Test Environment:
(172.17.1.100) IPSec VPN1 (10.12.95.3) ----- (10.12.95.2) IPSec VPN2 (172.17.2.100)
1. Install:
# yum install openswan*
2. Set kernel parameters via sysctl.conf:
Adjust the kernel parameters so that the later ipsec verify run does not report errors.
# vi /etc/sysctl.conf
*********************************************************************
# example entries for /etc/sysctl.conf
# forwarding is needed for subnet or l2tp connections
net.ipv4.ip_forward = 1
# rp_filter is stupid and cannot deal decrypted packets "appearing out of
# nowhere"
net.ipv4.conf.default.rp_filter = 0
# when using 1 interface for two networks, and in some other cases with
# NETKEY, the kernel thinks it can be clever but breaks things.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# these are non-ipsec specific security policies you should use
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
*********************************************************************
# sysctl -p
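The sysctl keys above (ip_forward, rp_filter and the ICMP redirect settings) are exactly the ones ipsec verify tests in step 7. As an added example that is not part of the original post, the script below checks a sysctl.conf-style file, and optionally the running kernel under /proc/sys, for those keys before sysctl -p is run. The required values are taken from the post's file; the function names and the sample file are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: check a sysctl.conf-style
# file, and optionally the running kernel, for the keys that "ipsec verify"
# tests in step 7.  Required values are the ones the post's sysctl.conf sets;
# the function names and the sample file are mine.
set -eu

# key=value pairs from the post's /etc/sysctl.conf that ipsec verify checks
# (forwarding, rp_filter, and the ICMP redirect settings).
REQUIRED='net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0'

# sysctl_value FILE KEY: print the effective value of KEY in FILE.  Comments
# and blank lines are skipped, "key = value" spacing is tolerated, and the
# last occurrence wins, which is what sysctl -p does.  Prints nothing if absent.
sysctl_value() {
    awk -F= -v k="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2) }
        $1 == k { v = $2 }
        END { if (v != "") print v }' "$1"
}

# check_sysctl_conf FILE: report every required key that is missing or has
# the wrong value; return 1 if anything is off, 0 if the file is complete.
check_sysctl_conf() {
    bad=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sysctl_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: want $want, have ${have:-<unset>}"
            bad=1
        fi
    done
    return $bad
}

# check_sysctl_live: same comparison against /proc/sys, which is what
# ipsec verify actually reads; run this after sysctl -p.
check_sysctl_live() {
    bad=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(cat "/proc/sys/$(echo "$key" | tr . /)" 2>/dev/null || echo '<missing>')
        if [ "$have" != "$want" ]; then
            echo "LIVE MISMATCH $key: want $want, have $have"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: the post's file with one send_redirects line commented
# out, the kind of omission ipsec verify flags in step 7.
sample=$(mktemp)
cat > "$sample" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
# net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
check_sysctl_conf "$sample" || echo "fix the file before running sysctl -p"
rm -f "$sample"
```

check_sysctl_conf only reads the file, so it is safe to run as part of a deployment script before anything is applied; check_sysctl_live is the post-apply confirmation and needs the keys to exist on the running kernel.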
3. Copy and modify the example:
# cp /usr/share/doc/openswan-doc*/examples /etc/ipsec.d/hosttohost.conf
# vi /etc/ipsec.d/hosttohost.conf
*********************************************************************
# sample connections
# This file is RCSID $Id: examples,v 1.5 1999/12/13 02:38:16 henry Exp $
# sample tunnel (manually or automatically keyed)
# Here we just use ESP for both encryption and authentication, which is
# the simplest and often the best method.
conn sample
	# left security gateway (public-network address)
	left=10.12.95.3
	# next hop to reach right
	#leftnexthop=10.44.55.66
	# subnet behind left (omit if left end of the tunnel is just the s.g.)
	leftsubnet=172.17.1.0/24
	# right s.g., subnet behind it, and next hop to reach left
	right=10.12.95.2
	#rightnexthop=10.88.77.66
	rightsubnet=172.17.2.0/24
	# (manual) SPI number
	#spi=0x200
	# (manual) encryption/authentication algorithm and parameters to it
	esp=3des-md5-96
	#espenckey=[192 bits]
	#espauthkey=[128 bits]
	authby=secret
	auto=add
*********************************************************************
4. Add the PSK:
# vi /etc/ipsec.secrets
*********************************************************************
include /etc/ipsec.d/*.secrets
10.12.95.3 10.12.95.2 : PSK "1234567890"
10.12.95.2 10.12.95.3 : PSK "1234567890"
5. Modify /etc/ipsec.conf
# vi /etc/ipsec.conf
*********************************************************************
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	# plutodebug="control parsing"
	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
	protostack=netkey
	nat_traversal=yes
	virtual_private=
	oe=off
	# Enable this if you see "failed to find any available worker"
	nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
PS. The VPN gateway on the other side is set up in exactly the same way; just swap the left and right entries in /etc/ipsec.d/hosttohost.conf.
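Steps 3 to 5 are mechanical enough to script. As an added example that is not part of the original post, the helpers below derive the peer gateway's conn file by swapping every left/right key (the "swap left and right" note above), generate a random PSK instead of a short numeric one like the post's 1234567890, write ipsec.secrets with owner-only permissions, and flag the legacy esp=3des-md5-96 transform. The function names are mine; file paths are passed in so the script can be exercised in a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example, not part of the original post.  Helpers for steps 3 to 5:
# derive the peer gateway's conn file by swapping left/right, generate a
# random PSK, write ipsec.secrets with owner-only permissions, and flag a
# legacy esp= choice.  Function names are mine; paths are passed in so the
# script can be exercised in a scratch directory instead of /etc.
set -eu

# mirror_conn IN OUT: the "swap left and right" step from the note above.
# Every key starting with left (leftsubnet, #leftnexthop, ...) becomes the
# matching right key and vice versa; comment text is left untouched.
mirror_conn() {
    sed -e 's/^\([[:space:]]*#*\)left/\1__SWAP__/' \
        -e 's/^\([[:space:]]*#*\)right/\1left/' \
        -e 's/^\([[:space:]]*#*\)__SWAP__/\1right/' "$1" > "$2"
}

# gen_psk: 32 bytes from /dev/urandom as 64 hex characters.  A short
# numeric PSK like the post's "1234567890" is easy to guess offline.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_secrets FILE LEFT RIGHT PSK: one line naming both gateway addresses
# is enough for either end.  The file is created with mode 0600 because
# whoever can read it can impersonate a gateway.
write_secrets() {
    ( umask 077
      printf 'include /etc/ipsec.d/*.secrets\n%s %s : PSK "%s"\n' \
          "$2" "$3" "$4" > "$1" )
}

# weak_esp FILE: true if the conn's esp= line selects 3DES or MD5.  The
# post's esp=3des-md5-96 works but is a legacy transform; Openswan also
# accepts e.g. esp=aes128-sha1.
weak_esp() {
    grep -Eiq '^[[:space:]]*esp=.*(3des|md5)' "$1"
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample: the post's conn section, trimmed to the live keys.
    cat > "$dir/hosttohost.conf" <<'EOF'
conn sample
    left=10.12.95.3
    leftsubnet=172.17.1.0/24
    right=10.12.95.2
    #rightnexthop=10.88.77.66
    rightsubnet=172.17.2.0/24
    esp=3des-md5-96
    authby=secret
    auto=add
EOF
    mirror_conn "$dir/hosttohost.conf" "$dir/hosttohost-peer.conf"
    echo "--- peer side ---"; cat "$dir/hosttohost-peer.conf"
    psk=$(gen_psk)
    write_secrets "$dir/ipsec.secrets" 10.12.95.3 10.12.95.2 "$psk"
    ls -l "$dir/ipsec.secrets"
    weak_esp "$dir/hosttohost.conf" && echo "WARN: legacy esp= transform in conn"
    rm -rf "$dir"
}
demo
```

Because the secrets file is indexed by both gateway addresses, the same file can be installed on both ends; only the conn file differs, and mirror_conn produces that difference without hand editing.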
6. Start IPsec:
# /etc/init.d/ipsec start
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.18-164.6.1.el5...
ipsec_setup: multiple ip addresses, using 10.12.95.3 on eth0
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
7. Run ipsec verify:
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.21/K2.6.18-164.6.1.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: centos.example.com      [MISSING]
   Does the machine have at least one non-private address?      [FAILED]
8. Bring up the IPsec tunnel:
# ipsec auto --up sample
104 "sample" #1: STATE_MAIN_I1: initiate
003 "sample" #1: received Vendor ID payload [Openswan (this version) 2.6.21 ]
003 "sample" #1: received Vendor ID payload [Dead Peer Detection]
003 "sample" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sample" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sample" #1: received Vendor ID payload [CAN-IKEv2]
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "sample" #2: STATE_QUICK_I1: initiate
004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=}
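The two "SA established" lines are the ones that matter: the phase 1 line shows what IKE negotiated for itself (here aes_128, SHA, modp2048, pluto's defaults) and the phase 2 line shows the ESP transform that actually carries the traffic (here 3DES/MD5, because of esp=3des-md5-96 in the conn). As an added example that is not part of the original post, the script below parses that output, refuses to call the tunnel up unless both SAs are present, extracts the SPIs to match against ip xfrm state or a packet capture on the 10.12.95.0/24 link, and warns when the ESP transform is a legacy one. The log is abridged from the post's step 8 output; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: read the status lines that
# "ipsec auto --up sample" prints and turn them into a go/no-go check plus
# a summary of what was actually negotiated.  The log below is abridged from
# the post's step 8 output; the function names are mine.
set -eu

# Constructed input: pluto status lines copied from the post (abridged).
PLUTO_LOG='104 "sample" #1: STATE_MAIN_I1: initiate
003 "sample" #1: received Vendor ID payload [Dead Peer Detection]
003 "sample" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "sample" #2: STATE_QUICK_I1: initiate
004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none}'

# sa_field LOG PHASE KEY: value of KEY inside the {...} block of the phase 1
# line (PHASE=ike, "ISAKMP SA established") or the phase 2 line (PHASE=esp,
# "IPsec SA established").  Empty output means the line or key is absent.
sa_field() {
    case "$2" in
        ike) pat='ISAKMP SA established' ;;
        esp) pat='IPsec SA established' ;;
        *)   return 2 ;;
    esac
    printf '%s\n' "$1" | grep -F "$pat" | sed -n "s/.*[{ ]$3=\([^ }]*\).*/\1/p" | head -n 1
}

# tunnel_up LOG: true only when both SAs were established.  Seeing
# STATE_MAIN_I4 alone means IKE (phase 1) worked but no traffic can flow yet.
tunnel_up() {
    printf '%s\n' "$1" | grep -q 'ISAKMP SA established' &&
    printf '%s\n' "$1" | grep -q 'IPsec SA established'
}

# esp_spis LOG: "outbound inbound" SPIs, the values to match against
# "ip xfrm state" and against ESP packets captured on the 10.12.95.0/24 link.
esp_spis() {
    printf '%s\n' "$1" | sed -n 's/.*ESP=>\(0x[0-9a-f]*\) <\(0x[0-9a-f]*\).*/\1 \2/p'
}

# weak_xfrm LOG: true if the ESP transform uses 3DES or MD5.  In the post's
# log IKE itself negotiated aes_128 / sha / modp2048 (pluto's defaults), but
# the ESP SA that carries the data is 3DES/MD5 because of esp=3des-md5-96.
weak_xfrm() {
    sa_field "$1" esp xfrm | grep -Eiq '3des|md5'
}

# tunnel_summary LOG: human-readable digest; returns 1 if the tunnel is down.
tunnel_summary() {
    if ! tunnel_up "$1"; then
        echo "tunnel NOT established"
        return 1
    fi
    echo "IKE SA : auth=$(sa_field "$1" ike auth) cipher=$(sa_field "$1" ike cipher)" \
         "prf=$(sa_field "$1" ike prf) group=$(sa_field "$1" ike group)"
    echo "ESP SA : xfrm=$(sa_field "$1" esp xfrm) spi(out in)=$(esp_spis "$1")" \
         "natd=$(sa_field "$1" esp NATD)"
    if weak_xfrm "$1"; then
        echo "WARN   : legacy ESP transform; change esp= in the conn and re-run --up"
    fi
    return 0
}

tunnel_summary "$PLUTO_LOG"
```

In a deployment script the output of ipsec auto --up can be captured into a variable and fed to tunnel_summary before the ping test in step 9 is attempted; a successful ping through a tunnel that never reached STATE_QUICK_I2 would just mean the packets went out in the clear via normal routing.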
9. Test:
# ping 172.17.2.100 -I 172.17.1.100 -c 10
PING 172.17.2.100 (172.17.2.100) from 172.17.1.100 : 56(84) bytes of data.
64 bytes from 172.17.2.100: icmp_seq=1 ttl=64 time=1.65 ms
64 bytes from 172.17.2.100: icmp_seq=2 ttl=64 time=0.716 ms
64 bytes from 172.17.2.100: icmp_seq=3 ttl=64 time=1.16 ms
64 bytes from 172.17.2.100: icmp_seq=4 ttl=64 time=1.41 ms
64 bytes from 172.17.2.100: icmp_seq=5 ttl=64 time=1.24 ms
64 bytes from 172.17.2.100: icmp_seq=6 ttl=64 time=1.17 ms
64 bytes from 172.17.2.100: icmp_seq=7 ttl=64 time=1.52 ms
64 bytes from 172.17.2.100: icmp_seq=8 ttl=64 time=0.544 ms
64 bytes from 172.17.2.100: icmp_seq=9 ttl=64 time=0.796 ms
64 bytes from 172.17.2.100: icmp_seq=10 ttl=64 time=1.58 m
Note:
The versions used here were:
openswan-doc-2.6.21-5.el5_4.1
openswan-2.6.21-5.el5_4.1
The example configuration files differ slightly between versions, so take note.
1 comment:
Could you tell me which iptables tables and ports need to be opened so that it does not get blocked?