Lclient------------->Lserver……………….Rserver<---------------Rclient
172.16.10.16 10.86.10.17 10.86.10.18 192.168.10.16
首先要保证:
lclient ping通lserver和rserver rclient ping通rserver和lserver
安装epel源:
rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm yum clean all yum makecache
安装ipsec需要的基础软件包:
yum -y install ipsec-tools yum -yinstall gmp gmp-devel gawk flex bison
配置内核参数:
cp /etc/sysctl.conf/etc/sysctl.conf.bak-$(date +%F) cat>>/etc/sysctl.conf<<EOF #create for darren net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter= 0 net.ipv4.conf.default.accept_source_route= 0 kernel.sysrq = 0 kernel.core_uses_pid = 1 net.ipv4.tcp_syncookies = 1 kernel.msgmnb = 65536 kernel.msgmax = 65536 kernel.shmmax = 68719476736 kernel.shmall = 4294967296 net.ipv4.conf.eth1.send_redirects= 0 net.ipv4.conf.eth1.accept_redirects= 0 net.ipv4.conf.eth0.send_redirects= 0 net.ipv4.conf.eth0.accept_redirects= 0 net.ipv4.conf.lo.send_redirects= 0 net.ipv4.conf.lo.accept_redirects= 0 net.ipv4.conf.default.send_redirects= 0 net.ipv4.conf.default.accept_redirects= 0 net.ipv4.conf.all.send_redirects= 0 net.ipv4.conf.all.accept_redirects= 0 #create for Darren 2016/9/4 EOF
配置时间同步:
ntpdate pool.ntp.org echo '*/5 * * * * /usr/sbin/ntpdate pool.ntp.org' >>/var/spool/cron/root
下载openswan:
mkdir -p /home/darren/tools cd /home/darren/tools wget https://download.openswan.org/openswan/openswan-2.6.42.tar.gz cd openswan-2.6.42 make programs make install
验证安装:
ipsec --version #查看版本 ipsec verify #验证 echo '1'>/proc/sys/net/core/xfrm_larval_drop #错误解决 /etc/init.d/ipsec start #启动ipsec
perl编译问题解决:
echo 'export LC_ALL=C' >>/etc/profile tail -1 /etc/profile source /etc/profile
配置openswan:
openswan的主要配置文件 /etc/ipsec.secrets #用来保存private RSA keys和preshared secrets /etc/ipsec.conf #主要配置文件(settings、options、defaults、connections)
使用RSA数字签名认证方式配置openswan
1.在Lserver、Rserver上分别生成新的hostkey:
cp /etc/ipsec.secrets /etc/ipsec.secrets.$(date +%F) ipsec newhostkey --output/etc/ipsec.secrets
此处有坑:生成很长时间没有成功。
第一,查看是否启动ipsec:/etc/init.d/ipsec start 第二,实在不行就需要换版本。
2.在Lserver上执行下面的命令获得leftrsasigkey(即Lserver的公钥public key)
ipsec showhostkey --left >/tmp/key.log
3.在Rserver上执行下面的命令获得Reftrsasigkey(即Lserver的公钥public key)
ipsec showhostkey --right >/tmp/key.log
4.在Lserver及Rserver上编辑/etc/ipsec.conf
左边: cp /etc/ipsec.conf /etc/ipsec.conf.$(date +%F) vi /etc/ipsec.conf #create by darren. #http://www.w501.pw version 2.0 config setup nat_traversal=yes virtual_private=%v4:192.1.1.0/16,%v4:172.1.1.0/12 oe=off protostack=netkey conn left_lan leftsubnet=172.1.1.0/24 also=A-B conn right_lan rightsubnet=192.1.1.0/24 also=A-B ############################################### conn A-B left=10.86.10.17 leftid=@left #leftsubnet=172.1.1.0/24 #如果上面的不要这里可以取消注释。 # rsakey AQOgG5Gq4 # leftrsasigkey=这里的key需要复制/tmp/key.log的内容。 leftnexthop=%defaultroute right=10.86.10.18 rightid=@right #rightsubnet=192.168.1.0/24 # rsakey AQNDxTfqK #rightrsasigkey=这里的key需要复制/tmp/key.log的内容 rightnexthop=%defaultroute auto=start
右边: cp /etc/ipsec.conf/etc/ipsec.conf.$(date +%F) vi /etc/ipsec.conf 和左边一样,直接拷贝过去。
此时A和B客户端是不能上网的,需要在L和R服务器上设置iptables。
A:
iptables-t nat -A POSTROUTING -s 172.1.1.0/24 -jSNAT --to-source 10.86.10.17 echo'iptables -t nat -A POSTROUTING -s 172.1.1.0/24 -j MASQUERADE' >>/etc/rc.local
B:
iptables-t nat -A POSTROUTING -s 192.1.1.0/24 –o eth0 -j MASQUERADE echo'iptables -t nat -A POSTROUTING -s 192.1.1.0/24 -j MASQUERADE' >>/etc/rc.local
分别重新启动ipsec:
A:
/etc/init.d/ipsecrestart chkconfigipsec on
B:
/etc/init.d/ipsecrestart chkconfigipsec on