RSA authentication

(1) net-to-net connection

    1  Network environment

        Left network <---> Left Gateway <-----|-----> Right Gateway <---> Right network

        192.168.1.0/24     eth0:192.168.1.1         eth0:172.16.1.1       172.16.1.0/24
        GW 192.168.1.1     eth1:1.1.1.1             eth1:1.1.1.2          GW 172.16.1.1
                           GW:1.1.1.2               GW:1.1.1.2

       Besides the IP addresses above, each gateway also needs an identifier that the two peers use to tell each other apart during IPsec negotiation. It can be the gateway's own FQDN or any other name, for example @left; the names are entirely your own choice, but each one must match what the peer puts in its leftid/rightid, because pluto selects the connection (and therefore the RSA public key it verifies the peer's signature with) by this ID.

  2  Obtain each gateway's rsasigkey and save it

     On the Left Gateway, print its public key in the form used by the left side of a conn:

     #ipsec showhostkey --left

     On the Right Gateway, print its public key in the form used by the right side:

     #ipsec showhostkey --right

     showhostkey prints only the public half, as a ready-made leftrsasigkey=/rightrsasigkey= line; the private key stays in /etc/ipsec.secrets on the host that generated it and is never copied to the peer. If a gateway has no host key yet, create one first with ipsec newhostkey --output /etc/ipsec.secrets.

  3  On the Left Gateway, append the new connection to the end of Openswan's main configuration file /etc/ipsec.conf, and make sure the Left Gateway and the Right Gateway end up with the same configuration file (left and right are only labels; pluto works out from the addresses which side it is running on).

#vim /etc/ipsec.conf

 #Add connection here

   conn net-to-net
      left=1.1.1.1               #left gateway's external IP
      # rsakey AQNYfk+V8         #left gateway's public key, as obtained above
      leftrsasigkey=0sAQNYfk+V851n9R3vrwNcZFGRqYyuhjRaRyYKIIE0RvBGjHot6JWS1SQINXPy/i+TKTkte3BY104SkV+fd1GH2kZD6UjLQGq85M6waDVteVlxPBsr8+W2XRJVu9REkqT211y85N4HsCMoNDf/B9bjne11hHKsJQCu/DSgt89MSnmvuIHDggz2rs/00awBrg5SOTbi5P6YDncQNx2iU05TD8JY3QqkWyyqWxrthkV/WRpsFtAvW55B5pO0Ply+5heNcWPKSIExw7nfCzJqeaQV/pPVpZt9Kbl4IsqE1SV6BN9MqHPh2ady+avsn6SfXOImrDyp2DZ2+czJEiVrnntnzmU3mT3Wy3WAoiZOPNcYS3yJQpsz
      leftsubnet=192.168.1.0/24  #the internal network behind the left gateway
      leftid=@left               #left gateway's identifier
      leftnexthop=%defaultroute  #left gateway's next hop is its default route
      right=1.1.1.2              #right gateway's external IP
      # rsakey AQNYfk+V8         #right gateway's public key
      rightrsasigkey=0sAQNYfk+V851n9R3vrwNcZFGRqYyuhjRaRyYKIIE0RvBGjHot6JWS1SQINXPy/i+TKTkte3BY104SkV+fd1GH2kZD6UjLQGq85M6waDVteVlxPBsr8+W2XRJVu9REkqT211y85N4HsCMoNDf/B9bjne11hHKsJQCu/DSgt89MSnmvuIHDggz2rs/00awBrg5SOTbi5P6YDncQNx2iU05TD8JY3QqkWyyqWxrthkV/WRpsFtAvW55B5pO0Ply+5heNcWPKSIExw7nfCzJqeaQV/pPVpZt9Kbl4IsqE1SV6BN9MqHPh2ady+avsn6SfXOImrDyp2DZ2+czJEiVrnntnzmU3mT3Wy3WAoiZOPNcYS3yJQpsz
      rightsubnet=172.16.1.0/24  #the internal network behind the right gateway
      rightid=@right             #right gateway's identifier
      rightnexthop=%defaultroute #right gateway's next hop is its default route
      auto=start                 #add this connection and bring it up automatically at startup

   Note that the listing above repeats one key in both rsasigkey fields. In a working configuration leftrsasigkey is the Left Gateway's own public key (the output of ipsec showhostkey --left on the Left Gateway) and rightrsasigkey is the Right Gateway's (ipsec showhostkey --right on the Right Gateway); the two values differ, because each gateway signs with its own private key and the peer must verify that signature with the matching public key.

  4  Configure iptables on both gateways

   I  On the left gateway:

    #iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 172.16.1.0/24 -j MASQUERADE

   II  On the right gateway:

    #iptables -t nat -A POSTROUTING -o eth1 -s 172.16.1.0/24 -d ! 192.168.1.0/24 -j MASQUERADE

   The -d ! <remote subnet> exclusion matters: packets bound for the other site must be left alone by MASQUERADE so that they enter the tunnel with their real source address and match the leftsubnet/rightsubnet selectors; rewritten to 1.1.1.x they would no longer match the tunnel's policy and would leave the gateway in the clear. Newer iptables releases write the negation as ! -d 172.16.1.0/24. The INPUT chain on eth1 must also accept UDP 500 and 4500 (IKE and NAT-T) and IP protocol 50 (ESP) from the peer, or the negotiation never starts.

  5  Start ipsec and bring up the connection

  #service ipsec start

  #ipsec verify

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                             [OK]
    Linux Openswan U2.6.34/K2.6.18-164.el5 (netkey)
    Checking for IPsec support in kernel                        [OK]
     SAref kernel support                                       [N/A]
     NETKEY:  Testing XFRM related proc values                  [OK]
                                                                [OK]
                                                                [OK]
    Checking that pluto is running                              [OK]
     Pluto listening for IKE on udp 500                         [OK]
     Pluto listening for NAT-T on udp 4500                      [OK]
    Two or more interfaces found, checking IP forwarding        [OK]
    Checking NAT and MASQUERADEing
    Checking for 'ip' command                                   [OK]
    Checking /bin/sh is not /bin/dash                           [OK]
    Checking for 'iptables' command                             [OK]
    Opportunistic Encryption Support                            [DISABLED]

    Every check should read [OK] (or N/A / DISABLED for features you do not use) before you try the connection; a FAILED entry for IP forwarding, for example, means the gateway will not forward the other site's packets even though the tunnel negotiates.

  #ipsec auto --up net-to-net

    If the last lines of the output contain IPsec SA established, the connection is up.


  6  Test the connection

       From a client inside the left internal network, ping a host in the right internal network:

     ping 172.16.1.2

  On the left gateway, capture the traffic between the two external addresses:

  #tcpdump -i eth1 -n host 1.1.1.1 and host 1.1.1.2

  20:13:32.485925 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16b), length 100
  20:13:33.484953 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16c), length 100
  20:13:33.487009 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16c), length 100
  20:13:34.486172 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16d), length 100
  20:13:34.488086 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16d), length 100
  20:13:35.487436 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16e), length 100
  20:13:35.489995 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16e), length 100
  20:13:36.488668 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16f), length 100
  20:13:36.490382 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16f), length 100
  20:13:37.489973 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x170), length 100
  20:13:37.492400 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x170), length 100

  Only ESP is visible between the gateways: one SPI per direction, with the sequence number advancing by one per packet. If the pings showed up here as ICMP between 192.168.1.x and 172.16.1.x, they would be bypassing the tunnel, most often because of the NAT rules above or because the connection never came up.

This kind of connection only protects traffic between the two subnets; it does not cover traffic from one gateway to the other, or from a gateway to the remote subnet. If you need that, for example because one of the gateways is also a file server, you have to define additional connections for those address pairs.

 

(2) Road Warrior

  1  Network environment

     Left network <---> Left Gateway <------> laptop (Linux)

     192.168.1.0/24     eth0:192.168.1.1      eth1:1.1.1.2
                        eth1:1.1.1.1          GW 1.1.1.2
                        GW:1.1.1.2

Again each side needs the other's public key. The laptop is the right side, and the configuration follows the net-to-net pattern, except that the gateway does not know the laptop's address in advance and therefore uses right=%any.


On the gateway, append the following to the end of the main configuration file:

  #vim /etc/ipsec.conf

     conn road
      left=1.1.1.1
      leftid=@***server
      leftsubnet=192.168.1.0/24
      # rsakey AQOebBxva
      leftrsasigkey=0sAQOebBxvanOwfLdEF3xuAt8M1JaY0OxtQq/B5x93pZrI6h9U4wWxNpWwOh6kcm1K8ylqtd8upzcbL/PaU+OKmIA4MwXgAextJ+jGtNfU13eKHENerSgt5QkmCJe86j2hq2UvSFO6q/v4tWI/SA2zt2r9UIT5J7oKfkyGesY7dUS/Oc/bFN84y72yZVyJ9TETaASY9OYOY0A6wHXsgG5ULyQMMLVfHViNNZLjJklQDd/+vb7etAOAt4QAp/U6dE4/L+5Fe95baTdsnSxISCVlXZiOr2v8szQ6lLikPlBDAKpSdpaEsDunvTVajbdl0L25ilCgt4h6sPeqFd8uZCTyn19FIRNNOBceSQFc5VW8JtiBEbjt

 #     leftnexthop=%defaultroute
      right=%any                 #the laptop's address is not known in advance
      rightid=@laptop
      # rsakey AQOebBxva
      rightrsasigkey=0sAQOebBxvanOwfLdEF3xuAt8M1JaY0OxtQq/B5x93pZrI6h9U4wWxNpWwOh6kcm1K8ylqtd8upzcbL/PaU+OKmIA4MwXgAextJ+jGtNfU13eKHENerSgt5QkmCJe86j2hq2UvSFO6q/v4tWI/SA2zt2r9UIT5J7oKfkyGesY7dUS/Oc/bFN84y72yZVyJ9TETaASY9OYOY0A6wHXsgG5ULyQMMLVfHViNNZLjJklQDd/+vb7etAOAt4QAp/U6dE4/L+5Fe95baTdsnSxISCVlXZiOr2v8szQ6lLikPlBDAKpSdpaEsDunvTVajbdl0L25ilCgt4h6sPeqFd8uZCTyn19FIRNNOBceSQFc5VW8JtiBEbjt
      #rightnexthop=%defaultroute
      auto=start                 #with right=%any the gateway cannot initiate; auto=add is the usual setting here, since the laptop brings the connection up

   As in the net-to-net case, rightrsasigkey must be the laptop's own public key (ipsec showhostkey --right on the laptop), not a second copy of the gateway's key as shown above.

On the laptop, add the following to the main configuration file:

   #vim /etc/ipsec.conf

     conn road
      left=%defaultroute         #the laptop's own address, whatever it currently is
      # rsakey AQNYfk+V8
      leftrsasigkey=0sAQNYfk+V851n9R3vrwNcZFGRqYyuhjRaRyYKIIE0RvBGjHot6JWS1SQINXPy/i+TKTkte3BY104SkV+fd1GH2kZD6UjLQGq85M6waDVteVlxPBsr8+W2XRJVu9REkqT211y85N4HsCMoNDf/B9bjne11hHKsJQCu/DSgt89MSnmvuIHDggz2rs/00awBrg5SOTbi5P6YDncQNx2iU05TD8JY3QqkWyyqWxrthkV/WRpsFtAvW55B5pO0Ply+5heNcWPKSIExw7nfCzJqeaQV/pPVpZt9Kbl4IsqE1SV6BN9MqHPh2ady+avsn6SfXOImrDyp2DZ2+czJEiVrnntnzmU3mT3Wy3WAoiZOPNcYS3yJQpsz
      right=1.1.1.1
#      leftsubnet=192.168.1.0/24
      leftid=@laptop
#      leftnexthop=%defaultroute
      rightsubnet=192.168.1.0/24
      rightid=@***server
      # rsakey AQNYfk+V8
      rightrsasigkey=0sAQNYfk+V851n9R3vrwNcZFGRqYyuhjRaRyYKIIE0RvBGjHot6JWS1SQINXPy/i+TKTkte3BY104SkV+fd1GH2kZD6UjLQGq85M6waDVteVlxPBsr8+W2XRJVu9REkqT211y85N4HsCMoNDf/B9bjne11hHKsJQCu/DSgt89MSnmvuIHDggz2rs/00awBrg5SOTbi5P6YDncQNx2iU05TD8JY3QqkWyyqWxrthkV/WRpsFtAvW55B5pO0Ply+5heNcWPKSIExw7nfCzJqeaQV/pPVpZt9Kbl4IsqE1SV6BN9MqHPh2ady+avsn6SfXOImrDyp2DZ2+czJEiVrnntnzmU3mT3Wy3WAoiZOPNcYS3yJQpsz
      auto=start

   Here the laptop calls itself left, so leftid/leftrsasigkey are its own, and rightid/rightrsasigkey must be the gateway's (the key that ipsec showhostkey prints on the gateway), not the laptop key repeated as above; the two files are mirror images of each other rather than identical copies.
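The conn blocks in this document (the net-to-net conn and the two road-warrior conns) are easy to get subtly wrong by hand. The script below is an added example, not Openswan code and not part of the original page: it parses conn blocks, decodes the rsasigkey values (the 0s prefix means base64, and the payload is the RFC 3110 RSA public key encoding that ipsec showhostkey emits: exponent length, exponent, modulus), and reports a missing ID, an invalid subnet, a short modulus, the same public key on both sides, and auto=start on a gateway facing right=%any. The conn it checks is constructed from the gateway-side road conn above, with the placeholder identity @server standing in for the elided name and the two public keys copied from the page.

```python
"""Pre-flight lint for Openswan ipsec.conf conn blocks.  Added example, not
Openswan code.  It decodes the 0s rsasigkey values (base64 of the RFC 3110 RSA
public key encoding that `ipsec showhostkey` prints) and flags the mistakes a
hand-edited conn most often carries."""
import base64
import binascii
import ipaddress
import re

def parse_conns(text):
    """Return {conn_name: {option: value}}; '#' starts a comment, also mid-line."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'conn\s+(\S+)$', line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and '=' in line:
            k, v = line.split('=', 1)
            cur[k.strip()] = v.strip()
    return conns

def decode_rsasigkey(value):
    """RFC 3110: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus -> (e, n)."""
    if not value.startswith('0s'):
        raise ValueError('expected the 0s (base64) prefix')
    blob = base64.b64decode(value[2:], validate=True)
    elen, off = blob[0], 1
    if elen == 0:
        elen, off = int.from_bytes(blob[1:3], 'big'), 3
    e = int.from_bytes(blob[off:off + elen], 'big')
    n = int.from_bytes(blob[off + elen:], 'big')
    if e < 3 or n < 2:
        raise ValueError('malformed RSA public key')
    return e, n

def encode_rsasigkey(e, n):
    """Inverse of decode_rsasigkey, to compare a conf value with a key obtained elsewhere."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, 'big')
    nb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    head = bytes([len(eb)]) if len(eb) < 256 else b'\x00' + len(eb).to_bytes(2, 'big')
    return '0s' + base64.b64encode(head + eb + nb).decode()

def check_conn(name, c, min_bits=2048):
    """Return the list of problems found in one conn (empty means it passed)."""
    problems = []
    for side in ('left', 'right'):
        if side + 'id' not in c:
            problems.append(f'{name}: {side}id missing, the peer identity must be explicit')
        subnet = c.get(side + 'subnet')
        if subnet:
            try:
                ipaddress.ip_network(subnet, strict=True)
            except ValueError:
                problems.append(f'{name}: {side}subnet={subnet} is not a valid prefix')
        key = c.get(side + 'rsasigkey')
        if not key:
            problems.append(f'{name}: {side}rsasigkey missing')
            continue
        try:
            e, n = decode_rsasigkey(key)
        except (ValueError, binascii.Error, IndexError) as exc:
            problems.append(f'{name}: {side}rsasigkey undecodable ({exc})')
            continue
        if n.bit_length() < min_bits:
            problems.append(f'{name}: {side}rsasigkey modulus is only {n.bit_length()} bits')
    if c.get('leftrsasigkey') and c['leftrsasigkey'] == c.get('rightrsasigkey'):
        problems.append(f'{name}: leftrsasigkey equals rightrsasigkey, each side needs its own key')
    if c.get('right') == '%any' and c.get('auto') == 'start':
        problems.append(f'{name}: right=%any cannot be initiated, use auto=add on the gateway')
    return problems

# Public keys copied from this page (Openswan-generated, e=3).
SERVER_KEY = '0sAQOebBxvanOwfLdEF3xuAt8M1JaY0OxtQq/B5x93pZrI6h9U4wWxNpWwOh6kcm1K8ylqtd8upzcbL/PaU+OKmIA4MwXgAextJ+jGtNfU13eKHENerSgt5QkmCJe86j2hq2UvSFO6q/v4tWI/SA2zt2r9UIT5J7oKfkyGesY7dUS/Oc/bFN84y72yZVyJ9TETaASY9OYOY0A6wHXsgG5ULyQMMLVfHViNNZLjJklQDd/+vb7etAOAt4QAp/U6dE4/L+5Fe95baTdsnSxISCVlXZiOr2v8szQ6lLikPlBDAKpSdpaEsDunvTVajbdl0L25ilCgt4h6sPeqFd8uZCTyn19FIRNNOBceSQFc5VW8JtiBEbjt'
LAPTOP_KEY = '0sAQNYfk+V851n9R3vrwNcZFGRqYyuhjRaRyYKIIE0RvBGjHot6JWS1SQINXPy/i+TKTkte3BY104SkV+fd1GH2kZD6UjLQGq85M6waDVteVlxPBsr8+W2XRJVu9REkqT211y85N4HsCMoNDf/B9bjne11hHKsJQCu/DSgt89MSnmvuIHDggz2rs/00awBrg5SOTbi5P6YDncQNx2iU05TD8JY3QqkWyyqWxrthkV/WRpsFtAvW55B5pO0Ply+5heNcWPKSIExw7nfCzJqeaQV/pPVpZt9Kbl4IsqE1SV6BN9MqHPh2ady+avsn6SfXOImrDyp2DZ2+czJEiVrnntnzmU3mT3Wy3WAoiZOPNcYS3yJQpsz'

# The gateway-side road conn as the page shows it, with a placeholder identity
# (@server) for the elided name: the server key sits in BOTH rsasigkey fields.
GATEWAY_CONF_AS_SHOWN = f"""conn road
      left=1.1.1.1
      leftid=@server
      leftsubnet=192.168.1.0/24
      leftrsasigkey={SERVER_KEY}
      right=%any
      rightid=@laptop
      rightrsasigkey={SERVER_KEY}
      auto=start
"""
# Corrected: the laptop's own public key on the right, auto=add on the gateway.
GATEWAY_CONF_FIXED = (GATEWAY_CONF_AS_SHOWN
                      .replace(f'rightrsasigkey={SERVER_KEY}', f'rightrsasigkey={LAPTOP_KEY}')
                      .replace('auto=start', 'auto=add'))

if __name__ == '__main__':
    for label, text in (('as shown', GATEWAY_CONF_AS_SHOWN), ('fixed', GATEWAY_CONF_FIXED)):
        for conn, opts in parse_conns(text).items():
            probs = check_conn(conn, opts)
            print(f'[{label}] {conn}: ' + ('OK' if not probs else '\n  ' + '\n  '.join(probs)))
```

Run it against the real /etc/ipsec.conf by passing the file's text to parse_conns; the modulus size check is the quickest way to spot a key that was truncated while being pasted between hosts, since the base64 still decodes but the number comes out far too short.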

 

5  Start ipsec and bring up the connection

   #service ipsec start

   The Road Warrior connection has to be initiated from the laptop side:

   #ipsec auto --up road

  Test the connection

   From the laptop, ping any host behind the remote gateway; do not ping the gateway itself, since the connection only covers traffic to the subnet behind it. On the gateway's eth1 the exchange again shows up only as ESP:

     19:15:20.978391 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x0cbb5cbf,seq=0x313), length 132
     19:15:20.979030 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x46fa942f,seq=0x313), length 132
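Reading a capture by eye, as in the two tests above, does not scale past a handful of packets. The script below is an added example (not Openswan code and not from the original page) that audits tcpdump -n output from a gateway's outer interface: it confirms that everything between the two gateways is ESP or IKE, that each ESP direction carries one SPI whose sequence number rises by exactly one per packet (a repeat or a step backwards is what ESP anti-replay would reject), and that nothing from the protected subnets crosses the interface in the clear. Its sample input is the net-to-net capture from this page plus three constructed lines: an IKE packet, a replayed ESP packet, and an ICMP echo that escaped the tunnel.

```python
"""Audit a tcpdump capture from a gateway's outer interface (eth1 on this page).
Added example, not Openswan code: checks that traffic between the gateways is
ESP or IKE only, that ESP sequence numbers advance by one per SPI, and that no
packet from the protected subnets appears in the clear."""
import ipaddress
import re

ESP_RE = re.compile(r'^(?P<ts>[\d:.]+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): '
                    r'ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\), length (?P<len>\d+)$')
# Any other IP line: optional ".port" after each address, rest kept for classification.
ANY_RE = re.compile(r'^(?P<ts>[\d:.]+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > '
                    r'(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$')

def audit_capture(lines, gateways, protected):
    """lines: tcpdump -n output; gateways: set of outer IPs; protected: inner prefixes.
    Returns {'flows': {(src, dst, spi): {'seqs': [...], 'bytes': n}},
             'leaks': [cleartext lines], 'anomalies': [sequence problems]}."""
    nets = [ipaddress.ip_network(p) for p in protected]
    flows, leaks, anomalies = {}, [], []
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            spi, seq = int(m['spi'], 16), int(m['seq'], 16)
            f = flows.setdefault((m['src'], m['dst'], spi), {'seqs': [], 'bytes': 0})
            if f['seqs']:
                prev = f['seqs'][-1]
                if seq <= prev:        # the receiver's anti-replay window would drop this
                    anomalies.append(f'replay/reorder: {line}')
                elif seq != prev + 1:  # packets lost between sender and capture point
                    anomalies.append(f'gap after seq 0x{prev:x}: {line}')
            f['seqs'].append(seq)
            f['bytes'] += int(m['len'])
            continue
        m = ANY_RE.match(line)
        if not m:
            continue                   # ARP and other non-IP lines are not our concern
        src, dst, rest = m['src'], m['dst'], m['rest']
        if rest.startswith('isakmp') or 'UDP-encap: ESP' in rest:
            continue                   # IKE on udp/500, NAT-T ESP on udp/4500: expected
        touches_inner = any(ipaddress.ip_address(a) in n for a in (src, dst) for n in nets)
        if touches_inner or {src, dst} <= gateways:
            leaks.append(line)         # cleartext the tunnel should have covered
    return {'flows': flows, 'leaks': leaks, 'anomalies': anomalies}

def rekeyed_directions(flows):
    """Directions that show more than one SPI, i.e. an IKE rekey happened mid-capture."""
    spis = {}
    for src, dst, spi in flows:
        spis.setdefault((src, dst), set()).add(spi)
    return {d for d, s in spis.items() if len(s) > 1}

# Capture lines copied from this page's net-to-net test.
PAGE_CAPTURE = """\
20:13:32.485925 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16b), length 100
20:13:33.484953 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16c), length 100
20:13:33.487009 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16c), length 100
20:13:34.486172 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16d), length 100
20:13:34.488086 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16d), length 100
20:13:35.487436 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16e), length 100
20:13:35.489995 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16e), length 100
20:13:36.488668 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x16f), length 100
20:13:36.490382 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x16f), length 100
20:13:37.489973 IP 1.1.1.1 > 1.1.1.2: ESP(spi=0x6b26c2e7,seq=0x170), length 100
20:13:37.492400 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x170), length 100
""".splitlines()

# Constructed lines (not from the page): an IKE informational packet, a replayed
# copy of the last ESP packet, and an ICMP echo that escaped the tunnel in the clear.
EXTRA = [
    '20:13:38.100000 IP 1.1.1.1.500 > 1.1.1.2.500: isakmp: phase 2/others I inf[E]: [encrypted hash]',
    '20:13:38.200000 IP 1.1.1.2 > 1.1.1.1: ESP(spi=0x5dd784dd,seq=0x170), length 100',
    '20:13:38.300000 IP 192.168.1.5 > 172.16.1.2: ICMP echo request, id 1234, seq 1, length 64',
]

if __name__ == '__main__':
    r = audit_capture(PAGE_CAPTURE + EXTRA, {'1.1.1.1', '1.1.1.2'}, ['192.168.1.0/24', '172.16.1.0/24'])
    for (src, dst, spi), f in r['flows'].items():
        print(f'{src} -> {dst} spi=0x{spi:08x} packets={len(f["seqs"])} '
              f'seq=0x{f["seqs"][0]:x}..0x{f["seqs"][-1]:x} bytes={f["bytes"]}')
    for label in ('anomalies', 'leaks'):
        for item in r[label]:
            print(f'{label}: {item}')
```

Feed it a file with audit_capture(open(path).read().splitlines(), ...). A non-empty leaks list after the ping test means the NAT exclusion or the conn is wrong; an entry in rekeyed_directions is normal if the capture spans a rekey, but a sequence anomaly within a single SPI points at loss or replay on the path.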