  • [Repost] IPSec-Tools configuration

    Source: https://blog.csdn.net/zt698/article/details/4811604

    1       Introduction
    Since Linux 2.6 the kernel has shipped its own IPsec implementation; together with IPSec-Tools it gives Linux a complete, working IPsec stack.

    IPSec-Tools consists of four main parts: libipsec, setkey, racoon and racoonctl. setkey configures the SAD (security association database) and the SPD (security policy database); racoon performs IKE negotiation.

    This article uses the simplest possible network (two PCs connected directly, both running Linux 2.6.27) to show how to set up transport-mode IPsec with IPSec-Tools, first with IKE and then with manual keying.

    By default the IPSec-Tools configuration files live in /etc/racoon: setkey.conf holds the SAD and SPD entries, and racoon.conf describes how each IKE phase is to be negotiated.

    2       Topology
    Two hosts connected directly: A is 192.168.59.132 and B is 192.168.59.133 (the diagram is not included on this page; the addresses are the ones used in the configuration below).

    3       IKE configuration
    1)        Use pre-shared key authentication: create the file psk.txt in /etc/racoon.

    On A, psk.txt contains:  192.168.59.133  mekmitasdigoat

    On B, psk.txt contains:  192.168.59.132  mekmitasdigoat

    Each line is the peer's address followed by the shared secret (mekmitasdigoat is a placeholder; use a long random secret in practice). After creating psk.txt, run chmod 600 psk.txt so that only root can read it; racoon refuses a key file that is readable by others.

    2)        Open setkey.conf.

    On A enter:

        flush;
        spdflush;
        spdadd 192.168.59.132 192.168.59.133 any -P out ipsec esp/transport//require;
        spdadd 192.168.59.133 192.168.59.132 any -P in ipsec esp/transport//require;

    On B enter:

        flush;
        spdflush;
        spdadd 192.168.59.132 192.168.59.133 any -P in ipsec esp/transport//require;
        spdadd 192.168.59.133 192.168.59.132 any -P out ipsec esp/transport//require;

    The two files differ only in direction: each host marks traffic it sends to the peer as out and traffic from the peer as in. require means a packet that matches the policy is dropped unless transport-mode ESP is applied to it. There are no add lines here because racoon installs the SAs itself once IKE completes.

    3)        Open racoon.conf on both A and B and enter the same content on each:

    path include "/etc/racoon";                 # location of included configuration files
    path pre_shared_key "/etc/racoon/psk.txt";  # pre-shared key file
    path certificate "/etc/racoon/cert";        # certificate directory (unused with PSK authentication)

    log notify;

    # "padding" defines some parameters of padding.  You should not touch these.
    padding
    {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomized length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
    }

    # If no listen directive is specified, racoon will listen on all
    # available interface addresses.
    listen
    {
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative port used by kmpstat.
        #strict_address;        # require that all addresses can be bound.
        adminsock "/var/run/racoon/racoon.sock" "root" "users" 660;
    }

    # Default values of the various timers.
    timer
    {
        # These values can be changed per remote node.
        counter 5;              # maximum number of retransmissions.
        interval 20 sec;        # maximum interval between retransmissions.
        persend 1;              # number of packets per send.
        # time allowed to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
    }

    remote anonymous            # phase 1 negotiation, accepted from any peer
    {
        exchange_mode main;     # main: main mode; aggressive: aggressive mode.
                                # Keep main mode with a PSK: aggressive mode sends the
                                # identity in the clear and exposes a hash that can be
                                # cracked offline.
        lifetime time 24 hour;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 1;
        }
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group 1;
        }
    }

    sainfo anonymous            # phase 2 negotiation
    {
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
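    The proposals above negotiate 3DES, MD5 or SHA-1, and dh_group 1 (768-bit MODP), all of which are now considered weak: group 1 is within reach of precomputation attacks, MD5 is not collision resistant, and 3DES has a 64-bit block. The following remote and sainfo blocks are a hardened replacement added here as an example; they are not part of the original post. They assume an ipsec-tools 0.8 racoon, whose racoon.conf(5) accepts the aes, sha256, dh_group 14 and hmac_sha256 keywords, and are written from A's point of view (on B the remote address is 192.168.59.132):

```conf
# Hardened phase-1 / phase-2 settings for the two-host transport-mode setup.
# Added example; keyword names as in racoon.conf(5) for ipsec-tools 0.8.

remote 192.168.59.133            # name the peer instead of "anonymous":
{                                # only this address may negotiate with us
        exchange_mode main;      # never aggressive with a PSK (offline-crackable hash)
        lifetime time 8 hour;
        verify_identifier on;    # the peer's ID payload must match this block
        proposal {
                encryption_algorithm aes 256;   # AES-256 instead of 3DES
                hash_algorithm sha256;          # instead of md5 / sha1
                authentication_method pre_shared_key;
                dh_group 14;                    # 2048-bit MODP instead of group 1 (768-bit)
        }
}

sainfo anonymous
{
        pfs_group 14;            # phase-2 PFS with the same 2048-bit group
        lifetime time 1 hour;    # shorter SA lifetime, more frequent rekey
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;   # ESP integrity; never null / non_auth
        compression_algorithm deflate;
}
```

    The path, log, padding, listen and timer sections stay as in the original file. If a peer is negotiating with an older racoon that lacks these keywords, it will fail phase 1 rather than silently fall back, which is the behaviour you want; add a second, weaker proposal only for a peer you have explicitly identified.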

    4)        Load the policies with setkey -f /etc/racoon/setkey.conf, then start the IKE daemon with /usr/sbin/racoon -f /etc/racoon/racoon.conf (add -F to keep it in the foreground so that its log stays on the terminal). racoon only negotiates when the kernel asks for an SA for a packet that matches a loaded policy, so the SPD has to be in place before any traffic is sent.

    5)        From A, ping B. A capture on the wire shows the IKE exchange first; once negotiation completes, the traffic appears as ESP packets and the ping succeeds.

    4 Manual configuration
    1)        setkey.conf settings:

    On A, setkey.conf contains:

        flush;
        spdflush;
        add 192.168.59.132 192.168.59.133 esp 24501 -E 3des-cbc "123456789012123456789012";
        add 192.168.59.133 192.168.59.132 esp 24502 -E 3des-cbc "123456789012123456789012";
        spdadd 192.168.59.132 192.168.59.133 any -P out ipsec esp/transport//require;
        spdadd 192.168.59.133 192.168.59.132 any -P in ipsec esp/transport//require;

    On B, setkey.conf contains:

        flush;
        spdflush;
        add 192.168.59.132 192.168.59.133 esp 24501 -E 3des-cbc "123456789012123456789012";
        add 192.168.59.133 192.168.59.132 esp 24502 -E 3des-cbc "123456789012123456789012";
        spdadd 192.168.59.132 192.168.59.133 any -P in ipsec esp/transport//require;
        spdadd 192.168.59.133 192.168.59.132 any -P out ipsec esp/transport//require;

    The add lines are the SAD: one SA per direction, each with its own SPI (24501 and 24502) and a 24-byte (192-bit) 3DES key given as a quoted string. The SAD entries must be identical on both hosts; only the policy directions differ. Note that these SAs specify no -A authentication algorithm, so the ESP packets are encrypted but carry no integrity check, and a quoted ASCII key like this one is far weaker than 192 random bits.

    2)        Run setkey -f /etc/racoon/setkey.conf on each host;

    3)        From A, ping B. A capture on the wire shows ESP packets immediately (there is no IKE exchange), and the ping succeeds.
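    Both procedures above (IKE in section 3 and manual keying in section 4) produce per-host files that differ only in the in/out direction of the policies, and the manual variant needs keys that nobody should be typing by hand. The script below is an added example, not part of the original post: it derives each host's setkey.conf from LOCAL and PEER so that A's and B's files cannot be mixed up, draws SA keys and the PSK from /dev/urandom, and uses rijndael-cbc (AES, the name used in setkey(8)) with hmac-sha256 instead of unauthenticated 3des-cbc. Only the generators need a POSIX shell; install_host is the part that must run as root on the host itself and assumes setkey and racoon are installed under those names.

```shell
#!/bin/sh
# Added example (not from the original post): generate the setkey.conf and
# psk.txt for the two-host transport-mode setup, for either the IKE or the
# manually keyed variant.  Assumes ipsec-tools' setkey/racoon on the hosts.

# NBYTES random bytes as lowercase hex, no 0x prefix.
rand_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex "$1"
    else
        od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'; echo
    fi
}

# Transport-mode ESP policies between LOCAL and PEER.  Same for both variants:
# what this host sends to the peer is "out", what it receives is "in".
# Usage: spd_lines LOCAL PEER
spd_lines() {
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# Manually keyed SA pair: one SA per direction, each with its own SPI and its
# own keys.  AES-128-CBC (16-byte key) plus HMAC-SHA256 (32-byte key), so the
# ESP packets are both encrypted and integrity-protected.  Generate ONCE and
# load the identical lines on both hosts.
# Usage: sad_lines A_IP B_IP SPI_AB SPI_BA
sad_lines() {
    k1=$(rand_hex 16); a1=$(rand_hex 32)
    k2=$(rand_hex 16); a2=$(rand_hex 32)
    printf 'add %s %s esp %s -E rijndael-cbc 0x%s -A hmac-sha256 0x%s;\n' "$1" "$2" "$3" "$k1" "$a1"
    printf 'add %s %s esp %s -E rijndael-cbc 0x%s -A hmac-sha256 0x%s;\n' "$2" "$1" "$4" "$k2" "$a2"
}

# Complete setkey.conf for one host.  MODE is "ike" (policies only; racoon
# installs the SAs) or "manual" (SAs from SAD_TEXT, then policies).
# Usage: setkey_conf MODE LOCAL PEER [SAD_TEXT]
setkey_conf() {
    printf 'flush;\nspdflush;\n'
    if [ "$1" = manual ]; then
        printf '%s\n' "$4"
    fi
    spd_lines "$2" "$3"
}

# psk.txt line for the IKE variant: the PEER's address, a tab, the secret.
# Usage: psk_line PEER SECRET
psk_line() {
    printf '%s\t%s\n' "$1" "$2"
}

# Write this host's files and load them (run as root on the host itself).
# SHARED is the PSK (ike) or the sad_lines output (manual); generate it once
# and use the same value on both hosts.
# Usage: install_host MODE LOCAL PEER SHARED
install_host() {
    dir=/etc/racoon
    umask 077
    if [ "$1" = ike ]; then
        setkey_conf ike "$2" "$3" > "$dir/setkey.conf"
        psk_line "$3" "$4" > "$dir/psk.txt"
        chmod 600 "$dir/psk.txt"
    else
        setkey_conf manual "$2" "$3" "$4" > "$dir/setkey.conf"
    fi
    setkey -f "$dir/setkey.conf"          # policies (and manual SAs) into the kernel
    if [ "$1" = ike ]; then
        racoon -F -f "$dir/racoon.conf"   # -F: foreground, log stays on the terminal
    fi
}

# Hosts of the post: A = 192.168.59.132, B = 192.168.59.133.
#   psk=$(rand_hex 32)                                            # once; copy to both hosts
#   install_host ike 192.168.59.132 192.168.59.133 "$psk"         # on A
#   install_host ike 192.168.59.133 192.168.59.132 "$psk"         # on B
#   sad=$(sad_lines 192.168.59.132 192.168.59.133 24501 24502)    # once; copy to both hosts
#   install_host manual 192.168.59.132 192.168.59.133 "$sad"      # on A
#   install_host manual 192.168.59.133 192.168.59.132 "$sad"      # on B
```

    Copy the generated secret or SAD text between the hosts over a channel you already trust (the whole point of the manual variant is that nothing negotiates the keys for you), and after loading check the result with setkey -D and setkey -DP on both sides before sending traffic.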

    5 Other
    setkey -D: show the SAD (the installed SAs, including those racoon negotiated);

    setkey -DP: show the SPD.
    ---------------------
    Author: zt698
    Source: CSDN
    Original: https://blog.csdn.net/zt698/article/details/4811604
    Copyright notice: this is the blogger's original article; please include a link to it when reposting.

  • Original post: https://www.cnblogs.com/risunlee/p/10391851.html