Use openswan on CentOS/RedHat 5.4 to build a VPN between data centers

Source: Internet
Author: User
Tags: reverse dns

Recently, because the traffic at our primary data center was so high, we rented several independent hosts abroad to spread the traffic and reduce cost. This requires data synchronization between the two data centers, including MySQL, MongoDB, and the reverse proxy. Building an IPsec VPN that joins the two subnets is the most suitable solution.

We initially considered OpenVPN, but our application transfers a large volume of data, and OpenVPN's performance is still inferior to an IPsec solution; we also cannot deploy hardware acceleration for OpenVPN. For cost reasons we chose a pure software VPN.

First we tried configuring the IPsec built into CentOS, but that failed quickly. The Red Hat documentation is unclear and the configuration is cumbersome; following the instructions we could not get a connection, so we lost patience and deployed openswan instead.

Before deploying openswan, first draw a topology of the two subnets and clearly separate the "left" and "right" sides:

A (192.168.8.x / 211.x) +----+ B (192.168.9.x / 174.xx)

For example, A is the left node and B is the right node; 192.168.8.x and 192.168.9.x are the two network segments. In each CIDR block select one host as the gateway, so that you can set up the two gateways separately.
In our case:
gate_a (192.168.8.70 / 211.x), gate_b (192.168.9.1 / 174.x)

Both hosts need two NICs, one connected to the intranet and one to the Internet. Note the intranet and Internet IP addresses shown above.

Install gate_a as follows:

1. Install openswan
gate_a.nightsailer.com> yum install ipsec-tools
gate_a.nightsailer.com> yum install openswan

Note: the following step is critical. CentOS 5.4 has a bug: the NSS certificate database that the openswan installation creates automatically is not correct, so you first need to create a new database. Otherwise an error is reported when the key is generated in the next step.

gate_a.nightsailer.com> certutil -N -d /etc/ipsec.d

2. Now generate a host key for gate_a:
gate_a.nightsailer.com> ipsec newhostkey --configdir /etc/ipsec.d/ --output /etc/ipsec.d/keys.secrets

3. Display the public key of gate_a as the left key:
gate_a.nightsailer.com> ipsec showhostkey --left
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
# rsakey Axxxx
leftrsasigkey=0sA.........

Write down the leftrsasigkey=0sA..... line from this output.

4. Modify /etc/ipsec.conf

# /etc/ipsec.conf - openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0

# You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

5. Now create a separate conf file for this VPN and place it at /etc/ipsec.d/nightsailer.com_vpn.conf:

conn nightsailer_vpn
    # public IP address of the left node (gate_a)
    left=211.x
    # intranet segment of the left node
    leftsubnet=192.168.8.0/24
    # intranet IP address of the gateway of the left node (optional)
    leftsourceip=192.168.8.70
    # the ID of the left node, which can be an IP address or a domain name:
    # leftid=@gate_a.chinavisual.com
    # Using the IP address is recommended: a domain name requires reverse DNS resolution, and if DNS is not configured properly, problems can occur.
    leftid=211.x
    # the left public key that ipsec showhostkey printed on gate_a
    leftrsasigkey=0sAQO...
    leftnexthop=%defaultroute
    # the following parameters have the same meaning as those above, for the right node
    right=174.x
    rightsubnet=192.168.9.0/24
    rightsourceip=192.168.9.1
    rightid=174.x
    rightrsasigkey=0sAQOp....
    rightnexthop=%defaultroute
    # whether to bring this connection up automatically when IPsec starts
    # auto=add (with this setting you have to bring the VPN link up manually)
    auto=start

Now log on to gate_b and repeat steps 1-5 above.

Note that the showhostkey step is slightly different, because gate_b is the right node, so you display its key as the right key:
gate_b.nightsailer.com> ipsec showhostkey --right
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
# rsakey Axxxx
rightrsasigkey=0sA.........

Write this rightrsasigkey=0sA..... line into /etc/ipsec.d/nightsailer.com_vpn.conf on both gateways (including the copy on gate_a).
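Before starting IPsec it is worth sanity-checking the conn file that both gateways now carry. The following Python script is an added example, not part of the original article or of openswan: it parses the conn syntax shown above and flags a missing or malformed rsasigkey, an id that disagrees with its address, overlapping left/right subnets, and any drift between the copies on gate_a and gate_b. The sample conn, its documentation-range public addresses and its placeholder key strings are constructed for the example.

```python
import ipaddress
import re

# Constructed sample shaped like the page's conn: documentation-range public IPs, placeholder keys.
SAMPLE_CONF = """\
conn nightsailer_vpn
    left=203.0.113.10
    leftsubnet=192.168.8.0/24
    leftrsasigkey=0sAQOleftPlaceholderKey
    right=198.51.100.20
    rightsubnet=192.168.9.0/24
    rightrsasigkey=0sAQOrightPlaceholderKey
"""

def parse_conns(text):
    """Parse 'conn NAME' sections (indented key=value lines) into dicts keyed by name."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip(): continue
        if not line[0].isspace():                     # unindented line opens a section
            current = conns.setdefault(line[5:].strip(), {}) if line.startswith("conn ") else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip().lower()] = value.strip()
    return conns

def check_conn(conn):
    """Return the problems found in one conn; an empty list means it looks sane."""
    problems = []
    for side in ("left", "right"):
        if not re.fullmatch(r"0s[A-Za-z0-9+/=]+", conn.get(side + "rsasigkey", "")):
            problems.append(side + "rsasigkey missing or not a 0s-prefixed base64 key")
        ident = conn.get(side + "id", "")             # openswan defaults it to the address
        if ident and not ident.startswith("@") and ident != conn.get(side):
            problems.append(side + "id is an address but differs from " + side)
    try:
        nets = [ipaddress.ip_network(conn[s + "subnet"]) for s in ("left", "right")]
        if nets[0].overlaps(nets[1]):
            problems.append("leftsubnet and rightsubnet overlap")
    except (KeyError, ValueError) as err:
        problems.append("subnet missing or malformed: " + str(err))
    return problems

def check_both_gateways(conf_a, conf_b, name):
    """The conn must be identical on both gateways, or the peers will not match."""
    conn_a, conn_b = parse_conns(conf_a).get(name, {}), parse_conns(conf_b).get(name, {})
    diffs = [k + " differs between gateways" for k in sorted(set(conn_a) | set(conn_b))
             if conn_a.get(k) != conn_b.get(k)]
    return diffs + check_conn(conn_a)
```

Run check_both_gateways on the two files copied from gate_a and gate_b; an empty list means the key lines, ids and subnets agree.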

Start IPsec:
gate_a.nightsailer.com> /etc/init.d/ipsec start
gate_b.nightsailer.com> /etc/init.d/ipsec start

Now ping between gate_a and gate_b to confirm the tunnel is up.

Once the gateways are connected, you need to add a route on the hosts in each subnet:
On CIDR block A:
route add -net 192.168.9.0 netmask 255.255.255.0 gw 192.168.8.70 eth1
# To make the static route persistent, append to /etc/sysconfig/network-scripts/route-eth1:
192.168.9.0/24 via 192.168.8.70 dev eth1

On CIDR block B:
route add -net 192.168.8.0 netmask 255.255.255.0 gw 192.168.9.1 eth1
# Likewise, append to /etc/sysconfig/network-scripts/route-eth1:
192.168.8.0/24 via 192.168.9.1 dev eth1

Everything is done.
