Use openswan to build a lan-to-lan VPN (KLIPS)

Source: Internet
Author: User
Tags: rfc

I. OpenSWan introduction

OpenSWan is the leading IPsec implementation for Linux; its feature set is powerful and it maximizes the security and integrity of data transmission. OpenSWan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on several platforms, including x86, x86_64, IA64, MIPS and ARM. OpenSWan is a successor project of the open-source project FreeS/WAN, branched off after FreeS/WAN development stopped. It consists of three main components:

    - the configuration tool (the ipsec command script)
    - the key management tool (pluto)
    - the kernel component (KLIPS or 26sec)

26sec uses the NETKEY module built into the 2.6 kernel in place of the KLIPS module developed by OpenSWan. Kernel 2.4 and earlier do not support NETKEY and can only use KLIPS. If you run kernel 2.6.9 or later, 26sec is recommended, and no NAT-T patch has to be applied to the kernel to use NAT. NETKEY in kernels earlier than 2.6.9 has a bug, so KLIPS is recommended there.

II. System environment

Operating system (servers): CentOS 4.5, kernel version 2.6.9-55. Client: Windows XP.

Host network parameters (unless otherwise specified, the subnet mask is 255.255.255.0):

    Host name   NIC eth0       NIC eth1     Default gateway   Usage
    LServer     192.168.1.10   172.16.1.1   192.168.1.1       Left gateway
    RServer     192.168.1.20   172.16.2.1   192.168.1.1       Right gateway
    LClient     172.16.1.2     -            172.16.1.1        Left client
    RClient     172.16.2.2     -            172.16.2.1        Right client

III. Install and set up the operating system

Do a minimal installation of the system and install only the development tools. The following steps are performed on both LServer and RServer.

Run the following command on LServer and RServer to append a "= 0" setting for every ICMP redirect parameter to /etc/sysctl.conf:

    sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F"=" '{print $1" = 0"}' >> /etc/sysctl.conf

Then edit /etc/sysctl.conf (vi /etc/sysctl.conf) and change

    net.ipv4.ip_forward = 0
    net.ipv4.conf.default.rp_filter = 1

to

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0

Run the following command to make the settings take effect:

    sysctl -p

On LServer, run the following command to set up NAT:

    iptables -t nat -A POSTROUTING -o eth0 -s 172.16.1.0/24 -d ! 172.16.2.0/24 -j MASQUERADE

On RServer, run the following command to set up NAT:

    iptables -t nat -A POSTROUTING -o eth0 -s 172.16.2.0/24 -d ! 172.16.1.0/24 -j MASQUERADE

The "-d !" exclusion keeps traffic for the remote VPN subnet out of NAT, so that it is carried through the IPsec tunnel with its original source address.

IV. Install OpenSWan

1. Download the source package:

    cd
    wget http://www.openswan.org/download/openswan-2.4.7.tar.gz

2. Unpack the source package:

    tar zxvf openswan-2.4.7.tar.gz

3. Install the userland tools:

    cd openswan-2.4.7
    make programs
    make install

4. Install KLIPS:

    cd ~/openswan-2.4.7
    make KERNELSRC=/lib/modules/`uname -r`/build module minstall
    depmod -a

The NETKEY modules must be unloaded before the KLIPS module is loaded:

    rmmod xfrm_user af_key esp4 ah4 ipcomp xfrm4_tunnel

Load KLIPS:

    modprobe ipsec

5. Verify the installation. Run the following command to verify that OpenSWan is installed correctly:

    ipsec --version

If the program is installed correctly and the loaded IPsec stack is KLIPS, the output is:

    Linux Openswan 2.4.7 (klips)
    See `ipsec --copyright' for copyright information.

If no IPsec stack is loaded, the output is:

    Linux Openswan U2.4.7/K(no kernel code presently loaded)
    See `ipsec --copyright' for copyright information.

V. Configure OpenSWan

1. OpenSWan configuration files:

    /etc/ipsec.secrets   private RSA keys and preshared secrets (PSKs)
    /etc/ipsec.conf      configuration file (settings, options, defaults, connections)

2. OpenSWan configuration directories:

    /etc/ipsec.d/cacerts     X.509 root certificates
    /etc/ipsec.d/certs       X.509 client certificates
    /etc/ipsec.d/private     X.509 certificate private keys
    /etc/ipsec.d/crls        X.509 certificate revocation lists
    /etc/ipsec.d/ocspcerts   OCSP (Online Certificate Status Protocol) certificates
    /etc/ipsec.d/passwd      XAUTH password file
    /etc/ipsec.d/policies    Opportunistic Encryption policy groups

3. OpenSWan has two connection methods:

1) Network-to-Network. As the name implies, this connects two networks into one virtual private network. After the connection is established, hosts in each subnet can transparently access hosts in the remote subnet. Two conditions must be met: (I) each subnet has a host with OpenSWan installed acting as its egress gateway; (II) the IP segments of the two subnets must not overlap.

2) Road Warrior. Not every host sits behind a subnet gateway that can use the Network-to-Network method. If you are a mobile user who travels with a laptop and often works from different locations, the laptop cannot be connected to the company network with the Network-to-Network method. The Road Warrior method is designed for this situation: after the connection is established, the laptop can reach the remote network.

4. OpenSWan supports many authentication methods, including RSA keys, pre-shared keys, XAUTH and X.509 certificates. This document uses RSA digital signature (RSASIG) authentication.

1) Generate a new host key on both LServer and RServer:

    ipsec newhostkey --output /etc/ipsec.secrets

Steps 2) to 4) below configure the Network-to-Network connection between LServer and RServer.

2) On LServer, run the following command to obtain the leftrsasigkey (the public key of LServer):

    ipsec showhostkey --left

The output has the following format:

    # RSA 2192 bits LServer.foxBB.com Sat Mar 3 15:45:00 2007
    leftrsasigkey=0sAQOBIJFmj......

3) On RServer, run the following command to obtain the rightrsasigkey (the public key of RServer):

    ipsec showhostkey --right

The output has the following format:

    # RSA 2192 bits RServer.foxBB.com Sat Mar 3 15:51:56 2007
    rightrsasigkey=0sAQNZZZjj......

4) On LServer and RServer, edit /etc/ipsec.conf (vi /etc/ipsec.conf) and add the following at the end of the file, replacing the leftrsasigkey and rightrsasigkey lines with the values obtained in steps 2) and 3):

    conn net-to-net
        left=192.168.1.10             # LServer Internet IP address
        leftsubnet=172.16.1.0/24      # LServer intranet IP segment
        leftid=@LServer.uddtm.com     # LServer ID
        leftrsasigkey=0sAQOBIJFmj...  # LServer's public key
        leftnexthop=%defaultroute     # LServer's next hop is the default route address
        right=192.168.1.20            # RServer Internet IP address
        rightsubnet=172.16.2.0/24     # RServer intranet IP segment
        rightid=@RServer.uddtm.com    # RServer ID
        rightrsasigkey=0sAQNZZZjj...  # RServer's public key
        rightnexthop=%defaultroute    # RServer's next hop is the default route address
        auto=add                      # add this connection, but do not bring it up automatically when OpenSWan starts

5) Start OpenSWan on LServer and RServer:

    service ipsec start

6) On LServer and RServer, verify that OpenSWan runs normally:

    ipsec verify

Output similar to the following is produced:

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                             [OK]
    Linux Openswan U2.4.7/K2.6.9-55.EL (netkey)
    Checking for IPsec support in kernel                        [OK]
    NETKEY detected, testing for disabled ICMP send_redirects   [OK]
    NETKEY detected, testing for disabled ICMP accept_redirects [OK]
    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
    Checking that pluto is running                              [OK]
    Two or more interfaces found, checking IP forwarding        [OK]
    Checking NAT and MASQUERADEing
    Checking for 'ip' command                                   [OK]
    Checking for 'iptables' command                             [OK]
    Opportunistic Encryption Support                            [DISABLED]

This sample output was captured with the NETKEY stack loaded; with the KLIPS module loaded, the version line reports (klips) instead, as in the ipsec --version output above.

7) On LServer or RServer, run the following command to bring up the Network-to-Network connection:

    ipsec auto --up net-to-net

Output similar to the following appears; if the last line shows "IPsec SA established", the connection has succeeded:

    104 "net-to-net" #1: STATE_MAIN_I1: initiate
    003 "net-to-net" #1: received Vendor ID payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
    003 "net-to-net" #1: received Vendor ID payload [RFC 3947] method set to=110
    106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
    108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
    117 "net-to-net" #2: STATE_QUICK_I1: initiate
    004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa329d030

8) Run ping 172.16.2.2 on LClient, or ping 172.16.1.2 on RClient, and run the following command on LServer or RServer:

    tcpdump -i eth0 -n host 192.168.1.10 and 192.168.1.20

If LClient and RClient can ping each other and tcpdump shows output similar to the following, the Network-to-Network IPsec connection has been established successfully:

    12:34:32.478903 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0xf225b168,seq=0x7f)
    12:34:32.480050 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x8451_ca,seq=0x7f)
    12:34:33.450660 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0xf225b168,seq=0x80)
    12:34:33.450938 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x8451_ca,seq=0x80)
    12:34:34.449218 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0xf225b168,seq=0x81)
    12:34:34.451034 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x8451_ca,seq=0x81)

9) After the connection test passes, change auto=add to auto=start in the connection configuration so that OpenSWan connects automatically when it starts.
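As an added example (not code from the article or from the OpenSWan project), the following Python helper renders a conn stanza like the one in step 4) of section V and enforces precondition (II) of the Network-to-Network method, that the two protected subnets must not overlap, together with two checks for copy/paste mistakes. The addresses and IDs are the article's; the key bodies are the article's truncated placeholders.

```python
import ipaddress

def render_net_to_net(name, left, right):
    """Render an OpenSWan 'conn' stanza for a Network-to-Network link.

    left/right are dicts with keys ip, subnet, id, rsasigkey.  Before
    rendering: the two protected subnets must not overlap (the article's
    precondition II), an outer gateway address must not fall inside the
    peer's protected subnet (it would be routed into the tunnel), and
    each RSASIG key must be an openswan '0s...' blob, not a blank line.
    """
    lnet = ipaddress.ip_network(left["subnet"], strict=True)
    rnet = ipaddress.ip_network(right["subnet"], strict=True)
    if lnet.overlaps(rnet):
        raise ValueError(f"subnets overlap: {lnet} and {rnet}")
    sides = (("left", left, lnet, rnet), ("right", right, rnet, lnet))
    for side, cfg, _own, peer in sides:
        if ipaddress.ip_address(cfg["ip"]) in peer:
            raise ValueError(f"{side}={cfg['ip']} lies inside the peer subnet {peer}")
        if not cfg["rsasigkey"].startswith("0s"):
            raise ValueError(f"{side}rsasigkey is not an openswan 0s... public key")
    lines = [f"conn {name}"]
    for side, cfg, own, _peer in sides:
        lines += [
            f"    {side}={cfg['ip']}",
            f"    {side}subnet={own}",
            f"    {side}id={cfg['id']}",
            f"    {side}rsasigkey={cfg['rsasigkey']}",
            f"    {side}nexthop=%defaultroute",
        ]
    # auto=add until the link has been tested; then switch to auto=start (step 9)
    lines.append("    auto=add")
    return "\n".join(lines) + "\n"

# The article's topology; key bodies are the article's truncated placeholders.
LSERVER = {"ip": "192.168.1.10", "subnet": "172.16.1.0/24",
           "id": "@LServer.uddtm.com", "rsasigkey": "0sAQOBIJFmj..."}
RSERVER = {"ip": "192.168.1.20", "subnet": "172.16.2.0/24",
           "id": "@RServer.uddtm.com", "rsasigkey": "0sAQNZZZjj..."}

if __name__ == "__main__":
    print(render_net_to_net("net-to-net", LSERVER, RSERVER), end="")
```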
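The tcpdump check in step 8) only confirms that ESP packets flow; as an added example (not part of the article), this Python audit of a capture taken on the gateway's outer NIC without the host filter also flags client traffic that left in the clear and ESP sequence numbers that failed to increase. The capture text is constructed: the first lines mirror the article's output, the reverse-direction SPI is invented, and the last two lines are deliberate faults.

```python
import ipaddress
import re

# Constructed 'tcpdump -i eth0 -n' text for LServer's outer NIC. Lines 1-4
# follow the article's step 8 output (reverse SPI made up); line 5 repeats
# an ESP sequence number and line 6 is a client ping that bypassed the tunnel.
SAMPLE = """\
12:34:32.478903 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0xf225b168,seq=0x7f)
12:34:32.480050 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x845100ca,seq=0x7f)
12:34:33.450660 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0xf225b168,seq=0x80)
12:34:33.450938 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x845100ca,seq=0x80)
12:34:34.449218 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0xf225b168,seq=0x80)
12:34:35.000000 IP 172.16.1.2 > 172.16.2.2: ICMP echo request, id 1, seq 3, length 64
"""

IP_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$")
ESP_RE = re.compile(r"^ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")

def check_tunnel(capture, gateways, inner_subnets):
    """Audit tcpdump -n text from a gateway's outer interface.

    Returns {"esp": n, "leaks": [...], "replays": [...]}:
      esp      ESP packets exchanged between the two gateway addresses
      leaks    lines with a src or dst in a protected subnet: client traffic
               that left the outer NIC unencrypted (tunnel down, or the
               MASQUERADE rule is missing its '-d !' exclusion)
      replays  (spi, seq) pairs whose per-SPI sequence number did not
               increase, which the receiver's anti-replay window would drop
    """
    nets = [ipaddress.ip_network(n) for n in inner_subnets]
    gws = {ipaddress.ip_address(g) for g in gateways}
    last_seq, report = {}, {"esp": 0, "leaks": [], "replays": []}
    for line in capture.splitlines():
        m = IP_RE.match(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if any(src in n or dst in n for n in nets):
            report["leaks"].append(line)
            continue
        e = ESP_RE.match(m.group(3))
        if e and {src, dst} == gws:
            report["esp"] += 1
            key, seq = (src, dst, e.group(1)), int(e.group(2), 16)
            if key in last_seq and seq <= last_seq[key]:
                report["replays"].append((e.group(1), seq))
            last_seq[key] = seq
    return report
```

A clean run over the article's six lines gives an empty leaks and replays list; anything in leaks means the MASQUERADE exclusion or the tunnel itself needs attention before the link is trusted.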
