1. Preparation
System: FreeBSD 9.0-RELEASE i386 (two network cards)
IPsec-tools: http://jaist.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/ipsec-tools-0.8.0.tar.gz
2. Building the kernel
1) The FreeBSD 9.0 GENERIC kernel is built without IPsec support, so it has to be added by hand. The required options are:
options IPSEC #IP security
device crypto
If you also want IPsec debugging support, add:
options IPSEC_DEBUG #debug for IP security
2) Adding the kernel options and building/installing the kernel
ls /usr/src/sys
ls: /usr/src/sys: No such file or directory
That error shows the kernel source is not installed. Put the FreeBSD installation disc in the drive and, as root, run sysinstall (the path given here, /stand/sysinstall, is the old location; on 9.x the binary is /usr/sbin/sysinstall). Choose Configure, then Distributions, src, sys; press Enter and the install starts. It normally takes only a few minutes.
cd /usr/src/sys/i386/conf/
cp GENERIC *** # *** is the machine's hostname in capital letters
vi ***
Add all three lines from 1), or just the first two, to *** and save. Also change the "ident GENERIC" line to "ident ***", otherwise the new kernel still reports itself as GENERIC.
cd /usr/src
make buildkernel KERNCONF=*** # takes ten minutes or more
make installkernel KERNCONF=***
Reboot into the new kernel before going on: the IPsec sysctl tree (net.inet.ipsec) only exists once a kernel built with options IPSEC is running, and setkey will fail against the old one.
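The kernel-config step above, as an added example that is not part of the original post: a small shell helper that derives the custom config from GENERIC with the IPsec options appended (without duplicating lines that GENERIC already carries), rewrites the ident line, and a check to run after the reboot. The function names and the MYKERNEL name are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and MYKERNEL
# are assumptions for illustration.

IPSEC_OPTIONS='options IPSEC
device crypto
options IPSEC_DEBUG'

# make_kernconf TEMPLATE NAME OUTFILE
# Copies TEMPLATE to OUTFILE, rewrites the "ident" line to NAME (a plain
# "cp GENERIC NAME" leaves "ident GENERIC" in place, so uname -i still says
# GENERIC), and appends each IPsec option that is not already present, with
# or without a trailing comment. Re-running it never duplicates a line.
make_kernconf() {
    template=$1; name=$2; out=$3
    sed "s/^ident[[:space:]].*/ident $name/" "$template" > "$out"
    printf '%s\n' "$IPSEC_OPTIONS" | while IFS= read -r opt; do
        grep -Eq "^$opt([[:space:]]|\$)" "$out" || printf '%s\n' "$opt" >> "$out"
    done
}

# kernel_has_ipsec: succeeds only on a running kernel built with options IPSEC,
# which is when the net.inet.ipsec sysctl tree exists. Run after the reboot.
kernel_has_ipsec() {
    sysctl -n net.inet.ipsec.def_policy >/dev/null 2>&1
}

# Usage on the FreeBSD box (as root):
#   cd /usr/src/sys/i386/conf && make_kernconf GENERIC MYKERNEL MYKERNEL
#   cd /usr/src && make buildkernel KERNCONF=MYKERNEL && make installkernel KERNCONF=MYKERNEL
#   reboot, then: kernel_has_ipsec && echo "IPsec kernel running"
```

The grep pattern treats "options IPSEC" followed by whitespace or end of line as already present, so an existing "options IPSEC # IP security" line is not added a second time, while "options IPSEC_DEBUG" is still recognised as a different option.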
3. Installing the software
tar zxvf ipsec-tools-0.8.0.tar.gz
cd ipsec-tools-0.8.0
./configure
make && make install
With the default prefix this puts racoon in /usr/local/sbin, the path used in section 5. (The security/ipsec-tools port installs the same software and also ships an rc.d script; a build from the tarball, as here, does not.)
4. Configuration
1) Server network cards and connectivity
vi /etc/rc.conf
ifconfig_bge0="inet 60.247.57.x netmask 255.255.255.x"
defaultrouter="60.247.57.x"
ifconfig_em0="inet 192.168.190.20 netmask 255.255.255.0"
bge0 is the public interface and the IKE/ESP endpoint; em0 is the inner interface whose address appears in the security policies below.
2) SP configuration: setkey.conf
Security policies (SPs) are loaded with setkey, which ships with the base system.
First create setkey.conf. Its rules specify which addresses must have their traffic protected, in tunnel mode rather than transport mode. The file can live in any directory; this setup keeps it in /etc/racoon/.
#flush SAD entries
flush;
#flush SPD entries
spdflush;
#add SA entries (none: racoon negotiates the SAs, so nothing is added by hand)
#add SP entries
spdadd 192.168.190.20/32 10.1.5.0/24 any -P out ipsec esp/tunnel/60.247.57.x-61.49.29.x/use;
spdadd 10.1.5.0/24 192.168.190.20/32 any -P in ipsec esp/tunnel/61.49.29.x-60.247.57.x/use;
The policy level "use" means the kernel encrypts when an SA exists but otherwise lets the packet through in cleartext (see setkey(8)). That is convenient while bringing the tunnel up, but in production the level should be "require", which drops traffic that cannot be protected, so a failed negotiation cannot silently downgrade the link to plaintext.
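The policy file above, as an added example that is not part of the original post: a shell function that writes the same two tunnel-mode policies for any pair of inner networks and gateways and lets you choose the policy level, so the "use" file for bring-up and the "require" file for production come from one source. The function name gen_setkey_conf and the use of real-looking addresses in the usage line are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post. gen_setkey_conf is an assumed
# helper name; the addresses in the usage comment are the post's placeholders.
#
# Policy levels per setkey(8): "use" still lets a packet leave in cleartext
# when no SA exists; "require" drops it instead; "unique" is require plus a
# dedicated SA per policy. The post uses "use", which is fine for bring-up
# only.

# gen_setkey_conf LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW LEVEL
# Prints a setkey.conf protecting LOCAL_NET<->REMOTE_NET in ESP tunnel mode
# between the two gateways, with the given policy level on both directions.
gen_setkey_conf() {
    local_net=$1 remote_net=$2 local_gw=$3 remote_gw=$4 level=$5
    case $level in
        use|require|unique) ;;
        *) echo "gen_setkey_conf: bad policy level '$level'" >&2; return 1 ;;
    esac
    cat <<EOF
# flush SAD entries (racoon repopulates them after phase 2)
flush;
# flush SPD entries
spdflush;
# outbound: inner source -> remote net, tunnelled between the two gateways
spdadd $local_net $remote_net any -P out ipsec esp/tunnel/$local_gw-$remote_gw/$level;
# inbound: remote net -> inner destination, tunnel endpoints reversed
spdadd $remote_net $local_net any -P in ipsec esp/tunnel/$remote_gw-$local_gw/$level;
EOF
}

# Usage (as root): write the hardened file, load it, and show what the kernel holds.
#   gen_setkey_conf 192.168.190.20/32 10.1.5.0/24 60.247.57.x 61.49.29.x require \
#       > /etc/racoon/setkey.conf && setkey -f /etc/racoon/setkey.conf && setkey -PD
```

Loading the file flushes the SAD as well, so run it before starting racoon (or restart racoon afterwards); otherwise an established tunnel is torn down and has to renegotiate.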
3) SA configuration: racoon.conf
path pre_shared_key "/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listen on
{
isakmp 60.247.57.x [500];
# isakmp_natt 60.247.57.x [4500];
}
remote 61.49.29.x [500]
{
exchange_mode main;
doi ipsec_doi;
situation identity_only;
my_identifier address 60.247.57.x;
peers_identifier address 61.49.29.x;
lifetime time 8 hour;
passive off;
proposal_check obey;
# nat_traversal off;
generate_policy off;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
lifetime time 30 sec; # unusually short; see the notes below
dh_group 2;
}
}
sainfo (address 10.1.5.0/24 any address 192.168.190.20/32 any)
{
pfs_group 1;
lifetime time 28800 sec; # must be identical on both ends
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Notes on this file. exchange_mode main is the right choice with a pre-shared key: aggressive mode sends the authentication hash in the clear, which lets a passive attacker run an offline guessing attack against the PSK. The algorithms match a 2012-era peer; racoon 0.8 also accepts encryption_algorithm aes, hash_algorithm sha256 and dh_group 14 (2048-bit MODP), which should be preferred over 3des, sha1 and groups 1 and 2 today, and pfs_group 1 (768-bit MODP) is the weakest group racoon offers. The 30 sec lifetime inside the proposal block is not obviously consistent with the 8 hour value set at the remote level; pick one value, and make the phase 2 lifetime (28800 sec) the same on both peers or negotiation fails under proposal_check obey. log debug writes negotiation internals to the log file; drop it to notify once the tunnel is stable.
4) Pre-shared key configuration
The file has two columns: the peer's IP address and the key.
vi /etc/racoon/psk.txt
61.49.29.x Umessage-***
The key must be identical on both peers and is the only thing that authenticates the remote gateway, so use a long random value rather than a word-based one.
5. Operations
1) Enable packet forwarding in sysctl
vi /etc/sysctl.conf
net.inet.ip.forwarding=1
(gateway_enable="YES" in /etc/rc.conf sets the same sysctl at boot.)
2) Make the pre-shared key unreadable to other users
chmod 600 /etc/racoon/psk.txt
(The directory is /etc/racoon, matching the path in racoon.conf; mode 600 gives the owner read/write only, and a key file needs no execute bit.)
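The psk.txt creation in 4) of section 4 and the permission fix above, as one added example that is not part of the original post: a shell helper that generates a random key from the kernel, writes the two-column file so that it is never readable by other users even briefly (umask applied before the file exists, instead of chmod afterwards), and a check of the resulting mode. The function names and the use of /dev/urandom with od are choices made here.

```shell
#!/bin/sh
# Added example, not from the original post. gen_psk, write_psk and psk_mode
# are assumed helper names; the key format (64 hex characters) is a choice
# made here, racoon accepts any string without whitespace.

# gen_psk: 32 random bytes from the kernel, hex-encoded (64 characters).
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_psk PEER_IP FILE
# Writes "PEER_IP KEY" to FILE. The umask is set in a subshell before the
# redirection creates the file, so the file is born mode 600; a chmod after
# the fact leaves a window in which the key is world-readable.
# Prints the key so it can be copied to the other gateway.
write_psk() {
    peer=$1 file=$2
    key=$(gen_psk)
    ( umask 077 && printf '%s %s\n' "$peer" "$key" > "$file" )
    printf '%s\n' "$key"
}

# psk_mode FILE: the permission string, e.g. -rw-------, portable across
# BSD and GNU ls (stat's flags differ between the two).
psk_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage (as root):
#   write_psk 61.49.29.x /etc/racoon/psk.txt      # note the printed key for the peer
#   [ "$(psk_mode /etc/racoon/psk.txt)" = "-rw-------" ] || echo "psk.txt is too open"
```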
3) Run at boot
/etc/rc.conf holds only shell variable assignments, so a bare "setkey -f ..." command line placed there is never executed. The base system's rc.d/ipsec script loads the policy file at boot when these variables are set:
vi /etc/rc.conf
ipsec_enable="YES"
ipsec_file="/etc/racoon/setkey.conf"
racoon built from the tarball has no rc.d script; start it from /etc/rc.local, or install the security/ipsec-tools port instead, whose script is enabled with racoon_enable="YES".
4) Starting IPsec and checking it
Load the policies first, then start racoon:
setkey -f /etc/racoon/setkey.conf
/usr/local/sbin/racoon -F -f /etc/racoon/racoon.conf -l /var/log/racoon.log
-F keeps racoon in the foreground (useful while debugging; omit it to daemonize), -f names the configuration file and -l the log file. From another terminal, inspect what the kernel holds:
setkey -D
setkey -PD
setkey -D dumps the SAD: once traffic has matched the policy and racoon has completed phase 2, it should list two esp tunnel-mode entries, one per direction, each in state=mature. setkey -PD dumps the SPD and should show the two spdadd rules exactly as written in setkey.conf.
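The check described above, as an added example that is not part of the original post: a shell function that reads setkey -D output and reports the state of the ESP SA between two gateways, plus a tunnel_up check that both directions are mature. The SAMPLE_DUMP below is constructed for the example in the shape setkey -D prints (one unindented "src dst" header per SA, then indented attribute lines including state=); the function names and the concrete addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. sa_state and tunnel_up are
# assumed helper names; SAMPLE_DUMP is a constructed setkey -D dump, not
# captured output.

# sa_state SRC DST  (setkey -D output on stdin)
# Prints the state of the ESP SA from SRC to DST: "mature" if any SA for
# that pair is usable, otherwise the last state seen (larval, dying, dead),
# or "none" when no SA exists for the pair, e.g. before phase 2 or after
# a flush. During a rekey a mature and a dying SA coexist; mature wins.
sa_state() {
    awk -v want="$1 $2" '
        /^[0-9]/ { pair = $1 " " $2 }          # header line: "src dst"
        pair == want && /state=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^state=/) { s = substr($i, 7); last = s; if (s == "mature") ok = 1 }
        }
        END { if (ok) print "mature"; else if (last != "") print last; else print "none" }'
}

# tunnel_up LOCAL_GW REMOTE_GW  (setkey -D output on stdin)
# Succeeds only when both the outbound and the inbound SA are mature.
tunnel_up() {
    dump=$(cat)
    fwd=$(printf '%s\n' "$dump" | sa_state "$1" "$2")
    rev=$(printf '%s\n' "$dump" | sa_state "$2" "$1")
    [ "$fwd" = mature ] && [ "$rev" = mature ]
}

# Constructed sample: outbound SA is up, inbound SA is still being negotiated.
SAMPLE_DUMP='60.247.57.1 61.49.29.1
    esp mode=tunnel spi=210946208(0x0c92d4a0) reqid=0(0x00000000)
    E: 3des-cbc  0123456789abcdef 0123456789abcdef 0123456789abcdef
    A: hmac-sha1  0123456789abcdef 0123456789abcdef 01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 10 12:00:00 2012   current: Jan 10 12:00:30 2012
    diff: 30(s)     hard: 28800(s)  soft: 23040(s)
61.49.29.1 60.247.57.1
    esp mode=tunnel spi=33127(0x00008167) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=larval'

# Usage on the gateway (as root):
#   setkey -D | tunnel_up 60.247.57.x 61.49.29.x && echo "tunnel up" || echo "tunnel NOT up"
#   setkey -D | sa_state 61.49.29.x 60.247.57.x      # inbound direction only
```

A policy level of "require" plus this check is what to alert on: with "use", traffic keeps flowing in cleartext while tunnel_up reports the failure, so the check is only meaningful together with the hardened policy.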