Article Title: Master advanced Linux: setting up the simplest VPN system.
Our company is located in Beijing, but the main equipment is hosted in one of the main IDCs of Nanjing Telecom, behind two of our PIX 525UR firewalls (with failover) that enforce strict access control. To support mobile staff, business trips and people working from home, we decided to build a VPN system: users with the appropriate permissions connect from their own PC to the company's VPN server over an encrypted PPTP tunnel with MPPE128, and the VPN server then forwards their traffic to our application network in the Nanjing IDC over an IPsec-based VPN tunnel. This gives us both security and convenience for all of the company's application requirements.
1. Hardware resources: one server
One PIX 525UR firewall
2. Software resources: Mandrake 9.2
kernelmod
pptpd
super-freeswan
iptables
A public IP address
Note: After I tested several Linux systems (including Red Hat, SuSE, Mandrake, and Astaro), I felt that Mandrake was the simplest and safest platform.
The installation process is as follows:
1. Operating System installation:
There are no special requirements for the installation process. When selecting components, only the development tools were selected and nothing else was installed, mainly for security reasons.
2. Install kernelmod:
tar zxvf kernelmod-0.7.1.tar.gz
cd kernelmod
./kernelmod.sh
3. Install pptpd:
① Upgrade ppp
rpm -Uvh ppp-2.4.2-0.1b3.i386.rpm
② Install pptpd
rpm -ivh pptpd-1.1.4-1b4.fr.i386.rpm
4. Install super-freeswan:
rpm -ivh super-freeswan-1.99.8-8.2.100mdk.i586.rpm
5. Upgrade iptables:
rpm -Uvh iptables-1.2.8-12.i386.rpm
The installation process is now complete.
Note: All of the above packages can be found on rpmfind.net.
The following is the main configuration process:
1. Operating System Configuration:
① Upgrade openssh
② Disable unneeded services (sendmail, isdn, ...)
③ Edit /etc/sysctl.conf
net.ipv4.ip_forward = 0 => 1
net.ipv4.conf.default.rp_filter = 1 => 0
2. PIX configuration (VPN part):
access-list inside_outbound_nat0_acl permit ip "Nanjing IP segment" 255.255.255.0 "IP segment of the company VPN users" 255.255.255.0
access-list outside_cryptomap_20 permit ip "Nanjing IP segment" 255.255.255.0 "IP segment of the company VPN users" 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer "IP address of the VPN server"
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key "password" address "VPN server IP" netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
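As an added example (not part of the article), a POSIX shell check that reads a PIX fragment shaped like the one above and confirms that the crypto map's peer address, transform-set and match ACL all resolve to objects defined elsewhere in the config, and that decrypted IPsec traffic is actually permitted. The addresses and pre-shared key in the sample are constructed placeholders, not the article's values.

```shell
# Constructed sample in the shape of the article's PIX fragment (placeholder addresses/key).
SAMPLE_PIX_CFG='access-list inside_outbound_nat0_acl permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.0.2.10
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 192.0.2.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5'

# check_pix_vpn CONFIG_TEXT: print one line per inconsistency; return 0 if clean, 1 otherwise.
check_pix_vpn() {
  cfg=$1; rc=0
  # Names and address the crypto map points at
  peer=$(printf '%s\n' "$cfg" | awk '/^crypto map .* set peer /{print $NF}')
  tset=$(printf '%s\n' "$cfg" | awk '/^crypto map .* set transform-set /{print $NF}')
  acl=$(printf '%s\n' "$cfg" | awk '/^crypto map .* match address /{print $NF}')
  # The pre-shared key must be bound to the same peer address the crypto map uses
  if ! printf '%s\n' "$cfg" | grep -q "^isakmp key .* address $peer "; then
    echo "no isakmp key for peer $peer"; rc=1
  fi
  # The transform-set and the ACL the map references must actually be defined
  if ! printf '%s\n' "$cfg" | grep -q "^crypto ipsec transform-set $tset "; then
    echo "transform-set $tset is not defined"; rc=1
  fi
  if ! printf '%s\n' "$cfg" | grep -q "^access-list $acl permit "; then
    echo "ACL $acl is not defined"; rc=1
  fi
  # Without sysopt connection permit-ipsec, decrypted VPN traffic would still have to
  # be permitted by the outside interface ACL
  if ! printf '%s\n' "$cfg" | grep -q '^sysopt connection permit-ipsec$'; then
    echo "sysopt connection permit-ipsec is missing"; rc=1
  fi
  return $rc
}

check_pix_vpn "$SAMPLE_PIX_CFG" && echo "PIX VPN fragment is consistent"
```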