The original text can be found at http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/x2428.html. I have only translated the part about pluto here. The article may be a little dated, but it is still very useful as a reference. For example, older Linux kernel versions usually came with openswan installed; because of licensing or some other issue, it has since been replaced by libreswan.
The IKE daemon "pluto" is part of the *S/WAN project. *S/WAN started out as FreeS/WAN. Unfortunately, development of the FreeS/WAN project stopped in 2004. Because progress had been slow, two new forks were started: strongSwan and Openswan. Today Openswan is at least available as an installable package on Linux systems (e.g. Fedora Core 3).
The biggest difference from "racoon" is that pluto needs only one configuration file. In addition, an initscript takes care of automatic setup at boot time.
20.3.2.1. Configuring the IKE daemon "pluto"
The configuration file is very similar to the IPv4 one; only one important option is required.
File: /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn ipv6-p1-p2
        connaddrfamily=ipv6     # Important for IPv6!
        left=2001:db8:1:1::1
        right=2001:db8:2:2::2
        authby=secret
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        type=transport
        #type=tunnel
        compress=no
        #compress=yes
        auto=add
        #auto=start
Don't forget to define the pre-shared key:
File: /etc/ipsec.secrets
2001:db8:1:1::1 2001:db8:2:2::2 : PSK "verysecret"
20.3.2.2. Running the IKE daemon "pluto"
If Openswan was installed successfully, an initscript can be used to start IPsec. It is very simple (run it on both sides):
# /etc/rc.d/init.d/ipsec start
Then bring the connection up on one side. If you see the line "IPsec SA established", everything is working.
# ipsec auto --up ipv6-p1-p2
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established
112 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa98b7710 <0xa51e1f22}
Because *S/WAN and setkey/racoon use the same IPsec implementation in the Linux 2.6 kernel, the "setkey" command can be used to display the currently active parameters:
# setkey -D
2001:db8:1:1::1 2001:db8:2:2::2
        esp mode=transport spi=2844489488(0xa98b7710) reqid=16385(0x00004001)
        E: aes-cbc  082ee274 2744bae5 7451da37 1162b483
        A: hmac-sha1  b7803753 757417da 477b1c1a 64070455 ab79082c
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Jan  1 21:16:32 2005   current: Jan  1 21:22:20 2005
        diff: 348(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=23825 refcnt=0
2001:db8:2:2::2 2001:db8:1:1::1
        esp mode=transport spi=2770214690(0xa51e1f22) reqid=16385(0x00004001)
        E: aes-cbc  6f59cc30 8d856056 65e07b76 552cac18
        A: hmac-sha1  c7c7d82b abfca8b1 5440021f e0c3b335 975b508b
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Jan  1 21:16:31 2005   current: Jan  1 21:22:20 2005
        diff: 349(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=23825 refcnt=0
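As an added check that is not part of the HOWTO or of Openswan, the following shell script parses "setkey -D" output and confirms that both directions between the two peers have a mature ESP transport-mode SA using aes-cbc and hmac-sha1, which is what esp=aes128-sha1 in ipsec.conf should negotiate. The sample output embedded in the script is constructed (key material made up) and abbreviated to the fields the check needs.

```shell
#!/bin/sh
# Added example: verify the SA pair that "setkey -D" reports after
# "ipsec auto --up". Not part of the HOWTO or of Openswan.

# Constructed sample of "setkey -D" output (keys are made up).
SAMPLE_SETKEY_OUTPUT='2001:db8:1:1::1 2001:db8:2:2::2
        esp mode=transport spi=2844489488(0xa98b7710) reqid=16385(0x00004001)
        E: aes-cbc  082ee274 2744bae5 7451da37 1162b483
        A: hmac-sha1  b7803753 757417da 477b1c1a 64070455 ab79082c
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        sadb_seq=1 pid=23825 refcnt=0
2001:db8:2:2::2 2001:db8:1:1::1
        esp mode=transport spi=2770214690(0xa51e1f22) reqid=16385(0x00004001)
        E: aes-cbc  6f59cc30 8d856056 65e07b76 552cac18
        A: hmac-sha1  c7c7d82b abfca8b1 5440021f e0c3b335 975b508b
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        sadb_seq=0 pid=23825 refcnt=0'

# check_sa_direction SRC DST  (reads setkey -D output on stdin)
# Succeeds only if an SA SRC -> DST exists that is ESP, transport mode,
# aes-cbc + hmac-sha1 and state=mature; fails otherwise.
check_sa_direction() {
    awk -v src="$1" -v dst="$2" '
        # An unindented line with two addresses starts a new SA entry.
        /^[^ \t]/ { cur = ($1 == src && $2 == dst); next }
        cur && /^[ \t]+esp mode=transport/ { esp = 1 }
        cur && /^[ \t]+E: aes-cbc/          { enc = 1 }
        cur && /^[ \t]+A: hmac-sha1/        { auth = 1 }
        cur && /state=mature/               { mature = 1 }
        END { exit !(esp && enc && auth && mature) }
    '
}

# check_sa_pair LEFT RIGHT  (reads setkey -D output on stdin)
# Both directions must be healthy: a one-way SA means packets in the
# other direction are dropped, although "up" may have looked fine.
check_sa_pair() {
    out=$(cat)
    printf '%s\n' "$out" | check_sa_direction "$1" "$2" &&
    printf '%s\n' "$out" | check_sa_direction "$2" "$1"
}

# Live use on a peer:  setkey -D | check_sa_pair 2001:db8:1:1::1 2001:db8:2:2::2
```

The check treats any missing direction, a non-mature state, or a different cipher/MAC as a failure (non-zero exit), so it can be dropped into a post-start health check.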