openswan实验

发表于:2007-05-25来源:作者:点击数: 标签:linuxopenswanker实验
openswan 在Linux kernel 2.6上,的使用 本实验在RedHat Enterprise Linux 4, Kernel 2.6.9上通过 Author: Iry Date: June 10, 2005 openswan 在Linux kernel 2.6上,的使用 本实验在RedHat Enterprise Linux 4, Kernel 2.6.9上通过 step 1: 安装两台Linux机器
openswan 在Linux kernel 2.6上,的使用
本实验在RedHat Enterprise Linux 4, Kernel 2.6.9上通过

Author: Iry
Date: June 10, 2005

openswan 在Linux kernel 2.6上,的使用
本实验在RedHat Enterprise Linux 4, Kernel 2.6.9上通过

step 1: 安装两台Linux机器, 示意图如下:

[PC 1 192.168.19.200/24] <----> [vpn_gw_1 192.168.19.100/24 172.16.1.100/24]
                                                ^
                                                |
                                                |
                                                V
[PC 2  192.168.9.200/24] <----> [vpn_gw_2 192.168.9.100/24  172.16.1.100/24]

step 2: 在两台Linux机器上安装 openswan 2.3.1
[root@vpn_gw_1 ~]# tar -zxvf openswan-2.3.1.tar.gz
[root@vpn_gw_1 ~]# cd openswan-2.3.1
[root@vpn_gw_1 openswan-2.3.1]# make programs
[root@vpn_gw_1 openswan-2.3.1]# make install
[root@vpn_gw_1 openswan-2.3.1]# make KERNELSRC=/lib/modules/`uname -r`/build module minstall
over!

step 3: 修改配置文件
这里有两个配置文件需要修改 /etc/ipsec.conf and /etc/ipsec.secrets
eg.
//file /etc/ipsec.conf
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:    ipsec.conf.5

version 2.0  # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-loggin controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug="control parsing"
       
# Add connections here

# sample VPN connection
conn sample
        # Left security gateway, subnet behind it, next hop toward right
        left=172.16.1.100
        leftesubnet=192.168.19.0/24
        leftnexthop=172.16.1.1
        # Right security gateway, subnet behind it, next hop toward left.
        right=172.16.1.1
        rightsubnet=192.168.9.0/24
        rightnexthop=172.16.1.100
        # To authorize this connecion, but not acturally start it, at startupp,
        # uncomment this
        auto=start
        authby=secret
       
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

//file /etc/ipsec.secrets
172.16.1.100 172.16.1.1: PSK "111111"

vpn_gw_1 的配置文件如上所示, vpn_gw_2 的配置文件和上面的基本一致,
只需要172.16.1.1|172.16.1.100 192.168.19.0/24|192.168.9.0/24 互换即可.

step 4: 启动Openswan
[root@vpn_gw_1 openswan-2.3.1]# ipsec setup start
ipsec_setup: Starting Openswan IPsec 2.3.1...
ipsec_setup: insmod /lib/modules/2.6.9-5.EL/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-5.EL/kernel/net/ipv4/xfrm4_tunnel.ko
OK!
[root@vpn_gw_1 openswan-2.3.1]# ipsec look
vpn_gw_1 Fri Jun 10 12:59:20 CST 2005
cat: /proc/net/ipsec_spigrp: No such file or directory
cat: /proc/net/ipsec_eroute: No such file or directory
egrep: /proc/net/ipsec_tncfg: No such file or directory
sort: open failed: /proc/net/ipsec_spi: No such file or directory
DEstination        Gateway         Genmask         Flags      MSS  Widnow      irtt   Iface
0.0.0.0            172.16.1.1      0.0.0.0         UG           0  0              0   eth0
172.16.1.0         0.0.0.0         255.255.255.0   U            0  0              0   eth0
192.168.9.0        172.16.1.1      255.255.255.0   UG           0  0              0   eth0
这里显示有几个文件没有找到, 是因为我在这里只是使用了openswan的用户空间工具, 而使用了kernel 2.6的IPsec协议栈;
在kernel 2.6的IPsec实现中没有这几个/proc文件,在kernel 2.4中是由openswan的KLIPS实现的,
这里没有安装KLIPS当然就没有了(这是我的猜测,欢迎更正,补充)
既然没有这样几个文件,我们就不能再使用 ipsec look来查看VPN连接是否建立成功了, kernel 2.6 IPsec实现有相应的用户
空间工具: ipsec-tools(setkey)
我们用setkey来查看VPN连接是否建立成功
[root@vpn_gw_1 openswan-2.3.1]# setkey -D
172.16.1.100 172.16.1.1
 esp mode=tunnel spi=4165626355(0xf84a69f3) reqid=16385(0x00004001)
 E: aes-cbc  76b0e8a2 4941b4ff 969465c0 21f562f8
 A: hmac-sha1  6c92039e 92e56237 81bf6974 64f8e57b 39d3162b
 seq=0x00000000 replay=32 flags=0x00000000 state=mature
 created: Jun 10 13:39:50 2005 current: Jun 10 14:16:20 2005
 diff: 2190(s) hard: 0(s) soft: 0(s)
 last:                      hard: 0(s) soft: 0(s)
 current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
 allocated: 0 hard: 0 soft: 0
 sadb_seq=3 pid=4339 refcnt=0
172.16.1.100 172.16.1.1
 esp mode=tunnel spi=2917127540(0xaddfd574) reqid=16385(0x00004001)
 E: aes-cbc  2e94clearcase/" target="_blank" >ccfc 6e62f0bc c711c7f6 c5ae561a
 A: hmac-sha1  4cb969cb 0dc037d9 7cc50108 8da34275 335bcd2e
 seq=0x00000000 replay=32 flags=0x00000000 state=mature
 created: Jun 10 13:38:43 2005 current: Jun 10 14:16:20 2005
 diff: 2257(s) hard: 0(s) soft: 0(s)
 last:                      hard: 0(s) soft: 0(s)
 current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
 allocated: 0 hard: 0 soft: 0
 sadb_seq=2 pid=4339 refcnt=0
172.16.1.1 172.16.1.100
 esp mode=tunnel spi=3441132601(0xcd1b8439) reqid=16385(0x00004001)
 E: aes-cbc  1f32ff6f 8d1f1c5f f8c361e7 394b63a0
 A: hmac-sha1  d7c31f11 4c79270a bd95fca7 504f6149 6eb5398d
 seq=0x00000000 replay=32 flags=0x00000000 state=mature
 created: Jun 10 13:39:50 2005 current: Jun 10 14:16:20 2005
 diff: 2190(s) hard: 0(s) soft: 0(s)
 last:                      hard: 0(s) soft: 0(s)
 current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
 allocated: 0 hard: 0 soft: 0
 sadb_seq=1 pid=4339 refcnt=0
172.16.1.1 172.16.1.100
 esp mode=tunnel spi=1859760364(0x6ed9b0ec) reqid=16385(0x00004001)
 E: aes-cbc  1c5463c3 a5cf9087 36dc587b e3c5e8bd
 A: hmac-sha1  dc327a9f 4efe9a70 e9f58251 c73c92cd a070c32c
 seq=0x00000000 replay=32 flags=0x00000000 state=mature
 created: Jun 10 13:38:41 2005 current: Jun 10 14:16:20 2005
 diff: 2259(s) hard: 0(s) soft: 0(s)
 last:                      hard: 0(s) soft: 0(s)
 current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
 allocated: 0 hard: 0 soft: 0
 sadb_seq=0 pid=4339 refcnt=0
从上面可以看出双方向的SA,都已经建立成功,也就是说VPN连接已经成功的建立起来了.
可以从PC 1 ping PC 2 看看, 应该没有问题了.

后记: 一点说明
为了让VPN的建立足够简单,我没有启动iptables, 清空所有的规则,默认策略设置为空:
[root@vpn_gw_1 openswan-2.3.1]# iptables -P INPUT ACCEPT
[root@vpn_gw_1 openswan-2.3.1]# iptables -P FORWARD ACCEPT
[root@vpn_gw_1 openswan-2.3.1]# iptables -P OUTPUT ACCEPT
[root@vpn_gw_1 openswan-2.3.1]# iptables -F
[root@vpn_gw_1 openswan-2.3.1]# iptables -X
打开两台Linux机器的路由转发:
[root@vpn_gw_1 openswan-2.3.1]# echo 1 > /proc/sys/net/ipv4/ip_forward
这一点很重要,不然两台PC机是不能互相通信的,我有好几次忘记了打开,吃了苦头.
当你使用的kernel>=2.6.10的时候,必须使用ipsec-tools>=0.5

原文转自:http://www.ltesting.net