FreeS/WAN 2.04 + x509 (RedHat9.0 kernel 2.4.20-8)
(left LAN=192.168.0.0/24)--(left GW==eth0=192.168.0.1--eth1=192.168.133.151)--192.168.133.1
(right LAN=192.168.1.0/24)--(right GW==eth0=192.168.1.1--eth1=192.168.133.47)--192.168.133.1
未做隧道连接的时候,两边GW互通,两边LAN不通
GW上需要启动IP forward: echo 1 > /proc/sys/net/ipv4/ip_forward
生成证书---在left的GW主机上做以下操作
生成CA根证书
# /usr/share/ssl/misc/CA -newca
直接回车
输入口令:000000 (自定义)
输入相关信息
完成后生成以下文件
/usr/share/ssl/misc/demoCA/cacert.pem 根证书
/usr/share/ssl/misc/demoCA/private/cakey.pem 根证书私钥
把根证书复制到freeswan的工作目录下
#cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/ipsec.d/cacerts/cacert.pem
生成left主机用的证书
# /usr/share/ssl/misc/CA -newreq 签发私钥
输入口令:111111
# /usr/share/ssl/misc/CA -sign 用CA Root的公钥签发证书
生成以下文件,并复制到freeswan的工作目录下
# mv newreq.pem /etc/ipsec.d/private/freeswan-priv.pem 私钥
# mv newcert.pem /etc/ipsec.d/freeswan-cert.pem 签发的证书
让FreeS/WAN读取x509格式的证书,使用以下命令生成/etc/x509cert.der文件
openssl x509 -in /etc/ipsec.d/freeswan-cert.pem -outform DER -out /etc/x509cert.der
生成right主机用的证书
# /usr/share/ssl/misc/CA -newreq 签发私钥
输入口令:222222
# /usr/share/ssl/misc/CA -sign 用CA Root的公钥签发证书
生成以下文件,并复制到freeswan的工作目录下
# mv newreq.pem /etc/ipsec.d/private/client-priv.pem 私钥
# mv newcert.pem /etc/ipsec.d/client-cert.pem 签发的证书
创建CRL
To create the CA's revocation list: Make sure the /etc/ipsec.d/crls directory exists when executing the following command.
# openssl ca -gencrl -out /etc/ipsec.d/crls/crl.pem
This creates an empty revocation list with a validity that is listed in openssl.cnf If you want to revoke a certificate you can do this as follows:
# openssl ca -revoke certificate.pem
Then the revocation list has to be regenerated using the following command:
# openssl ca -gencrl -crldays xx -out /etc/ipsec.d/crls/crl.pem
Where xx is the number of days. If for some reason, you want to view the contents of the crl then it can be listed with the following command:
# openssl crl -in /etc/ipsec.d/crls/crl.pem -noout -text
以上生成的证书部分需要复制到right GW的主机上
# cp client-cert.pem /etc/ipsec.d/.
# cp client-priv.pem /etc/ipsec.d/private/.
# cp freeswan-cert.pem /etc/ipsec.d/. //可选
# cp cacert.der /etc/ipsec.d/cacerts/.
# cp crl.pem /etc/ipsec.d/crls/.
在right GW主机上也需要执行以下命令
openssl x509 -in /etc/ipsec.d/client-cert.pem -outform der -out /etc/x509cert.der
证书发布完成
开始配置ipsec.conf和ipsec.secrets
left GW's ipsec.conf
config setup
interfaces="ipsec0=eth1"
klipsdebug = none
plutodebug = none
uniqueids = yes
conn %default
keyingtries=0
authby=rsasig
conn test1
left=192.168.133.151
leftsubnet=192.168.0.0/24
[email protected]
leftcert=freeswan-cert.pem
leftrsasigkey=%cert
right=192.168.133.49
rightsubnet=192.168.1.0/24
[email protected]
rightcert=client-cert.pem
rightrsasigkey=%cert
auto=add
compress=no
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
left GW's ipsec.secrets
192.168.133.151 192.168.133.47 : RSA freeswan-priv.pem "111111"
right GW' ipsec.conf
config setup
interfaces="ipsec0=eth1"
klipsdebug = none
plutodebug = none
uniqueids = yes
conn %default
keyingtries=0
authby=rsasig
conn test1
left=192.168.133.151
leftsubnet=192.168.0.0/24
[email protected]
right=192.168.133.49
rightsubnet=192.168.1.0/24
[email protected]
rightcert=client-cert.pem
auto=add
compress=no
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
right GW's ipsec.secrets
192.168.133.151 192.168.133.47 : RSA client-priv.pem "222222"
iptables规则
left GW's iptables
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d !192.168.1.0/24 -j SNAT --to 192.168.133.151
right GW's iptables
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d !192.168.0.0/24 -j SNAT --to 192.168.133.47