1. Environment
OS: CentOS 6.4 x86_64, minimal install
R-Server  eth0 192.168.3.72
          eth1 10.1.1.72
R-Client  eth0 10.1.1.74
L-Server  eth0 192.168.3.71
          eth1 172.16.10.71
L-Client  eth0 172.16.10.74
Note: all work on R-Client and L-Client is done over ssh through their respective gateways (R-Server and L-Server). The 192.168.3.0/24 addresses play the role of the public side of each gateway; 10.1.1.0/24 and 172.16.10.0/24 are the two private networks the tunnel joins.
2. Configure the EPEL repository and NTP time sync on R-Server and L-Server
R-Server (repeat the same commands on L-Server):
```
[root@R-Server ~]# rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Retrieving http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
warning: /var/tmp/rpm-tmp.xTUJx4: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
[root@R-Server ~]# sed -i 's@#b@b@g' /etc/yum.repos.d/epel.repo
[root@R-Server ~]# sed -i 's@mirrorlist@#mirrorlist@g' /etc/yum.repos.d/epel.repo
[root@R-Server ~]# yum -y install ntp
```
The two sed commands uncomment the baseurl= lines and comment out the mirrorlist= lines in epel.repo, so yum fetches directly from the fixed mirror instead of asking the mirror list.
Note the NOKEY warning: rpm installed epel-release without verifying its signature, because the EPEL signing key (ID 0608b895) was not yet imported, and the package arrived over plain HTTP. Import the key with rpm --import and check the package with rpm -K before installing, and leave gpgcheck=1 in epel.repo so everything installed from EPEL afterwards (openswan included) is verified. Only the ntp package install is shown here; configuring and starting ntpd so both gateways agree on the time is left to the reader.
3. System preparation before installation
Run the same steps on R-Server and L-Server.
Enable IP forwarding and disable reverse-path filtering:
```
[root@R-Server ~]# egrep "ip_forward|rp_filter" /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
```
Make sure both values are set as shown; the CentOS 6 defaults in /etc/sysctl.conf are ip_forward = 0 and default.rp_filter = 1. Note that default.rp_filter only seeds interfaces that are created later, and the kernel applies the larger of conf.all.rp_filter and conf.<iface>.rp_filter to each interface, so on a gateway whose eth0/eth1 already exist it is safer to also set net.ipv4.conf.all.rp_filter = 0 and the per-interface rp_filter keys to 0.
Disable ICMP redirects:
```
[root@R-Server ~]# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >>/etc/sysctl.conf
[root@R-Server ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
```
The pipeline takes every accept_redirects/send_redirects key the running kernel exposes (all, default, lo, eth0, eth1) and appends a "= 0" line for each to /etc/sysctl.conf; sysctl -p then applies the file and echoes every setting it loaded. A gateway that accepts ICMP redirects can have its routes rewritten by any host on the segment, and one that sends them leaks the real next hop for traffic that should stay inside the tunnel, which is why ipsec verify checks both in the next section.
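As an added example (not code from the original post), the following POSIX sh script audits an /etc/sysctl.conf-style file for the settings the steps above require, with the conf.all and per-interface rp_filter keys added on top of the post's default.rp_filter. The interface names eth0/eth1 are the lab's, and the "required" list is this example's own choice; adjust both for other hosts.

```shell
#!/bin/sh
# Added example, not from the original post: audit an /etc/sysctl.conf-style
# file for the settings a two-NIC Openswan (netkey) gateway needs.
# eth0/eth1 are the lab's interface names; change them for other hosts.

# Required key/value pairs, key and value separated by a space.  The
# conf.all.* and per-interface rp_filter entries go beyond the post's
# default.rp_filter because the kernel applies the larger of
# conf.all.rp_filter and conf.<iface>.rp_filter to each interface.
required_sysctls() {
    cat <<'EOF'
net.ipv4.ip_forward 1
net.ipv4.conf.all.rp_filter 0
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.eth0.rp_filter 0
net.ipv4.conf.eth1.rp_filter 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.eth0.accept_redirects 0
net.ipv4.conf.eth0.send_redirects 0
net.ipv4.conf.eth1.accept_redirects 0
net.ipv4.conf.eth1.send_redirects 0
EOF
}

# Print the effective value of KEY in FILE.  Comments are stripped and the
# last assignment wins, which is how sysctl -p applies the file.  Prints
# nothing when the key is absent.
conf_value() {
    key=$1; file=$2
    sed -e 's/#.*//' "$file" | awk -F '=' -v k="$key" '
        NF >= 2 {
            gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
            if ($1 == k) v = $2
        }
        END { if (v != "") print v }'
}

# Report every required key that is missing or has the wrong value, one
# problem per line; the return status is the number of problems (0 = clean).
audit_sysctl_conf() {
    file=$1; problems=0
    for pair in $(required_sysctls | tr ' ' '='); do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_value "$key" "$file")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
            problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG $key=$have (want $want)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone use: sh audit_sysctl.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    audit_sysctl_conf "$1"
fi
```

The file only matters at boot and when sysctl -p is run, so after a clean audit still compare against the live kernel with sysctl -n <key> for each entry; a value changed at runtime without being written to the file will not survive a reboot.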
4. Install Openswan
R-Server:
```
[root@R-Server ~]# yum install openswan lsof -y
# confirm the install with the following command
[root@R-Server ~]# ipsec --version
Linux Openswan U2.6.32/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.
# start ipsec
[root@R-Server ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
# check the state
[root@R-Server ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
SAref kernel support                                        [N/A]
NETKEY:  Testing for disabled ICMP send_redirects           [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [OK]
Pluto listening for NAT-T on udp 4500                       [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing                              [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
```
"K(no kernel code presently loaded)" before the service is started is normal: the netkey (XFRM) kernel modules are loaded by the init script, and the version line reads K2.6.32-358.el6.x86_64 afterwards. The two NETKEY lines and the IP-forwarding line in ipsec verify are exactly the sysctl settings made in section 3; if any of them is [FAILED], fix /etc/sysctl.conf and run sysctl -p before going on. The pluto daemon listens on UDP 500 (IKE) and UDP 4500 (NAT-T), so any firewall between 192.168.3.71 and 192.168.3.72 must allow both; with forceencaps=yes (section 5) the ESP traffic also rides inside UDP 4500, otherwise IP protocol 50 has to be allowed as well.
L-Server:
```
[root@L-Server ~]# yum install openswan lsof -y
[root@L-Server ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
[root@L-Server ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
SAref kernel support                                        [N/A]
NETKEY:  Testing for disabled ICMP send_redirects           [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [OK]
Pluto listening for NAT-T on udp 4500                       [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing                              [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
```
5. Configure IPsec
Edit /etc/ipsec.conf. The same file is used on both gateways; Openswan works out which of left/right it is from the addresses configured on its own interfaces.
```
[root@R-Server ~]# egrep -v "^$|^#" /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

conn net-to-net
        authby=secret
        type=tunnel
        ike=aes256-sha2_256;modp2048
        phase2alg=aes256-sha2_256;modp2048
        left=192.168.3.71
        leftsubnet=172.16.10.0/24
        right=192.168.3.72
        rightsubnet=10.1.1.0/24
        forceencaps=yes
        dpddelay=1
        dpdtimeout=3
        dpdaction=restart
        auto=start
```
(The indented comment lines survive the egrep filter because they do not start at column 0.) What the conn settings mean:
authby=secret: the peers authenticate with a pre-shared key read from /etc/ipsec.secrets, so the strength of the tunnel's authentication is the strength of that key.
ike=aes256-sha2_256;modp2048: phase 1 (IKE) uses AES-256, SHA-256 and Diffie-Hellman group 14; phase2alg=aes256-sha2_256;modp2048: the ESP SA uses AES-256 with SHA-256 integrity, and the ;modp2048 suffix makes the phase 2 rekey do its own group 14 exchange (perfect forward secrecy). Both sides must offer the same proposal or negotiation fails with "no acceptable proposal".
left/leftsubnet and right/rightsubnet: the public address of each gateway and the private network behind it; type=tunnel wraps the whole inner packet in ESP between the two public addresses.
forceencaps=yes: always UDP-encapsulate ESP on port 4500 even when no NAT is detected, which is what makes "Pluto listening for NAT-T on udp 4500" above matter.
dpddelay=1, dpdtimeout=3, dpdaction=restart: send a dead-peer-detection probe every second and restart the connection after 3 seconds of silence. This is aggressive; on a lossy WAN link it can make the tunnel flap, so larger values are usual outside a lab.
auto=start: bring the tunnel up as soon as the ipsec service starts.
Edit /etc/ipsec.secrets:
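The post does not show the contents of /etc/ipsec.secrets. As an added example (not the post's own file), the following POSIX sh script generates a random pre-shared key, writes the secrets file in the "left right : PSK" form that authby=secret expects, and runs the checks a practitioner wants before restarting ipsec. The peer addresses are the lab's public-side IPs; the key is generated at run time rather than taken from the page, and the 32-character minimum in check_secrets is this example's own threshold.

```shell
#!/bin/sh
# Added example, not from the original post: create the pre-shared key that
# authby=secret in the net-to-net conn relies on, write /etc/ipsec.secrets,
# and check the file before "service ipsec restart".  192.168.3.71 and
# 192.168.3.72 are the lab's gateway addresses; the key is generated here.

# 32 bytes from the kernel CSPRNG, hex-encoded to 64 characters.  A short,
# guessable PSK is the weak point of PSK-authenticated IKE, so use a long
# random one rather than a memorable phrase.
gen_psk() {
    od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# Write 'LEFT RIGHT : PSK "key"' to FILE.  The file is created under umask
# 077 in a subshell (so the caller's umask is untouched) and chmod'ed in case
# it already existed: pluto reads it as root, and anything more permissive
# hands the tunnel key to every local account.
write_secrets() {
    left=$1; right=$2; psk=$3; file=$4
    ( umask 077; : > "$file" ) && chmod 600 "$file" &&
        printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" > "$file"
}

# Checks worth running before restarting ipsec: exactly one PSK line for this
# peer pair, a key of at least 32 characters (this example's threshold), and
# mode 0600.  Prints one line per problem; the return status is the count.
check_secrets() {
    file=$1; left=$2; right=$3; problems=0
    n=$(grep -c "^$left $right : PSK " "$file" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one PSK line for $left $right, found $n"
        problems=$((problems + 1))
    fi
    key=$(sed -n "s/^$left $right : PSK \"\(.*\)\"\$/\1/p" "$file" | head -n 1)
    if [ "${#key}" -lt 32 ]; then
        echo "PSK is ${#key} characters, want at least 32"
        problems=$((problems + 1))
    fi
    if [ -z "$(find "$file" -perm 600 -print)" ]; then
        echo "$file is not mode 0600"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use (as root):
#   sh make_secrets.sh 192.168.3.71 192.168.3.72 /etc/ipsec.secrets
if [ "$#" -eq 3 ]; then
    write_secrets "$1" "$2" "$(gen_psk)" "$3" && check_secrets "$3" "$1" "$2"
fi
```

The identical line must be present in /etc/ipsec.secrets on both gateways, so copy it to the other side over an already authenticated channel (scp over the ssh path used throughout this lab), and after editing run ipsec secrets (or restart the service) so pluto re-reads the file.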
This article is from the "ly36843运维" blog; please keep this source notice: http://ly36843.blog.51cto.com/3120113/1658387