Openswan Deployment
I. Introduction to OpenSWan
OpenSWan is the best implementation of IPsec on Linux; it is powerful and goes as far as possible to guarantee the confidentiality and integrity of data in transit.
OpenSWan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on several platforms, including x86, x86_64, IA64, MIPS and ARM.
OpenSWan is an open-source project, the successor fork of FreeS/WAN after that project stopped development. It consists of three main components:
Configuration tool (the ipsec command script)
Key management tool (pluto)
Kernel component (KLIPS/26sec)
26sec uses the 2.6 kernel's built-in NETKEY module in place of the KLIPS module developed by OpenSWan; kernels 2.4 and earlier have no NETKEY support and can only use KLIPS. If you run a kernel newer than 2.6.9, 26sec is recommended: NAT works without having to patch the kernel for NAT-T. NETKEY in kernels older than 2.6.9 has bugs, so KLIPS is recommended there.
For more details see the OpenSWan project home page:
http://www.openswan.org
II. System environment
Install one CentOS 5.7 64-bit VM in VMware Workstation, then clone it into four machines:
| Hostname | Simulated role | Simulated public IP | Internal IP | Default gateway |
|---|---|---|---|---|
| 1.tangck.com | Lan1-pc1 | none | 192.168.0.1/24 | none |
| 2.tangck.com | Lan1-***server | 10.8.15.182/16 | 192.168.0.2/24 | 10.8.0.1 (Internet egress address) |
| 3.tangck.com | Lan2-***server | 10.8.15.183/16 | 172.16.0.2/24 | 10.8.0.1 (Internet egress address) |
| 4.tangck.com | Lan2-pc2 | none | 172.16.0.1/24 | none |
Base environment (the four machines are identical apart from the hostname):
[root@2 ~]# hostname
2.tangck.com
[root@2 ~]# uname -a
Linux 2.tangck.com 2.6.18-274.el5 #1 SMP Fri Jul 22 04:43:29 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@2 ~]# cat /etc/redhat-release
CentOS release 5.7 (Final)
Configure the IP addresses of the four machines according to the table above.
1.tangck.com
NIC information
Network information
lan1-pc1 can only communicate with the internal NIC of lan1-***server.
2.tangck.com
NIC information
[root@2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.8.15.182
NETMASK=255.255.0.0
GATEWAY=10.8.0.1
[root@2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.0.2
NETMASK=255.255.255.0
Network information
[root@2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
10.8.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.8.0.1 0.0.0.0 UG 0 0 0 eth0
[root@2 ~]# ping 10.8.15.183
PING 10.8.15.183 (10.8.15.183) 56(84) bytes of data.
64 bytes from 10.8.15.183: icmp_seq=1 ttl=64 time=4.99 ms
64 bytes from 10.8.15.183: icmp_seq=2 ttl=64 time=1.14 ms
--- 10.8.15.183 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 1.140/3.068/4.997/1.929 ms
[root@2 ~]# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=8.62 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.262 ms
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.262/4.441/8.621/4.180 ms
[root@2 ~]# ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
--- 172.16.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
The two *** servers can reach each other via their public IPs, but neither can reach the machines on the other side's internal network.
3.tangck.com
NIC information
[root@3 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:30:D7:83
inet addr:10.8.15.183 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20143 errors:0 dropped:0 overruns:0 frame:0
TX packets:120 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2240909 (2.1 MiB) TX bytes:14624 (14.2 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:30:D7:8D
inet addr:172.16.0.2 Bcast:172.16.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:5302 (5.1 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
Network information
[root@3 ~]# ping 10.8.15.182
PING 10.8.15.182 (10.8.15.182) 56(84) bytes of data.
64 bytes from 10.8.15.182: icmp_seq=1 ttl=64 time=6.10 ms
64 bytes from 10.8.15.182: icmp_seq=2 ttl=64 time=0.260 ms
--- 10.8.15.182 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.260/3.181/6.102/2.921 ms
[root@3 ~]# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
[root@3 ~]# ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=6.22 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=0.275 ms
--- 172.16.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.275/3.252/6.229/2.977 ms
The two *** servers can reach each other via their public IPs, but neither can reach the machines on the other side's internal network.
4.tangck.com
NIC information
Network information
lan2-pc2 can only communicate with the internal NIC of lan2-***server.
To summarise, since the output above is a lot to take in:
Lan1-pc1 can communicate with machines on the lan1 internal network but cannot ping machines in lan2.
Lan2-pc2 can communicate with machines on the lan2 internal network but cannot ping machines in lan1.
Lan1-***server can communicate with lan2-***server, and each can communicate with the machines on its own internal network, but neither can reach the machines on the other side's internal network: lan1-***server can ping lan2-***server's public IP, not its internal IP.
Note: after the openswan tunnel is up, the *** servers still cannot ping the peer's internal IP (a software bug), but the internal machines on the two sides can communicate with each other.
III. Workstation environment configuration
(1) Network settings of the 1.tangck.com VM
A "virtual network" here means an isolated internal network that Workstation creates for the VMs.
How do you add one?
Click Virtual Network, then Add, and give it a name.
Still unclear?
http://wangchunhai.blog.51cto.com/225186/667371
I will write a separate guide to VMware Workstation 8 later; the software version in the post above is older. Here I only want to explain what a VMware Workstation team is.
(2) Network settings of the 2.tangck.com VM
Network adapter 1 is in bridged mode and simulates the public network; network adapter 2 uses the virtual network and simulates the lan1 internal network. That team is an isolated network, so lan1-pc1 can only talk to the internal NIC of lan1-***server.
(3) Network settings of the 3.tangck.com VM
(4) Network settings of the 4.tangck.com VM
IV. Software deployment
With the environment clear, configure the software.
(Steps 1-5 are performed on both machines.)
1. Check for and install the ipsec toolkit and base build dependencies
rpm -q ipsec-tools gmp gmp-devel flex bison
Install any package the query reports as missing with yum.
2. Configure kernel parameters (sysctl)
/bin/cp /etc/sysctl.conf /etc/sysctl.conf.$(date +%F)
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
sed -i "s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g" /etc/sysctl.conf
sed -i "s/net.ipv4.conf.default.rp_filter = 1/net.ipv4.conf.default.rp_filter = 0/g" /etc/sysctl.conf
sysctl -p    # apply the settings
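The pipeline above appends new lines every time it is run, and the two sed commands only match the exact default strings. As an added example (my code, not from the original post), the function below applies the same three settings to a given file idempotently: redirects off on every IPv4 interface the kernel lists, forwarding on, reverse-path filtering off. The raw `sysctl -a` output is passed in as text so the function can be exercised on constructed input; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the step-2 kernel
# settings to a sysctl.conf file idempotently (re-running never appends
# duplicates). The raw `sysctl -a` output is passed in as text so the function
# can be exercised on constructed input; function names are mine.

# set_key FILE KEY VALUE: replace an existing "KEY = ..." line or append one
set_key() {
    if grep -q "^$2 *=" "$1"; then
        sed -i "s|^$2 *=.*|$2 = $3|" "$1"
    else
        echo "$2 = $3" >> "$1"
    fi
}

# ipsec_sysctl_conf FILE SYSCTL_A_OUTPUT
ipsec_sysctl_conf() {
    conf="$1"
    # 1. Disable ICMP redirects on every IPv4 interface the kernel lists (the same
    #    keys the post's egrep selects), so a neighbour cannot steer traffic away
    #    from the tunnel with redirect messages.
    printf '%s\n' "$2" \
        | grep -E 'ipv4.*(accept|send)_redirects' \
        | sed 's/[[:space:]]*=.*$//' \
        | while read -r key; do
              if [ -n "$key" ]; then
                  set_key "$conf" "$key" 0
              fi
          done
    # 2. The gateway forwards between its LAN and the tunnel.
    set_key "$conf" net.ipv4.ip_forward 1
    # 3. Reverse-path filtering would drop decapsulated packets from the peer LAN,
    #    which arrive on the public NIC with a source in the remote private range.
    set_key "$conf" net.ipv4.conf.default.rp_filter 0
}

# Usage on a real host (needs root):
#   ipsec_sysctl_conf /etc/sysctl.conf "$(sysctl -a)" && sysctl -p
```

Running the function twice leaves the file unchanged, which is the property the original `>>` pipeline lacks.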
3. Download openswan and upload it to the server
[root@recordsh01 tools]# ls
openswan-2.6.32.tar.gz
tar zxf openswan-2.6.32.tar.gz && cd openswan-2.6.32 && make programs && make install
# After installation there is one new configuration file and one new directory
ls /etc/ipsec.* (press Tab)
ipsec.conf ipsec.d/
4. Verify the installation
Start ipsec
[root@recordsh01 ~]# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.18-194.el5...
Check the ipsec status
[root@recordsh01 ~]# /etc/init.d/ipsec status
IPsec running - pluto pid: 22693
pluto pid 22693
No tunnels up
Check that netkey is loaded
[root@hollyuc03 tools]# ipsec --version
Linux Openswan U2.6.32/K2.6.18-194.el5 (netkey)
See `ipsec --copyright' for copyright information.
5. Generate the RSA key pair
ipsec newhostkey --output /etc/ipsec.secrets
View the RSA public keys:
[root@2 openswan-2.6.32]# ipsec showhostkey --right
# rsakey AQOI3jDZu
rightrsasigkey=0sAQOI3jDZu0Twuti5BMT6q+G8ru1X5sv1D0EUl8MmSbmjjYII7Owe6//9OVPz2SuP2pLe/+oUtgbcqG/9LeR5K5SHB9S9p+XNp3/fS+MV1w3BEBXjP1Cm5dgmlbrVFPTd8UQcmwFkXr3GeQWxihQ42RJMEXvTmqc3m6anM2wYkEPe6mHik3QwLpR2xW/ZEGKekKxr6MN3pyNN/V/dQaPKv8iVXB6cKbwcKzgwHk5WkXhw7GEJAPmFgUbaGgqom9Eggf177VdFwC7wjPoyYqgaOvZqR4ZN+j5DG2jgtkLuHTs4xrtNqw7OmscXXfo3aDVDn9rOXa/JwfgbWAwNKq+/bSzg+tvI0ZJfKuXbEdlYlYKyFOMF
[root@3 ~]# ipsec showhostkey --left
# rsakey AQOFLbvIw
leftrsasigkey=0sAQOFLbvIwOzFlP3YqTNGUW7NCf1+1tjgRLcLjumJ3Fvoi/zLr1KBx7aDiomYVVFj6hcmwjsXeL9bFv8DQ8GcZVhmvNaD2ymSua+xHHsNPfNwe0DOGkfamoZud+5cHmGfYkWdrK4qGo6yjV0Ner3fq/0hnJVsYEfPww5QSf0BBYLcCJszgcVLGMlW1756lzrVDLxTwaWmTF1tVbnimhV/dGS+gcd0uNXuOqazCZS3yi4X7fIzaFiSfiPVAbfnE32HlimQhw6y7+iriTCSf3OCpNZUikBQnVXz3Da0gyu/ghbieYoLhpLK5EstBb3gSXaLu2P0J5AVoqXFmhhLFvsDmjyVBJfbNKPH2AA6btv1txPZu6qN
6. Edit the configuration file (on both machines)
vi /etc/ipsec.conf
1. Change protostack=auto to protostack=netkey
2. Append include /etc/ipsec.d/*.conf at the end of the file
Save and exit.
Create the connection file (once written on one machine it can be copied to the peer):
[root@2 ipsec.d]# touch /etc/ipsec.d/1to2.conf
[root@2 ipsec.d]# cat 1to2.conf
conn 1to2
    left=10.8.15.182
    leftid=@left2
    leftsubnet=192.168.0.1/24
    leftrsasigkey=0sAQOI3jDZu0Twuti5BMT6q+G8ru1X5sv1D0EUl8MmSbmjjYII7Owe6//9OVPz2SuP2pLe/+oUtgbcqG/9LeR5K5SHB9S9p+XNp3/fS+MV1w3BEBXjP1Cm5dgmlbrVFPTd8UQcmwFkXr3GeQWxihQ42RJMEXvTmqc3m6anM2wYkEPe6mHik3QwLpR2xW/ZEGKekKxr6MN3pyNN/V/dQaPKv8iVXB6cKbwcKzgwHk5WkXhw7GEJAPmFgUbaGgqom9Eggf177VdFwC7wjPoyYqgaOvZqR4ZN+j5DG2jgtkLuHTs4xrtNqw7OmscXXfo3aDVDn9rOXa/JwfgbWAwNKq+/bSzg+tvI0ZJfKuXbEdlYlYKyFOMF
    leftnexthop=%defaultroute
    right=10.8.15.183
    rightsubnet=172.16.0.1/24
    rightid=@right2
    rightrsasigkey=0sAQOFLbvIwOzFlP3YqTNGUW7NCf1+1tjgRLcLjumJ3Fvoi/zLr1KBx7aDiomYVVFj6hcmwjsXeL9bFv8DQ8GcZVhmvNaD2ymSua+xHHsNPfNwe0DOGkfamoZud+5cHmGfYkWdrK4qGo6yjV0Ner3fq/0hnJVsYEfPww5QSf0BBYLcCJszgcVLGMlW1756lzrVDLxTwaWmTF1tVbnimhV/dGS+gcd0uNXuOqazCZS3yi4X7fIzaFiSfiPVAbfnE32HlimQhw6y7+iriTCSf3OCpNZUikBQnVXz3Da0gyu/ghbieYoLhpLK5EstBb3gSXaLu2P0J5AVoqXFmhhLFvsDmjyVBJfbNKPH2AA6btv1txPZu6qN
    rightnexthop=%defaultroute
    auto=start
Here is a screenshot, because the file is whitespace-sensitive: without the right layout ipsec reports a syntax error. Follow the format shown.
Notes:
1. The layout must be exactly as above.
2. leftid and rightid must not duplicate ids used in existing configuration files (when linking several sites).
3. When editing with vi, make sure the rightrsasigkey value stays on a single line.
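The three notes above are exactly the mistakes that produce a syntax error or a phase-1 failure with no obvious cause. As an added example (my code, not from the original post), the script below writes a conn block in the layout Openswan's parser expects and checks an existing file for unindented parameter lines, a wrapped rsasigkey and clashing ids. The id check reads note 2 as applying to the leftid/rightid pair, so the local id may legitimately repeat across a gateway's several conns; the placeholder keys and function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: emit a conn block in the
# layout Openswan requires and check a file for the mistakes listed in the
# notes above. Function names and placeholder key values are mine.

# gen_conn NAME LEFT LEFTID LEFTSUBNET LEFTKEY RIGHT RIGHTID RIGHTSUBNET RIGHTKEY
# Every parameter goes on its own tab-indented line; the keys are substituted
# whole, so they cannot be wrapped the way an editor might wrap them.
gen_conn() {
    printf 'conn %s\n' "$1"
    printf '\tleft=%s\n\tleftid=%s\n\tleftsubnet=%s\n\tleftrsasigkey=%s\n' "$2" "$3" "$4" "$5"
    printf '\tleftnexthop=%%defaultroute\n'
    printf '\tright=%s\n\trightid=%s\n\trightsubnet=%s\n\trightrsasigkey=%s\n' "$6" "$7" "$8" "$9"
    printf '\trightnexthop=%%defaultroute\n'
    printf '\tauto=start\n'
}

# conn_id FILE leftid|rightid -> the id value from that file
conn_id() {
    sed -n "s/^[[:space:]]*$2=//p" "$1"
}

# check_conn FILE: 0 if the file is well formed, 1 otherwise (problems are printed)
check_conn() {
    rc=0
    # (1) apart from "conn <name>", comments and blank lines, every line must be indented
    if grep -vE '^(conn |[[:space:]]|#|$)' "$1" | grep -q .; then
        echo "$1: parameter line(s) not indented under conn:"
        grep -vE '^(conn |[[:space:]]|#|$)' "$1"
        rc=1
    fi
    # (2) an indented line must look like "key=value"; a wrapped rsasigkey leaves a
    #     continuation line that does not
    if grep -E '^[[:space:]]' "$1" | grep -vqE '^[[:space:]]+[A-Za-z_-]+='; then
        echo "$1: continuation line without key= (wrapped rsasigkey?)"
        rc=1
    fi
    # (3) the two ends of one conn must have different ids
    if [ "$(conn_id "$1" leftid)" = "$(conn_id "$1" rightid)" ]; then
        echo "$1: leftid and rightid are identical (or missing)"
        rc=1
    fi
    return $rc
}

# check_ids_unique FILE... : 0 if no two files use the same leftid/rightid pair
check_ids_unique() {
    dup=$(for f in "$@"; do
              echo "$(conn_id "$f" leftid) $(conn_id "$f" rightid)"
          done | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "leftid/rightid pair used more than once: $dup"
        return 1
    fi
    return 0
}

# Usage (keys are placeholders, not real rsasigkey values):
#   gen_conn 1to2 10.8.15.182 @left2 192.168.0.0/24 0sAQOexampleLeftKey \
#            10.8.15.183 @right2 172.16.0.0/24 0sAQOexampleRightKey > /etc/ipsec.d/1to2.conf
#   check_conn /etc/ipsec.d/1to2.conf && check_ids_unique /etc/ipsec.d/*.conf
```

Run `check_conn` on every file under /etc/ipsec.d before restarting ipsec; an error it reports is cheaper to find here than in pluto's log.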
7. Modify the firewall
(1) Machine 2.tangck.com
[root@2 openswan-2.6.38]# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d ! 172.16.0.0/24 -j MASQUERADE
[root@2 openswan-2.6.38]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@2 openswan-2.6.38]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@2 openswan-2.6.38]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat Dec 22 12:58:48 2012
*nat
:PREROUTING ACCEPT [10:936]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d ! 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Dec 22 12:58:48 2012
# Generated by iptables-save v1.3.5 on Sat Dec 22 12:58:48 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8624:802105]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Dec 22 12:58:48 2012
(2) Machine 3.tangck.com
[root@3 openswan-2.6.38]# iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -d ! 192.168.0.0/24 -j MASQUERADE
[root@3 openswan-2.6.38]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Adjust the internal subnets on both sides to your actual environment.
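Two things are worth checking in a ruleset like the one saved above. The MASQUERADE rule must exclude the peer's LAN (the `-d ! 172.16.0.0/24` part): without it, LAN-to-LAN packets are source-NATed to the public address before the kernel's IPsec policy sees them and never enter the tunnel. And while the filter chain accepts ESP (protocol 50) and AH (51), it has no rule for IKE on UDP 500 or NAT-T on UDP 4500, so a gateway that has to answer its peer's first IKE packet would reject it. The following added example (my code, not the post's) audits an iptables-save dump for those five points; the function names are mine and the dump in the usage is read from a file.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an iptables-save dump
# for the rules an IPsec gateway needs. Function names are mine.
#
# audit_ipsec_fw DUMPFILE REMOTE_NET
#   DUMPFILE   output of `iptables-save`
#   REMOTE_NET network address of the peer LAN, e.g. 172.16.0.0
# Returns 0 when every check passes; otherwise prints each missing item and returns 1.
audit_ipsec_fw() {
    dump="$1"
    remote_net="$2"
    rc=0
    # escape the dots so the address is matched literally inside the regex
    re_remote=$(printf '%s' "$remote_net" | sed 's/\./\\./g')

    need() {  # need DESCRIPTION REGEX: report when no line of the dump matches
        if ! grep -qE -e "$2" "$dump"; then
            echo "missing: $1"
            rc=1
        fi
    }
    # IKE and NAT-T: the peer's first packet of phase 1 must be accepted
    need "IKE, udp/500 accept"      '^-A .*-p udp .*--dport 500 .*-j ACCEPT'
    need "NAT-T, udp/4500 accept"   '^-A .*-p udp .*--dport 4500 .*-j ACCEPT'
    # the tunnel traffic itself, in either the numeric or the named form
    need "ESP (protocol 50) accept" '^-A .*-p (esp|50) .*-j ACCEPT'
    need "AH (protocol 51) accept"  '^-A .*-p (ah|51) .*-j ACCEPT'
    # source NAT for Internet access must leave LAN-to-LAN traffic untouched
    need "MASQUERADE rule that excludes $remote_net from source NAT" \
         "^-A POSTROUTING .*(! -d |-d ! )$re_remote/.*-j MASQUERADE"
    return $rc
}

# Usage on a gateway (needs root):
#   iptables-save > /tmp/fw.txt && audit_ipsec_fw /tmp/fw.txt 172.16.0.0
```

The regexes accept both the `-d ! net` form iptables 1.3.5 writes and the `! -d net` form newer versions write, so the same audit works on the CentOS 5 hosts in this post and on later systems.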
8. Bring up the tunnel
[root@2 ~]# /etc/init.d/ipsec restart
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.18-194.el5...
[root@recordsh01 ~]# /etc/init.d/ipsec status
IPsec running - pluto pid: 22693
pluto pid 22693
No tunnels up
[root@2 ~]# ipsec auto --up 1to2
104 "up" #1: STATE_MAIN_I1: initiate
003 "up" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
003 "up" #1: received Vendor ID payload [Dead Peer Detection]
003 "up" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "up" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "up" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "up" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "up" #1: received Vendor ID payload [CAN-IKEv2]
004 "up" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "up" #2: STATE_QUICK_I1: initiate
004 "up" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5b08ddb0 <0x8d592c04 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
##### "ISAKMP SA established" shows that the tunnel has been built #####
[root@2 ~]# /etc/init.d/ipsec status
IPsec running - pluto pid: 22693
pluto pid 22693
2 tunnels up
some eroutes exist
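The output above answers two questions an operator should ask once a tunnel comes up: did both phases complete (the ISAKMP SA line is phase 1, the "IPsec SA established" line is phase 2), and what was actually negotiated (here RSA signatures, AES-128 and DH group modp2048). As an added example (my code, not from the original post), the functions below extract those answers from captured `ipsec auto --up` and `ipsec status` output and check the negotiated parameters against a minimum policy; the output is passed in as text so they run without a live pluto, and the policy thresholds and function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: inspect captured output of
# `ipsec auto --up <conn>` and `ipsec status`. Function names and the policy
# thresholds in ike_policy_ok are mine.

# ike_phases_up TEXT -> 0 when both the ISAKMP SA (phase 1) and the IPsec SA
# (phase 2) report established; a tunnel with only phase 1 carries no traffic.
ike_phases_up() {
    printf '%s\n' "$1" | grep -q 'ISAKMP SA established' &&
        printf '%s\n' "$1" | grep -q 'IPsec SA established'
}

# ike_param TEXT NAME -> value of "NAME=..." from the ISAKMP SA line
# (NAME is one of auth, cipher, prf, group)
ike_param() {
    printf '%s\n' "$1" | sed -n 's/.*ISAKMP SA established.*[{ ]'"$2"'=\([^ }]*\).*/\1/p'
}

# ike_policy_ok TEXT -> 0 when phase 1 used RSA signatures, an AES cipher and a
# DH group of at least modp2048; otherwise prints the offending parameter, returns 1.
ike_policy_ok() {
    auth=$(ike_param "$1" auth)
    cipher=$(ike_param "$1" cipher)
    group=$(ike_param "$1" group)
    case "$auth" in
        OAKLEY_RSA_SIG) ;;
        *) echo "auth=$auth"; return 1 ;;
    esac
    case "$cipher" in
        aes*) ;;
        *) echo "cipher=$cipher"; return 1 ;;
    esac
    case "$group" in
        modp2048|modp3072|modp4096|modp6144|modp8192) ;;
        *) echo "group=$group"; return 1 ;;
    esac
    return 0
}

# status_tunnels TEXT -> number of tunnels `ipsec status` reports ("No tunnels up" -> 0)
status_tunnels() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) tunnels* up.*/\1/p')
    echo "${n:-0}"
}

# Usage on a gateway:
#   out=$(ipsec auto --up 1to2 2>&1); ike_phases_up "$out" && ike_policy_ok "$out"
#   status_tunnels "$(/etc/init.d/ipsec status)"
```

A policy check like this belongs in the same place as the tunnel-up check: a peer that silently renegotiates with a weaker proposal still shows "tunnels up".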
9. Add routes from the lan1 and lan2 internal machines to the peer network
Test:
For convenience, on the other machines in the lan1 internal network run:
echo "any net 172.16.0.0 netmask 255.255.255.0 gw 192.168.0.2 " >> /etc/sysconfig/static-routes
After restarting the network the route is added automatically; do the same on the lan2 internal network, changing the subnet and gateway to match your environment.
10. Enable ipsec at boot
chkconfig ipsec on
V. Common errors
To be added later.
Reposted from: https://blog.51cto.com/ontheway2015/1098464