Date: 2014-05-16   Views: 20848

Configuring an IPsec VPN on Linux

1. Download openswan
www.openswan.org/download/openswan-2.6.tar.gz
    tar zxvf openswan-2.4.7.tar.gz
    cd /usr/local/src/openswan-2.4.7
    make programs
    make install
    export KERNELSRC=/usr/src/kernels/2.6.XX
    make module
    make minstall
    depmod -a
    modprobe ipsec
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "0" > /selinux/enforce

Check the installation:
# ipsec --version


2. Configuration
There are two main configuration files: ipsec.conf and ipsec.secrets.

Network one: the server's internal interface eth0 has address 192.168.43.2 and its external interface eth1 has address 203.86.61.172; this host is left, with the LAN 192.168.43.0/24 behind it.
Network two: the server's internal interface eth0 has address 192.168.222.2 and its external interface eth1 has address 203.86.61.173; this host is right, with the LAN 192.168.222.0/24 behind it.
nat


ipsec newhostkey --output /etc/ipsec.secrets
Run the command above on both the left and right servers to generate their host keys.

Edit the file: nano /etc/ipsec.conf

conn network-to-network
        left=203.86.61.173
        leftsubnet=192.168.222.0/24
        leftid=@left
        # RSA 2192 bits   left   Tue Mar 13 14:55:48 2007
        leftrsasigkey=0sAQPW/s8yMYIAPS97rK2JESc0ZOMrcuE2sFSdsfh++JGe97t7m1As+QPiVyLP6KuWlLBjIJzwvpUbipiCmKjmNKXZ+eS0dtAw1faVpVxa+7DJLgAnHjyafYW3SxXRF/xEp0HBckJNeGtjJheqtmWggUa6WejjhPNosmA7Zyj07ikW05JZYvUNf2uFBBupRMC0kwmFRpdah2IiDSecOy57LkACS6AFhX60PTh0Eip1N0cJUXjbrS95KudcPYsXpw6bKQbHl/Vku+0RfqIfZ2tXXcqj5OKJSeMp1fh6Bt+zh8T5qPZJNvU19xJufdSDQmaxI4XaGHwKmA1KIBotVS4F+0DVn0mvDIf1HfF/YNsKPiI9diJn
        leftnexthop=%defaultroute
        right=203.86.61.172
        rightsubnet=192.168.43.0/24
        rightid=@right
        # RSA 2192 bits   right   Sun Mar 11 02:17:24 2007
        rightrsasigkey=0sAQO/ygUllGNfYd/3athFYSqb6GUdp18oMZ2LdOa3ToJCGATpJp6/C/0BpShGybNtb95kyKI63mVnWkYmN6NUW5qZJpMSnR5nWAVyHaNF1KbQ9j6ZhGLX0kRb80NNXPRCEpOCKDfqKtF0CbqghbqCtv2wV+gjt3MSO3d9WXWOT5xXJIwLohV+hA/rGrAMAz4Axcl9RudFnkKr3g0KYp86YktAPYJt8xBtqBFWdIO0WncWB3F/XpZKZdUMJ78M50yOHlBqOOnemkAnVfFFGCBJj27aheDFpp1QPhRdqjExsHK5mT3uKxJPehOqoJaIqcHMHJlBUxXNhGz5+T/AiaLkiwtbtHQjIWAtyUklbGUAql8EG1o9
        rightnexthop=%defaultroute
        auto=add

Do not copy the leftrsasigkey and rightrsasigkey lines; you must generate your own.
How to generate them:
On the left machine:
    ipsec showhostkey --left >> /etc/ipsec.conf   ( >> appends to the end of the file )
On the right machine:
    ipsec showhostkey --right > rightrsasigkey.tmp

Make sure the ipsec.conf files on left and right are configured identically; since the rsasigkey values generated by the two servers differ, copy and paste each server's rsasigkey into the other's file.

Verify ipsec:

# ipsec verify

If no errors appear, the configuration is successful.

Run the following command on both servers to start the VPN:
ipsec auto --up network-to-network
Check whether the tunnel has been established:
On the right server, run
ipsec eroute
On the left server, run
ipsec eroute

If output appears, run
ipsec look

If the configuration is correct, the two LANs can ping each other.

-------------------------------------

About this:

NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

vi /etc/sysctl.conf   (create it; LFS does not ship this file)
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0


Then run: # sysctl -p

Then check again whether it succeeds:

# ipsec verify
