2022-10-14
PowerShell: remotely resetting VyOS IPsec connections
Douzi (the author) recently changed jobs. The new company is a veterinary clinic group that has grown very fast over the last two years, buying more than 130 clinics across Australia but integrating fewer than 15 of them so far. To keep costs down, almost every clinic runs the cheapest router available, such as a Cisco RV320. To build IPsec tunnels directly to AWS, again to save money, we did not use the AWS VPN gateway but a third-party software router running on an EC2 instance, VyOS. The price of cheap is an unstable network! So here is my first task: find a way to fix the instability, but don't ask for money to buy expensive gear~
Some clinics' VPN tunnels need to be reset almost every two days. What to do? On top of that, some clinics are in such remote areas that they can only get online over 4G, and our cheap routers have very poor dynamic DNS support, so the tunnels can only be built against a plain IP address.
My first thought was to write a script that polls the sites and resets the tunnel whenever there is a problem. The VyOS instance is Linux-based, but the usual shell commands have been removed and the console only accepts network configuration commands. I can, however, connect remotely with PowerShell's Posh-SSH module and send the commands through the SSH session, which amounts to the same thing.
```powershell
# Note: the blog's keyword filter replaced the word "vpn" in the VyOS commands with "***";
# it is restored here so the commands run as written.

# Site 1: Gladesville. Probe a server behind the tunnel; if it does not answer,
# SSH to the VyOS instance and reset the IPsec peer.
if (Test-Connection -ComputerName au-svr-dc-01 -Count 3 -Quiet) {
    Write-Host "Connection to Gladsville is good" -ForegroundColor Green
} else {
    $nopasswd   = New-Object System.Security.SecureString
    $Credential = New-Object System.Management.Automation.PSCredential ("vyos", $nopasswd)
    New-SSHSession -ComputerName 172.16.1.52 -KeyFile 'c:\temp\vpau.pem' -Credential $Credential
    $session = Get-SSHSession -Index 0
    $stream  = $session.Session.CreateShellStream("dumb", 0, 0, 0, 0, 1000)
    #Invoke-VyOSCommand -Command "show vpn ike sa | grep -A5 -B5 Bexley" -Stream $stream
    #sleep 4
    $command = "reset vpn ipsec-peer 61.69.91.242"
    $stream.Write($command + "`n")    # the trailing newline is what submits the command
    sleep 2
    $stream.Read()
    Remove-SSHSession -SessionId 0
    $Changetime = Get-Date
    "$Changetime Reset tunnel of Gladsvilled" | Out-File C:\temp\bexley\logs.txt -Append
}

# Site 2: Bexley, on a 4G link whose public IP changes. Compare the current
# dynamic-DNS answer with the last known IP: same IP -> reset the peer;
# new IP -> rebuild the peer entry under the new address and drop the old one.
if (Test-Connection -ComputerName BX-SVR-DCDB-01 -Count 3 -Quiet) {
    # if connection is fine, ignore
    Write-Host "Connection to Bexley is good" -ForegroundColor Green
} else {
    $temp     = Get-Content C:\temp\bexley\bexley.txt      # last known public IP of Bexley
    $computer = 'bexleyvet.dyndns.org'
    $new      = [System.Net.Dns]::GetHostAddresses($computer) | Select-Object -ExpandProperty IPAddressToString
    if ($temp -eq $new) {
        Write-Host "IP is the same, will reset tunnel.." -ForegroundColor Yellow
        # if IP is the same, simply reset the tunnel
        $nopasswd   = New-Object System.Security.SecureString
        $Credential = New-Object System.Management.Automation.PSCredential ("vyos", $nopasswd)
        New-SSHSession -ComputerName 172.16.1.52 -KeyFile 'c:\temp\vpau.pem' -Credential $Credential
        $session = Get-SSHSession -Index 0
        $stream  = $session.Session.CreateShellStream("dumb", 0, 0, 0, 0, 1000)
        #Invoke-VyOSCommand -Command "show vpn ike sa | grep -A5 -B5 Bexley" -Stream $stream
        #sleep 4
        $command = "reset vpn ipsec-peer $new"
        $stream.Write($command + "`n")
        sleep 2
        $stream.Read()
        Remove-SSHSession -SessionId 0
        $Changetime = Get-Date
        "$Changetime Reset tunnel of Bexley" | Out-File C:\temp\bexley\logs.txt -Append
    } else {
        Write-Host "IP is changed, will create new entry" -ForegroundColor Red
        $nopasswd   = New-Object System.Security.SecureString
        $Credential = New-Object System.Management.Automation.PSCredential ("vyos", $nopasswd)
        New-SSHSession -ComputerName 172.16.1.52 -KeyFile 'c:\temp\vpau.pem' -Credential $Credential
        $session = Get-SSHSession -Index 0
        $stream  = $session.Session.CreateShellStream("dumb", 0, 0, 0, 0, 1000)
        #Invoke-VyOSCommand -Command "config" -Stream $stream
        sleep 6
        $commands = @(
            "config"
            "set vpn ipsec site-to-site peer $new"
            "set vpn ipsec site-to-site peer $new authentication mode pre-shared-secret"
            "set vpn ipsec site-to-site peer $new authentication pre-shared-secret 8M6b111ddd"
            "set vpn ipsec site-to-site peer $new connection-type respond"
            "set vpn ipsec site-to-site peer $new default-esp-group AWSGL"
            "set vpn ipsec site-to-site peer $new description Bexley"
            "set vpn ipsec site-to-site peer $new ike-group AWSGL"
            "set vpn ipsec site-to-site peer $new local-address 172.16.1.52"
            "set vpn ipsec site-to-site peer $new tunnel 0 local prefix 172.16.0.0/16"
            "set vpn ipsec site-to-site peer $new tunnel 0 remote prefix 10.2.2.0/24"
            "set vpn ipsec site-to-site peer $new authentication id 54.66.164.57"
            "del vpn ipsec site-to-site peer $temp"
            "commit"
            "save"
            "exit"
        )
        foreach ($command in $commands) {
            #Invoke-VyOSCommand -Command $command -Stream $stream
            $stream.Write($command + "`n")
            $stream.Read()
            sleep 2
        }
        $stream.Write("show vpn ike sa | grep -A5 -B5 Bexley`n")
        $Changetime = Get-Date
        "$Changetime IP Address is changed from $temp to $new" | Out-File C:\temp\bexley\logs.txt -Append
        $new | Out-File C:\temp\bexley\bexley.txt      # remember the new IP for the next run
        Remove-SSHSession -SessionId 0
    }
}
```
Run the script above once a minute, and the log shows it reconfiguring VyOS or resetting the tunnel on its own, depending on whether the IP has changed:
09/19/2018 08:59:32 IP Address is changed from 123.209.234.194 to 123.209.111.152
09/19/2018 16:22:59 Reset tunnel of Bexley
09/19/2018 16:39:56 Reset tunnel of Gladsvilled
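The same check-and-reset logic, generalized into reusable functions, as an added example that is not code from the original post. One record describes each site, the SSH helper waits for the VyOS prompt instead of sleeping a fixed number of seconds, a missing state file or a failed DNS lookup no longer produces a "delete peer" with an empty address, and the pre-shared secret is read from an environment variable (VYOS_PSK_<site>, an assumed name) instead of being written into the script. It assumes Posh-SSH, key-based login as user "vyos", and the VyOS 1.x "set vpn ipsec ..." syntax used in the post; the site record reuses the post's values, everything else is a placeholder.

```powershell
# Added example: generalized tunnel check for several clinic sites (not the post's own code).
Import-Module Posh-SSH

function Open-VyosShell {
    param([string]$VyosHost, [string]$KeyFile, [string]$User = 'vyos')
    $nopasswd = New-Object System.Security.SecureString
    $cred     = New-Object System.Management.Automation.PSCredential ($User, $nopasswd)
    $session  = New-SSHSession -ComputerName $VyosHost -KeyFile $KeyFile -Credential $cred
    $stream   = $session.Session.CreateShellStream('dumb', 0, 0, 0, 0, 1000)
    Start-Sleep -Seconds 2
    [void]$stream.Read()              # discard login banner and first prompt
    return [pscustomobject]@{ Session = $session; Stream = $stream }
}

function Send-VyosCommand {
    # Sends one line and reads until an op-mode ($) or config-mode (#) prompt
    # comes back, or the timeout expires, so a slow "commit" is not cut short.
    param($Shell, [string]$Command, [int]$TimeoutSec = 30)
    $Shell.Stream.WriteLine($Command)
    $output = ''; $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do { Start-Sleep -Milliseconds 500; $output += $Shell.Stream.Read() }
    until ($output -match '[$#]\s*$' -or (Get-Date) -gt $deadline)
    return $output
}

function Close-VyosShell { param($Shell) Remove-SSHSession -SessionId $Shell.Session.SessionId | Out-Null }

function Get-CurrentPeerIp {
    # Fixed address: returned as-is. Dynamic DNS name: first IPv4 record, or $null.
    param([string]$NameOrIp)
    if ($NameOrIp -as [ipaddress]) { return $NameOrIp }
    return [System.Net.Dns]::GetHostAddresses($NameOrIp) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        Select-Object -First 1 -ExpandProperty IPAddressToString
}

function Update-VyosPeer {
    # Creates the peer under the new public IP and removes the stale one in one commit.
    param($Shell, $Site, [string]$OldIp, [string]$NewIp, [string]$Psk)
    $p = "set vpn ipsec site-to-site peer $NewIp"
    $cmds = @('configure',
        "$p authentication mode pre-shared-secret", "$p authentication pre-shared-secret $Psk",
        "$p authentication id $($Site.AuthId)", "$p connection-type respond",
        "$p default-esp-group $($Site.EspGroup)", "$p ike-group $($Site.IkeGroup)",
        "$p description $($Site.Name)", "$p local-address $($Site.LocalAddress)",
        "$p tunnel 0 local prefix $($Site.LocalPrefix)", "$p tunnel 0 remote prefix $($Site.RemotePrefix)")
    if ($OldIp) { $cmds += "delete vpn ipsec site-to-site peer $OldIp" }   # skip when no IP was known
    $cmds += 'commit', 'save', 'exit'
    foreach ($c in $cmds) { [void](Send-VyosCommand -Shell $Shell -Command $c) }
}

function Test-SiteTunnel {
    # Returns 'ok', 'reset', 're-peered ...' or 'dns-failed' and appends one log line.
    param($Site, [string]$VyosHost, [string]$KeyFile, [string]$LogFile)
    if (Test-Connection -ComputerName $Site.ProbeHost -Count 3 -Quiet) { return 'ok' }
    $known   = if (Test-Path $Site.StateFile) { (Get-Content $Site.StateFile -Raw).Trim() } else { '' }
    $current = Get-CurrentPeerIp $Site.PeerName
    if (-not $current) { $action = 'dns-failed' }
    else {
        $shell = Open-VyosShell -VyosHost $VyosHost -KeyFile $KeyFile
        try {
            if ($current -eq $known) {
                [void](Send-VyosCommand -Shell $shell -Command "reset vpn ipsec-peer $current")
                $action = 'reset'
            } else {
                $psk = [Environment]::GetEnvironmentVariable("VYOS_PSK_$($Site.Name)")  # assumed variable name
                if (-not $psk) { throw "no pre-shared secret in VYOS_PSK_$($Site.Name)" }
                Update-VyosPeer -Shell $shell -Site $Site -OldIp $known -NewIp $current -Psk $psk
                Set-Content -Path $Site.StateFile -Value $current
                $action = "re-peered $known -> $current"
            }
        } finally { Close-VyosShell $shell }
    }
    "$(Get-Date -Format 'MM/dd/yyyy HH:mm:ss') $($Site.Name): $action" | Out-File $LogFile -Append
    return $action
}

# Site record built from the values in the post; add one object per clinic.
$bexley = [pscustomobject]@{
    Name = 'Bexley'; ProbeHost = 'BX-SVR-DCDB-01'; PeerName = 'bexleyvet.dyndns.org'
    StateFile = 'C:\temp\bexley\bexley.txt'; AuthId = '54.66.164.57'; EspGroup = 'AWSGL'; IkeGroup = 'AWSGL'
    LocalAddress = '172.16.1.52'; LocalPrefix = '172.16.0.0/16'; RemotePrefix = '10.2.2.0/24'
}
Test-SiteTunnel -Site $bexley -VyosHost 172.16.1.52 -KeyFile 'C:\temp\vpau.pem' -LogFile 'C:\temp\bexley\logs.txt'
```

Scheduling this once a minute gives the same behaviour as the post's script; keeping the secret out of the script file matters because that file, its key and its log usually end up readable by whoever can read the scheduled task.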
With the AWS side now resetting itself automatically, the routers at the clinic end still need a reset from time to time. As mentioned, these are cheap routers: no SSH, no API, only a web page for configuration. I could not think of a good approach right away; a scraper built on Python scrapy looked like overkill, so in the end I simply used the IE COM object to simulate the clicks on the web page.
Once tested, drop it into a scheduled task and let it run.
```powershell
if (Test-Connection -ComputerName aws-svr-dc-01 -Count 2 -Quiet) {
    Write-Host 'Good connection' -ForegroundColor Green
} else {
    # Kill any IE instance left over from a previous run
    $a = Get-Process -Name iexplore -ErrorAction SilentlyContinue
    if ($a -ne $null) { Stop-Process $a }

    $Url      = "https://10.1.1.1"
    $Username = "cisco"
    $Password = "ABC"
    $IE = New-Object -ComObject InternetExplorer.Application
    $IE.Visible = $true
    $IE.Navigate($Url)
    # Wait for the page to finish loading
    while ($IE.Busy -eq $true) { Start-Sleep -s 2 }

    # The router uses a self-signed certificate: click through IE's certificate error page
    if ($IE.Document.url -match "invalidcert") {
        Write-Host "Bypass SSL Error Page" -ForegroundColor Cyan
        $link = $IE.Document.getElementsByTagName('A') | Where-Object { $_.id -eq 'overridelink' }
        Write-Host "Loading Login page "
        $link.click()
        Start-Sleep -s 3
    }

    # Fill in and submit the login form
    $document = $IE.Document
    $form     = $document.forms[0]
    $inputs   = $form.getElementsByTagName("input")
    ($inputs | Where-Object { $_.name -eq "username" }).value = $Username
    ($inputs | Where-Object { $_.name -eq "Password" }).value = $Password
    ($inputs | Where-Object { $_.name -eq "login" }).click()
    while ($IE.Busy -eq $true) { Start-Sleep -s 2 }

    # The menu lives inside an iframe: open the VPN status entry
    $table1 = $IE.Document.IHTMLDocument3_getElementsByTagName('table')
    $p      = ($table1[1].getElementsByTagName("iframe"))[0]    # the 1st frame
    $q      = $p.contentWindow.document
    $table2 = $q.IHTMLDocument3_getElementsByTagName('table')
    $a      = $table2[0].getElementsByTagName('a') | Where-Object { $_.id -eq "menuNode_a_7" }
    $d      = $a.getElementsByClassName('menuDivBg_ChildN')
    $d[0].click()
    while ($IE.Busy -eq $true) { Start-Sleep -s 2 }
    Start-Sleep -s 2

    # Descend into the content iframe and find the button in the tunnel's row.
    # (The table id '*** tunnel status' was masked by the blog's keyword filter; $t2 is not used.)
    $document = $IE.Document
    $form = $document.body.getElementsByTagName('form')[0]
    $d    = $form.getElementsByTagName('div') | Where-Object { $_.id -eq 'bodydiv' }
    $d2   = $d.getElementsByTagName('div') | Where-Object { $_.id -eq 'mainContent' }
    $t3   = $d2.getElementsByTagName('table')                  # contentframe
    $i    = ($t3[0].getElementsByTagName("iframe"))[1]         # the 2nd frame
    $q    = $i.contentWindow.document
    $f    = $q.forms[0]
    $t    = $f.getElementsByTagName('table') | Where-Object { $_.id -eq 'TopPage' }
    $t2   = $t.getElementsByTagName('table') | Where-Object { $_.id -eq '*** tunnel status' }
    $t3   = $t.getElementsByTagName('table') | Where-Object { $_.id -eq 'tblonetoone' }
    $ss   = $t3[0].getElementsByTagName("tr") | Where-Object { $_.id -eq 'tunnel_2_tr' }
    $btn  = $ss.getElementsByTagName("input") | Where-Object { $_.className -eq 'stbutton' }
    "Click once"
    $btn.click()
    while ($IE.Busy -eq $true) { Start-Sleep -s 2 }
    Start-Sleep -s 10

    # The page reloads after the click, so locate the button again and click a second time
    $document = $IE.Document
    $form = $document.body.getElementsByTagName('form')[0]
    $d    = $form.getElementsByTagName('div') | Where-Object { $_.id -eq 'bodydiv' }
    $d2   = $d.getElementsByTagName('div') | Where-Object { $_.id -eq 'mainContent' }
    $t3   = $d2.getElementsByTagName('table')                  # contentframe
    $i    = ($t3[0].getElementsByTagName("iframe"))[1]         # the 2nd frame
    $q    = $i.contentWindow.document
    $f    = $q.forms[0]
    $t    = $f.getElementsByTagName('table') | Where-Object { $_.id -eq 'TopPage' }
    $t2   = $t.getElementsByTagName('table') | Where-Object { $_.id -eq '*** tunnel status' }
    $t3   = $t.getElementsByTagName('table') | Where-Object { $_.id -eq 'tblonetoone' }
    $ss   = $t3[0].getElementsByTagName("tr") | Where-Object { $_.id -eq 'tunnel_2_tr' }
    $btn  = $ss.getElementsByTagName("input") | Where-Object { $_.className -eq 'stbutton' }
    "Click twice"
    $btn.click()
}
```
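The IE automation above, restructured into helpers, as an added example that is not code from the original post. It adds what the script lacks when the router's page changes or loads slowly: a page-load wait with a timeout, an element lookup that throws instead of calling click() on $null, and a single frame-walking function used for both clicks, so the row is located the same way each time. Credentials arrive as a PSCredential rather than plain strings. The element ids and form field names are the ones in the post; Wait-IEReady, Find-Element, Get-TunnelStatusDocument, Reset-RouterTunnel and the router URL are this example's own names and placeholders.

```powershell
# Added example: the post's IE COM click sequence as checked helper functions (not the post's code).
function Wait-IEReady {
    param($IE, [int]$TimeoutSec = 30)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ($IE.Busy -or $IE.ReadyState -ne 4) {       # 4 = READYSTATE_COMPLETE
        if ((Get-Date) -gt $deadline) { throw "page did not finish loading within $TimeoutSec s" }
        Start-Sleep -Seconds 1
    }
}

function Find-Element {
    # First element with tag $Tag whose $Property equals $Value, or an error:
    # a changed router UI then stops the script instead of clicking the wrong thing.
    param($Root, [string]$Tag, [string]$Property, [string]$Value)
    $hit = @($Root.getElementsByTagName($Tag) | Where-Object { $_.$Property -eq $Value })[0]
    if (-not $hit) { throw "no <$Tag> with $Property='$Value' found" }
    return $hit
}

function Get-TunnelStatusDocument {
    # Walks body > form[0] > #bodydiv > #mainContent > table[0] > iframe[1], the path the
    # post uses, and returns the document inside that frame (it holds the tunnel table).
    param($IE)
    $form  = $IE.Document.body.getElementsByTagName('form')[0]
    $main  = Find-Element (Find-Element $form 'div' 'id' 'bodydiv') 'div' 'id' 'mainContent'
    $frame = @($main.getElementsByTagName('table')[0].getElementsByTagName('iframe'))[1]
    if (-not $frame) { throw 'content iframe not found' }
    return $frame.contentWindow.document
}

function Reset-RouterTunnel {
    param([string]$Url, [pscredential]$Credential, [string]$RowId = 'tunnel_2_tr')
    $IE = New-Object -ComObject InternetExplorer.Application
    $IE.Visible = $false
    try {
        $IE.Navigate($Url); Wait-IEReady $IE
        if ($IE.Document.url -match 'invalidcert') {       # self-signed certificate on the router
            (Find-Element $IE.Document.body 'a' 'id' 'overridelink').click(); Wait-IEReady $IE
        }
        $inputs = $IE.Document.forms[0].getElementsByTagName('input')
        ($inputs | Where-Object { $_.name -eq 'username' }).value = $Credential.UserName
        ($inputs | Where-Object { $_.name -eq 'Password' }).value = $Credential.GetNetworkCredential().Password
        ($inputs | Where-Object { $_.name -eq 'login' }).click(); Wait-IEReady $IE

        # Open the VPN status entry in the menu iframe (same ids as in the post)
        $menuFrame = @($IE.Document.body.getElementsByTagName('table')[1].getElementsByTagName('iframe'))[0]
        $menu = Find-Element $menuFrame.contentWindow.document 'a' 'id' 'menuNode_a_7'
        $menu.getElementsByClassName('menuDivBg_ChildN')[0].click(); Wait-IEReady $IE

        # The post clicks the row's button twice, ten seconds apart, re-reading the
        # frame in between because the page reloads; this keeps that behaviour.
        foreach ($n in 1, 2) {
            $doc = Get-TunnelStatusDocument $IE
            $row = Find-Element (Find-Element $doc.forms[0] 'table' 'id' 'tblonetoone') 'tr' 'id' $RowId
            (Find-Element $row 'input' 'className' 'stbutton').click()
            Wait-IEReady $IE; Start-Sleep -Seconds 10
        }
        return $true
    } finally {
        $IE.Quit()                                         # never leave a logged-in IE behind
    }
}

# Usage (URL and credential are placeholders):
# Reset-RouterTunnel -Url 'https://10.1.1.1' -Credential (Get-Credential)
```

Because every lookup throws on a miss, a failed run ends with a clear error in the scheduled task history rather than a silent no-op, which is the main thing the original one-shot script cannot tell you.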
So for now this is basically my solution: scripts on both the AWS server and the router side keep scanning, and as soon as a VPN outage is detected they reset or reconfigure the tunnel. When something breaks, it recovers automatically within about 30 seconds. As my boss put it: if we had bought a $5000 device we would certainly demand zero downtime, but since we are using a $300 device, a few restarts a year and a bit of network instability are okay~
Finally, a hearty contempt for 51's keyword filter: "v-p-n" is blocked, but "virtual private network", "ipsec" and 虚拟专用网 (the Chinese term) are allowed; 医-院 (hospital) is blocked but 诊所 (clinic) is fine.