Installing Openswan 2.6.28 from source on CentOS 5.4

# uname -r
2.6.18-164.el5

I. Download openswan

Download the current latest version, 2.6.28, from the official website.

# tar xzvf openswan-2.6.28.tar.gz
# cd openswan-2.6.28

II. Install the dependencies

See the README in the openswan source directory:

There a few packages required for Openswan to compile:

1. libgmp + libgmp-devel headers. (GNU Math Precision Library)

2. gawk, flex and bison (usually included in all distributions)

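gawk, flex and bison are fairly easy to install: gawk is installed by default, and flex and bison can be installed with yum. libgmp is a little more trouble. I first downloaded gmp-5.0.1.tar.gz, but starting the openswan service then failed with an error (libgmp.so.10), so I had to remove it. Later I found the matching RPM packages on the CentOS installation disc.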

# rpm -ivh gmp-4.1.4-10.el5.i386.rpm
Preparing... ########################################### [100%]
package gmp-4.1.4-10.el5.i386 is already installed

# rpm -ivh gmp-devel-4.1.4-10.el5.i386.rpm
Preparing... ########################################### [100%]
1:gmp-devel ########################################### [100%]

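III. Install openswan

# make programs
# make install

After a successful install, the ipsec.conf configuration file and the ipsec.d directory are created under /etc/, the ipsec executable is installed in /usr/local/sbin, and the ipsec shell script is created under /etc/init.d/.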

IV. Basic openswan operations

1. Check the current openswan version

# ipsec --version
Linux Openswan U2.6.28/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.

2. The ipsec service

# service ipsec start

# service ipsec restart

# service ipsec stop

3. Verify that openswan is installed correctly

# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.18-164.el5 (netkey)
Checking for IPsec support in kernel [OK]
Testing against enforced SElinux mode [FAILED]

SElinux is running in 'enforced' mode. If you encounter network related SElinux errors, especially when using KLIPS, try disabling SElinux using:

echo "0" > /selinux/enforce (or edit /etc/sysconfig/selinux)

NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

(1) Disable SELinux

# vim /etc/sysconfig/selinux

Set SELINUX=disabled

# setenforce 0

(2) Disable ICMP send_redirects and accept_redirects

You can write a shell script that disables /proc/sys/net/ipv4/conf/*/send_redirects and /proc/sys/net/ipv4/conf/*/accept_redirects.

(3) Enable ip_forward

# vim /etc/sysctl.conf

Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1

# sysctl -p
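
For step (2) above, one way to write that script. This is an added example, not from the original post; the function names and the optional directory argument are assumptions of the example, the latter so the functions can be tried on a scratch tree before touching /proc.

```shell
#!/bin/sh
# Added example: turn off ICMP redirects on every interface entry named in
# the `ipsec verify` messages. The directory argument is an assumption of
# this example; it lets the functions run against a scratch tree.
CONF_ROOT_DEFAULT=/proc/sys/net/ipv4/conf

# disable_redirects [conf_root]
# Writes 0 to send_redirects and accept_redirects in each interface
# directory (all, default, lo, eth0, ...). Returns 1 if any write failed.
disable_redirects() {
    root=${1:-$CONF_ROOT_DEFAULT}
    rc=0
    for f in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        [ -e "$f" ] || continue    # glob matched nothing
        if ! { echo 0 > "$f"; } 2>/dev/null; then
            echo "cannot write $f (are you root?)" >&2
            rc=1
        fi
    done
    return $rc
}

# count_enabled_redirects [conf_root]
# Prints how many of those entries are still non-zero; 0 means every
# entry named in the verify messages is off.
count_enabled_redirects() {
    root=${1:-$CONF_ROOT_DEFAULT}
    n=0
    for f in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        [ -e "$f" ] || continue
        v=$(cat "$f")
        [ "$v" = "0" ] || n=$((n + 1))
    done
    echo "$n"
}

# Touch the live system only when asked: sh disable_redirects.sh --apply
if [ "${1:-}" = "--apply" ]; then
    disable_redirects && echo "still enabled: $(count_enabled_redirects)"
fi
```

Values written under /proc are lost at reboot, so call the script from a boot script such as /etc/rc.local, or set the matching net.ipv4.conf.<interface>.send_redirects and accept_redirects keys to 0 in /etc/sysctl.conf.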

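4. Configuration files

(1) Main configuration file (/etc/ipsec.conf)

View the ipsec.conf configuration help:

# man 5 ipsec.conf

(2) Secrets (key) configuration file (/etc/ipsec.secrets)

View the ipsec.secrets configuration help:

# man 5 ipsec.secrets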
