4. Below we give the RoadWarrior configuration using certificates
#RoadWarrior(right)
conn road
    left=192.168.32.30
    leftnexthop=%defaultroute
    leftcert=vpn.pem
    leftid=@vpn
    right=192.168.32.29
    rightcert=ora92.pem
    rightsubnet=172.16.50.0/24
    rightid=@ora92
    pfs=yes
    auto=start
#Host(ora92)
conn road
    left=192.168.32.29
    leftcert=ora92.pem
    leftsubnet=172.16.50.0/24
    leftid=@ora92
    rightnexthop=%defaultroute
    right=%any
    rightcert=vpn.pem
    rightid=@vpn
    pfs=yes
    auto=start
After applying the configuration above, test from the right host:
vpn# ping 172.16.50.18
5. Net-to-Net configuration with pre-shared key authentication
1. Configure /etc/ipsec.conf (the ipsec.conf is identical on the left and right gateways)
version 2.0
config setup
    nat_traversal=yes
    nhelpers=0
include /etc/ipsec.d/examples/no_oe.conf
conn net
    auto=start
    right=192.168.32.30
    compress=no
    pfs=no
    left=192.168.32.29
    authby=secret
    ikelifetime=3600
    keylife=28800
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    rekey=yes
    keyingtries=0
    rightsubnet=172.16.40.0/24
    leftsubnet=172.16.50.0/24
2. Edit /etc/ipsec.secrets and add the following line on both gateways:
192.168.32.29 192.168.32.30 : PSK "123456"
123456 is the pre-shared key.
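As an added example (not code from the original article), a small Python checker for the two-ended conn blocks in sections 4 and 5: it parses each gateway's conn, mirrors left and right, reports every value the two ends disagree on, and rejects subnets that are not strict CIDR blocks, since the abbreviated form 172.16.50/24 is easy to mistype. The sample blocks are constructed from the page's values, with that abbreviated subnet planted on the host side so the checker has something to flag.

```python
import ipaddress
# Constructed sample input: the two "conn road" blocks from the page (pfs/auto omitted); the host side carries an abbreviated subnet to flag.
ROADWARRIOR_CONF = """conn road
left=192.168.32.30
leftnexthop=%defaultroute
leftcert=vpn.pem
leftid=@vpn
right=192.168.32.29
rightcert=ora92.pem
rightsubnet=172.16.50.0/24
rightid=@ora92"""
HOST_CONF = """conn road
left=192.168.32.29
leftcert=ora92.pem
leftsubnet=172.16.50/24
leftid=@ora92
rightnexthop=%defaultroute
right=%any
rightcert=vpn.pem
rightid=@vpn"""

def parse_conn(text):
    """Parse the key=value lines of one conn block into a dict (comments and the header are skipped)."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return dict(l.split("=", 1) for l in lines if "=" in l)

def swap_sides(conn):
    """Rename left* to right* and vice versa: the conn as its peer should have written it."""
    flip = lambda k: ("right" + k[4:] if k.startswith("left")
                      else "left" + k[5:] if k.startswith("right") else k)
    return {flip(k): v for k, v in conn.items()}

def check_pair(a, b):
    """List disagreements between the two ends of one conn (%any matches anything; nexthop is per-end)."""
    problems = []
    mirrored = swap_sides(b)
    for k in sorted(set(a) | set(mirrored)):
        va, vb = a.get(k), mirrored.get(k)
        if k.endswith("nexthop") or None in (va, vb) or va == vb or "%any" in (va, vb):
            continue
        problems.append(f"{k}: {va} (this end) vs {vb} (peer)")
    for k in ("leftsubnet", "rightsubnet"):
        for net in (a.get(k), mirrored.get(k)):
            try:
                if net is not None:
                    ipaddress.ip_network(net, strict=True)  # rejects 172.16.50/24 and /44
            except ValueError:
                problems.append(f"{k}: {net!r} is not a valid CIDR block")
    return problems
```

Run check_pair(parse_conn(ROADWARRIOR_CONF), parse_conn(HOST_CONF)) before starting the tunnel; an empty list means the two ends agree.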
6. Using IPsec together with L2TP
1. Edit /etc/ipsec.conf and add:
conn L2TP
    auto=start
    right=192.168.32.29
    rightnexthop=%defaultroute
    compress=no
    pfs=no
    left=%any
    authby=secret
    ikelifetime=3600
    keylife=28800
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    rekey=yes
    keyingtries=0
    rightprotoport=UDP/0
    leftprotoport=UDP/1701
2. Edit /etc/ipsec.secrets and add the following line:
192.168.32.29 %any : PSK "abcd1234"
abcd1234 is the pre-shared key.
3. Create the file /etc/ppp/options.l2tp with the following contents:
ipcp-accept-local
ipcp-accept-remote
#ms-dns 202.106.0.20
#ms-dns 202.106.196.115
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
nologfd
4. Edit /etc/ppp/chap-secrets and add:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
netsword        *       xiaobai                 *
5. Edit /etc/l2tp/l2tp.conf and add (ip range is the address pool handed to dial-in clients):
[global]
auth file = /etc/ppp/chap-secrets
[lns default]
exclusive = yes
ip range = 172.16.51.100-172.16.51.110
local ip = 192.168.32.29
length bit = yes
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.l2tp
6. Start the ipsec and l2tp services
#ipsec setup start
#/usr/local/bin/l2tp
7. Windows client configuration
Letting Windows clients connect to the Linux IPsec gateway is very useful; after all, Windows still dominates the desktop.
1) First, of course, get the Openswan host running properly. Here we use the road and road-net configurations closest to those given above. Also make sure the Windows IPSEC Services service is running.
2) Generate the certificate. Generate a new host key pair, win.pem and win.key, and then convert it into the PKCS#12 format that Windows understands:
~/ca$ openssl pkcs12 -export -in win.pem -inkey win.key -certfile demoCA/cacert.pem -out win.p12
Also obtain the root certificate's subject and write it down; it is needed below:
~/ca$ openssl x509 -in demoCA/cacert.pem -noout -subject
which prints the following:
subject= /C=CN/ST=Fujian/L=Xiamen/O=Jimei University/OU=Chengyi College/CN=jianqiu/emailAddress=jianqiu414@stu.jmu.edu.cn
3) Required tools. Download Marcus Müller's ipsec.exe tool from http://vpn.ebootis.de/package.zip and unpack it into a directory; this example uses d:\ipsec.
4) Create the required console. Run mmc -> Add/Remove Snap-in -> Add -> IP Security Policy Management -> select Local computer -> Finish; then Add/Remove Snap-in -> Add -> Certificates -> Computer account -> Local computer -> Finish.
5) Add the certificate. In the Certificates snap-in of the console just created, select Personal -> All Tasks -> Import, and import win.p12.
6) Install the IPSec tools. First install ipsecpol.exe (Windows 2000) or ipseccmd.exe (Windows XP; it is in the SUPPORT\TOOLS directory of the Windows installation CD, and you must choose the complete install in setup). http://support.microsoft.com/default.aspx?scid=kb;en-us;838079 has a note on these add-on tools for XP SP2.
Then edit d:\ipsec\ipsec.conf and put the certificate subject obtained above into rightca (it can also be viewed on the mmc Certificates page). The edited ipsec.conf looks like this:
conn roadwarrior
    left=%any
    right=192.168.49.2
    rightca="C=CN,S=Fujian,L=Xiamen,O=Jimei University,OU=Chengyi College,CN=jianqiu,E=jianqiu414@stu.jmu.edu.cn"
    network=auto
    auto=start
    pfs=yes
conn roadwarrior-net
    left=%any
    right=192.168.49.2
    rightsubnet=192.168.183.0/24
    rightca="C=CN,S=Fujian,L=Xiamen,O=Jimei University,OU=Chengyi College,CN=jianqiu,E=jianqiu414@stu.jmu.edu.cn"
    network=auto
    auto=start
    pfs=yes
If you want to encrypt all traffic to 192.168.49.2:
conn roadwarrior-all
    left=%any
    right=192.168.49.2
    rightsubnet=*
    rightca="C=CN,S=Fujian,L=Xiamen,O=Jimei University,OU=Chengyi College,CN=jianqiu,E=jianqiu414@stu.jmu.edu.cn"
    network=auto
    auto=start
    pfs=yes
Make sure rightca is not mistyped. It can be checked in the console created earlier by opening, in turn, "IP Security Policies on Local Computer" -> FreeSwan -> "roadwarrior-Host filter list" -> "Authentication Methods" -> the field under "Use a certificate from this certification authority (CA)".
Then go to the d:\tools directory and run ipsec:
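An added example, not part of the original article: a Python helper that converts the subject line OpenSSL prints into the comma-separated form ipsec.exe expects for rightca= (ST becomes S, emailAddress becomes E, slashes become commas) and then checks every conn in the Windows ipsec.conf against it, which is the rightca check described above. The sample conf is constructed, with one conn deliberately carrying the OpenSSL spelling ST; the converter also accepts the "C = CN, ST = ..." subject format newer OpenSSL releases print, which goes beyond what the page shows.

```python
import re

# Constructed sample: the subject line that "openssl x509 -in demoCA/cacert.pem -noout -subject"
# prints for the page's CA.
OPENSSL_SUBJECT = ("subject= /C=CN/ST=Fujian/L=Xiamen/O=Jimei University"
                   "/OU=Chengyi College/CN=jianqiu/emailAddress=jianqiu414@stu.jmu.edu.cn")

# Constructed Windows ipsec.conf: the second conn spells the state attribute the OpenSSL way (ST).
WINDOWS_CONF = """conn roadwarrior
\tleft=%any
\tright=192.168.49.2
\trightca="C=CN,S=Fujian,L=Xiamen,O=Jimei University,OU=Chengyi College,CN=jianqiu,E=jianqiu414@stu.jmu.edu.cn"
\tnetwork=auto
conn roadwarrior-typo
\tleft=%any
\tright=192.168.49.2
\trightca="C=CN,ST=Fujian,L=Xiamen,O=Jimei University,OU=Chengyi College,CN=jianqiu,E=jianqiu414@stu.jmu.edu.cn"
"""

# Attribute names that ipsec.exe's rightca= spells differently from OpenSSL.
RENAME = {"ST": "S", "emailAddress": "E"}

def subject_to_rightca(subject_line):
    """Turn an OpenSSL subject line into the 'K=V,K=V' string expected by rightca=."""
    dn = re.sub(r"^subject\s*=\s*", "", subject_line.strip())
    # Old OpenSSL prints "/C=CN/ST=..."; 1.1 and later print "C = CN, ST = ..."
    parts = dn.split("/") if dn.startswith("/") else dn.split(",")
    rdns = []
    for part in parts:
        key, _, value = part.partition("=")
        key = key.strip()
        if key:
            rdns.append(f"{RENAME.get(key, key)}={value.strip()}")
    return ",".join(rdns)

def rightca_mismatches(windows_conf, subject_line):
    """Return the names of conns whose rightca= does not equal the CA subject."""
    expected = subject_to_rightca(subject_line)
    bad, conn = [], None
    for line in windows_conf.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        m = re.match(r'rightca\s*=\s*"(.*)"\s*$', line)
        if m and m.group(1) != expected:
            bad.append(conn)
    return bad
```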
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Usage: Ipsec [-off] [-delete] [-debug] [-nosleep]

D:\Tools\ipsec>ipsec
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Setting up IPSec ...

Deactivating old policy...
Removing old policy...

Connection roadwarrior:
 MyTunnel     : 192.168.49.1
 MyNet        : 192.168.49.1/255.255.255.255
 PartnerTunnel: 192.168.49.2
 PartnerNet   : 192.168.49.2/255.255.255.255
 CA (ID)      : C=CN,S=Fujian,L=Xiamen,O=Jimei University,OU=Cheng...
 PFS          : y
 Auto         : start
 Auth.Mode    : MD5
 Rekeying     : 3600S/50000K
Activating policy...

Connection roadwarrior-net:
 MyTunnel     : 192.168.49.1
 MyNet        : 192.168.49.1/255.255.255.255
 PartnerTunnel: 192.168.49.2
 PartnerNet   : 192.168.183.0/255.255.255.0
 CA (ID)      : C=CN,S=Fujian,L=Xiamen,O=Jimei University,OU=Cheng...
 PFS          : y
 Auto         : start
 Auth.Mode    : MD5
 Rekeying     : 3600S/50000K
Activating policy...

d:\ipsec>ping 192.168.49.2
If you get replies after "Negotiating IP Security.", the connection has succeeded.
If the ipsec tool has problems running on your system, first confirm that rightca is not mistyped. You can also try lsipsectool.exe from the Linsys IPSec Tool project on sourceforge.net. Also, if the system is Windows XP SP2, be aware of the NAT-T issue. For details on running an IPsec client on Windows, see http://wiki.openswan.org/index.php/Win2K.