I. Software overview
1. About Openswan
Openswan is the best IPsec implementation for Linux: it is fully featured and goes a long way toward guaranteeing the confidentiality and integrity of data in transit. Openswan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on several platforms, including x86, x86_64, IA64, MIPS and ARM.
Openswan is the successor fork of the open-source FreeS/WAN project, created after FreeS/WAN stopped development; FreeS/WAN split into two projects, Openswan and Strongswan. Openswan consists of three main components: the configuration tool (the ipsec command script), the key-management daemon (pluto), and the kernel component (KLIPS or 26sec). 26sec uses the 2.6 kernel's built-in NETKEY module in place of the KLIPS module developed by Openswan; kernels 2.4 and earlier have no NETKEY support and can only use KLIPS. If you run a kernel newer than 2.6.9, 26sec is recommended, since NAT then works without applying the NAT-T patch to the kernel; NETKEY in kernels older than 2.6.9 has bugs, so KLIPS is recommended there. IPsec is about the oldest ××× standard there is, and it is still secure, once it has been configured properly. The implication is that configuring it is rather involved, which is what this article walks through.
Because FreeS/WAN stopped development in March 2004, we use its successor, Openswan, for our IPsec experiment. It has one advantage over FreeS/WAN: when 26sec is used, Openswan can work through NAT without any patches.
2. Installing Openswan
Because IPsec works at the network layer, it needs support from the kernel. As noted above there are two choices: the kernel's built-in stack (26sec) or Openswan's own (KLIPS). For convenience (patching and building a kernel is not the subject of this article), this article uses the pre-built Openswan package from the CentOS repositories:
# yum install openswan
If you prefer to install from source, download the package from http://www.openswan.org/code and follow the instructions included in it. Since we use 26sec, make programs; make install is all it takes. Note that current Openswan already has several useful patches built in, such as x.509 and NAT Traversal support, which makes it very convenient to use. You can check your installation with the following command.
# ipsec verify
3. Openswan authentication methods
Openswan supports several authentication methods, including:
RSA keys (RSA signatures are relatively simple to set up),
pre-shared keys,
XAUTH, or x.509 certificates.
4. Openswan connection modes:
1) Network-to-Network mode (the focus of this article, since it meets the enterprise requirement)
Network-to-Network mode joins two networks into one virtual private network. Once the connection is up, hosts in each subnet can transparently reach hosts in the remote subnet.
Two conditions must be met for this mode:
I. Each subnet has its own host running Openswan that serves as the subnet's egress gateway or router;
II. The IP ranges of the two subnets must not overlap.
2) Road Warrior mode
In Network-to-Network mode, the host acting as each subnet's gateway (the openswan server) cannot reach hosts in the remote subnet as transparently as the hosts inside the subnet can. In other words, if you are a mobile user with an LClient, often travelling or working from different locations, your LClient cannot use Network-to-Network mode to connect to the company network. Road Warrior mode is designed for exactly this case: once the connection is up, your LClient can reach the remote network. (Alternatively, the open-source SSL *** product open*** can serve the remote dial-in needs of travelling users.)
For more details see the Openswan project home page: http://www.openswan.org
5. This article tests the following
net-to-net model
1) pre-shared key authentication (PSK)
2) RSA signature authentication (RSA digital signatures)
3) digital certificate authentication (x.509 certificates)
4) XAUTH authentication (IPsec/XAUTH PSK)
RoadWarrior
5) pre-shared key authentication (PSK)
6) RSA signature authentication (RSA digital signatures)
7) digital certificate authentication (x.509 certificates)
8) XAUTH authentication (IPsec/XAUTH PSK)
II. Environment
1. Network topology:
2. IP address plan:
Site A:
×××A: eth0: 172.16.2.13/24  eth1: 192.168.10.10/24  server segment: 192.168.10.0/24
Site B:
×××B: eth0: 172.16.2.14/24  eth1: 192.168.10.20/24  server segment: 192.168.20.0/24
3. Install Openswan; perform the same steps on both ×××A and ×××B
1) Enable IP forwarding
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
2) Disable ICMP redirects
# sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.conf
3) Stop iptables and SELinux
# /etc/init.d/iptables stop
# setenforce 0
4) Reload sysctl.conf
# sysctl -p
5) Install Openswan
# yum -y install openswan lsof
6) Check the ipsec version
# ipsec --version
Linux Openswan U2.6.32/K2.6.32-504.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
7) Start ipsec
# /etc/init.d/ipsec start
8) Verify ipsec
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-504.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
NETKEY: Testing for disabled ICMP send_redirects                [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Testing against enforced SElinux mode                           [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
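The kernel settings from steps 1) and 2) above, as one idempotent script. This is an added example, not part of the original article. Step 2) as written appends a fresh batch of *_redirects = 0 lines to /etc/sysctl.conf every time it is run; the functions below (set_sysctl_key, get_sysctl_key, apply_ipsec_sysctls and verify_live_sysctl, all names chosen for this example) replace an existing key in place instead of appending, and default to /etc/sysctl.conf, which you can override through SYSCTL_CONF or the file argument to try them on a scratch file without touching the system.

```shell
# Added example: idempotent sysctl configuration for an IPsec gateway (not the article's code).
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# set_sysctl_key KEY VALUE [FILE]
# Replaces an existing "KEY = ..." line or appends one; never duplicates the key.
set_sysctl_key() {
    key="$1"; value="$2"; file="${3:-$SYSCTL_CONF}"
    [ -f "$file" ] || : > "$file"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')          # dots are literal in the key
    if grep -Eq "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        tmp="${file}.tmp.$$"                               # rewrite through a temp file
        sed "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_key KEY [FILE]: prints the configured value (last occurrence wins, as sysctl -p does)
get_sysctl_key() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s|^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*||p" "${2:-$SYSCTL_CONF}" | tail -n 1
}

# apply_ipsec_sysctls [FILE]: forwarding on, rp_filter relaxed, ICMP redirects off
apply_ipsec_sysctls() {
    f="${1:-$SYSCTL_CONF}"
    set_sysctl_key net.ipv4.ip_forward 1 "$f"
    set_sysctl_key net.ipv4.conf.default.rp_filter 0 "$f"
    # per-interface redirect keys the running kernel knows about (same selection as the article's egrep)
    for k in $(sysctl -a 2>/dev/null | awk -F'[ =]' '/ipv4.*(accept|send)_redirects/ {print $1}'); do
        set_sysctl_key "$k" 0 "$f"
    done
    # always cover the all/default entries, which also apply to interfaces created later
    for k in net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.send_redirects \
             net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.send_redirects; do
        set_sysctl_key "$k" 0 "$f"
    done
}

# verify_live_sysctl [FILE]: after "sysctl -p", report keys whose running value differs from FILE
verify_live_sysctl() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        k=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        v=$(printf '%s' "${line#*=}" | tr -d ' \t')
        live=$(sysctl -n "$k" 2>/dev/null) || continue     # key unknown to this kernel
        [ "$live" = "$v" ] || { echo "MISMATCH $k: file=$v live=$live"; rc=1; }
    done < "${1:-$SYSCTL_CONF}"
    return $rc
}
```

Run apply_ipsec_sysctls, then sysctl -p, then verify_live_sysctl; a non-zero exit from the last step means the file and the kernel disagree, which is exactly the condition ipsec verify flags under "Testing for disabled ICMP send_redirects".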
4. Configure Openswan on ×××A
[root@×××A ~]# cat /etc/ipsec.conf
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off

conn net-to-net
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    authby=secret
    type=tunnel
    left=172.16.2.13
    leftsubnet=192.168.10.0/24
    leftid=@×××A
    leftnexthop=%defaultroute
    right=172.16.2.14
    rightsubnet=192.168.20.0/24
    rightid=@×××B
    rightnexthop=%defaultroute
    auto=start

[root@×××A ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
172.16.2.13 %any 0.0.0.0 : PSK "***"
The format of this file is: "local IP address" "remote IP address" : PSK "your key"
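Generating the pre-shared key and writing ipsec.secrets in the format just described, as an added example that is not part of the original article. The file's strength rests entirely on the PSK, so the example draws it from /dev/urandom rather than choosing a word, pins the entry to both gateway addresses (the article's line uses %any 0.0.0.0 for the remote side), and leaves the file readable by root only, since anyone who can read it can impersonate either gateway. gen_psk, write_psk_secrets and check_secrets_perms are names chosen for this example, not Openswan commands.

```shell
# Added example: create a random PSK and a root-only ipsec.secrets (not the article's code).

# gen_psk [BYTES]: BYTES of kernel randomness, base64-encoded (default 32 bytes = 256 bits)
gen_psk() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# write_psk_secrets LOCAL_IP REMOTE_IP PSK [FILE]
# Writes the include line plus one 'local remote : PSK "key"' entry; FILE defaults to /etc/ipsec.secrets.
write_psk_secrets() {
    local_ip="$1"; remote_ip="$2"; psk="$3"; file="${4:-/etc/ipsec.secrets}"
    case "$psk" in
        *'"'*) echo "PSK must not contain double quotes" >&2; return 1 ;;
    esac
    # refuse obviously weak keys; 20 base64 characters is still far below gen_psk's default
    [ "${#psk}" -ge 20 ] || { echo "PSK too short (${#psk} chars)" >&2; return 1; }
    ( umask 077
      { printf 'include /etc/ipsec.d/*.secrets\n'
        printf '%s %s : PSK "%s"\n' "$local_ip" "$remote_ip" "$psk"
      } > "$file" ) && chmod 600 "$file"
}

# check_secrets_perms FILE: succeeds only if the mode is exactly 0600
check_secrets_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    [ "$mode" = "600" ]
}
```

The same PSK and the same secrets file must be present on both gateways: a line listing both addresses matches on either side, so the file can be copied unchanged, as the article does in the next step.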
5. Copy /etc/ipsec.secrets and /etc/ipsec.conf to ×××B; the files need no changes
[root@×××A ~]# scp /etc/ipsec.{conf,secrets} 172.16.2.14:/etc/
root@172.16.2.14's password:
ipsec.conf                                    100% 1078     1.1KB/s   00:00
ipsec.secrets                                 100%   71     0.1KB/s   00:00
6. Restart the ipsec service on both sides
# /etc/init.d/ipsec restart
7. Check the ipsec status
[root@×××A ~]# /etc/init.d/ipsec status
IPsec running  - pluto pid: 3050
pluto pid 3050
3 tunnels up        # the *** tunnel has been established
some eroutes exist
8. Bring up the net-to-net connection defined above
# ipsec auto --up net-to-net
117 "net-to-net" #7: STATE_QUICK_I1: initiate
004 "net-to-net" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x26da562e <0x1abe4413 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}
9. At this point the *** has been set up. To verify it, pick a host behind ×××A, ping a host behind ×××B, and capture packets for analysis
[root@Server ~]# ping 192.168.20.10        # an internal host in site A pinging an internal host in site B
PING 192.168.20.10 (192.168.20.10) 56(84) bytes of data.
64 bytes from 192.168.20.10: icmp_seq=1 ttl=63 time=2.60 ms
64 bytes from 192.168.20.10: icmp_seq=2 ttl=63 time=1.30 ms
64 bytes from 192.168.20.10: icmp_seq=3 ttl=63 time=0.686 ms
64 bytes from 192.168.20.10: icmp_seq=4 ttl=63 time=1.57 ms
64 bytes from 192.168.20.10: icmp_seq=5 ttl=63 time=1.50 ms

[root@×××A ~]# tcpdump -n -vv -i eth0 host 172.16.2.13 and host 172.16.2.14        # captured on ×××A: only traffic between ×××A and ×××B is visible
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:31:54.466827 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 156)
    172.16.2.13 > 172.16.2.14: ESP(spi=0x566d1bc3,seq=0x3), length 136
14:31:54.467235 IP (tos 0x0, ttl 64, id 30568, offset 0, flags [none], proto ESP (50), length 156)
    172.16.2.14 > 172.16.2.13: ESP(spi=0x38155c04,seq=0x3), length 136
14:31:59.466465 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.2.14 tell 172.16.2.13, length 28
14:31:59.466947 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.2.13 tell 172.16.2.14, length 46
14:31:59.466951 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.16.2.13 is-at 00:0c:29:f8:d4:88, length 28
14:31:59.466979 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.16.2.14 is-at 00:0c:29:5a:4f:48, length 46
14:32:02.059352 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 156)
    172.16.2.13 > 172.16.2.14: ESP(spi=0x566d1bc3,seq=0x4), length 136
14:32:02.059892 IP (tos 0x0, ttl 64, id 30569, offset 0, flags [none], proto ESP (50), length 156)
    172.16.2.14 > 172.16.2.13: ESP(spi=0x38155c04,seq=0x4), length 136
14:32:03.061181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 156)
    172.16.2.13 > 172.16.2.14: ESP(spi=0x566d1bc3,seq=0x5), length 136
14:32:03.061781 IP (tos 0x0, ttl 64, id 30570, offset 0, flags [none], proto ESP (50), length 156)
    172.16.2.14 > 172.16.2.13: ESP(spi=0x38155c04,seq=0x5), length 136

[root@×××B ~]# tcpdump -n -vv -i eth0 icmp        # captured on ×××B: the decapsulated traffic shows the site-A internal host talking to the site-B internal host
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:32:27.128004 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 8726, seq 26, length 64
14:32:28.130314 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 8726, seq 27, length 64
14:32:29.132584 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 8726, seq 28, length 64
14:32:30.134465 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 8726, seq 29, length 64
14:32:31.136288 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 8726, seq 30, length 64
14:32:32.139420 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 8726, seq 31, length 64
III. Authentication using RSA digital signatures
1. Generate the RSA keys
[root@×××A ~]# mv /dev/random /dev/random.bak
[root@×××A ~]# ln -s /dev/urandom /dev/random
[root@×××A ~]# ipsec newhostkey --output /etc/ipsec.secrets        # run on ×××A
[root@×××A ~]# ipsec showhostkey --left                            # run on ×××A
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
ipsec showhostkey no secrets filename matched "/etc/ipsec.d/*.secrets"
    # rsakey AQOYQ2bio
    leftrsasigkey=<key omitted>
[root@×××B ~]# ipsec newhostkey --output /etc/ipsec.secrets        # run on ×××B
[root@×××B ~]# ipsec showhostkey --right                           # run on ×××B
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
ipsec showhostkey no secrets filename matched "/etc/ipsec.d/*.secrets"
    # rsakey AQO68HHSN
    rightrsasigkey=<key omitted>
2. Edit /etc/ipsec.conf on ×××A as follows:
[root@×××A ~]# vim /etc/ipsec.conf
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off

conn net-to-net
    left=172.16.2.13
    leftsubnet=192.168.10.0/24
    leftid=@test1
    leftnexthop=%defaultroute
    leftrsasigkey=<key omitted>
    right=172.16.2.14
    rightsubnet=192.168.20.0/24
    rightid=@test2
    rightnexthop=%defaultroute
    rightrsasigkey=<key omitted>
    auto=start
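Moving the two public keys from the showhostkey output into the conn by hand invites copy errors, so here is the same step as an added example that is not part of the original article: extract_rsasigkey pulls the leftrsasigkey=/rightrsasigkey= value out of ipsec showhostkey output, and render_rsa_conn writes the conn section with both keys, refusing to proceed if the two keys are identical (the sign that one host's key was pasted twice). It sets authby=rsasig explicitly, which the article's conn relies on as the default. The sample_showhostkey_* outputs reproduce the lines shown above with constructed placeholder key strings; none of the names or keys here are Openswan's own.

```shell
# Added example: assemble the RSA-signature conn from "ipsec showhostkey" output (not the article's code).

# extract_rsasigkey SIDE < showhostkey-output   (SIDE is left or right)
# Prints the bare key value; fails when no <side>rsasigkey= line is present.
extract_rsasigkey() {
    side="$1"
    key=$(sed -n "s/^[[:space:]]*${side}rsasigkey=//p" | head -n 1)
    [ -n "$key" ] || { echo "no ${side}rsasigkey= line found" >&2; return 1; }
    printf '%s\n' "$key"
}

# render_rsa_conn NAME LEFT LEFTSUBNET LEFTID LEFTKEY RIGHT RIGHTSUBNET RIGHTID RIGHTKEY
# Emits a conn section that is valid on both gateways, so the file can be copied unchanged.
render_rsa_conn() {
    [ "$5" != "$9" ] || { echo "left and right keys are identical; each gateway needs its own hostkey" >&2; return 1; }
    cat <<EOF
conn $1
    authby=rsasig
    left=$2
    leftsubnet=$3
    leftid=$4
    leftnexthop=%defaultroute
    leftrsasigkey=$5
    right=$6
    rightsubnet=$7
    rightid=$8
    rightnexthop=%defaultroute
    rightrsasigkey=$9
    auto=start
EOF
}

# Constructed stand-ins for "ipsec showhostkey --left" on A and "--right" on B; the key strings are placeholders.
sample_showhostkey_left() {
cat <<'EOF'
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
ipsec showhostkey no secrets filename matched "/etc/ipsec.d/*.secrets"
    # rsakey AQOYQ2bio
    leftrsasigkey=0sAQOYQ2bioEXAMPLEKEYLEFT
EOF
}
sample_showhostkey_right() {
cat <<'EOF'
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
ipsec showhostkey no secrets filename matched "/etc/ipsec.d/*.secrets"
    # rsakey AQO68HHSN
    rightrsasigkey=0sAQO68HHSNEXAMPLEKEYRIGHT
EOF
}
```

In practice: run ipsec showhostkey --left on ×××A and --right on ×××B, pipe each through extract_rsasigkey, and pass the two results to render_rsa_conn; only the public halves travel between hosts, while each /etc/ipsec.secrets keeps its own private key and stays where newhostkey wrote it.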
3. Copy ipsec.conf to ×××B
[root@×××A ~]# scp /etc/ipsec.conf node2:/etc
ipsec.conf                                    100% 2247     2.2KB/s   00:00
4. Restart the ipsec service
# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-504.el6.x86_64...
5. Check the ipsec status
[root@×××A ~]# /etc/init.d/ipsec status
IPsec running  - pluto pid: 4422
pluto pid 4422
1 tunnels up        # the *** tunnel has been established
6. Test the *** connection:
1) In site A, pick an internal host (192.168.10.11) and ping an internal host in site B (192.168.20.10), capturing with tcpdump for analysis
[root@Server ~]# ping 192.168.20.10        # the internal networks of site A and site B can now reach each other
PING 192.168.20.10 (192.168.20.10) 56(84) bytes of data.
64 bytes from 192.168.20.10: icmp_seq=1 ttl=63 time=1.40 ms
64 bytes from 192.168.20.10: icmp_seq=2 ttl=63 time=1.35 ms
64 bytes from 192.168.20.10: icmp_seq=3 ttl=63 time=2.96 ms
64 bytes from 192.168.20.10: icmp_seq=4 ttl=63 time=3.96 ms
64 bytes from 192.168.20.10: icmp_seq=5 ttl=63 time=0.602 ms
64 bytes from 192.168.20.10: icmp_seq=6 ttl=63 time=17.0 ms
64 bytes from 192.168.20.10: icmp_seq=7 ttl=63 time=0.737 ms

[root@×××A ~]# tcpdump -n -vv -i eth0 host 172.16.2.13 and host 172.16.2.14        # captured on ×××A: the packets seen are the ESP traffic between ×××A and ×××B
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:31:54.466827 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 156)
    172.16.2.13 > 172.16.2.14: ESP(spi=0x566d1bc3,seq=0x3), length 136
14:31:54.467235 IP (tos 0x0, ttl 64, id 30568, offset 0, flags [none], proto ESP (50), length 156)
    172.16.2.14 > 172.16.2.13: ESP(spi=0x38155c04,seq=0x3), length 136
14:31:59.466465 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.2.14 tell 172.16.2.13, length 28
14:31:59.466947 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.2.13 tell 172.16.2.14, length 46
14:31:59.466951 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.16.2.13 is-at 00:0c:29:f8:d4:88, length 28
14:31:59.466979 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.16.2.14 is-at 00:0c:29:5a:4f:48, length 46
14:32:02.059352 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 156)
    172.16.2.13 > 172.16.2.14: ESP(spi=0x566d1bc3,seq=0x4), length 136
14:32:02.059892 IP (tos 0x0, ttl 64, id 30569, offset 0, flags [none], proto ESP (50), length 156)
    172.16.2.14 > 172.16.2.13: ESP(spi=0x38155c04,seq=0x4), length 136
14:32:03.061181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 156)
    172.16.2.13 > 172.16.2.14: ESP(spi=0x566d1bc3,seq=0x5), length 136
14:32:03.061781 IP (tos 0x0, ttl 64, id 30570, offset 0, flags [none], proto ESP (50), length 156)
    172.16.2.14 > 172.16.2.13: ESP(spi=0x38155c04,seq=0x5), length 136

[root@×××B ~]# tcpdump -n -vv -i eth0 icmp        # captured on ×××B: the packets seen are the internal-network traffic between site A and site B
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:46:38.378193 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 26646, seq 1, length 64
15:46:39.380267 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 26646, seq 2, length 64
15:46:40.381832 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 26646, seq 3, length 64
15:46:41.383980 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 26646, seq 4, length 64
15:46:42.385912 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 26646, seq 5, length 64
15:46:43.386960 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.11 > 192.168.20.10: ICMP echo request, id 26646, seq 6, length 64
2) At this point the *** has been built with Openswan on CentOS 6.6, and the two sites can communicate using their internal addresses.