This article is based on a system actually deployed at my company; with small modifications it can be applied in many other places. The system has been running for two months and has so far proven safe and stable.
My company is in Beijing, but our main equipment sits in a major IDC of Nanjing Telecom, where we have two PIX 525UR firewalls (configured as a failover pair) with strict access control. To make life easier for mobile, travelling and home-office staff, we had the idea of building a VPN system: a user with the appropriate permissions connects from a personal PC to the company's VPN server over an MPPE-128 encrypted PPTP tunnel, and the VPN server then forwards the traffic to our application network in the Nanjing IDC over an IPsec tunnel. This guarantees both the security and the convenience of all of the company's application needs.
1. Hardware resources:
   One server
   One PIX 525UR firewall
2. Software resources:
   Mandrake 9.2
   kernelmod
   pptpd
   Super FreeS/WAN
   iptables
   A public IP address
Note: after testing several Linux distributions (including Red Hat, SUSE, Mandrake and Astaro), I feel Mandrake is the simplest and safest platform.
The following is the installation process:
1. Operating system installation:
There are no special requirements for the installation; when choosing components, select nothing beyond the development tools, mainly for security reasons.
2. Install kernelmod:
tar zxvf kernelmod-0.7.1.tar.gz
cd kernelmod
./kernelmod.sh
3. Install pptpd:
① Upgrade ppp:
rpm -Uvh ppp-2.4.2-0.1b3.i386.rpm
② Install pptpd:
rpm -ivh pptpd-1.1.4-1b4.fr.i386.rpm
At this point the whole installation is complete. Simple!
Note: the above packages can be found on rpmfind.net.
The following are the main configuration steps:
1. Operating system configuration:
① Upgrade OpenSSH.
② Turn off unneeded services (sendmail, ISDN, ...).
③ Edit /etc/sysctl.conf:
net.ipv4.ip_forward = 1                 (was 0; the server must route between the PPTP clients and the IPsec tunnel)
net.ipv4.conf.default.rp_filter = 0     (was 1; reverse-path filtering would drop packets returning through ipsec0)
2. PIX configuration (VPN section):
access-list inside_outbound_nat0_acl permit ip "Nanjing IP segment" 255.255.255.0 "Corporate VPN user IP segment" 255.255.255.0
access-list outside_cryptomap_20 permit ip "Nanjing IP segment" 255.255.255.0 "Corporate VPN user IP segment" 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer "IP of VPN server"
crypto map outside_map 20 set transform-set esp-3des-md5
crypto map outside_map interface outside
isakmp enable outside
isakmp key "password" address "VPN server IP" netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
(The PIX requires a sequence number on each crypto map entry and a priority on each ISAKMP policy; the original listing omitted them, and 20 is used here to match the access-list name outside_cryptomap_20.)
3. PPTP configuration
① /etc/pptpd.conf
speed 115200
option /etc/ppp/options
localip "Corporate VPN users' gateway (for example, 10.0.1.1)"
remoteip "Corporate VPN user IP segment (for example, 10.0.1.200-250)"
② /etc/ppp/chap-secrets (one line per user: client, server, secret, IP address; the server field must match the name option in /etc/ppp/options)
"username" "VPN server IP" "password" 10.0.1.20X (a fixed address for this user from the remoteip range)
③ /etc/ppp/options
lock
name "IP of VPN server"
mtu 1490
mru 1490
proxyarp
auth
-chap
-mschap
+mschap-v2
require-mppe
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
ms-dns x.x.x.x
deflate 0
4. Super FreeS/WAN configuration
① /etc/freeswan/ipsec.conf (parameter lines must be indented under their section header)
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=eth0"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
    nat_traversal=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    #leftrsasigkey=%dnsondemand
    #rightrsasigkey=%dnsondemand

conn pix
    left="VPN server IP"
    leftnexthop="Gateway of the VPN server"
    # /24 matches the 255.255.255.0 mask used in the PIX access-lists;
    # the original text had /32 here, which would cover only the single address 10.0.1.0
    leftsubnet="Corporate VPN user IP segment (for example, 10.0.1.0/24)"
    right="IP of the Nanjing PIX 525UR"
    rightnexthop=%direct
    rightsubnet="Nanjing IP segment"
    authby=secret
    pfs=no
    auto=start
② /etc/freeswan/ipsec.secrets
"VPN server IP" "Nanjing PIX 525UR IP": PSK "password"
5. iptables configuration (sample) to restrict the access rights of corporate VPN users:
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.201/32 -d "Nanjing IP segment" -j MASQUERADE
service iptables save
Notes:
1. To add a user or change a password, edit /etc/ppp/chap-secrets.
2. To set a user's access rights, edit the corresponding iptables rule.
3. If there is an access-list on the company router, add:
permit any host 219.238.213.244
4. Verify that the IPsec service started successfully:
ipsec verify
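Notes 1 and 2 above describe a small per-user routine: give each user a fixed address in chap-secrets, then give that address its own iptables rule. As an added example that is not part of the original article, the following Python checks a chap-secrets file against the pptpd remoteip pool (10.0.1.200-250, as in the example above), flags addresses assigned to more than one user, and emits the per-user NAT rule in the form used in section 5. The user names, secrets, server address 198.51.100.10 and the Nanjing segment 192.0.2.0/24 are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample /etc/ppp/chap-secrets (placeholder users and secrets).
# pppd format: client  server  secret  IP-address
CHAP_SECRETS = """\
# client        server          secret          IP addresses
"alice"         198.51.100.10   "alice-pw"      10.0.1.201
"bob"           198.51.100.10   "bob-pw"        10.0.1.202
"carol"         198.51.100.10   "carol-pw"      10.0.1.202
"dave"          198.51.100.10   "dave-pw"       10.0.1.60
"""

# The remoteip pool from the pptpd.conf example and a placeholder for the
# "Nanjing IP segment" used in the article's iptables rule.
POOL_START = ipaddress.ip_address('10.0.1.200')
POOL_END = ipaddress.ip_address('10.0.1.250')
NANJING_NET = '192.0.2.0/24'


def parse_chap_secrets(text):
    """Return [(user, server, ip)] for every non-comment line.

    Fields may be quoted; the secret is parsed but deliberately not returned."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = [f.strip('"') for f in re.findall(r'"[^"]*"|\S+', line)]
        if len(fields) < 4:
            raise ValueError('malformed chap-secrets line: ' + line)
        user, server, _secret, ip = fields[:4]
        entries.append((user, server, ipaddress.ip_address(ip)))
    return entries


def validate_assignments(entries):
    """Flag addresses outside the pptpd remoteip pool and addresses used twice."""
    problems = []
    seen = {}
    for user, _server, ip in entries:
        if not (POOL_START <= ip <= POOL_END):
            problems.append(f'{user}: {ip} outside pool {POOL_START}-{POOL_END}')
        if ip in seen:
            problems.append(f'{user}: {ip} already assigned to {seen[ip]}')
        else:
            seen[ip] = user
    return problems


def iptables_rules(entries, allowed_users, dest_net=NANJING_NET):
    """Per-user NAT rules in the article's form; only users in allowed_users get one."""
    rules = []
    for user, _server, ip in entries:
        if user in allowed_users:
            rules.append(f'iptables -t nat -A POSTROUTING -o eth0 '
                         f'-s {ip}/32 -d {dest_net} -j MASQUERADE')
    return rules


if __name__ == '__main__':
    users = parse_chap_secrets(CHAP_SECRETS)
    for problem in validate_assignments(users):
        print('PROBLEM:', problem)
    for rule in iptables_rules(users, {'alice', 'bob'}):
        print(rule)
```

Two points worth keeping in mind when using this: a NAT rule by itself only rewrites addresses, so denying the users who have no rule also needs a FORWARD chain whose default policy drops everything not explicitly accepted; and chap-secrets holds cleartext passwords, so the file should stay readable by root only (mode 600).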