> CentOS > CentOS教程 >

CentOS6.4安装openswan

时间:2015-06-06 03:47  来源:51cto.com   作者:IT

一、环境

系统:CentOS 6.4x64最小化安装

R-Server    eth0    192.168.3.72

        eth1    10.1.1.72

R-Client    eth0    10.1.1.74

L-Server    eth0    192.168.3.71

        eth1    172.16.10.71

L-Client    eth0    172.16.10.74

注:所有在R-Client和L-Client都通过各自的网关ssh过去进行操作

二、R-Server和L-Server配置epel源和ntp时间同步

R-Server:

[root@R-Server ~]# rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Retrieving http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
warning: /var/tmp/rpm-tmp.xTUJx4: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
[root@R-Server ~]# sed -i 's@#b@b@g' /etc/yum.repos.d/epel.repo
[root@R-Server ~]# sed  -i 's@mirrorlist@#mirrorlist@g' /etc/yum.repos.d/epel.repo
[root@R-Server ~]# yum -y install ntp
[root@R-Server ~]# echo "*/10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org  &>/dev/null" >/var/spool/cron/root
[root@R-Server ~]# ntpdate asia.pool.ntp.org
 5 Jun 10:07:39 ntpdate[1563]: step time server 218.189.210.3 offset 157.466990 sec
[root@R-Server ~]# hwclock -w

三、安装前系统初始化

R-Server和L-Server执行同样的操作

开启路由转发

[root@R-Server ~]# egrep "ip_forward|rp_filter" /etc/sysctl.conf 
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0    #确保这里的值是正确的

禁用icmp重定向

[root@R-Server ~]# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >>/etc/sysctl.conf 
[root@R-Server ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0

四、安装openswan

R-Server:

[root@R-Server ~]# yum install openswan lsof -y
 
#执行下面的命令,确认安装正确
[root@R-Server ~]# ipsec --version
Linux Openswan U2.6.32/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.
 
#启动ipsec
[root@R-Server ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
 
#检查状态
[root@R-Server ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.x86_64 (netkey)
Checking for IPsec support in kernel                           [OK]
 SAref kernel support                                         [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects             [OK]
NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
Checking that pluto is running                                [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                         [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing                                 [OK]
Checking for 'ip' command                                     [OK]
Checking /bin/sh is not /bin/dash                            [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                              [DISABLED]

L-Server:

[root@L-Server ~]# yum install openswan lsof -y
[root@L-Server ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
[root@L-Server ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.x86_64 (netkey)
Checking for IPsec support in kernel                           [OK]
 SAref kernel support                                         [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects             [OK]
NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
Checking that pluto is running                                [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                         [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing                                 [OK]
Checking for 'ip' command                                     [OK]
Checking /bin/sh is not /bin/dash                            [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                              [DISABLED]

五、认证和配置

5.1 RSA Signature(RSA数字签名)认证的配制

 

Openswan支持许多不同的认证方式,包括RSA keys、pre-shared keys或x.509证书方式。RSA Signature比较简单,我先介绍下所要使用的命令

生成一个新的RSA密钥对
ipsec newhostkey  –output /etc/ipsec.secert
按left或right格式生成RSA Sig
ipsec showhostkey –left(或–right)

知道了上面的命令,我们就可以配置一个net-to-net,就是网关对网关的通讯。所在的Linux主机为通讯的网关,作为其子网的出口,对于子网的用户来所是透明的,远程的子网在通讯后可以像自己的局域网一样的访问。

L-Sserver:

#缩短rsa的生成时间
[root@L-Server ~]# rm -rf /dev/random
[root@L-Server ~]# ln -s /dev/urandom /dev/random
 
#生成key
[root@L-Server ~]# ipsec newhostkey --output /etc/ipsec.d/ipsec.secrets
Generated RSA key pair using the NSS database
[root@L-Server ~]# ipsec showhostkey --left
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
    # rsakey AQPAmogsx
    leftrsasigkey=0sAQPAmogsxNVCtDDP8MyhufHBLFT4ki9bprm0G7QCUEOQgehhyqVIlRgq6gqytUbaGW/thiNc4NIiG/Kyk6deha6Xv7H2CvGkIU7W+fcbe/ysgT382laVgYGJGAbXSsDTHBOrfPEeHJGxvzBIitCJV8pQQbekwXHE1Ci1YQXWcpwkSvdqYAJdxxS6bbviQxHwI04Om9bKBOMFz3cvHN38yPtZUfo99FkYhKhxzBUBfUsPT0R87/5jnZz6cGWmZrHA7Z4B9I8qOXuq67jNFTK+M2Y4O9sFm6zQqvsIYI0fnC2ItvxmskDyqrm4Y6J1LyHhYAqtob139Nugd6/jnuOmpcW6sK1iXvU/Qh7McKMy4dnXc67wTqHzcjrbBfU7BO25qvZJijVCRQiUJo9puVPligXZpGnnvPZx0tFV7Wep9SSZtqfkjeHt/jimdxnYMCl3oJ8F7Z1srQcRGqdn4736pOAm8/OYN7KTAK0/hqY502v6Qt85HXlVfTshbsKrEjDQYLJXHURVOq1LNrZDdQ/BvG76eyFc54fB2l5Tntgyn0tIGIsasaBQGZWSce6ycymaxORpaWy6d739Gq2ylFXyiMEmxXc56kIo0gz0hwgQQ88=   

L-Sserver:

编辑/etc/ipsec.conf文件

[root@L-Server ~]# egrep -v "^$|^#|^[[:space:]]+#" /etc/ipsec.conf 
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
conn net-to-net
    left=192.168.3.71
    leftsubnet=172.16.10.0/24
    leftrsasigkey=0sAQPAmogsxNVCtDDP8MyhufHBLFT4ki9bprm0G7QCUEOQgehhyqVIlRgq6gqytUbaGW/thiNc4NIiG/Kyk6deha6Xv7H2CvGkIU7W+fcbe/ysgT382laVgYGJGAbXSsDTHBOrfPEeHJGxvzBIitCJV8pQQbekwXHE1Ci1YQXWcpwkSvdqYAJdxxS6bbviQxHwI04Om9bKBOMFz3cvHN38yPtZUfo99FkYhKhxzBUBfUsPT0R87/5jnZz6cGWmZrHA7Z4B9I8qOXuq67jNFTK+M2Y4O9sFm6zQqvsIYI0fnC2ItvxmskDyqrm4Y6J1LyHhYAqtob139Nugd6/jnuOmpcW6sK1iXvU/Qh7McKMy4dnXc67wTqHzcjrbBfU7BO25qvZJijVCRQiUJo9puVPligXZpGnnvPZx0tFV7Wep9SSZtqfkjeHt/jimdxnYMCl3oJ8F7Z1srQcRGqdn4736pOAm8/OYN7KTAK0/hqY502v6Qt85HXlVfTshbsKrEjDQYLJXHURVOq1LNrZDdQ/BvG76eyFc54fB2l5Tntgyn0tIGIsasaBQGZWSce6ycymaxORpaWy6d739Gq2ylFXyiMEmxXc56kIo0gz0hwgQQ88=
    leftnexthop=%defaultroute
    right=192.168.3.72
    rightsubnet=10.1.1.0/24
    rightrsasigkey=0sAQPMOO3f17FCNCRu+kPilQGitId8+4HEvWm+GovVuFeemer+OxPcA3Nf67i16fS0BGIIfNafJ6vgjS1wu2cOPDbOYv6dG/gptfFm42ByQI/qQKNMhiMNK4STal94hfswM1dm309yBVTbUm/g/ychSboBIFIW6kShhF8y8wGBWPvu/FlR8nGLNvdSIdPd0tGGnCEZAXHBc75v0eZ3x4zxv5tefAVDlPScQ1+dYwAJbgzHAXNjVCMUtn1qyHHAvmQsMTNFx6CQBSBWmCmCHPvXFBy3raR4XL7voNiOn1FyyINEsiDE+fY1ogkRj4NmW7ZQHxfCS6b9S3SbS9sAwz19awnK7LbFwkFpwR9muuBSkCTq+ZaX5bM0BRPeUXje9IfD+4bCzT8KO4gli1eDX42HW9EK4/1/tFQrHngiPgpz9tYMVuk1sNQpEd2mWgPtglh6/2pOusrIBqfj2vPXQ+LMeCvrbWyKN7UgSyj0Fz8/IdBzXlId2iOQCKKXOuLA8tDbE0tNTBE+kvRpjQP/dFWUZCKg0rbiFvfbBHPnHyXf7KnpktQqVlHBYyfp2bWdinSVFUeiv5LejzpOfCtQscLQOJpNWxJkjoR3GiICrmACnl0=
    rightnexthop=%defaultroute
    auto=add

R-Sserver:

#缩短rsa的生成时间
[root@R-Server ~]# rm -rf /dev/random
[root@R-Server ~]# ln -s /dev/urandom /dev/random
 
#生成key
[root@R-Server ~]# ipsec newhostkey --output /etc/ipsec.d/ipsec.secrets
Generated RSA key pair using the NSS database
[root@R-Server ~]# ipsec showhostkey --left
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
    # rsakey AQPMOO3f1
    leftrsasigkey=0sAQPMOO3f17FCNCRu+kPilQGitId8+4HEvWm+GovVuFeemer+OxPcA3Nf67i16fS0BGIIfNafJ6vgjS1wu2cOPDbOYv6dG/gptfFm42ByIFIW6kShhF8y8wGBWPvu/FlR8nGLNvdSIdPd0tGGnCEZAXHBc75v0eZ3x4zxv5tefAVDlPScQ1+dYwAJbgzHAXNjVCMUtn1qyHHAvmQsMTNFx6CQBSBWmCmCHPvXFBy3S3SbS9sAwz19awnK7LbFwkFpwR9muuBSkCTq+ZaX5bM0BRPeUXje9IfD+4bCzT8KO4gli1eDX42HW9EK4/1/tFQrHngiPgpz9tYMVuk1sNQpEd2mWgPtglh6/2pOusrIOuLA8tDbE0tNTBE+kvRpjQP/dFWUZCKg0rbiFvfbBHPnHyXf7KnpktQqVlHBYyfp2bWdinSVFUeiv5LejzpOfCtQscLQOJpNWxJkjoR3GiICrmACnl0=
    
#重启ipsec服务
[root@L-Server ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...

R-Sserver:

编辑/etc/ipsec.conf

[root@R-Server ~]# egrep -v "^[[:space:]]+#|^$|^#" /etc/ipsec.conf 
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
conn net-to-net
    left=192.168.3.72
    leftsubnet=10.1.1.0/24
    leftrsasigkey=0sAQPMOO3f17FCNCRu+kPilQGitId8+4HEvWm+GovVuFeemer+OxPcA3Nf67i16fS0BGIIfNafJ6vgjS1wu2cOPDbOYv6dG/gptfFm42ByQI/qQKNMIFIW6kShhF8y8wGBWPvu/FlR8nGLNvdSIdPd0tGGnCEZAXHBc75v0eZ3x4zxv5tefAVDlPScQ1+dYwAJbgzHAXNjVCMUtn1qyHHAvmQsMTNFx6CQBSBWmCmCHPvXFBy3S3SbS9sAwz19awnK7LbFwkFpwR9muuBSkCTq+ZaX5bM0BRPeUXje9IfD+4bCzT8KO4gli1eDX42HW9EK4/1/tFQrHngiPgpz9tYMVuk1sNQpEd2mWgPtglh6/2pOusrIOuLA8tDbE0tNTBE+kvRpjQP/dFWUZCKg0rbiFvfbBHPnHyXf7KnpktQqVlHBYyfp2bWdinSVFUeiv5LejzpOfCtQscLQOJpNWxJkjoR3GiICrmACnl0=
    leftnexthop=%defaultroute
    right=192.168.1.71
    rightsubnet=172.16.10.0/24
    rightrsasigkey=0sAQPAmogsxNVCtDDP8MyhufHBLFT4ki9bprm0G7QCUEOQgehhyqVIlRgq6gqytUbaGW/thiNc4NIiG/Kyk6deha6Xv7H2CvGkIU7W+fcbe/ysgT382laVgYGJGAbXSsDTHBOrfPEeHJGxvzBIitCJV8pQQbekwXHE1Ci1YQXWcpwkSvdqYAJdxxS6bbviQxHwI04Om9bKBOMFz3cvHN38yPtZUfo99FkYhKhxzBUBfUsPT0R87/5jnZz6cGWmZrHA7Z4B9I8qOXuq67jNFTK+M2Y4O9sFm6zQqvsIYI0fnC2ItvxmskDyqrm4Y6J1LyHhYAqtob139Nugd6/jnuOmpcW6sK1iXvU/Qh7McKMy4dnXc67wTqHzcjrbBfU7BO25qvZJijVCRQiUJo9puVPligXZpGnnvPZx0tFV7Wep9SSZtqfkjeHt/jimdxnYMCl3oJ8F7Z1srQcRGqdn4736pOAm8/OYN7KTAK0/hqY502v6Qt85HXlVfTshbsKrEjDQYLJXHURVOq1LNrZDdQ/BvG76eyFc54fB2l5Tntgyn0tIGIsasaBQGZWSce6ycymaxORpaWy6d739Gq2ylFXyiMEmxXc56kIo0gz0hwgQQ88=
    rightnexthop=%defaultroute
    auto=add
    
#重启ipsec服务
[root@R-Server ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64... 

注意leftrightip值,对于ipsec而言,永远认为自己的内网是left端,对端为right端。

本文出自 “ly36843运维” 博客,请务必保留此出处http://ly36843.blog.51cto.com/3120113/1658387

 

(责任编辑:IT)
    最近关注
    热点内容