Lclient ------------> Lserver .................. Rserver <------------ Rclient
172.16.10.16          10.86.10.17                10.86.10.18           192.168.10.16
First make sure that:

    lclient can ping lserver and rserver
    rclient can ping rserver and lserver
Install the EPEL repository:

    rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
    yum clean all
    yum makecache
Install the base packages IPsec needs:

    yum -y install ipsec-tools
    yum -y install gmp gmp-devel gawk flex bison
Configure kernel parameters:

    cp /etc/sysctl.conf /etc/sysctl.conf.bak-$(date +%F)
    cat >> /etc/sysctl.conf <<EOF
    #create for darren
    net.ipv4.ip_forward = 1
    # ipsec verify expects rp_filter off; note that this relaxes reverse-path (anti-spoofing) checks on the gateway
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296
    # ipsec verify also expects ICMP redirects disabled on every interface
    net.ipv4.conf.eth1.send_redirects = 0
    net.ipv4.conf.eth1.accept_redirects = 0
    net.ipv4.conf.eth0.send_redirects = 0
    net.ipv4.conf.eth0.accept_redirects = 0
    net.ipv4.conf.lo.send_redirects = 0
    net.ipv4.conf.lo.accept_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.all.accept_redirects = 0
    #create for Darren 2016/9/4
    EOF
    sysctl -p    # apply the new values now rather than at the next boot
Configure time synchronisation:

    ntpdate pool.ntp.org
    echo '*/5 * * * * /usr/sbin/ntpdate pool.ntp.org' >> /var/spool/cron/root
Download and build Openswan:

    mkdir -p /home/darren/tools
    cd /home/darren/tools
    wget https://download.openswan.org/openswan/openswan-2.6.42.tar.gz
    tar zxf openswan-2.6.42.tar.gz    # unpack the tarball before building
    cd openswan-2.6.42
    make programs
    make install
Verify the installation:

    ipsec --version                                    # show the version
    ipsec verify                                       # check the system configuration
    echo '1' > /proc/sys/net/core/xfrm_larval_drop     # fixes the error reported by ipsec verify
    /etc/init.d/ipsec start                            # start ipsec
Fixing the perl build problem:

    echo 'export LC_ALL=C' >> /etc/profile
    tail -1 /etc/profile
    source /etc/profile
Configuring Openswan:

The main Openswan configuration files are:

    /etc/ipsec.secrets    # holds the private RSA keys and preshared secrets
    /etc/ipsec.conf       # main configuration file (settings, options, defaults, connections)
Configuring Openswan with RSA digital-signature authentication

1. Generate a new hostkey on Lserver and on Rserver:

    cp /etc/ipsec.secrets /etc/ipsec.secrets.$(date +%F)
    ipsec newhostkey --output /etc/ipsec.secrets
Pitfall here: key generation can run for a very long time without finishing.

    First, check whether ipsec is running: /etc/init.d/ipsec start
    Second, if it still does not work, switch to a different version.
2. On Lserver, run the following to obtain leftrsasigkey (Lserver's public key):

    ipsec showhostkey --left > /tmp/key.log
3. On Rserver, run the following to obtain rightrsasigkey (Rserver's public key):

    ipsec showhostkey --right > /tmp/key.log
4. Edit /etc/ipsec.conf on Lserver and on Rserver

Left side:

    cp /etc/ipsec.conf /etc/ipsec.conf.$(date +%F)
    vi /etc/ipsec.conf

    #create by darren.
    #http://www.w501.pw
    version 2.0
    config setup
        nat_traversal=yes
        virtual_private=%v4:192.1.1.0/16,%v4:172.1.1.0/12
        oe=off
        protostack=netkey
    conn left_lan
        leftsubnet=172.1.1.0/24
        also=A-B
    conn right_lan
        rightsubnet=192.1.1.0/24
        also=A-B
    ###############################################
    conn A-B
        left=10.86.10.17
        leftid=@left
        #leftsubnet=172.1.1.0/24    # if the left_lan conn above is not used, uncomment this line
        # rsakey AQOgG5Gq4
        # leftrsasigkey=    the key here must be copied from /tmp/key.log on Lserver
        leftnexthop=%defaultroute
        right=10.86.10.18
        rightid=@right
        #rightsubnet=192.168.1.0/24
        # rsakey AQNDxTfqK
        #rightrsasigkey=    the key here must be copied from /tmp/key.log on Rserver
        rightnexthop=%defaultroute
        auto=start
Right side:

    cp /etc/ipsec.conf /etc/ipsec.conf.$(date +%F)
    vi /etc/ipsec.conf

Same as the left side; copy the file straight over.
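As an added example (not code from the original post), a small POSIX shell check for the step-4 pitfall: it reads a conn from ipsec.conf and refuses to proceed while leftrsasigkey=/rightrsasigkey= are still commented placeholders, or while both sides carry the same key (one server's /tmp/key.log pasted twice). The sample conn it writes and its 0s... key strings are constructed placeholders, not real hostkeys; it assumes only awk and a POSIX shell.

```shell
# Added example, not from the original post: refuse to start the tunnel while
# /etc/ipsec.conf still carries the step-4 placeholder comments instead of real
# leftrsasigkey=/rightrsasigkey= values. All keys below are constructed.

# Print the value of KEY inside "conn NAME" of FILE; commented lines are ignored.
conn_value() {
    awk -v conn="$2" -v key="$3" '
        /^conn[ \t]+/            { in_conn = ($2 == conn); next }   # section header
        /^[ \t]*#/ || /^[ \t]*$/ { next }                           # comment or blank
        in_conn {
            sub(/^[ \t]+/, "")                                      # drop indentation
            if (index($0, key "=") == 1) { print substr($0, length(key) + 2); exit }
        }' "$1"
}

# Exit 0 only when conn NAME in FILE is ready for RSA-signature authentication.
check_rsa_conn() {
    file=$1; conn=$2; rc=0
    lkey=$(conn_value "$file" "$conn" leftrsasigkey)
    rkey=$(conn_value "$file" "$conn" rightrsasigkey)
    case $lkey in 0s*) ;; *) echo "$conn: leftrsasigkey missing (expected 0s...)";  rc=1 ;; esac
    case $rkey in 0s*) ;; *) echo "$conn: rightrsasigkey missing (expected 0s...)"; rc=1 ;; esac
    if [ -n "$lkey" ] && [ "$lkey" = "$rkey" ]; then
        echo "$conn: both sides carry the same key; each gateway must publish its own hostkey"; rc=1
    fi
    for side in left right; do   # the gateway addresses must be set too
        [ -n "$(conn_value "$file" "$conn" "$side")" ] || { echo "$conn: $side= missing"; rc=1; }
    done
    return $rc
}

# Write a constructed conn A-B (same shape as the post's) to FILE with the given key lines.
write_sample() {
    cat > "$1" <<EOF
conn A-B
    left=10.86.10.17
    leftid=@left
    $2
    right=10.86.10.18
    rightid=@right
    $3
    auto=start
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/template.conf" '# leftrsasigkey=paste /tmp/key.log here' '#rightrsasigkey=paste /tmp/key.log here'
write_sample "$tmp/filled.conf" 'leftrsasigkey=0sAQOgG5Gq4CONSTRUCTED' 'rightrsasigkey=0sAQNDxTfqKCONSTRUCTED'
check_rsa_conn "$tmp/template.conf" A-B || echo "template rejected, as expected"
check_rsa_conn "$tmp/filled.conf" A-B && echo "filled config accepted"
rm -rf "$tmp"
```

Run it against /etc/ipsec.conf on both gateways before restarting ipsec; it does not follow also= includes, so point it at the conn that actually holds the keys.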
At this point clients A and B cannot reach the internet; iptables needs to be set up on the L and R servers.

A:

    # note: this rule also rewrites LAN traffic bound for the remote LAN; with the netkey stack such traffic must be exempted from NAT or it will not match the IPsec policy
    iptables -t nat -A POSTROUTING -s 172.1.1.0/24 -j SNAT --to-source 10.86.10.17
    echo 'iptables -t nat -A POSTROUTING -s 172.1.1.0/24 -j MASQUERADE' >> /etc/rc.local

B:

    iptables -t nat -A POSTROUTING -s 192.1.1.0/24 -o eth0 -j MASQUERADE
    echo 'iptables -t nat -A POSTROUTING -s 192.1.1.0/24 -j MASQUERADE' >> /etc/rc.local
Restart ipsec on each server:

A:

    /etc/init.d/ipsec restart
    chkconfig ipsec on

B:

    /etc/init.d/ipsec restart
    chkconfig ipsec on
This article is reposted from 王家东哥's 51CTO blog; original link: http://blog.51cto.com/xiaodongge/1919502