freebsd点到点的ipsec ***

使用 FreeBSD 网关在两个被 Internet 分开的网络之间架设 ×××,以实现两个网络通过×××通道互访，IPsec 是一种建立在 Internet 协议 (IP) 层之上的协议，它能够让两个或更多主机以安全的方式来通讯，IPsec 既

可以用来直接加密主机之间的网络通讯 (也就是传输模式)；也可以用来在两个子网之间建造 “虚拟隧道” 用于两个网络之间的安全通讯 (也就是隧道模式)。后一种更多的被称为是虚拟专用网 (×××)。

1、编译内核
-------------------------------
#要把 IPsec 支持放进内核，应该在配置文件中加入下面的选项：

options   IPSEC        #IP security
options   IPSEC_ESP
device    crypto

#如果需要 IPsec 的调试支持，还应增加：

options IPSEC_DEBUG #debug for IP security
device gif # IPv6 and IPv4 tunneling

#编译内核

2、×××配置
---------------------------------
#security/ipsec-tools安装

server1# tar -zxvf ipsec-tools-0.8-alpha20090422.tar.bz2
server1# cd ipsec-tools-0.8-alpha20090422
server1# ./configure
server1# make;make install

server1:
server1# ifconfig gif0 create
server1# ifconfig gif0 222.11.33.23 222.11.34.56
server1# ifconfig gif0 tunnel 10.10.10.100 172.16.16.100

server2:
server2# ifconfig gif0 create
server2# ifconfig gif0 222.11.34.56 222.11.33.23
server2# ifconfig gif0 tunnel 172.16.16.100 10.10.10.100

#一旦完成以后，两个私有的 IP 地址都应该能像下面ping命令输出那样互相访问
server1# ping 172.16.16.100
PING 172.16.16.100 (172.16.16.100): 56 data bytes
64 bytes from 172.16.16.100: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.100: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.100: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.100: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.100 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms

server2# ping 10.10.10.100
PING 10.10.10.100 (10.10.10.100): 56 data bytes
64 bytes from 10.10.10.100: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.100: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.100: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.100: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.100: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.100 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms

#配置路由规则使两边私有地址都能相互访问
server1:
server1# route add 172.16.16.0 172.16.16.100 255.255.255.0
server1# route add net 172.16.16.0: gateway 172.16.16.100

server2:
server2# route add 10.10.10.0 10.10.10.100 255.255.255.0
server2# route add net 10.10.10.0: gateway 10.10.10.100

#这样配置后，不论从网关还是网关后的机器都能访问内部的网络
server1# ping 172.16.16.23
PING 172.16.16.23 (172.16.16.23): 56 data bytes
64 bytes from 172.16.16.23: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.23: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.23: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.23: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.23 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms

server2# ping 10.10.10.16
PING 10.10.10.100 (10.10.10.16): 56 data bytes
64 bytes from 10.10.10.16: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.16: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.16: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.16: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.16: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.16 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms

3、通道的加密传输
------------------------------------------------------
#使用 pre-shared（PSK）RSA 密钥对通道进行加密，保证数据的安全传输
#安装security/ipsec-tools
server1#
server1# vi /usr/local/etc/racoon/racoon.conf //两边文件差不多一样，只做稍许修改

path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
        maximum_length 20;
        randomize       off;
        strict_check    off;
        exclusive_tail off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive 15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen # address [port] that racoon will listening on
{
isakmp 222.11.33.23 [500];
isakmp_natt 222.11.33.23 [4500];
}

remote 222.11.34.56 [500]
{
        exchange_mode   main,aggressive;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address 222.11.33.23;
        peers_identifier        address 222.11.34.56;
        lifetime        time 8 hour;
        passive         off;
        proposal_check obey;
#       nat_traversal   off;
        generate_policy off;

proposal {
                                encryption_algorithm    blowfish;
                                hash_algorithm          md5;
                                authentication_method   pre_shared_key;
                                lifetime time           30 sec;
                                dh_group                1;
                        }
}

sainfo (address 10.10.10.0/24 any address 172.16.16.0/24 any)    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{                               # $network must be the two internal networks you are joining.
        pfs_group       1;
        lifetime        time    36000 sec;
        encryption_algorithm    blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm   deflate;
}

server1# vi /usr/local/etc/racoon/setkey.conf

flush;
spdflush;
# To the home network
spdadd 10.10.10.0/24 172.16.16.0/24 any -P out ipsec esp/tunnel/222.11.33.23-222.11.34.56/use;
spdadd 172.16.16.0/24 10.10.10.0/24 any -P in ipsec esp/tunnel/222.11.34.56-222.11.33.23/use;

#一旦完成后，便使用下面的命令在两边的网关上都启动 racoon
server1# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
server2# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf

#确认一下“隧道”是否正常工作
server1# tcpdump -i em0 host 222.11.33.23 and dst 222.11.34.56

4、防火墙设置
------------------------------------------------
#ipfw设置

ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any

#pf设置

pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any

#允许机器初始化的时候开始 ××× 支持

server1# vi /etc/rc.conf

ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"

转载于:https://blog.51cto.com/kerry/239106

freebsd点到点的ipsec ***相关推荐

ensp模拟器使用USG6000V防火墙模拟搭建点到点的IPSec 隧道（web网页版）
ensp模拟器使用USG6000V防火墙模拟搭建点到点的IPSec 隧道(web网页版) 关于IPSec技术的基本原理及使用场景请参考: IPSec技术的基本原理详解及应用场景本文主要是使用ensp ...
网络信息安全——网络阶段笔记总结--jf
网络信息安全--网络阶段笔记总结基础知识: OSI七层模型: 应用层-表示层-会话层-传输层-网络层数据链路层-物理层 tcp/ip四层模型:应用层-传输层-网络层-网络接口层 tcp/ip五层模型 ...
Cisco GETVPN
目录 GET VPN简介 GETVPN的优势 GETVPN技术分为以下几个核心组件: 实验验证 GET VPN简介 CISCO的组加密传输VPN提出了一个名叫信任组的概念,不再使用点到点隧道来承载路 ...
IPSEC实验（IPSECVPN点到点，DSVPN,IPSECVPN旁挂）
目录一.复现实验 1.防火墙的IPSECVPN点到点实验 -1,拓扑图的搭建 -2,配置IP,开通ping,并且设置策略 -3,在网络中的IPSEC进行配置第一阶段:发出的UDP500流量第二阶 ...
安全防御--IPsec VPN点到点的实验
1,什么是数据认证 ,有什么作用,有哪些实现的技术手段? 在计算机和网络安全领域中,数据认证是指验证数据在传输和存储过程中的完整性.真实性和合法性的过程.数据在传输和存储过程中容易受到数据篡改.损坏或 ...
点到点 Ipsec *** 从一端能正常发起，另一端发起不成功的解决过程
集团总部用的cisco 5540防火墙,上面配置了2个动态***,若干L2L***.集团总部到各分公司直接用lan to lan ipsce ***连接,部分分公司到集团总部的***能够双向发起,部分 ...
juniper SSG防火墙与飞塔防火墙配置点到点IPSEC ***
背景:公司办公区的网关防火使用的是飞塔防火墙,公司IDC机房使用的juniper SSG550M防火墙,现在想在办公网和机房生产网中间创建一条ipsec ***用于公司用户访问机房网络,公司网段为19 ...
华为点到点IPSec 虚拟专用网配置
配置相关接口IP地址及区域 [FW1-GigabitEthernet1/0/0]ip add 10.1.1.1 24 [FW1-GigabitEthernet1/0/0]service-manage ...
SSL ×××与IPSec ×××特点比较
首先让我们从SSL ×××和IPSec ×××两个阵营出发做一个比较. 1 SSL ×××相对于IPSec ×××的优势 1.1 SSL ×××比IPSec ×××部署.管理成本低首先我们先认识一下 ...

freebsd点到点的ipsec ***

freebsd点到点的ipsec ***相关推荐

最新文章

热门文章