Category: Networking and Security

2011-03-25 12:09:32

To make openswan work with the Linux kernel's IPsec stack, the NETKEY feature must first be enabled when compiling the Linux kernel, together with a number of other options that openswan requires.

Kernel options that must be enabled:
CONFIG_UNIX: Unix domain sockets. The Openswan userland (Pluto) uses these.
CONFIG_PROC_FS: The /proc filesystem (needed by both KLIPS and NETKEY).
CONFIG_CRYPTO: CryptoAPI, pluggable crypto modules. Necessary for NETKEY; optional for KLIPS.
CONFIG_CRYPTO_*: Various crypto modules. HMAC, MD5, 3DES, AES and SHA1 are necessary for NETKEY; optional for KLIPS. Most of the other crypto modules should be treated with severe skepticism and probably not used at all.

Kernel options that are strongly recommended:
CONFIG_IP_ADVANCED_ROUTER: This gives far better routing control and is needed for some script features, such as _updown.
CONFIG_PACKET: Necessary for tcpdump, a debugging tool, as well as for KLIPS and NETKEY.
CONFIG_NETFILTER: TCP/IP packet filter. You need this to build a firewall or to support NAT.
CONFIG_IPSEC_NAT_TRAVERSAL: This option only appears after the kernel has been patched with the NAT-T patch. It adds support for NAT traversal by encapsulating ESP packets in UDP packets, which is needed if you wish to connect from behind a NATed network to your Openswan server. Older versions of this code call the option CONFIG_ESPINUDP; those versions are broken and should not be used.

Options for the NETKEY stack:
CONFIG_NET_KEY: PF_KEYv2 (IPsec) sockets.
CONFIG_XFRM_USER: IPsec user configuration interface (the Openswan userland uses this).
CONFIG_INET_AH: Authentication Header (AH) for IPv4. You probably don't need this.
CONFIG_INET_ESP: Encapsulating Security Payload (ESP) for IPv4.
CONFIG_INET_IPCOMP: Payload compression support.
CONFIG_INET_TUNNEL: Generic IP tunnel transformation, needed by ipcomp.
CONFIG_INET6_AH: Authentication Header (AH) for IPv6. You probably don't need this.
CONFIG_INET6_ESP: Encapsulating Security Payload (ESP) for IPv6.
CONFIG_INET6_IPCOMP: Compression mode for IPv6.

If Microsoft's L2TP client will be used, the following options also need to be enabled:
CONFIG_UNIX98_PTYS: Unix PTYs.
CONFIG_PPP: PPP support.
CONFIG_PPP_SYNC_TTY: Synchronous PPP support.
CONFIG_PPP_DEFLATE: Deflate support.
CONFIG_PPP_BSDCOMP: BSD (de)compression support for IP headers.
CONFIG_LEGACY_PTYS (Linux 2.6): Legacy PTYs (only needed when using certain older L2TP daemons). Note: this is disabled in the stock kernels for Fedora Core 2 and up.
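As an added check that is not part of the original post, the following shell script reads a kernel config file (for example /boot/config-$(uname -r), or the .config in the kernel source tree) and reports which of the options listed above are missing or disabled. The option names come from the tables; the mapping of 3DES to the kernel's CONFIG_CRYPTO_DES module is my assumption.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel config file for
# the options the post lists for Openswan with the NETKEY stack.
# Usage: check_openswan_config /boot/config-$(uname -r)

# Options the post marks as must-enable, plus the core NETKEY stack options.
# 3DES lives in the kernel's CONFIG_CRYPTO_DES module (assumption, see lead-in).
REQUIRED_OPTS="CONFIG_UNIX CONFIG_PROC_FS CONFIG_CRYPTO CONFIG_CRYPTO_HMAC \
CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_DES CONFIG_CRYPTO_AES CONFIG_CRYPTO_SHA1 \
CONFIG_NET_KEY CONFIG_XFRM_USER CONFIG_INET_ESP"

# Options the post strongly recommends; missing ones only produce a warning.
RECOMMENDED_OPTS="CONFIG_IP_ADVANCED_ROUTER CONFIG_PACKET CONFIG_NETFILTER \
CONFIG_INET_IPCOMP CONFIG_INET_TUNNEL CONFIG_INET6_ESP"

# Print how one option is set: y (built in), m (module), n (explicitly off),
# or "unset" if the config file does not mention it at all.
config_value() {
    cfg="$1"; opt="$2"
    line=$(grep -E "^(# )?$opt[= ]" "$cfg" | head -n 1)
    case "$line" in
        "$opt=y") echo y ;;
        "$opt=m") echo m ;;
        "# $opt is not set") echo n ;;
        "") echo unset ;;
        *) echo "${line#*=}" ;;
    esac
}

# Return 0 when every required option is built in or modular, 1 otherwise.
check_openswan_config() {
    cfg="$1"; rc=0
    for opt in $REQUIRED_OPTS; do
        v=$(config_value "$cfg" "$opt")
        case "$v" in
            y|m) ;;
            *) echo "MISSING required: $opt ($v)"; rc=1 ;;
        esac
    done
    for opt in $RECOMMENDED_OPTS; do
        v=$(config_value "$cfg" "$opt")
        case "$v" in
            y|m) ;;
            *) echo "WARN recommended: $opt ($v)" ;;
        esac
    done
    return $rc
}
```

Run it against the config of the kernel you are about to boot before building openswan; a required option reported as MISSING means ipsec verify will later fail its kernel support check.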


Now on to compiling openswan.
openswan does not use a GNU-style configure script to set build and install options; most of the user-configurable options are in Makefile.inc in the top-level directory. Modify Makefile.inc according to your needs, and keep a backup of the original file so it can be restored.

Then run make programs to build, and make install to install.

Finally, verify ipsec:
-bash-3.00# ipsec --version
Linux Openswan U2.6.33/K2.6.26.5 (netkey)
See `ipsec --copyright' for copyright information.
This command shows the versions of ipsec and the kernel, and which Linux IPsec stack ipsec is working with.

ipsec verify can be used for a further check and gives more detailed information:
-bash-3.00# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                       [OK]
Linux Openswan U2.6.33/K2.6.26.5 (netkey)
Checking for IPsec support in kernel                  [OK]
SAref kernel support                                  [N/A]
NETKEY:  Testing XFRM related proc values             [OK]
Checking that pluto is running                        [OK]
Checking NAT and MASQUERADEing                        [OK]
Checking for 'ip' command                             [OK]
Checking /bin/sh is not /bin/dash                     [OK]
Checking for 'iptables' command                       [OK]
Opportunistic Encryption Support                      [DISABLED]


GFree_Wind 2011-04-18 22:11:32

dagun: What does your company do?.....
Network equipment... it's a broad area, hard to be specific.

dagun 2011-04-18 16:39:00

What does your company do?

GFree_Wind 2011-04-18 15:54:56

dagun: Where are you, brother? This is really old stuff, and you're only studying it now.....
Yeah. Such old technology. No choice, it's a customer requirement... they insist on ipsec.

dagun 2011-04-18 15:03:22

Where are you, brother? This is really old stuff, and you're only studying it now.