How to build an IPsec tunnel between a Checkpoint device and an EC2 instance in AWS Beijing

Background

To connect the office intranet directly with the AWS intranet, I started a "backbone network" project, which in practice means linking the office intranet to the intranet of each AWS node.

  • Between AWS overseas nodes it is easy: there is Transit Gateway
  • AWS Beijing to AWS overseas is also easy: use wireguard

The hard part is the link between the office and AWS Beijing, because I have no resources on the office intranet and could only ask the network group of the group's IT team for help. As luck would have it, their link to the headquarters intranet also uses an IPsec setup, so I could simply follow the same pattern.

Preparation

Steps

On the Checkpoint side

  • Public IP: 3.3.3.3 (assumed)
  • Local network: 10.0.1.0/24

On the EC2 side

  • Elastic IP: 2.2.2.2 (assumed)
  • Local network: 10.0.0.10/24
# bind the Elastic IP to a loopback alias so the host can use it as its IKE identity;
# write the configuration to a file (takes effect after the next boot)
cat > /etc/sysconfig/network-scripts/ifcfg-lo:elastic <<EOF
DEVICE=lo:elastic
# use your elastic ip here, supposed 2.2.2.2 here
IPADDR=2.2.2.2
NETMASK=255.255.255.255
ONBOOT=yes
NAME=elasticIP
EOF

# take effect immediately (iproute2 takes the real device plus a label,
# not "lo:elastic" as the device name)
ip addr add 2.2.2.2/32 dev lo label lo:elastic
# software installation
yum -y install libreswan
# kernel tune: forward between the tunnel and the VPC, and disable reverse-path
# filtering on the interfaces that ESP traffic crosses, otherwise decapsulated
# packets from 10.0.1.0/24 are dropped as spoofed
cat > /etc/sysctl.d/libreswan.conf <<EOF
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
EOF

# make the kernel variables take effect
sysctl -p /etc/sysctl.d/libreswan.conf
# PSK here (libreswan reads /etc/ipsec.d/*.secrets by default;
# the same string must be configured on the Checkpoint)
cat > /etc/ipsec.d/ofc.secrets <<EOF
2.2.2.2 3.3.3.3 : PSK "mypskstring"
EOF

# connection definition; libreswan reads /etc/ipsec.d/*.conf by default,
# and parameters inside a section must be indented
cat > /etc/ipsec.d/ofc.conf <<EOF
config setup
    protostack=netkey

conn ofc
    authby=secret
    auto=start
    # Amazon does not route ESP/AH packets, so these must be encapsulated in UDP
    encapsulation=yes
    # the following 4 lines must match the
    # configuration at the checkpoint in the office
    ike=aes128-sha1;modp1024
    ikelifetime=24h
    esp=aes128-sha1
    salifetime=24h
    left=%defaultroute
    # set our ID to your (static) elastic IP
    leftid=2.2.2.2
    leftsubnets=10.0.0.0/24,2.2.2.2/32
    # remote endpoint IP
    right=3.3.3.3
    rightsubnet=10.0.1.0/24
    # dead peer detection: probe every 10s, rebuild the tunnel after 60s of silence
    dpdaction=restart
    dpddelay=10
    dpdtimeout=60
EOF

ipsec start
systemctl enable ipsec

It’s OK now.
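Once `ipsec start` returns, the thing worth confirming is that an ESP SA actually exists for the `ofc` connection, that bytes flow in both directions, and that the kernel settings above are live. The script below is an added example, not part of the original post: it parses the output of libreswan's `ipsec trafficstatus` and of `sysctl` (constructed samples here, in the shape those commands print; the live commands are in the comments), so the same check can run from cron or a monitoring agent on the EC2. It assumes the interface is `eth0`, as in the sysctl file above.

```shell
#!/bin/sh
# Health check for the "ofc" tunnel on the EC2 side.
# Constructed samples in the shape libreswan and sysctl print; for live use:
#   STATUS="$(ipsec trafficstatus)"
#   SETTINGS="$(sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter net.ipv4.conf.eth0.rp_filter)"
SAMPLE_UP="006 #2: \"ofc\", type=ESP, add_time=1600000000, inBytes=48210, outBytes=51012, id='3.3.3.3'"
SAMPLE_DOWN=""
SAMPLE_SYSCTL_OK="net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0"
SAMPLE_SYSCTL_BAD="net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0"

# tunnel_state CONN STATUS: prints "up" when an ESP SA exists for CONN, else "down"
tunnel_state() {
    if printf '%s\n' "$2" | grep -q "\"$1\", type=ESP"; then echo up; else echo down; fi
}

# esp_bytes CONN STATUS: prints "<inBytes> <outBytes>" of the first ESP SA for CONN ("0 0" if none).
# inBytes staying at 0 while outBytes grows is the classic sign of a one-way tunnel
# (return route missing on the office side, or UDP 4500 blocked in one direction).
esp_bytes() {
    line=$(printf '%s\n' "$2" | grep "\"$1\", type=ESP" | head -n 1)
    if [ -z "$line" ]; then echo "0 0"; return 0; fi
    inb=$(printf '%s' "$line" | sed -n 's/.*inBytes=\([0-9]*\).*/\1/p')
    outb=$(printf '%s' "$line" | sed -n 's/.*outBytes=\([0-9]*\).*/\1/p')
    echo "$inb $outb"
}

# kernel_ready SETTINGS: returns 0 when forwarding is on and rp_filter is off
# where ESP crosses; otherwise prints each missing setting and returns 1
kernel_ready() {
    rc=0
    for want in "net.ipv4.ip_forward = 1" \
                "net.ipv4.conf.all.rp_filter = 0" \
                "net.ipv4.conf.eth0.rp_filter = 0"; do
        printf '%s\n' "$1" | grep -qxF "$want" || { echo "missing: $want"; rc=1; }
    done
    return $rc
}

# Example run against the constructed samples
echo "ofc: $(tunnel_state ofc "$SAMPLE_UP"), in/out bytes: $(esp_bytes ofc "$SAMPLE_UP")"
kernel_ready "$SAMPLE_SYSCTL_OK" && echo "kernel: ready"
```

A state of "down" right after `ipsec start` usually means the Phase 1 or Phase 2 proposals do not match what the Checkpoint offers; `ipsec status` shows which side rejected what.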

Finishing up

  • In the AWS VPC, modify the route table so that the route to 10.0.1.0/24 (the office segment) points to this EC2 instance
  • On the office intranet, modify the route table so that the route to 10.0.0.0/24 (the AWS intranet segment) points to the Checkpoint (not required, especially when the Checkpoint is already the default gateway)
