This refers to a *** technology that uses the IPSec protocol to provide remote access. IPSec (Internet Protocol Security) is a security standard framework defined by the Internet Engineering Task Force (IETF). It provides a secure communication channel between two private networks over the public network, protecting the connection with an encrypted tunnel, that is, it provides private packet encapsulation between two public gateways.


Lab environment

centos6.5_x64


Lab software

xd-1.3.8-1.el6.x86_64
ppp-2.4.5-11.el6_10.x86_64


Software installation

yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof
yum install -y openswan ppp xd


cp -pv /etc/ipsec.conf /etc/ipsec.conf.bak

cat /etc/ipsec.conf

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.10.16
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

cp -pv /etc/ipsec.secrets /etc/ipsec.secrets.bak

cat /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets
192.168.10.16 %any: PSK "123456"


cp -pv /etc/sysctl.conf /etc/sysctl.conf.bak

tail -n10 /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

sysctl -p
echo "0" > /proc/sys/net/ipv4/conf/lo/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/eth0/rp_filter


ipsec setup restart

ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                    [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.el6.x86_64
Checking for IPsec support in kernel              [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              [OK]
         ICMP default/accept_redirects            [OK]
         XFRM larval drop                          [OK]
Pluto ipsec.conf syntax                            [OK]
Hardware random device                            [N/A]
Checking rp_filter                                [OK]
Checking that pluto is running                    [OK]
 Pluto listening for IKE on udp 500                [OK]
 Pluto listening for IKE/NAT-T on udp 4500        [OK]
 Pluto ipsec.secret syntax                        [OK]
Checking 'ip' command                              [OK]
Checking 'iptables' command                        [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options          [OK]
Opportunistic Encryption                          [DISABLED]


cp -pv /etc/xd/xd.conf /etc/xd/xd.conf.bak

cat /etc/xd/xd.conf

[global]
listen-addr = 192.168.10.16 ;

[lns default]
ip range = 172.16.37.2-172.16.37.254 ;
local ip = 172.16.37.1 ;
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xd
length bit = yes


cp -pv /etc/ppp/options.xd /etc/ppp/options.xd.bak

cat /etc/ppp/options.xd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name d
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4


cp -pv /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak

cat /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client server secret IP addresses
  test      *       123456          *

service xd restart && chkconfig --level 35 xd on
service ipsec restart && chkconfig --level 35 ipsec on


netstat -tuplna | grep xd

udp        0      0 192.168.10.16:1701          0.0.0.0:*                               1524/xd


ip addr | grep ppp

4: ppp0: mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 172.16.37.1 peer 172.16.37.2/32 scope global ppp0
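An added check, not from the original post: the script below audits the files configured above for the weaknesses a reviewer would flag in them, namely the six-digit PSK in /etc/ipsec.secrets, secrets files that other users can read, and pfs=no in /etc/ipsec.conf. The 20-character minimum, the sample strong PSK and the temp-dir sample files are assumptions made for demonstration.

```shell
#!/bin/sh
# Added audit helper for the L2TP/IPsec setup described above; not part of the
# original post. Run with the real paths (e.g. check_psk /etc/ipsec.secrets).
# The minimum length and the sample inputs below are assumptions.
MIN_PSK_LEN=20

# check_psk FILE: succeed only if every PSK in FILE is at least MIN_PSK_LEN
# characters and not purely numeric (the post's PSK "123456" fails both).
check_psk() {
    _weak=$(sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        awk -v min="$MIN_PSK_LEN" \
            'length($0) < min || $0 ~ /^[0-9]+$/ { n++ } END { print n + 0 }')
    [ "$_weak" -eq 0 ]
}

# check_private FILE: succeed only if FILE is not group- or world-readable.
# /etc/ipsec.secrets and /etc/ppp/chap-secrets both hold plaintext credentials.
check_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# check_pfs FILE: succeed only if no conn in ipsec.conf sets pfs=no; without
# PFS a later compromise of the IKE keys exposes recorded ESP traffic.
check_pfs() {
    ! grep -Eq '^[[:space:]]*pfs[[:space:]]*=[[:space:]]*no' "$1"
}

# make_samples: write constructed copies of the post's files (and a strong-PSK
# variant) into a temp dir and print its path, so the checks can be dry-run.
make_samples() {
    _d=$(mktemp -d)
    printf '%s\n' 'include /etc/ipsec.d/*.secrets' \
        '192.168.10.16 %any: PSK "123456"' > "$_d/ipsec.secrets"
    printf '%s\n' '192.168.10.16 %any: PSK "Ld8!qz2Vn7#kP0wS5rT9xB"' \
        > "$_d/ipsec.secrets.strong"
    printf '%s\n' 'conn L2TP-PSK-noNAT' '    authby=secret' '    pfs=no' \
        > "$_d/ipsec.conf"
    chmod 644 "$_d/ipsec.secrets"; chmod 600 "$_d/ipsec.secrets.strong"
    echo "$_d"
}

# audit DIR: run every check against DIR and return the number of findings.
audit() {
    _n=0
    check_psk "$1/ipsec.secrets" || { echo "weak PSK in $1/ipsec.secrets"; _n=$((_n + 1)); }
    check_private "$1/ipsec.secrets" || { echo "$1/ipsec.secrets is readable by others"; _n=$((_n + 1)); }
    check_pfs "$1/ipsec.conf" || { echo "pfs=no in $1/ipsec.conf"; _n=$((_n + 1)); }
    return "$_n"
}
```

Running audit against the sample directory reports all three findings; against the live system, pass /etc and expect zero findings once the PSK is replaced, the secrets files are chmod 600 and pfs=no is removed.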

