FreeS/WAN
 
建置Net-to-Net

前題:於內部網路測式

Fedora Linux 2.4.22-1.2115.nptl

套件: freeswan-module-2.06_2.4.22_1.2115.nptl-0.i386.rpm
          freeswan-userland-2.06_2.4.22_1.2115.nptl-0.i386.rpm
 
架構:
                        Local                                                                       Remote

Firewall 、 Nat:

Get Key
1. 取Left的Key
      ipsec showhostkey –left
   取整個 “leftrsasigkey=xxx”值
 
2. 取Right的Key
      ssh right
      ipsec showhostkey –right
   取整個 “rightrsasigkey=xxx”值
 
編輯設定檔 (Left與Right的設定檔內容相同)
vi /etc/ipsec.conf

啟動連線
   ipsec auto –up net

開機時啟動連線
設定檔為auto=start

遇到問題:
1. 當interfaces=”ipsec0=eht0”,沒加這設定時,啟動ipsec時,內部PC(10.2.2.2)是無ping到外面(如168.95.1.1)的。
2. 而當我加了interfaces=”ipsec0=eht0”時,ipsec啟動,內部PC可ping到    外面(如168.95.1.1),但vpn卻無法啟動,出現021 no connection named "net"訊息,    原因在於leftnexthop設成defaultroute,必須把它設成gateway ip(192.168.1.254)。
 
加入interfaces=”ipsec0=eht0”,routing table的情況。

沒加入interfaces=”ipsec0=eht0”,routing table的情況。

測式:
互ping 10.1.1.0/24 和 10.2.2.0/24 內部PC,如10.1.1.2 or 10.2.2.2互ping。

解說:
10.1.1.0/24                        # left subnet
        |
10.1.1.254
Left-gateway
202.133.227.30                 # left
        |
202.133.227.25                 # left next hop
    Internet
211.23.5.33                       # right next hop
        |
211.23.5.62                       # right
Right-gateway
192.168.1.254
        |
192.168.1.0/24                  # right subnet

 

附註1:

# Do not MASQ or NAT packets to be tunneled

iptables –t nat –A POSTROUTING –s 10.1.1.0/24 –d ! 192.168.1.0/24 –j MASQUERADE

      此規則必在 nat rule 的最上方

附註2:
   內部的gateway實際上是可ping的到的。
 

[Q1:] [root@localhost freeswan-2.06]# make programs

make[1]: Entering directory `/root/freeswan-2.06/doc'
make[1]: Nothing to be done for `programs'.
make[1]: Leaving directory `/root/freeswan-2.06/doc'
make[1]: Entering directory `/root/freeswan-2.06/lib'
make[2]: Entering directory `/root/freeswan-2.06/lib/libfreeswan'
cc -I. -I../../linux/net/ipsec -I../../linux/include -I../.. -g -O3 -Wall -Wpointer-arith -Wcast-qual -Wstrict-prototypes -Wbad-function-cast -c -o pfkey_v2_parse.o ../../linux/net/ipsec/pfkey_v2_parse.c
In file included from ../../linux/net/ipsec/pfkey_v2_parse.c:64:
../../programs/pluto/defs.h:92:17: gmp.h: No such file or directory
In file included from ../../linux/net/ipsec/pfkey_v2_parse.c:64:
../../programs/pluto/defs.h:94: error: syntax error before '*' token
../../programs/pluto/defs.h:94: warning: function declaration isn't a prototype
../../programs/pluto/defs.h:95: warning: type defaults to `int' in declaration of `MP_INT'
../../programs/pluto/defs.h:95: error: syntax error before '*' token
../../programs/pluto/defs.h:95: warning: function declaration isn't a prototype
make[2]: *** [pfkey_v2_parse.o] Error 1
make[2]: Leaving directory `/root/freeswan-2.06/lib/libfreeswan'
make[1]: *** [programs] Error 1
make[1]: Leaving directory `/root/freeswan-2.06/lib'
make: *** [programs] Error 1

[A1:] Apt-get install gmp-devel

[Q2:] ipsec showhostkey –left

ipsec showhostkey: file `/etc/ipsec.secrets' does not exist

[A3:] ipsec newhostkey > /etc/ipsec.secrets
        chmod 600 /etc/ipsec.secrets
 
[Q4:] ipsec_setup: WARNING: setkey not found.
 
[A5:]

the setkey command from the ipsec-tools package is
required. It is available from
 
http://sourceforge.net/projects/ipsec-tools/
 
In order to compile and install the userland programs, change into the
FreeS/WAN top source directory and type
 
make programs
 
followed by
 
make install.
 
With the introduction of the protocol and port selectors in version 0.9.16
it is now also necessary to recompile the kernel part of FreeS/WAN. If
you want to build KLIPS as a module then you can do this with the command
 
make module
 
After successful module compilation, copy the module
 
/usr/src/linux/net/ipsec/ipsec.o
 
into the directory
 
/lib/modules/<kernel version>/kernel/net
 
As a last step you must restart IPsec to enable the X.509 features
 
ipsec setup restart
最後修改日期: 2006 年 11 月 14 日

作者

留言

撰寫回覆或留言

發佈留言必須填寫的電子郵件地址不會公開。