There are many IPsec options for Linux; see the following article for an overview:
http://blog.chinaunix.net/u2/66435/showart_2238175.html
My environment is Ubuntu Server 10.04. Its kernel is 2.6.32 or later, which already ships the NETKEY IPsec kernel module.
Since the kernel module is already present, we can build IPsec on either openswan or ipsec-tools.
On the server side I use ipsec-tools.
On the client side I use openswan (my 3G router is the client, and I plan to port openswan to ARM).
Below is my server configuration.
My XP client's IP is 192.168.0.102.
My Ubuntu client's IP is 192.168.0.117.
My server's IP is 192.168.0.109.
1. Install the L2TP daemon and the IPsec tools
sudo apt-get install xl2tpd
sudo apt-get install racoon
2. Configure /etc/xl2tpd/xl2tpd.conf
[global]                                 ; set global parameters
port = 1701                              ; * use port 1701
auth file = /etc/ppp/chap-secrets        ; use ppp secret file
[lns default]                            ; fallthrough LNS definition
exclusive = yes                          ; permit one tunnel per host
ip range = 192.168.10.10-192.168.10.100  ; ip range for remote peer
lac = 0.0.0.0-255.255.255.255            ; lac ip range
local ip = 192.168.1.5                   ;
length bit = yes                         ;
require chap = yes                       ; use CHAP auth
require authentication = yes             ; require authenticate
name = vpnservername                     ;
pppoptfile = /etc/ppp/options.xl2tpd     ; ppp options file
3. Create /etc/ppp/options.xl2tpd
name ABC
lock
auth
debug
dump
logfile /var/log/l2tpd.log
passive
nodetach
noccp
novj
novjccomp
nopcomp
noaccomp
4. Add a user and password to /etc/ppp/chap-secrets
test * 1234 *
5. Run xl2tpd
sudo /etc/init.d/xl2tpd start
6. Configure /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    #generate_policy off;
}
sainfo anonymous {
    #pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
7. Add /etc/racoon/psk.txt (one line per client: peer address, then its pre-shared key)
192.168.0.117 123456
192.168.0.102 123456
8. Add /etc/racoon/setkey.conf (an inbound and an outbound transport-mode ESP policy for each client)
flush;
spdflush;
spdadd 192.168.0.117 192.168.0.109 any -P in ipsec esp/transport//require;
spdadd 192.168.0.109 192.168.0.117 any -P out ipsec esp/transport//require;
spdadd 192.168.0.102 192.168.0.109 any -P in ipsec esp/transport//require;
spdadd 192.168.0.109 192.168.0.102 any -P out ipsec esp/transport//require;
9. Load the policies
sudo setkey -f /etc/racoon/setkey.conf
10. Start racoon
sudo /etc/init.d/racoon start
At this point the server is up and allows the two clients to connect.
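Because every client needs a matching pair of spdadd policies plus a psk.txt entry, the two files drift apart easily when clients are added by hand. The following Python check is an added example (not from the original post or the ipsec-tools project): it parses setkey.conf and psk.txt and reports any peer whose policies are not bidirectional, not at level require, or which has no pre-shared key. The sample input is constructed and deliberately contains defects for 192.168.0.102 so the check has something to report.

```python
import re
# Constructed sample modelled on the article's setkey.conf and psk.txt, with three
# deliberate defects for 192.168.0.102: level 'use', no 'out' policy, no pre-shared key.
SETKEY_CONF = """\
flush;
spdflush;
spdadd 192.168.0.117 192.168.0.109 any -P in ipsec esp/transport//require;
spdadd 192.168.0.109 192.168.0.117 any -P out ipsec esp/transport//require;
spdadd 192.168.0.102 192.168.0.109 any -P in ipsec esp/transport//use;
"""
PSK_TXT = """\
# identifier   pre-shared key
192.168.0.117  123456
"""
# spdadd <src> <dst> <proto> -P <in|out> ipsec esp/transport/<endpoints>/<level>;
SPDADD = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/transport/[^/]*/(\w+)\s*;")

def parse_spd(text):
    """Map each remote peer to {direction: level}; 'in' is peer->server, 'out' is server->peer."""
    policies = {}
    for line in text.splitlines():
        m = SPDADD.match(line.strip())
        if m:
            src, dst, direction, level = m.groups()
            peer = src if direction == "in" else dst
            policies.setdefault(peer, {})[direction] = level
    return policies

def parse_psk(text):
    """psk.txt holds one 'identifier key' pair per line; lines starting with '#' are comments."""
    keys = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            keys[parts[0]] = parts[1].strip()
    return keys

def audit(setkey_text, psk_text):
    """Return one finding per defect; an empty list means the two files agree."""
    findings, spd, psk = [], parse_spd(setkey_text), parse_psk(psk_text)
    for peer, dirs in sorted(spd.items()):
        for d in ("in", "out"):
            if d not in dirs:
                findings.append(f"{peer}: no '{d}' policy, that direction is not protected")
            elif dirs[d] not in ("require", "unique"):
                findings.append(f"{peer}: '{d}' level is '{dirs[d]}', which may fall back to cleartext")
        if peer not in psk:
            findings.append(f"{peer}: no pre-shared key in psk.txt, phase 1 will fail")
    findings += [f"{i}: has a pre-shared key but no SPD policy" for i in sorted(set(psk) - set(spd))]
    return findings
```

Calling audit(SETKEY_CONF, PSK_TXT) on the constructed sample returns three findings for 192.168.0.102; pass the real file contents to check a live server.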