FreeBSD site-to-site IPsec VPN
Published: 2023/11/29
This note sets up a VPN between two networks separated by the Internet, with a FreeBSD gateway at each end, so that the two networks can reach each other through the tunnel. IPsec is a protocol built on top of the Internet Protocol (IP) layer that lets two or more hosts communicate securely. It can be used either to encrypt network traffic directly between hosts (transport mode) or to build a "virtual tunnel" between two subnets for secure communication between the two networks (tunnel mode). The latter is more commonly called a Virtual Private Network (VPN).

1. Build the kernel
-------------------------------
# To put IPsec support into the kernel, add the following options to the kernel configuration file:
options   IPSEC          # IP security
options   IPSEC_ESP
device    crypto

# If IPsec debugging support is needed, also add:
options   IPSEC_DEBUG    # debug for IP security
device    gif            # IPv6 and IPv4 tunneling (needed for the gif0 tunnel interface below)
# then rebuild the kernel

2. VPN configuration
---------------------------------
# Install security/ipsec-tools (built from the source tarball here)
server1# tar -jxvf ipsec-tools-0.8-alpha20090422.tar.bz2    # a .tar.bz2 needs -j, not -z
server1# cd ipsec-tools-0.8-alpha20090422
server1# ./configure
server1# make; make install

# Create the gif tunnel on each gateway. The first ifconfig line sets the inner
# (private) addresses of the two tunnel ends; "tunnel" sets the outer (public)
# endpoints that the encapsulated packets actually travel between.
server1:
server1# ifconfig gif0 create
server1# ifconfig gif0 10.10.10.100 172.16.16.100
server1# ifconfig gif0 tunnel 222.11.33.23 222.11.34.56
server2:
server2# ifconfig gif0 create
server2# ifconfig gif0 172.16.16.100 10.10.10.100
server2# ifconfig gif0 tunnel 222.11.34.56 222.11.33.23
# Once this is done, the two private IP addresses should be able to reach each other, as the ping output below shows:
server1# ping 172.16.16.100
PING 172.16.16.100 (172.16.16.100): 56 data bytes
64 bytes from 172.16.16.100: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.100: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.100: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.100: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.100 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms
server2# ping 10.10.10.100
PING 10.10.10.100 (10.10.10.100): 56 data bytes
64 bytes from 10.10.10.100: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.100: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.100: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.100: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.100: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.100 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms

# Add routes so that the whole private network on each side can reach the other
server1:
server1# route add 172.16.16.0 172.16.16.100 255.255.255.0
add net 172.16.16.0: gateway 172.16.16.100
server2:
server2# route add 10.10.10.0 10.10.10.100 255.255.255.0
add net 10.10.10.0: gateway 10.10.10.100
# With this in place, hosts behind each gateway, not only the gateways themselves, can reach the internal network on the other side
server1# ping 172.16.16.23
PING 172.16.16.23 (172.16.16.23): 56 data bytes
64 bytes from 172.16.16.23: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.23: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.23: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.23: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.23 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms

server2# ping 10.10.10.16
PING 10.10.10.16 (10.10.10.16): 56 data bytes
64 bytes from 10.10.10.16: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.16: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.16: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.16: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.16: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.16 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms

3. Encrypting the tunnel
------------------------------------------------------
# Use a pre-shared key (PSK) to authenticate the two gateways and encrypt the tunnel, so the data crossing it is protected
# Requires security/ipsec-tools (installed above)

server1# vi /usr/local/etc/racoon/racoon.conf        // the file is almost the same on both sides; only the addresses are swapped

path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; # location of pre-shared key file
                                                         # (one "<peer identifier> <key>" line per peer; racoon refuses the file unless it is mode 0600)

log     debug;  # log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listen on
{
        isakmp          222.11.33.23 [500];
        isakmp_natt     222.11.33.23 [4500];
}

remote  222.11.34.56 [500]
{
        exchange_mode   main,aggressive;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address 222.11.33.23;
        peers_identifier        address 222.11.34.56;
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
#       nat_traversal   off;
        generate_policy off;
        proposal {
                encryption_algorithm    blowfish;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                lifetime time           30 sec;
                dh_group                1;      # 768-bit MODP; blowfish/md5/group 1 are dated choices by today's standards
        }
}

sainfo  (address 10.10.10.0/24 any address 172.16.16.0/24 any)    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{                               # $network must be the two internal networks you are joining.
        pfs_group       1;
        lifetime        time    36000 sec;
        encryption_algorithm    blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm   deflate;
}
server1# vi /usr/local/etc/racoon/setkey.conf

flush;
spdflush;
# To the home network
spdadd 10.10.10.0/24 172.16.16.0/24 any -P out ipsec esp/tunnel/222.11.33.23-222.11.34.56/use;
spdadd 172.16.16.0/24 10.10.10.0/24 any -P in ipsec esp/tunnel/222.11.34.56-222.11.33.23/use;
# (on server2 the same two policies appear with the directions and the address pairs swapped)
# Policy level "use" means: encrypt when an SA exists, but still pass traffic in the clear when none has been
# negotiated. "require" would drop the traffic instead, so a failed IKE negotiation cannot leak private traffic.

# Once this is done, start racoon on both gateways with:
server1# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
server2# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
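As an added example (not code from the original post or from ipsec-tools), the following POSIX shell script renders the side-specific parts of sections 2 and 3, namely the gif0/route commands, setkey.conf and the listen/remote part of racoon.conf, for both gateways from one set of parameters, and checks that the two setkey policies mirror each other exactly. It uses the post's addresses; the function names, the LEVEL parameter (it renders "require" rather than the post's "use") and the choice of main mode only are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: render the per-gateway parts of
# the two-site IPsec setup from one set of parameters so that server1 and
# server2 are exact mirrors of each other.

# Site A = server1, site B = server2 (addresses from the post):
# public (outer) address, private gateway (inner) address, private network.
A_PUB=222.11.33.23; A_GW=10.10.10.100;  A_NET=10.10.10.0/24
B_PUB=222.11.34.56; B_GW=172.16.16.100; B_NET=172.16.16.0/24

# gif_setup LOCAL_GW REMOTE_GW LOCAL_PUB REMOTE_PUB REMOTE_NET
# Commands for one gateway: inner addresses on gif0, outer addresses on the
# tunnel, and a route to the far private network via the far gateway.
gif_setup() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 tunnel %s %s\n' "$3" "$4"
    printf 'route add -net %s %s\n' "$5" "$2"
}

# setkey_conf LOCAL_PUB REMOTE_PUB LOCAL_NET REMOTE_NET LEVEL
# setkey.conf for one gateway. LEVEL "use" is the post's value (fall back to
# cleartext when no SA exists); "require" drops such traffic instead.
setkey_conf() {
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/%s;\n' \
        "$3" "$4" "$1" "$2" "$5"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/%s;\n' \
        "$4" "$3" "$2" "$1" "$5"
}

# racoon_peer LOCAL_PUB REMOTE_PUB
# The listen/remote part of racoon.conf that differs between the sides; path,
# log, padding, timer and sainfo are identical on both gateways (main mode
# only here, which is this example's choice).
racoon_peer() {
    cat <<EOF
listen {
        isakmp          $1 [500];
        isakmp_natt     $1 [4500];
}
remote $2 [500] {
        exchange_mode   main;
        my_identifier   address $1;
        peers_identifier address $2;
        proposal_check  obey;
        generate_policy off;
        proposal {
                encryption_algorithm    blowfish;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                dh_group                1;
        }
}
EOF
}

# mirror_ok LEVEL: succeed when the two setkey.conf files are exact mirrors,
# i.e. every "-P in" policy on side A is a "-P out" policy on side B.
mirror_ok() {
    a=$(setkey_conf "$A_PUB" "$B_PUB" "$A_NET" "$B_NET" "$1")
    b=$(setkey_conf "$B_PUB" "$A_PUB" "$B_NET" "$A_NET" "$1")
    a_in=$(printf '%s\n' "$a" | grep -- '-P in ' | sed 's/-P in /-P out /')
    b_out=$(printf '%s\n' "$b" | grep -- '-P out ')
    [ -n "$a_in" ] && [ "$a_in" = "$b_out" ]
}

# Render both sides to stdout (redirect each part into its own file as needed).
for side in A B; do
    if [ "$side" = A ]; then
        lpub=$A_PUB; rpub=$B_PUB; lgw=$A_GW; rgw=$B_GW; lnet=$A_NET; rnet=$B_NET
    else
        lpub=$B_PUB; rpub=$A_PUB; lgw=$B_GW; rgw=$A_GW; lnet=$B_NET; rnet=$A_NET
    fi
    echo "### site $side: gif0 and route";          gif_setup "$lgw" "$rgw" "$lpub" "$rpub" "$rnet"
    echo "### site $side: setkey.conf";             setkey_conf "$lpub" "$rpub" "$lnet" "$rnet" require
    echo "### site $side: racoon.conf listen/remote"; racoon_peer "$lpub" "$rpub"
done
```

Generating both sides from one parameter set removes the usual site-to-site mistake of editing one address on one gateway only, which with the post's "use" policy level fails silently into cleartext rather than loudly.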
# Confirm that the tunnel is working: with racoon running, traffic between the two gateways should appear as ESP
server1# tcpdump -i em0 host 222.11.33.23 and dst 222.11.34.56
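To make the tcpdump check concrete, here is an added example (not from the original post) that classifies capture lines between the two gateway addresses as IKE, ESP or cleartext, and only reports the tunnel as working when ESP is seen in both directions and no unprotected IP-in-IP packet appears. This is what catches the failure mode of the post's "use" policy level, where a failed negotiation lets the gif traffic cross the Internet unencrypted. The sample capture is constructed to look like tcpdump's one-line output and is not a real trace; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: check a tcpdump capture of the
# gateway-to-gateway traffic and confirm it is all IKE or ESP, with no
# cleartext IP-in-IP (gif) packets in between.

# Constructed sample in the shape of tcpdump -n output (not a real capture):
# two IKE packets, one ESP packet each way, and one unprotected IP-in-IP
# packet that a working tunnel must never produce.
SAMPLE='10:21:03.112233 IP 222.11.33.23.500 > 222.11.34.56.500: isakmp: phase 1 I ident
10:21:03.120001 IP 222.11.34.56.500 > 222.11.33.23.500: isakmp: phase 1 R ident
10:21:04.000102 IP 222.11.33.23 > 222.11.34.56: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
10:21:04.007311 IP 222.11.34.56 > 222.11.33.23: ESP(spi=0x04d2f00d,seq=0x1), length 116
10:21:09.500000 IP 222.11.33.23 > 222.11.34.56: IP 10.10.10.100 > 172.16.16.100: ICMP echo request, id 4660, seq 0, length 64'

# classify LINE: print esp, ike, clear or other for one capture line.
classify() {
    case $1 in
        *": ESP(spi="*)                                    echo esp ;;
        *".500 > "*".500: isakmp"*|*".4500 > "*".4500: "*) echo ike ;;
        *" > "*": IP "*" > "*)                             echo clear ;;  # inner IP header visible: not encrypted
        *)                                                 echo other ;;
    esac
}

# clear_count < capture: number of cleartext encapsulated packets.
clear_count() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify "$line")" = clear ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# tunnel_ok LOCAL_PUB REMOTE_PUB < capture: succeed only when there is at
# least one ESP packet in each direction and no cleartext packet at all.
tunnel_ok() {
    ab=0; ba=0; clr=0
    while IFS= read -r line; do
        case $(classify "$line") in
            clear) clr=$((clr + 1)) ;;
            esp)
                case $line in
                    *"IP $1 > $2: "*) ab=$((ab + 1)) ;;
                    *"IP $2 > $1: "*) ba=$((ba + 1)) ;;
                esac ;;
        esac
    done
    [ "$clr" -eq 0 ] && [ "$ab" -gt 0 ] && [ "$ba" -gt 0 ]
}

# Run against the sample: its last line makes the check fail, as it should.
# On a real gateway the input would come from:
#   tcpdump -l -n -i em0 host 222.11.33.23 and host 222.11.34.56 | tunnel_ok 222.11.33.23 222.11.34.56
if printf '%s\n' "$SAMPLE" | tunnel_ok 222.11.33.23 222.11.34.56; then
    echo "tunnel OK: only IKE and ESP seen between the gateways"
else
    echo "tunnel NOT OK: $(printf '%s\n' "$SAMPLE" | clear_count) cleartext packet(s) between the gateways"
fi
```

The check deliberately treats "any cleartext packet" as a failure rather than "some ESP packets" as success: with the "use" level, both can be true at once, and only the first tells you that private traffic has leaked.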
4. Firewall settings
------------------------------------------------
# ipfw rules (IKE uses UDP 500; if NAT traversal on UDP 4500 is enabled in racoon, that port must be allowed too)
ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any

# pf rules
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any

# Start VPN support when the machine boots
server1# vi /etc/rc.conf

ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"
Reprinted from: https://blog.51cto.com/kerry/239106