Simple English, easy to understand, clearly written.

The only known IP address is the one of the gateway, which is defined as "192.168.1.1" in this scenario. The gateway should act as a VPN server which only responds to connection requests. The gateway must be configured independently of the client's IP address. Therefore it is also impossible to pre-define security policies for each client as was done before.

First of all, "racoon.conf" needs to be altered on the VPN gateway to accept requests from unknown or anonymous clients.

VPN gateway configuration: racoon.conf

There are some major points which have to be configured for a roadwarrior scenario:

· racoon should generate the security policy at runtime depending on the IP address of the client which is connecting to the VPN gateway. This is done with the directive "generate_policy on". Therefore a setkey.conf is not necessary at all on the gateway (except where it is used to flush the databases).

· racoon should define proposals for anonymous clients, which is done by the "remote anonymous" section.

· racoon should define security associations for anonymous clients. This is done by the "sainfo anonymous" section.

A basic racoon configuration may look like this. This example also shows some additional directives compared to the previous examples. The new directives are explained in comment lines (prefixed with "#") directly below them; the comments are explanation only and need not be part of the configuration file itself.

path certificate "/etc/certs";

remote anonymous
# No specific client is defined in the remote section. It has been anonymized to apply to all VPN clients.
{
        exchange_mode aggressive,main;
        # The gateway accepts Phase 1 in either aggressive or main mode.

        certificate_type x509 "HostA.public" "HostA.private";
        my_identifier asn1dn;
        peers_identifier asn1dn;

        proposal_check claim;
        # Compares the lifetime and key length proposed by the initiator with the responder's own values. The responder adopts the initiator's value when it is shorter (lifetime) or longer (key length) than its own; otherwise it keeps its own value and, for the lifetime, informs the initiator with a RESPONDER-LIFETIME notification.

        generate_policy on;
        # This is very important for a roadwarrior configuration. racoon will generate Security Policies at runtime which match the connection requests of the roadwarrior clients.

        nat_traversal off;
        # Defines whether NAT traversal is supported or not.

        ike_frag on;
        # If set to on, racoon will advertise itself as being capable of receiving packets split by IKE fragmentation [racoon_manual_06].

        verify_cert off;
        # The peer's certificate is not checked against a CA. Together with "remote anonymous" this means any peer holding the private key of some certificate, including a self-signed one, can complete Phase 1 and get policies generated for it. A production gateway should use "verify_cert on" and point "ca_type x509" at the issuing CA.

        passive on;
        # racoon will only respond to negotiations from this peer and never initiate one, which is what a roadwarrior gateway should do.

        proposal
        {
                encryption_algorithm aes;
                hash_algorithm md5;
                # MD5 is kept to match the earlier examples; current deployments should prefer a SHA-2 hash.
                authentication_method rsasig;
                dh_group 2;
        }
}

The proposal section remains unchanged.

sainfo anonymous
# Like the remote section, the sainfo section must also be altered to match security associations of anonymous clients.
{
        pfs_group 2;
        lifetime time 1 hour;
        # Defines how long a security association will be used.
        encryption_algorithm aes;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

VPN gateway configuration: setkey.conf

As mentioned before, the VPN gateway generates its SPD entries at runtime. Therefore a setkey.conf is not needed on the gateway.

VPN client configuration: racoon.conf

The client configuration only needs a few modifications, because in most cases the IP address of the VPN gateway is static and will not change. This does not apply to the "sainfo" section, because it usually consists of the IP addresses of both peers. Since the client's IP address is "unknown", the "sainfo" section must also be anonymized.

The client configuration may look like this (explanations again as "#" comment lines):

path certificate "/etc/certs";

remote 192.168.1.1
{
        exchange_mode aggressive;
        # In this scenario aggressive mode is initiated by the client for testing purposes.

        certificate_type x509 "HostB.public" "HostB.private";
        my_identifier asn1dn;
        peers_identifier asn1dn;

        proposal_check obey;
        # The responder will obey the initiator anytime.

        nat_traversal off;
        ike_frag on;
        verify_cert off;

        proposal
        {
                encryption_algorithm aes;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

VPN client configuration: setkey.conf

In a roadwarrior scenario the client initiates the VPN connection. Therefore certain security policies must pre-exist which cause the kernel to trigger racoon to establish a secure connection between client and VPN gateway. As shown earlier, this is done by entries in the SPD with the help of the "setkey" command. Usually source and destination IP addresses are written to the database, but in this scenario the IP address of the client is unknown. Therefore it has to be set to the client's actual IP address dynamically, or configured with a wildcard address (0.0.0.0/0) that matches any IP address.

A complete configuration of the Security Policy Database for transport mode may be configured with setkey like this. The prefix length "/0" is what makes 0.0.0.0/0 match any address; a bare 0.0.0.0 would only match that single host.

#!/usr/sbin/setkey -f
# Flush SAD and SPD
flush;
spdflush;
# SP for racoon
spdadd 192.168.1.1 0.0.0.0/0 any -P in ipsec
        esp/transport//require;
spdadd 0.0.0.0/0 192.168.1.1 any -P out ipsec
        esp/transport//require;

Test of the racoon roadwarrior connection.

First of all the racoon daemon on the VPN gateway is started. At this point no Security Policy Database entries exist on the VPN gateway.

After this the client's SPD is written and racoon is started. For testing purposes the client's IP address is changed[1] from 192.168.1.2 to 192.1.1.5 to prove that the gateway will establish a connection with an IP address it does not know in advance.

The first ICMP request ends in an error stating that the route to the destination network (192.168.1.0) is unknown to the client, because the client itself is now configured in the 192.1.1.0 network. Therefore a route must be set on the client's side. This is done with the "route" command as follows:

# route add -net 192.168.1.0 netmask 255.255.255.0 eth1

In this rather basic scenario it is no problem to add this route permanently. In other scenarios, where a client needs different routes for different network communications, the routes may be added dynamically at runtime. racoon itself has no option to add these routes automatically, but it can execute shell scripts when a connection goes "up" or "down". This also comes in handy when SPD entries need to be generated or deleted at runtime.
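As an added example (not part of the original text), the following POSIX shell script does what the client setkey.conf section and the route step above describe by hand: it determines the client's current address, generates the two transport-mode SPD entries with that concrete address instead of the 0.0.0.0/0 wildcard, loads them with setkey, and adds the route to the gateway's network; "down" flushes the policies again. The file name, the variable names, the use of iproute2's "ip" command, and the REMOTE_ADDR/LOCAL_ADDR environment variables (assumed to be set by racoon when it runs a phase1_up/phase1_down script; the original does not name them) are all assumptions.

```shell
#!/bin/sh
# roadwarrior-policy.sh: generate the client's transport-mode SPD entries for
# its current IP address, load them with setkey(8), and add the route to the
# gateway's network. Added example, not code from the original document.
#
# Assumptions (not stated in the original): the iproute2 "ip" command and
# setkey are installed; when started from racoon's "script ... phase1_up;" /
# "phase1_down;" hook, racoon exports REMOTE_ADDR (the gateway address) and
# LOCAL_ADDR (the client's own address). Without them the defaults below apply.
set -eu

GATEWAY="${REMOTE_ADDR:-192.168.1.1}"          # VPN gateway from the scenario
GATEWAY_NET="${GATEWAY_NET:-192.168.1.0/24}"  # network the route must point to
IFACE="${IFACE:-eth1}"                         # client's active interface

# current_ip IFACE: print the first IPv4 address configured on IFACE.
current_ip() {
    ip -4 -o addr show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# spd_config CLIENT_IP GATEWAY_IP: print a setkey script whose selectors name
# the client's real address instead of the 0.0.0.0/0 wildcard, so only traffic
# between this client and the gateway is required to be ESP-protected.
spd_config() {
    client="$1"
    gw="$2"
    printf '%s\n' \
        '#!/usr/sbin/setkey -f' \
        'spdflush;' \
        "spdadd $gw $client any -P in ipsec esp/transport//require;" \
        "spdadd $client $gw any -P out ipsec esp/transport//require;"
}

# policy_up: install the SPD entries for the current address, then the route
# (the scenario's "route add -net 192.168.1.0 ... eth1" in iproute2 form).
policy_up() {
    addr="${LOCAL_ADDR:-$(current_ip "$IFACE")}"
    spd_config "$addr" "$GATEWAY" | setkey -c
    ip route replace "$GATEWAY_NET" dev "$IFACE"
}

# policy_down: remove the policies again when the connection is torn down.
policy_down() {
    printf 'spdflush;\n' | setkey -c
}

case "${1:-}" in
    up)   policy_up ;;
    down) policy_down ;;
    show) spd_config "${LOCAL_ADDR:-$(current_ip "$IFACE")}" "$GATEWAY" ;;
esac
```

Run it as "sh roadwarrior-policy.sh up" after the client interface has its address and before racoon is started, or point racoon's script hook at it; "show" only prints the generated setkey script so the selectors can be inspected before they are loaded. Because the selectors carry the client's actual address, a wrong or stale policy is visible immediately in "setkey -DP" instead of silently matching every host.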

After adding the route, racoon successfully established the security associations between VPN gateway and client and encrypted the ICMP packets.

On the gateway side racoon adds the Security Policy Database entries for the new client to the SPD at that point.

[1] Changing an IP address is easily done with the "ifconfig" command, which may be used as follows:
# ifconfig eth1 192.1.1.5 netmask 255.255.255.0 up
(eth1 is the active network adapter of the VMware client)
