I. Software description
1. Openswan introduction
Openswan is the best way to implement IPsec on Linux, and it is powerful enough to ensure the security and integrity of transmitted data.
Openswan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on different platforms, including x86, x86_64, IA64, MIPS and ARM.
Openswan is a branch project that continued after development of the open source project FreeS/WAN ended; that work split into two projects, Openswan and strongSwan. Openswan consists of three main components: the configuration tool (the ipsec command script), the key management tool (Pluto) and the kernel components (KLIPS/26sec).
26sec uses the NETKEY module built into the 2.6 kernel in place of the KLIPS module developed by Openswan. Kernels 2.4 and below have no NETKEY module, so they can only use KLIPS. If you use a kernel above 2.6.9, we recommend 26sec, which lets you use NAT; the NETKEY in kernels below 2.6.9 has bugs, so there we recommend KLIPS without applying the NAT-T patch to the kernel. IPsec is almost the oldest VPN standard and is still very secure, once it is configured correctly, of course. The implication is that its configuration is more troublesome; this article explains it below.
Since FreeS/WAN was discontinued in March 2004, we use its successor project Openswan for our IPsec experiment. Compared with FreeS/WAN it has one advantage: if 26sec is used, Openswan can use NAT without patching.
2. Installing Openswan
Because IPsec works at the network layer, it requires support from the system kernel. As mentioned above, there are two options: the kernel's built-in stack (26sec) or Openswan's own (KLIPS). For convenience (how to patch and compile the kernel is not the focus of this article), this article uses the Openswan package compiled from the CentOS repositories for the experiment.
# yum install openswan
If you want to install from source, download the package from http://www.openswan.org/code and follow the instructions in the package. Since we use 26sec, make and make install are enough. It is worth noting that Openswan now has many useful patches built in, such as support for NAT traversal, which makes it very convenient to use. You can also use the following command to verify your installation.
# ipsec verify
3. Openswan authentication methods
Openswan supports a number of different authentication methods, including RSA keys, pre-shared keys and certificates. RSA signatures are relatively simple.
4. Openswan connection modes:
1) Network-to-network mode
The network-to-network mode connects two networks into a virtual private network. Once the connection is established, hosts in each subnet can transparently access hosts in the remote subnet. To achieve this type of connection, the following two conditions must be met:
I. Each subnet has a host with Openswan installed acting as the egress gateway or router for its subnet;
II. The IP ranges of the two subnets must not overlap.
2) Road warrior mode
In network-to-network mode, the host acting as the gateway of each subnet does not have the same transparent access to the remote subnet's hosts as the internal hosts of the subnet. That is, if you are a mobile user with a client machine, often travelling or working in different locations, your client will not be able to connect to the corporate network in network-to-network mode. Road warrior mode is designed precisely for this situation: once the connection is established, your client can connect to the remote network.
For more information, see the Openswan project home page: http://www.openswan.org
II. Environment notes
1. Network topology
2. Purpose of the experiment
The purpose of this experiment is to achieve interoperability between the different subnets of Client1 and Client2, which are located in two different regions.
3. Introduction of the experimental environment
Device name | IP address information | Affiliated room
Vpnserver1 | External network: eth0 192.168.0.50 (bridged); intranet: eth1 192.168.20.1 (VMnet4); gateway 192.168.0.1 | Beijing
Vpnserver2 | External network: eth0 192.168.0.51 (bridged); intranet: eth1 192.168.10.1 (VMnet5); gateway 192.168.0.1 | Shanghai
Client1 | eth0 192.168.20.2 (VMnet4); gateway 192.168.20.1 | Beijing
Client2 | eth0 192.168.10.2 (VMnet5); gateway 192.168.10.1 | Shanghai
My local network is the 192.168.0.0/24 segment. To let the VPN servers reach the Internet, I put eth0 of each VPN server into the 192.168.0.0/24 segment and set the network card to bridged mode; the other networks are configured as in the table above, so that everything can be operated remotely. The host name of each host is also changed, to make our observations easier.
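The two net-to-net conditions from section I.4 applied to the Beijing/Shanghai topology in the table above, as an added shell example that is not part of the original post: it checks that the two subnets do not overlap and then renders the corresponding Openswan conn. The connection name bj-sh and the use of a pre-shared key (authby=secret, with the key kept in /etc/ipsec.secrets) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify condition II of the
# network-to-network mode (disjoint subnets) and render the matching Openswan
# conn for the Beijing/Shanghai topology. Assumes pre-shared-key authentication
# with the key stored in /etc/ipsec.secrets (assumption, not from the post).

ip2int() {                  # dotted quad -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

subnets_overlap() {         # $1, $2 in CIDR form; true if they share any address
    l1=${1#*/}; l2=${2#*/}
    if [ "$l1" -le "$l2" ]; then s=$l1; else s=$l2; fi
    # Two prefixes overlap exactly when they agree under the shorter mask.
    mask=$(( (1 << 32) - (1 << (32 - s)) ))
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Render one net-to-net conn: $1 name, $2 left gateway, $3 left subnet,
# $4 right gateway, $5 right subnet. Refuses overlapping subnets, since the
# kernel could not decide which side a packet for the shared range belongs to.
render_net_to_net() {
    if subnets_overlap "$3" "$5"; then
        echo "error: $3 and $5 overlap; net-to-net needs disjoint subnets" >&2
        return 1
    fi
    cat <<EOF
conn $1
    type=tunnel
    left=$2
    leftsubnet=$3
    right=$4
    rightsubnet=$5
    authby=secret
    auto=start
EOF
}

# Stand-alone run with the addresses from the environment table.
render_net_to_net bj-sh 192.168.0.50 192.168.20.0/24 192.168.0.51 192.168.10.0/24
```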
III. Openswan installation and configuration
1. Turn on IP forwarding
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
2. Turn off ICMP redirects
# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1 "= 0"}' >> /etc/sysctl.conf
# sysctl -p
3. Turn off SELinux
# setenforce 0
4. Install Openswan
# yum install openswan lsof -y
# rpm -ql openswan    // view the installed files
# ipsec --version     // view the IPsec version
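The sysctl steps 1 and 2 above, as an added shell example that is not part of the original post: one function generates the lines to append to /etc/sysctl.conf from a sysctl -a listing (the same key set the egrep/awk one-liner selects), and a second audits a listing so a gateway can be checked before and after sysctl -p. The sysctl listing is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: build the sysctl lines an Openswan
# gateway needs and audit a `sysctl -a` listing for settings that would break
# the tunnel (ip_forward, rp_filter) or weaken it (ICMP redirects).

# Constructed sample of `sysctl -a` output; on a real host replace it with:
#   LISTING=$(sysctl -a 2>/dev/null)
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1'

# Print the lines to append to /etc/sysctl.conf: forwarding on, rp_filter off
# (strict reverse-path filtering can drop decapsulated tunnel packets), and
# every IPv4 accept/send_redirects key present on the host set to 0.
gen_sysctl_conf() {
    printf 'net.ipv4.ip_forward = 1\n'
    printf 'net.ipv4.conf.default.rp_filter = 0\n'
    printf '%s\n' "$1" | awk -F ' *= *' \
        '$1 ~ /^net\.ipv4\..*(accept|send)_redirects$/ { print $1 " = 0" }'
}

# Audit a listing: print each key that is not at the required value and return
# non-zero, so the check can gate a deployment script or a monitoring run.
check_sysctl() {
    printf '%s\n' "$1" | awk -F ' *= *' '
        $1 == "net.ipv4.ip_forward" && $2 != 1 { print $1 " should be 1"; bad = 1 }
        $1 == "net.ipv4.conf.default.rp_filter" && $2 != 0 { print $1 " should be 0"; bad = 1 }
        $1 ~ /^net\.ipv4\..*(accept|send)_redirects$/ && $2 != 0 { print $1 " should be 0"; bad = 1 }
        END { exit bad }'
}

# Stand-alone run: show the generated lines, then audit the sample (which fails).
gen_sysctl_conf "$SAMPLE_SYSCTL"
check_sysctl "$SAMPLE_SYSCTL" || echo "sample host is not ready for IPsec"
```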
This article is from the "Stones" blog; please keep this source: http://wangzan18.blog.51cto.com/8021085/1681173
CentOS 6.3: using Openswan to interconnect two IDCs