Openswan is a Linux ipsec vpn Server (2)

 

Ii. RSA Authentication Method

(1) net-to-net connection method

1. Network Environment

Left network subnet --- à left GateWay subnet ----- | ------ à Right Gateway subnet ---- à Right network

192.168.1.0/24 eth0: 192.168.1.1 eth0: 172.16.1.1 172.16.1.0

GW192.168.1.1 eth1: 1.1.1.1 eth1: 1.1.1.2 GW: 172.16.1.1

GW: 1.1.1.2 GW: 1.1.1.2

In addition to the above IP address information, you should also set a gateway for each gateway to identify each other in IPSEC negotiation, you can use the gateway's own FWDN, or other names, for example, @ left. Of course, these names can be compiled by yourself.

2. Get rsasigkey and save the obtained rsa

Obtain rsasigkey on Left Gateway

# Ipsec showhostkey -- letf

Obtain rsasigkey on Right Gateway

# Ipsec showhostkey -- right

3. Configure the master configuration file/etc/ipsec. conf of openswan on the Left GateWay.

Add a new connection and ensure that the configuration files in left GATEWAY and right GATEWAY are the same.

# Vim/etc/ipsec. conf

# Add connection here

Conn net-to-net

Left = 1.1.1.1 # left Gateway

# Rsakey AQNYfk + V8 # public key of the left Gateway, which is also obtained from the RSA

Leftrsasigkey = 0 sAQNYfk + response/I + tktkte3by1_skv + response/B9bjne11hHKsJQCu/response + response/response + avsn6SfXOImrDyp2DZ2 + response

Leftsubnet = 192.168.1.0/24 # Intranet segment of the left Gateway

Leftid = @ left # left network ID

Leftnexthop = % defaultroute # indicates the default route for the custom gateway.

Right = 1.1.1.2 # Internet IP address of the right Gateway

# Rsakey AQNYfk + V8 # Right gateway Public Key

Rightrsasigkey = 0 sAQNYfk + response/I + tktkte3by1_skv + response/B9bjne11hHKsJQCu/response + response/response + avsn6SfXOImrDyp2DZ2 + response

Rightsubnet = 172.16.1.0/24 # Intranet segment of the right Gateway

Rightid = @ right # ID of the right Gateway

Rightnexthop = % defaultroute # specify the next hop of the right gateway as the default route address.

Auto = start # Add this link and automatically connect at startup

4. Configure iptables on the left and right gateways respectively.

I configure the gateway as follows:

# Iptables-t nat-a postrouting-o eth1-s 192.168.1.0/24-d! 172.16.1.0/24-j MASQUERADE

II configure iptables on the right Gateway

# Iptables-t nat-a postrouting-o eth1-s 172.16.1.0/24-d! 192.168.1.0/24-j MASQUERADE

5. Start ipsec and connect

# Service ipsec start

# Ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path [OK]

Linux Openswan U2.6.34/K2.6.18-164. el5 (netkey)

Checking for IPsec support in kernel [OK]

SAref kernel support [N/A]

NETKEY: Testing XFRM related proc values [OK]

[OK]

[OK]

Checking that pluto is running [OK]

Pluto listening for IKE on udp 500 [OK]

Pluto listening for NAT-T on udp 4500 [OK]

Two or more interfaces found, checking IP forwarding [OK]

Checking NAT and MASQUERADEing

Checking for 'IP' command [OK]

Checking/bin/sh is not/bin/dash [OK]

Checking for 'iptable' command [OK]

Opportunistic Encryption Support [DISABLED]

# Ipsec auto -- up net-to-net

If IPsec SA established appears in the final output line, the connection is successful.

 

6. Test the connection.

In the left-side Intranet, ping

Ping 172.16.1.2

Run the following command on the gateway on the left

# Tcpdump-I eth1-n host 1.1.1.1 and 1.1.1.2

 

20:13:32. 485925 IP 1.1.1.2> 1.1.1.1: ESP (spi = 0x5dd784dd, seq = 0x16b), length

100

20:13:33. 484953 IP 1.1.1.1> 1.1.1.2: ESP (spi = 0x6b26c2e7, seq = 0x16c), length

100

20:13:33. 487009 IP 1.1.1.2> 1.1.1.1: ESP (spi = 0x5dd784dd, seq = 0x16c), length

100

20:13:34. 486172 IP 1.1.1.1> 1.1.1.2: ESP (spi = 0x6b26c2e7, seq = 0x16d), length

100

20:13:34. 488086 IP 1.1.1.2> 1.1.1.1: ESP (spi = 0x5dd784dd, seq = 0x16d), length

100

20:13:35. 487436 IP 1.1.1.1> 1.1.1.2: ESP (spi = 0x6b26c2e7, seq = 0x16e), length

100

20:13:35. 489995 IP 1.1.1.2> 1.1.1.1: ESP (spi = 0x5dd784dd, seq = 0x16e), length

100

20:13:36. 488668 IP 1.1.1.1> 1.1.1.2: ESP (spi = 0x6b26c2e7, seq = 0x16f), length

100

20:13:36. 490382 IP 1.1.1.2> 1.1.1.1: ESP (spi = 0x5dd784dd, seq = 0x16f), length

100

20:13:37. 489973 IP 1.1.1.1> 1.1.1.2: ESP (spi = 0x6b26c2e7, seq = 0x170), length

100

20:13:37. 492400 IP 1.1.1.2> 1.1.1.1: ESP (spi = 0x5dd784dd, seq = 0x170), length

100

Note: Only net-to-net connections can be established in this way, and the connections between gateway-gateway and gateway-subnet cannot be ensured. if you want to use this connection, for example, when one party's gateway is still a file server, you need to establish additional connections.

 

(2) Road Warrior

1. Network Environment

Left network connectivity --- à Left GateWay connectivity ------ à laptop (Linux)

192.168.1.0/24 eth0: 192.168.1.1 eth1: 1.1.1.2

Eth1: 1.1.1.1 GW 1.1.1.2

GW: 1.1.1.2

 

2. You also need to obtain the public key of the other party. The laptop is right. The configuration method is similar to that of net-to-net.

 

3. Add the following at the end of the main road configuration file:

# Vim/etc/ipsec. conf

Conn road

Left = 1.1.1.1

Leftid = @ vpnserver

Leftsubnet = 192.168.1.0/24

# Rsakey AQOebBxva

Leftrsasigkey = release/PaU + OKmIA4MwXgAextJ + release/v4tWI/release/Oc/release/+ vb7etAOAt4QAp/U6dE4/L + release

 

# Leftnexthop = % defaultroute

Right = % any

Rightid = @ laptop

# Rsakey AQOebBxva

Rightrsasigkey = encrypt/decrypt/PaU + OKmIA4MwXgAextJ + encrypt/v4tWI/average/Oc/average/+ vb7etAOAt4QAp/U6dE4/L + merge

# Rightnexthop = % defaultroute

Auto = start

4. Add the following content to the master configuration file ON laptop:

# Vim/etc/ipsec. conf

Conn road

Left = % defaultroute

# Rsakey AQNYfk + V8

Leftrsasigkey = 0 sAQNYfk + response/I + tktkte3by1_skv + response/B9bjne11hHKsJQCu/response + response/response + avsn6SfXOImrDyp2DZ2 + response

Right = 1.1.1.1

# Leftsubnet = 192.168.1.0/24

Leftid = @ laptop

# Leftnexthop = % defaultroute

Rightsubnet = 192.168.1.0/24

Rightid = @ vpnserver

# Rsakey AQNYfk + V8

Rightrsasigkey = 0 sAQNYfk + response/I + tktkte3by1_skv + response/B9bjne11hHKsJQCu/response + response/response + avsn6SfXOImrDyp2DZ2 + response

Auto = start

 

5. Start ipsec connection

# Service ipsec start

The Road Worrior connection must be performed on the laptop end.

# Ipsec auto -- up road

6. Test the connection.

On the laptop side, ping the remote gateway to a node and test it. Do not ping the gateway.

19:15:20. 978391 IP 1.1.1.2> 1.1.1.1: ESP (spi = 0x0cbb5cbr, seq = 0x313), length 132

19:15:20. 979030 IP 1.1.1.1> 1.1.1.2: ESP (spi = 0x46fa942f, seq = 0x313), length 132

This article is from the "Gone with the wind" blog