1、安装
使用sudo yum install openswan进行ipsec的安装(如下所示,该包实际安装的是Libreswan)。安装后可使用以下命令进行验证。
ipsec --version
显示如下:
Linux Libreswan 3.15 (netkey) on 3.10.0-229.el7.x86_64
2、配置
1)
编辑/etc/sysctl.conf文件
将
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
修改为
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
修改后执行sysctl -p,使配置生效。注:rp_filter=0会关闭反向路径过滤(内核对源地址伪造的一种检查),这是netkey栈正确处理IPsec流量所需,但只应在承担IPsec的主机上这样设置。
2)
配置Openswan
Openswan主要的配置文件:
/etc/ipsec.conf 主配置文件
/etc/ipsec.secrets 用来指定证书所对应私钥的文件
/etc/ipsec.d/cacerts 用来存放CA证书
/etc/ipsec.d/certs 用来存放个人证书,可将自己的pem证书放在这个下面
/etc/ipsec.d/private 存放x.509个人证书的私钥文件
把CA证书,个人证书及个人私钥放置在相关目录后,我们只需修改ipsec.conf和ipsec.secrets文件即可。
若证书和私钥为pem格式,可用以下命令将其转换为PKCS#12(p12)格式:
openssl pkcs12 -export -in cert_juchk_l.pem -inkey key.pem -certfile cacert.pem -out juchk.p12 -name juchk
上述命令将个人证书、私钥及CA证书打包为一个p12文件;随后用下面的命令将其导入ipsec的证书密钥库统一管理,证书名即为以上命令中-name参数指定的名字(此处为juchk)。导入完成后,该p12文件因包含私钥,应妥善保管或删除。
ipsec import juchk.p12
配置文件举例:
[root@localhost ~]# vim /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file: /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual: ipsec.conf.5
# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    # private".
    # Note: "crypt" is not included with "all", as it can show confidential
    # information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    # an unusual location.
    #plutostderrlog=/var/log/pluto.log
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    # unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# Add connections here
conn vpn
    #left=10.3.0.0/21
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=juchk
    #authby=rsasig
    # leftcert=cert_juchk_l.cert
    # leftrsasigkey=key.pem
    leftxauthclient=yes
    leftmodecfgclient=yes
    connaddrfamily=ipv4
    modecfgpull=no
    right=10.1.4.254
    rightsubnet=10.254.1.0/24
    rightxauthserver=yes
    rightmodecfgserver=yes
    rightid="C=cn, ST=liaoning, O=neusoft, OU=nsd, CN=vpnser, E=vpnser@neusoft.com"
    auto=add

# For example connections, see your distribution's documentation directory,
# or the documentation which could be located at
# /usr/share/docs/libreswan-3.*/ or look at
#
# There is also a lot of information in the manual page, "man ipsec.conf"
include /etc/ipsec.d/*.conf
[root@localhost ~]# vi /etc/ipsec.secrets
: RSA juchk
#: RSA /etc/ipsec.d/private/key.pem
include /etc/ipsec.d/*.secrets
以上采用系统默认即可
新添加以下条目即可
: RSA juchk  其中juchk即为上文导入时使用的密钥(证书)名,须与ipsec.conf中的leftcert一致
修改以上文件后,重启ipsec服务
service ipsec restart
执行以下命令接入:
ipsec whack --name vpn --initiate
在看到提示后,输入正确用户名和密码即可登录成功。
注:遇到连接异常时,可通过service ipsec restart解决。
停止连接:
ipsec whack --name vpn --terminate