FreeS/WAN 2.04 + x509 (RedHat9.0 kernel 2.4.20-8)
(left LAN=192.168.0.0/24)--(left GW==eth0=192.168.0.1--eth1=192.168.133.151)--192.168.133.1
(right LAN=192.168.1.0/24)--(right GW==eth0=192.168.1.1--eth1=192.168.133.47)--192.168.133.1
Before the tunnel is set up, the two gateways can reach each other, but the two LANs cannot.
IP forwarding must be enabled on each gateway: echo 1 > /proc/sys/net/ipv4/ip_forward
Generating the certificates: all of the following is done on the left gateway host.
Generate the CA root certificate:
# /usr/share/ssl/misc/CA -newca
Press Enter at the first prompt (accept the default).
Enter the passphrase: 000000 (choose your own)
Fill in the requested subject details.
When it finishes, the following files exist:
/usr/share/ssl/misc/demoCA/cacert.pem           root certificate
/usr/share/ssl/misc/demoCA/private/cakey.pem    root CA private key
Copy the root certificate into FreeS/WAN's working directory:
# cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/ipsec.d/cacerts/cacert.pem
Generate the certificate for the left host:
# /usr/share/ssl/misc/CA -newreq      generates a private key and a certificate request
Enter the passphrase: 111111
# /usr/share/ssl/misc/CA -sign        signs the request with the CA root key
This produces the following files; move them into FreeS/WAN's working directory:
# mv newreq.pem /etc/ipsec.d/private/freeswan-priv.pem    private key (newreq.pem holds both the key and the request)
# mv newcert.pem /etc/ipsec.d/freeswan-cert.pem           signed certificate
So that FreeS/WAN can read the certificate in X.509 form, generate /etc/x509cert.der with the following command:
openssl x509 -in /etc/ipsec.d/freeswan-cert.pem -outform DER -out /etc/x509cert.der
Generate the certificate for the right host:
# /usr/share/ssl/misc/CA -newreq      generates a private key and a certificate request
Enter the passphrase: 222222
# /usr/share/ssl/misc/CA -sign        signs the request with the CA root key
This produces the following files; move them into FreeS/WAN's working directory:
# mv newreq.pem /etc/ipsec.d/private/client-priv.pem    private key
# mv newcert.pem /etc/ipsec.d/client-cert.pem           signed certificate
Creating the CRL
To create the CA's revocation list, make sure the /etc/ipsec.d/crls directory exists, then run:
# openssl ca -gencrl -out /etc/ipsec.d/crls/crl.pem
This creates an empty revocation list whose validity period is the one set in openssl.cnf. To revoke a certificate:
# openssl ca -revoke certificate.pem
The revocation list then has to be regenerated:
# openssl ca -gencrl -crldays xx -out /etc/ipsec.d/crls/crl.pem
where xx is the number of days the new list is valid. To view the contents of the CRL:
# openssl crl -in /etc/ipsec.d/crls/crl.pem -noout -text
The certificates generated above now have to be copied to the right gateway host:
# cp client-cert.pem /etc/ipsec.d/.
# cp client-priv.pem /etc/ipsec.d/private/.
# cp freeswan-cert.pem /etc/ipsec.d/.          (optional)
# cp cacert.pem /etc/ipsec.d/cacerts/.
# cp crl.pem /etc/ipsec.d/crls/.
On the right gateway, also run:
openssl x509 -in /etc/ipsec.d/client-cert.pem -outform der -out /etc/x509cert.der
Certificate distribution is complete.
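The certificate workflow above (root CA, one certificate per gateway, DER copy, CRL) redone as a stand-alone script, added here as an example; it is not part of the original page or of the FreeS/WAN project. It uses the plain openssl commands that the CA wrapper script calls, with an inline openssl.cnf, so it runs in a throw-away directory on a current OpenSSL. It then performs the check a gateway makes on a peer certificate (chains to the root CA and is not on the CRL) and shows that revoking client-cert.pem and regenerating the CRL is what makes that check fail. The common names, the 2048-bit key size and the lifetimes are assumed values; the passphrases are the ones used on the page.

```bash
#!/bin/bash
# Added example, not from the page or FreeS/WAN: CA -> host certs -> CRL with plain
# openssl, then the verification a peer performs. CNs, key size and lifetimes are
# constructed values; passphrases 000000/111111/222222 follow the page.
set -u

# Create the directory layout and minimal openssl.cnf that "openssl ca" needs.
build_pki() {
  WORK="$(mktemp -d)"; CA_DIR="$WORK/demoCA"; CNF="$WORK/openssl.cnf"
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private" "$WORK/crls"
  : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
  cat > "$CNF" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_host
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ v3_host ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF
  # Step 1 (CA -newca): self-signed root; the CA key is passphrase-protected as on the page.
  openssl req -x509 -new -newkey rsa:2048 -days 365 -config "$CNF" -extensions v3_ca \
    -subj "/CN=Demo IPsec CA" -passout pass:000000 \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null || return 1
  # Step 2 (CA -newreq / CA -sign): one key and certificate per gateway.
  issue_host_cert freeswan 111111 "leftgw.example.test" || return 1
  issue_host_cert client 222222 "rightgw.example.test" || return 1
  # Step 3 (openssl ca -gencrl): an initially empty CRL.
  regen_crl
}

issue_host_cert() {  # $1 = name, $2 = key passphrase, $3 = common name (constructed)
  openssl req -new -newkey rsa:2048 -config "$CNF" -subj "/CN=$3" -passout "pass:$2" \
    -keyout "$WORK/$1-priv.pem" -out "$WORK/$1-req.pem" 2>/dev/null || return 1
  openssl ca -batch -notext -config "$CNF" -passin pass:000000 \
    -in "$WORK/$1-req.pem" -out "$WORK/$1-cert.pem" 2>/dev/null || return 1
  # The x509 patch also wants the host certificate in DER form (the page's /etc/x509cert.der).
  openssl x509 -in "$WORK/$1-cert.pem" -outform DER -out "$WORK/$1-x509cert.der"
}

regen_crl() {
  openssl ca -config "$CNF" -gencrl -passin pass:000000 -out "$WORK/crls/crl.pem" 2>/dev/null
}

# A revocation only reaches the peers once the CRL has been regenerated and redistributed.
revoke_cert() {  # $1 = certificate file
  openssl ca -config "$CNF" -revoke "$1" -passin pass:000000 2>/dev/null && regen_crl
}

# What the other gateway checks: chain to cacert.pem and absence from the current CRL.
verify_cert() {  # $1 = certificate file; exit status 0 means accepted
  openssl verify -CAfile "$CA_DIR/cacert.pem" -crl_check -CRLfile "$WORK/crls/crl.pem" "$1" >/dev/null 2>&1
}

# Demonstration run
build_pki || { echo "PKI setup failed"; exit 1; }
for gw in freeswan client; do
  verify_cert "$WORK/$gw-cert.pem" && echo "$gw-cert.pem: accepted"
done
revoke_cert "$WORK/client-cert.pem"
verify_cert "$WORK/client-cert.pem" || echo "client-cert.pem: rejected after revocation"
verify_cert "$WORK/freeswan-cert.pem" && echo "freeswan-cert.pem: still accepted"
```

The page's /usr/share/ssl/misc/CA script is a wrapper around the same openssl req and openssl ca invocations; what the script adds is the last step, which is the one that matters operationally: a gateway that never receives the regenerated crl.pem keeps accepting a revoked peer certificate.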
Now configure ipsec.conf and ipsec.secrets.
left GW's ipsec.conf
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig

conn test1
    left=192.168.133.151
    leftsubnet=192.168.0.0/24
    [email protected]
    leftcert=freeswan-cert.pem
    leftrsasigkey=%cert
    right=192.168.133.47
    rightsubnet=192.168.1.0/24
    [email protected]
    rightcert=client-cert.pem
    rightrsasigkey=%cert
    auto=add
    compress=no

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
left GW's ipsec.secrets
192.168.133.151 192.168.133.47 : RSA freeswan-priv.pem "111111"
right GW's ipsec.conf
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig

conn test1
    left=192.168.133.151
    leftsubnet=192.168.0.0/24
    [email protected]
    right=192.168.133.47
    rightsubnet=192.168.1.0/24
    [email protected]
    rightcert=client-cert.pem
    auto=add
    compress=no

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
right GW's ipsec.secrets
192.168.133.151 192.168.133.47 : RSA client-priv.pem "222222"
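Two things are easy to get wrong in the files above. ipsec.conf parameter lines must be indented: a line that starts in column 0 begins a new section, so an unindented left= or right= silently falls outside the conn it was meant for. And every left=/right= address a conn uses must be covered by the selector list in front of an RSA line in ipsec.secrets (an empty selector list matches everything), or Pluto has no private key for that pairing. The script below, an added example that is not from the page or from FreeS/WAN, checks both with awk over constructed sample files modelled on the left gateway's configuration; the file names and the mismatched address in bad.conf are constructed.

```bash
#!/bin/sh
# Added example (not from the page or FreeS/WAN): two pre-flight checks on ipsec.conf
# and ipsec.secrets. Sample files are constructed here, modelled on the page's left GW.
set -u

# Check 1: every non-blank, non-comment line that is not a section header must be indented.
check_indentation() {   # $1 = ipsec.conf; prints offenders, exit status 1 if any
  awk '
    /^[ \t]*#/ || /^[ \t]*$/        { next }   # comments and blank lines
    /^(config|conn|version)[ \t]/   { next }   # section headers belong in column 0
    /^[^ \t]/ { print FILENAME ":" NR ": parameter not indented: " $0; bad = 1 }
    END { exit bad + 0 }' "$1"
}

# Check 2: each literal left=/right= address of a conn must be covered by an RSA line
# in ipsec.secrets (selectors before the colon; no selectors means "matches all").
check_secrets() {       # $1 = ipsec.conf, $2 = ipsec.secrets; exit status 1 on a gap
  awk -v secrets="$2" '
    BEGIN {
      while ((getline line < secrets) > 0) {
        if (line !~ /: *RSA/) continue
        split(line, parts, ":"); n = split(parts[1], sel, /[ \t]+/)
        cnt = 0
        for (i = 1; i <= n; i++) if (sel[i] != "") { have[sel[i]] = 1; cnt++ }
        if (cnt == 0) wildcard = 1
      }
    }
    /^conn[ \t]/ { conn = $2; next }
    conn != "" && conn != "%default" && /^[ \t]+(left|right)=/ {
      split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
      if (kv[2] ~ /^%/ || wildcard || (kv[2] in have)) next   # %any etc. are not literal addresses
      print "conn " conn ": " kv[1] "=" kv[2] " matches no RSA entry in ipsec.secrets"; bad = 1
    }
    END { exit bad + 0 }' "$1"
}

write_samples() {       # creates $SAMPLE_DIR/{good.conf,flat.conf,bad.conf,ipsec.secrets}
  SAMPLE_DIR="$(mktemp -d)"
  cat > "$SAMPLE_DIR/good.conf" <<'EOF'
config setup
    interfaces="ipsec0=eth1"
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig

conn test1
    left=192.168.133.151
    leftsubnet=192.168.0.0/24
    leftcert=freeswan-cert.pem
    leftrsasigkey=%cert
    right=192.168.133.47
    rightsubnet=192.168.1.0/24
    rightcert=client-cert.pem
    rightrsasigkey=%cert
    auto=add
EOF
  # flat.conf: the same file with every indentation stripped
  sed 's/^ *//' "$SAMPLE_DIR/good.conf" > "$SAMPLE_DIR/flat.conf"
  # bad.conf: a peer address (constructed) that appears nowhere in ipsec.secrets
  sed 's/^ *right=.*/    right=192.168.133.49/' "$SAMPLE_DIR/good.conf" > "$SAMPLE_DIR/bad.conf"
  echo '192.168.133.151 192.168.133.47 : RSA freeswan-priv.pem "111111"' > "$SAMPLE_DIR/ipsec.secrets"
}

# Demonstration run
write_samples
for f in good flat bad; do
  if check_indentation "$SAMPLE_DIR/$f.conf" && check_secrets "$SAMPLE_DIR/$f.conf" "$SAMPLE_DIR/ipsec.secrets"; then
    echo "$f.conf: ok"
  else
    echo "$f.conf: problems found"
  fi
done
```

Run the two functions against the real /etc/ipsec.conf and /etc/ipsec.secrets before ipsec setup --restart; both print the offending line, which is more than Pluto's "no connection is known" or "can't find private key" messages tell you.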
iptables rules (traffic between the two LANs must keep its private source address so that it matches the tunnel's subnet selectors, so it is excluded from the SNAT)
left GW's iptables
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d ! 192.168.1.0/24 -j SNAT --to 192.168.133.151
right GW's iptables
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d ! 192.168.0.0/24 -j SNAT --to 192.168.133.47