1 Introduction
Since Linux 2.6 the kernel has shipped with its own IPsec implementation; combined with IPSec-Tools it provides a complete IPsec stack on Linux.
IPSec-Tools consists of four main components: libipsec, setkey, racoon and racoonctl. setkey configures the SAD (Security Association Database) and the SPD (Security Policy Database); racoon performs IKE negotiation.
This article uses the simplest possible network setup (two directly connected PCs, both running Linux 2.6.27) to show how to set up transport-mode IPsec with IPSec-Tools, first with IKE and then with manual keying.
By default the IPSec-Tools configuration files live in /etc/racoon: setkey.conf holds the SAD and SPD configuration, and racoon.conf specifies how each IKE negotiation phase is to be carried out.
2 Topology
Two directly connected hosts: host A at 192.168.59.132 and host B at 192.168.60.133 (the addresses used in all configuration below).
3 IKE Configuration
1) Use pre-shared key authentication. Create the file psk.txt in /etc/racoon; each host lists the address of its peer followed by the shared secret:
On host A, psk.txt contains: 192.168.60.133 mekmitasdigoat
On host B, psk.txt contains: 192.168.59.132 mekmitasdigoat
After creating psk.txt, run: chmod 600 psk.txt
2) Open setkey.conf:
On host A enter:
flush;
spdflush;
spdadd 192.168.59.132 192.168.60.133 any -P out ipsec esp/transport//require;
spdadd 192.168.60.133 192.168.59.132 any -P in ipsec esp/transport//require;
On host B enter:
flush;
spdflush;
spdadd 192.168.59.132 192.168.60.133 any -P in ipsec esp/transport//require;
spdadd 192.168.60.133 192.168.59.132 any -P out ipsec esp/transport//require;
3) Open racoon.conf on both host A and host B and enter the following:
path include "/etc/racoon"; # location of included configuration files
path pre_shared_key "/etc/racoon/psk.txt"; # pre-shared key file
path certificate "/etc/racoon/cert"; # certificate directory
log notify;
# "padding" defines the padding parameters. You should not need to touch these.
padding
{
    maximum_length 20; # maximum padding length.
    randomize off; # randomize the padding length.
    strict_check off; # strictly check the padding.
    exclusive_tail off; # extract the last octet.
}
# If no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
    #isakmp ::1 [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002]; # administrative port used by kmpstat.
    #strict_address; # require that all addresses be bound.
    adminsock "/var/run/racoon/racoon.sock" "root" "users" 660;
}
# Default values for the various timers.
timer
{
    # These values can be changed per remote node.
    counter 5; # maximum number of send attempts.
    interval 20 sec; # maximum interval between resends.
    persend 1; # number of packets per send.
    # Time allowed to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}
remote anonymous # phase 1 negotiation
{
    exchange_mode main; # main: main mode; aggressive: aggressive mode
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 1; # 768-bit MODP group, the smallest IKE offers
    }
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}
sainfo anonymous # phase 2 negotiation
{
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
4) Run /usr/sbin/racoon -f /etc/racoon/racoon.conf to start the IKE daemon;
5) Ping host B from host A. A packet capture between the two hosts shows the IKE negotiation packets, then ESP packets once negotiation completes, and the ping succeeds.
4 Manual Keying
1) setkey.conf settings:
On host A, setkey.conf contains:
flush;
spdflush;
add 192.168.59.132 192.168.60.133 esp 24501 -E 3des-cbc "123456789012123456789012";
add 192.168.60.133 192.168.59.132 esp 24502 -E 3des-cbc "123456789012123456789012";
spdadd 192.168.59.132 192.168.60.133 any -P out ipsec esp/transport//require;
spdadd 192.168.60.133 192.168.59.132 any -P in ipsec esp/transport//require;
On host B, setkey.conf contains:
flush;
spdflush;
add 192.168.59.132 192.168.60.133 esp 24501 -E 3des-cbc "123456789012123456789012";
add 192.168.60.133 192.168.59.132 esp 24502 -E 3des-cbc "123456789012123456789012";
spdadd 192.168.59.132 192.168.60.133 any -P in ipsec esp/transport//require;
spdadd 192.168.60.133 192.168.59.132 any -P out ipsec esp/transport//require;
2) Run setkey -f /etc/racoon/setkey.conf;
3) Ping host B from host A. A packet capture between the two hosts shows ESP packets, and the ping succeeds.
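As an added example (not part of the original article), the following Python helper builds the manual-keying setkey.conf for both hosts from the addresses and SPIs above. Instead of the fixed 24-character ASCII string it generates random 192-bit 3DES keys in setkey's 0x-hex notation, checks key lengths the way setkey does before it will load an SA, and swaps the -P in/out policy directions between host A and host B. The function names and the aes-cbc entry are my own additions.

```python
import secrets

# Key sizes (bits) setkey accepts for the ESP ciphers handled here; 3des-cbc is the
# article's cipher, aes-cbc is included for comparison.
ESP_KEY_BITS = {"3des-cbc": (192,), "aes-cbc": (128, 192, 256)}

def new_key(alg):
    """Random key for alg in setkey's 0x-hex notation, at the largest allowed size."""
    return "0x" + secrets.token_hex(max(ESP_KEY_BITS[alg]) // 8)

def check_key(alg, key):
    """Raise ValueError for what setkey rejects: unknown cipher or wrong key length.
    A key is 0x-prefixed hex or a quoted ASCII string (one byte per character)."""
    if alg not in ESP_KEY_BITS:
        raise ValueError(f"unsupported ESP cipher: {alg}")
    if key.startswith("0x"):
        digits = key[2:]
        if len(digits) % 2 or not all(c in "0123456789abcdefABCDEF" for c in digits):
            raise ValueError("hex key must be an even number of hex digits")
        nbits = len(digits) * 4
    else:
        nbits = len(key) * 8
    if nbits not in ESP_KEY_BITS[alg]:
        raise ValueError(f"{alg} needs {ESP_KEY_BITS[alg]} bits, got {nbits}")
    return nbits

def manual_setkey_conf(role, a, b, spi_ab, spi_ba, key_ab, key_ba, alg="3des-cbc"):
    """setkey.conf for host role ('A' at address a or 'B' at address b).
    Both hosts load the same two SAs (one per direction, each with its own SPI);
    only the -P in/out direction of the two SPD policies is swapped."""
    if role not in ("A", "B"):
        raise ValueError("role must be 'A' or 'B'")
    check_key(alg, key_ab)
    check_key(alg, key_ba)
    ka, kb = (k if k.startswith("0x") else f'"{k}"' for k in (key_ab, key_ba))
    a_to_b, b_to_a = ("out", "in") if role == "A" else ("in", "out")
    return "\n".join([
        "flush;",
        "spdflush;",
        f"add {a} {b} esp {spi_ab} -E {alg} {ka};",
        f"add {b} {a} esp {spi_ba} -E {alg} {kb};",
        f"spdadd {a} {b} any -P {a_to_b} ipsec esp/transport//require;",
        f"spdadd {b} {a} any -P {b_to_a} ipsec esp/transport//require;",
    ]) + "\n"

if __name__ == "__main__":
    # Addresses and SPIs as in the article; keys are freshly generated, not the fixed string.
    k_ab, k_ba = new_key("3des-cbc"), new_key("3des-cbc")
    for role in ("A", "B"):
        print(f"# host {role}\n" + manual_setkey_conf(role, "192.168.59.132", "192.168.60.133", 24501, 24502, k_ab, k_ba))
```

Load the output on each host with setkey -f, as in step 2 above; both hosts must be given the same two keys.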
5 Other
setkey -D: display the SAD (security associations);
setkey -DP: display the SPD (security policies).