Download: www.openswan.org/download
Source package: openswan-2.6.32.tar.gz
Environment: 64-bit CentOS 5.8
1. Extract and install Openswan
tar -xvf openswan-2.6.32.tar.gz
cd openswan-2.6.32
make programs
make install
ipsec --version
Linux Openswan 2.6.32 (netkey)
See `ipsec --copyright' for copyright information.
2. Modify the system configuration
echo "0" > /selinux/enforce    # puts SELinux into permissive mode for the running system only (or: service selinux stop)
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
vi /etc/sysctl.conf and change the following two entries
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
to
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
Run the following command to apply the settings
sysctl -p
3. Assign IP addresses to the gateways SA and SB and to the hosts CA and CB behind them
CA: 192.168.11.25
SA: eth0 192.168.11.215, eth1 192.168.13.215
CB: 192.168.15.191
SB: eth0 192.168.15.214, eth1 192.168.13.214
4. On SA and SB, add the following NAT rules so that traffic leaving each gateway is masqueraded, except for traffic destined for the peer LAN (which must keep its original source address so it matches the IPsec policy)
On SA, run:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.11.0/24 ! -d 192.168.15.0/24 -j MASQUERADE
On SB, run:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.15.0/24 ! -d 192.168.11.0/24 -j MASQUERADE
5. Configure /etc/ipsec.secrets
SA: vim /etc/ipsec.secrets
192.168.13.215 192.168.13.214 : PSK "123456"
SB: exactly the same as on SA
6. Configure /etc/ipsec.conf
SA: vim /etc/ipsec.conf
conn net-net
        auto=add        # or auto=start to bring the tunnel up when the ipsec service starts
        left=192.168.13.215
        compress=no
        pfs=no
        right=192.168.13.214
        authby=secret
        ikelifetime=3600
        keylife=28800
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        rekey=yes
        keyingtries=0
        leftsubnet=192.168.11.0/24
        rightsubnet=192.168.15.0/24
SB: exactly the same as on SA; pluto determines which side is local from the interface addresses, so left and right do not need to be swapped
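An added example (not part of the original guide) covering steps 5 and 6: a small POSIX shell script that renders the net-net conn block for either gateway from the topology above, and writes ipsec.secrets with a randomly generated 256-bit PSK (in place of "123456") as a root-only file. The function names gen_psk, render_conn, render_secret and write_secrets are this example's own.

```shell
# Added example, not from the original article: render the symmetric
# net-net conn for either gateway from the topology above, and write
# ipsec.secrets with a randomly generated PSK in place of "123456".
# All function names (gen_psk, render_conn, render_secret, write_secrets)
# are this example's own.
SA_PUB=192.168.13.215; SA_LAN=192.168.11.0/24
SB_PUB=192.168.13.214; SB_LAN=192.168.15.0/24

# 32 bytes from /dev/urandom as 64 hex characters (no quotes or spaces,
# so the value is safe inside the double-quoted PSK field).
gen_psk() { od -An -tx1 -N32 /dev/urandom | tr -d ' \n'; }

# render_conn SA|SB: the parameters inside a conn block must be indented
# (the article's listing drops that indentation); left/right swap per side.
render_conn() {
    case "$1" in
        SA) l=$SA_PUB; lsub=$SA_LAN; r=$SB_PUB; rsub=$SB_LAN ;;
        SB) l=$SB_PUB; lsub=$SB_LAN; r=$SA_PUB; rsub=$SA_LAN ;;
        *)  echo "usage: render_conn SA|SB" >&2; return 1 ;;
    esac
    cat <<EOF
conn net-net
        auto=add
        left=$l
        leftsubnet=$lsub
        right=$r
        rightsubnet=$rsub
        authby=secret
        compress=no
        pfs=no
        ikelifetime=3600
        keylife=28800
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        rekey=yes
        keyingtries=0
EOF
}

# render_secret PSK: identical line on both gateways, keyed by both peer IPs.
render_secret() { printf '%s %s : PSK "%s"\n' "$SA_PUB" "$SB_PUB" "$1"; }

# write_secrets FILE PSK: create the file readable by root only; pluto
# runs as root, and a world-readable PSK file defeats the authentication.
write_secrets() {
    ( umask 077 && render_secret "$2" > "$1" ) && chmod 600 "$1"
}
```

Run `render_conn SA > /etc/ipsec.conf` on SA (and `render_conn SB` on SB), then distribute the same PSK to both gateways with `write_secrets /etc/ipsec.secrets "$psk"`.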
7. Start the Openswan VPN
service ipsec restart    # check with: service ipsec status
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.18-308.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
On SA and SB, run the following commands to establish the VPN tunnel
ipsec auto --add net-net
ipsec auto --up net-net
8. Verify that IPsec is working
Send traffic between the two LANs at the network layer (for example with FeiQ, or simply ping) and capture on SA or SB with tcpdump; on the internal interface eth0 the packets appear in clear, while on eth1 between the gateways the same traffic should show up only as ESP packets
tcpdump -i eth0 host 192.168.11.11 and 192.168.15.15
Openswan installation and configuration guide (PSK)