推荐点击下面图片,通过本站淘宝优惠价购买:
IPSec是虚拟私密网络的一种实现,在server & client间建立加密隧道传输数据,分两个阶段
Phrase1
交换密钥建立隧道,使用IKE协议(Internet Key Exchange)
IKE分两个版本(IKE1/IKE2)
IKE1有两种模式,主力模式(main mode),积极模式(野蛮模式,aggressive mode),不同开源/闭源软件实现版本不同,不同网络设备实现版本也不同Phrase2
对隧道中的数据加密传输,使用ESP协议(Encapsulate Security Payload)
Phrase1 & Phrase2可以使用不同的加密算法(cipher suites)
IKE1:
main mode:
6个ISAKMP包aggressive mode:
3个ISAKMP包
OpenSwan:
Prerequisite:
开启转发
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf sysctl --system
iptables -t nat -A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
yum install openswan
默认安装的是libreswan,配置文件
修改内核参数,允许IP转发,永久性禁止redicret,关闭反向路径校验(reverse path filtering)
net.ipv4.ip_forward=1net.ipv4.conf.all.rp_filter=0net.ipv4.conf.default.rp_filter=0net.ipv4.conf.eth0.rp_filter=0sysctl -a 2> /dev/null|egrep '(.*)(accept_redirects|send_redirects)'|awk '{print $1" = "0}' >> /etc/sysctl.conf sysctl --systemipsec.conf
config setup protostack=netkey # IPSec stack logfile=/var/log/pluto.log virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 dumpdir=/var/run/pluto conn site-to-site type=tunnel #transport authby=secret # 定义认证方式PSK auto=start # 可选择add,route,start ikev2=never # 关闭IKEv2 rekey=no #aggrmode=yes # aggressive mode ## phase 1 ## keyexchange=ike # ike密钥交换方式 ike=aes128-sha1;modp1536 # 按照对端配置定义ike阶段算法和group #ike=3des-sha1;modp1024 ikelifetime=86400s # ike阶段生命周期 ## phase 2 ## phase2=esp # 二阶段传输格式 phase2alg=aes128-sha1;modp1536 # 按照对端配置定义ipsec阶段算法和group compress=yes pfs=no # 开启PFS type=tunnel # 开启隧道模式 ## left ## #left=%defaultroute left=192.168.1.10 # 本地IP,nat场景选择真实的主机地址 leftid=116.236.134.26 # 本地标识ID leftsourceip=116.236.134.26 # 存在nat源地址,选择nat后的公网ip leftsubnet=192.168.0.0/16 # 本地子网 leftnexthop=%defaultroute # nat场景下一跳选择nat后的网关ip ## right ## right=47.101.219.24 # 远端VPN网关ip rightid=47.101.219.24 # 远端表示ID rightsourceip=47.101.219.24 # 远端源地址,选择VPN网关ip rightsubnet=172.16.0.0/12 # 远端子网 rightnexthop=%defaultroute # 远端路由按缺省配置
ipsec --status ipsec auto --up connctionname
ip xfrm policy
查看tunnel信息
StrongSwan:
prerequisite:
RSA认证(PSK跳过)
cp cacert.pem /etc/strongswan/ipsec.d/cacerts/cp server.crt /etc/strongswan/ipsec.d/certs/cp server.key /etc/strongswan/ipsec.d/private/cp client.crt /etc/strongswan/ipsec.d/certs/cp client.key /etc/strongswan/ipsec.d/private/
/etc/strongswan/ipsec.conf
config setup uniqueids=never # 允许单账号多终端同时登录 conn %default type=tunnel # tunnel模式 type=transport ikelifetime=60m keylife=5m dpddelay=10s rekeymargin=3m keyingtries=3 conn ios_cert_authentication # 证书认证 fragmentation=yes auto=add ## phase 1 ## keyexchange=ikev1 ## left ## left=%defaultroute leftauth=pubkey leftsubnet=0.0.0.0/0 leftcert=server.crt ## right ## right=%any rightauth=pubkey rightauth2=xauth rightsourceip=10.31.2.0/24 rightcert=client.crt conn android_xauth_psk # 预共享密钥认证 auth=add ## phase 1 ## keyexchange=ikev1 ## left ## left=%defaultroute leftauth=psk leftsubnet=0.0.0.0/0 ## right ## right=%any rightauth=psk rightauth2=xauth rightsourceip=10.31.2.0/24 conn networkmanager-strongswan auto=add ## phase 1 ## keyexchange=ikev2 ## left ## left=%defaultroute leftauth=pubkey leftsubnet=0.0.0.0/0 leftcert=server.cert ## right ## right=%any rightauth=pubkey rightsourceip=10.31.2.0/24 rightcert=client.crt conn site-to-site # 定义连接名称 site-to-site auto=start # 启动strongswan时自动触发,可选add,route,start type=tunnel # 开启隧道模式 compress=yes authby=secret # 协商认证方式,key leftauth=psk rightauth=psk ## phase 1 ## keyexchange=ikev1 # ike密钥交换方式 ike=aes128-sha1-modp1536! # 按照对端配置定义ike阶段算法和group esp=aes128-sha1-modp1536! # 按照对端配置定义ipsec阶段算法和group ikelifetime=86400s # ike阶段生命周期 lifetime=3600s # 二阶段生命周期 ## left ## left=192.168.1.10 # 本端ip,nat场景选择真实的主机地址 leftid=116.236.134.26 # 本端发起协商的公网IP,即local-id leftsubnet=192.168.0.0/16 # 本端内网地址段 ## right ## right=47.101.219.24 # 远端VPN网关ip rightid=47.101.219.24 # 远端标识ID rightsubnet=172.16.0.0/12 # 远端子网
/etc/strongswan/ipsec.secrets
: RSA server.key : PSK "YourPSK"UserName1 %any : XAUTH "Password1"UserName2 %any : XAUTH "Password2" UserName1 %any : EAP "Password1"UserName2 %any : EAP "Password2"47.101.219.25 116.236.134.26 : PSK 'perpetual' # site-to-site : PSK "YourPSK" <=> %any %any : PSK "YourPSK"Host Peer : METHOD <server.key|PSK|Password> <password_of_server.key>
/etc/strongswan/strongswan.conf
charon { filelog { /var/log/strongswanlog { append = no default = 1 flush_line = yes ike_name = yes time_format = %b %e %T } } load_modular = yes compress=yes plugins { include strongswan.d/charon/*.conf } dns1=8.8.8.8 dns2=8.8.4.4} include strongswan.d/*.conf
本文链接:https://hqyman.cn/post/4897.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
休息一下,本站随机推荐观看栏目:
