
Installing openswan on CentOS

2015-07-18 12:53

1. Enable routing and forwarding

egrep "ip_forward|rp_filter" /etc/sysctl.conf

Make sure the output contains:

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 0

2. Disable ICMP redirects

sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >>/etc/sysctl.conf

sysctl -p
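Steps 1 and 2 set the kernel parameters and then only eyeball them with egrep. The POSIX sh audit below is an added example (not part of the original post) that checks a sysctl.conf-style file for every setting those two steps require; `audit_ipsec_sysctl` and the two constructed sample files are assumed names, not anything from openswan.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file for the IPsec gateway
# prerequisites from steps 1 and 2: forwarding on, rp_filter off,
# ICMP redirects (accept and send) off. Returns 0 only if all are correct.
audit_ipsec_sysctl() {
    file="$1"
    rc=0
    for want in "net.ipv4.ip_forward=1" \
                "net.ipv4.conf.default.rp_filter=0" \
                "net.ipv4.conf.all.accept_redirects=0" \
                "net.ipv4.conf.all.send_redirects=0" \
                "net.ipv4.conf.default.accept_redirects=0" \
                "net.ipv4.conf.default.send_redirects=0"; do
        key=${want%%=*}
        expected=${want#*=}
        # Tolerate "key = 0", "key= 0" (the awk one-liner's output) and trailing
        # comments; the last assignment in the file wins, as it does for sysctl.
        actual=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1)
        if [ "$actual" != "$expected" ]; then
            echo "WRONG $key: got '${actual:-unset}', want $expected"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a freshly installed host still on distro defaults.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
EOF

# Constructed sample: the file after steps 1 and 2 have been applied.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0   # needed for asymmetric tunnel traffic
net.ipv4.conf.all.accept_redirects= 0
net.ipv4.conf.all.send_redirects= 0
net.ipv4.conf.default.accept_redirects= 0
net.ipv4.conf.default.send_redirects= 0
EOF

audit_ipsec_sysctl "$SAMPLE_GOOD" && echo "sample_good: OK"
audit_ipsec_sysctl "$SAMPLE_BAD" || echo "sample_bad: needs fixing"
```

Run it against the real file with `audit_ipsec_sysctl /etc/sysctl.conf`; it checks the persisted configuration, not the live kernel, so follow it with `sysctl -p` as the post does.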

3. Disable SELinux

sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

setenforce 0

getenforce

Either stop iptables or open the ports IPsec needs in iptables; remember to save the iptables configuration afterwards.

iptables -A INPUT -p udp --dport 500 -j ACCEPT

iptables -A INPUT -p udp --dport 4500 -j ACCEPT

iptables -A INPUT -p tcp --dport 4500 -j ACCEPT

/etc/init.d/iptables save

4. Install openswan

yum install openswan lsof -y

ipsec --version

Start ipsec

/etc/init.d/ipsec start

chkconfig ipsec --level 35 on

Check the status

ipsec verify

5. Authentication and configuration

Pre-shared key (PSK) authentication is used.

Edit the PSK secrets file on the left peer

vim /etc/ipsec.secrets

Add:

#leftIP rightIP: PSK "123456"

192.168.20.211 192.168.20.212: PSK "123456"

Edit the PSK secrets file on the right peer

vim /etc/ipsec.secrets

Add:

#leftIP rightIP: PSK "123456"

192.168.20.212 192.168.20.211: PSK "123456"

Edit the left peer's configuration

vim /etc/ipsec.conf

Add:

version 2.0
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
    oe=off

conn net-net
    authby=secret
    auto=start
    ## phase 1 ##
    keyexchange=ike
    ike=3des-md5
    ## phase 2 ##
    phase2=esp
    phase2alg=3des-md5
    compress=no
    pfs=yes
    type=tunnel

    left=192.168.20.211
    leftsourceip=192.168.20.211
    leftsubnet=10.1.1.0/24
    leftnexthop=%defaultroute
    right=192.168.20.212
    rightsubnet=10.1.2.0/24

Edit the right peer's configuration (adapt it from the left peer's configuration file)

vim /etc/ipsec.conf

6. Restart ipsec and check the status

/etc/init.d/ipsec restart

/etc/init.d/ipsec status

ipsec status

ipsec eroute

tail -f /var/log/pluto.log

View the current IPsec negotiation state, e.g. whether the connection has been established

ipsec look

The remainder of this document has not yet been verified and is not in use for now.

1. Install EPEL

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

2. Install the packages

yum -y install openswan xl2tpd ppp

3. Edit /etc/sysctl.conf

vim /etc/sysctl.conf

Set:

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 0

Run sysctl -p to apply the changes.

4. Configure ipsec

cp /etc/ipsec.conf /etc/ipsec.conf.bak

vim /etc/ipsec.conf

Add:

conn %default
        forceencaps=yes

conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=<server public IP>
        leftid=<server public IP>
        leftprotoport=17/1701
        right=%any
        rightid=%any
        rightprotoport=17/%any

Set the PSK shared secret

vim /etc/ipsec.secrets

Add:

<server public IP>  %any: PSK "<shared secret>"

5. Adjust the network policy (disable ICMP redirects)

vim /usr/local/reset_redirects.sh

Add:

#!/bin/bash
# Disable accepting and sending ICMP redirects on every interface
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

chmod 755 /usr/local/reset_redirects.sh

/usr/local/reset_redirects.sh

echo "/usr/local/reset_redirects.sh" >> /etc/rc.local

6. Add the iptables rules

iptables --table nat --append POSTROUTING --jump MASQUERADE

/etc/init.d/iptables save

/etc/init.d/iptables status

7. Configure xl2tpd

vim /etc/xl2tpd/xl2tpd.conf

Set:

ipsec saref = no

[lns default]
ip range = 192.168.199.128-192.168.199.254
local ip = 192.168.199.1

8. Check that openswan is working properly

/etc/init.d/ipsec restart

/etc/init.d/xl2tpd restart

ipsec verify

ipsec whack --status

9. Configure ppp

vim /etc/ppp/chap-secrets

Add a username and password:

zhao   *   abc123456ymn   *

/etc/init.d/xl2tpd restart

Enable the services at boot and restart the server

chkconfig iptables --level 35 on

chkconfig ipsec --level 35 on

chkconfig xl2tpd --level 35 on

reboot

virtual_private=%v4:10.0.0.0/8,%v4:192.168.140.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10

Reference
http://www.simlinux.com/archives/342.html