I am not going to explain what Openswan is or how it works; if you don't know, Google it, and for the theory do the same. This post only records the mechanical steps (install, configure, verify) needed to get the configuration finished. There is plenty of material on the Internet, but for newcomers it is confusing and hard to get a working setup from it.
I. System installation
1. Download the software
cd /usr/local/src
I like to download sources into this directory.
wget http://www.openswan.org/download/openswan-2.4.7.tar.gz
However, downloading the package on a Windows machine and copying it to the Linux system is usually faster.
2. tar zxvf openswan-2.4.7.tar.gz
3. cd /usr/local/src/openswan-2.4.7
4. make programs
5. make install
6. export KERNELSRC=/usr/src/kernels/2.6.9-11.EL-i686
My kernel source tree is in this directory; find out where yours is before running this, and do not copy the path blindly.
7. make module
8. make minstall
9. depmod -a
10. modprobe ipsec
11. echo "1" > /proc/sys/net/ipv4/ip_forward
12. echo "0" > /selinux/enforce   (puts SELinux into permissive mode)
Now, the installation is complete.
Check the installation status:
# ipsec --version
Linux Openswan 2.4.7 (klips)
See 'ipsec --copyright' for copyright information.
If the above output appears, the installation succeeded.
II. Configuration
There are two main configuration files: ipsec.conf and ipsec.secrets.
Here is the network topology. The network 1 server has its LAN on eth0 with address 172.21.1.1 and its Internet link on eth1 with address 203.86.61.172; this host is called left and serves the LAN 172.21.1.0/24. The network 2 server has its LAN on eth0 with address 176.20.1.1 and its Internet link on eth1 with address 203.86.61.173; this host is called right and serves the LAN 176.20.1.0/24. Note that the ipsec.conf below assigns the labels the other way round (left=203.86.61.173 with leftsubnet=176.20.1.0/24, right=203.86.61.172 with rightsubnet=172.21.1.0/24); the ipsec eroute output in step 10 matches the configuration file, so go by the file when in doubt.
1. ipsec newhostkey --output /etc/ipsec.secrets
Run the above command on both the left and right servers.
2. vi /etc/ipsec.conf and make its content match the file below. Compare it with the sample file and modify or add the lines that differ; there are in fact not many changes and additions, and the comments explain them.
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg: plutodebug="control parsing"
	#
	# Only enable plutodebug=all or klipsdebug=all if you are a developer!!
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	interfaces=%defaultroute
	nat_traversal=yes
	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	#
	# enable this if you see "failed to find any available worker"
	nhelpers=0
# Add connections here
conn %default
	authby=rsasig
	compress=yes
# sample VPN connections, see /etc/ipsec.d/examples/
# disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
conn network-to-network
	left=203.86.61.173
	leftsubnet=176.20.1.0/24
	leftid=@left
	# RSA 2192 bits left Tue Mar 13 14:55:48 2007
	# placeholder: paste the key printed by "ipsec showhostkey --left" on the left server
	leftrsasigkey=0sAQ...
	leftnexthop=%defaultroute
	right=203.86.61.172
	rightsubnet=172.21.1.0/24
	rightid=@right
	# RSA 2192 bits right Sun Mar 11 02:17:24 2007
	# placeholder: paste the key printed by "ipsec showhostkey --right" on the right server
	rightrsasigkey=0sAQ...
	rightnexthop=%defaultroute
	auto=add
Do not copy the leftrsasigkey and rightrsasigkey lines from here: they are the keys of my machines, and yours will be different. Fill them in as follows.
3. On the left server:
ipsec showhostkey --left >> /etc/ipsec.conf
Be sure to use ">>" (append), not ">" (which would overwrite the file).
4. On the right server:
ipsec showhostkey --right > rightrsasigkey.tmp
5. scp ./rightrsasigkey.tmp root@left:/etc/rightrsasigkey.tmp
This copies the rightrsasigkey.tmp file generated on the right server to the /etc/ directory of the left server.
6. On the left server:
cd /etc/
cat rightrsasigkey.tmp >> /etc/ipsec.conf
Again, be sure to use ">>" (append), not ">".
7. scp /etc/ipsec.conf root@right:/etc/ipsec.conf
This copies the ipsec.conf configured on the left server to the right server. After these steps, the ipsec.conf files on the left and right servers are identical, while the RSA keys generated by the two servers differ. You can also get the rsasigkey values into place by copy and paste, or by any better method you have; the goal is simply that the left server's ipsec.conf contains the right server's rsasigkey, and vice versa.
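A small check for the ipsec.conf assembled in steps 3 to 7, added here as an example and not part of the original post: before the file is copied to the peer, it confirms that both RSA keys are present, look like Openswan "0s..." keys, differ from each other, and that the conn is set to auto=add. The constructed sample file reuses this page's addresses and conn name; the key values are placeholders, not real host keys.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the ipsec.conf
# assembled in steps 3-7 before copying it to the peer. The conn name and the
# leftrsasigkey/rightrsasigkey parameters are those used on this page.

# Print the value of NAME=... from an ipsec.conf FILE (first match only).
conf_value() {             # usage: conf_value FILE NAME
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Return 0 if FILE can be shared by both peers, else print the reason and
# return 1: both RSA keys present, both in Openswan "0s..." form, not the
# same host key pasted twice, and the conn set to auto=add.
check_ipsec_conf() {       # usage: check_ipsec_conf FILE
    left=$(conf_value "$1" leftrsasigkey)
    right=$(conf_value "$1" rightrsasigkey)
    [ -n "$left" ]  || { echo "missing leftrsasigkey (ipsec showhostkey --left on left)"; return 1; }
    [ -n "$right" ] || { echo "missing rightrsasigkey (rightrsasigkey.tmp from right)"; return 1; }
    case $left  in 0s*) ;; *) echo "leftrsasigkey is not a 0s... key";  return 1 ;; esac
    case $right in 0s*) ;; *) echo "rightrsasigkey is not a 0s... key"; return 1 ;; esac
    [ "$left" != "$right" ] || { echo "left and right keys are identical"; return 1; }
    grep -q '^[[:space:]]*auto=add' "$1" || { echo "conn lacks auto=add"; return 1; }
    return 0
}

# Write a constructed ipsec.conf (addresses from this page, keys given as
# arguments) so the check can be exercised without a real host key.
write_sample_conf() {      # usage: write_sample_conf FILE LEFTKEY RIGHTKEY
    cat >"$1" <<EOF
version 2.0
config setup
    interfaces=%defaultroute
    nat_traversal=yes
conn network-to-network
    left=203.86.61.173
    leftsubnet=176.20.1.0/24
    leftid=@left
    leftrsasigkey=$2
    right=203.86.61.172
    rightsubnet=172.21.1.0/24
    rightid=@right
    rightrsasigkey=$3
    auto=add
EOF
}
```

Run `check_ipsec_conf /etc/ipsec.conf` on the left server after step 6; a zero exit status means the file is ready to be copied in step 7.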
8. Verify IPsec
[root@right ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan 2.4.7 (klips)
Checking for IPsec support in kernel                         [OK]
Testing against enforced SElinux mode                        [OK]
Checking for RSA private key (/etc/ipsec.secrets)            [OK]
Checking that pluto is running                               [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing                               [OK]
Checking for 'ip' command                                    [OK]
Checking for 'iptables' command                              [OK]
Opportunistic Encryption Support                             [DISABLED]
When this output appears, your IPsec setup is in order.
9. ipsec auto --up network-to-network
Run the above command on both servers to bring up the VPN.
10. Check that the tunnel is established. On the right server:
[root@right ~]# ipsec eroute
922        172.21.1.0/24      -> 176.20.1.0/24      => tun0x1004@203.86.61.173
[root@right ~]#
On the left server:
[root@left ~]# ipsec eroute
915        176.20.1.0/24      -> 172.21.1.0/24      => tun0x1004@203.86.61.172
[root@left ~]#
These two lines show that the tunnel is established. The following command also checks the tunnel and gives more information:
[root@right ~]# ipsec look
Now ping between hosts in 172.21.1.0/24 and 176.20.1.0/24; services in the two LANs can be reached across the tunnel. This is the configuration of a real environment.