Configure Openswan in ten minutes

Source: Internet
Author: User
Tags: tmp file

Ten minutes to configure Openswan. I won't discuss the theory here; if you need the background, search for it. This article only walks through the fixed steps (1, 2, 4, 5, 6 and 7) so that the configuration can actually be completed, because there is a lot of material on the Internet, but it is hard for new users to follow and not easy to get working.

1. System installation

1. Download the software. I like to download the program to this directory:

    cd /usr/local/src

   Fetch the openswan-2.4.7 tarball with wget (the download URL is not given in the source).

2. tar zxvf openswan-2.4.7.tar.gz
3. cd /usr/local/src/openswan-2.4.7
4. make programs
5. make install
6. export KERNELSRC=/usr/src/kernels/2.6.9-11.EL-i686

   My kernel source is in this directory; find out where yours is first, and do not copy this path blindly.

7. make module
8. make minstall
9. depmod -a
10. modprobe ipsec
11. echo "1" > /proc/sys/net/ipv4/ip_forward
12. echo "0" > /selinux/enforce

Both echo commands change the running kernel only (IP forwarding on, SELinux permissive) and are lost on reboot; ipsec verify in step 8 below checks both settings.

Installation is complete. Check the installation status:

    # ipsec --version
    Linux Openswan 2.4.7 (klips)
    See 'ipsec --copyright' for copyright information.

If the above is displayed, the installation succeeded.

2. Configuration

There are two main configuration files: ipsec.conf and ipsec.secrets. First, the network topology. The network 1 server's intranet side is eth0 with address 172.21.1.1, its Internet side is eth1 with address 203.86.61.172, its hostname is left, and it connects to the LAN 172.21.1.0/24. The network 2 server's intranet side is eth0 with address 176.20.1.1, its Internet side is eth1 with address 203.86.61.173, its hostname is right, and it connects to the LAN 176.20.1.0/24.

1. Generate host keys. Run the following on both the left and the right server:

    ipsec newhostkey --output /etc/ipsec.secrets

2. vi /etc/ipsec.conf; the content is as follows. Compare it with your file and modify or add as needed; there are actually not many changes, and the comments explain them.

    # /etc/ipsec.conf - Openswan IPsec configuration file
    # RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
    #
    # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
    #
    # Manual:     ipsec.conf.5

    version 2.0     # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
            # plutodebug / klipsdebug = "all", "none" or a combination from below:
            # "raw crypt parsing emitting control klips pfkey natt x509 private"
            # eg: plutodebug="control parsing"
            #
            # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
            #
            # NAT-TRAVERSAL support, see README.NAT-Traversal
            interfaces=%defaultroute
            nat_traversal=yes
            # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
            #
            # enable this if you see "failed to find any available worker"
            nhelpers=0

    # Add connections here
    conn %default
            authby=rsasig
            compress=yes

    # sample VPN connections, see /etc/ipsec.d/examples/

    # Disable Opportunistic Encryption
    include /etc/ipsec.d/examples/no_oe.conf

    conn network-to-network
            left=<left server address>     # value lost in the source
            leftsubnet=176.20.1.0/24
            leftid=@left
            # RSA 2192 bits   left   Tue Mar 13 14:55:48 2007
            leftrsasigkey=0s...            # my key; yours differs, see step 3
            leftnexthop=%defaultroute
            right=<right server address>   # value lost in the source
            rightsubnet=172.21.1.0/24
            rightid=@right
            # RSA 2192 bits   right   Sun Mar 11 02:17:24 2007
            rightrsasigkey=0s...           # my key; yours differs, see steps 4-6
            rightnexthop=%defaultroute
            auto=add

Do not copy the leftrsasigkey and rightrsasigkey lines from here; they come from my machines and your values are different. You can enter them as follows.

3. On the left server:

    ipsec showhostkey --left >> /etc/ipsec.conf

   Be sure to use ">>" (append) and not ">", which would overwrite the file.

4. On the right server:

    ipsec showhostkey --right > rightrsasigkey.tmp

5. Still on the right server, copy the generated rightrsasigkey.tmp to the /etc directory of the left server:

    scp ./rightrsasigkey.tmp root@left:/etc/rightrsasigkey.tmp

6. On the left server:

    cd /etc
    cat rightrsasigkey.tmp >> /etc/ipsec.conf

   Again, be sure to use ">>" and not ">".

7. On the left server, copy the finished ipsec.conf to the right server:

    scp /etc/ipsec.conf root@right:/etc/ipsec.conf

After these steps the ipsec.conf files on the left and right servers are identical, while the rsasigkey values generated by the two servers differ. Of course you can also enter the rsasigkey values by copy and paste; maybe you have a better way. The goal is that the left server's ipsec.conf contains the right server's rsasigkey, and vice versa.

8. Verify ipsec:

    [root@right ~]# ipsec verify
    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                             [OK]
    Linux Openswan 2.4.7 (klips)
    Checking for IPsec support in kernel                        [OK]
    Testing against enforced SElinux mode                       [OK]
    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
    Checking that pluto is running                              [OK]
    Two or more interfaces found, checking IP forwarding        [OK]
    Checking NAT and MASQUERADEing                              [OK]
    Checking for 'ip' command                                   [OK]
    Checking for 'iptables' command                             [OK]
    Opportunistic Encryption Support                            [DISABLED]

   If the above appears, your VPN is OK.

9. Start the VPN. Run the following on both servers:

    ipsec auto --up network-to-network

10. Check that the tunnel is established.

On the right server:

    [root@right ~]# ipsec eroute
    922        172.21.1.0/24      -> 176.20.1.0/24      => tun0x1004@203.86.61.173
    [root@right ~]#

On the left server:

    [root@left ~]# ipsec eroute
    915        176.20.1.0/24      -> 172.21.1.0/24      => tun0x1004@203.86.61.172
    [root@left ~]#

These two lines show that the tunnel has been established. You can also check the tunnel with the following command, which gives richer information:

    [root@right ~]# ipsec look

Hosts in the 172.21.1.0/24 and 176.20.1.0/24 networks can now ping each other, and the services in the two LANs are reachable. This is a real-environment configuration.
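As an added check that is not part of the original article: the Python script below (my own example, not Openswan's code) parses a merged ipsec.conf and flags the mistakes the key-exchange steps above can produce, namely a conn wiped out by using ">" instead of ">>", a missing rsasigkey on either side, or both sides carrying the same host key. SAMPLE_CONF is a constructed copy of the article's conn with placeholder key values.

```python
"""Check a merged Openswan ipsec.conf before scp'ing it to the peer."""
# Constructed sample of the article's conn; the two keys are placeholders for 'ipsec showhostkey' output.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
conn %default
    authby=rsasig
conn network-to-network
    leftsubnet=176.20.1.0/24
    leftid=@left
    rightsubnet=172.21.1.0/24
    rightid=@right
    auto=add
    # RSA 2192 bits   left   Tue Mar 13 14:55:48 2007
    leftrsasigkey=0sAQPWLEFTKEYPLACEHOLDER
    # RSA 2192 bits   right   Sun Mar 11 02:17:24 2007
    rightrsasigkey=0sAQORIGHTKEYPLACEHOLDER
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; unindented lines open a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # 'config setup' / 'conn name'
            current = sections.setdefault(" ".join(line.split()), {})
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line.strip()}")
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections

def check_conn(sections, conn="conn network-to-network"):
    """Return a list of problems; an empty list means the conn looks ready."""
    c = sections.get(conn)
    if c is None:   # typical result of '>' instead of '>>' in the key step
        return [f"{conn} missing (was ipsec.conf overwritten?)"]
    problems = [] if "config setup" in sections else ["config setup missing"]
    for side in ("left", "right"):
        if not c.get(f"{side}rsasigkey", "").startswith("0s"):
            problems.append(f"{side}rsasigkey missing or not a 0s... RSA key")
    if c.get("leftrsasigkey") and c["leftrsasigkey"] == c.get("rightrsasigkey"):
        problems.append("left and right keys identical: both peers share one host key")
    if (c.get("authby") or sections.get("conn %default", {}).get("authby")) != "rsasig":
        problems.append("authby is not rsasig")
    return problems
```

Run it against /etc/ipsec.conf on the left server after step 6 and again on the right server after step 7; both should report no problems.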
