测试环境如上图:路由器A与路由器B通过wan口直连,主机C与两台路由器通过LAN口连接,使主机和路由器之间能互相通信。
然后按照以下步骤进行配置
1、找一台主机作为CA(主机C),在此主机上生成一个CA证书,用于给两台路由器的证书进行签名
生成CA:openssl req -x509 -days 3650 -newkey rsa:1024 -keyout cakey.pem -out caCert.pem
执行过程:Generating a 1024 bit RSA private key
................................................++++++
.++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WIDE Project
Organizational Unit Name (eg, section) []:KAME Project
Common Name (e.g. server FQDN or YOUR name) []:Xelerance Root CA
Email Address []:ca@xelerance.com
在Common Name项中如果主机作为主CA可写Root CA,每个证书的此项必须不同
2、在各个路由器上使用openssl生成各自的证书
openssl req -newkey rsa:1024 -keyout ipsec8.key -out ipsec8Req.pem
如果不需要密码加密的话,在Enter pass phrase for client.key时直接回车,如果有密码,在racoon启动时可能需要密码
过程同生成CA时,唯一需要注意的是,Common Name必须唯一
然后将ipsec8Req.pem发送到CA的主机上进行签名认证
3、在CA主机上对路由器的证书进行签名认证
先将openssl.cnf中dir = ./demoCA目录修改或在openssl程序所在的目录上新建demoCA目录
在dir指定的目录下生成newcerts目录 mkdir newcerts
在dir指定的目录下新建文件index.txt touch index.txt
在dir指定的目录下执行echo "01" > serial
执行下面命令对路由器证书进行签名认证
openssl ca -in ipsec8Req.pem -days 365 -out ipsec8Cert.pem -notext -cert caCert.pem -keyfile cakey.pem
将生成的签名证书ipsec8Cert.pem发送到路由器,此文件中路由器的有效证书
4、在路由器上配置racoon.conf
path include "/etc/racoon";
path certificate "/u/cert";
remote anonymous
{
exchange_mode main;
ph1id 1;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "ipsec8Cert.pem" "ipsec8.key";
peers_certfile "ipsec1Cert.pem";
proposal {
encryption_algorithm 3des;
#authentication_method pre_shared_key;
authentication_method rsasig;
hash_algorithm sha1;
dh_group modp1024;
}
}
sainfo (anonymous )
{
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
remoteid 1;
}
在/u/下新建cert目录,cert目录的权限为700
将本路由器证书(ipsec8Cert.pem),本路由器的私有key(ipsec8.key),对端路由器的证书(ipsec1Cert.pem)放到cert目录下
执行racoon
将ipsec8.key权限修改为600
5、对端路由器的操作与此相同
6、在setkey.conf中指定setkey信息
flush;
spdflush;
spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/192.168.9.5-192.168.9.4/require;
spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec esp/tunnel/192.168.9.4-192.168.9.5/require;
7、启动racoon:racoon -f /etc/racoon.conf
如果在生成证书私钥时输入了密码,则在启动racoon时就需要输入密码,如果没有密码,则racoon会直接启动。当两端的racoon启来后,需要在一端ping另一端一次才能使两发起协商:ping -I 192.168.8.146 192.168.1.147
阅读(2016) | 评论(0) | 转发(0) |