Lclient ------------> Lserver .............. Rserver <------------ Rclient
172.16.10.16          10.86.10.17           10.86.10.18           192.168.10.16
First, make sure that:
Lclient can ping Lserver and Rserver, and Rclient can ping Rserver and Lserver.
Install the EPEL repository:
rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum clean all
yum makecache
Install the base packages IPsec needs:
yum -y install ipsec-tools
yum -y install gmp gmp-devel gawk flex bison
Configure kernel parameters (forwarding on, reverse-path filtering and ICMP redirects off, which a gateway forwarding tunnel traffic needs):
cp /etc/sysctl.conf /etc/sysctl.conf.bak-$(date +%F)
cat >>/etc/sysctl.conf <<EOF
#create for darren
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
#create for Darren 2016/9/4
EOF
sysctl -p   # apply the new settings now rather than waiting for a reboot
Configure time synchronisation:
ntpdate pool.ntp.org
echo '*/5 * * * * /usr/sbin/ntpdate pool.ntp.org' >>/var/spool/cron/root
Download and build Openswan:
mkdir -p /home/darren/tools
cd /home/darren/tools
wget https://download.openswan.org/openswan/openswan-2.6.42.tar.gz
tar xzf openswan-2.6.42.tar.gz   # unpack before entering the directory
cd openswan-2.6.42
make programs
make install
Verify the installation:
ipsec --version                                  # show the version
ipsec verify                                     # check the system configuration
echo '1' >/proc/sys/net/core/xfrm_larval_drop    # fixes the xfrm_larval_drop error reported by ipsec verify
/etc/init.d/ipsec start                          # start ipsec
Fixing the Perl problem that appears during compilation (a locale setting; forcing LC_ALL=C resolves it):
echo 'export LC_ALL=C' >>/etc/profile
tail -1 /etc/profile
source /etc/profile
Configure Openswan:
The main Openswan configuration files are:
/etc/ipsec.secrets    # holds private RSA keys and preshared secrets
/etc/ipsec.conf       # main configuration file (settings, options, defaults, connections)
Configuring Openswan with RSA digital-signature authentication
1. On Lserver and Rserver, generate a new host key on each:
cp /etc/ipsec.secrets /etc/ipsec.secrets.$(date +%F)
ipsec newhostkey --output /etc/ipsec.secrets
Pitfall here: key generation may run for a very long time without finishing (newhostkey reads from /dev/random, so it blocks while the kernel's entropy pool is low).
First, check whether ipsec has been started: /etc/init.d/ipsec start. Second, if that still does not work, switch to a different version.
2. On Lserver, run the following command to obtain leftrsasigkey (Lserver's public key):
ipsec showhostkey --left >/tmp/key.log
3. On Rserver, run the following command to obtain rightrsasigkey (Rserver's public key):
ipsec showhostkey --right >/tmp/key.log
4. Edit /etc/ipsec.conf on Lserver and Rserver.
Left side:
cp /etc/ipsec.conf /etc/ipsec.conf.$(date +%F)
vi /etc/ipsec.conf

# create by darren.
# http://www.w501.pw
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:192.1.1.0/16,%v4:172.1.1.0/12
    oe=off
    protostack=netkey

conn left_lan
    leftsubnet=172.1.1.0/24
    also=A-B

conn right_lan
    rightsubnet=192.1.1.0/24
    also=A-B

###############################################
conn A-B
    left=10.86.10.17
    leftid=@left
    #leftsubnet=172.1.1.0/24    # if the left_lan conn above is not used, uncomment this instead
    # rsakey AQOgG5Gq4
    #leftrsasigkey=             # uncomment and paste the leftrsasigkey value from Lserver's /tmp/key.log here
    leftnexthop=%defaultroute
    right=10.86.10.18
    rightid=@right
    #rightsubnet=192.168.1.0/24
    # rsakey AQNDxTfqK
    #rightrsasigkey=            # uncomment and paste the rightrsasigkey value from Rserver's /tmp/key.log here
    rightnexthop=%defaultroute
    auto=start

Right side:
cp /etc/ipsec.conf /etc/ipsec.conf.$(date +%F)
vi /etc/ipsec.conf
The content is identical to the left side; copy it straight over.
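Pasting the two key values from /tmp/key.log into ipsec.conf by hand is where a copy error most often breaks authentication (a truncated key, or the left key pasted under rightrsasigkey). The following script is an added example, not part of the original post or of Openswan itself: it pulls the `leftrsasigkey=` / `rightrsasigkey=` line out of the files written by `ipsec showhostkey --left` and `--right` and renders the `conn A-B` section with both keys filled in. The file layout it assumes (a `# RSA ...` comment line followed by the `...rsasigkey=0s...` line), the demo key strings and the file names are all constructed for the example; the addresses and subnets are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): build the conn A-B section of
# /etc/ipsec.conf from the output files of "ipsec showhostkey --left/--right".
# Assumption: each key file has the showhostkey shape, i.e. a "# RSA ..." comment
# line followed by "leftrsasigkey=0s..." or "rightrsasigkey=0s...".

# extract_sigkey FILE SIDE  ->  prints the 0s... key value for SIDE (left|right)
# Fails (exit 1) if the file holds no key for that side, so a left key can
# never be pasted under rightrsasigkey by mistake.
extract_sigkey() {
    _file=$1; _side=$2
    _key=$(sed -n "s/^[[:space:]]*${_side}rsasigkey=//p" "$_file" | head -n 1)
    case $_key in
        0s*) printf '%s\n' "$_key" ;;
        *)   echo "no ${_side}rsasigkey found in $_file" >&2; return 1 ;;
    esac
}

# render_conn NAME LEFT LEFTSUBNET LEFTKEYFILE RIGHT RIGHTSUBNET RIGHTKEYFILE
# Writes the conn section to stdout; authby=rsasig is Openswan's default and
# is stated explicitly here so the intent is visible in the file.
render_conn() {
    _lkey=$(extract_sigkey "$4" left)  || return 1
    _rkey=$(extract_sigkey "$7" right) || return 1
    cat <<EOF
conn $1
    authby=rsasig
    left=$2
    leftid=@left
    leftsubnet=$3
    leftrsasigkey=$_lkey
    leftnexthop=%defaultroute
    right=$5
    rightid=@right
    rightsubnet=$6
    rightrsasigkey=$_rkey
    rightnexthop=%defaultroute
    auto=start
EOF
}

# --- demo with constructed key files (the key strings are not real keys) ---
demo_dir=$(mktemp -d)
printf '\t# RSA 2192 bits   lserver   Sun Sep  4 12:00:00 2016\n\tleftrsasigkey=0sAQOdemoLeftKey\n' \
    > "$demo_dir/left-key.log"
printf '\t# RSA 2192 bits   rserver   Sun Sep  4 12:00:00 2016\n\trightrsasigkey=0sAQNdemoRightKey\n' \
    > "$demo_dir/right-key.log"
render_conn A-B 10.86.10.17 172.1.1.0/24 "$demo_dir/left-key.log" \
               10.86.10.18 192.1.1.0/24 "$demo_dir/right-key.log"
rm -rf "$demo_dir"
```

In practice you would copy Lserver's /tmp/key.log and Rserver's /tmp/key.log onto one machine, run `render_conn` there, and append its output to the ipsec.conf shown above (replacing the commented-out `conn A-B` block), then copy the same file to the other gateway, exactly as the post does.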
At this point clients A and B cannot reach the Internet; iptables NAT must be set up on the L and R servers.
A:
# With protostack=netkey the POSTROUTING NAT rule is applied before IPsec encapsulation,
# so make sure it does not rewrite traffic destined for the remote LAN (e.g. add "! -d 192.1.1.0/24").
iptables -t nat -A POSTROUTING -s 172.1.1.0/24 -j SNAT --to-source 10.86.10.17
echo 'iptables -t nat -A POSTROUTING -s 172.1.1.0/24 -j MASQUERADE' >>/etc/rc.local
B:
# Same caveat: keep traffic for 172.1.1.0/24 out of the masquerade rule.
iptables -t nat -A POSTROUTING -s 192.1.1.0/24 -o eth0 -j MASQUERADE
echo 'iptables -t nat -A POSTROUTING -s 192.1.1.0/24 -j MASQUERADE' >>/etc/rc.local
Restart ipsec on each side and enable it at boot:
A:
/etc/init.d/ipsec restart
chkconfig ipsec on
B:
/etc/init.d/ipsec restart
chkconfig ipsec on