
在Redhat Linux 9.0系统中搭建VPN服务器



###################################################
系统环境:Redhat Linux 9.0 [ 2.4.20-8 ]
软件版本:
freeswan-2.06.tar.gz
目标功能:
网络拓扑:
ClientA[eth0]--->[eth0]ServerA[eth1]--->==Internet==--->[eth1]ServerB[eth0]--->[eth0]ClientB
网络环境[简化实验配置]:
Client A:
eth0: 172.17.17.20/24 Gateway:172.17.17.1
Server A:
eth0: 172.17.17.1
eth1: 20.0.0.1/8 Gateway:20.0.0.1
Server B:
eth0: 192.168.3.1/24
eth1: 20.0.0.2/8 Gateway:20.0.0.2
Client B:
eth0: 192.168.3.33/24 Gateway:192.168.3.1
#########################################################################################
一、编译内核[为下一步打ipsec内核补丁提供环境,如果已经有编译过的内核残码,可直接进入第二步]
# make mrproper //需在/usr/src/linux-2.4.20-8目录下执行,且必须在复制.config之前完成(mrproper会清除已有的.config)
# cp /boot/config-2.4.20-8 /usr/src/linux-2.4.20-8/.config //不对内核配置作太多细节调整,偷个懒直接使用旧的.config
# cd /usr/src/linux-2.4.20-8
# make dep && make bzImage && make modules && make modules_install
二、编译安装freeswan
# tar zxvf freeswan-2.06.tar.gz -C /usr/src/
# cd /usr/src/freeswan-2.06
# make menugo
# make kinstall
# reboot //重启后选择使用新内核进入系统
三、配置VPN
1、Server A
1> # /usr/local/sbin/ipsec showhostkey --left | tail -1 > leftrsasigkey //在20.0.0.1上导出leftrsasigkey(此为公钥,私钥保留在本机/etc/ipsec.secrets中,不要复制到对端)
2> //在20.0.0.2上生成rightrsasigkey
3> # vi /etc/ipsec.conf //加入leftrsasigkey和rightrsasigkey两个密钥内容(每个密钥须为一行不含空白的连续字符串,以各自主机showhostkey的输出为准),文件详细内容见文末
# vi /etc/ipsec.d/policies/block //使用block文件可以限制某些客户机器使用VPN网关,如不需要可以跳过此步;注意下行的/24掩码作用于整个172.17.17.0/24网段(与leftsubnet相同),若只想限制单台主机应写成/32
172.17.17.200/24
4> //复制Server A的ipsec.conf文件到Server B
5> # vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth1 -s 172.17.17.0/24 -j SNAT --to 20.0.0.1 //其它防火墙安全策略此处略过(但须保证eth1上的IKE UDP/500及ESP协议50流量不被阻断,否则隧道无法建立)
6> # chkconfig --level 2345 ipsec on
# /etc/init.d/ipsec restart
2、Server B
2> # /usr/local/sbin/ipsec showhostkey --right | tail -1 > rightrsasigkey //在20.0.0.2上导出rightrsasigkey(此为公钥,私钥保留在本机/etc/ipsec.secrets中,不要复制到对端)
4> //复制Server A的ipsec.conf文件到Server B
5> # vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth1 -s 192.168.3.0/24 -j SNAT --to 20.0.0.2 //其它防火墙安全策略此处略过(但须保证eth1上的IKE UDP/500及ESP协议50流量不被阻断,否则隧道无法建立)
6> # chkconfig --level 2345 ipsec on
# /etc/init.d/ipsec restart
3、Client A
[略]
4、Client B
[略]
四、测试
1、在Server A、Server B上
# ipsec whack --status //查看链接隧道
# route -n //检查路由表是否有到对端子网络的ipsec0路由记录
192.168.3.0 20.0.0.2 255.255.255.0 U 0 0 0 ipsec0
# ping 192.168.3.200 //ping监测到对端子网络的连通性
# ipsec auto --up lnet-rnet //手动建立隧道连接
# ipsec auto --up lnet-rgate
# ipsec auto --up lgate-rnet
# ipsec auto --up lgate-rgate
2、在Client A上ping检测到Client B的连通性
#######################################################################
附录: /etc/ipsec.conf文件 [注: 实际文件中config setup及各conn节下的参数行必须缩进,下文显示已丢失缩进;密钥须保持为一行连续字符串]
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
# Examples:
#
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/examples

version 2.0 # conforms to second version of ipsec.conf specification
config setup
interfaces=%defaultroute
conn lnet-rnet
left=20.0.0.1
leftsubnet=172.17.17.0/24

leftid=@20.0.0.1
leftrsasigkey=0sAQOATQFrFTMs3n1jm/K 7xqKMOjXKlKQQeZvE22gsju5GjeACh57tQ2zcJxtR7ilqNgRXhHFMTfJYC5N5qvuCPfIGl490JBaRqkkEiUI13sJAvktKtYdd8wY3Yy3EmTsF60XUZO6n8Pw76gyAq lxxT0e0HO0UftNC4q500JvNvzNDVlf3JaengKUlLiw1Q14jVaRd7blDyHqw486bFvX816dQfR8ZXbXieE7TL1k7DlJ4IkHSoXLCg4SYy ZFCM2FfycOJ4iwujucI7JBm90N6qo100nd0QIMoNcNxr4z85eyIBRsXzHqqYac8IQVV/cvAeufFJ3Alk AmzkFlekAiNzu5g6ApOefGdh1hdWTSC7oxAK6RbGGbwiww2Ig2m6ASewe2RPTjTAFm06Dgjgop07FfzpaRWg1f1dnRX5FyieIFq2SQWrEQrk7SYzwJ/kxq1yCAq6Bwu/nMqnoxkHISIleWXoG qgkDt9G9PkRZVUqC9IJLB s2WuBN7H/Vu9sXn NLNgstleQ==
leftnexthop=%defaultroute
right=20.0.0.2
rightsubnet=192.168.3.0/24

rightid=@20.0.0.2
rightrsasigkey=0sAQOx5W62vJqET4F8aPHo OLavUfB1UfvRSCyJSd356BNxXxMsmCnKerLact2IqwKMcCZ7WJ/x1g4Lr66t9JGjgRbSmakW87zU6bGR/nUyJJNwA7VnyuXj0xoBgTgChB91Sl65rosbaQv s1qB4j/nRGtov/0BrRwUGLBCyCTON69aZfb3Sh/ZjmQQirVb9d8Co83GhSmlX f3pK/pBNnYu4FuRynrc TkV kSFKqleHwOW5jDBNDzudXNNP3hMVZ3fpmuPySSsC4KL/V3OlVtzKRyF2QEc/q/rRZginV2Mk8WBnkoRu8MNFFWL0nvM8vJMm4D4dsZBk69/COt2xMTT/8PTO5HV4y5lcfalKGF5Evd/fI9n3/ypRG9oFmv/EF9I4wMOdw1OpoCbV5zCeCLHf8Uy2dm4ClA5SqIAa3aHCexrrod9FljpBvTIyzMR dp649TUWVIJfvGTB7fN0UYoaqpT1tWWF0vRj0KLopAI hEF8nlgmGpsn0vsPG4KeUTiHdGo8gB3aaUgCbD6yV2qBgOHKtaOz3sJI3MaruiQlC/Miqrk4nLpe 64s5lwGxnNuE/21uUQ/stryrafJjOsNVqeyK4eDn11YFJgb6PjReeAg41Rf6yLwDF KLFbyeoWMcUDWH22mzfA95K8=
rightnexthop=%defaultroute
auto=static # 注: FreeS/WAN 2.x文档中auto的取值为add/route/start/ignore,请核对static是否被本版本接受;若要像后文那样用ipsec auto --up手动建立隧道,通常使用add
conn lgate-rnet
left=20.0.0.1

leftid=@20.0.0.1
leftrsasigkey=0sAQOATQFrFTMs3n1jm/K 7xqKMOjXKlKQQeZvE22gsju5GjeACh57tQ2zcJxtR7ilqNgRXhHFMTfJYC5N5qvuCPfIGl490JBaRqkkEiUI13sJAvktKtYdd8wY3Yy3EmTsF60XUZO6n8Pw76gyAq lxxT0e0HO0UftNC4q500JvNvzNDVlf3JaengKUlLiw1Q14jVaRd7blDyHqw486bFvX816dQfR8ZXbXieE7TL1k7DlJ4IkHSoXLCg4SYy ZFCM2FfycOJ4iwujucI7JBm90N6qo100nd0QIMoNcNxr4z85eyIBRsXzHqqYac8IQVV/cvAeufFJ3Alk AmzkFlekAiNzu5g6ApOefGdh1hdWTSC7oxAK6RbGGbwiww2Ig2m6ASewe2RPTjTAFm06Dgjgop07FfzpaRWg1f1dnRX5FyieIFq2SQWrEQrk7SYzwJ/kxq1yCAq6Bwu/nMqnoxkHISIleWXoG qgkDt9G9PkRZVUqC9IJLB s2WuBN7H/Vu9sXn NLNgstleQ==
right=20.0.0.2

rightid=@20.0.0.2
rightrsasigkey=0sAQOx5W62vJqET4F8aPHo OLavUfB1UfvRSCyJSd356BNxXxMsmCnKerLact2IqwKMcCZ7WJ/x1g4Lr66t9JGjgRbSmakW87zU6bGR/nUyJJNwA7VnyuXj0xoBgTgChB91Sl65rosbaQv s1qB4j/nRGtov/0BrRwUGLBCyCTON69aZfb3Sh/ZjmQQirVb9d8Co83GhSmlX f3pK/pBNnYu4FuRynrc TkV kSFKqleHwOW5jDBNDzudXNNP3hMVZ3fpmuPySSsC4KL/V3OlVtzKRyF2QEc/q/rRZginV2Mk8WBnkoRu8MNFFWL0nvM8vJMm4D4dsZBk69/COt2xMTT/8PTO5HV4y5lcfalKGF5Evd/fI9n3/ypRG9oFmv/EF9I4wMOdw1OpoCbV5zCeCLHf8Uy2dm4ClA5SqIAa3aHCexrrod9FljpBvTIyzMR dp649TUWVIJfvGTB7fN0UYoaqpT1tWWF0vRj0KLopAI hEF8nlgmGpsn0vsPG4KeUTiHdGo8gB3aaUgCbD6yV2qBgOHKtaOz3sJI3MaruiQlC/Miqrk4nLpe 64s5lwGxnNuE/21uUQ/stryrafJjOsNVqeyK4eDn11YFJgb6PjReeAg41Rf6yLwDF KLFbyeoWMcUDWH22mzfA95K8=
rightsubnet=192.168.3.0/24
auto=static
conn lnet-rgate
left=20.0.0.1

leftid=@20.0.0.1
leftrsasigkey=0sAQOATQFrFTMs3n1jm/K 7xqKMOjXKlKQQeZvE22gsju5GjeACh57tQ2zcJxtR7ilqNgRXhHFMTfJYC5N5qvuCPfIGl490JBaRqkkEiUI13sJAvktKtYdd8wY3Yy3EmTsF60XUZO6n8Pw76gyAq lxxT0e0HO0UftNC4q500JvNvzNDVlf3JaengKUlLiw1Q14jVaRd7blDyHqw486bFvX816dQfR8ZXbXieE7TL1k7DlJ4IkHSoXLCg4SYy ZFCM2FfycOJ4iwujucI7JBm90N6qo100nd0QIMoNcNxr4z85eyIBRsXzHqqYac8IQVV/cvAeufFJ3Alk AmzkFlekAiNzu5g6ApOefGdh1hdWTSC7oxAK6RbGGbwiww2Ig2m6ASewe2RPTjTAFm06Dgjgop07FfzpaRWg1f1dnRX5FyieIFq2SQWrEQrk7SYzwJ/kxq1yCAq6Bwu/nMqnoxkHISIleWXoG qgkDt9G9PkRZVUqC9IJLB s2WuBN7H/Vu9sXn NLNgstleQ==
leftsubnet=172.17.17.0/24
right=20.0.0.2

rightid=@20.0.0.2
rightrsasigkey=0sAQOx5W62vJqET4F8aPHo OLavUfB1UfvRSCyJSd356BNxXxMsmCnKerLact2IqwKMcCZ7WJ/x1g4Lr66t9JGjgRbSmakW87zU6bGR/nUyJJNwA7VnyuXj0xoBgTgChB91Sl65rosbaQv s1qB4j/nRGtov/0BrRwUGLBCyCTON69aZfb3Sh/ZjmQQirVb9d8Co83GhSmlX f3pK/pBNnYu4FuRynrc TkV kSFKqleHwOW5jDBNDzudXNNP3hMVZ3fpmuPySSsC4KL/V3OlVtzKRyF2QEc/q/rRZginV2Mk8WBnkoRu8MNFFWL0nvM8vJMm4D4dsZBk69/COt2xMTT/8PTO5HV4y5lcfalKGF5Evd/fI9n3/ypRG9oFmv/EF9I4wMOdw1OpoCbV5zCeCLHf8Uy2dm4ClA5SqIAa3aHCexrrod9FljpBvTIyzMR dp649TUWVIJfvGTB7fN0UYoaqpT1tWWF0vRj0KLopAI hEF8nlgmGpsn0vsPG4KeUTiHdGo8gB3aaUgCbD6yV2qBgOHKtaOz3sJI3MaruiQlC/Miqrk4nLpe 64s5lwGxnNuE/21uUQ/stryrafJjOsNVqeyK4eDn11YFJgb6PjReeAg41Rf6yLwDF KLFbyeoWMcUDWH22mzfA95K8=
auto=static

conn lgate-rgate
left=20.0.0.1

leftid=@20.0.0.1
leftrsasigkey=0sAQOATQFrFTMs3n1jm/K 7xqKMOjXKlKQQeZvE22gsju5GjeACh57tQ2zcJxtR7ilqNgRXhHFMTfJYC5N5qvuCPfIGl490JBaRqkkEiUI13sJAvktKtYdd8wY3Yy3EmTsF60XUZO6n8Pw76gyAq lxxT0e0HO0UftNC4q500JvNvzNDVlf3JaengKUlLiw1Q14jVaRd7blDyHqw486bFvX816dQfR8ZXbXieE7TL1k7DlJ4IkHSoXLCg4SYy ZFCM2FfycOJ4iwujucI7JBm90N6qo100nd0QIMoNcNxr4z85eyIBRsXzHqqYac8IQVV/cvAeufFJ3Alk AmzkFlekAiNzu5g6ApOefGdh1hdWTSC7oxAK6RbGGbwiww2Ig2m6ASewe2RPTjTAFm06Dgjgop07FfzpaRWg1f1dnRX5FyieIFq2SQWrEQrk7SYzwJ/kxq1yCAq6Bwu/nMqnoxkHISIleWXoG qgkDt9G9PkRZVUqC9IJLB s2WuBN7H/Vu9sXn NLNgstleQ==
right=20.0.0.2

rightid=@20.0.0.2
rightrsasigkey=0sAQOx5W62vJqET4F8aPHo OLavUfB1UfvRSCyJSd356BNxXxMsmCnKerLact2IqwKMcCZ7WJ/x1g4Lr66t9JGjgRbSmakW87zU6bGR/nUyJJNwA7VnyuXj0xoBgTgChB91Sl65rosbaQv s1qB4j/nRGtov/0BrRwUGLBCyCTON69aZfb3Sh/ZjmQQirVb9d8Co83GhSmlX f3pK/pBNnYu4FuRynrc TkV kSFKqleHwOW5jDBNDzudXNNP3hMVZ3fpmuPySSsC4KL/V3OlVtzKRyF2QEc/q/rRZginV2Mk8WBnkoRu8MNFFWL0nvM8vJMm4D4dsZBk69/COt2xMTT/8PTO5HV4y5lcfalKGF5Evd/fI9n3/ypRG9oFmv/EF9I4wMOdw1OpoCbV5zCeCLHf8Uy2dm4ClA5SqIAa3aHCexrrod9FljpBvTIyzMR dp649TUWVIJfvGTB7fN0UYoaqpT1tWWF0vRj0KLopAI hEF8nlgmGpsn0vsPG4KeUTiHdGo8gB3aaUgCbD6yV2qBgOHKtaOz3sJI3MaruiQlC/Miqrk4nLpe 64s5lwGxnNuE/21uUQ/stryrafJjOsNVqeyK4eDn11YFJgb6PjReeAg41Rf6yLwDF KLFbyeoWMcUDWH22mzfA95K8=
auto=static
################################## The End ##############################################

