Rhel

How do I bring up eth1 and keep it always available for remote access, while eth0 is used for a host-to-host IPsec VPN?

  • September 20, 2016

I am running an Amazon EC2 instance with Red Hat Enterprise Linux that has two network interfaces.

Currently:

  1. eth0 is active and holds the public IP that I log in to remotely over SSH to configure the VPN (once the VPN is in place, I will no longer be able to reach this IP and interface remotely)
  2. eth1 is shown (on Amazon I have already assigned another new public IP to it, but it cannot be pinged and I cannot log in to it over SSH)
  3. Once eth1 is up and reachable remotely, I have to configure the VPN client on eth0 to connect to another remote server

How do I set up eth1 so that I can have remote access over eth1, while eth0 is dedicated to the host-to-host IPsec VPN?

[ec2-user@ip-10-0-0-41 ~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 0e:29:01:a8:c6:98 brd ff:ff:ff:ff:ff:ff
   inet 10.0.0.41/24 brd 10.0.0.255 scope global eth0
   inet6 fe80::c29:1ff:fea8:c698/64 scope link 
      valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
   link/ether 0e:29:01:a9:6e:32 brd ff:ff:ff:ff:ff:ff

Edit:

$ system-config-network-tui
eth1 is added as dhcp

$ ifup eth1
Determining IP information for eth1...

Edit:

$ ssh amazonec2@eth0...public...ip  - fails
$ ssh amazonec2@eth1...public...ip  - allow to login
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 0e:29:01:a8:c6:98 brd ff:ff:ff:ff:ff:ff
   inet 10.0.0.41/24 brd 10.0.0.255 scope global eth0
   inet6 fe80::c29:1ff:fea8:c698/64 scope link 
      valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 0e:29:01:a9:6e:32 brd ff:ff:ff:ff:ff:ff
   inet 10.0.0.110/24 brd 10.0.0.255 scope global eth1
   inet6 fe80::c29:1ff:fea9:6e32/64 scope link 
      valid_lft forever preferred_lft forever

Edit:

$ yum install openswan
$ cat /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
   protostack=netkey
   nat_traversal=yes
   virtual_private=
   oe=off
include /etc/ipsec.d/*.conf

$ cat /etc/ipsec.d/test.conf

### Administrator given this to setup
# Phase1: Encryption: AES128 Integrity: MD5 IKE Lifetime: 28800 sec.
# Phase2: Encryption: AES128 Integrity: MD5 IPsec lifetime: 3600 sec.

### Red hat we use Phase 1 and Phase 2 for IPSec 
conn test
   type=tunnel
   authby=secret
   pfs=no
   # Lifetime: 1440 sec
   ike=aes128-md5;modp1024!
   # Lifetime: 3600 sec
   phase2alg=aes128-md5;modp1024
   aggrmode=no
   left=194.x.x.x
   right=54.x.x.x
   leftsubnet=10.109.0.0/24
   rightsubnet=10.0.0.0/24
   #auto=start

$ service ipsec restart && ipsec auto --add test
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.6.2.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

$ ipsec auto --up test
022 "test": We cannot identify ourselves with either end of this connection.
  • If the add produces no error, the config file is correct, and what remains is some other problem with the tunnel.

It works!

#!/bin/bash
# Version 1.0 - Stable
# --------------------------------------------
# Amazon EC2 instance + VPC + RHEL 6.4 64-bit
# eth0: 10.0.0.108  public ip: 8.8.8.8
# eth1: 10.0.0.27   public ip: 9.9.9.9
# 
# VPN Sever: 2.2.2.2
#

amazonEth0="10.0.0.8"
amazonWan0="8.8.8.8"
vpnServer="2.2.2.2"
hosttoHost=(10.109.0.20/32 10.109.0.21/32 10.109.58.6/32 10.109.59.3/32)
pingHost=(10.109.0.20 10.109.0.21 10.109.58.6 10.109.59.3)

# Step 0
yum -y install openswan

cat > /etc/ipsec.d/secret.secrets << EOF
# Step 1
$vpnServer 0.0.0.0 %any: PSK "123"
EOF

cat > /etc/ipsec.conf << \EOF
# Step 2
version 2.0 # conforms to second version of ipsec.conf specification
config setup
   plutodebug="all"
   plutostderrlog=/var/log/pluto.log
   protostack=netkey
   nat_traversal=no
   virtual_private=
   oe=off
include /etc/ipsec.d/*.conf
EOF

for i in 1 2 3 4
do
cat > /etc/ipsec.d/test$i.conf << EOF
#Step 3
conn test$i
   #auto=start
   type=tunnel
   authby=secret
   pfs=no
   aggrmode=no
   ikelifetime=28800s
   lifetime=3600s
   ike=aes128-md5;modp1024!
   phase2alg=aes128-md5;modp1024
   forceencaps=yes
   left=$amazonEth0
   leftid=$amazonWan0
   leftsourceip=$amazonWan0
   right=$vpnServer
   rightsubnet=${hosttoHost[$i-1]}
EOF
done

### Run me
cat > /tmp/vpn.sh << EOF
#!/bin/bash
service ipsec restart
ipsec auto --add test1
ipsec auto --add test2
ipsec auto --add test3
ipsec auto --add test4

ipsec auto --up test1
ipsec auto --up test2
ipsec auto --up test3
ipsec auto --up test4

ipsec auto --status
ip xfrm policy
ip route show
ping -c 1 ${pingHost[0]}
ping -c 1 ${pingHost[1]}
ping -c 1 ${pingHost[2]}
ping -c 1 ${pingHost[3]}

EOF
chmod +x /tmp/vpn.sh

# Finishing - touch
/tmp/vpn.sh
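The error in the question, `022 "test": We cannot identify ourselves with either end of this connection.`, is pluto's orientation check: a conn is only usable when `left=` or `right=` is an address that is actually configured on a local interface. On EC2 the public (Elastic) IP is NATed and never appears on an interface, so the first `test.conf` (public addresses on both sides) cannot be oriented, while the working script puts the private address in `left=` and the public address in `leftid=`. The script below is an added example, not code from the original post; it reproduces that check offline against a constructed `ip -4 -o addr` sample and two constructed conn sections (addresses from the RFC 5737 documentation ranges), so the failure mode can be recognised before `ipsec auto --up` is run.

```bash
#!/bin/bash
# Added example (not from the original post): reproduce Openswan/pluto's
# orientation rule offline. A conn is "oriented" when left= or right= is an
# address present on a local interface; otherwise pluto reports
#   022 "<conn>": We cannot identify ourselves with either end of this connection.

# Constructed sample of `ip -4 -o addr show` output, modelled on the
# instance in the question (private addresses only, as on EC2).
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.41/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 10.0.0.110/24 brd 10.0.0.255 scope global eth1'

# Constructed conn sections. CONN_BROKEN mirrors the failing test.conf shape
# (public IPs on both sides); CONN_FIXED mirrors the working script
# (private IP in left=, public identity in leftid=).
CONN_BROKEN='conn test
   left=192.0.2.10
   right=203.0.113.9
   leftsubnet=10.109.0.0/24
   rightsubnet=10.0.0.0/24'

CONN_FIXED='conn test1
   left=10.0.0.41
   leftid=198.51.100.7
   right=203.0.113.9
   rightsubnet=10.109.0.20/32'

# Print the local IPv4 addresses (prefix length stripped), one per line.
# $1: text in `ip -4 -o addr` format
local_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub("/.*", "", $4); print $4 }'
}

# Print the value of one key (left, right, leftid, ...) from a conn section.
# Exact key match, so "left" does not match "leftid"; whitespace is trimmed.
# $1: conn text, $2: key
conn_value() {
    printf '%s\n' "$1" | awk -v key="$2" -F '=' '
        { gsub(/^[ \t]+/, "", $1); gsub(/[ \t]+$/, "", $2) }
        $1 == key { print $2; exit }'
}

# Return 0 when left= or right= is a local address (pluto can orient the
# conn), 1 otherwise (pluto would emit the 022 message).
# $1: conn text, $2: `ip -4 -o addr` text
conn_oriented() {
    local left right a
    left=$(conn_value "$1" left)
    right=$(conn_value "$1" right)
    for a in $(local_addrs "$2"); do
        [ "$a" = "$left" ] && return 0
        [ "$a" = "$right" ] && return 0
    done
    return 1
}

# One-word verdict, plus the fix that applies on a NATed host such as EC2.
# $1: conn text, $2: `ip -4 -o addr` text
diagnose_conn() {
    if conn_oriented "$1" "$2"; then
        echo "oriented"
    else
        echo "unoriented"
    fi
}

main() {
    echo "local addresses:"
    local_addrs "$SAMPLE_IP_ADDR"
    echo "broken conn: $(diagnose_conn "$CONN_BROKEN" "$SAMPLE_IP_ADDR")"
    echo "fixed conn:  $(diagnose_conn "$CONN_FIXED" "$SAMPLE_IP_ADDR")"
    if [ "$(diagnose_conn "$CONN_BROKEN" "$SAMPLE_IP_ADDR")" = "unoriented" ]; then
        echo "fix: set left= to the address shown by 'ip addr' (the private IP on EC2)"
        echo "     and move the public address to leftid="
    fi
}
main
```

On a live host the same check is `conn_oriented "$(cat /etc/ipsec.d/test.conf)" "$(ip -4 -o addr show)"`; it only reads configuration, so it is safe to run before restarting the ipsec service.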

Source: https://unix.stackexchange.com/questions/84674