The racoon daemon in IPsec-Tools implements IKE: it performs mutual authentication between the two peers and establishes and maintains the IPsec SAs. Below, racoon is configured with pre-shared key (psk) authentication.
I. Network topology
II. Network configuration
Subnet 1: 192.168.1.0/24, gateway GW1
Subnet 2: 192.168.0.0/24, gateway GW2
Routes to subnet 2 and subnet 1 have been added on GW1 and GW2 respectively.
A and B can now ping each other.
III. IPsec configuration
1. Client A
(1) setkey.conf
[root@localhost ~]# cat /etc/setkey.conf (file mode 600)
#flush SAD entries
flush;
#flush SPD entries
spdflush;
#add SA entries
#add SP entries
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/transport//require esp/transport//require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/transport//require esp/transport//require;
(2) psk.txt
[root@localhost ~]# cat /etc/racoon/psk.txt
192.168.0.2 0x123456
(3) racoon.conf
[root@localhost ~]# cat /etc/racoon/racoon.conf (file mode 600)
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous
{
        exchange_mode main;
        lifetime time 2 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha512;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}
sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
2. Client B
(1) setkey.conf
[root@localhost ~]# cat /etc/setkey.conf
#flush SAD entries
flush;
#flush SPD entries
spdflush;
#add SA entries
#add SP entries
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/transport//require esp/transport//require;
#spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/transport//require esp/tunnel//require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/transport//require esp/transport//require;
(2) psk.txt
[root@localhost ~]# cat /etc/racoon/psk.txt
192.168.1.2 0x123456
(3) racoon.conf
[root@localhost ~]# cat /etc/racoon/racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous
{
        exchange_mode main;
        lifetime time 2 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha512;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}
sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
IV. Testing
1. On clients A and B, load setkey.conf and start racoon with racoon.conf:
#setkey -f /etc/setkey.conf
#racoon -f /etc/racoon/racoon.conf
setkey -D: display the database contents (the SAD; with -P, the SPD)
setkey -P -F: flush the SPD
encryption_algorithm: the encryption algorithm; the choices here are des, 3des, blowfish, cast128 and rijndael
authentication_algorithm: the authentication algorithms used by AH and ESP: md5 and sha1
lifetime time: how long a key is used before it is retired, 30 to 60 minutes
compression_algorithm: the compression algorithm
authentication_method: how the other endpoint is verified to be trusted; the methods are pre_shared_key (the fastest and simplest) and rsasig,
which uses certificates as the basis for verification. A certificate is digital information that cannot be forged.
remote: specifies the IP address of the other end
dh_group: modp768, modp1024, modp1536
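As an added check that is not part of the original post: before loading the policies and starting racoon, the script below verifies that client A's and client B's spdadd policies mirror each other and that psk.txt has the 600 permissions and the peer entry this setup relies on. The setkey.conf lines are the page's own; the function names, the regex and the error strings are this example's.

```python
import os
import re

# Constructed sample input: the live spdadd lines of client A's and client B's setkey.conf above.
SETKEY_A = """spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/transport//require esp/transport//require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/transport//require esp/transport//require;
"""
SETKEY_B = """spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/transport//require esp/transport//require;
#spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/transport//require esp/tunnel//require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/transport//require esp/transport//require;
"""
SPDADD = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(.*?)\s*;$")

def parse_policies(text):
    """Map (src, dst, upper, direction) -> the proto/mode/src-dst/level rules of each spdadd."""
    policies = {}
    for line in text.splitlines():
        m = SPDADD.match(line.strip())   # commented-out lines ('#spdadd ...') never match
        if m:
            src, dst, upper, direction, rules = m.groups()
            policies[(src, dst, upper, direction)] = tuple(rules.split())
    return policies

def mismatches(local, peer):
    """Local policies with no identical mirror on the peer: an 'out' policy for src->dst here must
    be an 'in' policy for the same src->dst there, or the peer drops the traffic or accepts it unprotected."""
    problems = []
    for (src, dst, upper, direction), rules in local.items():
        mirror_dir = "in" if direction == "out" else "out"
        mirror = peer.get((src, dst, upper, mirror_dir))
        if mirror != rules:
            problems.append(f"{direction} {src}->{dst}: {rules} vs peer {mirror}")
    return problems

def check_psk(text, mode, peer_ip):
    """psk.txt checks: mode 0600 (racoon refuses a group/world-readable key file) and a line for the peer."""
    problems = []
    if mode & 0o077:
        problems.append("psk.txt is readable by group/others; chmod 600 it")
    peers = {l.split()[0] for l in text.splitlines() if l.strip() and not l.startswith("#")}
    if peer_ip not in peers:
        problems.append(f"no pre-shared key for {peer_ip}")
    return problems

def check_psk_file(path, peer_ip):
    """Run check_psk on a real file, e.g. check_psk_file("/etc/racoon/psk.txt", "192.168.0.2")."""
    with open(path) as fh:
        return check_psk(fh.read(), os.stat(path).st_mode, peer_ip)
```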
Reposted from: https://blog.51cto.com/ltxin/938363