From: jjk (○kernel○), Board: Linux
Subject: IPSEC VPN TUNNEL ON FreeBSD 4.x [fwd]
Site: Liyuan Chenfeng BBS (Sun Mar 24 14:37:21 2002), forwarded
[ The following text is forwarded from jjk's mailbox ]
[ Originally posted by jjksam@smth.org ]
From: yeah (落叶), Board: FreeBSD
Subject: IPSEC VPN TUNNEL ON FreeBSD 4.x [fwd]
Site: BBS Shuimu Tsinghua (Wed Nov 7 14:11:22 2001)
IPSEC VPN TUNNEL ON FreeBSD 4.x
--------------------------------------------------------------
Draft ipsec version 0.06
--------------------------------------------------------------
Node A: cable modem, 1.2.3.4 on the internet interface,
        private range 10.10.1.0/24, intranet interface 10.10.1.1
Node B: cable modem, 5.6.7.8 on the internet interface,
        private range 10.0.1.0/24, intranet interface 10.0.1.1
The two intranets must not be the same range, otherwise it will not work!
Script A on Node A
/usr/local/etc/rc.d/ipsec.sh
--
#!/bin/sh
# make a tunnel interface
gifconfig gif0 1.2.3.4 5.6.7.8
#
ifconfig gif0 10.10.1.1 10.0.1.1 netmask 0xffffffff
# Make a static route!!!
route add -net 10.0.1.0/24 10.0.1.1
# read in the config
setkey -f /etc/ipsec.conf
---
/etc/ipsec.conf
-------------
# This is the test if the network connection will work
flush;
spdflush;
add 1.2.3.4 5.6.7.8 esp 9991 -E blowfish-cbc "AAAABBBBZZZZZZZZZZZZZZZZZGGGGGGGGGGGGG111111111111";
add 5.6.7.8 1.2.3.4 esp 9992 -E blowfish-cbc "1111119999999990000000000000000ERBBBBAAAA";
spdadd 10.10.1.0/24 10.0.1.0/24 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 10.0.1.0/24 10.10.1.0/24 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
-----------------------
Script B on Node B
/usr/local/etc/rc.d/ipsec.sh
-----
#!/bin/sh
gifconfig gif0 5.6.7.8 1.2.3.4
ifconfig gif0 10.0.1.1 10.10.1.1 netmask 0xffffffff
route add -net 10.10.1.0/24 10.10.1.1
setkey -f /etc/ipsec.conf
--
/etc/ipsec.conf
--
flush;
spdflush;
# Note that the add rules are the same as on Node A!
add 1.2.3.4 5.6.7.8 esp 9991 -E blowfish-cbc "AAAABBBBZZZZZZZZZZZZZZZZZGGGGGGGGGGGGG111111111111";
add 5.6.7.8 1.2.3.4 esp 9992 -E blowfish-cbc "1111119999999990000000000000000ERBBBBAAAA";
spdadd 10.0.1.0/24 10.10.1.0/24 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.10.1.0/24 10.0.1.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
--
Use these parameters to test whether the tunnel is working.
You should be able to ping (or whatever) any host on the other side.
On both FreeBSD 4.2-STABLE machines ipnat keeps working fine alongside this.
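As an added example (not part of the original post or Henk Wevers' text), the POSIX sh functions below emit the manual-keyed /etc/ipsec.conf for either node from a single parameter set, so both hosts get identical add lines and correctly mirrored spdadd policies, and they draw the ESP keys from /dev/urandom as 0x-prefixed hex (a key form setkey accepts) rather than typed ASCII strings, which have far less entropy than their length suggests. The function names, the 160-bit key size and the SPI values in the usage comment are my choices, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post: generate the manual-keyed
# ipsec.conf for node A or node B from one shared parameter set.

# 160-bit random key rendered as 40 hex characters (blowfish-cbc accepts
# 40..448-bit keys in setkey); the 0x prefix is added by the caller.
random_key_hex() {
    head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# gen_ipsec_conf NODE A_PUB A_NET B_PUB B_NET SPI_AB SPI_BA KEY_AB KEY_BA
#   NODE    "A" or "B": which host this config is for
#   A_PUB   node A public address      A_NET  node A private range
#   B_PUB   node B public address      B_NET  node B private range
#   SPI_AB  SPI for the A->B SA        SPI_BA SPI for the B->A SA
#   KEY_AB / KEY_BA  hex keys without the 0x prefix (see random_key_hex)
gen_ipsec_conf() {
    node=$1; a_pub=$2; a_net=$3; b_pub=$4; b_net=$5
    spi_ab=$6; spi_ba=$7; key_ab=$8; key_ba=$9
    case $node in
        A) my_pub=$a_pub; my_net=$a_net; peer_pub=$b_pub; peer_net=$b_net ;;
        B) my_pub=$b_pub; my_net=$b_net; peer_pub=$a_pub; peer_net=$a_net ;;
        *) echo "gen_ipsec_conf: node must be A or B" >&2; return 1 ;;
    esac
    cat <<EOF
flush;
spdflush;
# The SAs are identical on both nodes: one per direction, same SPI and key.
add ${a_pub} ${b_pub} esp ${spi_ab} -E blowfish-cbc 0x${key_ab};
add ${b_pub} ${a_pub} esp ${spi_ba} -E blowfish-cbc 0x${key_ba};
# The policies are mirrored: "out" on one node is "in" on the other.
spdadd ${my_net} ${peer_net} any -P out ipsec esp/tunnel/${my_pub}-${peer_pub}/require;
spdadd ${peer_net} ${my_net} any -P in ipsec esp/tunnel/${peer_pub}-${my_pub}/require;
EOF
}

# Usage (generate keys once, then the same command on both hosts with A/B):
#   KAB=$(random_key_hex); KBA=$(random_key_hex)
#   gen_ipsec_conf A 1.2.3.4 10.10.1.0/24 5.6.7.8 10.0.1.0/24 9991 9992 $KAB $KBA > /etc/ipsec.conf
```

Generate the two keys on one host and carry them to the other over an already trusted channel (ssh, not the tunnel you are about to build); the add lines must match byte for byte on both ends, which is exactly what the shared parameter set guarantees.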
--------------------------------------------------------------------------------
If this is working we can use racoon.
Remove the add lines from ipsec.conf, but leave the spdadd lines intact.
cd /usr/ports/security/racoon ; make all install clean
cd /usr/local/etc/racoon
On Node A
psk.txt
--
5.6.7.8 AAAAAAAAAAABBBBSECRET
--
racoon.conf
--
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;
remote anonymous
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        lifetime time 2 hour;           # sec,min,hour
        lifetime byte 50 MB;            # B,KB,GB
        initial_contact on;
        support_mip6 on;
        proposal_check obey;            # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour;
        lifetime byte 50000 KB;
        encryption_algorithm 3des,des,cast128,blowfish;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}
-----------------------------------------------------------
On Node B
psk.txt
--
1.2.3.4 AAAAAAAAAAABBBBSECRET
--
racoon.conf
See node A
-----------------------------------------------------------
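Two things about the racoon setup above deserve a check before it goes live: with exchange_mode aggressive and a pre-shared key, the peer's PSK-derived hash travels in the clear before the channel is protected, so anything guessable as the key (the placeholder AAAAAAAAAAABBBBSECRET certainly is) can be attacked offline, and racoon refuses a psk.txt that is group- or world-readable. The POSIX sh functions below, an added example that is not part of the original post, write a psk.txt entry with a 256-bit random key and owner-only permissions, and audit an existing file for both problems. The function names, the 32-character minimum and the use of ls to read the mode are my choices; verify the permission requirement against the racoon version you run.

```shell
#!/bin/sh
# Added example, not from the original post: create and audit racoon's psk.txt.

# write_psk PEER_IP FILE
#   Appends "PEER_IP <64 hex chars>" to FILE, creating it with mode 0600,
#   and prints the key so it can be copied to the peer's own psk.txt.
write_psk() {
    peer=$1; file=$2
    key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    ( umask 077; printf '%s %s\n' "$peer" "$key" >> "$file" )
    chmod 600 "$file"
    printf '%s\n' "$key"
}

# check_psk FILE
#   Returns 0 if FILE is owner-only and every entry carries a key of at
#   least 32 characters; otherwise prints each finding to stderr and returns 1.
check_psk() {
    file=$1; rc=0
    mode=$(ls -ld "$file" | cut -c2-10)          # e.g. rw-------
    case $mode in
        rw-------|r--------) ;;
        *) echo "$file: mode $mode, racoon wants owner-only access (0600)" >&2; rc=1 ;;
    esac
    while read -r peer key extra; do
        case $peer in ''|'#'*) continue ;; esac  # skip blank and comment lines
        if [ -z "$key" ]; then
            echo "$peer: entry has no key" >&2; rc=1; continue
        fi
        if [ ${#key} -lt 32 ]; then
            echo "$peer: key is ${#key} characters, want at least 32" >&2; rc=1
        fi
    done < "$file"
    return $rc
}

# Usage on node A (peer is node B's public address):
#   write_psk 5.6.7.8 /usr/local/etc/racoon/psk.txt
#   check_psk /usr/local/etc/racoon/psk.txt && echo "psk.txt looks sane"
```

Run write_psk on one node and paste the printed key into the other node's psk.txt against the first node's address; the key string must be identical on both sides even though each file names the opposite peer.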
Reload the policies with setkey -f /etc/ipsec.conf.
Start racoon and check /var/log/racoon.log.
Use setkey -D to check that the SAs are being negotiated.
If nothing works, check that
        options IPSEC
        options IPSEC_ESP
        options IPSEC_DEBUG
        pseudo-device gif 4
are in your kernel, and do not forget to turn forwarding on:
        sysctl -w net.inet.ip.forwarding=1
:-)
Henk Wevers 5 Jan 2001
--------------------------------------------------------------------------------
References
http://www.mutex.org/aaron/tips/ipsec
http://asherah.dyndns.org/~josh/ipsec-howto.txt
http://www.geocrawler.com/archives/3/165/2000/11/0/4670748/
http://www.freebsddiary.org/ipsec.html
http://www.kame.net/newsletter/19980626/
http://www.netbsd.org/Documentation/network/ipsec/
http://www.freebsd.org/handbook/ipsec.html
man setkey
--
※ Source: BBS Shuimu Tsinghua smth.org [FROM: 210.52.69.39]
--
※ Forwarded: Liyuan Chenfeng BBS bbs.szu.edu.cn [FROM: 192.168.0.146]