Linux FreeS/WAN VPN Installation and Configuration Technical Notes
I. Overview
To prepare for building a VPN between Beijing and Shenzhen, so that the two LANs can reach each other across the Internet, the following test environment was set up (as in the figure below); the installation, configuration and testing described in this document all refer to this environment.
II. Software and hardware basis:
1. FreeS/WAN-1.5
2. RedHat 6.2 with Kernel-2.2.14 (kernel-source, kernel-headers)
3. Win2000 Server
4. The figure above shows the minimum hardware configuration.
5. Install the Linux server
6. Install in Server mode and select the full installation (Everything).
7. Verify and remove the kernel RPM packages installed by the system.
Verify:
[root@vpn]# rpm -qa | grep kernel
kernel-headers-2.2.14-5.0.i386.rpm
kernel-2.2.14-5.0.i386.rpm
……
Remove:
[root@vpn]# rpm -e --nodeps kernel-headers……
[root@vpn]# rpm -e --nodeps kernel-source
Then manually remove the directories /usr/src/linux-2.2.14 and /lib/modules/2.2.14-5.0:
[root@vpn]# rm -rf /usr/src/linux-2.2.14/
[root@vpn]# rm -rf /lib/modules/2.2.14-5.0/
8. Install the new RPM packages
Copy the RPM packages from the CD to the hard disk:
cp /Linux/RedHat/……./kernel-source.rpm /root/
Install them, and change the owner of /usr/src/linux/ to the root user:
[root@vpn]# rpm -ivh kernel-headers.rpm
[root@vpn]# rpm -ivh kernel-source.rpm
[root@vpn]# chown -R 0.0 /usr/src/linux/
9. Make sure the subdirectories /usr/include/asm, /usr/include/linux and /usr/include/scsi are links pointing into the kernel source
[root@vpn]# cd /usr/include/
[root@vpn]# rm -rf asm linux scsi
[root@vpn]# ln -s /usr/src/linux/include/asm-i386 asm
[root@vpn]# ln -s /usr/src/linux/include/linux linux
[root@vpn]# ln -s /usr/src/linux/include/scsi scsi
Check for stale .o files and dependencies:
[root@vpn]# cd /usr/src/linux/
[root@vpn]# make mrproper
10. Configure and compile the kernel
[root@vpn]# cd /usr/src/linux
[root@vpn]# make menuconfig (or make config, make xconfig)
Under Loadable module support, make sure
Enable loadable module support (CONFIG_MODULES) is set to Y.
Under Networking options, make sure
Kernel/user netlink socket (CONFIG_NETLINK)
Netlink device emulation (CONFIG_NETLINK_DEV)
Network firewalls (CONFIG_FIREWALL)
are set to Y.
Make sure the IP and IPv4 related options are set to "Y".
Under Network device support, select the matching network card.
Save and exit, then start compiling:
[root@vpn]# make dep; make clean; make bzImage
If it fails, return to the kernel configuration and recompile; if it succeeds, continue with the following steps.
Install the new modules:
[root@vpn]# make modules; make modules_install
11. Install the new kernel
Copy /usr/src/linux/arch/i386/boot/bzImage and /usr/src/linux/System.map to the boot directory under suitable names:
[root@vpn]# cp /usr/src/linux/arch/i386/boot/bzImage /boot/kernel-2.2.14-1
[root@vpn]# cp /usr/src/linux/System.map /boot/System.map1
Recreate the file links:
[root@vpn]# cd /boot
[root@vpn]# rm -rf vmlinuz
[root@vpn]# rm -rf System.map
[root@vpn]# ln -fs kernel-2.2.14-1 vmlinuz
[root@vpn]# ln -fs System.map1 System.map
[root@vpn]# rm -f module-info
12. Edit /etc/lilo.conf to add the new kernel
[root@vpn]# vi /etc/lilo.conf
Change the default line to: default=linux_new
Add the stanza:
image=/boot/vmlinuz-2.2.14-5.0
    label=linux
    read-only
    root=/dev/hda6
13. Apply the lilo.conf changes
/sbin/lilo -v
14. Enable IP packet forwarding
[root@vpn]# cd /etc
[root@vpn]# vi sysctl.conf
Change FORWARD_IPV4=0 to FORWARD_IPV4=1
[root@vpn]# cd sysconfig
[root@vpn]# vi network
Add the line FORWARD_IPV4=yes
15. Reboot and run the new kernel.
16. Install the FreeS/WAN software
a) Unpack the archive and change its owner to root.
[root@vpn]# cp freeswan-1.5.tar.gz /usr/src
[root@vpn]# cd /usr/src
[root@vpn]# tar -xzpf freeswan-1.5.tar.gz
[root@vpn]# chown -R 0.0 /usr/src/freeswan-1.5
b) Compile and install FreeS/WAN
[root@vpn freeswan-1.5]# make insert; make programs; make install
c) Recompile the kernel
[root@vpn freeswan-1.5]# cd /usr/src/linux
[root@vpn]# make menuconfig
Make sure the IPSec options under Networking options are set to "Y", and that
Kernel/User netlink socket (CONFIG_NETLINK) and
Netlink device emulation (CONFIG_NETLINK_DEV)
are set to "Y".
The remaining operations are the same as steps 5-9 in section (I).
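The shell script below is an added example, not part of the original document or of FreeS/WAN; it verifies, before the reboot, the kernel options named in steps 10 and 16 c) and the forwarding flag of step 14. It assumes a .config in the kernel's usual CONFIG_X=y format (default /usr/src/linux/.config) and the live flag at /proc/sys/net/ipv4/ip_forward; the option name CONFIG_IPSEC for the KLIPS code added by the FreeS/WAN kernel patch is an assumption, and the sample .config written in --demo mode is constructed.

```shell
#!/bin/sh
# Added example (not from the original document). Verifies, before rebooting,
# that the kernel .config has the options the FreeS/WAN build needs set to "y"
# and that IPv4 forwarding is enabled. Paths are parameters so the same checks
# can be run against a copy of the files.

# Options named in the kernel-configuration steps. CONFIG_IPSEC is an assumption:
# the top-level KLIPS option added by the FreeS/WAN kernel patch.
FREESWAN_KERNEL_OPTS="CONFIG_MODULES CONFIG_NETLINK CONFIG_NETLINK_DEV CONFIG_FIREWALL CONFIG_IPSEC"

# check_kernel_config CONFIG_FILE OPTION...
# Prints every option that is absent, "not set" or built as a module instead
# of "y"; returns 0 only when all of them are "=y".
check_kernel_config() {
    cfg="$1"; shift
    rc=0
    for opt in "$@"; do
        if ! grep -q "^${opt}=y$" "$cfg" 2>/dev/null; then
            echo "not built in: $opt"
            rc=1
        fi
    done
    return $rc
}

# check_ip_forward [FILE]
# Returns 0 when the forwarding flag file contains 1 (default: the live kernel
# setting, which FORWARD_IPV4=yes in /etc/sysconfig/network turns on at boot).
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# write_sample_config FILE
# Constructed .config for demonstration: CONFIG_NETLINK_DEV is only a module
# and CONFIG_FIREWALL / CONFIG_IPSEC are off, so the check must report them.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_MODULES=y
CONFIG_NETLINK=y
CONFIG_NETLINK_DEV=m
# CONFIG_FIREWALL is not set
EOF
}

# main [CONFIG_FILE]   (--demo runs against the constructed sample)
main() {
    if [ "$1" = "--demo" ]; then
        cfg=$(mktemp)
        write_sample_config "$cfg"
    else
        cfg="${1:-/usr/src/linux/.config}"
    fi
    if check_kernel_config "$cfg" $FREESWAN_KERNEL_OPTS; then
        echo "kernel config: all required options built in"
    else
        echo "kernel config: incomplete, return to make menuconfig"
    fi
    if check_ip_forward; then
        echo "ip_forward: on"
    else
        echo "ip_forward: off (check FORWARD_IPV4 in /etc/sysconfig/network)"
    fi
    [ "$1" = "--demo" ] && rm -f "$cfg"
    return 0
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as sh check-kernel.sh --demo to see it report the gaps in the constructed sample, or sh check-kernel.sh /usr/src/linux/.config on the build host; anything it lists must be set to Y in make menuconfig before make bzImage, otherwise the ipsec0 device never appears after the reboot.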
d) After rebooting, the boot messages show:
Oct 24 13:09:26 vpn1 kernel: klips_debug:ipsec_tunnel_init: initialisation of device: ipsec0
……
Oct 24 13:09:27 vpn1 ipsec_setup: Starting FreeS/WAN IPSEC 1.5...
Oct 24 13:09:27 vpn1 ipsec_setup: KLIPS debug `none'
Oct 24 13:09:27 vpn1 ipsec_setup: KLIPS ipsec0 on eth0 202.104.120.235/255.255.255.248 broadcast 202.104.120.239
Oct 24 13:09:27 vpn1 ipsec_setup: Pluto debug `none'
……
Oct 24 13:09:30 vpn1 ipsec_setup: ...FreeS/WAN IPSEC started
17. Configure the FreeS/WAN VPN
The subnet IPs, external IPs, gateways and network numbers used in the test environment are listed in the table below (Network and "Left and right" refer to Eth0, Subnet to Eth1):

Host          Network           Left and right (Eth0)   Subnet (Eth1)     NEXTHOP           IntGate
Right HOST1   202.104.120.224   202.104.120.228         192.168.1.0/24    202.104.120.225   192.168.0.36
Left HOST2    202.104.120.232   202.104.120.235         192.168.0.0/24    202.104.120.233   192.168.1.22
a) Back up FreeS/WAN's original configuration files ipsec.conf and ipsec.secrets
# cp /etc/ipsec.conf /etc/ipsec.conf.org
# cp /etc/ipsec.secrets /etc/ipsec.secrets.org
b) Generate a new shared secret key
# /usr/local/sbin/ipsec ranbits 256 > temp.key
c) Generate an RSA key on each of the two Linux hosts running FreeS/WAN
[host1]# /usr/local/sbin/ipsec rsasigkey --verbose 1024 > myrsakey1.key
[host2]# /usr/local/sbin/ipsec rsasigkey --verbose 1024 > myrsakey2.key
d) Configure the ipsec.secrets file
Paste the shared key and the private part of the RSA key into the corresponding sections of each host's ipsec.secrets file, edited into the following format:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
# Shared secret (an arbitrary character string, which should be both long
# and hard to guess, enclosed in quotes) for a pair of negotiating hosts.
# Must be same on both; generate on one and copy to the other.
202.104.120.235 202.104.120.228 "0xc691abb2_20ce8f76_0caebf64_0ee81f38_1e40a750_f9c337a9_bbc172fe_7f4d76ea"
# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Put ONLY the "pubkey" part into connection
# descriptions on the other host(s); it need not be kept secret.
: RSA {
        # 1024 bits, Fri Oct 20 16:16:10 2000
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0x010352a0d36556f63ea87c9c64d61983c021e4d70290409b78ed17d798fe4b82a5ade536641cee5ceaae1039fc02f845cee1dc2c29605290e1215ad750cd07d0536da51b4eea46a5bbb46355c6153edf43e670c2294fe27f6ea564dbbef5daac9c07f4a9edb49a307da653f2d86a18c63465b700133186f4a0345008843a9db7abc5
        #IN KEY 0x4200 4 1 AQNSoNNlVvY+qHycZNYZg8Ah5NcCkECbeO0X15j+S4KlreU2ZBzuXOquEDn8AvhFzuHcLClgUpDhIVrXUM0H0FNtpRtO6kalu7RjVcYVPt9D5nDCKU/if26lZNu+9dqsnAf0qe20mjB9plPy2GoYxjRltwATMYb0oDRQCIQ6nberxQ==
        # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
        Modulus: 0x52a0d36556f63ea87c9c64d61983c021e4d70290409b78ed17d798fe4b82a5ade536641cee5ceaae1039fc02f845cee1dc2c29605290e1215ad750cd07d0536da51b4eea46a5bbb46355c6153edf43e670c2294fe27f6ea564dbbef5daac9c07f4a9edb49a307da653f2d86a18c63465b700133186f4a0345008843a9db7abc5
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: 0x3715e2438f4ed4705312ede411028016988f570ad5bcfb48ba8fbb543257191e98ceed689ee89c740ad152aca583df413d72c640370b40c0e73a35de05358cf3013c497b5a5de846111fe4c30e5326bbbd8f271b83d3cab9b9687b7e1796e58143172e4ce8aecf7655a5aff680b8563f9bd7c4917a991681bc09a00dad3cbd2b
        Prime1: 0x98ff1c6884d9074551ff96181b8d0f8866a001ed215f828116f49706198c17ac803e6789e6e265441f0c3f149f5ad715ac8a2320c69c30b83a0fc37a1fed6131
        Prime2: 0x8a41c448ba3fd805f7a658d88dd57a446dcb6cb97b623c0db7ca6eb29dbe2c198fc8c0b75647e130b46e1163b856dbf0a0b249368872cdb97bea50abf9ef2ed5
        Exponent1: 0x65ff6845ade604d8e1550ebabd08b50599c00148c0ea5700b9f864aebbb2ba7300299a5bef4198d814b2d4b86a3c8f63c85c176b2f12cb257c0a82516a9e40cb
        Exponent2: 0x5c2bd8307c2a9003fa6ee5e5b3e3a6d84932487ba796d2b3cfdc49cc692972bbb530807a398540cb22f40b97d039e7f5c076db79b04c8926529c35c7fbf4c9e3
        Coefficient: 0x56cccbdbc2e899210f5f0daf3bf5045e9d09f49334e58f31519880887e8aaf2498f2018529fea0528972e94a19cff4fd2367b565cf39ca90ab7c7ac92f82fd07
        }
Paste the public part of the RSA key into the corresponding section of each host's ipsec.conf file.
e) Paste the public part of the other host's RSA key into the corresponding section of this host's ipsec.conf file (contents below). With this, the FreeS/WAN configuration is complete.
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        pluto=yes
        plutoload="mangoGate-orangeGate mangoGate-orangeNet mangoNet-orangeGate mangoNet-orangeNet"
        plutostart="mangoGate-orangeGate mangoGate-orangeNet mangoNet-orangeGate mangoNet-orangeNet"
        plutowait=no

conn mangoNet-orangeNet
        # Left security gateway, subnet behind it, next hop toward right.
        left=202.104.120.235
        leftsubnet=192.168.0.0/24
        leftnexthop=202.104.120.233
        #leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=202.104.120.228
        rightsubnet=192.168.1.0/24
        rightnexthop=202.104.120.225
        #rightfirewall=yes
        # Authorize this connection, but don't actually start it, at startup.
        auth=ah
        auto=start
        keyingtries=0
        # To use RSA authentication (not legal in US until 20 Sept 2000),
        # uncomment this next line.
        authby=rsasig
        leftrsasigkey=0x010352a0d36556f63ea87c9c64d61983c021e4d70290409b78ed17d798fe4b82a5ade536641cee5ceaae1039fc02f845cee1dc2c29605290e1215ad750cd07d0536da51b4eea46a5bbb46355c6153edf43e670c2294fe27f6ea564dbbef5daac9c07f4a9edb49a307da653f2d86a18c63465b700133186f4a0345008843a9db7abc5
        rightrsasigkey=0x01037327caf4428fa00c3bec7e27654554d58aed62ea386c23be1f2b4d5ad44bb25ff7021c0f4d6e8a3ab2aa556edb65bf988d622b8f1b09a8b30eea50c4bffec35db0fd2691d1ac19896b126ffceb76825dd71f6d41f7e04b624e80cbedcf1b9ee28b5caa5f56b85444cf057a61dd8feffc8308435d97dd257e2a5d8c824a611c99

conn mangoGate-orangeNet
        left=202.104.120.235
        leftnexthop=202.104.120.233
        right=202.104.120.228
        rightsubnet=192.168.1.0/24
        rightnexthop=202.104.120.225
        #rightfirewall=yes
        auto=start
        authby=rsasig
        leftrsasigkey=0x010352a0d36556f63ea87c9c64d61983c021e4d70290409b78ed17d798fe4b82a5ade536641cee5ceaae1039fc02f845cee1dc2c29605290e1215ad750cd07d0536da51b4eea46a5bbb46355c6153edf43e670c2294fe27f6ea564dbbef5daac9c07f4a9edb49a307da653f2d86a18c63465b700133186f4a0345008843a9db7abc5
        rightrsasigkey=0x01037327caf4428fa00c3bec7e27654554d58aed62ea386c23be1f2b4d5ad44bb25ff7021c0f4d6e8a3ab2aa556edb65bf988d622b8f1b09a8b30eea50c4bffec35db0fd2691d1ac19896b126ffceb76825dd71f6d41f7e04b624e80cbedcf1b9ee28b5caa5f56b85444cf057a61dd8feffc8308435d97dd257e2a5d8c824a611c99

conn mangoNet-orangeGate
        left=202.104.120.235
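The shell script below is an added example, not part of the original document or of FreeS/WAN, covering the hand edits of ipsec.secrets in step d) and ipsec.conf in step e). It checks that ipsec.secrets is readable only by its owner (it holds the shared secret and the RSA private key) and that the #pubkey= comment of the local RSA key is exactly what was pasted as leftrsasigkey= in the named conn (on the peer the same value must appear as rightrsasigkey=). The function names, the --demo mode, the sample files it writes and their short fake key values are all constructed for this example; the permission check parses the mode column of ls -l, which assumes a POSIX ls.

```shell
#!/bin/sh
# Added example (not from the original document or from FreeS/WAN). Sanity
# checks for the hand-edited key files of steps 17 d) and e):
#   1. ipsec.secrets holds the shared secret and the RSA private key, so its
#      mode must be exactly 600 (owner read/write only).
#   2. The "#pubkey=" value of the local RSA key in ipsec.secrets must appear
#      verbatim as leftrsasigkey= in the conn on this host (and as
#      rightrsasigkey= on the peer); a mispasted key only surfaces later as an
#      authentication failure in Pluto's log.
# The sample files and their short fake keys are constructed for this example.

# secrets_mode_ok FILE -> 0 when the mode column of ls -l reads rw-------
secrets_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    [ "$perms" = "-rw-------" ]
}

# secrets_pubkey FILE -> prints the hex value of the first "#pubkey=" comment
secrets_pubkey() {
    sed -n 's/^[[:space:]]*#[[:space:]]*pubkey=\(0x[0-9a-fA-F]*\).*/\1/p' "$1" | head -n 1
}

# conn_rsasigkey CONF SIDE CONN -> prints SIDErsasigkey= (SIDE = left|right)
# from the "conn CONN" section of ipsec.conf; prints nothing if not found.
conn_rsasigkey() {
    awk -v side="$2" -v conn="$3" '
        /^conn[ \t]/ { in_conn = ($2 == conn); next }
        in_conn && sub("^[ \t]*" side "rsasigkey=", "") { sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# keys_match SECRETS CONF SIDE CONN -> 0 when both keys are present and equal
keys_match() {
    a=$(secrets_pubkey "$1")
    b=$(conn_rsasigkey "$2" "$3" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# write_samples SECRETS CONF: constructed files in the layout used above
write_samples() {
    cat > "$1" <<'EOF'
202.104.120.235 202.104.120.228 "constructed-shared-secret"
: RSA {
        # constructed sample, not a real key
        # pubkey=0x0103aabbccdd
        Modulus: 0xaabbccdd
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: 0x11223344
        }
EOF
    cat > "$2" <<'EOF'
config setup
        interfaces="ipsec0=eth0"

conn mangoNet-orangeNet
        left=202.104.120.235
        right=202.104.120.228
        authby=rsasig
        leftrsasigkey=0x0103aabbccdd
        rightrsasigkey=0x0103eeff0011
EOF
}

# main SECRETS CONF CONN, or main --demo to run against the constructed files
main() {
    demo=0
    if [ "$1" = "--demo" ]; then
        demo=1; s=$(mktemp); c=$(mktemp)
        write_samples "$s" "$c"; chmod 600 "$s"
        set -- "$s" "$c" mangoNet-orangeNet
    fi
    if secrets_mode_ok "$1"; then echo "$1: mode 600 ok"; else echo "$1: must be mode 600"; fi
    if keys_match "$1" "$2" left "$3"; then echo "leftrsasigkey matches local pubkey"
    else echo "leftrsasigkey does NOT match the pubkey in $1"; fi
    [ "$demo" -eq 1 ] && rm -f "$1" "$2"
    return 0
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

On a real host run it as sh check-keys.sh /etc/ipsec.secrets /etc/ipsec.conf mangoNet-orangeNet; a mode other than 600 or a mismatch between the pasted public key and the #pubkey= line should be corrected before ipsec setup start, since Pluto otherwise reports the failure only at negotiation time.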