CentOS6.4 安装openswan

标签：centos6.4 安装openswan

一、环境

系统：CentOS 6.4x64最小化安装

R-Server    eth0    192.168.3.72

        eth1    10.1.1.72

R-Client    eth0    10.1.1.74

L-Server    eth0    192.168.3.71

        eth1    172.16.10.71

L-Client    eth0    172.16.10.74

注：所有在R-Client和L-Client都通过各自的网关ssh过去进行操作

二、R-Server和L-Server配置epel源和ntp时间同步

R-Server：

[root@R-Server ~]# rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Retrieving http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
warning: /var/tmp/rpm-tmp.xTUJx4: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
[root@R-Server ~]# sed -i ‘s@#b@b@g‘ /etc/yum.repos.d/epel.repo
[root@R-Server ~]# sed  -i ‘s@mirrorlist@#mirrorlist@g‘ /etc/yum.repos.d/epel.repo
[root@R-Server ~]# yum -y install ntp

三、安装前系统初始化

R-Server和L-Server执行同样的操作

开启路由转发

[root@R-Server ~]# egrep "ip_forward|rp_filter" /etc/sysctl.conf 
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0    #确保这里的值是正确的

禁用icmp重定向

[root@R-Server ~]# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" ‘{print $1"= 0"}‘ >>/etc/sysctl.conf 
[root@R-Server ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0

四、安装openswan

R-Server:

[root@R-Server ~]# yum install openswan lsof -y

#执行下面的命令，确认安装正确
[root@R-Server ~]# ipsec --version
Linux Openswan U2.6.32/K(no kernel code presently loaded)
See `ipsec --copyright‘ for copyright information.

#启动ipsec
[root@R-Server ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...

#检查状态
[root@R-Server ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        	[OK]
 SAref kernel support                                       	[N/A]
 NETKEY:  Testing for disabled ICMP send_redirects          	[OK]
NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
Checking that pluto is running                              	[OK]
 Pluto listening for IKE on udp 500                         	[OK]
 Pluto listening for NAT-T on udp 4500                      	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing                              	[OK]
Checking for ‘ip‘ command                                   	[OK]
Checking /bin/sh is not /bin/dash                           	[OK]
Checking for ‘iptables‘ command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]

L-Server:

[root@L-Server ~]# yum install openswan lsof -y
[root@L-Server ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.el6.x86_64...
[root@L-Server ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        	[OK]
 SAref kernel support                                       	[N/A]
 NETKEY:  Testing for disabled ICMP send_redirects          	[OK]
NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
Checking that pluto is running                              	[OK]
 Pluto listening for IKE on udp 500                         	[OK]
 Pluto listening for NAT-T on udp 4500                      	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing                              	[OK]
Checking for ‘ip‘ command                                   	[OK]
Checking /bin/sh is not /bin/dash                           	[OK]
Checking for ‘iptables‘ command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]

五、配置ipsec

编辑文件/etc/ipsec.conf

[root@R-Server ~]# egrep -v "^$|^#" /etc/ipsec.conf 
version	2.0	# conforms to second version of ipsec.conf specification
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	# plutodebug="control parsing"
	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
	protostack=netkey
	nat_traversal=yes
	virtual_private=
	oe=off
	# Enable this if you see "failed to find any available worker"
	nhelpers=0
conn net-to-net
	authby=secret
	type=tunnel
	ike=aes256-sha2_256;modp2048
	phase2alg=aes256-sha2_256;modp2048
	left=192.168.3.71
	leftsubnet=172.16.10.0/24
	right=192.168.3.72
	rightsubnet=10.1.1.0/24
	forceencaps=yes
	dpddelay=1
	dpdtimeout=3
	dpdaction=restart
	auto=start

编辑文件/etc/ipsec.secrets

本文出自 “ly36843运维” 博客，请务必保留此出处http://ly36843.blog.51cto.com/3120113/1658387

CentOS6.4 安装openswan

标签：centos6.4 安装openswan

原文地址：http://ly36843.blog.51cto.com/3120113/1658387