Compiled and translated by 施永新; original source: http://www.freebsddiary.org/ipsec-tunnel.php
Both FreeBSD machines are configured as the firewall for their respective subnet, and IPsec support is added to the kernel configuration. The relevant kernel configuration options are:

```
# IP security (crypto; define w/ IPSEC)
options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG
# Generic tunnel interface
pseudo-device   gif     4
# Berkeley packet filter used by dhcp server.
pseudo-device   bpf     4
# Firewall flags
options         IPFIREWALL
options         IPDIVERT
options         IPFILTER
options         IPFILTER_LOG
```

Rebuild the kernel.

To enable the firewall functions, add the following options to /etc/rc.conf:

```
gateway_enable="YES"
defaultrouter="172.x.1.110"   # supplied by the ISP
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="rl0"          # depends on the machine's network card
named_enable="YES"
```

For automatic IPsec key exchange between the two FreeBSD machines, the port /usr/ports/security/racoon must be installed. Its configuration file is /usr/local/etc/racoon/racoon.conf and its pre-shared key file is /usr/local/etc/racoon/psk.txt; /usr/local/sbin/racoon must be started at system boot. The configuration file does not need to be changed; only the key file does, as follows:

```
# /usr/local/etc/racoon/psk.txt
# IPv4/v6 addresses
#
192.168.1.1 foobar
192.168.2.1 foobar
```

The key file must be stored with permissions 0600, otherwise racoon will not run:

```
# chown root:wheel /usr/local/etc/racoon/psk.txt
# chmod 0600 /usr/local/etc/racoon/psk.txt
```

To establish the IPsec tunnel at boot and add the routes for the two internal networks, use the following shell script, stored as /usr/local/etc/rc.d/tunnel.sh:

```sh
#!/bin/sh
#
# Each gateway: inner (gif) address, public address, protected subnet.
BSD1_IP="192.168.1.1"
BSD1_PUB_IP="172.16.1.254"
BSD1_NET="192.168.1.0/24"
BSD2_IP="192.168.2.1"
BSD2_PUB_IP="172.17.1.254"
BSD2_NET="192.168.2.0/24"
GIF0="gif0 inet"
GIFCONFIG="/usr/sbin/gifconfig"
IFCONFIG="/sbin/ifconfig"
HOSTNAME=`/bin/hostname`
NETMASK="255.255.255.0"

printf "\nStarting ipsec tunnel...\n"

# The same script runs on both gateways; the hostname selects which side this is.
case $HOSTNAME in
bsd1.test.com)
    # Outer tunnel endpoints, then the inner point-to-point addresses on gif0
    $GIFCONFIG $GIF0 $BSD1_PUB_IP $BSD2_PUB_IP
    $IFCONFIG $GIF0 $BSD1_IP $BSD2_IP netmask $NETMASK
    # Flush the old policies (SPD) and SAs (SAD), then install the new policies
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c << EOF
spdadd $BSD1_NET $BSD2_NET any -P out ipsec esp/tunnel/${BSD1_PUB_IP}-${BSD2_PUB_IP}/require;
spdadd $BSD2_NET $BSD1_NET any -P in ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD1_PUB_IP}/require;
EOF
    # Route the remote subnet through the tunnel
    /sbin/route add $BSD2_NET $BSD1_IP
    ;;
bsd2.test.com)
    $GIFCONFIG $GIF0 $BSD2_PUB_IP $BSD1_PUB_IP
    $IFCONFIG $GIF0 $BSD2_IP $BSD1_IP netmask $NETMASK
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c << EOF
spdadd $BSD2_NET $BSD1_NET any -P out ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD1_PUB_IP}/require;
spdadd $BSD1_NET $BSD2_NET any -P in ipsec esp/tunnel/${BSD1_PUB_IP}-${BSD2_PUB_IP}/require;
EOF
    /sbin/route add $BSD1_NET $BSD2_IP
    ;;
esac
```

That completes the basic configuration. At system startup the keys are exchanged automatically and the tunnel is established.
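As an added example (not part of the original page or of the freebsddiary article), a small Python checker for the spdadd lines that the tunnel script feeds to setkey. It parses the policy grammar used above and verifies, from one host's point of view, that both directions are present, the tunnel endpoints match that host's public address, and the level is `require`, so a case branch copied without swapping the addresses, or weakened to `use`, is caught before it reaches the kernel. The sample policy text is constructed from the page's addresses.

```python
import re

# Grammar of the policy lines the tunnel script feeds to "setkey -c":
#   spdadd <src> <dst> <upperspec> -P <in|out> ipsec <proto>/tunnel/<tsrc>-<tdst>/<level>;
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/tunnel/(\S+?)-(\S+?)/(default|use|require|unique)\s*;")
FIELDS = ("src", "dst", "upper", "dir", "proto", "tsrc", "tdst", "level")

def parse_policies(text):
    """Return one dict per spdadd line found in a setkey policy script."""
    return [dict(zip(FIELDS, m.groups())) for m in SPDADD.finditer(text)]

def check_policies(text, local_net, local_pub, peer_net, peer_pub):
    """Check a host's policy script against its own addresses; return a list
    of problems (empty means both directions are present, correctly mirrored,
    and use level 'require')."""
    problems = []
    expected = {  # what each direction must look like from this host's view
        "out": {"src": local_net, "dst": peer_net, "tsrc": local_pub, "tdst": peer_pub},
        "in":  {"src": peer_net, "dst": local_net, "tsrc": peer_pub, "tdst": local_pub},
    }
    policies = parse_policies(text)
    for direction, want in expected.items():
        found = [p for p in policies if p["dir"] == direction]
        if not found:
            problems.append(f"no '{direction}' policy: that direction is not protected")
            continue
        for p in found:
            for key, value in want.items():
                if p[key] != value:
                    problems.append(f"{direction} policy: {key}={p[key]}, expected {value}")
            if p["level"] != "require":
                # 'use' and 'default' let packets leave in cleartext when no SA exists
                problems.append(f"{direction} policy: level '{p['level']}' permits cleartext fallback")
    return problems

# Constructed sample: the heredoc bsd1 installs, with the page's addresses filled in.
BSD1_POLICY = """
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/172.16.1.254-172.17.1.254/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/172.17.1.254-172.16.1.254/require;
"""

if __name__ == "__main__":
    # Consistent on bsd1 ...
    print(check_policies(BSD1_POLICY, "192.168.1.0/24", "172.16.1.254", "192.168.2.0/24", "172.17.1.254"))
    # ... but the same text pasted unchanged into bsd2's branch is backwards.
    print(check_policies(BSD1_POLICY, "192.168.2.0/24", "172.17.1.254", "192.168.1.0/24", "172.16.1.254"))
```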
Connecting two LANs with a FreeBSD IPSec tunnel