模板
教程
环境
性能
功能
管理
openswan实验
本实验在RedHat Enterprise Linux 4, Kernel 2.6.9上通过
Author: Iry
Date: June 10, 2005
openswan 在Linux kernel 2.6上,的使用
本实验在RedHat Enterprise Linux 4, Kernel 2.6.9上通过
step 1: 安装两台Linux机器, 示意图如下:
[PC 1 192.168.19.200/24] <----> [vpn_gw_1 192.168.19.100/24 172.16.1.100/24]
^
|
|
V
[PC 2 192.168.9.200/24] <----> [vpn_gw_2 192.168.9.100/24 172.16.1.100/24]
step 2: 在两台Linux机器上安装 openswan 2.3.1
[root@vpn_gw_1 ~]# tar -zxvf openswan-2.3.1.tar.gz
[root@vpn_gw_1 ~]# cd openswan-2.3.1
[root@vpn_gw_1 openswan-2.3.1]# make programs
[root@vpn_gw_1 openswan-2.3.1]# make install
[root@vpn_gw_1 openswan-2.3.1]# make KERNELSRC=/lib/modules/`uname -r`/build module minstall
over!
step 3: 修改配置文件
这里有两个配置文件需要修改 /etc/ipsec.conf and /etc/ipsec.secrets
eg.
//file /etc/ipsec.conf
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-loggin controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug="control parsing"
# Add connections here
# sample VPN connection
conn sample
# Left security gateway, subnet behind it, next hop toward right
left=172.16.1.100
leftesubnet=192.168.19.0/24
leftnexthop=172.16.1.1
# Right security gateway, subnet behind it, next hop toward left.
right=172.16.1.1
rightsubnet=192.168.9.0/24
rightnexthop=172.16.1.100
# To authorize this connecion, but not acturally start it, at startupp,
# uncomment this
auto=start
authby=secret
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
//file /etc/ipsec.secrets
172.16.1.100 172.16.1.1: PSK "111111"
vpn_gw_1 的配置文件如上所示, vpn_gw_2 的配置文件和上面的基本一致,
只需要172.16.1.1|172.16.1.100 192.168.19.0/24|192.168.9.0/24 互换即可.
step 4: 启动Openswan
[root@vpn_gw_1 openswan-2.3.1]# ipsec setup start
ipsec_setup: Starting Openswan IPsec 2.3.1...
ipsec_setup: insmod /lib/modules/2.6.9-5.EL/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-5.EL/kernel/net/ipv4/xfrm4_tunnel.ko
OK!
[root@vpn_gw_1 openswan-2.3.1]# ipsec look
vpn_gw_1 Fri Jun 10 12:59:20 CST 2005
cat: /proc/net/ipsec_spigrp: No such file or directory
cat: /proc/net/ipsec_eroute: No such file or directory
egrep: /proc/net/ipsec_tncfg: No such file or directory
sort: open failed: /proc/net/ipsec_spi: No such file or directory
DEstination Gateway Genmask Flags MSS Widnow irtt Iface
0.0.0.0 172.16.1.1 0.0.0.0 UG 0 0 0 eth0
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.9.0 172.16.1.1 255.255.255.0 UG 0 0 0 eth0
这里显示有几个文件没有找到, 是因为我在这里只是使用了openswan的用户空间工具, 而使用了kernel 2.6的IPsec协议栈;
在kernel 2.6的IPsec实现中没有这几个/proc文件,在kernel 2.4中是由openswan的KLIPS实现的,
这里没有安装KLIPS当然就没有了(这是我的猜测,欢迎更正,补充)
既然没有这样几个文件,我们就不能再使用 ipsec look来查看VPN连接是否建立成功了, kernel 2.6 IPsec实现有相应的用户
空间工具: ipsec-tools(setkey)
我们用setkey来查看VPN连接是否建立成功
[root@vpn_gw_1 openswan-2.3.1]# setkey -D
172.16.1.100 172.16.1.1
esp mode=tunnel spi=4165626355(0xf84a69f3) reqid=16385(0x00004001)
E: aes-cbc 76b0e8a2 4941b4ff 969465c0 21f562f8
A: hmac-sha1 6c92039e 92e56237 81bf6974 64f8e57b 39d3162b
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Jun 10 13:39:50 2005 current: Jun 10 14:16:20 2005
diff: 2190(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=4339 refcnt=0
172.16.1.100 172.16.1.1
esp mode=tunnel spi=2917127540(0xaddfd574) reqid=16385(0x00004001)
E: aes-cbc 2e94clearcase/" target="_blank" >ccfc 6e62f0bc c711c7f6 c5ae561a
A: hmac-sha1 4cb969cb 0dc037d9 7cc50108 8da34275 335bcd2e
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Jun 10 13:38:43 2005 current: Jun 10 14:16:20 2005
diff: 2257(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=4339 refcnt=0
172.16.1.1 172.16.1.100
esp mode=tunnel spi=3441132601(0xcd1b8439) reqid=16385(0x00004001)
E: aes-cbc 1f32ff6f 8d1f1c5f f8c361e7 394b63a0
A: hmac-sha1 d7c31f11 4c79270a bd95fca7 504f6149 6eb5398d
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Jun 10 13:39:50 2005 current: Jun 10 14:16:20 2005
diff: 2190(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=4339 refcnt=0
172.16.1.1 172.16.1.100
esp mode=tunnel spi=1859760364(0x6ed9b0ec) reqid=16385(0x00004001)
E: aes-cbc 1c5463c3 a5cf9087 36dc587b e3c5e8bd
A: hmac-sha1 dc327a9f 4efe9a70 e9f58251 c73c92cd a070c32c
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Jun 10 13:38:41 2005 current: Jun 10 14:16:20 2005
diff: 2259(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=4339 refcnt=0
从上面可以看出双方向的SA,都已经建立成功,也就是说VPN连接已经成功的建立起来了.
可以从PC 1 ping PC 2 看看, 应该没有问题了.
后记: 一点说明
为了让VPN的建立足够简单,我没有启动iptables, 清空所有的规则,默认策略设置为空:
[root@vpn_gw_1 openswan-2.3.1]# iptables -P INPUT ACCEPT
[root@vpn_gw_1 openswan-2.3.1]# iptables -P FORWARD ACCEPT
[root@vpn_gw_1 openswan-2.3.1]# iptables -P OUTPUT ACCEPT
[root@vpn_gw_1 openswan-2.3.1]# iptables -F
[root@vpn_gw_1 openswan-2.3.1]# iptables -X
打开两台Linux机器的路由转发:
[root@vpn_gw_1 openswan-2.3.1]# echo 1 > /proc/sys/net/ipv4/ip_forward
这一点很重要,不然两台PC机是不能互相通信的,我有好几次忘记了打开,吃了苦头.
当你使用的kernel>=2.6.10的时候,必须使用ipsec-tools>=0.5
