Openswan deployment

 

 

I. Introduction to Openswan


Openswan was the standard IPsec implementation for Linux in this period: it provides confidentiality and integrity for traffic between two sites and authenticates the two gateways to each other (in this write-up with RSA keys).
Openswan supports the 2.0, 2.2, 2.4 and 2.6 kernel series and runs on several platforms, including x86, x86_64, IA64, MIPS and ARM.
Openswan is the open-source successor project to FreeS/WAN, continued after FreeS/WAN stopped development. It has three main components:
the configuration tool (the ipsec command script)
the key management daemon (pluto, which runs IKE)
the kernel component (KLIPS or 26sec)
26sec uses NETKEY, the IPsec stack built into 2.6 kernels, in place of Openswan's own KLIPS module. Kernels 2.4 and older have no NETKEY and can only use KLIPS. On kernels newer than 2.6.9, 26sec is recommended, because NAT traversal then works without applying the NAT-T kernel patch; NETKEY in kernels older than 2.6.9 has bugs, so KLIPS is recommended there.
For more details see the Openswan project home page:
http://www.openswan.org

II. System environment

 

Install one CentOS 5.7 64-bit virtual machine in VMware Workstation, then clone it to get four machines.

 

Server name      Role              Simulated public IP   Internal IP       Default gateway
1.tangck.com     Lan1-pc1          -                     192.168.0.1/24    -
2.tangck.com     Lan1-VPN server   10.8.15.182/16        192.168.0.2/24    10.8.0.1 (internet egress)
3.tangck.com     Lan2-VPN server   10.8.15.183/16        172.16.0.2/24     10.8.0.1 (internet egress)
4.tangck.com     Lan2-pc2          -                     172.16.0.1/24     -

The two PCs have no public address and no default gateway; step 9 gives each of them a static route to the remote site through its local VPN server.

Base environment (the four machines are identical apart from the hostname):

[root@2 ~]# hostname
2.tangck.com
[root@2 ~]# uname -a
Linux 2.tangck.com 2.6.18-274.el5 #1 SMP Fri Jul 22 04:43:29 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@2 ~]# cat /etc/redhat-release
CentOS release 5.7 (Final)

 

Configure the IP addresses of the four machines according to the table above.

1.tangck.com

NIC info
Network info
(The screenshots for this host are not reproduced; it has a single NIC, 192.168.0.1/24, on the lan1 virtual network.)

lan1-pc1 can only talk to the internal NIC of lan1-VPN server.

2.tangck.com

NIC info

[root@2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.8.15.182
NETMASK=255.255.0.0
GATEWAY=10.8.0.1

[root@2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.0.2
NETMASK=255.255.255.0

(The original ifcfg-eth1 had NETWORK=255.255.255.0 instead of NETMASK=255.255.255.0. It only worked because ifup falls back to the classful /24 mask for a 192.168.x.x address; use NETMASK= so the mask is explicit.)

Network info

[root@2 ~]# route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1

10.8.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth0

0.0.0.0         10.8.0.1        0.0.0.0         UG    0      0        0 eth0

[root@2 ~]# ping 10.8.15.183

PING 10.8.15.183 (10.8.15.183) 56(84) bytes of data.

64 bytes from 10.8.15.183: icmp_seq=1 ttl=64 time=4.99 ms

64 bytes from 10.8.15.183: icmp_seq=2 ttl=64 time=1.14 ms

 --- 10.8.15.183 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1000ms

rtt min/avg/max/mdev = 1.140/3.068/4.997/1.929 ms

[root@2 ~]# ping 192.168.0.1

PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.

64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=8.62 ms

64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.262 ms

 --- 192.168.0.1 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 999ms

rtt min/avg/max/mdev = 0.262/4.441/8.621/4.180 ms

[root@2 ~]# ping 172.16.0.1

PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.

 --- 172.16.0.1 ping statistics ---

4 packets transmitted, 0 received, 100% packet loss, time 2999ms

The two VPN servers can reach each other on their public IPs, but cannot reach the hosts on the other side's internal network.

3.tangck.com

NIC info

[root@3 ~]# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0C:29:30:D7:83 

          inet addr:10.8.15.183  Bcast:10.255.255.255  Mask:255.0.0.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:20143 errors:0 dropped:0 overruns:0 frame:0

          TX packets:120 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:2240909 (2.1 MiB)  TX bytes:14624 (14.2 KiB)

 

eth1      Link encap:Ethernet  HWaddr 00:0C:29:30:D7:8D 

          inet addr:172.16.0.2  Bcast:172.16.0.255  Mask:255.255.255.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:0 (0.0 b)  TX bytes:5302 (5.1 KiB)

 

lo        Link encap:Local Loopback 

          inet addr:127.0.0.1  Mask:255.0.0.0

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:8 errors:0 dropped:0 overruns:0 frame:0

          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

Network info

(Note that eth0 above reports Mask:255.0.0.0, a /8, while the table and 2.tangck.com use a /16 for the simulated public network. Set NETMASK=255.255.0.0 in this host's ifcfg-eth0 so both gateways agree; it does not break this lab only because both public addresses fall inside 10.0.0.0/8 either way.)

[root@3 ~]# ping 10.8.15.182

PING 10.8.15.182 (10.8.15.182) 56(84) bytes of data.

64 bytes from 10.8.15.182: icmp_seq=1 ttl=64 time=6.10 ms

64 bytes from 10.8.15.182: icmp_seq=2 ttl=64 time=0.260 ms

--- 10.8.15.182 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 999ms

rtt min/avg/max/mdev = 0.260/3.181/6.102/2.921 ms

[root@3 ~]# ping 192.168.0.1

PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.

--- 192.168.0.1 ping statistics ---

2 packets transmitted, 0 received, 100% packet loss, time 1000ms

[root@3 ~]# ping 172.16.0.1

PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.

64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=6.22 ms

64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=0.275 ms

--- 172.16.0.1 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1000ms

rtt min/avg/max/mdev = 0.275/3.252/6.229/2.977 ms

The two VPN servers can reach each other on their public IPs, but cannot reach the hosts on the other side's internal network.

4.tangck.com

NIC info
Network info
(The screenshots for this host are not reproduced; it has a single NIC, 172.16.0.1/24, on the lan2 virtual network.)

lan2-pc2 can only talk to the internal NIC of lan2-VPN server.

 

To summarise, since the information above is a lot to take in:

Lan1-pc1 can talk to the machines on the lan1 internal network and cannot ping the lan2 machines.
Lan2-pc2 can talk to the machines on the lan2 internal network and cannot ping the lan1 machines.
Lan1-VPN server can talk to Lan2-VPN server, and each of the two can talk to its own internal network, but neither can reach the hosts behind the other: lan1-VPN server can ping lan2-VPN server's public address but not its internal address.

Note: once the Openswan tunnel is up, the two internal networks can reach each other, but a VPN server itself still cannot ping the remote internal address. This is not a software bug. The conn in step 6 protects only traffic between leftsubnet and rightsubnet; a ping issued on the gateway leaves from its public address, which is in neither subnet, so the packet matches no IPsec policy and is sent in the clear. Source the ping from the internal interface instead (ping's -I option with 192.168.0.2), or set leftsourceip/rightsourceip in the conn so the gateway uses its internal address for tunnel traffic.

 

III. VMware Workstation configuration

(1) Network settings of the 1.tangck.com VM

A "virtual network" here is an isolated network segment that Workstation provides, with no connection to the host's real network.

How to add one?

Click Virtual Network, then Add, and give it a name.

Still unclear?

http://wangchunhai.blog.51cto.com/225186/667371

I will write a separate guide to VMware Workstation 8 later; the software version in the post above is older, I only want to explain what a VMware Workstation team is.

(2) Network settings of the 2.tangck.com VM

Network adapter 1 is in bridged mode and simulates the public network; network adapter 2 uses the virtual network and simulates the lan1 internal network. The team is an isolated network, so lan1-pc1 can only talk to lan1-VPN server's internal NIC.

(3) Network settings of the 3.tangck.com VM
(4) Network settings of the 4.tangck.com VM
(These mirror (2) and (1) with the lan2 virtual network; the screenshots are not reproduced.)

 

 

IV. Software deployment

Now that the environment is clear, configure the software.

(Steps 1 to 5 are done on both VPN servers.)

1. Check for and install the IPsec tools and build dependencies

rpm -q ipsec-tools gmp gmp-devel flex bison

Install anything reported as "not installed" with yum:

yum -y install ipsec-tools gmp gmp-devel flex bison

 

2. Configure kernel parameters

/bin/cp /etc/sysctl.conf /etc/sysctl.conf.$(date +%F)
# turn off ICMP redirects on every interface (NETKEY will not work with them on)
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
# the gateway must forward, and reverse-path filtering must be off or the
# decrypted packets are dropped; both are also checked by "ipsec verify"
sed -i "s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g" /etc/sysctl.conf
sed -i "s/net.ipv4.conf.default.rp_filter = 1/net.ipv4.conf.default.rp_filter = 0/g" /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.conf
sysctl -p    # apply the settings

The two sed commands only change lines that already exist with exactly that spacing, which is true of a stock CentOS 5 /etc/sysctl.conf but not of an edited one. Confirm with sysctl net.ipv4.ip_forward afterwards, and run ipsec verify once Openswan is installed (step 4) to see the per-interface values the daemon actually cares about.
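The sed commands above depend on each key already being present with exactly that spacing. The shell functions below are an added example written for this page, not part of the original post or of Openswan: they set each key idempotently (replace the line whatever its spacing, append it if missing), take the file path as a parameter so the change can be tried on a copy first, and accept the interface names as extra arguments. The interface names (eth0, eth1) and the assumption that CentOS 5's network init script re-applies /etc/sysctl.conf after the NICs come up are assumptions about the target host.

```shell
# Added example for this page (not from the original post or from Openswan):
# set the kernel parameters a NETKEY gateway needs in a sysctl.conf-style
# file, idempotently, so the script can be re-run and tested on a copy.

# set_sysctl_key FILE KEY VALUE: replace KEY's line in FILE or append it.
set_sysctl_key() {
    file=$1 key=$2 value=$3
    # escape the dots so they match literally in the grep/sed patterns
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*${pat}[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*${pat}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_key FILE KEY: print the value recorded for KEY (last one wins).
get_sysctl_key() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep "^[[:space:]]*${pat}[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# ipsec_sysctl_prepare FILE [IFACE...]: forwarding on; reverse-path filtering
# and ICMP redirects off. The kernel combines the "all", "default" and
# per-interface values differently for each of these flags, so all three
# scopes are written. Interface names are assumptions (eth0 eth1 in this lab);
# CentOS 5's network init script re-applies sysctl.conf after the NICs exist,
# so the per-interface keys take effect at boot as well.
ipsec_sysctl_prepare() {
    file=$1; shift
    set_sysctl_key "$file" net.ipv4.ip_forward 1
    for scope in all default "$@"; do
        set_sysctl_key "$file" "net.ipv4.conf.${scope}.rp_filter" 0
        set_sysctl_key "$file" "net.ipv4.conf.${scope}.accept_redirects" 0
        set_sysctl_key "$file" "net.ipv4.conf.${scope}.send_redirects" 0
    done
}

# Typical use on the gateway (as root), then confirm with "ipsec verify":
#   ipsec_sysctl_prepare /etc/sysctl.conf eth0 eth1 && sysctl -p
```

Running it twice leaves the file unchanged the second time, which is what makes it safe to put in a provisioning script; the page's sed lines would silently do nothing if a key had been commented out or respaced.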

 

3. Download Openswan and upload it to the server

[root@recordsh01 tools]# ls
openswan-2.6.32.tar.gz

Verify the tarball's integrity (checksum or GPG signature, whichever the project publishes) before building: the build and install below run as root.

tar zxf openswan-2.6.32.tar.gz && cd openswan-2.6.32 && make programs && make install

# after installation there is one new config file and one new directory
ls /etc/ipsec.*      (press Tab)
ipsec.conf     ipsec.d/

 

4. Verify the installation

Start ipsec:

[root@recordsh01 ~]# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.18-194.el5...

Check the ipsec status:

[root@recordsh01 ~]# /etc/init.d/ipsec status
IPsec running  - pluto pid: 22693
pluto pid 22693
No tunnels up

Check that NETKEY is in use:

[root@hollyuc03 tools]# ipsec --version
Linux Openswan U2.6.32/K2.6.18-194.el5 (netkey)
See `ipsec --copyright' for copyright information.

(The prompts and the K2.6.18-194 kernel build in this step were captured on other hosts; on the lab machines expect K2.6.18-274.el5, as shown by uname above. The "(netkey)" suffix is the thing to look for.)

 

5. Generate an RSA key pair

ipsec newhostkey --output /etc/ipsec.secrets

This writes the private key into /etc/ipsec.secrets; keep that file root-only (mode 600) and never copy it to the peer. The peer needs only the public half, which ipsec showhostkey prints. The --left / --right switch only chooses the label on the output line, so run --left on the host that will be "left" in the conn and --right on the other and the line can be pasted straight into the config. (Below, host 2 was printed with --right and host 3 with --left, and the labels were swapped by hand when the conn was written in step 6.)

Show the public key:

[root@2 openswan-2.6.32]# ipsec showhostkey --right
          # rsakey AQOI3jDZu
          rightrsasigkey=0sAQOI3jDZu0Twuti5BMT6q+G8ru1X5sv1D0EUl8MmSbmjjYII7Owe6//9OVPz2SuP2pLe/+oUtgbcqG/9LeR5K5SHB9S9p+XNp3/fS+MV1w3BEBXjP1Cm5dgmlbrVFPTd8UQcmwFkXr3GeQWxihQ42RJMEXvTmqc3m6anM2wYkEPe6mHik3QwLpR2xW/ZEGKekKxr6MN3pyNN/V/dQaPKv8iVXB6cKbwcKzgwHk5WkXhw7GEJAPmFgUbaGgqom9Eggf177VdFwC7wjPoyYqgaOvZqR4ZN+j5DG2jgtkLuHTs4xrtNqw7OmscXXfo3aDVDn9rOXa/JwfgbWAwNKq+/bSzg+tvI0ZJfKuXbEdlYlYKyFOMF

[root@3 ~]# ipsec showhostkey --left
          # rsakey AQOFLbvIw
          leftrsasigkey=0sAQOFLbvIwOzFlP3YqTNGUW7NCf1+1tjgRLcLjumJ3Fvoi/zLr1KBx7aDiomYVVFj6hcmwjsXeL9bFv8DQ8GcZVhmvNaD2ymSua+xHHsNPfNwe0DOGkfamoZud+5cHmGfYkWdrK4qGo6yjV0Ner3fq/0hnJVsYEfPww5QSf0BBYLcCJszgcVLGMlW1756lzrVDLxTwaWmTF1tVbnimhV/dGS+gcd0uNXuOqazCZS3yi4X7fIzaFiSfiPVAbfnE32HlimQhw6y7+iriTCSf3OCpNZUikBQnVXz3Da0gyu/ghbieYoLhpLK5EstBb3gSXaLu2P0J5AVoqXFmhhLFvsDmjyVBJfbNKPH2AA6btv1txPZu6qN

 

 

6. Edit the configuration file (on both machines)

vi /etc/ipsec.conf

1. Change protostack=auto to protostack=netkey
2. Add include /etc/ipsec.d/*.conf at the end of the file

Save and exit.

Create the connection file (write it on one machine, then copy it to the peer; the same file works on both sides because Openswan works out which end it is from the left/right addresses):

[root@2 ipsec.d]# touch /etc/ipsec.d/1to2.conf
[root@2 ipsec.d]# cat 1to2.conf
conn 1to2
        left=10.8.15.182
        leftid=@left2
        leftsubnet=192.168.0.0/24
        leftrsasigkey=0sAQOI3jDZu0Twuti5BMT6q+G8ru1X5sv1D0EUl8MmSbmjjYII7Owe6//9OVPz2SuP2pLe/+oUtgbcqG/9LeR5K5SHB9S9p+XNp3/fS+MV1w3BEBXjP1Cm5dgmlbrVFPTd8UQcmwFkXr3GeQWxihQ42RJMEXvTmqc3m6anM2wYkEPe6mHik3QwLpR2xW/ZEGKekKxr6MN3pyNN/V/dQaPKv8iVXB6cKbwcKzgwHk5WkXhw7GEJAPmFgUbaGgqom9Eggf177VdFwC7wjPoyYqgaOvZqR4ZN+j5DG2jgtkLuHTs4xrtNqw7OmscXXfo3aDVDn9rOXa/JwfgbWAwNKq+/bSzg+tvI0ZJfKuXbEdlYlYKyFOMF
        leftnexthop=%defaultroute
        right=10.8.15.183
        rightid=@right2
        rightsubnet=172.16.0.0/24
        rightrsasigkey=0sAQOFLbvIwOzFlP3YqTNGUW7NCf1+1tjgRLcLjumJ3Fvoi/zLr1KBx7aDiomYVVFj6hcmwjsXeL9bFv8DQ8GcZVhmvNaD2ymSua+xHHsNPfNwe0DOGkfamoZud+5cHmGfYkWdrK4qGo6yjV0Ner3fq/0hnJVsYEfPww5QSf0BBYLcCJszgcVLGMlW1756lzrVDLxTwaWmTF1tVbnimhV/dGS+gcd0uNXuOqazCZS3yi4X7fIzaFiSfiPVAbfnE32HlimQhw6y7+iriTCSf3OCpNZUikBQnVXz3Da0gyu/ghbieYoLhpLK5EstBb3gSXaLu2P0J5AVoqXFmhhLFvsDmjyVBJfbNKPH2AA6btv1txPZu6qN
        rightnexthop=%defaultroute
        authby=rsasig
        auto=start

The original post showed a screenshot here because the layout matters; get it wrong and pluto reports a syntax error. Follow the layout above exactly.

Notes:
1. The format must be exactly as above: the conn line starts in column 1 and every option line under it is indented, one key=value per line. (The original listing had leftsubnet and leftrsasigkey on one line and rightrsasigkey unindented; both are syntax errors.)
2. leftsubnet and rightsubnet are written as network addresses (192.168.0.0/24, not 192.168.0.1/24).
3. leftid and rightid must not collide with ids used in any other conn file (when linking several sites).
4. When editing with vi, make sure each rsasigkey value stays on a single line; vi wraps long lines on screen but must not insert a newline. The rightrsasigkey in the original listing was also missing its last four characters compared with the showhostkey output in step 5; a truncated key does not authenticate the peer.
5. authby=rsasig is the default and is written out so the authentication method is visible in the file.
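Since the syntax errors in this step come from layout, a small lint for /etc/ipsec.d/*.conf files pays for itself. The function below is an added example written for this page, not part of the original post or of Openswan, and it checks only the mistakes discussed in the notes above: every option line indented under its conn with exactly one key=value, subnets given as network addresses, rsasigkey values not wrapped or obviously chopped (the 40-character threshold is a heuristic, a real key is several hundred characters), and no id reused inside a conn. It is POSIX sh plus awk.

```shell
# Added example for this page (not from the original post or from Openswan):
# check_conn_file FILE prints one line per layout problem in an ipsec.conf
# fragment and returns non-zero if any were found.
check_conn_file() {
    awk '
    # true if s is "a.b.c.d/n" with all host bits zero, i.e. a network address
    function cidr_ok(s,    p, o, n, block) {
        if (split(s, p, "/") != 2 || split(p[1], o, ".") != 4) return 0
        if (p[2] < 0 || p[2] > 32) return 0
        n = o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
        block = 2 ^ (32 - p[2])          # number of addresses in the block
        return (n % block) == 0
    }
    function problem(msg) { bad++; print FILENAME ": line " NR ": " msg }

    BEGIN { bad = 0 }
    /^[ \t]*(#|$)/            { next }                 # comment or blank line
    /^(conn|config)[ \t]/     { split("", id); next }  # new section; ids are per conn
    /^include[ \t]/           { next }
    {
        line = $0
        if (line !~ /^[ \t]/) { problem("option line is not indented: " line); next }
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line !~ /^[A-Za-z0-9_-]+=[^ \t]+$/) {
            problem("expected exactly one key=value on the line: " line); next
        }
        eq = index(line, "=")
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        if (key ~ /^(left|right)subnet$/ && !cidr_ok(val))
            problem(key " is not a network address: " val)
        if (key ~ /^(left|right)rsasigkey$/ && (val !~ /^0s[A-Za-z0-9+\/=]+$/ || length(val) < 40))
            problem(key " is wrapped, chopped or not in 0s base64 form")
        if (key ~ /^(left|right)id$/) {
            if (val in id) problem(key " reuses the id " val " already given as " id[val])
            else id[val] = key
        }
    }
    END { exit (bad > 0) }' "$1"
}

# Typical use before restarting ipsec:
#   check_conn_file /etc/ipsec.d/1to2.conf && /etc/init.d/ipsec restart
```

The network-address check is the one that matters most for cross-vendor tunnels: Openswan itself normalises 192.168.0.1/24, but a peer that compares the traffic selectors literally will refuse the phase 2 proposal.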

 

7. Firewall changes

(1) On 2.tangck.com

[root@2 openswan-2.6.38]# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d ! 172.16.0.0/24 -j MASQUERADE

The ! excludes traffic for the remote site from masquerading. NAT is applied before the IPsec policy is matched, so without it packets for 172.16.0.0/24 would leave with the public source address, match no policy and never enter the tunnel. (-d ! is the spelling iptables 1.3.5 saves; newer iptables want ! -d 172.16.0.0/24.)

[root@2 openswan-2.6.38]# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT

-A RH-Firewall-1-INPUT -p 51 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

[root@2 openswan-2.6.38]# /etc/init.d/iptables save

Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

[root@2 openswan-2.6.38]# cat /etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Sat Dec 22 12:58:48 2012

*nat

:PREROUTING ACCEPT [10:936]

:POSTROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d ! 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE

COMMIT

# Completed on Sat Dec 22 12:58:48 2012

# Generated by iptables-save v1.3.5 on Sat Dec 22 12:58:48 2012

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [8624:802105]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

-A RH-Firewall-1-INPUT -p esp -j ACCEPT

-A RH-Firewall-1-INPUT -p ah -j ACCEPT

-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

# Completed on Sat Dec 22 12:58:48 2012

 

(2) On 3.tangck.com

[root@3 openswan-2.6.38]# iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -d ! 192.168.0.0/24 -j MASQUERADE
[root@3 openswan-2.6.38]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Adjust the two internal networks to your real environment.

Two things to check in the rule set saved above. First, only ESP and AH are accepted; there is no rule for IKE (UDP 500) or NAT-T (UDP 4500), so the tunnel only comes up when this host initiates and the ESTABLISHED,RELATED rule lets the replies in. If the peer initiates, its IKE packets hit the final REJECT. Second, FORWARD jumps to RH-Firewall-1-INPUT, whose last rule rejects anything not explicitly allowed, so between the two sites only ICMP (accepted by the icmp-type any rule), ssh (the port 22 rule also applies to forwarded packets) and replies pass; a new TCP connection from 172.16.0.1 to, say, port 80 on 192.168.0.1 is rejected by the gateway even though the tunnel is up. The pings in step 8 therefore succeed while most other traffic across the tunnel fails until FORWARD rules for the two subnets are added.
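Rule sets like the one saved in (1) are easier to review when they are generated from the few things that differ per gateway. The function below is an added example for this page, not the post's own commands and not from Openswan. It prints a complete iptables-restore rule set for one gateway from the public interface, the peer's public address and the two internal subnets, all of which are parameters. Compared with the listing above it adds the IKE and NAT-T ports, limits IKE and ESP to the known peer, and replaces the FORWARD jump into the INPUT chain with explicit rules for the tunnel. Those rules use the iptables policy match so that a plaintext packet arriving on the public interface with a forged internal source is not forwarded; that match needs kernel 2.6.16 or later with the xt_policy module, which is an assumption about the target host (drop the two -m policy clauses if the module is absent, and then rely on the peer-restricted INPUT rules only).

```shell
# Added example for this page (not the post's commands, not from Openswan):
# ipsec_gateway_rules WAN_IF PEER_IP LOCAL_NET REMOTE_NET prints an
# iptables-restore rule set for a NETKEY gateway. Print it, review it, load
# it with iptables-restore, then persist it with /etc/init.d/iptables save.
ipsec_gateway_rules() {
    wan_if=$1 peer=$2 local_net=$3 remote_net=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade internet-bound LAN traffic but never the tunnel traffic: NAT runs
# before the IPsec policy lookup, so a rewritten source would miss the policy.
-A POSTROUTING -s $local_net ! -d $remote_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# IKE (500) and NAT-Traversal (4500), plus ESP/AH, only from the known peer
-A INPUT -i $wan_if -s $peer -p udp --dport 500 -j ACCEPT
-A INPUT -i $wan_if -s $peer -p udp --dport 4500 -j ACCEPT
-A INPUT -i $wan_if -s $peer -p esp -j ACCEPT
-A INPUT -i $wan_if -s $peer -p ah -j ACCEPT
# Site-to-site traffic: inbound only if it was just decrypted from the tunnel,
# outbound only if it is about to be encrypted (xt_policy, kernel >= 2.6.16)
-A FORWARD -s $remote_net -d $local_net -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s $local_net -d $remote_net -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# LAN hosts reaching the internet through the masquerade, and return traffic
-A FORWARD -s $local_net ! -d $remote_net -o $wan_if -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# On 2.tangck.com:
#   ipsec_gateway_rules eth0 10.8.15.183 192.168.0.0/24 172.16.0.0/24 | iptables-restore
# On 3.tangck.com (parameters mirrored):
#   ipsec_gateway_rules eth0 10.8.15.182 172.16.0.0/24 192.168.0.0/24 | iptables-restore
```

Loading with iptables-restore replaces the whole table atomically, so the INPUT DROP policy and the port 22 rule arrive together and an ssh session on the public address survives the change. On iptables 1.3.5 the saved form of the negation reads -d ! rather than ! -d, as the listing in (1) shows; both spellings load there.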

 

8. Bring up the tunnel

[root@2 ~]# /etc/init.d/ipsec restart
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.18-194.el5...
[root@recordsh01 ~]# /etc/init.d/ipsec status
IPsec running  - pluto pid: 22693
pluto pid 22693
No tunnels up
[root@2 ~]# ipsec auto --up 1to2
104 "up" #1: STATE_MAIN_I1: initiate
003 "up" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
003 "up" #1: received Vendor ID payload [Dead Peer Detection]
003 "up" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "up" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "up" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "up" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "up" #1: received Vendor ID payload [CAN-IKEv2]
004 "up" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "up" #2: STATE_QUICK_I1: initiate
004 "up" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5b08ddb0 <0x8d592c04 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

#####
Two lines matter here. "ISAKMP SA established" (#1) is IKE phase 1: the peers have authenticated each other with RSA signatures (auth=OAKLEY_RSA_SIG) and agreed AES-128, SHA-1 and DH group modp2048 for the IKE channel. The tunnel itself exists only once "IPsec SA established tunnel mode" (#2) appears: that is the phase 2 ESP SA, with its outbound and inbound SPIs (0x5b08ddb0 and 0x8d592c04) and AES_128-HMAC_SHA1 protecting the data. If the output stops before phase 1 completes, check the firewall, the ids and the keys; if it stops after phase 1, the subnets or phase 2 proposals do not match the peer's.
(The conn name in this output is "up" and the prompt is recordsh01, so the listing was captured on another host with a conn of that name; on the lab machines it reads "1to2".)
#####

[root@2 ~]# /etc/init.d/ipsec status
IPsec running  - pluto pid: 22693
pluto pid 22693
2 tunnels up
some eroutes exist

 

9. Add routes on the lan1 and lan2 hosts to the remote network

Test:

For convenience, on the other hosts of the lan1 network run:

echo "any net 172.16.0.0 netmask 255.255.255.0 gw 192.168.0.2 " >> /etc/sysconfig/static-routes

After restarting the network service the route is added automatically. Do the same on the lan2 network (net 192.168.0.0 via gw 172.16.0.2); adjust the subnet and gateway to your real environment. Then ping 172.16.0.1 from lan1-pc1 to confirm end-to-end traffic through the tunnel.

 

10. Enable at boot

chkconfig ipsec on

 

 

V. Common errors

To be added later.