Configuring a VPN service with Openswan

→ server2 ←—→ client2

10.2 22.210(10.1) 22.199(20.1) 20.2

Install Openswan (IPsec) on the server:

vim /etc/sysctl.conf
# enable forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"=0"}' >> /etc/sysctl.conf   # disable ICMP redirects
/sbin/sysctl -p
setenforce 0
yum install openswan lsof

# ipsec --version
Linux Openswan U2.6.32/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.

# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-431.el6.x86_64...

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Configure IPsec

# vim /etc/ipsec.conf
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    nhelpers=0

conn net-to-net
    authby=secret
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    left=192.168.22.210
    leftsubnet=192.168.10.1/24
    right=192.168.22.199
    rightsubnet=192.168.20.1/24
    forceencaps=yes
    dpddelay=1
    dpdtimeout=3
    dpdaction=restart
    auto=start
    #sha2_truncbug=yes
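A small offline lint for conn sections like the one above, added here as an example (it is not part of the original page or of Openswan): it flags proposal tokens found in a locally chosen weak list and subnets written with host bits set, such as 192.168.10.1/24. The function names, the WEAK set and the "legacy" conn are assumptions made up for illustration.

```python
import ipaddress
import re

# Tokens treated as weak here: an assumption of this example, not an Openswan list.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}

# Constructed sample: "net-to-net" carries the page's values, "legacy" is made up.
SAMPLE = """\
config setup
    protostack=netkey
conn net-to-net
    ike=aes256-sha2_256;modp2048
    leftsubnet=192.168.10.1/24
    rightsubnet=192.168.20.1/24
conn legacy
    ike=3des-md5;modp1024
    leftsubnet=10.0.1.0/24
"""

def parse_conns(text):
    """Return {conn name: {option: value}} from ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():  # section headers start in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint_conn(name, opts):
    """List weak proposal tokens and subnets written with host bits set."""
    findings = []
    for key in ("ike", "phase2alg"):
        tokens = set(re.split(r"[-;,]", opts.get(key, "").lower()))
        findings += [f"{name}: {key} uses {t}" for t in sorted(tokens & WEAK)]
    for key in ("leftsubnet", "rightsubnet"):
        try:
            net = ipaddress.ip_network(opts.get(key, ""), strict=False)
        except ValueError:  # option absent or not a plain CIDR value
            continue
        if str(net) != opts[key]:
            findings.append(f"{name}: {key}={opts[key]} has host bits set, network is {net}")
    return findings

if __name__ == "__main__":
    for conn_name, conn_opts in parse_conns(SAMPLE).items():
        print(*lint_conn(conn_name, conn_opts), sep="\n")
```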
