利用OpenSwan构建基于IPsec的VPN实现局域网互联.docVIP

利用OpenSwan实现两端局域网互联#ipsec --version inux Openswan U2.6.32/K(no kernel code presently loaded) See `ipsec --copyright for copyright information. 如果显示如上,则说明安装成功，但是没有加载任何IPsec stack。然后(出于安全的考虑，请选择=2.6.37版本): #wget /openswan/openswan-2.6.38.tar.gz进行编译安装： #tar xzf openswan-2.6.38.tar.gz #cd openswan-2.6.38 #make programs #make install #uname -r #ll /usr/src/kernels/ #export KERNELSRC= /usr/src/kernels/2.6.32-220.17.1.el6.x86_64/ #根据以上信息判断，不同的系统此命令不一样。 #make module make minstall #depmod -a modprobe ipsec #echo 1 /proc/sys/net/ipv4/ip_forward echo 0 /selinux/enforce # sed -i 9 a\protostack=klips /etc/ipsec.conf #使ipsec的原栈为klips，默认可能为netkey #ipsec --version Linux Openswan U2.6.32/K2.6.38 (klips) See `ipsec --copyright for copyright information. 如果显示如上,则说明内核模块加载成功。 3.设置系统相关参数(左右两端命令一样)： 3.1)、修改Linux 内核参数： #sed -i s/net\.ipv4\.ip_forward = 0/net\.ipv4\.ip_forward = 1/g /etc/sysctl.conf #sed -i s/\.conf\.default\.rp_filter = 1/\.conf\.default\.rp_filter = 0/g /etc/sysctl.conf #sysctl -p 3.2)、禁用icmp： # Disable send redirects echo 0 /proc/sys/net/ipv4/conf/all/send_redirects echo 0 /proc/sys/net/ipv4/conf/default/send_redirects echo 0 /proc/sys/net/ipv4/conf/eth0/send_redirects echo 0 /proc/sys/net/ipv4/conf/eth1/send_redirects echo 0 /proc/sys/net/ipv4/conf/lo/send_redirects # Disable accept redirects echo 0 /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 /proc/sys/net/ipv4/conf/default/accept_redirects echo 0 /proc/sys/net/ipv4/conf/eth0/accept_redirects echo 0 /proc/sys/net/ipv4/conf/eth1/accept_redirects echo 0 /proc/sys/net/ipv4/conf/lo/accept_redirects echo 1 /proc/sys/net/core/xfrm_larval_drop 4. 生成key(左右两端命令一样)： #mv /dev/random /dev/random.bak #ln -s /dev/urandom /dev/random #ipsec newhostkey --output /etc/ipsec.secrets 5.认证配置(基于RSA认证)： a.//左网络端主机 [root@ophneu ~]# cat /etc/ipsec.conf |grep -v # config setup protostack=klips klipsdebug=none interfaces=%defaultroute nat_traversal=yes virtual