Building IPsec on Linux

Kernel version: 2.6

System version: CentOS 6.4

Install the build dependencies:

yum -y install gcc-c++ flex autoconf zlib curl zlib-devel bzip2 bzip2-devel ncurses-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel pam-devel


Configure the kernel parameters (sysctl). Openswan needs ICMP redirects disabled on every interface (ipsec verify checks this), IP forwarding enabled, and reverse-path filtering off. First list the redirect keys with their value rewritten to 0:

[root@huayindisitai openswan-2.6.38]# sysctl -a | egrep "ipv4.*(accept|send)_redirects"| awk -F"=" '{print $1"=0"}'

net.ipv4.conf.all.accept_redirects =0

net.ipv4.conf.all.send_redirects =0

net.ipv4.conf.default.accept_redirects =0

net.ipv4.conf.default.send_redirects =0

net.ipv4.conf.lo.accept_redirects =0

net.ipv4.conf.lo.send_redirects =0

net.ipv4.conf.eth0.accept_redirects =0

net.ipv4.conf.eth0.send_redirects =0

net.ipv4.conf.eth1.accept_redirects =0

net.ipv4.conf.eth1.send_redirects =0

Append the lines above to the end of /etc/sysctl.conf.

Running

sysctl -a | egrep "ipv4.*(accept|send)_redirects"| awk -F"=" '{print $1"=0"}' >>/etc/sysctl.conf


appends them directly to the end of /etc/sysctl.conf, but review the output first: it only covers the interfaces that exist at that moment (the conf.default entries cover interfaces added later), and every run of the command appends another copy of the lines.

Then change:

net.ipv4.ip_forward = 0

net.ipv4.conf.default.rp_filter =1

to:

net.ipv4.ip_forward =1

net.ipv4.conf.default.rp_filter =0


After editing the file, run sysctl -p to apply the settings.
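The whole sysctl step above, as an added example that is not part of the original page: instead of appending with `>>`, these helpers replace an existing (even commented-out) key in /etc/sysctl.conf in place and only append when the key is absent, so the script can be re-run without duplicating lines. The `sysctl -a` listing and the stock sysctl.conf lines it patches are constructed samples so the script runs offline; on a real host you would feed it the real listing and /etc/sysctl.conf.

```sh
#!/bin/sh
# Added example (not from the original page): apply the sysctl settings
# Openswan needs (ICMP redirects off on every IPv4 interface, forwarding on,
# reverse-path filtering off) idempotently.  An existing key, even a
# commented-out one, is rewritten in place; a missing key is appended.

# Read a `sysctl -a` listing on stdin and print "key = 0" for every
# net.ipv4.conf.<if>.accept_redirects / send_redirects key in it.
redirect_lines() {
    awk -F' *= *' \
        '$1 ~ /^net\.ipv4\.conf\.[^.]+\.(accept|send)_redirects$/ { print $1 " = 0" }'
}

# set_sysctl FILE KEY VALUE: rewrite the line for KEY in FILE (also when it
# is commented out), or append "KEY = VALUE" when there is none.
set_sysctl() {
    sc_file=$1 sc_key=$2 sc_value=$3
    sc_re=$(printf '%s' "$sc_key" | sed 's/\./\\./g')   # escape dots for the regex
    if grep -q "^[#[:space:]]*$sc_re[[:space:]]*=" "$sc_file"; then
        sc_tmp=$(mktemp) || return 1
        # write through `cat >` rather than mv so the file keeps its mode/owner
        sed "s|^[#[:space:]]*$sc_re[[:space:]]*=.*|$sc_key = $sc_value|" "$sc_file" > "$sc_tmp" \
            && cat "$sc_tmp" > "$sc_file"
        rm -f "$sc_tmp"
    else
        printf '%s = %s\n' "$sc_key" "$sc_value" >> "$sc_file"
    fi
}

# apply_ipsec_sysctl FILE: reads a `sysctl -a` listing on stdin and writes
# every setting into FILE (normally /etc/sysctl.conf).  Load with sysctl -p.
apply_ipsec_sysctl() {
    ap_file=$1
    redirect_lines | while IFS= read -r line; do
        set_sysctl "$ap_file" "${line%% *}" 0
    done
    set_sysctl "$ap_file" net.ipv4.ip_forward 1
    set_sysctl "$ap_file" net.ipv4.conf.default.rp_filter 0
}

# Constructed sample of `sysctl -a` output so the demo runs offline.
# On a real host:  sysctl -a | apply_ipsec_sysctl /etc/sysctl.conf && sysctl -p
SAMPLE_SYSCTL_A='net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 1'

demo() {
    d_conf=$(mktemp) || return 1
    # the two lines a stock CentOS 6 /etc/sysctl.conf has for the keys we change
    printf '%s\n' '# Kernel sysctl configuration file for Red Hat Linux' \
                  'net.ipv4.ip_forward = 0' \
                  'net.ipv4.conf.default.rp_filter = 1' > "$d_conf"
    printf '%s\n' "$SAMPLE_SYSCTL_A" | apply_ipsec_sysctl "$d_conf"
    printf '%s\n' "$SAMPLE_SYSCTL_A" | apply_ipsec_sysctl "$d_conf"   # second run: no duplicates
    cat "$d_conf"
    rm -f "$d_conf"
}

demo
```

The regex in redirect_lines deliberately matches only accept_redirects and send_redirects, the same keys the page's egrep selects; secure_redirects and the IPv6 keys are left alone. Run sysctl -p afterwards and confirm with `sysctl net.ipv4.ip_forward` that the live value is 1, since ipsec verify reports the live kernel value, not the file.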


Install the IPsec base libraries and build tools:

yum -y install gmp gmp-devel gawk flex bison


Install Openswan:

First download Openswan:

You can fetch the latest version yourself from the Openswan site (https://download.openswan.org/openswan/). Note that the wget below fetches 2.6.24 while the rest of this walkthrough builds 2.6.38, so adjust the version in the URL to the one you intend to build:

wget http://www.openswan.org/download/old/openswan-2.6/openswan-2.6.24.tar.gz --no-check-certificate

When compiling openswan-2.6.39 on CentOS 6.4 I hit an unrecoverable error and could not build it; after switching to 2.6.38 it built normally. Check the official notes for the specific version.

Note: 2.6.26 has a serious compatibility bug with xd.

After the download completes, unpack the tarball and change into the Openswan directory:

cd openswan-2.6.38

Run make programs to build.

If the build succeeds, run make install to install.


Verify the installation:

If make install completed without errors,

run ipsec --version.

If the program is installed correctly, the command prints:

[root@huayindisitai openswan-2.6.38]# ipsec --version

Linux Openswan U2.6.38/K(no kernel code presently loaded)

See `ipsec --copyright' for copyright information.

[root@huayindisitai openswan-2.6.38]#

No IPsec stack is loaded at this point; when IPsec is started it automatically loads the kernel's built-in NETKEY stack. As the startup messages below show, Openswan first looks for KLIPS and only then falls back to NETKEY; setting protostack=netkey in the config setup section of /etc/ipsec.conf skips that attempt.

Start IPsec

[root@huayindisitai openswan-2.6.38]# /etc/init.d/ipsec start

ipsec_setup: Starting Openswan IPsec 2.6.38...

ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey

ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

Check the IPsec status

[root@huayindisitai openswan-2.6.38]# /etc/init.d/ipsec status

IPsec running  - pluto pid: 37093

pluto pid 37093

No tunnels up

[root@huayindisitai openswan-2.6.38]#

Check the system environment. Every check should report [OK]; in the output below the IP forwarding check reports [FAILED], which means net.ipv4.ip_forward was still 0 in the running kernel when this was run. Confirm the live value with sysctl net.ipv4.ip_forward and rerun sysctl -p before setting up any tunnel:

[root@huayindisitai openswan-2.6.38]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                             [OK]

Linux Openswan U2.6.38/K2.6.32-358.el6.x86_64 (netkey)

Checking for IPsec support in kernel                        [OK]

SAref kernel support                                       [N/A]

NETKEY:  Testing XFRM related proc values                  [OK]

[OK]

[OK]

Checking that pluto is running                              [OK]

Pluto listening for IKE on udp 500                         [OK]

Pluto listening for NAT-T on udp 4500                      [OK]

Two or more interfaces found, checking IP forwarding        [FAILED]

Checking NAT and MASQUERADEing                              [OK]

Checking for 'ip' command                                   [OK]

Checking /bin/sh is not /bin/dash                           [OK]

Checking for 'iptables' command                             [OK]

Opportunistic Encryption Support                            [DISABLED]

[root@huayindisitai openswan-2.6.38]#
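The verification steps above (ipsec --version, then ipsec verify), turned into a check a provisioning script can stop on. This is an added example, not Openswan's own code; the two parsers read command output on stdin, and the sample text they are run against here is copied from the session on this page so the demo works offline. The health_check function runs the real commands and assumes a root shell on the host.

```sh
#!/bin/sh
# Added example (not Openswan code): gate provisioning on the result of
# `ipsec --version` and `ipsec verify` instead of eyeballing the output.

# Print the kernel IPsec stack named in the `ipsec --version` banner
# ("netkey", "klips", ...), or "none" while no kernel code is loaded, which
# is the state right after make install and before the service is started.
version_stack() {
    awk '/^Linux Openswan/ {
        if ($0 ~ /no kernel code presently loaded/) { print "none"; exit }
        if (match($0, /\([a-z]+\)/)) { print substr($0, RSTART + 1, RLENGTH - 2); exit }
        print "unknown"; exit
    }'
}

# Print the label of every `ipsec verify` check that reported [FAILED];
# exit status is 1 when there was at least one, 0 when all passed.
verify_failures() {
    awk '/\[FAILED\]/ { sub(/ *\[FAILED\].*$/, ""); print; n++ }
         END { exit (n > 0) }'
}

# Live check for this host: run as root after /etc/init.d/ipsec start.
health_check() {
    hc_stack=$(ipsec --version | version_stack)
    echo "kernel IPsec stack: $hc_stack"
    if [ "$hc_stack" = none ]; then
        echo "no stack loaded: start the service with /etc/init.d/ipsec start, then re-run"
        return 1
    fi
    if hc_failed=$(ipsec verify 2>&1 | verify_failures); then
        echo "ipsec verify: no FAILED checks"
        return 0
    fi
    echo "ipsec verify reported FAILED checks:"
    echo "$hc_failed"
    # The usual culprit on a fresh CentOS 6 host: forwarding is still off.
    if echo "$hc_failed" | grep -q 'IP forwarding'; then
        echo "hint: net.ipv4.ip_forward is $(cat /proc/sys/net/ipv4/ip_forward);" \
             "set it to 1 in /etc/sysctl.conf and run sysctl -p"
    fi
    return 1
}

# Output copied from this page's session, used only for the offline demo.
SAMPLE_VERSION_BEFORE='Linux Openswan U2.6.38/K(no kernel code presently loaded)'
SAMPLE_VERSION_AFTER='Linux Openswan U2.6.38/K2.6.32-358.el6.x86_64 (netkey)'
SAMPLE_VERIFY='Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.38/K2.6.32-358.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                         [OK]
Two or more interfaces found, checking IP forwarding        [FAILED]
Checking NAT and MASQUERADEing                              [OK]'

demo() {
    printf 'before start: %s\n' "$(printf '%s\n' "$SAMPLE_VERSION_BEFORE" | version_stack)"
    printf 'after start:  %s\n' "$(printf '%s\n' "$SAMPLE_VERSION_AFTER" | version_stack)"
    if d_failed=$(printf '%s\n' "$SAMPLE_VERIFY" | verify_failures); then
        echo "verify: all checks passed"
    else
        echo "verify: FAILED -> $d_failed"
    fi
}

demo
```

ipsec verify is parsed rather than trusted for its exit status, so any line that carries [FAILED] stops the script, not just the forwarding check; a [DISABLED] result such as Opportunistic Encryption is informational and is not treated as a failure.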