Openswan is a Linux ipsec vpn Server (2)

Source: Internet
Author: User

 

II. RSA Authentication Method

(1) net-to-net connection method

1. Network Environment

Left subnet         Left gateway            Right gateway           Right subnet
192.168.1.0/24 -->  eth0: 192.168.1.1 --- Internet --- eth0: 172.16.1.1  <-- 172.16.1.0
GW 192.168.1.1      eth1: 1.1.1.1           eth1: 1.1.1.2           GW: 172.16.1.1
                    GW: 1.1.1.2             GW: 1.1.1.2

In addition to the IP addresses above, each gateway needs an identifier so that the two sides can recognise each other during IPsec (IKE) negotiation. This can be the gateway's FQDN or any other name, for example @left; the names are chosen freely, they only have to match on both sides.

2. Obtain the RSA signing key (rsasigkey) of each gateway and save the output

Obtain the rsasigkey on the left gateway:

# ipsec showhostkey --left

Obtain the rsasigkey on the right gateway:

# ipsec showhostkey --right

Each command prints a commented "# rsakey ..." line and a leftrsasigkey= or rightrsasigkey= line holding the public key as "0s" followed by base64; that line is pasted into the connection definition below.

3. Configure the main Openswan configuration file /etc/ipsec.conf on the left gateway.

Add a new connection. The conn block must be identical on the left gateway and the right gateway.

# vim /etc/ipsec.conf

# add the connection below
conn net-to-net
        left=1.1.1.1                  # public (eth1) IP address of the left gateway
        # rsakey AQNYfk+V8            # key id line printed by ipsec showhostkey --left
        leftrsasigkey=0sAQNYfk+response/I+tktkte3by1_skv+response/B9bjne11hHKsJQCu/response+response/response+avsn6SfXOImrDyp2DZ2+response
                                      # public key of the left gateway; the value shown in the source is
                                      # garbled, paste the complete 0s... string printed by ipsec showhostkey --left
        leftsubnet=192.168.1.0/24     # intranet behind the left gateway
        leftid=@left                  # identity the left gateway presents during IKE
        leftnexthop=%defaultroute     # next hop toward the peer: the left gateway's default route
        right=1.1.1.2                 # public (eth1) IP address of the right gateway
        # rsakey AQNYfk+V8            # key id line printed by ipsec showhostkey --right
        rightrsasigkey=0sAQNYfk+response/I+tktkte3by1_skv+response/B9bjne11hHKsJQCu/response+response/response+avsn6SfXOImrDyp2DZ2+response
                                      # public key of the right gateway; garbled in the source as above,
                                      # paste the complete 0s... string printed by ipsec showhostkey --right
        rightsubnet=172.16.1.0/24     # intranet behind the right gateway
        rightid=@right                # identity of the right gateway
        rightnexthop=%defaultroute    # next hop toward the peer: the right gateway's default route
        auto=start                    # load the connection and bring it up when ipsec starts

4. Configure iptables on the left and right gateways.

Traffic destined for the remote intranet must not be masqueraded, otherwise the packets no longer match the subnet-to-subnet IPsec policy and leave the gateway unencrypted; the "! -d" exclusion below keeps it out of the NAT rule.

(1) On the left gateway:

# iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 ! -d 172.16.1.0/24 -j MASQUERADE

(2) On the right gateway:

# iptables -t nat -A POSTROUTING -o eth1 -s 172.16.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

5. Start ipsec and bring the connection up

# service ipsec start

# ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path [OK]

Linux Openswan U2.6.34/K2.6.18-164. el5 (netkey)

Checking for IPsec support in kernel [OK]

SAref kernel support [N/A]

NETKEY: Testing XFRM related proc values [OK]

[OK]

[OK]

Checking that pluto is running [OK]

Pluto listening for IKE on udp 500 [OK]

Pluto listening for NAT-T on udp 4500 [OK]

Two or more interfaces found, checking IP forwarding [OK]

Checking NAT and MASQUERADEing

Checking for 'IP' command [OK]

Checking /bin/sh is not /bin/dash [OK]

Checking for 'iptable' command [OK]

Opportunistic Encryption Support [DISABLED]

# ipsec auto --up net-to-net

If the last line of the output reads "IPsec SA established", the tunnel is up.

 

6. Test the connection.

From a host on the left intranet, ping a host on the right intranet:

ping 172.16.1.2

Meanwhile, on the left gateway, watch the outer interface. Only ESP packets should be seen between the two gateway addresses:

# tcpdump -i eth1 -n host 1.1.1.1 and 1.1.1.2

 

20:13:32.485925 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16b), length 100
20:13:33.484953 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16c), length 100
20:13:33.487009 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16c), length 100
20:13:34.486172 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16d), length 100
20:13:34.488086 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16d), length 100
20:13:35.487436 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16e), length 100
20:13:35.489995 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16e), length 100
20:13:36.488668 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16f), length 100
20:13:36.490382 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16f), length 100
20:13:37.489973 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x170), length 100
20:13:37.492400 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x170), length 100
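The capture above is the only evidence this test gives that the traffic is actually encrypted, so it is worth reading it mechanically rather than by eye. The following Python script is an added example, not code from the original article or from Openswan: it parses tcpdump lines in the format shown, groups ESP packets by source, destination and SPI, checks that the ESP sequence numbers advance by one in each direction (a gap means loss, a repeat means a duplicated or replayed packet), confirms that ESP flows both ways, and reports any non-ESP, non-IKE packet as cleartext that bypassed the tunnel. The sample capture repeats the eleven lines above; the ICMP line is constructed, and the function names are this example's own.

```python
"""Added example, not code from the original article or from Openswan:
a checker for tcpdump lines in the format shown in step 6.  The capture
below repeats the lines from the text; the ICMP line is constructed.
"""
import re
from collections import defaultdict

ESP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\), length (?P<len>\d+)"
)
IP_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<proto>\w+)")


def parse_line(line):
    """Return a dict for an ESP packet, a dict for any other IP packet, or None."""
    m = ESP_RE.match(line)
    if m:
        return {"kind": "esp", "src": m["src"], "dst": m["dst"],
                "spi": int(m["spi"], 16), "seq": int(m["seq"], 16),
                "length": int(m["len"])}
    m = IP_RE.match(line)
    if m:
        return {"kind": "plain", "src": m["src"], "dst": m["dst"],
                "proto": m["proto"]}
    return None


def analyze(lines):
    """Group ESP packets by (src, dst, spi) and report sequence gaps,
    repeated sequence numbers and non-ESP traffic.  IKE (isakmp) is
    expected in the clear on udp 500/4500 and is not reported."""
    flows = defaultdict(list)            # (src, dst, spi) -> [seq, ...]
    report = {"gaps": [], "repeats": [], "cleartext": []}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["kind"] == "esp":
            flows[(pkt["src"], pkt["dst"], pkt["spi"])].append(pkt["seq"])
        elif pkt["proto"].lower() != "isakmp":
            report["cleartext"].append((pkt["src"], pkt["dst"], pkt["proto"]))
    for key, seqs in flows.items():
        for prev, cur in zip(seqs, seqs[1:]):
            if cur == prev:
                report["repeats"].append((key, cur))
            elif cur != prev + 1:
                report["gaps"].append((key, prev, cur))
    report["directions"] = {(s, d) for (s, d, _) in flows}
    report["packets"] = {k: len(v) for k, v in flows.items()}
    return report


def tunnel_ok(lines, a, b):
    """ESP flows both ways between a and b, in order, with nothing in the clear."""
    r = analyze(lines)
    return ({(a, b), (b, a)} <= r["directions"]
            and not r["gaps"] and not r["repeats"] and not r["cleartext"])


# The eleven capture lines shown in the text, in tcpdump's native layout.
CAPTURE = """\
20:13:32.485925 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16b), length 100
20:13:33.484953 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16c), length 100
20:13:33.487009 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16c), length 100
20:13:34.486172 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16d), length 100
20:13:34.488086 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16d), length 100
20:13:35.487436 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16e), length 100
20:13:35.489995 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16e), length 100
20:13:36.488668 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16f), length 100
20:13:36.490382 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16f), length 100
20:13:37.489973 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x170), length 100
20:13:37.492400 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x170), length 100
""".splitlines()

# Constructed line: a ping that left the gateway unencrypted (tunnel bypassed).
LEAK_LINE = ("20:13:38.000000 IP 192.168.1.10 > 172.16.1.2: "
             "ICMP echo request, id 1, seq 1, length 64")

if __name__ == "__main__":
    print("tunnel ok:", tunnel_ok(CAPTURE, "1.1.1.1", "1.1.1.2"))
    print("with leak:", analyze(CAPTURE + [LEAK_LINE])["cleartext"])
```

The strict "advance by one" rule is meant for a quiet ping test like the one in the text; on a busy link, drops and reordering produce gaps that are not a fault, and the kernel's own ESP anti-replay window handles repeats on the receiving side. The cleartext check is the more important one in practice: a plain ICMP or TCP packet on the outer interface between the two intranets means the NAT rule or the IPsec policy is wrong and the traffic is not being protected.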

Note: this connection only protects traffic between the two intranets (net-to-net). Traffic between the two gateways themselves, or between a gateway and the remote intranet, is not covered by it. If you need that, for example because one gateway also acts as a file server, you must define additional connections for those host-to-host or host-to-subnet pairs.

 

(2) Road Warrior

1. Network Environment

Left subnet         Left gateway                          laptop (Linux)
192.168.1.0/24 -->  eth0: 192.168.1.1 --- Internet ---   eth1: 1.1.1.2
                    eth1: 1.1.1.1                         GW 1.1.1.2
                    GW: 1.1.1.2

 

2. As in the net-to-net case, each side needs the other side's RSA public key, obtained with ipsec showhostkey. Here the laptop plays the "right" role; the procedure is otherwise the same.

 

3. Add the following connection at the end of the main configuration file on the gateway (the VPN server):

# vim /etc/ipsec.conf

conn road
        left=1.1.1.1                  # public IP address of the gateway
        leftid=@vpnserver
        leftsubnet=192.168.1.0/24     # intranet behind the gateway
        # rsakey AQOebBxva
        leftrsasigkey=release/PaU+OKmIA4MwXgAextJ+release/v4tWI/release/Oc/release/+vb7etAOAt4QAp/U6dE4/L+release
                                      # gateway public key; garbled in the source, paste the
                                      # complete 0s... string printed by ipsec showhostkey --left
        #leftnexthop=%defaultroute
        right=%any                    # the laptop's address is not known in advance
        rightid=@laptop
        # rsakey AQOebBxva
        rightrsasigkey=encrypt/decrypt/PaU+OKmIA4MwXgAextJ+encrypt/v4tWI/average/Oc/average/+vb7etAOAt4QAp/U6dE4/L+merge
                                      # laptop public key; garbled in the source, paste the
                                      # complete 0s... string printed by ipsec showhostkey on the laptop
        #rightnexthop=%defaultroute
        auto=add                      # only load the connection: with right=%any the gateway has no
                                      # address to initiate toward, the laptop brings the tunnel up (step 5)

4. Add the following connection to the main configuration file on the laptop:

# vim /etc/ipsec.conf

conn road
        left=%defaultroute            # the laptop's own address, taken from its default route
        # rsakey AQNYfk+V8
        leftrsasigkey=0sAQNYfk+response/I+tktkte3by1_skv+response/B9bjne11hHKsJQCu/response+response/response+avsn6SfXOImrDyp2DZ2+response
                                      # the laptop's own public key; garbled in the source, paste the
                                      # complete 0s... string printed by ipsec showhostkey on the laptop
        right=1.1.1.1                 # public IP address of the gateway
        #leftsubnet=192.168.1.0/24
        leftid=@laptop
        #leftnexthop=%defaultroute
        rightsubnet=192.168.1.0/24    # intranet behind the gateway
        rightid=@vpnserver
        # rsakey AQNYfk+V8
        rightrsasigkey=0sAQNYfk+response/I+tktkte3by1_skv+response/B9bjne11hHKsJQCu/response+response/response+avsn6SfXOImrDyp2DZ2+response
                                      # the gateway's public key; garbled in the source, paste the
                                      # complete 0s... string printed by ipsec showhostkey --left on the gateway
        auto=start                    # the laptop is the initiator, so it may start the tunnel automatically

The ids and keys must be mirrored: the key the gateway lists under rightrsasigkey is the laptop's own leftrsasigkey, and vice versa.
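The net-to-net conn block and the two road-warrior blocks above share the same ways of going wrong: a block that differs between the two gateways, a missing id or key, a key that is not in Openswan's "0s" plus base64 form, overlapping subnets, or auto=start on a server whose peer is %any. The following Python linter is an added example, not code from the original article or from Openswan: it parses the conn sections of an ipsec.conf and checks those points. The parser, the function names, the sample configurations and the base64 key blobs are all constructed for this example; the keys are placeholders, not real RSA keys or the article's values.

```python
"""Added example, not code from the original article or from Openswan:
a linter for the `conn` sections of ipsec.conf.  The parser, the checks,
the sample configurations and the key blobs are all constructed here;
the 0s<base64> keys are placeholders, not real RSA keys.
"""
import base64
import binascii
import ipaddress


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}.

    Section headers ('conn <name>', 'config setup') start in column 0;
    settings are indented key=value lines; '#' starts a comment.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split())      # e.g. "conn net-to-net"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def valid_rsasigkey(value):
    """ipsec showhostkey prints public keys as '0s' followed by base64."""
    if not value.startswith("0s") or len(value) == 2:
        return False
    try:
        base64.b64decode(value[2:], validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def lint_conn(conn):
    """Return a list of problems found in one parsed conn block."""
    problems = []
    for side in ("left", "right"):
        for suffix in ("", "id", "rsasigkey"):
            if side + suffix not in conn:
                problems.append("missing " + side + suffix)
        key = conn.get(side + "rsasigkey")
        if key is not None and not valid_rsasigkey(key):
            problems.append(side + "rsasigkey is not 0s<base64>")
    # Overlapping subnets cannot be told apart by the IPsec policy.
    if "leftsubnet" in conn and "rightsubnet" in conn:
        try:
            lnet = ipaddress.ip_network(conn["leftsubnet"], strict=False)
            rnet = ipaddress.ip_network(conn["rightsubnet"], strict=False)
            if lnet.overlaps(rnet):
                problems.append("leftsubnet and rightsubnet overlap")
        except ValueError:
            problems.append("subnet is not valid CIDR")
    # A responder has no address to initiate toward; the road warrior must.
    if conn.get("right") == "%any" and conn.get("auto") == "start":
        problems.append("right=%any needs auto=add (peer must initiate)")
    return problems


def same_conn(conf_a, conf_b, name):
    """True when both gateways carry an identical conn block."""
    section = "conn " + name
    return section in conf_a and conf_a[section] == conf_b.get(section)


# Constructed placeholders standing in for `ipsec showhostkey` output.
LEFT_KEY = "0s" + base64.b64encode(b"left-gateway-placeholder-key").decode()
RIGHT_KEY = "0s" + base64.b64encode(b"right-gateway-placeholder-key").decode()

NET_TO_NET = f"""\
conn net-to-net
    left=1.1.1.1
    leftid=@left
    leftsubnet=192.168.1.0/24
    leftrsasigkey={LEFT_KEY}
    leftnexthop=%defaultroute
    right=1.1.1.2
    rightid=@right
    rightsubnet=172.16.1.0/24
    rightrsasigkey={RIGHT_KEY}
    rightnexthop=%defaultroute
    auto=start
"""

# A server-side road-warrior block that tries to initiate toward %any.
ROAD_SERVER_BAD = f"""\
conn road
    left=1.1.1.1
    leftid=@vpnserver
    leftsubnet=192.168.1.0/24
    leftrsasigkey={LEFT_KEY}
    right=%any
    rightid=@laptop
    rightrsasigkey={RIGHT_KEY}
    auto=start
"""

if __name__ == "__main__":
    for name, text in (("net-to-net", NET_TO_NET), ("road", ROAD_SERVER_BAD)):
        conn = parse_ipsec_conf(text)["conn " + name]
        print(name, lint_conn(conn) or "ok")
```

Run it against the real /etc/ipsec.conf of both gateways (read the files, parse each, then call same_conn and lint_conn) before starting ipsec; a mismatch between the two files or an invalid key string shows up here as a one-line message instead of as an IKE authentication failure in /var/log/secure.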

 

5. Start ipsec and bring the connection up

# service ipsec start

The Road Warrior connection must be initiated from the laptop side:

# ipsec auto --up road

6. Test the connection.

On the laptop, ping a host on the intranet behind the gateway, not the gateway itself, and watch the outer interface with tcpdump as in the net-to-net test:

19:15:20.978391 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x0cbb5cbr,seq=0x313), length 132
19:15:20.979030 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x46fa942f,seq=0x313), length 132

This article is from the "Gone with the wind" blog
