo tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.send_redirects = 0" | sudo tee -a /etc/sysctl.conf
$ for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 | sudo tee $vpn/accept_redirects; echo 0 | sudo tee $vpn/send_redirects; done
$ sudo sysctl -p
Other notes:
$ sudo ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.38...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
Fix => protostack=netkey
$ sudo ipsec auto --up Connect-to-AWS-EU-WEST-1
022 "Connect-to-AWS-EU-WEST-1": We cannot identify ourselves with either end of this connection.
Fix => first clear the other error messages, such as the ones seen from sudo ipsec setup restart, then check the conn settings; a misconfigured conn also produces this message.
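The "cannot identify ourselves" error and the mirrored conn blocks above go together: each side's leftid/right and leftsubnet/rightsubnet must be the other side's values swapped, and the PSK line's two selectors must be exactly that conn's leftid and right. Below is an added checker (my own, not part of the original post or of Openswan) that parses the two conn blocks from this post, constructed inline, and reports anything that fails to mirror before you run ipsec setup restart.

```python
# Constructed copies of the two conn blocks from this post: Azure side and AWS side.
AZURE_CONF = """conn Connect-to-AWS-EU-WEST-1
    type=tunnel
    authby=secret
    leftid=13.88.186.107
    left=%defaultroute
    leftsubnet=10.50.0.0/16
    leftnexthop=%defaultroute
    right=52.209.16.24
    rightsubnet=10.100.0.0/16
    pfs=yes
    auto=start"""
AWS_CONF = """conn Connect-to-AZURE-EU-WEST
    type=tunnel
    authby=secret
    leftid=52.209.16.24
    left=%defaultroute
    leftsubnet=10.100.0.0/16
    leftnexthop=%defaultroute
    right=13.88.186.107
    rightsubnet=10.50.0.0/16
    pfs=yes
    auto=start"""

def parse_conn(text):
    """Return (name, params) for the first conn section in an ipsec.conf fragment."""
    name, params = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return name, params

# Each (mine, theirs) pair must agree across peers: one side's left is the other side's right.
MIRROR = [("leftid", "right"), ("right", "leftid"),
          ("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")]

def mirror_mismatches(a, b):
    """Describe every setting that fails to mirror between peer conn blocks a and b."""
    (an, ap), (bn, bp) = a, b
    return [f"{an} {mine}={ap.get(mine)} != {bn} {theirs}={bp.get(theirs)}"
            for mine, theirs in MIRROR if ap.get(mine) != bp.get(theirs)]

def psk_ids_match(secrets_line, conn):
    """True when the PSK line's two selectors are exactly this conn's leftid and right."""
    ids = set(secrets_line.split(":", 1)[0].split())
    return ids == {conn[1].get("leftid"), conn[1].get("right")}
```

Feed it the real files with parse_conn(open("/etc/ipsec.d/AWS-EU-WEST-1.conf").read()) on one side and the peer's file on the other; an empty list from mirror_mismatches means the two conn blocks agree.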