Master advanced Linux setup of the simplest VPN System

Source: Internet
Author: User
Tags: secure vpn

The company is located in Beijing, but the main equipment is housed in one of the main IDCs of Nanjing Telecom, behind two of our PIX525UR firewalls (with Failover) that enforce strict access control. To make life easier for mobile staff, people on business trips, and staff working from home, we decided to build a VPN system: a user with the corresponding permissions connects from a personal PC to the company's VPN Server through an encrypted tunnel supporting MPPE128, and the VPN Server then forwards the data to the company's application network in the Nanjing IDC over an IPsec-based secure VPN tunnel. This meets all of the company's application requirements both securely and conveniently.

1. Hardware resources:

One server

One PIX 525UR firewall

2. Software resources:

Mandrake 9.2

kernelmod

pptpd

Super-freeswan

iptables

One public IP address

Note: After I tested several Linux systems (including Redhat, SuSE, Mandrake, and Astaro), I felt that Mandrake was the simplest and safest platform.

The installation process is as follows:

1. Operating system installation:

There are no special requirements for the installation process. When selecting components, install nothing beyond the development tools; this is mainly a security consideration, since every package left out is one less service to harden.

2. Install kernelmod:

tar zxvf kernelmod-0.7.1.tar.gz

cd kernelmod

./kernelmod.sh

3. Install pptpd:

① Upgrade ppp

rpm -Uvh ppp-2.4.2-0.1b3.i386.rpm

② Install pptpd

rpm -ivh pptpd-1.1.4-1b4.fr.i386.rpm

4. Install Super-freeswan:

rpm -ivh super-freeswan-1.99.8-8.2.100mdk.i586.rpm

5. Upgrade iptables:

rpm -Uvh iptables-1.2.8-12.i386.rpm

The installation process is now complete.

Note: All of the above packages can be found at rpmfind.net.

The following is the main configuration process:

1. Operating system configuration:

① Upgrade openssh

② Disable unneeded services (sendmail, isdn, ...)

③ Edit /etc/sysctl.conf:

net.ipv4.ip_forward = 0 => 1

net.ipv4.conf.default.rp_filter = 1 => 0

2. PIX configuration file (VPN part):

access-list inside_outbound_nat0_acl permit ip "Nanjing IP segment" 255.255.255.0 "IP segment of the company VPN users" 255.255.255.0
access-list outside_cryptomap_20 permit ip "Nanjing IP segment" 255.255.255.0 "IP segment of the company VPN users" 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer "IP address of the VPN Server"
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key "password" address "VPN Server IP" netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
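The nat 0 ACL and the crypto-map ACL above must select exactly the same subnet pairs, and a mistyped netmask in either one silently breaks the tunnel. The following Python script is an added example written for this page, not code from the original article: it parses the access-list, nat 0 and crypto map lines of a PIX configuration and reports a malformed mask or a mismatch between the two ACLs. The subnets in the sample are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample modelled on the article's PIX lines: 10.1.1.0/24 stands in for
# the "Nanjing IP segment" and 192.168.100.0/24 for the VPN user segment (placeholders,
# not real addressing). The first line keeps a five-octet mask typo for the check to catch.
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
# The same config with the mask corrected to 255.255.255.0.
FIXED_CONFIG = PIX_CONFIG.replace("255.255.255.255.0", "255.255.255.0")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$", re.M)
CMAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)

def parse_acls(config):
    """Return ({acl_name: {(src_net, dst_net), ...}}, [error strings]).
    ipaddress rejects a mask that is not a contiguous dotted quad, e.g. the
    five-octet 255.255.255.255.0, so a typo is reported rather than guessed."""
    acls, errors = {}, []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        try:
            pair = (ipaddress.IPv4Network(f"{src}/{smask}", strict=False),
                    ipaddress.IPv4Network(f"{dst}/{dmask}", strict=False))
        except ValueError as e:
            errors.append(f"{name}: {e}")
            continue
        acls.setdefault(name, set()).add(pair)
    return acls, errors

def check_vpn_acls(config):
    """Return a list of problems; empty means the IPsec ACLs are consistent.
    The nat 0 ACL and the crypto-map ACL must select the same subnet pairs, so
    VPN-user traffic is both exempted from NAT and matched into the tunnel."""
    acls, errors = parse_acls(config)
    nat0, cmap = NAT0_RE.search(config), CMAP_RE.search(config)
    if not nat0 or not cmap:
        return errors + ["nat 0 or crypto map match-address line missing"]
    if acls.get(nat0.group(1)) != acls.get(cmap.group(1)):
        errors.append(f"{nat0.group(1)} and {cmap.group(1)} select different subnet pairs")
    return errors
```

Run `check_vpn_acls` against the running config pasted from `show running-config`; the sample with the typo yields two findings, the corrected one none.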

