
Realization of double IDC Interconnection by Openswan under CentOS 6.5ipesc

2025-01-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. Software description

1. Introduction to Openswan

Openswan is the best way to implement IPsec under Linux: it is feature-rich and protects the confidentiality and integrity of transmitted data to the greatest extent. Openswan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on different hardware platforms, including x86, IA64, MIPS and ARM.

Openswan is a successor branch of the open source project FreeS/WAN, created after that project stopped development; the work split into two projects, Openswan and Strongswan. Openswan consists of three main components: the configuration tool (the ipsec command script), the key management daemon (pluto) and the kernel component (KLIPS or 26sec). 26sec uses the NETKEY module built into the 2.6 kernel in place of the KLIPS module developed by Openswan; kernels of version 2.4 and below have no NETKEY support and can only use KLIPS. If you are running a 2.6.9 or later kernel, 26sec is recommended, because NAT-T then works without patching the kernel. Below 2.6.9, NETKEY has a NAT bug, so KLIPS is recommended there. IPsec is almost the oldest of these standards and is still very secure, once configured. The implication is that its configuration is troublesome, which is what this article explains below.

Since FreeS/WAN stopped development in March 2004, we use its successor project, Openswan, for our IPsec experiment. One advantage over FreeS/WAN is that, with 26sec, Openswan can traverse NAT without patching the kernel.

2. Installation of Openswan

Because IPsec works at the network layer, it needs kernel support. As mentioned above, there are two choices: the kernel's own stack (26sec) or Openswan's (KLIPS). For convenience (how to patch and compile the kernel is not the focus of this article), this article uses the prebuilt Openswan package from the CentOS repository:

# yum install openswan

If you want to install from source, download the package from http://www.openswan.org/code and follow the instructions in it. Since we use 26sec, the following is enough:

# make programs; make install

It is worth noting that some useful patches are built into Openswan, such as X.509 and NAT Traversal support, which are very convenient. You can verify your installation with the following command:

# ipsec verify

3. Authentication method of Openswan

Openswan supports several authentication methods, including:

RSA keys (RSA signature, the relatively simple option)

Pre-shared keys

XAUTH or X.509 certificates

4. The connection method of Openswan:

1) Network-To-Network mode, the focus of this article, since it meets the enterprise requirement.

The Network-To-Network method is to connect two networks into a virtual private network. When the connection is established, the hosts in each subnet can access the hosts in the remote subnet transparently.

To achieve this connection, the following two conditions must be met:

i. Each subnet has a host with OpenSWan installed as the egress gateway or route for its subnet

ii. The IP segments of the two subnets must not overlap

2) Road Warrior mode

When using Network-To-Network mode, the host acting as the gateway of each subnet (the openswan server) cannot access hosts in the remote subnet as transparently as the hosts inside the subnet can. That is to say, if you are a mobile user with an LClient who travels frequently or works from different locations, your LClient cannot connect to the corporate network in Network-To-Network mode. Road Warrior mode is designed for this situation: once the connection is established, your LClient can connect to the remote network. (Alternatively, the SSL-based open source product open*** meets the need for remote dial-up access when traveling.)

For more details, see the OpenSWan project home page: http://www.openswan.org

5. This article will test from the following points

Net-to-net mode

1) based on pre-shared keys authentication (PSK)

2) based on RSA Signature authentication (RSA digital signature)

3) based on digital certificate authentication (x.509 certificate)

4) based on XAUTH authentication (IPSec/Xauth PSK)

Road Warrior mode

5) based on pre-shared keys authentication (PSK)

6) based on RSA Signature authentication (RSA digital signature)

7) based on digital certificate authentication (x.509 certificate)

8) based on XAUTH authentication (IPSec/Xauth PSK)

II. Environmental description

1. Network topology

2. Purpose of the experiment

The purpose of this experiment is to interconnect the different subnets of client1 and client2 in two different regions, that is, to let intranet machines in different computer rooms and different network segments communicate with each other.

3. Introduction of experimental environment

Device name | IP address information | Computer room

*server1 | public network eth0 192.168.2.48 (bridged); intranet eth2 192.168.183.1 (VMnet1); gateway 192.168.2.1 | Beijing

*server2 | extranet eth0 192.168.2.111 (bridged); intranet eth2 192.168.233.1 (VMnet2); gateway 192.168.2.1 | Shanghai

client1 | eth0 192.168.183.44 (VMnet); gateway 192.168.183.1 | Beijing

client2 | eth0 192.168.233.44 (VMnet4); gateway 192.168.233.1 | Shanghai

Description: I use the gateway (route) pattern, through which the client machines communicate.

My local network is the 192.168.2.0/24 segment. In order to allow the ×× Server to access the Internet, I set the eth0 of the ××

III. Deployment of Openswan environment

1. Enable data forwarding

# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

2. Disable ICMP redirects

# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1 "= 0"}' >> /etc/sysctl.conf
# sysctl -p

3. Disable SELinux

# setenforce 0

4. Install openswan (the same operation on both *servers)

# yum install openswan lsof -y
# rpm -ql openswan        // see which files were installed
# ipsec --version         // view the ipsec version
[root@***server1 etc]# ipsec --version
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.

No IPsec stack is loaded here yet; the netkey stack that comes with the system is loaded automatically when IPsec is started.

[root@***server1 etc]# service ipsec start
[root@***server1 etc]# ipsec verify        // verify ipsec (the same operation on both *servers)
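The article's step 2 one-liner rewrites sysctl output into "key = 0" lines with egrep and awk. The script below is an added example, not part of the original article: it performs the same transformation with the quoting fixed, and adds an audit that reports every setting from steps 1 and 2 (ip_forward, default.rp_filter, the IPv4 redirect knobs) that still differs from what a tunnel gateway needs. The sysctl lines it reads are constructed sample input, not output captured from the article's hosts, so it runs offline; on a real gateway, pipe `sysctl -a` into the two functions instead.

```shell
#!/bin/sh
# Added example, not from the original article: check the sysctl state that
# steps 1 and 2 above require, from `sysctl -a`-style "key = value" lines.

# Same transformation as the article's egrep|awk one-liner (quoting fixed):
# read sysctl lines on stdin, print "key = 0" for every IPv4 ICMP redirect knob.
redirect_fixups() {
    awk -F'=' '/ipv4.*(accept|send)_redirects/ {
        sub(/ +$/, "", $1)
        print $1 " = 0"
    }'
}

# Read the same lines and report every setting that differs from what the
# tunnel gateway needs: ip_forward=1, default.rp_filter=0, all IPv4 redirect
# knobs 0. Prints one WRONG/MISSING line per problem; exit status 1 if any.
check_forwarding() {
    awk -F' *= *' '
        BEGIN {
            want["net.ipv4.ip_forward"] = 1
            want["net.ipv4.conf.default.rp_filter"] = 0
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) { printf "WRONG %s=%s (want %s)\n", $1, $2, want[$1]; bad = 1 }
            next
        }
        /ipv4.*(accept|send)_redirects/ {
            if ($2 != 0) { printf "WRONG %s=%s (want 0)\n", $1, $2; bad = 1 }
        }
        END {
            for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit bad
        }'
}

# Constructed sample of sysctl -a output from a freshly installed gateway
# (not captured from the article's hosts). Note the ipv6 line is deliberately
# left alone by both functions, exactly as the article's egrep pattern does.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 1
kernel.hostname = server1'

echo "Lines to append to /etc/sysctl.conf:"
printf '%s\n' "$SAMPLE_SYSCTL" | redirect_fixups
echo "Audit of current values:"
if printf '%s\n' "$SAMPLE_SYSCTL" | check_forwarding; then
    echo "all required settings present"
else
    echo "fix the settings listed above, then run sysctl -p"
fi
```

Running the audit again after `sysctl -p` is a cheap way to confirm the gateway really forwards and no longer emits redirects before moving on to ipsec verify.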


Important note: if the preceding steps were not completed as described, ipsec verify reports errors like the following, and unknown errors will follow in the later steps.

[root@localhost ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K(no kernel code presently loaded)
Checking for IPsec support in kernel                            [FAILED]
SAref kernel support                                            [N/A]
Checking that pluto is running                                  [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding            [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
cat: /etc/ipsec.d/examples/no_oe.conf: No such file or directory
cat: /etc/ipsec.d/examples/no_oe.conf: No such file or directory
Opportunistic Encryption Support

So, make sure the result of ipsec verify is as shown in the figure before continuing with the configuration.

We can see that openswan listens on UDP ports 500 and 4500: 500 is used for IKE key exchange negotiation and 4500 for NAT-T (NAT traversal).

IV. Openswan configuration (network-to-network)

1. Pre-shared keys-based authentication (PSK)

Make the following changes on *server1. There are many configuration parameters; refer to man ipsec.conf for their explanation.

# vim /etc/ipsec.conf
[root@melin etc]# grep -Ev '^#|^$' ipsec.conf.psk
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
conn net-to-net
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    authby=secret
    type=tunnel
    left=192.168.2.48
    leftsubnet=192.168.183.0/24
    leftid=@test1
    leftnexthop=%defaultroute
    right=192.168.2.111
    rightsubnet=192.168.233.0/24
    rightid=@test2
    rightnexthop=%defaultroute
    auto=add

auto=add only adds the connection without bringing it up; auto=start brings the connection up automatically.
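Condition ii of the Network-To-Network mode (the two subnets must not overlap) is easy to violate when the same template is copied between sites, and the symptom is a tunnel that establishes but never carries traffic. The script below is an added example, not part of the original article: it reads a conn stanza like the one above, pulls out leftsubnet and rightsubnet, and decides with plain integer arithmetic whether the two CIDR blocks share any address. The stanza it reads is a constructed sample mirroring the article's values; on a real gateway, redirect /etc/ipsec.conf into check_conn_subnets instead.

```shell
#!/bin/sh
# Added example, not from the original article: verify that leftsubnet and
# rightsubnet of a net-to-net conn do not overlap (condition ii above).

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Convert a prefix length (0-32) to a 32-bit netmask integer.
prefix2mask() {
    echo $(( 4294967295 - ((1 << (32 - $1)) - 1) ))
}

# Exit status 0 if the two CIDR blocks overlap, 1 if they are disjoint.
# Two blocks overlap exactly when the larger one (shorter prefix) contains
# the network address of the other, so compare both under the shorter mask.
subnets_overlap() {
    net1=${1%/*}; len1=${1#*/}
    net2=${2%/*}; len2=${2#*/}
    if [ "$len1" -le "$len2" ]; then short=$len1; else short=$len2; fi
    mask=$(prefix2mask "$short")
    [ $(( $(ip2int "$net1") & mask )) -eq $(( $(ip2int "$net2") & mask )) ]
}

# Read an ipsec.conf on stdin, take the first leftsubnet/rightsubnet found,
# and print a verdict. Exit 0 if disjoint, 1 if overlapping, 2 if missing.
check_conn_subnets() {
    conf=$(cat)
    ls=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*leftsubnet=//p' | head -n 1)
    rs=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*rightsubnet=//p' | head -n 1)
    if [ -z "$ls" ] || [ -z "$rs" ]; then
        echo "ERROR: leftsubnet or rightsubnet missing"
        return 2
    fi
    if subnets_overlap "$ls" "$rs"; then
        echo "OVERLAP: $ls and $rs share addresses; the tunnel cannot route between them"
        return 1
    fi
    echo "OK: $ls and $rs are disjoint"
}

# Constructed sample mirroring the article's conn net-to-net stanza.
SAMPLE_CONF='conn net-to-net
    type=tunnel
    left=192.168.2.48
    leftsubnet=192.168.183.0/24
    right=192.168.2.111
    rightsubnet=192.168.233.0/24
    auto=add'

printf '%s\n' "$SAMPLE_CONF" | check_conn_subnets
```

Because the same ipsec.conf is copied to both gateways, running this once on the file before the scp step covers both ends.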

Install the same configuration file on the other gateway, *server2, that is:

# scp ipsec.conf 192.168.2.111:/etc/

(The ipsec.conf configuration file is identical on the two *servers.)

[root@***server1 etc]# vim /etc/ipsec.secrets
192.168.2.48 %any 0.0.0.0: PSK "123"

The format of this file is: "local IP address" "remote IP address": PSK "your key". On 192.168.2.111 (*server2) modify it to the following (the key must be identical on both ends):

[root@***server2 etc]# vim /etc/ipsec.secrets
192.168.2.111 %any 0.0.0.0: PSK "123"

Restart both services and then bring up our conn:

# service ipsec restart
# ipsec auto --up net-to-net

(Because of auto=add in ipsec.conf, the connection has to be brought up manually.)

When we see "IPsec SA established", the connection has succeeded, and the output also shows the encryption methods and key exchange parameters in use. These can be changed by adding the following to the configuration file (remember to synchronize it to *server2):

ike=aes256-sha2_256;modp2048

phase2alg=aes256-sha2_256;modp2048

Then, if you ping devices in the opposite subnet from client1, you see the following; the ×× Server itself, however, cannot ping devices in the other subnet.

Actions on client1:

# route add default gw 192.168.183.1

We can capture packets and view the data on either ×× Server gateway:

# tcpdump -i eth2 -nn

# tcpdump -i eth0 -nn

On the public interface the traffic appears as ESP (Encapsulating Security Payload), that is, the encrypted data. On the intranet interface both the ICMP echo request and the echo reply are visible, which shows that the request is sent and the response packet is received.
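The two tcpdump captures above are also the quickest check that the tunnel is really protecting the traffic: on the public interface (eth0) only ESP and IKE between the two gateways should appear, never the intranet addresses themselves. The script below is an added example, not part of the original article: it reads tcpdump -nn style lines for the public interface, counts ESP packets, and flags any plaintext ICMP whose source is one of the protected subnets, which would mean packets left the gateway outside the tunnel (for instance with the conn down or a subnet missing from the configuration). The capture lines are constructed samples in tcpdump's format, with placeholder SPI values, not output from the article's hosts.

```shell
#!/bin/sh
# Added example, not from the original article: audit a public-interface
# capture for intranet traffic that escaped the IPsec tunnel.

# Constructed lines in tcpdump -nn style (SPI values are placeholders).
# Healthy traffic: ESP between the two gateways plus an IKE informational.
SAMPLE_ETH0='10:00:01.000001 IP 192.168.2.48 > 192.168.2.111: ESP(spi=0x0000aaaa,seq=0x1), length 132
10:00:01.000900 IP 192.168.2.111 > 192.168.2.48: ESP(spi=0x0000bbbb,seq=0x1), length 132
10:00:02.000001 IP 192.168.2.48 > 192.168.2.111: ESP(spi=0x0000aaaa,seq=0x2), length 132
10:00:02.000900 IP 192.168.2.111 > 192.168.2.48: ESP(spi=0x0000bbbb,seq=0x2), length 132
10:00:03.000001 IP 192.168.2.48.500 > 192.168.2.111.500: isakmp: phase 2/others ? inf[E]: [encrypted hash]'
# Constructed leak: the clients pinging each other in the clear on the public side.
SAMPLE_LEAK='10:00:05.000001 IP 192.168.183.44 > 192.168.233.44: ICMP echo request, id 1, seq 1, length 64
10:00:05.000900 IP 192.168.233.44 > 192.168.183.44: ICMP echo reply, id 1, seq 1, length 64'

# Reads capture lines on stdin. Arguments: the two protected subnets as
# dotted prefixes (for a /24, the first three octets followed by a dot).
# Prints "esp=N plaintext_icmp=M"; exit status 1 if any plaintext ICMP
# sourced from a protected subnet was seen on the public interface.
audit_public_capture() {
    awk -v s1="$1" -v s2="$2" '
        / ESP\(/ { esp++ }
        / ICMP / && (index($3, s1) == 1 || index($3, s2) == 1) { leak++ }
        END {
            printf "esp=%d plaintext_icmp=%d\n", esp, leak
            exit (leak > 0)
        }'
}

echo "Healthy capture:"
printf '%s\n' "$SAMPLE_ETH0" | audit_public_capture 192.168.183. 192.168.233.
echo "Capture with leaked plaintext:"
if printf '%s\n' "$SAMPLE_ETH0" "$SAMPLE_LEAK" | audit_public_capture 192.168.183. 192.168.233.; then
    echo "tunnel is carrying all inter-subnet traffic"
else
    echo "intranet traffic seen in the clear on the public interface; check ipsec auto --status"
fi
```

Feed it a real capture with `tcpdump -i eth0 -nn | audit_public_capture 192.168.183. 192.168.233.` (stop tcpdump after a few pings); the same check on eth2 is not meaningful, because the intranet side is supposed to carry the echo request and reply in the clear.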

After the test passes, change auto=add in the connection configuration to auto=start, so that the connection is brought up automatically when Openswan starts.

At this point, our net-to-net based on psk mode has been successfully built.


2. Authentication based on RSA Signature (RSA digital signature)

Note: because I continued from the above experiment, a problem arose that I could not solve, so I reinstalled; the following procedure was then successful.

The installation of openswan is the same as at the beginning of this article, and we will focus on the different configurations below.

The L-Server mentioned below refers to 192.168.2.48 (×× Server1), and R-Server refers to 192.168.2.111 (×× Server2).

Do the following on L-Server to generate a new RSA key pair:

# ipsec newhostkey --output /etc/ipsec.secrets

(You may skip this at first, because the generation process is too slow; use the following to speed it up.)

# rm -rf /dev/random
# ln -s /dev/urandom /dev/random
# ipsec newhostkey --output /etc/ipsec.secrets

Note that this replaces the blocking /dev/random device with a link to /dev/urandom for the whole system, so the quality of the generated key depends on the kernel's entropy pool having been seeded; restore the original device node once the keys are generated.

Execute the same on R-Server:

# rm -rf /dev/random
# ln -s /dev/urandom /dev/random
# ipsec newhostkey --output /etc/ipsec.secrets

Execute ipsec showhostkey --left on L-Server to get the public key of L-Server:

# ipsec showhostkey --left

Execute ipsec showhostkey --right on R-Server to get the public key of R-Server:

# ipsec showhostkey --right

Remember these two keys, which are used later, or redirect the output straight into the configuration file.

L-Server:

Edit the /etc/ipsec.conf file

# vim /etc/ipsec.conf

# scp /etc/ipsec.conf 192.168.2.111:/etc (synchronize to R-Server)

# service ipsec restart

# ipsec auto --up net-to-net

When we see "IPsec SA established", the connection has succeeded.

After the test passes, change auto=add in the connection configuration to auto=start, then restart the service:

# service ipsec restart

Test:

client1 at one end pings client2 at the other end, and we capture the packets on the *server and inspect them. We can capture packets and view the data on either ×× Server gateway:

# tcpdump -i eth2 -nn

# tcpdump -i eth0 -nn

After all the tests succeed, make the service start at boot:

# chkconfig ipsec on

The net-to-net connection based on RSA Signature authentication (RSA digital signature) is now built.
