centos安装openswan
2015-07-18 12:53
1. 开启路由和转发
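# Step 1: enable IPv4 forwarding (the gateway must route between the two
# subnets) and relax reverse-path filtering, which otherwise drops packets
# that arrive decrypted from the tunnel but would be routed out a different
# interface than they came in on.
#
# NOTE(review): rp_filter=0 switches off an anti-spoofing check. Keep it
# limited to "default" (new interfaces) as the original did; do not set
# net.ipv4.conf.all.rp_filter=0 unless `ipsec verify` still complains.
#
# The original only grepped the file and left the edit to the reader; this
# sets both keys idempotently so re-running the step never appends duplicates.
for kv in "net.ipv4.ip_forward = 1" "net.ipv4.conf.default.rp_filter = 0"; do
  key=${kv%% *}
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${kv}|" /etc/sysctl.conf
  else
    printf '%s\n' "$kv" >> /etc/sysctl.conf
  fi
done
# Apply and show the effective values; expected output:
#   net.ipv4.ip_forward = 1
#   net.ipv4.conf.default.rp_filter = 0
sysctl -p >/dev/null
sysctl net.ipv4.ip_forward net.ipv4.conf.default.rp_filter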
2. 禁用icmp重定向
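# Step 2: disable ICMP redirects. An IPsec gateway must neither honour
# redirects (an on-link attacker could steer tunnel traffic around it) nor
# emit them (they reveal the real next hop of tunnelled packets).
#
# The original pipeline appended every per-interface key from `sysctl -a`
# to sysctl.conf on each run (duplicates, and keys for interfaces that may
# not exist at boot). Persist only the "all" and "default" knobs.
for key in net.ipv4.conf.{all,default}.{accept,send}_redirects; do
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = 0|" /etc/sysctl.conf
  else
    printf '%s = 0\n' "$key" >> /etc/sysctl.conf
  fi
done
sysctl -p
# send_redirects is effective when EITHER conf/all OR the per-interface flag
# is set, so also clear it on every interface that exists right now;
# "default" covers interfaces created later. Writing /proc directly avoids
# the sysctl "." vs "/" ambiguity for names such as eth0.100.
for dir in /proc/sys/net/ipv4/conf/*/; do
  printf '0\n' > "${dir}accept_redirects"
  printf '0\n' > "${dir}send_redirects"
done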
3. 关闭selinux
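# Step 3: SELinux. The original set SELINUX=disabled permanently, which
# removes MAC confinement from every service on the host, not just pluto.
# CentOS 6 ships an SELinux policy for openswan, so first try to keep it
# enforcing; if pluto or `ipsec verify` fails with AVC denials, drop to
# permissive (everything is logged, nothing is blocked) while debugging and
# return to enforcing afterwards. "permissive" also needs no reboot and no
# filesystem relabel, unlike toggling "disabled".
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
setenforce 0
getenforce
# After starting pluto, look for denials with:
#   ausearch -m avc -c pluto
# (or grep avc /var/log/audit/audit.log) before deciding to stay permissive.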
不要直接关闭iptables;只放行IPsec必需的流量:UDP 500(IKE)、UDP 4500(NAT-T)以及ESP协议(IP协议号50),并尽量把来源限制为对端网关地址,改完后保存iptables配置。注意:CentOS 6默认规则集以REJECT结尾,用 -A 追加在链尾的ACCEPT规则不会生效,应改用 -I 插入到链首。
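# Open only what IKE/IPsec needs, and only from the peer gateway. PEER is
# the other end's address (on the right gateway use 192.168.20.211).
#
# NOTE(review): CentOS 6's stock INPUT chain ends in a REJECT rule, so an
# ACCEPT appended with -A lands after it and never matches; -I inserts at
# the top instead. TCP/4500 is not used by IPsec (NAT-T is UDP/4500) and
# has been dropped. ESP (IP protocol 50) carries the tunnel itself when no
# NAT sits between the gateways; without it only the IKE handshake passes.
PEER=192.168.20.212
iptables -I INPUT -s "$PEER" -p udp --dport 500  -j ACCEPT   # IKE
iptables -I INPUT -s "$PEER" -p udp --dport 4500 -j ACCEPT   # IKE/ESP over NAT-T
iptables -I INPUT -s "$PEER" -p esp -j ACCEPT                # ESP
# Persist to /etc/sysconfig/iptables so the rules survive a service restart.
/etc/init.d/iptables save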
4. 安装openswan
# Step 4: install Openswan from the CentOS repositories (lsof is a helper
# for checking which process holds UDP/500 when troubleshooting), enable it
# for runlevels 3 and 5 and start the IKE daemon (pluto).
yum -y install openswan lsof
ipsec --version
# Start now and at boot.
service ipsec start
chkconfig --level 35 ipsec on
# Check kernel support, sysctl settings and NAT-T; resolve every FAILED
# line before configuring tunnels.
ipsec verify
5.认证和配置
使用pre-shared方式
修改left端的PSK密钥文件(两端密钥必须一致,文件权限应为600)
vim /etc/ipsec.secrets
添加
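# /etc/ipsec.secrets on the LEFT gateway.
# Format: <local-address> <peer-address>: PSK "<secret>"
# The same secret goes on the other gateway with the two addresses swapped.
# The original example used "123456"; the PSK is all that authenticates IKE
# here, so use a long random value, e.g. the output of
#   openssl rand -base64 48
# and keep the file root-only (chmod 600 /etc/ipsec.secrets) so no local
# user can read it.
192.168.20.211 192.168.20.212: PSK "REPLACE_WITH_OUTPUT_OF_openssl_rand"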
修改right端的PSK密钥文件(与left端使用同一个密钥,只是地址顺序互换)
vim /etc/ipsec.secrets
添加
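# /etc/ipsec.secrets on the RIGHT gateway.
# Format: <local-address> <peer-address>: PSK "<secret>"
# Must hold exactly the same secret as the left gateway. Do not use a short
# guessable string such as "123456"; generate it with
#   openssl rand -base64 48
# and restrict the file to root (chmod 600 /etc/ipsec.secrets).
192.168.20.212 192.168.20.211: PSK "REPLACE_WITH_OUTPUT_OF_openssl_rand"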
修改left配置
vim /etc/ipsec.conf
添加
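version 2.0

# /etc/ipsec.conf on the LEFT gateway. Openswan requires parameter lines to
# be indented under their section header; the unindented paste in the
# original does not parse.
config setup
    # plutodebug=all is extremely verbose and writes sensitive negotiation
    # detail to the log; keep it off in production and enable only while
    # troubleshooting.
    plutodebug=none
    # Restrict the log to root: chmod 600 /var/log/pluto.log
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    # RFC1918 space road-warrior clients may sit behind. 172.16.0.0/12 is
    # the whole private block (the original /16 covered only 172.16.x.x).
    # Not consulted by this net-to-net conn (rightsubnet is fixed), but keep
    # it correct for any later road-warrior conn.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn net-net
    authby=secret
    auto=start
    ## phase 1 ##
    keyexchange=ike
    # 3DES/MD5 (the original) are obsolete. AES-256, SHA-256 and a 2048-bit
    # DH group are the floor today; if this openswan build rejects sha2,
    # fall back to aes256-sha1;modp2048 rather than to MD5.
    ike=aes256-sha2_256;modp2048
    ## phase 2 ##
    phase2=esp
    # pfs=yes with an explicit 2048-bit group; without ";modpNNNN" the
    # build's default PFS group is used.
    phase2alg=aes256-sha2_256;modp2048
    compress=no
    pfs=yes
    type=tunnel
    left=192.168.20.211
    # NOTE(review): leftsourceip is the source address the gateway itself
    # uses for traffic it sends into the tunnel. Set to the outer address
    # (as here) that traffic does not fall inside leftsubnet, so it does not
    # match the SA and leaves unencrypted; an address inside 10.1.1.0/24
    # that this host owns is the usual choice. Confirm before changing.
    leftsourceip=192.168.20.211
    leftsubnet=10.1.1.0/24
    leftnexthop=%defaultroute
    right=192.168.20.212
    rightsubnet=10.1.2.0/24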
修改right端配置。Openswan中left/right只是两端的符号名,守护进程根据本机持有的IP判断自己是哪一端,因此两台网关可以使用完全相同的conn定义;也可以按left的配置文件把left*/right*参数互换。密钥文件中本端/对端地址的顺序则要与本机一致。
vim /etc/ipsec.conf
6. 重启ipsec并查看状态
# Step 6: reload the configuration and inspect the result.
service ipsec restart
service ipsec status
# Negotiation state of every conn ("IPsec SA established" is the goal).
ipsec status
# Kernel policies currently installed for the tunnels.
ipsec eroute
# Follow pluto's log while the tunnel comes up (Ctrl-C to stop).
tail -f /var/log/pluto.log
# Combined view of SAs, policies and routes.
ipsec look
注意:以下L2TP/IPsec部分作者尚未验证通过,仅供参考,不要直接用于生产环境。
1. 安装epel
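# L2TP part, steps 1-2: add EPEL and install the packages.
#
# The original fetched epel-release over plain HTTP with `rpm -ivh`, which
# installs whatever the network returned without any signature check.
# CentOS 6 "extras" normally carries a signed epel-release, so install it
# through yum and let the already-trusted CentOS key verify it:
yum -y install epel-release
# If extras is not available, fetch over HTTPS, import the EPEL 6 key and
# verify the package before installing it:
#   rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6
#   rpm -K epel-release-6-8.noarch.rpm && rpm -ivh epel-release-6-8.noarch.rpm
yum -y install openswan xl2tpd ppp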
3. 编辑/etc/sysctl.conf文件
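# L2TP part, step 3: forwarding on, reverse-path filter relaxed for new
# interfaces (the ppp* interfaces xl2tpd creates). Done with sed/printf
# instead of an interactive editor so the step is repeatable and does not
# leave duplicate keys behind.
# NOTE(review): rp_filter=0 disables an anti-spoofing check; leave it at
# "default" scope as here rather than net.ipv4.conf.all.
for kv in "net.ipv4.ip_forward = 1" "net.ipv4.conf.default.rp_filter = 0"; do
  key=${kv%% *}
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${kv}|" /etc/sysctl.conf
  else
    printf '%s\n' "$kv" >> /etc/sysctl.conf
  fi
done
# Apply immediately.
sysctl -p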
4.配置ipsec
# Step 4: keep a copy of the stock ipsec.conf before editing it.
cp /etc/ipsec.conf{,.bak}
vim /etc/ipsec.conf
添加
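# /etc/ipsec.conf additions for L2TP/IPsec road warriors. Parameter lines
# must be indented under their section header or pluto will not parse the
# file. Leave the existing "config setup" section in place.
conn %default
    # Always UDP-encapsulate ESP: most L2TP clients are behind NAT and some
    # NAT devices break raw ESP.
    forceencaps=yes

conn L2TP-PSK-NAT
    # Clients behind NAT present a private inner address; accept any
    # address from virtual_private. That list must exclude the L2TP pool
    # (%v4:!192.168.199.0/24) or client traffic can be mis-routed.
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    # A single PSK shared by every client: anyone holding it can complete
    # IKE, so the real per-user authentication is CHAP inside PPP. Treat
    # the PSK as a secret, not a convenience string.
    authby=secret
    # pfs=no and the absence of ike=/phase2alg= are for client
    # compatibility; the build's defaults then decide the ciphers.
    # NOTE(review): once the client population is known, pin ike= and
    # phase2alg= to the strongest proposals they support so 3DES/MD5 can
    # no longer be negotiated.
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # L2TP/IPsec is transport mode protecting only UDP/1701.
    type=transport
    left=服务器公网IP
    leftid=服务器公网IP
    leftprotoport=17/1701
    right=%any
    rightid=%any
    rightprotoport=17/%any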
设置PSK共享密钥
vim /etc/ipsec.secrets
添加
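# /etc/ipsec.secrets: one PSK shared by every L2TP client (%any).
# Use a long random value (e.g. `openssl rand -base64 48`), never a word or
# phrase: every client knows this secret and weak PSKs are cheap to
# brute-force. Keep the file root-only: chmod 600 /etc/ipsec.secrets
服务器的公网ip %any: PSK "共享密钥"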
5. 调整网络策略
vim /usr/local/reset_redirects.sh
添加
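#!/bin/bash
# reset_redirects.sh -- clear accept_redirects and send_redirects on every
# IPv4 interface (including the "all" and "default" entries) so the VPN
# gateway neither honours nor emits ICMP redirects. Run as root, typically
# from rc.local.
#
# Usage: reset_redirects.sh [CONF_DIR]
#   CONF_DIR defaults to /proc/sys/net/ipv4/conf; overridable for testing.
#
# Unlike the original, a failed write is reported and makes the script
# exit non-zero instead of being silently ignored.
set -euo pipefail

# Write 0 to <dir>/{accept,send}_redirects for every interface directory
# below $1. Returns 1 if any write failed, 0 otherwise.
reset_redirects() {
  local root=$1
  local dir knob rc=0
  for dir in "$root"/*/; do
    [[ -d "$dir" ]] || continue          # no entries (or bad path)
    for knob in accept_redirects send_redirects; do
      if ! printf '0\n' > "${dir}${knob}"; then
        printf 'reset_redirects: cannot write %s\n' "${dir}${knob}" >&2
        rc=1
      fi
    done
  done
  return "$rc"
}

reset_redirects "${1:-/proc/sys/net/ipv4/conf}"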
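# Install the script, run it once now, and have it re-run at boot.
# (Persisting the knobs in /etc/sysctl.conf is the primary mechanism;
# rc.local is a fallback for interfaces that appear after `sysctl -p` ran.)
chmod 755 /usr/local/reset_redirects.sh
/usr/local/reset_redirects.sh
# Append to rc.local only once so repeated runs of this step do not pile
# up duplicate lines.
grep -qxF '/usr/local/reset_redirects.sh' /etc/rc.local \
  || printf '/usr/local/reset_redirects.sh\n' >> /etc/rc.local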
6. 添加iptables规则
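# Step 6: NAT the VPN clients out to the Internet and let IPsec/L2TP in.
#
# The original MASQUERADE rule had no source or interface match, so it
# rewrote every forwarded packet, not just the VPN pool. Limit it to the
# L2TP pool ("ip range" in xl2tpd.conf) leaving via the WAN interface.
WAN_IF=eth0                # interface that holds 服务器公网IP; adjust
VPN_POOL=192.168.199.0/24
iptables -t nat -A POSTROUTING -s "$VPN_POOL" -o "$WAN_IF" -j MASQUERADE
# Inbound: IKE, NAT-T and raw ESP. UDP/1701 is accepted only when it
# arrived inside an IPsec SA (-m policy), so nobody can speak L2TP/PPP to
# the box in the clear. -I rather than -A because CentOS 6's stock INPUT
# chain ends in a REJECT rule that would shadow appended ACCEPTs.
iptables -I INPUT -p udp --dport 500  -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -p esp -j ACCEPT
iptables -I INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
# NOTE(review): the stock FORWARD chain also ends in REJECT; without these
# two rules decrypted client traffic is dropped instead of forwarded.
iptables -I FORWARD -s "$VPN_POOL" -j ACCEPT
iptables -I FORWARD -d "$VPN_POOL" -m state --state ESTABLISHED,RELATED -j ACCEPT
/etc/init.d/iptables save
/etc/init.d/iptables status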
7. 配置xl2tpd
vim /etc/xl2tpd/xl2tpd.conf
修改
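; /etc/xl2tpd/xl2tpd.conf (edit the existing file; "ipsec saref" lives in
; its [global] section).
; SAref tracking needs kernel/openswan SAref support that stock CentOS 6
; lacks; keep it off.
ipsec saref = no
[lns default]
; Addresses handed to clients. The range must not overlap the LAN, and the
; same /24 has to be excluded from virtual_private in ipsec.conf
; (%v4:!192.168.199.0/24).
ip range = 192.168.199.128-192.168.199.254
local ip = 192.168.199.1
; Refuse PAP (plaintext passwords over the link) and insist on CHAP. The
; stock file already contains these lines -- do not remove them.
refuse pap = yes
require chap = yes
require authentication = yes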
8. 检查一下OPENSWAN是否正常工作
# Step 8: restart both daemons and confirm Openswan is healthy.
service ipsec restart
service xl2tpd restart
# Must show no FAILED items (kernel, sysctl, NAT-T).
ipsec verify
# Loaded conns and their SA state (same data as `ipsec status`).
ipsec whack --status
9. 配置ppp
vim /etc/ppp/chap-secrets
添加用户名密码
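# /etc/ppp/chap-secrets -- format: client  server  secret  IP-addresses
# "*" matches any server name / any address. The file holds PPP passwords
# in plaintext: chmod 600 /etc/ppp/chap-secrets, one line per user, and
# use a random password per user instead of the weak example the original
# carried.
zhao * REPLACE_WITH_RANDOM_PASSWORD *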
# Pick up the new user, make every service start at boot, then reboot to
# confirm a clean start.
service xl2tpd restart
for svc in iptables ipsec xl2tpd; do
  chkconfig --level 35 "$svc" on
done
reboot
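# Reference value for "virtual_private" (it belongs under "config setup" in
# /etc/ipsec.conf). The original listed the line twice and wrote
# 192.168.140.0/16, which is not a valid prefix (host bits set) -- the
# intended block is 192.168.0.0/16. The L2TP pool is excluded with "!" so
# that a client cannot present an address from the server's own pool.
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.199.0/24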
参考
http://www.simlinux.com/archives/342.html