
Installing openswan on CentOS 6.4

Date: 2015-06-06 03:47  Source: 51cto.com  Author: IT

1. Environment

System: CentOS 6.4 x64, minimal install

R-Server    eth0    192.168.3.72
            eth1    10.1.1.72
R-Client    eth0    10.1.1.74
L-Server    eth0    192.168.3.71
            eth1    172.16.10.71
L-Client    eth0    172.16.10.74

Note: all work on R-Client and L-Client is done over ssh through their respective gateways.

2. Configure the EPEL repository and ntp time synchronization on R-Server and L-Server

R-Server:

[root@R-Server ~]# rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Retrieving http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
warning: /var/tmp/rpm-tmp.xTUJx4: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
[root@R-Server ~]# sed -i 's@#b@b@g' /etc/yum.repos.d/epel.repo
[root@R-Server ~]# sed  -i 's@mirrorlist@#mirrorlist@g' /etc/yum.repos.d/epel.repo
[root@R-Server ~]# yum -y install ntp
[root@R-Server ~]# echo "*/10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org  &>/dev/null" >/var/spool/cron/root
[root@R-Server ~]# ntpdate asia.pool.ntp.org
 5 Jun 10:07:39 ntpdate[1563]: step time server 218.189.210.3 offset 157.466990 sec
[root@R-Server ~]# hwclock -w

3. System initialization before installation

R-Server and L-Server perform the same steps.

Enable IP forwarding

[root@R-Server ~]# egrep "ip_forward|rp_filter" /etc/sysctl.conf 
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0    # make sure this value is correct

Disable ICMP redirects

[root@R-Server ~]# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >>/etc/sysctl.conf 
[root@R-Server ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
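As an added check (not part of the original article), the script below parses `sysctl -a` / `sysctl -p` style output and flags every key that the steps above require but that is still wrong. It checks `conf.all` and every per-interface entry, not only `conf.default`, because the kernel applies the larger of `conf.all` and `conf.<if>` for `rp_filter`, and the redirect settings are evaluated per interface. The sample output is constructed.

```python
import re

# Kernel settings an Openswan NETKEY gateway needs (this section of the article): forwarding on,
# reverse-path filtering off and ICMP redirects off on every ipv4 interface entry.
RULES = (
    (re.compile(r"^net\.ipv4\.ip_forward$"), "1"),
    (re.compile(r"^net\.ipv4\.conf\..+\.rp_filter$"), "0"),
    (re.compile(r"^net\.ipv4\.conf\..+\.(accept|send)_redirects$"), "0"),
)
LINE_RE = re.compile(r"^([\w.]+)\s*=\s*(\S+)$")

def parse_sysctl(text):
    """Turn `sysctl -a` output into {key: value}, skipping anything that is not key = value."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def ipsec_sysctl_violations(text):
    """Return sorted (key, actual, expected) for every setting that breaks the rules above."""
    settings = parse_sysctl(text)
    bad = [(key, val, expected)
           for key, val in settings.items()
           for pattern, expected in RULES
           if pattern.match(key) and val != expected]
    if "net.ipv4.ip_forward" not in settings:  # absent counts as not enabled
        bad.append(("net.ipv4.ip_forward", None, "1"))
    return sorted(bad)

# Constructed sample: `sysctl -p` output like the article's, except conf.all.rp_filter was
# never set (the article only sets conf.default) and eth1 still sends redirects.
SAMPLE = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 1
net.ipv4.tcp_syncookies = 1
"""

if __name__ == "__main__":
    for key, actual, expected in ipsec_sysctl_violations(SAMPLE):
        print("%s = %s (want %s)" % (key, actual, expected))
```

On a real gateway, feed it `sysctl -a` output (for example via `subprocess`) instead of the constructed sample.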

4. Install openswan

R-Server:

[root@R-Server ~]# yum install openswan lsof -y
 
# run the following command to confirm the installation is correct
[root@R-Server ~]# ipsec --version
Linux Openswan U2.6.32/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.
 
# start ipsec
[root@R-Server ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
 
# check the status
[root@R-Server ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.x86_64 (netkey)
Checking for IPsec support in kernel                           [OK]
 SAref kernel support                                         [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects             [OK]
NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
Checking that pluto is running                                [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                         [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing                                 [OK]
Checking for 'ip' command                                     [OK]
Checking /bin/sh is not /bin/dash                            [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                              [DISABLED]

L-Server:

[root@L-Server ~]# yum install openswan lsof -y
[root@L-Server ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
[root@L-Server ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.x86_64 (netkey)
Checking for IPsec support in kernel                           [OK]
 SAref kernel support                                         [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects             [OK]
NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
Checking that pluto is running                                [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                         [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing                                 [OK]
Checking for 'ip' command                                     [OK]
Checking /bin/sh is not /bin/dash                            [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                              [DISABLED]

5. Authentication and configuration

5.1 Configuring RSA Signature (RSA digital signature) authentication

Openswan supports several authentication methods, including RSA keys, pre-shared keys and X.509 certificates. RSA Signature is the simplest, so I will first introduce the commands we are going to use.

Generate a new RSA key pair:
ipsec newhostkey --output /etc/ipsec.secrets
Print the RSA Sig in left or right format:
ipsec showhostkey --left (or --right)

With these commands we can configure a net-to-net setup, that is, gateway-to-gateway communication. The Linux hosts act as the gateways for the tunnel and as the exit point of their subnets; this is transparent to users on those subnets, and once the tunnel is up the remote subnet can be reached as if it were the local LAN.

L-Server:

# shorten RSA key generation time (this replaces the blocking /dev/random with /dev/urandom system-wide, which weakens the entropy guarantee for the key being generated)
[root@L-Server ~]# rm -rf /dev/random
[root@L-Server ~]# ln -s /dev/urandom /dev/random
 
# generate the key
[root@L-Server ~]# ipsec newhostkey --output /etc/ipsec.d/ipsec.secrets
Generated RSA key pair using the NSS database
[root@L-Server ~]# ipsec showhostkey --left
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
    # rsakey AQPAmogsx
    leftrsasigkey=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   

L-Server:

Edit the /etc/ipsec.conf file

[root@L-Server ~]# egrep -v "^$|^#|^[[:space:]]+#" /etc/ipsec.conf 
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
conn net-to-net
    left=192.168.3.71
    leftsubnet=172.16.10.0/24
    leftrsasigkey=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
    leftnexthop=%defaultroute
    right=192.168.3.72
    rightsubnet=10.1.1.0/24
    rightrsasigkey=0sAQPMOO3f17FCNCRu+kPilQGitId8+4HEvWm+GovVuFeemer+OxPcA3Nf67i16fS0BGIIfNafJ6vgjS1wu2cOPDbOYv6dG/gptfFm42ByQI/qQKNMhiMNK4STal94hfswM1dm309yBVTbUm/g/ychSboBIFIW6kShhF8y8wGBWPvu/FlR8nGLNvdSIdPd0tGGnCEZAXHBc75v0eZ3x4zxv5tefAVDlPScQ1+dYwAJbgzHAXNjVCMUtn1qyHHAvmQsMTNFx6CQBSBWmCmCHPvXFBy3raR4XL7voNiOn1FyyINEsiDE+fY1ogkRj4NmW7ZQHxfCS6b9S3SbS9sAwz19awnK7LbFwkFpwR9muuBSkCTq+ZaX5bM0BRPeUXje9IfD+4bCzT8KO4gli1eDX42HW9EK4/1/tFQrHngiPgpz9tYMVuk1sNQpEd2mWgPtglh6/2pOusrIBqfj2vPXQ+LMeCvrbWyKN7UgSyj0Fz8/IdBzXlId2iOQCKKXOuLA8tDbE0tNTBE+kvRpjQP/dFWUZCKg0rbiFvfbBHPnHyXf7KnpktQqVlHBYyfp2bWdinSVFUeiv5LejzpOfCtQscLQOJpNWxJkjoR3GiICrmACnl0=
    rightnexthop=%defaultroute
    auto=add

R-Server:

# shorten RSA key generation time (this replaces the blocking /dev/random with /dev/urandom system-wide, which weakens the entropy guarantee for the key being generated)
[root@R-Server ~]# rm -rf /dev/random
[root@R-Server ~]# ln -s /dev/urandom /dev/random
 
# generate the key
[root@R-Server ~]# ipsec newhostkey --output /etc/ipsec.d/ipsec.secrets
Generated RSA key pair using the NSS database
[root@R-Server ~]# ipsec showhostkey --left
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
    # rsakey AQPMOO3f1
    leftrsasigkey=0sAQPMOO3f17FCNCRu+kPilQGitId8+4HEvWm+GovVuFeemer+OxPcA3Nf67i16fS0BGIIfNafJ6vgjS1wu2cOPDbOYv6dG/gptfFm42ByIFIW6kShhF8y8wGBWPvu/FlR8nGLNvdSIdPd0tGGnCEZAXHBc75v0eZ3x4zxv5tefAVDlPScQ1+dYwAJbgzHAXNjVCMUtn1qyHHAvmQsMTNFx6CQBSBWmCmCHPvXFBy3S3SbS9sAwz19awnK7LbFwkFpwR9muuBSkCTq+ZaX5bM0BRPeUXje9IfD+4bCzT8KO4gli1eDX42HW9EK4/1/tFQrHngiPgpz9tYMVuk1sNQpEd2mWgPtglh6/2pOusrIOuLA8tDbE0tNTBE+kvRpjQP/dFWUZCKg0rbiFvfbBHPnHyXf7KnpktQqVlHBYyfp2bWdinSVFUeiv5LejzpOfCtQscLQOJpNWxJkjoR3GiICrmACnl0=
    
# restart the ipsec service
[root@L-Server ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...

R-Server:

Edit /etc/ipsec.conf

[root@R-Server ~]# egrep -v "^[[:space:]]+#|^$|^#" /etc/ipsec.conf 
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
conn net-to-net
    left=192.168.3.72
    leftsubnet=10.1.1.0/24
    leftrsasigkey=0sAQPMOO3f17FCNCRu+kPilQGitId8+4HEvWm+GovVuFeemer+OxPcA3Nf67i16fS0BGIIfNafJ6vgjS1wu2cOPDbOYv6dG/gptfFm42ByQI/qQKNMIFIW6kShhF8y8wGBWPvu/FlR8nGLNvdSIdPd0tGGnCEZAXHBc75v0eZ3x4zxv5tefAVDlPScQ1+dYwAJbgzHAXNjVCMUtn1qyHHAvmQsMTNFx6CQBSBWmCmCHPvXFBy3S3SbS9sAwz19awnK7LbFwkFpwR9muuBSkCTq+ZaX5bM0BRPeUXje9IfD+4bCzT8KO4gli1eDX42HW9EK4/1/tFQrHngiPgpz9tYMVuk1sNQpEd2mWgPtglh6/2pOusrIOuLA8tDbE0tNTBE+kvRpjQP/dFWUZCKg0rbiFvfbBHPnHyXf7KnpktQqVlHBYyfp2bWdinSVFUeiv5LejzpOfCtQscLQOJpNWxJkjoR3GiICrmACnl0=
    leftnexthop=%defaultroute
    right=192.168.3.71
    rightsubnet=172.16.10.0/24
    rightrsasigkey=0sAQPAmogsxNVCtDDP8MyhufHBLFT4ki9bprm0G7QCUEOQgehhyqVIlRgq6gqytUbaGW/thiNc4NIiG/Kyk6deha6Xv7H2CvGkIU7W+fcbe/ysgT382laVgYGJGAbXSsDTHBOrfPEeHJGxvzBIitCJV8pQQbekwXHE1Ci1YQXWcpwkSvdqYAJdxxS6bbviQxHwI04Om9bKBOMFz3cvHN38yPtZUfo99FkYhKhxzBUBfUsPT0R87/5jnZz6cGWmZrHA7Z4B9I8qOXuq67jNFTK+M2Y4O9sFm6zQqvsIYI0fnC2ItvxmskDyqrm4Y6J1LyHhYAqtob139Nugd6/jnuOmpcW6sK1iXvU/Qh7McKMy4dnXc67wTqHzcjrbBfU7BO25qvZJijVCRQiUJo9puVPligXZpGnnvPZx0tFV7Wep9SSZtqfkjeHt/jimdxnYMCl3oJ8F7Z1srQcRGqdn4736pOAm8/OYN7KTAK0/hqY502v6Qt85HXlVfTshbsKrEjDQYLJXHURVOq1LNrZDdQ/BvG76eyFc54fB2l5Tntgyn0tIGIsasaBQGZWSce6ycymaxORpaWy6d739Gq2ylFXyiMEmxXc56kIo0gz0hwgQQ88=
    rightnexthop=%defaultroute
    auto=add
    
# restart the ipsec service
[root@R-Server ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64... 

Pay attention to the left/right IP values: for ipsec, the local side is always treated as left and the peer as right.
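Added example (not from the original article): a small Python checker that parses the `conn net-to-net` section of both gateways' ipsec.conf and confirms that every left* parameter on one side equals the matching right* parameter on the other, which is the invariant the note above describes. The two configs are constructed from the article's addresses with placeholder RSA keys; the R-Server copy carries a wrong `right=` address so that the mismatch is reported.

```python
# Every left<suffix> on gateway A must equal right<suffix> on gateway B, and vice versa.
MIRRORED_SUFFIXES = ("", "subnet", "rsasigkey", "nexthop")

def parse_conn(conf_text, conn_name):
    """Return the key=value parameters of one 'conn <name>' section of an ipsec.conf."""
    params, in_conn = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            in_conn = line.split() == ["conn", conn_name]
        elif in_conn and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip()
    return params

def mirror_mismatches(conf_a, conf_b, conn="net-to-net"):
    """Return (param_on_a, value_on_a, param_on_b, value_on_b) for each pair that is not mirrored."""
    a, b = parse_conn(conf_a, conn), parse_conn(conf_b, conn)
    problems = []
    for suffix in MIRRORED_SUFFIXES:
        for mine, theirs in (("left" + suffix, "right" + suffix), ("right" + suffix, "left" + suffix)):
            if a.get(mine) != b.get(theirs):
                problems.append((mine, a.get(mine), theirs, b.get(theirs)))
    return problems

# Constructed sample configs: addresses from the article, RSA keys are placeholders.
L_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification
conn net-to-net
    left=192.168.3.71
    leftsubnet=172.16.10.0/24
    leftrsasigkey=0sKEY-OF-L-SERVER-PLACEHOLDER
    right=192.168.3.72
    rightsubnet=10.1.1.0/24
    rightrsasigkey=0sKEY-OF-R-SERVER-PLACEHOLDER
"""
# R-Server's view: left/right swapped, plus a typo in right= (192.168.1.71 instead of .3.71).
R_CONF = """\
conn net-to-net
    left=192.168.3.72
    leftsubnet=10.1.1.0/24
    leftrsasigkey=0sKEY-OF-R-SERVER-PLACEHOLDER
    right=192.168.1.71
    rightsubnet=172.16.10.0/24
    rightrsasigkey=0sKEY-OF-L-SERVER-PLACEHOLDER
"""

if __name__ == "__main__":
    print(mirror_mismatches(L_CONF, R_CONF))
```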

This article comes from the "ly36843运维" blog; please retain this source: http://ly36843.blog.51cto.com/3120113/1658387