High Availability of a Linux Gateway and VPN Client

Source: Internet
Author: User

I. Requirements

The company's US branch connects to the Hong Kong data center over a dial-up (PPTP) VPN. The host that dials is both the VPN client and the Linux gateway for the branch LAN. At present there is only one such server, and if it goes down the US office loses all connectivity to Hong Kong. The goal is to make it highly available with a second node, so that when one machine fails the other takes over and service continues.

II. Planning
Master node: 172.18.5.105
Slave (backup) node: 172.18.5.106
High availability of the two nodes using keepalived-1.2.8
Operating system: CentOS 5.5

III. Steps

--------------------------------------------------------------------------------
(1) Add firewall rules that allow VRRP and the VPN tunnel protocols

In /etc/sysconfig/iptables (CentOS 5 uses the RH-Firewall-1-INPUT chain):

-A RH-Firewall-1-INPUT -p gre -j ACCEPT
-A RH-Firewall-1-INPUT -p ipip -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p vrrp -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT

GRE (IP protocol 47) carries the PPTP tunnel data, and VRRP (IP protocol 112) carries the keepalived advertisements between the two nodes; ipip (protocol 4) is only needed if IP-in-IP tunnels are used. The VRRP rule is bound to eth0, the LAN-facing interface, so that advertisements are never accepted from the tunnel or the Internet side. It can be narrowed further by matching only the peer node as source (for example -s 172.18.5.106 on the master) and the VRRP multicast group 224.0.0.18 as destination. The port 53 rules are only needed if the gateway also answers DNS queries for the LAN.

--------------------------------------------------------------------------------
(2) Disable SELinux

setenforce 0

This only switches SELinux to permissive mode until the next reboot; to make it persistent, set SELINUX=permissive or SELINUX=disabled in /etc/selinux/config. Disabling SELinux removes a layer of confinement from a host that sits at the network edge, so if keepalived and pppd run correctly under the enforcing policy, prefer to leave it enabled.

--------------------------------------------------------------------------------
(3) Synchronize time and set up mutual SSH trust

1. Synchronize the clocks and set up passwordless SSH between the two nodes
# ntpdate <time-server>
# ssh-keygen -t rsa -P ''
# ssh-copy-id -i .ssh/id_rsa.pub 172.18.5.106
Run this on both nodes (each node's public key is copied to the other), because the scripts later need to run commands on the peer node. Since these are unencrypted root keys, restrict each one in the peer's ~/.ssh/authorized_keys with a from="<other gateway IP>" prefix so it can only be used from the other gateway.

--------------------------------------------------------------------------------
(4) Compile and install keepalived-1.2.8

http://www.keepalived.org/download.html
Note that the latest version is not necessarily the best, so 1.2.8 is used here.

tar xf keepalived-1.2.8.tar.gz

cd keepalived-1.2.8

mkdir -p /data/soft/keepalived

./configure --prefix=/data/soft/keepalived
Note: before compiling, you may need to install gcc and some additional development packages (for example openssl-devel and popt-devel) first.

make && make install
Compilation error:
../include/vrrp_ipaddress.h:32:27: error: linux/if_addr.h: No such file or directory
In file included from ../include/vrrp.h:31,
                 from ../include/smtp.h:34,
                 from smtp.c:27:
../include/vrrp_ipaddress.h:41: error: field 'ifa' has incomplete type
make[2]: *** [smtp.o] Error 1
make[2]: Leaving directory '/root/keepalived-1.2.7/keepalived/core'
make[1]: *** [all] Error 1
make[1]: Leaving directory '/root/keepalived-1.2.7/keepalived'
make: *** [all] Error 2
Cause and solution:
The installed kernel-headers package is too old and lacks linux/if_addr.h.

yum -y install kernel-headers
This resolves the problem; run make && make install again.
Copy the installed files to their standard locations:

mkdir /etc/keepalived

pwd
/data/soft/keepalived

cp etc/keepalived/keepalived.conf /etc/keepalived/

cp etc/rc.d/init.d/keepalived /etc/init.d/

cp etc/sysconfig/keepalived /etc/sysconfig/

cp sbin/keepalived /usr/sbin/

chkconfig --add keepalived

chkconfig keepalived on

service keepalived start
Starting keepalived: [OK]

Once keepalived has been compiled and started on both the master and the slave node, it has to be configured for its role on each node. Before that, compile and install the VPN client.

(5) Compile and install pptp-1.7.1

http://pkgs.fedoraproject.org/repo/pkgs/pptp/
tar xf pptp-1.7.1.tar.gz

cd pptp-1.7.1

make && make install
Configure the client:

vim /etc/ppp/peers/vpn
pty "pptp 172.18.8.254 --nolaunchpppd"   # address of the VPN server; for a remote server use its public IP
lock
noauth
nobsdcomp
nodeflate
name amos.lu                             # VPN dial-up user name
remotename vpn                           # name of the connection on the remote server; must match the server field in chap-secrets
ipparam vpn                              # best kept the same as the name above
require-mppe-128                         # only if the remote VPN server requires encryption; omit it otherwise

Security note: PPTP authenticates with MS-CHAPv2 and derives the MPPE keys from that exchange, and an attacker who captures the handshake can break it offline, so require-mppe-128 does not make the tunnel strong. Treat it as weak protection; a new deployment would use IPsec or OpenVPN instead.

vim /etc/ppp/chap-secrets
# client    server    secret        IP addresses
amos.lu     vpn       <password>    *        (the IP address is assigned by the server)
If the user already exists on the server side, the dial-up connection can be made.

/usr/sbin/pppd call vpn logfd 1 updetach   # "vpn" refers to the file /etc/ppp/peers/vpn
Using interface ppp0
Connect: ppp0 <--> /dev/pts/3
CHAP authentication succeeded
MPPE 128-bit stateless compression enabled
Local IP address 172.18.8.101
Remote IP address 172.18.8.254
Dial successful!
Do the same on both the master and the slave node.


(6) Implementation of High Availability Configuration

Master node configuration file

vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        root@localhost
    }
    notification_email_from amos.lu@sky-mobi.com
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL
}
vrrp_script monitor {
    script "nohup /etc/keepalived/monitor.sh 2>/root/error.log &>/dev/null"
    interval 20
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 200
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.18.5.10
    }
    track_script {
        monitor
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

Two points to keep in mind with this configuration. First, auth_type PASS sends auth_pass (at most 8 characters) in cleartext in every advertisement, so anyone on the eth0 segment who can sniff it can announce a higher priority and take the VIP; choose a less trivial password than 1111, treat the LAN segment as trusted, and keep the VRRP firewall rule from step (1) narrow. Second, because the track_script has no weight, a non-zero exit from monitor.sh does not merely lower the priority but moves the instance into FAULT state, which triggers notify_fault and hands the VIP to the other node.
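The notify.sh and monitor.sh scripts referenced in the configuration above are not shown on this page. The following is an added example, not the article's own scripts, of the logic such helpers need on this particular setup: only the node that holds the VIP keeps the PPTP session, the node that loses the VIP hangs up, and the health check reports a broken tunnel on the master while a standby only has to be able to reach the PPTP server. It assumes the peer file /etc/ppp/peers/vpn and interface ppp0 from step (5), the server address 172.18.8.254 from the pty line and the dial-up output, the VIP 172.18.5.10 on eth0 from the configuration above, and pppd's default pid file /var/run/ppp0.pid; the file name vpn-ha.sh and the sysfs/log paths are this example's own choices.

```bash
#!/bin/bash
# Added example of the keepalived helper logic for this gateway/VPN-client pair;
# not the article's own monitor.sh or notify.sh.  Assumptions (taken from the
# steps above, not verified against the original scripts): peer file
# /etc/ppp/peers/vpn, tunnel interface ppp0, PPTP server and tunnel peer
# 172.18.8.254, VIP 172.18.5.10 on eth0, pppd's default pid file /var/run/ppp0.pid.
#
#   vpn-ha.sh notify {master|backup|fault}   <- keepalived notify_* hooks
#   vpn-ha.sh check                          <- keepalived vrrp_script (exit 1 = unhealthy)

PEER="${PEER:-vpn}"
IFACE="${IFACE:-ppp0}"
LAN_IFACE="${LAN_IFACE:-eth0}"
VIP="${VIP:-172.18.5.10}"
VPN_SERVER="${VPN_SERVER:-172.18.8.254}"     # address dialed in the pty line
TUNNEL_PEER="${TUNNEL_PEER:-172.18.8.254}"   # "Remote IP address" from the dial-up output
PIDFILE="${PIDFILE:-/var/run/$IFACE.pid}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"     # overridable so the logic can be exercised without a tunnel
LOG="${LOG:-/var/log/vpn-ha.log}"

log() { echo "$(date '+%F %T') $*" >> "$LOG"; }

# 0 if the tunnel interface exists and is not down.  A running ppp interface
# reports operstate "unknown", not "up", so only "down" or absence counts as down.
tunnel_up() {
    local f="$SYSFS_NET/$IFACE/operstate"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" != "down" ]
}

# 0 if keepalived has placed the VIP on the LAN interface (i.e. this node is MASTER).
holds_vip() { ip -4 addr show dev "$LAN_IFACE" 2>/dev/null | grep -q "inet $VIP/"; }

# 0 if the far end answers through the tunnel / on the underlying network.
peer_reachable()   { ping -c 1 -W 3 -I "$IFACE" "$TUNNEL_PEER" > /dev/null 2>&1; }
server_reachable() { ping -c 1 -W 3 "$VPN_SERVER" > /dev/null 2>&1; }

# Pure decision: keepalived state + current tunnel state -> dial|hangup|keep|invalid.
decide_action() {
    case "$1" in
        master)       if tunnel_up; then echo keep; else echo dial; fi ;;
        backup|fault) if tunnel_up; then echo hangup; else echo keep; fi ;;
        *)            echo invalid ;;
    esac
}

# Only the VIP holder keeps a session: PPTP servers commonly allow one session
# per account, and two live tunnels would give asymmetric routing.
apply_action() {
    case "$1" in
        dial)   log "dialing $PEER"; /usr/sbin/pppd call "$PEER" updetach ;;
        hangup) log "hanging up $IFACE"
                if [ -r "$PIDFILE" ]; then kill "$(cat "$PIDFILE")"; fi ;;
        keep)   : ;;
        *)      log "unknown action: $1"; return 2 ;;
    esac
}

# Health check for vrrp_script.  The MASTER must have a working tunnel; failing
# here moves it to FAULT so the backup takes over and dials.  A standby's tunnel
# is intentionally down, so it only has to be able to reach the PPTP server.
check_health() {
    if holds_vip; then tunnel_up && peer_reachable; else server_reachable; fi
}

main() {
    case "${1:-}" in
        notify) local act; act=$(decide_action "${2:-}")
                log "state=${2:-} action=$act"; apply_action "$act" ;;
        check)  check_health ;;
        *)      echo "usage: $0 notify {master|backup|fault} | check" >&2; return 2 ;;
    esac
}

# Dispatch only when called with arguments so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

To wire it in, the three notify_* lines would call "/etc/keepalived/vpn-ha.sh notify master" (and backup, fault), and the vrrp_script would run "/etc/keepalived/vpn-ha.sh check" directly rather than through nohup, since keepalived needs the script's real exit status. When a former master recovers it passes the standby check, returns to BACKUP and, with the higher priority, preempts and re-dials; if that flap is unwanted, run both nodes with state BACKUP and nopreempt.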
