AWS上FortiGate和Openswan实现点到点IPsecVPN
- 安装部署
- AWS上安装FortiGate：在Marketplace搜索FortiGate,安装对应版本,之后登录并导入LIC
 
- 安装Openswan 
 # yum -y install openswan lsof
 
 # ipsec verify //一开始会有报错,完成下面的配置后再重新运行检查即可
 
 # vi /etc/sysctl.conf
 # Controls IP packet forwarding
 net.ipv4.ip_forward = 0 ---改成1
 # Controls source route verification
 net.ipv4.conf.default.rp_filter = 1 ---改成0
 # Controls IP packet forwarding
 net.ipv4.ip_forward = 0
 # Controls source route verification
 net.ipv4.conf.default.rp_filter = 1
 改为
 # Controls IP packet forwarding
 net.ipv4.ip_forward = 1
 # Controls source route verification
 net.ipv4.conf.default.rp_filter = 0
 # sysctl -p
 
 运行如下命令配置内核参数(禁止ICMP重定向)
 # Appends one "<key>= 0" line to /etc/sysctl.conf for every IPv4 accept_redirects /
 # send_redirects key listed by `sysctl -a`; it takes effect after `sysctl -p` (next step).
 # Running it more than once appends duplicate lines. NOTE(review): `egrep` is the
 # deprecated spelling of `grep -E`; the pattern does not cover secure_redirects or the
 # IPv6 equivalents, so those keep their current values.
 sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
 成功执行后运行sysctl -p使修改的参数生效。
 或用以下命令直接修改ICMP重定向参数
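 # Same effect as the sysctl.conf edit above, but applied directly to the running kernel
 # through /proc: it takes effect immediately and is not kept across a reboot.
 # Loop variable and paths are quoted; the interface directory names contain no spaces,
 # but quoting keeps the loop correct if that ever changes.
 for conf_dir in /proc/sys/net/ipv4/conf/*; do
   echo 0 > "$conf_dir/accept_redirects"
   echo 0 > "$conf_dir/send_redirects"
 done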
 
 临时关闭selinux: setenforce 0 (重启后失效),接下来永久关闭selinux:
 修改vi /etc/selinux/config 把
 SELINUX=enforcing
 改为
 SELINUX=disabled
 
 # /etc/init.d/iptables stop
 # chkconfig iptables off
 或
 放行openswan服务端口和NAT规则
 # IKE (UDP/500) and NAT-T, i.e. ESP encapsulated in UDP/4500. The rules accept from any
 # source; adding `-s <peer public IP>` (the FortiGate address used as right= below)
 # limits the exposed ports to the one expected peer.
 iptables -A INPUT -p udp --dport 500 -j ACCEPT
 # NOTE(review): standard IKE NAT-T does not use TCP/4500. This rule only matters if IKE
 # over TCP is deliberately configured on both ends; otherwise it opens a port nothing
 # listens on and can be dropped.
 iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
 iptables -A INPUT -p udp --dport 4500 -j ACCEPT
 # These rules live only in the running kernel; on a SysV host (the chkconfig-based steps
 # above) they must be saved, e.g. with `service iptables save`, or they are gone after
 # reboot — TODO confirm for the installed init system.
 
 运行#chkconfig ipsec on 开机自动启动ipsec服务
 启动ipsec: # service ipsec restart,然后重新运行检查命令 ipsec verify 确认检查通过
 
- 配置Openswan 
 cat /etc/ipsec.conf
 
 # /etc/ipsec.conf - Libreswan IPsec configuration file
 #
 # see 'man ipsec.conf' and 'man pluto' for more information
 #
 # For example configurations and documentation, see https://libreswan.org/wiki/
 
 config setup
 # Normally, pluto logs via syslog.
 logfile=/var/log/pluto.log
 #
 # Do not enable debug options to debug configuration issues!
 #
 # plutodebug="control parsing"
 # plutodebug="all crypt"
 # NOTE(review): plutodebug=all contradicts the warning just above. It logs every IKE
 # exchange in detail and grows /var/log/pluto.log quickly; remove the line once the
 # tunnel is up. The same setting is repeated in /etc/ipsec.d/ipsec.conf.
 plutodebug=all
 # Older (Openswan-era) spelling that points at the same file as logfile= above; one of
 # the two is redundant — confirm which one the installed daemon honours.
 plutostderrlog=/var/log/pluto.log
 #
 # NAT-TRAVERSAL support
 # exclude networks used on server side by adding %v4:!a.b.c.0/24
 # It seems that T-Mobile in the US and Rogers/Fido in Canada are
 # using 25/8 as "private" address space on their wireless networks.
 # This range has never been announced via BGP (at least up to 2015)
 # Address ranges a NAT'd peer may present as its private subnet; the tunnel's own
 # 10.0.0.0/16 and 192.168.0.0/16 are covered by the first two entries.
 virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
 
 # if it exists, include system wide crypto-policy defaults
 # include /etc/crypto-policies/back-ends/libreswan.config
 
 # It is best to add your IPsec connections as separate files in /etc/ipsec.d/
 # Pulls in /etc/ipsec.d/ipsec.conf, which holds the conn definition used here.
 include /etc/ipsec.d/*.conf
 
 
 cat /etc/ipsec.d/ipsec.conf
 
 # NOTE(review): a second "config setup" section inside an included file duplicates the
 # one in /etc/ipsec.conf — confirm the installed daemon merges it rather than rejecting it.
 config setup
 # Full debug output; see the note in /etc/ipsec.conf — remove once the tunnel is stable.
 plutodebug=all
 plutostderrlog=/var/log/pluto.log
 # protostack / nat_traversal / oe are Openswan-era keywords; the header of
 # /etc/ipsec.conf says Libreswan, where some of these are ignored with a warning —
 # check the start-up log for "obsolete keyword" messages.
 protostack=netkey
 nat_traversal=yes
 # Only the two tunnel subnets, narrower than the list in /etc/ipsec.conf.
 virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/16
 oe=off
 
 conn vpn-to-openswan
 ##phase 1##
 # Pre-shared key, looked up in /etc/ipsec.d/ipsec.secret by the leftid/rightid values below.
 authby=secret
 # Load and initiate the tunnel when the daemon starts (this side dials out).
 auto=start
 # IKE SA: AES-128 with SHA-1 integrity. No DH group is given, so the daemon default
 # applies — TODO confirm it matches the FortiGate phase-1 proposal. SHA-1 is legacy;
 # aes128-sha2_256 (or an AES-GCM suite) is preferred when the FortiGate offers it.
 ike=aes128-sha1
 keyexchange=ike
 # IKE SA lifetime in seconds (24h).
 ikelifetime=86400
 # NOTE(review): aggressive mode is IKEv1-only and sends the PSK-based authentication hash
 # before the exchange is encrypted, so anyone who captures it can try to recover the PSK
 # offline. Both peers have fixed public IPs (leftid/rightid below), so main mode
 # (aggrmode=no, with the FortiGate set to main mode as well) is the safer choice; the
 # FortiGate notes below currently select 野蛮模式 (aggressive) to match this line.
 aggrmode=yes
 
 ##phase 2##
 phase2=esp
 # ESP: AES-128 with SHA-1 HMAC — same SHA-1 caveat as phase 1; must match the FortiGate
 # phase-2 proposal exactly.
 phase2alg=aes128-sha1
 compress=no
 # No PFS: phase-2 keys derive from the IKE SA alone, so compromise of the IKE SA keys
 # exposes all tunnel traffic for that lifetime. Matches "阶段二不开启PFS" on the FortiGate
 # side; if both ends support it, enable pfs=yes with the same DH group on both.
 pfs=no
 type=tunnel
 # IPsec SA lifetime in seconds (12h).
 keylife=43200
 
 # left = this Openswan host. The interface holds the private address while leftid is
 # the public IP — presumably the instance's Elastic IP behind AWS 1:1 NAT, which is the
 # peer ID the FortiGate must be configured to expect; confirm against the FortiGate side.
 leftid=52.194.222.255
 left=192.168.14.113
 #leftsourceip=52.194.222.255
 leftsubnet=192.168.0.0/16
 leftnexthop=%defaultroute
 
 # right = the FortiGate's public IP; rightsubnet is the VPC subnet behind it.
 right=54.238.113.251
 rightid=54.238.113.251
 rightsubnet=10.0.0.0/16
 rightnexthop=%defaultroute
 
 cat /etc/ipsec.d/ipsec.secret
 # Format: <local public IP> <peer public IP> : PSK "<secret>". The two addresses must be
 # the leftid/rightid values from the conn (public IPs), not the private interface address.
 # Replace the example "Qwer@123456" with a long random secret (the FortiGate must hold
 # the identical value), keep the file readable by root only (mode 0600), and never copy
 # it into notes or version control. NOTE(review): the file is named ipsec.secret; the
 # daemon's default /etc/ipsec.secrets typically includes /etc/ipsec.d/*.secrets (plural),
 # so confirm this file is actually read — a missed secret shows up as an auth failure.
 x.x.x.x(本地公网ip) x.x.x.x(对端公网ip) : PSK "Qwer@123456"
 
 重启服务
 # NOTE(review): this is the systemd form, while the earlier steps use service/chkconfig
 # and /etc/init.d (SysV); only one of the two applies to a given host — use whichever
 # init system the installed OS actually runs.
 systemctl restart ipsec
 
 查看Openswan日志
 tail -f /var/log/pluto.log
 
- FortiGate部署
IPsecVPN通道配置
野蛮模式,阶段二不开启PFS




防火墙策略

静态路由
到对端网段指向vpn接口,本地网段指向port1

AWS子网路由表要添加指向FortiGate网卡的路由
FortiGate网卡要关闭源/目标检查










