II. RSA Authentication Method
(1) Net-to-net connection
1. Network Environment
Left network -----> Left Gateway ----------|---------- Right Gateway -----> Right network
192.168.1.0/24      eth0: 192.168.1.1                 eth0: 172.16.1.1     172.16.1.0/24
GW: 192.168.1.1     eth1: 1.1.1.1                     eth1: 1.1.1.2        GW: 172.16.1.1
                    GW: 1.1.1.2                       GW: 1.1.1.2
In addition to the IP addresses above, each gateway needs an identifier (ID) so that the two peers can recognise each other during the IPsec negotiation. You can use the gateway's FQDN or any other name, for example @left; the names are chosen by you.
2. Obtain the rsasigkey (the RSA public key) of each gateway and save it.
On the left gateway:
# ipsec showhostkey --left
On the right gateway:
# ipsec showhostkey --right
3. Configure the main Openswan configuration file /etc/ipsec.conf on the left gateway.
Add a new connection; the connection definition must be identical on the left gateway and the right gateway.
# vim /etc/ipsec.conf
# add the connection here
conn net-to-net
    left=1.1.1.1                  # Internet address of the left gateway
    # rsakey AQNYfk+V8: public key of the left gateway, as printed by "ipsec showhostkey --left" on it
    leftrsasigkey=0sAQNYfk+V8...  # the rest of the key is garbled in the source; paste the complete value
    leftsubnet=192.168.1.0/24     # intranet segment behind the left gateway
    leftid=@left                  # ID of the left gateway
    leftnexthop=%defaultroute     # next hop of the left gateway is its default route
    right=1.1.1.2                 # Internet address of the right gateway
    # rsakey AQNYfk+V8: public key of the right gateway, as printed by "ipsec showhostkey --right" on it
    rightrsasigkey=0sAQNYfk+V8... # garbled in the source; paste the right gateway's own key, which differs from the left one
    rightsubnet=172.16.1.0/24     # intranet segment behind the right gateway
    rightid=@right                # ID of the right gateway
    rightnexthop=%defaultroute    # next hop of the right gateway is its default route
    auto=start                    # load this connection and bring it up when ipsec starts
4. Configure iptables on the left and right gateways. The "-d !" exclusion keeps traffic for the remote subnet out of NAT: a packet masqueraded to the gateway's own address would no longer match the leftsubnet/rightsubnet policy and would leave eth1 unencrypted.
I. On the left gateway:
# iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 172.16.1.0/24 -j MASQUERADE
II. On the right gateway:
# iptables -t nat -A POSTROUTING -o eth1 -s 172.16.1.0/24 -d ! 192.168.1.0/24 -j MASQUERADE
5. Start IPsec and bring up the connection
# service ipsec start
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.34/K2.6.18-164.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'IP' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptable' command [OK]
Opportunistic Encryption Support [DISABLED]
# ipsec auto --up net-to-net
If the last line of the output reads "IPsec SA established", the connection is up.
6. Test the connection.
From a host on the left intranet, ping a host on the right intranet:
ping 172.16.1.2
Meanwhile, run the following on the left gateway to watch its outer interface:
# tcpdump -i eth1 -n host 1.1.1.1 and 1.1.1.2
20:13:32.485925 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16b), length 100
20:13:33.484953 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16c), length 100
20:13:33.487009 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16c), length 100
20:13:34.486172 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16d), length 100
20:13:34.488086 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16d), length 100
20:13:35.487436 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16e), length 100
20:13:35.489995 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16e), length 100
20:13:36.488668 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16f), length 100
20:13:36.490382 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16f), length 100
20:13:37.489973 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x170), length 100
20:13:37.492400 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x170), length 100
Note: this definition only covers net-to-net traffic; gateway-to-gateway and gateway-to-subnet traffic is not protected by it. If you need that, for example because one gateway also acts as a file server, you have to define additional connections.
(2) Road Warrior
1. Network Environment
Left network -----> Left Gateway -----------------> Laptop (Linux)
192.168.1.0/24      eth0: 192.168.1.1               eth1: 1.1.1.2
                    eth1: 1.1.1.1                   GW: 1.1.1.2
                    GW: 1.1.1.2
2. Each side again needs the other side's public key; the laptop is the right side. Obtain the keys as in the net-to-net setup.
3. Append the following to the main configuration file on the left gateway:
# vim /etc/ipsec.conf
conn road
    left=1.1.1.1                  # the gateway itself
    leftid=@vpnserver
    leftsubnet=192.168.1.0/24
    # rsakey AQOebBxva: public key of the gateway
    leftrsasigkey=0sAQOebBxva...  # the rest of the key is garbled in the source; paste the complete value
    # leftnexthop=%defaultroute
    right=%any                    # the laptop's address is not known in advance
    rightid=@laptop
    # rsakey AQOebBxva: public key of the laptop
    rightrsasigkey=0sAQOebBxva... # garbled in the source; paste the laptop's own key, which differs from the gateway's
    # rightnexthop=%defaultroute
    auto=start                    # with right=%any the gateway cannot initiate; it only loads the conn and waits for the laptop (auto=add has the same effect)
4. Add the following to the main configuration file on the laptop:
# vim /etc/ipsec.conf
conn road
    left=%defaultroute            # the laptop's own address, taken from its default route
    # rsakey AQNYfk+V8: public key of the laptop
    leftrsasigkey=0sAQNYfk+V8...  # the rest of the key is garbled in the source; paste the complete value
    right=1.1.1.1                 # the VPN gateway
    # leftsubnet=192.168.1.0/24
    leftid=@laptop
    # leftnexthop=%defaultroute
    rightsubnet=192.168.1.0/24    # intranet behind the gateway
    rightid=@vpnserver
    # rsakey AQNYfk+V8: public key of the gateway
    rightrsasigkey=0sAQNYfk+V8... # garbled in the source; paste the gateway's own key, which differs from the laptop's
    auto=start
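A consistency check over ipsec.conf conn blocks, added here as an example (it is not part of the article or of Openswan): it pulls values out of a named conn and flags the two defects visible in the net-to-net and road configs above, the same rsasigkey on both sides of a connection, and auto=start on a gateway whose peer is right=%any. The conn text and the key strings are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample: the two conn blocks from this article with the RSA keys
# replaced by placeholders (not real keys); it keeps the article's two defects.
SAMPLE_CONF='conn net-to-net
    left=1.1.1.1
    leftrsasigkey=0sAQNYfkPLACEHOLDERLEFT   # placeholder, not a real key
    leftsubnet=192.168.1.0/24
    right=1.1.1.2
    rightrsasigkey=0sAQNYfkPLACEHOLDERLEFT  # same key pasted again
    rightsubnet=172.16.1.0/24
    auto=start
conn road
    left=1.1.1.1
    leftid=@vpnserver
    leftrsasigkey=0sAQOebBxvaPLACEHOLDERGW
    right=%any
    rightid=@laptop
    rightrsasigkey=0sAQNYfkPLACEHOLDERLAPTOP
    auto=start'

# conn_value CONF CONN KEY: print KEY's value from section "conn CONN",
# without leading whitespace or a trailing comment (empty if absent).
conn_value() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/ { insec = ($2 == conn); next }
        insec && $0 ~ ("^[ \t]*" key "=") {
            sub("^[ \t]*" key "=", ""); sub("[ \t]*(#.*)?$", ""); print; exit
        }'
}

# check_conn CONF CONN: print one line per problem; return the problem count.
check_conn() {
    lk=$(conn_value "$1" "$2" leftrsasigkey)
    rk=$(conn_value "$1" "$2" rightrsasigkey)
    n=0
    # Every key printed by "ipsec showhostkey" starts with the 0s prefix.
    case "$lk" in 0s[A-Za-z0-9+/]*) ;; *) echo "leftrsasigkey missing or malformed"; n=$((n+1));; esac
    case "$rk" in 0s[A-Za-z0-9+/]*) ;; *) echo "rightrsasigkey missing or malformed"; n=$((n+1));; esac
    # The left and right keys belong to two different hosts; equal values mean
    # one peer's key was pasted twice and the other peer can never authenticate.
    if [ -n "$lk" ] && [ "$lk" = "$rk" ]; then
        echo "left and right rsasigkey are identical"; n=$((n+1))
    fi
    # A gateway cannot initiate IKE towards right=%any; auto=add is what is meant.
    if [ "$(conn_value "$1" "$2" right)" = "%any" ] && [ "$(conn_value "$1" "$2" auto)" = start ]; then
        echo "right=%any with auto=start: the gateway can only wait, use auto=add"; n=$((n+1))
    fi
    return $n
}
```

Run it as check_conn "$(cat /etc/ipsec.conf)" net-to-net on each gateway before ipsec auto --up; a zero return means no problem was found.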
5. Start the IPsec connection
# service ipsec start
The Road Warrior connection must be initiated from the laptop:
# ipsec auto --up road
6. Test the connection.
From the laptop, ping a node behind the remote gateway, not the gateway itself, and watch eth1 with tcpdump as before:
19:15:20.978391 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x0cbb5cbr,seq=0x313), length 132
19:15:20.979030 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x46fa942f,seq=0x313), length 132
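Added example, not from the article: a POSIX shell/awk check over tcpdump output such as the captures in the net-to-net and Road Warrior test steps. It asserts that every packet touching a gateway address is ESP (or IKE) and that ESP sequence numbers advance by one per SPI. The capture lines are constructed: the ESP lines mirror the article's, while the isakmp line, the cleartext ICMP line and the sequence jump are added to show what the check catches.

```shell
#!/bin/sh
# Constructed sample in the format printed by "tcpdump -i eth1 -n": the ESP
# lines follow this article's capture; the isakmp line is a normal IKE exchange.
CAPTURE_OK='20:13:32.485925 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16b), length 100
20:13:33.484953 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16c), length 100
20:13:33.487009 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16c), length 100
20:13:34.486172 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16d), length 100
20:13:34.500000 IP 1.1.1.1.500 > 1.1.1.2.500: isakmp: phase 2/others ? inf[E]: [encrypted hash]'
# Constructed failures: a ping that left in the clear (masqueraded to the gateway
# address because the NAT rule did not exclude the remote subnet) and an ESP sequence jump.
CAPTURE_BAD="$CAPTURE_OK
20:13:35.100000 IP 1.1.1.1 > 172.16.1.2: ICMP echo request, id 1, seq 7, length 84
20:13:35.486172 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x171), length 100"

# tunnel_check GW_A GW_B: read tcpdump lines on stdin. Any packet touching a
# gateway address must be ESP (or IKE), and ESP sequence numbers must advance
# by exactly one per SPI. Prints findings; exits 0 if clean, 1 otherwise.
tunnel_check() {
    awk -v a="$1" -v b="$2" '
        function hex(h,  i, v) { v = 0
            for (i = 1; i <= length(h); i++) v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return v }
        function peer(ip) { return ip == a || ip == b || index(ip, a ".") == 1 || index(ip, b ".") == 1 }
        {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (!peer(src) && !peer(dst)) next
            proto = ($6 == "UDP-encap:") ? $7 : $6        # NAT-T wraps ESP in UDP 4500
            if (proto ~ /^ESP\(/) {
                match(proto, /spi=0x[0-9a-f]+/); spi = substr(proto, RSTART + 4, RLENGTH - 4)
                match(proto, /seq=0x[0-9a-f]+/); seq = hex(substr(proto, RSTART + 6, RLENGTH - 6))
                if (spi in last && seq != last[spi] + 1) { printf "sequence gap on spi %s: %d -> %d\n", spi, last[spi], seq; bad++ }
                last[spi] = seq; cnt[spi]++; next
            }
            if (proto ~ /^isakmp/) next                   # IKE on udp 500/4500 is expected
            printf "cleartext packet touching a gateway: %s\n", $0; bad++
        }
        END { for (s in cnt) printf "spi %s: %d ESP packets\n", s, cnt[s]; exit (bad > 0) }'
}
```

On a live gateway, feed it with tcpdump -i eth1 -n -l | tunnel_check 1.1.1.1 1.1.1.2 (without the host filter, so a leaked packet to an intranet address is seen too).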
This article is from the "Gone with the wind" blog