Building an IPsec VPN service on Alibaba Cloud Ubuntu 16.04

Introduction to IPsec

IPsec (Internet Protocol Security) is a family of protocols that secures traffic at the network layer using applied cryptography. "IPsec" does not name a single protocol; it is an open protocol suite (IKE for key exchange, AH and ESP for protecting packets, plus the associated security-association and policy databases).

The design goal of IPsec is to provide flexible security services (authentication, integrity and confidentiality) for network-layer traffic in both IPv4 and IPv6 environments.

An IPsec VPN is a virtual private network implemented at the IP layer on top of the IPsec suite. It protects the payload of upper-layer protocols by inserting a predefined header (ESP or AH) into each packet, so everything carried by IP (TCP, UDP, ICMP and, in tunnel mode, whole IP packets) is covered. The setup below uses IKEv1 with XAuth over a pre-shared key, the "IPSec" VPN type offered by the built-in iOS client.

Because of how ECS networking is laid out (see the notes on the address pool and the external interface below), deploying IPsec on an Alibaba Cloud ECS instance differs slightly from deploying it on an ordinary server.

Install strongSwan

apt-get update
apt-get install strongswan strongswan-plugin-xauth-generic

Edit /etc/ipsec.secrets

vi /etc/ipsec.secrets

Add:

: PSK "test"
user1 : XAUTH "user1password"

The first line is the pre-shared key (PSK) that authenticates IKE phase 1; the empty selector before the colon means it applies to any peer. The second line defines an XAuth user: user1 is the user name and user1password is the password. Note that this is a plain IKEv1/XAuth IPsec connection, not L2TP/IPsec. Two caveats: "test" is only a placeholder, so use a long random string in practice, and because the PSK is shared by every client, anyone who learns it can stand up a rogue gateway and harvest users' XAuth credentials. Keep /etc/ipsec.secrets owned by root with mode 600.

Edit /etc/ipsec.conf

config setup
 cachecrls=yes
 uniqueids=yes

conn ios
 keyexchange=ikev1
 authby=xauthpsk
 xauth=server
 left=%defaultroute
 leftsubnet=0.0.0.0/0
 leftfirewall=yes
 right=%any
 rightsubnet=192.168.0.0/16
 rightsourceip=192.168.0.0/16
 rightdns=223.5.5.5
 auto=add

Write the pool in network form (192.168.0.0/16, not 192.168.0.1/16), and use a 192.168.0.0/16 range rather than one inside 10.0.0.0/8. On Alibaba Cloud the 10.x range is used by the instance's own internal (classic) network, so a 10.x virtual-IP pool would overlap the server's internal routes and clients' traffic would not be routed correctly. Also bear in mind that 192.168.0.0/16 is what most home routers use, so a smaller, less common block (for example a /24 high in that range) avoids clashes with the client's LAN.

Restart strongswan

ipsec restart

Modify the security group rules for the Alibaba Cloud instance

Allow inbound public traffic on UDP 500 (IKE) and UDP 4500 (NAT-T). Clients on mobile or home networks are almost always behind NAT, so the ESP traffic is encapsulated in UDP 4500; if a client with a public address connects without NAT, IP protocol 50 (ESP) must be permitted as well.

Enable IPv4 forwarding and set NAT rules

sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf   # persist across reboots

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth1 -j MASQUERADE

Note that eth1 is used here, not eth0.

On classic-network ECS instances, eth1 carries the public address and eth0 the internal one, so the MASQUERADE rule must reference eth1. On VPC instances there is only eth0 (the elastic IP is NATed onto it), so the correct choice is whichever interface carries the default route. The iptables rule is not persistent; install iptables-persistent or re-add it from a boot script, or the VPN will stop forwarding after a reboot.
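The whole procedure above, as one added end-to-end script (this is not the article's own code). It keeps the article's pool, DNS server and user name as defaults but generates a random PSK and password instead of the literal placeholders, normalises the pool to network form, refuses a 10.0.0.0/8 pool, detects the egress interface from the default route instead of hard-coding eth1, and makes forwarding and the NAT rule idempotent. `rightsubnet` is omitted because `rightsourceip` already narrows the remote selector to the assigned virtual IP. Run it as root with `sh setup-ipsec.sh apply` on the instance; without the argument it only defines the helper functions.

```shell
#!/bin/sh
# Added example: strongSwan IKEv1/XAuth-PSK gateway for Ubuntu 16.04 on ECS.
# Pool, DNS and user name are assumptions carried over from the article.
set -eu

POOL="${POOL:-192.168.0.0/16}"    # virtual-IP pool handed out to clients
VPN_DNS="${VPN_DNS:-223.5.5.5}"   # DNS server pushed to clients
XAUTH_USER="${XAUTH_USER:-user1}" # XAuth user name

# 32 random bytes, base64-encoded (44 characters). Never ship "test".
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Interface of the default route, parsed from `ip -4 route show default` text.
egress_iface_from_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Exit 0 when a dotted-quad address lies in 10.0.0.0/8 (the ECS internal range).
in_10_slash_8() {
    case "$1" in
        10.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Rewrite a CIDR to its network address: 192.168.0.1/16 -> 192.168.0.0/16.
pool_network() {
    printf '%s\n' "$1" | awk -F'[./]' '{
        ip = (($1 * 256 + $2) * 256 + $3) * 256 + $4
        blk = 2 ^ (32 - $5)
        net = int(ip / blk) * blk
        printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256,
            int(net / 65536) % 256, int(net / 256) % 256, net % 256, $5 }'
}

# /etc/ipsec.secrets content: group PSK for any peer plus one XAuth user.
render_secrets() { # psk user password
    printf ': PSK "%s"\n%s : XAUTH "%s"\n' "$1" "$2" "$3"
}

# /etc/ipsec.conf content for the article's "ios" connection.
render_conf() { # pool dns
    cat <<EOF
config setup
    cachecrls=yes
    uniqueids=yes

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsourceip=$1
    rightdns=$2
    auto=add
EOF
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    pool=$(pool_network "$POOL")
    if in_10_slash_8 "${pool%%/*}"; then
        echo "refusing $pool: 10.0.0.0/8 overlaps the ECS internal network" >&2; exit 1
    fi
    iface=$(egress_iface_from_routes "$(ip -4 route show default)")
    [ -n "$iface" ] || { echo "no default route found" >&2; exit 1; }

    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install -y strongswan strongswan-plugin-xauth-generic

    psk=$(gen_psk); pass=$(gen_psk)
    umask 077                                   # secrets file must be root-only
    render_secrets "$psk" "$XAUTH_USER" "$pass" > /etc/ipsec.secrets
    umask 022
    render_conf "$pool" "$VPN_DNS" > /etc/ipsec.conf

    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    # -C checks for the rule; only append it when it is missing.
    iptables -t nat -C POSTROUTING -s "$pool" -o "$iface" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$pool" -o "$iface" -j MASQUERADE

    ipsec restart
    sleep 2
    ipsec statusall | grep -q 'ios' || { echo "conn ios not loaded" >&2; exit 1; }
    printf 'PSK: %s\nUser: %s\nPassword: %s\nEgress iface: %s\n' "$psk" "$XAUTH_USER" "$pass" "$iface"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

The generated PSK and password are printed once at the end; copy them into the client and then clear the terminal history, since the same group PSK is all a rogue gateway needs to impersonate this server.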

Related reading:

How to build pptpd service in Alibaba Cloud Ubuntu 16.04

Summary

The above describes how to set up an IPsec VPN service on Alibaba Cloud Ubuntu 16.04. I hope it is helpful to you. If you have any questions, please leave me a message and I will reply in time. I would also like to thank everyone for their support of the 123WORDPRESS.COM website!
If you find this article helpful, please feel free to reprint it and please indicate the source. Thank you!
