FreeS/WAN
Building a Net-to-Net connection
Premise: tested on an internal network
Fedora Linux 2.4.22-1.2115.nptl
Packages: freeswan-module-2.06_2.4.22_1.2115.nptl-0.i386.rpm
freeswan-userland-2.06_2.4.22_1.2115.nptl-0.i386.rpm
Architecture: Local / Remote (diagram not preserved)
Firewall and NAT: (diagram not preserved)
Get the keys
1. Get Left's key
ipsec showhostkey --left
Take the whole "leftrsasigkey=xxx" value
2. Get Right's key
ssh right
ipsec showhostkey --right
Take the whole "rightrsasigkey=xxx" value
Edit the configuration file (the Left and Right configuration files have identical contents)
vi /etc/ipsec.conf
Bring up the connection
ipsec auto --up net
Bring up the connection at boot
Set auto=start in the configuration file
Problems encountered:
1. When interfaces="ipsec0=eth0" was not set, after starting ipsec the internal PC (10.2.2.2) could not ping the outside (e.g. 168.95.1.1).
2. When I added interfaces="ipsec0=eth0", ipsec started and the internal PC could ping the outside (e.g. 168.95.1.1), but the VPN could not be brought up and the message 021 no connection named "net" appeared. The cause was that leftnexthop was set to defaultroute; it must be set to the gateway IP (192.168.1.254).
Routing table with interfaces="ipsec0=eth0" added (output not preserved).
Routing table without interfaces="ipsec0=eth0" (output not preserved).
Test:
Ping between the internal PCs of 10.1.1.0/24 and 10.2.2.0/24, e.g. 10.1.1.2 and 10.2.2.2 pinging each other.
Explanation:
10.1.1.0/24 # left subnet
|
10.1.1.254
Left-gateway
202.133.227.30 # left
|
202.133.227.25 # left next hop
Internet
211.23.5.33 # right next hop
|
211.23.5.62 # right
Right-gateway
192.168.1.254
|
192.168.1.0/24 # right subnet
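As an added example (not from the original notes), here is an /etc/ipsec.conf for the "net" connection that the steps above edit, filled in with the addresses from the diagram; the RSA keys are placeholders to be replaced with the output of ipsec showhostkey, and the debug and uniqueids settings are assumed defaults.

```ini
# /etc/ipsec.conf (FreeS/WAN 2.06) - identical file on both gateways
version 2.0

config setup
        # bind KLIPS to the external interface; without this line the
        # internal hosts could not reach the outside in the test above
        interfaces="ipsec0=eth0"
        # assumed defaults
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

conn net
        # addresses taken from the explanation diagram
        left=202.133.227.30
        leftsubnet=10.1.1.0/24
        # explicit next-hop address instead of %defaultroute
        leftnexthop=202.133.227.25
        # placeholder: paste the value printed by "ipsec showhostkey --left"
        leftrsasigkey=0sLEFT_KEY_PLACEHOLDER
        right=211.23.5.62
        rightsubnet=192.168.1.0/24
        rightnexthop=211.23.5.33
        # placeholder: paste the value printed by "ipsec showhostkey --right"
        rightrsasigkey=0sRIGHT_KEY_PLACEHOLDER
        # authenticate with the RSA keys above, not a shared secret
        authby=rsasig
        # bring the tunnel up when ipsec starts at boot
        auto=start
```

Pluto works out which side it is by matching left and right against its own interface addresses, which is why the identical file works on both gateways.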
Note 1:
# Do not MASQ or NAT packets to be tunneled
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -d ! 192.168.1.0/24 -j MASQUERADE
This rule must be at the top of the nat rules.
Note 2:
The internal gateway is in fact reachable by ping.
[Q1:] [root@localhost freeswan-2.06]# make programs
make[1]: Entering directory `/root/freeswan-2.06/doc'
make[1]: Nothing to be done for `programs'.
make[1]: Leaving directory `/root/freeswan-2.06/doc'
make[1]: Entering directory `/root/freeswan-2.06/lib'
make[2]: Entering directory `/root/freeswan-2.06/lib/libfreeswan'
cc -I. -I../../linux/net/ipsec -I../../linux/include -I../.. -g -O3 -Wall -Wpointer-arith -Wcast-qual -Wstrict-prototypes -Wbad-function-cast -c -o pfkey_v2_parse.o ../../linux/net/ipsec/pfkey_v2_parse.c
In file included from ../../linux/net/ipsec/pfkey_v2_parse.c:64:
../../programs/pluto/defs.h:92:17: gmp.h: No such file or directory
In file included from ../../linux/net/ipsec/pfkey_v2_parse.c:64:
../../programs/pluto/defs.h:94: error: syntax error before '*' token
../../programs/pluto/defs.h:94: warning: function declaration isn't a prototype
../../programs/pluto/defs.h:95: warning: type defaults to `int' in declaration of `MP_INT'
../../programs/pluto/defs.h:95: error: syntax error before '*' token
../../programs/pluto/defs.h:95: warning: function declaration isn't a prototype
make[2]: *** [pfkey_v2_parse.o] Error 1
make[2]: Leaving directory `/root/freeswan-2.06/lib/libfreeswan'
make[1]: *** [programs] Error 1
make[1]: Leaving directory `/root/freeswan-2.06/lib'
make: *** [programs] Error 1
[A1:] apt-get install gmp-devel
[Q2:] ipsec showhostkey --left
ipsec showhostkey: file `/etc/ipsec.secrets' does not exist
[A2:] ipsec newhostkey > /etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets
[Q3:] ipsec_setup: WARNING: setkey not found.
[A3:]
the setkey command from the ipsec-tools package is
required. It is available from
http://sourceforge.net/projects/ipsec-tools/
In order to compile and install the userland programs, change into the
FreeS/WAN top source directory and type
make programs
followed by
make install.
With the introduction of the protocol and port selectors in version 0.9.16
it is now also necessary to recompile the kernel part of FreeS/WAN. If
you want to build KLIPS as a module then you can do this with the command
make module
After successful module compilation, copy the module
/usr/src/linux/net/ipsec/ipsec.o
into the directory
/lib/modules/<kernel version>/kernel/net
As a last step you must restart IPsec to enable the X.509 features
ipsec setup restart