Linux point-to-point VPN IPsec configuration
Juniper NetScreen interop
Juniper endpoint:
set ike gateway "GW-01" address <Your SM IP Here> Main outgoing-zone "V1-Untrust" preshare "Your PSK Here" proposal "pre-g2-3des-md5"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN-01" gateway "GW-01" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 58 from "V1-Trust" to "V1-Untrust" "10.10.0.0/24" "172.16.0.0/16-VPN-01" "ANY" tunnel vpn "VPN-01" id 0x23 pair-policy 57 log
set policy id 58
set log session-init
exit
set policy id 57 from "V1-Untrust" to "V1-Trust" "172.16.0.0/16-VPN-01" "10.10.0.0/24" "ANY" tunnel vpn "VPN-01" id 0x23 pair-policy 58 log
set policy id 57
set log session-init
exit
Openswan endpoint:
/etc/ipsec.conf:
conn NetScreen
        ike=3des-md5
        esp=3des-md5
        authby=secret
        keyingtries=0
        left=<Juniper IP Here>
        leftsubnet=<Remote Subnet Here>
        leftnexthop=%defaultroute
        right=<SW IP Here>
        rightsubnet=<Local Subnet Here>
        rightnexthop=%defaultroute
        compress=no
        auto=start
/etc/ipsec.secrets:
: PSK "Your PSK Here"
In this setup the peer is a Cisco VPN device configured for IPsec, and the local end is a Linux host.
Local host (Alibaba Cloud VPC VPS) configured with ip=y.y.y.y
Peer ip=x.x.x.x
Local subnet = 172.16.1.0/24
Peer subnet = 10.10.10.96/29
Encryption algorithms: 3des-sha
Authentication: PSK
Installation:
yum -y install openswan
The configuration is as follows:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:172.16.10.0/24,%v4:10.10.10.98/29
        oe=off
        plutestderrlog=/var/log/pluto.log

conn vpc-dx-boc
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=y.y.y.y
        leftnexthop=%defaultroute
        # leftsubnet/rightsubnet become the phase-2 proxy-IDs and must mirror
        # the peer's policy exactly (the text above lists the local subnet as
        # 172.16.1.0/24; make sure the value here matches the real local subnet)
        leftsubnet=172.16.10.0/24
        right=x.x.x.x
        # 10.10.10.98/29 has host bits set; the network listed above is 10.10.10.96/29
        rightsubnet=10.10.10.98/29
        keyexchange=ike
        ike=3des-sha;modp1024
        ikelifetime=28800s
        phase2=esp
        phase2alg=3des-sha
        aggrmode=no
        keyingtries=3
        rekey=no
        salifetime=28800s
        pfs=no
        auto=start
Contents of /etc/ipsec.secrets:
y.y.y.y x.x.x.x: PSK "LD35n/V4"
Start the service:
/etc/init.d/ipsec start
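Both interop setups above (NetScreen and Cisco) share the same failure points: the phase-2 proxy-IDs (leftsubnet/rightsubnet on the Openswan side, the policy source/destination on the NetScreen side) must mirror each other exactly, a subnet written with host bits set (10.10.10.98/29, whose network address is 10.10.10.96/29) is easy to get wrong, and 3DES, MD5 and 1024-bit DH are legacy choices that current guidance deprecates. The following Python script is an added example, not code from this post or from Openswan: it parses a constructed conn block modelled on the one above (placeholder addresses from the RFC 5737 documentation ranges), reports those problems, and checks a NetScreen-style policy's source/destination pair against the Openswan proxy-IDs. The function names and the WEAK_TOKENS list are my own choices, not Openswan settings.

```python
"""Sanity checks for an Openswan site-to-site IPsec conn definition.

Added example, not part of the original post. The ipsec.conf fragment and
the peer policy used below are constructed to mirror the post's config.
"""
import ipaddress
import re

# Constructed sample: the post's conn block with documentation addresses.
# The 10.10.10.98/29 peer subnet is kept as written so the host-bit check fires.
SAMPLE_CONN = """\
conn vpc-dx-boc
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=192.0.2.10
        leftsubnet=172.16.10.0/24
        right=198.51.100.20
        rightsubnet=10.10.10.98/29
        ike=3des-sha;modp1024
        phase2alg=3des-sha
        aggrmode=no
        pfs=no
        auto=start
"""

# Algorithm tokens that should not be used for new tunnels (my own list).
WEAK_TOKENS = {"3des", "md5", "modp1024", "modp768"}


def parse_conn(text):
    """Return {"name", "params"} for the first 'conn' section in an ipsec.conf fragment."""
    name, params = None, {}
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and indentation
        if not stripped:
            continue
        m = re.match(r"conn\s+(\S+)$", stripped)
        if m:
            if name is not None:
                break                               # a second conn section: stop
            name = m.group(1)
            continue
        if name is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            params[key.strip()] = value.strip()
    return {"name": name, "params": params}


def normalise_subnet(value):
    """Return (network, had_host_bits): strict parse first, then masked to the network."""
    try:
        return ipaddress.ip_network(value, strict=True), False
    except ValueError:
        return ipaddress.ip_network(value, strict=False), True


def lint_conn(conn):
    """Return a list of human-readable findings for one parsed conn section."""
    p = conn["params"]
    findings = []
    for side in ("leftsubnet", "rightsubnet"):
        if side in p:
            net, host_bits = normalise_subnet(p[side])
            if host_bits:
                findings.append(f"{side}={p[side]} has host bits set; network is {net}")
    for key in ("ike", "phase2alg", "esp"):
        for token in re.split(r"[-;,]", p.get(key, "").lower()):
            if token in WEAK_TOKENS:
                findings.append(f"{key} uses weak algorithm {token}")
    if p.get("aggrmode", "no") == "yes":
        findings.append("aggrmode=yes: IKEv1 aggressive mode sends the PSK-derived hash in the clear")
    if p.get("pfs", "yes") == "no":
        findings.append("pfs=no: phase-2 keys are not independent of the IKE SA")
    return findings


def proxy_ids_match(conn, peer_src, peer_dst):
    """True when the peer's policy (src -> dst, as seen from the peer) mirrors our proxy-IDs."""
    p = conn["params"]
    ours_local, _ = normalise_subnet(p["leftsubnet"])
    ours_remote, _ = normalise_subnet(p["rightsubnet"])
    return (ipaddress.ip_network(peer_src, strict=False) == ours_remote
            and ipaddress.ip_network(peer_dst, strict=False) == ours_local)


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONN)
    for finding in lint_conn(conn):
        print("finding:", finding)
    # Constructed peer policy, in the shape of 'set policy ... from Trust to Untrust "src" "dst"'
    print("proxy-IDs match:", proxy_ids_match(conn, "10.10.10.96/29", "172.16.10.0/24"))
```

Run it against a real conn block by replacing SAMPLE_CONN with the file contents; the proxy-ID check is the one to run first whenever phase 1 completes but phase 2 fails with a "no connection is known" or proxy-ID mismatch message on the peer.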
Reference: http://www.ibm.com/developerworks/cn/linux/l-ipsec/ (untested; not sure whether it works)
#################################
迷途小运维随笔
Author: john
Please credit the source when reposting.