Category: LINUX

2015-12-09 16:28:03

1. Installation
Install IPsec with sudo yum install openswan. After installation, verify it with the following command:

ipsec --version
which prints:
Linux Libreswan 3.15 (netkey) on 3.10.0-229.el7.x86_64

2. Configuration
1) Edit /etc/sysctl.conf

Change
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
to
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
After the change, run sysctl -p so that the settings take effect.
2) Configure Openswan
The main Openswan configuration files are:

/etc/ipsec.conf         main configuration file
/etc/ipsec.secrets      specifies the key files belonging to the certificates
/etc/ipsec.d/cacerts    holds CA certificates
/etc/ipsec.d/certs      holds personal (end-entity) certificates; put your own PEM certificate here
/etc/ipsec.d/private    holds the private key of the X.509 personal certificate

Once the CA certificate, the personal certificate and the private key are in the corresponding directories, only ipsec.conf and ipsec.secrets need to be edited.

The certificate material can be converted to the new format as follows:
openssl pkcs12 -export -in cert_juchk_l.pem -inkey key.pem -certfile cacert.pem -out juchk.p12 -name juchk
This bundles the personal certificate, its private key and the CA certificate into a PKCS#12 file. Importing it adds it to the ipsec key store, where it is managed under the name given by -name at the end of the command above:
ipsec import juchk.p12

Example configuration file:
[root@localhost ~]# vim /etc/ipsec.conf


# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file: /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual: ipsec.conf.5
# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    # private".
    # Note: "crypt" is not included with "all", as it can show confidential
    # information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    # an unusual location.
    #plutostderrlog=/var/log/pluto.log
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    # unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has not been announced via BGP (at least up to 2010-12-21)
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# Add connections here
conn vpn
    #left=10.3.0.0/21
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=juchk
    #authby=rsasig
    # leftcert=cert_juchk_l.cert
    # leftrsasigkey=key.pem
    leftxauthclient=yes
    leftmodecfgclient=yes
    connaddrfamily=ipv4
    modecfgpull=no
    right=10.1.4.254
    rightsubnet=10.254.1.0/24
    rightxauthserver=yes
    rightmodecfgserver=yes
    rightid="C=cn, ST=liaoning, O=neusoft, OU=nsd, CN=vpnser, E=vpnser@neusoft.com"
    auto=add

# For example connections, see your distribution's documentation directory,
# or the documentation which could be located at
# /usr/share/docs/libreswan-3.*/ or look at
#
# There is also a lot of information in the manual page, "man ipsec.conf"
include /etc/ipsec.d/*.conf

[root@localhost ~]# vi /etc/ipsec.secrets


: RSA juchk
#: RSA /etc/ipsec.d/private/key.pem
include /etc/ipsec.d/*.secrets
The system defaults above can be kept as they are; only the following entry needs to be added:
: RSA juchk   where juchk is the name of the key imported in the new format

After editing these files, restart the ipsec service:
service ipsec restart
Run the following command to connect:
ipsec whack --name vpn --initiate

When the prompt appears, enter the correct username and password and the login succeeds.

Note: if the connection misbehaves, it can be cleared with service ipsec restart.

Stop the connection:
ipsec whack --name vpn --terminate
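Before restarting the service it is worth checking that the two files agree with each other. The script below is an added example, not part of the original post and not Libreswan's own code; it parses constructed copies of the ipsec.conf and ipsec.secrets shown above (the sample text and all function names are assumptions) and flags the mistakes that most often stop this setup from connecting: a leftcert name with no matching ": RSA" entry, parameter lines that lost their indentation (Libreswan treats any line starting in column 0 as a new section), and an xauth client paired with a peer that is not marked as the xauth server.

```python
import re
# Constructed sample (assumption) mirroring the post's /etc/ipsec.conf
IPSEC_CONF = """\
config setup
    protostack=netkey
conn vpn
    left=%defaultroute
    leftcert=juchk
    leftxauthclient=yes
    right=10.1.4.254
    rightxauthserver=yes
    auto=add
include /etc/ipsec.d/*.conf
"""
# Constructed sample (assumption) mirroring the post's /etc/ipsec.secrets
IPSEC_SECRETS = ": RSA juchk\ninclude /etc/ipsec.d/*.secrets\n"

def parse_ipsec_conf(text):
    """Map section name -> {key: value}. As in Libreswan, a line starting in
    column 0 opens a new section, so an un-indented parameter shows up as a bogus section."""
    sections, current = {}, "<top>"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip() or line.startswith("include "):
            continue
        if not raw[0].isspace():                    # new section header
            current = line.strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.strip().partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip().strip('"')
    return sections

def rsa_secret_names(text):
    # names given by ': RSA <name>' lines in ipsec.secrets
    return set(re.findall(r"^\s*:\s*RSA\s+(\S+)", text, re.M))

def check_vpn_conn(conf_text, secrets_text, conn="conn vpn"):
    """Return a list of problems; an empty list means the two files agree."""
    sections = parse_ipsec_conf(conf_text)
    c, problems = sections.get(conn, {}), []
    problems += [f"line {s!r} is not indented" for s in sections if "=" in s]
    cert = c.get("leftcert")
    if not cert:
        problems.append("leftcert not set")
    elif cert not in rsa_secret_names(secrets_text):
        problems.append(f"no ': RSA {cert}' entry in ipsec.secrets")
    if c.get("leftxauthclient") == "yes" and c.get("rightxauthserver") != "yes":
        problems.append("leftxauthclient=yes without rightxauthserver=yes")
    return problems
```

To check a live host, read /etc/ipsec.conf and /etc/ipsec.secrets into the two arguments instead of the constructed samples.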