...
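#!/usr/bin/env bash
# Provision a CentOS/RHEL 7 instance as the cloud-side IPsec endpoint for the
# CMTS tunnels (strongSwan, IKEv1, pre-shared key).
#
# Required environment:
#   CLOUD_IP   - internal IP address of this instance (left / leftid)
#   CMTS_IP    - IP address of the CMTS (right / rightid)
#   IPSEC_PSK  - the pre-shared key; taken from the environment (or a file
#                sourced into it) rather than typed on a command line, so it
#                does not end up in shell history or in `ps` output
#
# Must run as root: it writes network-scripts, /etc/resolv.conf and the
# strongSwan configuration, and restarts the network service.
set -euo pipefail

# Transfer network: strongSwan expects packets from/to 172.20.0.0/22, so the
# secondary address must carry the /22 mask (255.255.252.0). The /24 mask
# 255.255.255.0 contradicts leftsubnet below and the /22 used when the
# address is added by hand during tunnel tests.
readonly transfer_addr=172.20.0.1
readonly transfer_mask=255.255.252.0
readonly transfer_net=172.20.0.0/22
readonly ifcfg_dir=/etc/sysconfig/network-scripts
readonly ipsec_conf=/etc/strongswan/ipsec.conf
readonly ipsec_secrets=/etc/strongswan/ipsec.secrets

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Append stdin to a file unless it already contains a marker string, so a
# second run of this script does not duplicate stanzas.
# Arguments: $1 - file to append to
#            $2 - literal marker that identifies an already-applied stanza
#######################################
append_once() {
  local file=$1 marker=$2
  if [[ -e "$file" ]] && grep -qF -- "$marker" "$file"; then
    printf 'skip: %s already contains "%s"\n' "$file" "$marker" >&2
    return 0
  fi
  cat >> "$file"
}

#######################################
# Create the eth0:0 alias carrying the transfer address and stop the network
# scripts from rewriting /etc/resolv.conf.
#######################################
configure_transfer_network() {
  # '>' rather than '>>': the alias file is owned by this script and is
  # rewritten as a whole on every run
  cat > "$ifcfg_dir/ifcfg-eth0:0" <<EOF
BOOTPROTO=static
DEVICE=eth0:0
ONBOOT=yes
IPADDR=$transfer_addr
NETMASK=$transfer_mask
EOF
  # disable automatic updating of /etc/resolv.conf
  append_once "$ifcfg_dir/ifcfg-eth0" 'PEERDNS=no' <<'EOF'
DNS1=127.0.0.1
PEERDNS=no
EOF
}

#######################################
# Clear /etc/resolv.conf once. Done after the package install: yum needs
# working name resolution, and the local resolver on 127.0.0.1 that DNS1
# points at is not set up by this script.
#######################################
configure_resolver() {
  : > /etc/resolv.conf
}

install_strongswan() {
  yum install -y strongswan
}

#######################################
# Append the three connection definitions to ipsec.conf.
# Arguments: $1 - cloud-side IP, $2 - CMTS IP
#######################################
write_ipsec_conf() {
  local cloud_ip=$1 cmts_ip=$2
  # Proposals must match what the CMTS offers. SHA-1 and MODP-1536 (DH group
  # 5) are legacy choices; move to sha256/modp2048 or better as soon as the
  # peer supports them.
  append_once "$ipsec_conf" 'conn cmts-cm' <<EOF
conn cmts-cm
    left=$cloud_ip
    leftsubnet=$transfer_net
    leftid=$cloud_ip
    leftfirewall=yes
    right=$cmts_ip
    rightsubnet=10.0.0.0/19
    rightid=$cmts_ip
    auto=start
    ike=aes256-sha-modp1536
    esp=aes256-sha1-modp1536
    keyexchange=ikev1
    authby=secret

conn cmts-cpepriv
    also=cmts-cm
    rightsubnet=100.64.0.0/22

conn cmts-mta
    also=cmts-cm
    rightsubnet=100.96.0.0/22
EOF
}

#######################################
# Add the pre-shared key to ipsec.secrets.
# Arguments: $1 - cloud-side IP, $2 - CMTS IP, $3 - the PSK
#######################################
write_ipsec_secret() {
  local cloud_ip=$1 cmts_ip=$2 psk=$3
  # the secrets file must stay root-only; create/tighten it before writing
  touch "$ipsec_secrets"
  chmod 600 "$ipsec_secrets"
  # NOTE: a PSK containing a double quote needs escaping per ipsec.secrets(5)
  append_once "$ipsec_secrets" "$cloud_ip $cmts_ip : PSK" <<EOF
$cloud_ip $cmts_ip : PSK "$psk"
EOF
}

main() {
  # 'sudo su -' inside a script only opens an interactive shell; the caller
  # must already be root (e.g. run the script under sudo)
  (( EUID == 0 )) || die "run as root (e.g. sudo $0)"
  local cloud_ip=${CLOUD_IP:?set CLOUD_IP to the internal IP of this instance}
  local cmts_ip=${CMTS_IP:?set CMTS_IP to the IP of the CMTS}
  local psk=${IPSEC_PSK:?set IPSEC_PSK to the pre-shared key}

  configure_transfer_network
  install_strongswan
  configure_resolver
  write_ipsec_conf "$cloud_ip" "$cmts_ip"
  write_ipsec_secret "$cloud_ip" "$cmts_ip" "$psk"
  # restart network so eth0:0 and PEERDNS=no take effect
  systemctl restart network.service
  # enable strongswan at boot
  systemctl enable strongswan
}

main "$@"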
Setup, test and teardown of IPsec tunnels
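#!/usr/bin/env bash
# Setup, test and teardown of the CMTS IPsec tunnels: add the transfer
# address, start strongSwan, bring the three connections up, verify that the
# routes to the bundle interface addresses are selected into the tunnel and
# that those addresses answer a ping, then tear everything down again.
#
# Must run as root on the instance that carries the strongSwan configuration
# (connections cmts-cm, cmts-cpepriv, cmts-mta).
set -euo pipefail

# transfer address on eth0 (secondary IP), since strongswan expects packets
# from/to 172.20.0.0/22
readonly transfer_cidr=172.20.0.1/22
readonly transfer_ip=${transfer_cidr%/*}
# connection names in bring-up order; torn down in reverse
readonly -a conns=(cmts-cm cmts-cpepriv cmts-mta)
# bundle interface address reached through each connection (same order)
readonly -a targets=(10.0.31.254 100.64.3.254 100.96.3.254)

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Tear down all tunnels and stop strongSwan. Installed as EXIT trap so the
# tunnels do not stay up when a route check or a ping fails half-way.
#######################################
teardown() {
  local i
  for (( i = ${#conns[@]} - 1; i >= 0; i-- )); do
    strongswan down "${conns[i]}" || true   # best effort: may already be down
  done
  systemctl stop strongswan || true
}

#######################################
# Add the transfer address, start strongSwan and bring every tunnel up.
#######################################
setup() {
  local conn
  # 'replace' instead of 'add': does not fail with "File exists" when the
  # address is already configured (e.g. via ifcfg-eth0:0 at boot)
  ip addr replace "$transfer_cidr" dev eth0
  systemctl start strongswan
  trap teardown EXIT
  for conn in "${conns[@]}"; do
    strongswan up "$conn"
  done
}

#######################################
# Verify the route to $1 originates from the transfer address, i.e. the
# traffic goes through the tunnel. Expected output, for example:
#   10.0.31.254 via <cmts-ip> dev eth0 src 172.20.0.1
#######################################
check_route() {
  local dst=$1 route
  route=$(ip route get "$dst")
  printf '%s\n' "$route"
  [[ "$route" =~ [[:space:]]src[[:space:]]+${transfer_ip//./\\.}([[:space:]]|$) ]] \
    || die "route to $dst does not originate from $transfer_ip"
}

#######################################
# Ping each bundle interface address once (-c1). Under set -e the first
# unreachable target aborts the run and the EXIT trap tears the tunnels down.
# Expected output, for example:
#   PING 10.0.31.254 (10.0.31.254) 56(84) bytes of data.
#   64 bytes from 10.0.31.254: icmp_seq=1 ttl=255 time=0.475 ms
#######################################
check_reachability() {
  local target
  for target in "${targets[@]}"; do
    ping -c1 "$target"
  done
}

main() {
  local target
  (( EUID == 0 )) || die "run as root"
  setup
  for target in "${targets[@]}"; do
    check_route "$target"
  done
  check_reachability
  # teardown of the tunnels and strongSwan runs via the EXIT trap
}

main "$@"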