[Featured] Three examples: IPsec VPN and pptpd on FreeBSD, OpenBSD and Linux
Source: chinaunix.net, compiled by kuqin.com
People keep asking about this over and over, which is tiresome, and I don't have much time to answer each one.
I'm posting everything now; if you still can't work it out, ask me again or leave a message. With a bit of TCP/IP knowledge, setting up a VPN is a simple matter.
Some of this is excerpted from elsewhere.
Implementing an IPsec-based VPN and the mpd dial-in server on FreeBSD
I. Net-to-net VPN
192.168.1.0/24 --- office gateway ----------------- home gateway --- 10.5.21.0/24
office internal IP: 192.168.1.1
office external IP: 131.107.3.1
home internal IP: 131.107.3.2
home external IP: 10.5.21.3
1. Build the kernel mykernel
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
#/usr/sbin/config mykernel
#cd ../compile/mykernel
#make depend all install
2. Edit rc.conf
On the office machine:
gif_interfaces="gif0"
gifconfig_gif0="131.107.3.1 131.107.3.2"
ifconfig_gif0="gif0 192.168.1.1 10.5.21.3 netmask 255.255.255.0"
gateway_enable="YES"
ipsec_enable="YES"
defaultrouter="131.107.3.9" # the ISP gateway
On the home host:
gif_interfaces="gif0"
gifconfig_gif0="131.107.3.2 131.107.3.1"
ifconfig_gif0="gif0 10.5.21.3 192.168.1.1 netmask 255.255.255.0"
defaultrouter="131.107.3.9" # the ISP gateway
gateway_enable="YES"
2. Install racoon
#cd /usr/ports/security/racoon
#make install clean
#cd /usr/local/etc/racoon
We use IKE with pre-shared keys
Edit psk.txt
On the office machine:
131.107.3.2 my_shared_secret
On the home machine:
131.107.3.1 my_shared_secret
Edit racoon.conf
cp racoon.conf.dist racoon.conf
Make the following changes on the office machine
Comment out these three lines
#path certificate "/usr/local/etc/cert"
#my_identifier user_fqdn "sakane@kame.net";
#peers_identifier
Uncomment this line
my_identifier address;
In listen {}, change the isakmp line to
isakmp 131.107.3.1 [500];
On the home machine:
Comment out these three lines
#path certificate "/usr/local/etc/cert"
#my_identifier user_fqdn "sakane@kame.net";
#peers_identifier
Uncomment this line
my_identifier address;
In listen {}, change the isakmp line to
isakmp 131.107.3.2 [500];
2. Edit /etc/ipsec.conf
flush;
spdflush;
spdadd 192.168.1.0/24 10.5.21.0/24 any -P out ipsec esp/tunnel/131.107.3.1-131.107.3.2/require;
spdadd 10.5.21.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/131.107.3.2-131.107.3.1/require;
Write the startup script
Home machine:
/usr/local/etc/rc.d/ipsec.sh is as follows
#!/bin/sh
setkey -F -FP
setkey -f /etc/ipsec.conf
/usr/local/etc/rc.d/racoon.sh
racoon.sh is generated automatically by racoon
The office machine is the same
Add the VPN route
On the home machine
add to rc.local
route add -net 192.168.1.0/24 192.168.1.1
On the office machine
add to rc.local
route add -net 10.5.21.0/24 10.5.21.3
II. Setting up the dial-in server
Rebuilding the kernel for mpd as a PPTP server: configuration step one
The first step of the test is to see how much this mpd can actually do.
Last time, setting up a VPN on FreeBSD 5.1 ran into a lot of absurd problems and took four or five days to get working.
This time, right after installing FreeBSD 4.10, I installed mpd and it took only a few steps to reach the initial goal.
First, add the following to the kernel configuration file
# for mpd pptp server
options NETGRAPH #netgraph(4) system
options NETGRAPH_ASYNC
options NETGRAPH_BPF
options NETGRAPH_ECHO
options NETGRAPH_ETHER
options NETGRAPH_HOLE
options NETGRAPH_IFACE
options NETGRAPH_KSOCKET
options NETGRAPH_LMI
# MPPC compression requires proprietary files (not included)
#options NETGRAPH_MPPC_COMPRESSION
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
options NETGRAPH_RFC1490
options NETGRAPH_SOCKET
options NETGRAPH_UI
#end
Copy these lines over verbatim and save.
Then
cd /usr/src
make kernel KERNCONF=<kernel name>
to build the kernel.
Step two: install mpd from ports
ports/net/mpd
and run
make install
Go to /usr/local/etc/mpd
Ignore the configuration files already there
vi mpd.conf
Copy the following into it
default:
load client1
load client2
load client3
load client4
load client5
client1:
new -i ng0 pptp1 pptp1
set ipcp ranges 192.168.1.20/32 192.168.1.100/32
load client_standard
#
client2:
new -i ng1 pptp2 pptp2
set ipcp ranges 192.168.1.20/32 192.168.1.100/32
load client_standard
#
client3:
new -i ng2 pptp3 pptp3
set ipcp ranges 192.168.1.20/32 192.168.1.100/32
load client_standard
#
client4:
new -i ng3 pptp4 pptp4
set ipcp ranges 192.168.1.20/32 192.168.1.100/32
load client_standard
#
client5:
new -i ng4 pptp5 pptp5
set ipcp ranges 192.168.1.20/32 192.168.1.100/32
load client_standard
#
client_standard:
set iface disable on-demand
#set iface enable proxy-arp
#set iface idle 1800
set bundle enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
#set link mtu 1460
set link mtu 1260
set link keep-alive 10 60
set ipcp yes vjcomp
set ipcp dns 61.145.117.164
# set ipcp nbns 172.16.120.4
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e40
set ccp yes mpp-e128
set ccp yes mpp-stateless
#end of mpd.conf
Save
vi mpd.links
Copy the following section into it
#begin of mpd.links
pptp1:
set link type pptp
set pptp self 0.0.0.0
set pptp enable incoming
set pptp disable originate
#
pptp2:
set link type pptp
set pptp self 192.168.0.20
set pptp enable incoming
set pptp disable originate
#
pptp3:
set link type pptp
set pptp self 192.168.0.20
set pptp enable incoming
set pptp disable originate
#
pptp4:
set link type pptp
set pptp self 192.168.0.20
set pptp enable incoming
set pptp disable originate
#
pptp5:
set link type pptp
set pptp self 192.168.0.20
set pptp enable incoming
set pptp disable originate
#
#end of mpd.links
Save
vi mpd.secret
Add five users to it
Of course we also need to edit the mpd.secret file
This file defines the usernames and passwords of the dial-in users
The username comes first, then the password in double quotes, like this
fred "fred-pw"
You can also restrict a user to dialling in from a particular address or subnet, as in the following example:
joe "foobar" 192.168.1.1
bob "\x34\"foo\n" 192.168.1.10/24
Reboot the system
then run mpd -b
A VPN server accepting five concurrent connections is now built
Check the result
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
inet 127.0.0.1 netmask 0xff000000
ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
ng1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
ng2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
ng3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
ng4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
Success
Of course this alone cannot be used in practice, because a system that could reach the Internet before can no longer get online after dialling into this VPN server.
Another problem is implementing resource sharing and access control for remote dial-in users on the internal network.
And one more problem: a firewall still has to be installed :(
yanyp replied on 2005-06-19 01:03:58
OpenBSD IPsec VPN configuration example and pptpd dial-in server (manual keying and automatic keying)
The topology is as follows
clientA---gate_west--------- ---------internet-------------- gate_east-----clientB
clientA is a machine in gate_west's internal LAN 192.168.1.0/24
clientB is a machine in gate_east's internal LAN 10.5.21.0/24
gate_west internal IP: 192.168.1.1
gate_west external IP: 131.107.3.1
gate_east internal IP: 10.5.21.2
gate_east external IP: 131.107.3.2
gate_west's /etc/mygate is 131.107.3.9 # i.e. the external gateway
gate_east's /etc/mygate is 131.107.3.9 # i.e. the external gateway
If you want manual keying mode
I. Manual keying
1. On both gate_west and gate_east
add the following three lines to /etc/rc.local
sysctl -w net.inet.esp.enable=1
sysctl -w net.inet.ah.enable=1
sysctl -w net.inet.ip.forwarding=1
2. Generate the keys
On gate_west:
#cd /etc
# openssl rand 24 | hexdump -e '24/1 "%02x"' > enc_key
# openssl rand 20 | hexdump -e '20/1 "%02x"' > auth_key
Copy them to gate_east
scp /etc/enc_key gate_east:/etc
scp /etc/auth_key gate_east:/etc
3. Write the ipsec.sh script
On gate_west
#cd /etc
#vi /etc/ipsec.sh
Mine is as follows:
#!/bin/sh
/sbin/ipsecadm new esp -src 131.107.3.1 -dst 131.107.3.2 -forcetunnel -spi 1000 -enc 3des -auth sha1 -keyfile enc_key -authkeyfile auth_key
/sbin/ipsecadm new esp -src 131.107.3.2 -dst 131.107.3.1 -forcetunnel -spi 1001 -enc 3des -auth sha1 -keyfile enc_key -authkeyfile auth_key
/sbin/ipsecadm flow -out -require -proto esp -src 131.107.3.1 -dst 131.107.3.2 -addr 192.168.1.0/24 10.5.21.0/24
/sbin/ipsecadm flow -in -require -proto esp -src 131.107.3.1 -dst 131.107.3.2 -addr 10.5.21.0/24 192.168.1.0/24
chmod 755 /etc/ipsec.sh
On gate_east
#cd /etc
#vi /etc/ipsec.sh
Mine is as follows:
#!/bin/sh
/sbin/ipsecadm new esp -src 131.107.3.1 -dst 131.107.3.2 -forcetunnel -spi 1000 -enc 3des -auth sha1 -keyfile enc_key -authkeyfile auth_key
/sbin/ipsecadm new esp -src 131.107.3.2 -dst 131.107.3.1 -forcetunnel -spi 1001 -enc 3des -auth sha1 -keyfile enc_key -authkeyfile auth_key
/sbin/ipsecadm flow -out -require -proto esp -src 131.107.3.2 -dst 131.107.3.1 -addr 10.5.21.0/24 192.168.1.0/24
/sbin/ipsecadm flow -in -require -proto esp -src 131.107.3.2 -dst 131.107.3.1 -addr 192.168.1.0/24 10.5.21.0/24
chmod 755 /etc/ipsec.sh
4. Add ipsec.sh to /etc/rc.local
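An added example, not from the original post, for the key-generation step of the manual-keying procedure above: it produces enc_key and auth_key of the sizes the post uses (24 bytes for 3DES, 20 bytes for HMAC-SHA1) and checks the copies on both gateways before ipsecadm loads them into the two SAs. The function names (gen_hex_key, check_key_file, keys_match) are this example's own, and it draws random bytes with od(1) from /dev/urandom instead of openssl rand so it runs where openssl is absent.

```shell
#!/bin/sh
# Added example (not the post's code): create and sanity-check the key files
# that ipsecadm(8) reads via -keyfile / -authkeyfile. Key sizes follow the
# post: 24 bytes for 3DES, 20 bytes for HMAC-SHA1. Random bytes come from
# /dev/urandom via od(1) rather than openssl(1); this is an assumption of
# the example, not something the post prescribes.

# gen_hex_key NBYTES: print NBYTES random bytes as lowercase hex, no newline
gen_hex_key() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# check_key_file FILE NBYTES: 0 when FILE holds exactly 2*NBYTES hex digits
# (a trailing newline is tolerated), 1 otherwise. Catches truncated copies
# and keys of the wrong size before they are loaded into an SA.
check_key_file() {
    key=$(tr -d '\n' < "$1")
    if [ "${#key}" -ne $((2 * $2)) ]; then
        echo "$1: expected $((2 * $2)) hex digits, found ${#key}" >&2
        return 1
    fi
    case $key in
        *[!0-9a-fA-F]*) echo "$1: contains non-hex characters" >&2; return 1 ;;
    esac
    return 0
}

# keys_match FILE_A FILE_B: 0 when both files hold the same key. Both SAs
# (spi 1000 and 1001) are created on both gateways from the same files, so
# any difference between the two copies silently breaks one direction.
keys_match() {
    [ "$(tr -d '\n' < "$1")" = "$(tr -d '\n' < "$2")" ]
}

# Demo: make a key pair the way /etc/enc_key and /etc/auth_key are made.
dir=$(mktemp -d)
gen_hex_key 24 > "$dir/enc_key"
gen_hex_key 20 > "$dir/auth_key"
check_key_file "$dir/enc_key" 24 && check_key_file "$dir/auth_key" 20 &&
    echo "enc_key and auth_key look valid"
rm -rf "$dir"
```

Run keys_match against the local file and the copy fetched back from the far gateway (for example with scp) before starting ipsec.sh on either side.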
If you want automatic keying mode
II. Automatic keying (pre-shared key)
1. On both gate_west and gate_east
add the following three lines to /etc/rc.local
sysctl -w net.inet.esp.enable=1
sysctl -w net.inet.ah.enable=1
sysctl -w net.inet.ip.forwarding=1
2. Generate /etc/isakmpd/isakmpd.conf and /etc/isakmpd/isakmpd.policy
On gate_west:
#cp /usr/share/ipsec/isakmpd/VPN-west.conf /etc/isakmpd/isakmpd.conf
#cp /usr/share/ipsec/isakmpd/policy /etc/isakmpd/isakmpd.policy
Edit /etc/isakmpd/isakmpd.conf; mine is as follows
[Phase 1]
131.107.3.2= ISAKMP-peer-east
[Phase 2]
Connections= IPsec-west-east
[ISAKMP-peer-east]
Phase= 1
Transport= udp
Address= 131.107.3.2
Configuration= Default-main-mode
Authentication= mekmitasdigoat # yoursharedsecret
[IPsec-west-east]
Phase= 2
ISAKMP-peer= ISAKMP-peer-east
Configuration= Default-quick-mode
Local-ID= Net-west
Remote-ID= Net-east
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 10.5.21.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,BLF-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
Edit /etc/isakmpd/isakmpd.policy; mine is as follows
KeyNote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
On gate_east:
#cp /usr/share/ipsec/isakmpd/VPN-west.conf /etc/isakmpd/isakmpd.conf
#cp /usr/share/ipsec/isakmpd/policy /etc/isakmpd/isakmpd.policy
Edit /etc/isakmpd/isakmpd.conf; mine is as follows
[Phase 1]
131.107.3.1= ISAKMP-peer-west
[Phase 2]
Connections= IPsec-east-west
[ISAKMP-peer-west]
Phase= 1
Transport= udp
Address= 131.107.3.1
Configuration= Default-main-mode
Authentication= mekmitasdigoat # yoursharedsecret
[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 10.5.21.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,BLF-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
Edit /etc/isakmpd/isakmpd.policy; mine is as follows
KeyNote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
3. Change the permissions of isakmpd.conf and isakmpd.policy
chmod 400 /etc/isakmpd/isakmpd.conf
chmod 400 /etc/isakmpd/isakmpd.policy
4. Start isakmpd
#/sbin/isakmpd -d
To show more debugging information
#/sbin/isakmpd -d -DA=99
Setting up a pptpd dial-in server on OpenBSD 3.4
#cd /usr/ports/net/poptop
#make install clean
#cd /usr/ports/distfiles/poptop-1.1.4/samples
#cp pptpd.conf /etc/
#cp options.pptpd /etc/ppp/
#cp options /etc/ppp/
#cp chap-secrets /etc/ppp/
The /etc/pptpd.conf file is as follows:
option /etc/ppp/options.pptpd
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245
Append the following lines to /etc/ppp/ppp.conf:
pptp:
set escape 0xff
set timeout 0
enable proxy
accept dns
enable MSChapV2
enable mppe
disable pap
disable chap
disable mschap
set mppe * stateless
set dns 192.168.0.254
set ifaddr 192.168.0.254 192.168.0.250-192.168.0.253 255.255.255.255
The /etc/ppp/options.pptpd file is as follows:
lock
name pptpd
proxyarp
bsdcomp 0
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
auth
Add users in the /etc/ppp/ppp.secret file
test 123456
yyy qwertyuiop
wwww 67890
Add the following lines to /etc/sysctl.conf:
net.inet.gre.allow=1
net.inet.gre.wccp=1
net.inet.mobileip.allow=1
yanyp replied on 2005-06-19 01:04:46
Setting up an IPsec VPN with X.509 certificates and a pptpd dial-in server on Fedora 3
vpn-ipsec-x509
Network topology
clientA---gate2------internet------gate1---clientB
clientA: 192.168.1.12
gate2 internal IP: 192.168.1.1
gate2 external IP: 131.107.3.1
gate2 gateway: 131.107.3.9 # the external gateway
clientB: 10.5.21.12
gate1 internal IP: 10.5.21.131
gate1 external IP: 131.107.3.2
gate1 gateway: 131.107.3.9 # the external gateway
I. Requesting a certificate and signing the certificate request
Request a certificate on gate1
#openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout gate1.private -outform PEM -out request.pem
Fill in the fields according to your situation
Now we sign this request ourselves
#openssl x509 -req -in request.pem -signkey gate1.private -out gate1.public
The request file is no longer needed now and can be deleted
Repeat the above process on every machine that needs a certificate. You can now safely publish your "*.public" files, but make sure *.private stays secret
gate1 and gate2 exchange their *.public files
Use openssl's digest command to verify *.public, to make sure *.public has not been modified by anyone else
#openssl dgst gate1.public
II. Configuring racoon.conf
My racoon.conf on gate1 is as follows:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen { isakmp 131.107.3.2 [500] ; }
remote 131.107.3.1
{
exchange_mode aggressive,main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "gate1.public" "gate1.private";
peers_certfile "gate2.public";
lifetime time 24 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5 ;
compression_algorithm deflate ;
}
My racoon.conf on gate2 is as follows:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen { isakmp 131.107.3.1 [500]; }
remote 131.107.3.2
{
exchange_mode aggressive,main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "gate2.public" "gate2.private";
peers_certfile "gate1.public";
lifetime time 24 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5 ;
compression_algorithm deflate ;
}
III. Writing the SA policy
gate1's ipsec.sh is as follows
#!/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 10.5.21.0/24 192.168.1.0/24 any -P out ipsec
esp/tunnel/131.107.3.2-131.107.3.1/require;
spdadd 192.168.1.0/24 10.5.21.0/24 any -P in ipsec
esp/tunnel/131.107.3.1-131.107.3.2/require;
gate2's ipsec.sh is as follows
#!/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 192.168.1.0/24 10.5.21.0/24 any -P out ipsec
esp/tunnel/131.107.3.1-131.107.3.2/require;
spdadd 10.5.21.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/131.107.3.2-131.107.3.1/require;
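An added example (not the post's own code) that applies both to the FreeBSD /etc/ipsec.conf earlier in this thread and to the gate1/gate2 ipsec.sh files just above: it derives each gateway's setkey policies from one description of the tunnel and then checks that the two gateways' policy files mirror each other, because a policy file copied unchanged to the far gateway has both directions wrong. The function names (spd_for_gateway, spd_mirror_check, spd_half_check) are assumptions of the example, and it expects one spdadd per line as the FreeBSD file has.

```shell
#!/bin/sh
# Added example (not from the post): emit the setkey(8) SPD a gateway needs
# from one description of the tunnel, and verify that two gateways' policy
# files are mirrors of each other. One spdadd per line is assumed.

# spd_for_gateway LOCAL_NET REMOTE_NET LOCAL_PUBLIC_IP REMOTE_PUBLIC_IP
# Outbound local->remote traffic is tunnelled local_pub->remote_pub; inbound
# remote->local traffic arrives through the tunnel remote_pub->local_pub.
spd_for_gateway() {
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$2" "$1" "$4" "$3"
}

# spd_half_check FILE_A FILE_B: every "-P out" policy of A must appear in B
# with only the direction changed to "-P in" (same selectors, same tunnel
# endpoints), because B's inbound policy describes exactly A's outbound flow.
spd_half_check() {
    grep -e '-P out' "$1" | sed 's/-P out/-P in/' | while read -r want; do
        grep -qF -- "$want" "$2" ||
            { echo "$2 lacks the inbound policy for: $want" >&2; exit 1; }
    done
}

# spd_mirror_check FILE_A FILE_B: 0 when both halves mirror, 1 otherwise.
# A file copied unchanged to the far gateway fails this check.
spd_mirror_check() {
    spd_half_check "$1" "$2" && spd_half_check "$2" "$1"
}

# Demo with the post's office/home topology: prints both gateways' policies.
spd_for_gateway 192.168.1.0/24 10.5.21.0/24 131.107.3.1 131.107.3.2
spd_for_gateway 10.5.21.0/24 192.168.1.0/24 131.107.3.2 131.107.3.1
```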
IV. Enable forwarding and change the racoon file permissions
net.ipv4.ip_forward = 1
In /etc/racoon
#chmod 0600 certs
#chmod 600 racoon.conf
V. If you want to enable NAT, refer to the following script
#iptables -t nat -A POSTROUTING -s 10.5.21.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -d \! 10.5.21.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.5.21.0/24 -o eth0 -j MASQUERADE
Setting up the pptpd dial-in server
For Fedora 2, download:
dkms-1.12-2.noarch.rpm
kernel_ppp_mppe-0.0.4-2dkms.noarch.rpm
pptpd-1.1.4-b4.i386.rpm
For Fedora 3, download:
dkms-2.0.2-1.noarch.rpm
kernel_ppp_mppe-0.0.4-3dkms.noarch.rpm
pptpd-1.1.4-b4.i386.rpm
Taking Fedora 3 as an example
1. First install
dkms-2.0.2-1.noarch.rpm
kernel_ppp_mppe-0.0.4-3dkms.noarch.rpm
pptpd-1.1.4-b4.i386.rpm
2. Configure pptpd.conf
option /etc/ppp/options.pptpd
bcrelay eth1
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245
3. Configure /etc/ppp/options.pptpd
lock
name pptpd
proxyarp
bsdcomp 0
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
4. Add a user
/usr/bin/vpnuser add test 123456
Test from a Windows 2000 client
fjxiaoye replied on 2005-06-19 20:18:48
Thanks for sharing...
ligang_f replied on 2005-06-24 16:25:09
ddddddddddddddddd
Original link: http://bbs.chinaunix.net/viewthread.php?tid=564442
Please credit the author and the original source when reposting