Chinaunix首页 | 论坛 | 博客
  • 博客访问: 18925952
  • 博文数量: 7460
  • 博客积分: 10434
  • 博客等级: 上将
  • 技术积分: 78178
  • 用 户 组: 普通用户
  • 注册时间: 2008-03-02 22:54
文章分类

全部博文(7460)

文章存档

2011年(1)

2009年(669)

2008年(6790)

分类: BSD

2008-04-07 21:44:52

配置网络:/etc/rc.conf

network_interface="dc0 lo0"
ifconfig_dc0="192.168.2.11"
defaultrouter="192.168.2.1"

远程登陆

FreeBSD远程登陆默认的是ssh,但是不能su到root,为了能su到root,打开/etc/group文件把你的用户名添加的wheel组中:

wheel:*:0:root,name

重新配置内核

#cd /usr/src/sys/i386/conf
#cp GENERIC MYKERNEL

编辑MYKERNEL加入

options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

然后

#/usr/sbin/config MYKERNEL
#cd ../compile/MYKERNEL
#make depend
#make
#make install

安装racoon

#cd /usr/ports/security/racoon
#make install clean

要确保你的/usr/ports/distfiles目录中有racoon-20021120a.tar.gz,没有的话就下一个吧。

3.创建证书
认证的方法选择证书的方法。利用OpenSSL来创建证书。

首先创建CA,然后为将要互连的两个计算机发放证书。先创建RSA公私钥对,然后创建子签名的证书。

创建CA

$ openssl genrsa -des3 -out ca.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
..............++++++
................++++++
e is 65537 (0x10001)
Enter PEM pass phrase: fearBeans
Verifying password - Enter PEM pass phrase: fearBeans

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase: fearBeans
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Heilongjiang
Locality Name (eg, city) []:Daqing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxdevice
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:zhangp
Email Address []:zhangp@cy9.dq.cnpc.com.cn

为主机创建证书,首先创建RSA私钥,然后创建CA签名的证书。

$ openssl genrsa -out win2k.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
.....++++++
.....++++++
e is 65537 (0x10001)

$ openssl req -new -key win2k.key -out win2k.csr
Using configuration from /etc/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Heilongjiang
Locality Name (eg, city) []:Daqing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxdevice
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:win2k
Email Address []:win2k@cy9.dq.cnpc.com.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ openssl x509 -req -days 182 -in win2k.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out win2k.crt
Signature ok
subject=/C=CN/ST=Heilongjiang/L=Daqing/O=Linuxdevice/
CN=win2k/Email=win2k@cy9.dq.cnpc.com.cn
Getting CA Private Key
Enter PEM pass phrase: 123456

类似的为主机freebsd创建证书。对于win2k的证书来说,还要做成PKCS12的格式。

$ openssl pkcs12 -export -inkey win2k.key -certfile ca.crt -in win2k.crt -out win2k.p12
Enter Export Password: 123456
Verifying password - Enter Export Password: 123456

配置FreeBSD
准备配置文件 /etc/ipsec.conf,其中192.168.2.11为FreeBSD,192.168.2.6为win2k:

spdadd 192.168.2.11/32 192.168.2.6/32 any -P out ipsec
esp/transport/192.168.2.11-192.168.2.6/require;
spdadd 192.168.2.6/32 192.168.2.11/32 any -P in ipsec
esp/transport/192.168.2.6-192.168.2.11/require;

在配置文件/etc/rc.conf中加入:

ipsec_enable="YES"

准备配置文件/usr/local/etc/racoon/racoon.conf:

# Directory in which we will store this, and other machines' certificates

path certificate "/usr/local/etc/racoon/certs" ;

log debug2;

# Padding values. These have been copied verbatim from the example.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

# Timer values. I've bumped up the phase 1 & 2 timeouts.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 90 sec;
phase2 60 sec;
}

remote anonymous
{
exchange_mode main,aggressive;
#exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier user_fqdn "zhangp@cy9.dq.cnpc.com.cn";
peers_identifier user_fqdn "win2k@cy9.dq.cnpc.com.cn";
certificate_type x509 "freebsd.crt" "freebsd.key";
peers_certfile "win2k.crt";

nonce_size 16;
lifetime time 4 hour; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim

# This is the same as one of the default proposals on Windows.
# 3DES, MD5 and RSA (certificate) authentication.
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method rsasig;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 1;
lifetime time 30 sec;
encryption_algorithm 3des,des ;
authentication_algorithm hmac_sha1,hmac_md5;
compression_algorithm deflate ;
}

把证书存储到/usr/local/etc/racoon/certs中:

#mkdir -m 0700 /usr/local/etc/racoon/certs
#cp freebsd.crt freebsd.key win2k.crt /usr/local/etc/racoon/certs
#chmod 0600 /usr/local/etc/racoon/certs/*

现在可以启动守护程序racoon了

#racoon
阅读(515) | 评论(0) | 转发(0) |
0

上一篇:FreeBSD内核定制参考

下一篇:BSD与网络安全

给主人留下些什么吧!~~