使用 FreeBSD 网关在两个被 Internet 分开的网络之间架设 ×××,以实现两个网络通过×××通道互访,IPsec 是一种建立在 Internet 协议 (IP) 层之上的协议,它能够让两个或更多主机以安全的方式来通讯,IPsec 既
可以用来直接加密主机之间的网络通讯 (也就是 传输模式); 也可以用来在两个子网之间建造 “虚拟隧道” 用于两个网络之间的安全通讯 (也就是 隧道模式)。 后一种更多的被称为是 虚拟专用网 (×××)。
1、编译内核
-------------------------------
#要把 IPsec 支持放进内核, 应该在配置文件中加入下面的选项:
-------------------------------
#要把 IPsec 支持放进内核, 应该在配置文件中加入下面的选项:
options IPSEC #IP security
options IPSEC_ESP
device crypto
#如果需要 IPsec 的调试支持, 还应增加:
options IPSEC_ESP
device crypto
#如果需要 IPsec 的调试支持, 还应增加:
options IPSEC_DEBUG #debug for IP security
device gif # IPv6 and IPv4 tunneling
device gif # IPv6 and IPv4 tunneling
#编译内核
2、×××配置
---------------------------------
#security/ipsec-tools安装
---------------------------------
#security/ipsec-tools安装
server1# tar -zxvf ipsec-tools-0.8-alpha20090422.tar.bz2
server1# cd ipsec-tools-0.8-alpha20090422
server1# ./configure
server1# make;make install
server1# cd ipsec-tools-0.8-alpha20090422
server1# ./configure
server1# make;make install
server1:
server1# ifconfig gif0 create
server1# ifconfig gif0 222.11.33.23 222.11.34.56
server1# ifconfig gif0 tunnel 10.10.10.100 172.16.16.100
server1# ifconfig gif0 create
server1# ifconfig gif0 222.11.33.23 222.11.34.56
server1# ifconfig gif0 tunnel 10.10.10.100 172.16.16.100
server2:
server2# ifconfig gif0 create
server2# ifconfig gif0 222.11.34.56 222.11.33.23
server2# ifconfig gif0 tunnel 172.16.16.100 10.10.10.100
server2# ifconfig gif0 create
server2# ifconfig gif0 222.11.34.56 222.11.33.23
server2# ifconfig gif0 tunnel 172.16.16.100 10.10.10.100
#一旦完成以后,两个私有的 IP 地址都应该能像下面ping命令输出那样互相访问
server1# ping 172.16.16.100
PING 172.16.16.100 (172.16.16.100): 56 data bytes
64 bytes from 172.16.16.100: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.100: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.100: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.100: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.100 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms
server1# ping 172.16.16.100
PING 172.16.16.100 (172.16.16.100): 56 data bytes
64 bytes from 172.16.16.100: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.100: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.100: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.100: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.100 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms
server2# ping 10.10.10.100
PING 10.10.10.100 (10.10.10.100): 56 data bytes
64 bytes from 10.10.10.100: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.100: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.100: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.100: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.100: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.100 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms
#配置路由规则使两边私有地址都能相互访问
server1:
server1# route add 172.16.16.0 172.16.16.100 255.255.255.0
server1# route add net 172.16.16.0: gateway 172.16.16.100
server1:
server1# route add 172.16.16.0 172.16.16.100 255.255.255.0
server1# route add net 172.16.16.0: gateway 172.16.16.100
server2:
server2# route add 10.10.10.0 10.10.10.100 255.255.255.0
server2# route add net 10.10.10.0: gateway 10.10.10.100
server2# route add 10.10.10.0 10.10.10.100 255.255.255.0
server2# route add net 10.10.10.0: gateway 10.10.10.100
#这样配置后,不论从网关还是网关后的机器都能访问内部的网络
server1# ping 172.16.16.23
PING 172.16.16.23 (172.16.16.23): 56 data bytes
64 bytes from 172.16.16.23: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.23: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.23: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.23: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.23 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms
server1# ping 172.16.16.23
PING 172.16.16.23 (172.16.16.23): 56 data bytes
64 bytes from 172.16.16.23: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.23: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.23: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.23: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.23 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms
server2# ping 10.10.10.16
PING 10.10.10.100 (10.10.10.16): 56 data bytes
64 bytes from 10.10.10.16: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.16: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.16: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.16: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.16: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.16 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms
PING 10.10.10.100 (10.10.10.16): 56 data bytes
64 bytes from 10.10.10.16: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.16: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.16: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.16: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.16: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.16 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms
3、通道的加密传输
------------------------------------------------------
#使用 pre-shared(PSK)RSA 密钥对通道进行加密,保证数据的安全传输
#安装security/ipsec-tools
server1#
server1# vi /usr/local/etc/racoon/racoon.conf //两边文件差不多一样,只做稍许修改
------------------------------------------------------
#使用 pre-shared(PSK)RSA 密钥对通道进行加密,保证数据的安全传输
#安装security/ipsec-tools
server1#
server1# vi /usr/local/etc/racoon/racoon.conf //两边文件差不多一样,只做稍许修改
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listening on
{
isakmp 222.11.33.23 [500];
isakmp_natt 222.11.33.23 [4500];
}
{
isakmp 222.11.33.23 [500];
isakmp_natt 222.11.33.23 [4500];
}
remote 222.11.34.56 [500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 222.11.33.23;
peers_identifier address 222.11.34.56;
lifetime time 8 hour;
passive off;
proposal_check obey;
# nat_traversal off;
generate_policy off;
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 222.11.33.23;
peers_identifier address 222.11.34.56;
lifetime time 8 hour;
passive off;
proposal_check obey;
# nat_traversal off;
generate_policy off;
proposal {
encryption_algorithm blowfish;
hash_algorithm md5;
authentication_method pre_shared_key;
lifetime time 30 sec;
dh_group 1;
}
}
encryption_algorithm blowfish;
hash_algorithm md5;
authentication_method pre_shared_key;
lifetime time 30 sec;
dh_group 1;
}
}
sainfo (address 10.10.10.0/24 any address 172.16.16.0/24 any) # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{ # $network must be the two internal networks you are joining.
pfs_group 1;
lifetime time 36000 sec;
encryption_algorithm blowfish,3des,des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
{ # $network must be the two internal networks you are joining.
pfs_group 1;
lifetime time 36000 sec;
encryption_algorithm blowfish,3des,des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
server1# vi /usr/local/etc/racoon/setkey.conf
flush;
spdflush;
# To the home network
spdadd 10.10.10.0/24 172.16.16.0/24 any -P out ipsec esp/tunnel/222.11.33.23-222.11.34.56/use;
spdadd 172.16.16.0/24 10.10.10.0/24 any -P in ipsec esp/tunnel/222.11.34.56-222.11.33.23/use;
spdflush;
# To the home network
spdadd 10.10.10.0/24 172.16.16.0/24 any -P out ipsec esp/tunnel/222.11.33.23-222.11.34.56/use;
spdadd 172.16.16.0/24 10.10.10.0/24 any -P in ipsec esp/tunnel/222.11.34.56-222.11.33.23/use;
#一旦完成后,便使用下面的命令在两边的网关上都启动 racoon
server1# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
server2# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
server1# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
server2# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
#确认一下“隧道”是否正常工作
server1# tcpdump -i em0 host 222.11.33.23 and dst 222.11.34.56
server1# tcpdump -i em0 host 222.11.33.23 and dst 222.11.34.56
4、防火墙设置
------------------------------------------------
#ipfw设置
------------------------------------------------
#ipfw设置
ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any
#pf设置
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any
#允许机器初始化的时候开始 ××× 支持
server1# vi /etc/rc.conf
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"
转载于:https://blog.51cto.com/3228283/1053619
1135
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
