Install IPsec with sudo yum install openswan (on CentOS 7 this package name resolves to libreswan, which is why the version string below reads Libreswan). After installation, verify it with the following command:
ipsec --version
It displays something like:
Linux Libreswan 3.15 (netkey) on 3.10.0-229.el7.x86_64
2. Configuration
1) Edit /etc/sysctl.conf
Change
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
to
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
After editing, run sysctl -p to apply the settings.
2) Configure Openswan
The main Openswan configuration files are:
/etc/ipsec.conf – main configuration file
/etc/ipsec.secrets – specifies the certificate's private key
/etc/ipsec.d/cacerts – holds CA certificates
/etc/ipsec.d/certs – holds personal certificates; put your own PEM certificate here
/etc/ipsec.d/private – holds the private keys of X.509 personal certificates
Once the CA certificate, personal certificate and personal private key are in the relevant directories, only ipsec.conf and ipsec.secrets need to be edited.
The following command converts them to the new format:
openssl pkcs12 -export -in cert_juchk_l.pem -inkey key.pem -certfile cacert.pem -out juchk.p12 -name juchk
This bundles the personal certificate, private key and CA certificate into a PKCS#12 file. The file is then imported into the IPsec key manager, which manages it under the nickname given by -name at the end of the command above:
ipsec import juchk.p12
Example configuration files:
[root@localhost ~]# vim /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file: /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual: ipsec.conf.5
# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    # private".
    # Note: "crypt" is not included with "all", as it can show confidential
    # information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    # an unusual location.
    #plutostderrlog=/var/log/pluto.log
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    # unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has not been announced via BGP (at least up to 2010-12-21)
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# Add connections here
conn vpn
    #left=10.3.0.0/21
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=juchk
    #authby=rsasig
    # leftcert=cert_juchk_l.cert
    # leftrsasigkey=key.pem
    leftxauthclient=yes
    leftmodecfgclient=yes
    connaddrfamily=ipv4
    modecfgpull=no
    right=10.1.4.254
    rightsubnet=10.254.1.0/24
    rightxauthserver=yes
    rightmodecfgserver=yes
    rightid="C=cn, ST=liaoning, O=neusoft, OU=nsd, CN=vpnser, E=vpnser@neusoft.com"
    auto=add
# For example connections, see your distribution's documentation directory,
# or the documentation which could be located at
# /usr/share/docs/libreswan-3.*/ or look at
#
# There is also a lot of information in the manual page, "man ipsec.conf"
include /etc/ipsec.d/*.conf
[root@localhost ~]# vi /etc/ipsec.secrets
: RSA juchk
#: RSA /etc/ipsec.d/private/key.pem
include /etc/ipsec.d/*.secrets
Only one new entry needs to be added, ": RSA juchk", where juchk is the nickname of the key imported in the new format.
After editing the files above, restart the ipsec service:
service ipsec restart
Run the following command to connect:
ipsec whack --name vpn --initiate
When prompted, enter the correct username and password and the login succeeds.
Note: if the connection misbehaves, service ipsec restart resolves it.
To stop the connection:
ipsec whack --name vpn --terminate
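The script below ties the steps above together as a pre-flight check to run before initiating the connection. It is an added example and is not code from the original post or from Libreswan; the function names (check_sysctl, conn_value, secrets_nickname, check_conn, preflight, vpn_up, vpn_down) are this example's own, and the file paths are passed as arguments so the checks can be run against copies, with /etc/sysctl.conf, /etc/ipsec.conf and /etc/ipsec.secrets assumed on the real host. It confirms that ip_forward and conf.default.rp_filter have the values required above, that the conn block carries the keys the client setup depends on, and that leftcert is the same nickname that the ": RSA <nickname>" line in ipsec.secrets names, since a mismatch leaves pluto without a private key for the connection. Note that setting rp_filter to 0 switches off the kernel's reverse-path check against spoofed source addresses; the script only verifies the file and does not judge whether that is acceptable on the host.

```shell
#!/bin/sh
# Pre-flight checks for the Libreswan client setup above (added example, not
# from the original post). All file paths are arguments so the checks can be
# run against copies; on the real host use /etc/sysctl.conf, /etc/ipsec.conf
# and /etc/ipsec.secrets.

# check_sysctl FILE: succeed only if FILE sets ip_forward=1 and
# conf.default.rp_filter=0 (the last uncommented occurrence wins, as with sysctl -p)
check_sysctl() {
    fwd=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1)
    rpf=$(sed -n 's/^[[:space:]]*net\.ipv4\.conf\.default\.rp_filter[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1)
    [ "$fwd" = "1" ] && [ "$rpf" = "0" ]
}

# conn_value FILE CONN KEY: print KEY's value inside "conn CONN"; comment
# lines are skipped and a "config" or another "conn" header ends the section
conn_value() {
    awk -v conn="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^[ \t]*conn[ \t]+/ { in_conn = ($2 == conn); next }
        /^[ \t]*config[ \t]+/ { in_conn = 0; next }
        in_conn {
            sub(/^[ \t]+/, "")
            eq = index($0, "=")
            if (eq > 1 && substr($0, 1, eq - 1) == key) { print substr($0, eq + 1); exit }
        }' "$1"
}

# secrets_nickname FILE: nickname from the first uncommented ": RSA <name>" line
secrets_nickname() {
    sed -n 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_conn FILE CONN NICKNAME: the keys this client config relies on must be
# present, and leftcert must be the nickname ipsec.secrets points at, otherwise
# pluto has no private key for the connection
check_conn() {
    for k in left leftcert right rightsubnet rightid; do
        [ -n "$(conn_value "$1" "$2" "$k")" ] || { echo "conn $2: missing $k" >&2; return 1; }
    done
    [ "$(conn_value "$1" "$2" leftcert)" = "$3" ] || {
        echo "conn $2: leftcert does not match ': RSA $3' in ipsec.secrets" >&2; return 1; }
}

# preflight SYSCTL_FILE IPSEC_CONF IPSEC_SECRETS CONN: run every check, succeed only if all pass
preflight() {
    check_sysctl "$1" || { echo "$1: need ip_forward = 1 and conf.default.rp_filter = 0" >&2; return 1; }
    nick=$(secrets_nickname "$3")
    [ -n "$nick" ] || { echo "$3: no ': RSA <nickname>' entry" >&2; return 1; }
    check_conn "$2" "$4" "$nick"
}

# Wrappers for the two whack commands from the post (run as root on the real host)
vpn_up()   { ipsec whack --name "${1:-vpn}" --initiate; }
vpn_down() { ipsec whack --name "${1:-vpn}" --terminate; }

# Usage on the real host:
#   preflight /etc/sysctl.conf /etc/ipsec.conf /etc/ipsec.secrets vpn && vpn_up vpn
```

Source the file and call preflight with the four paths before vpn_up; each failed check names the file and the key that is wrong on stderr, which is faster than reading pluto's log after a failed initiation.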