2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Most readers are unfamiliar with the material in this article, "how to install OpenSWan under Linux", so the editor has summarized the following content. It is detailed, the steps are clear, and it has some reference value. I hope you get something out of reading it. Let's take a look at "how to install OpenSWan under Linux".
OpenSWan is a good choice on Linux for implementing the IPsec and L2TP protocols. It supports most of the extensions (RFCs and IETF drafts) related to IPsec. The Openswan project originated from FreeS/WAN 2.04. It is very capable: it largely ensures the security and integrity of data transmitted across networks, and in particular it makes it possible to interconnect LANs across computer rooms or remote offices. Combined with OpenVPN, it can provide multi-site access and other solutions for portal sites.
System environment
In this article, VMware is used to build five virtual Linux hosts for the experiments. Operating system: CentOS 4.4; kernel version: 2.6.9-42. Host network parameters (unless otherwise specified, the subnet mask is 255.255.255.0):
Host name   eth0            eth2          Default gateway   Usage
LServer     192.168.1.103   192.168.2.1   192.168.1.1       Left gateway
RServer     192.168.1.104   192.168.3.1   192.168.1.1       Right gateway
LClient     192.168.1.113   192.168.2.2   192.168.2.1       Left client
RClient     192.168.1.114   192.168.3.2   192.168.3.1       Right client
Laptop      192.168.1.105   -             192.168.1.1       Laptop client
Installation and setup
Operating system
It is recommended to use CentOS 4.4, a free, independently upgradeable Linux distribution based on Red Hat Enterprise Linux AS 4.4 with its security enhancements. The installation process is not described in detail. Make sure that the development packages are selected during installation, as well as the libgmp packages (gmp, gmp-devel), gawk, flex and bison. The following steps only need to be performed on LServer, RServer and Laptop. After the system has been installed with the parameters above, execute the following command on LServer and RServer:
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1 "= 0"}' >> /etc/sysctl.conf
Edit /etc/sysctl.conf:
vi /etc/sysctl.conf
Change the following two entries:
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
to:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
Execute the following command to make the settings take effect:
sysctl -p
On LServer, execute the following command to set up NAT:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -d ! 192.168.3.0/24 -j MASQUERADE
On RServer, execute the following command to set up NAT:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.3.0/24 -d ! 192.168.2.0/24 -j MASQUERADE
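The sysctl edits above are the part of the gateway setup most often left half-done, and the ipsec verify step later in the article reports on the redirect switches and IP forwarding but not on rp_filter. The shell functions below are an added example, not part of the original article: they check a file in /etc/sysctl.conf format against the values this procedure needs on LServer and RServer. The list of required keys (ip_forward and rp_filter as edited above, plus the all/default send and accept redirect switches that the egrep pipeline appends) is this example's own assumption; the per-interface redirect keys the pipeline also appends are not checked. The file path is passed as an argument, so the audit can be run against /etc/sysctl.conf or against the constructed sample the block writes.

```shell
#!/bin/sh
# Added example (not from the original article): audit a gateway's
# sysctl.conf-style file against the values required for an IPsec gateway.
# Assumption: the required key list below is this example's own; the
# article's egrep pipeline appends every ipv4 *_redirects key it finds.

# Required settings, one "key expected-value" pair per line.
required_sysctls() {
    cat <<'EOF'
net.ipv4.ip_forward 1
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.default.accept_redirects 0
EOF
}

# Print the effective value of key $2 in file $1. The last occurrence wins,
# which is how "sysctl -p" applies the file; print nothing if the key is absent.
sysctl_value() {
    awk -v k="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            if (key == k) last = val
        }
        END { if (last != "") print last }' "$1"
}

# Print one "key expected=X actual=Y" line per setting that is missing or
# wrong in file $1; print nothing when the file is complete and correct.
audit_sysctl_file() {
    required_sysctls | while read -r key want; do
        have=$(sysctl_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-unset}"
        fi
    done
}

# Succeed (exit 0) only when the audit finds nothing to report.
gateway_sysctls_ok() {
    [ -z "$(audit_sysctl_file "$1")" ]
}

# Constructed sample: a file as /etc/sysctl.conf looks after the article's
# edits on LServer, written to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real gateway's file
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
EOF
}

# Stand-alone use on a real gateway:
#   audit_sysctl_file /etc/sysctl.conf && gateway_sysctls_ok /etc/sysctl.conf
```

The audit reads the file rather than the running kernel on purpose: the file is what survives a reboot, and a value that is right in sysctl -a but wrong in the file is exactly the case that breaks the gateway after the kernel rebuild in the KLIPS step.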
Install OpenSWan
1. Download the source package
cd ~
wget http://www.openswan.org/download/openswan-2.4.7.tar.gz
2. Unpack the source package
tar zxvf openswan-2.4.7.tar.gz
3. Install the userland
cd openswan-2.4.7
make programs
make install
4. Install the KLIPS IP stack (optional; not needed if you use 26sec/NETKEY)
1) Install the NAT-Traversal kernel patch
export KERNELSRC=/usr/src/kernels/2.6.9-42.EL-i686
make nattpatch > /usr/src/openswan-ipsec-natt.patch
cd $KERNELSRC
cat /usr/src/openswan-ipsec-natt.patch | patch -p1 -s
make clean
make oldconfig
Because of the added NAT-T patch, make oldconfig shows the following prompt:
IPSEC NAT-Traversal (KLIPS compatible) (IPSEC_NAT_TRAVERSAL) [N/y/?] (NEW)
Press y to confirm and let make oldconfig run to completion. Then execute the following commands to recompile and install the kernel:
make
make modules_install
make install
After the new kernel has been compiled and installed, restart the system to boot into it.
2) Install KLIPS
cd ~/openswan-2.4.7
make KERNELSRC=/lib/modules/$(uname -r)/build module minstall
depmod -a
The NETKEY modules must be unloaded before the KLIPS module is loaded:
rmmod xfrm_user af_key esp4 ah4 ipcomp xfrm4_tunnel
Execute the following command to load KLIPS:
modprobe ipsec
5. Verify the installation
Execute the following command to verify that OpenSWan is installed correctly:
ipsec --version
If the program is installed correctly, this command shows one of the following three results. If the loaded IPsec stack is NETKEY:
Linux Openswan U2.4.7/K2.6.9-42.EL (netkey)
See `ipsec --copyright' for copyright information.
If the loaded IPsec stack is KLIPS:
Linux Openswan 2.4.7 (klips)
See `ipsec --copyright' for copyright information.
If no IPsec stack is loaded:
Linux Openswan U2.4.7/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.
6. Note in particular that when both the NETKEY and KLIPS modules exist on the system, OpenSWan chooses one of them by the following rules: normally OpenSWan starts on whichever stack is already loaded; if both NETKEY and KLIPS are loaded, OpenSWan cannot start; if neither is loaded, OpenSWan first tries to load NETKEY; if loading NETKEY fails, it loads KLIPS; if neither can be loaded, OpenSWan fails to start.
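The rules in point 6 are worth checking before service ipsec start rather than after, because a host with both stacks loaded fails to start, and a host with neither loaded may come up on a different stack from the one you just compiled. The shell functions below are an added example, not from the article or the Openswan project: they classify the ipsec --version banner and an lsmod listing (both passed in as strings so they can be tried on constructed text) and state what point 6 predicts OpenSWan will do. Treating the presence of the ipsec module as KLIPS and of af_key, xfrm_user, esp4 or ah4 as NETKEY follows the rmmod list in step 4 and is this example's own assumption.

```shell
#!/bin/sh
# Added example (not from the original article): work out which IPsec stack a
# host will use from "ipsec --version" and "lsmod" output, applying the
# loading rules given in point 6.

# Map an "ipsec --version" banner to netkey, klips, none or unknown.
stack_from_version() {
    case "$1" in
        *"(netkey)"*)                        echo netkey ;;
        *"(klips)"*)                         echo klips ;;
        *"no kernel code presently loaded"*) echo none ;;
        *)                                   echo unknown ;;
    esac
}

# Given lsmod output, report which stacks are loaded: klips (the "ipsec"
# module), netkey (the xfrm/af_key family unloaded in step 4), both or none.
# Assumption: the module-name mapping is this example's own.
loaded_stacks() {
    k=0; n=0
    printf '%s\n' "$1" | grep -q '^ipsec[[:space:]]' && k=1
    printf '%s\n' "$1" | grep -Eq '^(af_key|xfrm_user|esp4|ah4)[[:space:]]' && n=1
    case "$k$n" in
        11) echo both ;;
        10) echo klips ;;
        01) echo netkey ;;
        *)  echo none ;;
    esac
}

# Apply the rules of point 6 to the result of loaded_stacks.
startup_expectation() {
    case "$(loaded_stacks "$1")" in
        both)   echo "will not start: unload one stack first" ;;
        klips)  echo "starts on klips" ;;
        netkey) echo "starts on netkey" ;;
        none)   echo "tries netkey, falls back to klips, fails if neither loads" ;;
    esac
}

# Constructed lsmod excerpts for trying the functions offline.
SAMPLE_LSMOD_NETKEY='Module                  Size  Used by
af_key                 34689  0
xfrm_user              23553  0
esp4                    9473  0
ah4                     7937  0'
SAMPLE_LSMOD_BOTH="$SAMPLE_LSMOD_NETKEY
ipsec                 284116  0"

# Stand-alone use against the live system:
#   startup_expectation "$(lsmod)"
#   stack_from_version "$(ipsec --version | head -n 1)"
```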
5. Configure OpenSWan
1. OpenSWan main configuration files
/etc/ipsec.secrets  stores private RSA keys and pre-shared keys (PSKs)
/etc/ipsec.conf     main configuration file (settings, options, defaults, connections)
2. OpenSWan main configuration directories
/etc/ipsec.d/cacerts    X.509 root certificates
/etc/ipsec.d/certs      X.509 client certificates
/etc/ipsec.d/private    X.509 certificate private keys
/etc/ipsec.d/crls       X.509 certificate revocation lists
/etc/ipsec.d/ocspcerts  X.509 OCSP (Online Certificate Status Protocol) certificates
/etc/ipsec.d/passwd     XAUTH password file
/etc/ipsec.d/policies   Opportunistic Encryption policy groups
3. OpenSWan connection methods
OpenSWan has two connection methods:
1) Network-To-Network mode. As the name implies, this method connects two networks into one virtual private network. Once the connection is established, the hosts in each subnet can transparently access the hosts in the remote subnet. Two conditions must be met: I. each subnet has a host with OpenSWan installed acting as the egress gateway of that subnet; II. the IP ranges of the two subnets must not overlap.
2) Road Warrior mode. In Network-To-Network mode, the host acting as a subnet's gateway cannot itself access the remote subnet as transparently as the hosts inside the subnet can. In other words, if you are a mobile user with a laptop, travelling frequently or working from different locations, your laptop cannot join the corporate network in Network-To-Network mode. Road Warrior mode is designed for this situation: once the connection is established, your laptop can reach the remote network.
4. OpenSWan authentication methods
Openswan supports several different authentication methods, including RSA keys, pre-shared keys, XAUTH and X.509 certificates.
5. Configure OpenSWan with RSA digital signature (RSASIG) authentication
1) Generate a new host key on LServer, RServer and Laptop:
ipsec newhostkey --output /etc/ipsec.secrets
Continue with steps 2 to 4 below to configure the Network-To-Network link between LServer and RServer:
2) Execute the following command on LServer to obtain leftrsasigkey (that is, LServer's public key):
ipsec showhostkey --left
The output format of this command is as follows:
# RSA 2192 bits LServer.FoxBB.Com Sat Mar 3 15:45:00 2007
leftrsasigkey=0sAQOBIJFmj...
3) Execute the following command on RServer to obtain rightrsasigkey (that is, RServer's public key):
ipsec showhostkey --right
The output format of this command is as follows:
# RSA 2192 bits RServer.FoxBB.Com Sat Mar 3 15:51:56 2007
rightrsasigkey=0sAQNZZZjj...
4) Edit /etc/ipsec.conf on LServer and RServer:
vi /etc/ipsec.conf
Add the following at the end (replace the leftrsasigkey and rightrsasigkey values with those obtained in steps 2 and 3):
conn net-to-net
    left=192.168.1.103              # LServer public network IP address
    leftsubnet=192.168.2.0/24       # LServer private network IP segment
    leftid=@LServer.FoxBB.Com       # LServer identity
    leftrsasigkey=0sAQOBIJFmj...    # LServer's public key
    leftnexthop=%defaultroute       # LServer's next hop is the default route
    right=192.168.1.104             # RServer public network IP address
    rightsubnet=192.168.3.0/24      # RServer private network IP segment
    rightid=@RServer.FoxBB.Com      # RServer identity
    rightrsasigkey=0sAQNZZZjj...    # RServer's public key
    rightnexthop=%defaultroute      # RServer's next hop is the default route
    auto=add                        # add this connection, but do not bring it up automatically when OpenSWan starts
Continue with steps 5 to 10 below to configure Road Warrior mode between LServer and Laptop:
5) Execute the following command on Laptop to obtain leftrsasigkey (that is, Laptop's public key):
ipsec showhostkey --left
The output format of this command is as follows:
# RSA 2192 bits Laptop.FoxBB.Com Sun Mar 11 09:14:25 2007
leftrsasigkey=0sAQOa8tu4E...
6) Execute the following command on LServer to obtain rightrsasigkey (that is, LServer's public key):
ipsec showhostkey --right
The output format of this command is as follows:
# RSA 2192 bits LServer.FoxBB.Com Sat Mar 3 15:45:00 2007
rightrsasigkey=0sAQOBIJFmj...
7) Edit /etc/ipsec.conf on Laptop:
vi /etc/ipsec.conf
Add the following at the end (replace the leftrsasigkey and rightrsasigkey values with those obtained in steps 5 and 6):
conn road
    left=%defaultroute              # Laptop's IP is taken from the default route
    leftid=@Laptop.FoxBB.Com        # Laptop identity
    leftrsasigkey=0sAQOa8tu4E...    # Laptop's public key
    right=192.168.1.103             # LServer public network IP
    rightsubnet=192.168.2.0/24      # LServer private network IP segment
    rightid=@LServer.FoxBB.Com      # LServer identity
    rightrsasigkey=0sAQOBIJFmj...   # LServer's public key
    auto=add                        # add this connection, but do not bring it up automatically when OpenSWan starts
8) Execute the following command on LServer to obtain leftrsasigkey (that is, LServer's public key):
ipsec showhostkey --left
The output format of this command is as follows:
# RSA 2192 bits LServer.FoxBB.Com Sat Mar 3 15:45:00 2007
leftrsasigkey=0sAQOBIJFmj...
9) Execute the following command on Laptop to obtain rightrsasigkey (that is, Laptop's public key):
ipsec showhostkey --right
The output format of this command is as follows:
# RSA 2192 bits Laptop.FoxBB.Com Sun Mar 11 09:14:25 2007
rightrsasigkey=0sAQOa8tu4E...
10) Edit /etc/ipsec.conf on LServer:
vi /etc/ipsec.conf
Add the following at the end (replace the leftrsasigkey and rightrsasigkey values with those obtained in steps 8 and 9):
conn road
    left=192.168.1.103              # LServer public network IP
    leftid=@LServer.FoxBB.Com       # LServer identity
    leftsubnet=192.168.2.0/24       # LServer intranet IP segment
    leftrsasigkey=0sAQOBIJFmj...    # LServer's public key
    rightnexthop=%defaultroute      # correct in most situations
    right=%any                      # Laptop's public IP may be dynamic, so %any accepts any address
    rightid=@Laptop.FoxBB.Com       # Laptop identity
    rightrsasigkey=0sAQOa8tu4E...   # Laptop's public key
    auto=add                        # add this connection, but do not bring it up automatically when OpenSWan starts
Note: in Network-To-Network mode, the connection configuration in /etc/ipsec.conf is the same on both gateways, that is, left and right are identical on both sides. In Road Warrior mode the connection configuration on Laptop and on the gateway differ: left refers to the local host being configured, and right refers to the remote host it connects to.
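Steps 2 to 10 copy public keys by hand between three hosts, and the note above is exactly where it goes wrong: in Network-To-Network mode both gateways must carry an identical conn block, while in Road Warrior mode each side's leftrsasigkey must equal the other side's rightrsasigkey. The shell functions below are an added example, not part of the article or Openswan: they pull the key out of ipsec showhostkey output, render the conn blocks of steps 4, 7 and 10 from variables, and check a pair of blocks for the key relationship the mode requires. The host names and addresses are the article's; the key values in the sample output are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original article): render the conn blocks of
# steps 4, 7 and 10 from "ipsec showhostkey" output and check that a pair of
# blocks agrees on the keys in the way the mode requires.

# Extract the 0s... key from a showhostkey banner such as
#   # RSA 2192 bits LServer.FoxBB.Com Sat Mar 3 15:45:00 2007
#   leftrsasigkey=0s...
rsasigkey_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]*rsasigkey=//p' | head -n 1
}

# Value of parameter $2 (e.g. leftrsasigkey) inside a rendered conn block $1.
conn_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# Step 4: the block that is installed unchanged on both gateways.
render_net_to_net() {   # $1 LServer key, $2 RServer key
    cat <<EOF
conn net-to-net
    left=192.168.1.103
    leftsubnet=192.168.2.0/24
    leftid=@LServer.FoxBB.Com
    leftrsasigkey=$1
    leftnexthop=%defaultroute
    right=192.168.1.104
    rightsubnet=192.168.3.0/24
    rightid=@RServer.FoxBB.Com
    rightrsasigkey=$2
    rightnexthop=%defaultroute
    auto=add
EOF
}

# Steps 7 and 10: "left" is always the host being configured, so the laptop
# and the gateway get different blocks with the two keys swapped.
render_road() {   # $1 role: laptop|gateway, $2 Laptop key, $3 LServer key
    if [ "$1" = laptop ]; then
        cat <<EOF
conn road
    left=%defaultroute
    leftid=@Laptop.FoxBB.Com
    leftrsasigkey=$2
    right=192.168.1.103
    rightsubnet=192.168.2.0/24
    rightid=@LServer.FoxBB.Com
    rightrsasigkey=$3
    auto=add
EOF
    else
        cat <<EOF
conn road
    left=192.168.1.103
    leftid=@LServer.FoxBB.Com
    leftsubnet=192.168.2.0/24
    leftrsasigkey=$3
    rightnexthop=%defaultroute
    right=%any
    rightid=@Laptop.FoxBB.Com
    rightrsasigkey=$2
    auto=add
EOF
    fi
}

# Check the two peers' blocks. net-to-net: both blocks carry the same keys.
# road: each side's leftrsasigkey is the other side's rightrsasigkey.
peer_keys_consistent() {   # $1 mode, $2 block A, $3 block B
    al=$(conn_param "$2" leftrsasigkey);  ar=$(conn_param "$2" rightrsasigkey)
    bl=$(conn_param "$3" leftrsasigkey);  br=$(conn_param "$3" rightrsasigkey)
    [ -n "$al" ] && [ -n "$ar" ] || return 1
    case "$1" in
        net-to-net) [ "$al" = "$bl" ] && [ "$ar" = "$br" ] ;;
        road)       [ "$al" = "$br" ] && [ "$ar" = "$bl" ] ;;
        *)          return 1 ;;
    esac
}

# Constructed showhostkey output (placeholder keys, not real ones).
SAMPLE_LSERVER_LEFT='# RSA 2192 bits LServer.FoxBB.Com Sat Mar 3 15:45:00 2007
leftrsasigkey=0sPLACEHOLDERLSERVER'
SAMPLE_RSERVER_RIGHT='# RSA 2192 bits RServer.FoxBB.Com Sat Mar 3 15:51:56 2007
rightrsasigkey=0sPLACEHOLDERRSERVER'
SAMPLE_LAPTOP_LEFT='# RSA 2192 bits Laptop.FoxBB.Com Sun Mar 11 09:14:25 2007
leftrsasigkey=0sPLACEHOLDERLAPTOP'
```

In practice the showhostkey output is captured on each host, carried to the peer, and fed to rsasigkey_from_output there; the rendered block is then appended to /etc/ipsec.conf, and peer_keys_consistent is run over the two files before service ipsec start.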
11) Execute the following command on LServer, RServer and Laptop to start OpenSWan:
service ipsec start
12) Execute the following command on LServer and RServer to verify that OpenSWan is running properly:
ipsec verify
If OpenSWan is running properly, you will get output similar to the following:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.4.7/K2.6.9-42.EL (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
13) Execute the following command on LServer or RServer to bring up the Network-To-Network connection between LServer and RServer:
ipsec auto --up net-to-net
You will get output similar to the following (if "IPsec SA established" appears in the last output line, the connection succeeded):
104 "net-to-net" #1: STATE_MAIN_I1: initiate
003 "net-to-net" #1: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
003 "net-to-net" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa329d030
14) Execute the following command on Laptop to bring up the Road Warrior connection between Laptop and LServer:
ipsec auto --up road
You will get output similar to the following (if "IPsec SA established" appears in the last output line, the connection succeeded):
104 "road" #1: STATE_MAIN_I1: initiate
003 "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "road" #1: received Vendor ID payload [Dead Peer Detection]
003 "road" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "road" #2: STATE_QUICK_I1: initiate
004 "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x070f9aae
15) Test the IPsec link. Execute on LClient:
ping 192.168.3.2
or execute on RClient:
ping 192.168.2.2
While the ping is running, execute on LServer or RServer:
tcpdump -i eth0
If LClient and RClient can ping each other and tcpdump shows output similar to the following, the IPsec connection in Network-To-Network mode has been established successfully:
13:28:09.931263 IP 192.168.1.104 > 192.168.1.103: ESP(spi=0xa329d030,seq=0x126)
13:28:09.935244 IP 192.168.1.103 > 192.168.1.104: ESP(spi=0xae29b36c,seq=0x126)
13:28:10.818461 IP 192.168.1.104 > 192.168.1.103: ESP(spi=0xa329d030,seq=0x127)
IP 192.168.1.103 > 192.168.1.104: ESP(spi=0xae29b36c,seq=0x127)
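Steps 13 to 15 rely on reading three outputs by eye: the last line of ipsec auto --up, the SPI it prints, and the ESP packets tcpdump shows between the two gateway addresses. The shell functions below are an added example, not from the article or Openswan; they perform those three reads on text passed in as strings, so they can be tried on the constructed samples in the block and then on real output. They check that the SA was established, that ESP is seen in both directions between the gateways, and that an SPI from the pluto output actually appears on the wire. A ping that succeeds while tcpdump shows ESP in only one direction, or none at all, means the clients' traffic is not going through the tunnel (the NAT rules set up earlier would still let it reach the other side in the clear). The second SPI and the fourth timestamp in the samples are this example's own placeholders, since the article's output is truncated there.

```shell
#!/bin/sh
# Added example (not from the original article): machine-check the outputs
# the article asks you to read by eye in steps 13 to 15.

# Steps 13/14: the connection succeeded if the last line of the
# "ipsec auto --up" output announces an IPsec SA.
sa_established() {
    printf '%s\n' "$1" | tail -n 1 | grep -q 'IPsec SA established'
}

# Steps 13/14: SPIs announced in the pluto output (the 0x... values on the
# "IPsec SA established" line), one per output line.
announced_spis() {
    printf '%s\n' "$1" | grep 'IPsec SA established' | grep -o '0x[0-9a-f]*'
}

# Step 15: ESP must be seen from gateway $1 to gateway $2 and back in the
# tcpdump text $3; a one-way or empty result means the tunnel is not
# carrying the traffic.
esp_bidirectional() {
    esp=$(printf '%s\n' "$3" | grep 'ESP(' || true)
    printf '%s\n' "$esp" | grep -Fq "IP $1 > $2: ESP(" &&
    printf '%s\n' "$esp" | grep -Fq "IP $2 > $1: ESP("
}

# Cross-check: does SPI $1 (as listed by announced_spis) occur in the
# tcpdump text $2?
spi_on_wire() {
    printf '%s\n' "$2" | grep -Fq "spi=$1,"
}

# Constructed samples in the shape of the article's output. The ESP line of
# the pluto sample and the last tcpdump timestamp are placeholders where the
# article's text is truncated.
SAMPLE_PLUTO='104 "net-to-net" #1: STATE_MAIN_I1: initiate
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa329d030 <0xae29b36c}'
SAMPLE_TCPDUMP='13:28:09.931263 IP 192.168.1.104 > 192.168.1.103: ESP(spi=0xa329d030,seq=0x126)
13:28:09.935244 IP 192.168.1.103 > 192.168.1.104: ESP(spi=0xae29b36c,seq=0x126)
13:28:10.818461 IP 192.168.1.104 > 192.168.1.103: ESP(spi=0xa329d030,seq=0x127)
13:28:10.822000 IP 192.168.1.103 > 192.168.1.104: ESP(spi=0xae29b36c,seq=0x127)'

# Stand-alone use on real output (run on LServer while LClient pings RClient):
#   up=$(ipsec auto --up net-to-net); sa_established "$up" && echo "SA up"
#   cap=$(tcpdump -i eth0 -c 20 -n esp 2>/dev/null)
#   esp_bidirectional 192.168.1.103 192.168.1.104 "$cap" && echo "ESP both ways"
```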
16) After the tests succeed, you can make the connections come up automatically by changing, in each connection configuration,
auto=add
to:
auto=start
so that OpenSWan connects automatically when it starts.
That is the content of this article on "how to install OpenSWan under Linux". I believe you now have some understanding of it. I hope the content shared by the editor is helpful to you. If you want to learn more, please follow the industry information channel.