Libreswan VPN installation (Libreswan's predecessor is the Openswan VPN)

1. Install the EPEL yum repository

yum install epel-release.noarch -y

2. Install libreswan

yum install libreswan -y

3. Use rpm -ql libreswan to list the files the package installed, in particular its two top-level configuration files, /etc/ipsec.conf and /etc/ipsec.secrets.

Note: those two files show that when ipsec.service starts it first reads /etc/ipsec.conf and /etc/ipsec.secrets, and each of them ends with an include line (include /etc/ipsec.d/*.conf and include /etc/ipsec.d/*.secrets respectively). That is why the per-connection files created in the next section go under /etc/ipsec.d/.

4. Tune the kernel parameters: add the following to /etc/sysctl.conf on both gateways and run "sysctl -p" so the settings take effect immediately (sysctl -p reads only /etc/sysctl.conf; a key for an interface that does not exist is reported as an error and skipped, so check the interface names with ip link first).


# Forward between the LAN interface and the tunnel; required on both gateways.
net.ipv4.ip_forward = 1

# Disable strict reverse-path filtering so decrypted packets from the peer LAN
# are not dropped. The kernel enforces max(conf.all.rp_filter, conf.<iface>.rp_filter)
# per interface, so the per-interface zeros only take effect if "all" is also 0;
# CentOS 7 ships net.ipv4.conf.all.rp_filter = 1 in /usr/lib/sysctl.d/50-default.conf.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
# eth0/eth1 are this lab's WAN and LAN interface names; substitute the real ones.
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0

# A VPN gateway should neither send nor honour ICMP redirects; an accepted
# redirect could steer LAN traffic around the tunnel.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
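Setting a value in /etc/sysctl.conf and seeing it applied are two different things: the file may name an interface that does not exist, a later file under /etc/sysctl.d may override it, and for rp_filter the kernel enforces the maximum of conf.all and conf.<iface>, so a per-interface 0 is silently ineffective while conf.all.rp_filter is still 1. The script below is an added example, not part of the original post: check_sysctl compares every "key = value" line of a sysctl.conf-style file with what the kernel holds in /proc/sys, and rp_filter_effective prints the value actually enforced on an interface. The optional PROC_ROOT argument and the function names are this example's own assumptions, introduced so the functions can be exercised against a constructed directory tree without root.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies the sysctl step by
# reading /proc/sys directly instead of trusting that "sysctl -p" succeeded.
# Usage on a gateway:   check_sysctl /etc/sysctl.conf && rp_filter_effective eth0
# PROC_ROOT (2nd argument) defaults to /proc; tests point it at a fake tree.

# Translate a sysctl key to its /proc/sys path. Keys may use '.' or '/' as
# separator; interface names that contain dots (eth0.100) must be written with
# '/' separators in the conf file, e.g. net/ipv4/conf/eth0.100/rp_filter.
sysctl_path() {
    proc="${2:-/proc}"
    case "$1" in
        */*) printf '%s/sys/%s\n' "$proc" "$1" ;;
        *)   printf '%s/sys/%s\n' "$proc" "$(printf '%s' "$1" | tr . /)" ;;
    esac
}

# check_sysctl CONF [PROC_ROOT]: print one line per key that the kernel does
# not have (interface absent) or holds with a different value.
# Returns 0 when every key matches, 1 otherwise.
check_sysctl() {
    conf="$1"; proc="${2:-/proc}"
    # Strip comments and blank lines; sysctl.conf syntax is "key = value".
    report=$(sed -e 's/[#;].*//' -e '/=/!d' "$conf" | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        path=$(sysctl_path "$key" "$proc")
        if [ ! -r "$path" ]; then
            echo "MISSING  $key (no $path; interface not present?)"
        else
            have=$(tr -d '[:space:]' < "$path")
            if [ "$have" != "$want" ]; then
                echo "MISMATCH $key: file says $want, kernel has $have"
            fi
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# rp_filter_effective IFACE [PROC_ROOT]: the rp_filter mode the kernel really
# applies to IFACE, i.e. max(conf.all.rp_filter, conf.IFACE.rp_filter).
# "1" here with eth0.rp_filter = 0 in the file means conf.all was left at 1.
rp_filter_effective() {
    proc="${2:-/proc}"
    all=$(cat "$proc/sys/net/ipv4/conf/all/rp_filter")
    dev=$(cat "$proc/sys/net/ipv4/conf/$1/rp_filter")
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}
```

Run check_sysctl after "sysctl -p" on both VPN01 and VPN02; a MISSING line usually means the eth0/eth1 names in the file do not match the machine, and rp_filter_effective returning 1 for the WAN interface means the per-interface setting is being overridden by conf.all.rp_filter.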


Libreswan VPN application scenario: interconnecting the LANs of two company branch offices

Topology used below (the original diagram is not reproduced): VPN01 (192.168.199.128, LAN 192.168.11.0/24) and VPN02 (192.168.199.129, LAN 192.168.12.0/24) are the two gateways, reachable from each other over 192.168.199.0/24. VPN03 (192.168.11.129) and VPN04 (192.168.12.129) are hosts inside the two LANs whose route to the peer LAN goes through their local VPN gateway.


1. Log in to VPN01 and VPN02 and create /etc/ipsec.d/ipsec.conf on each with the following content (the file is identical on both sides; libreswan determines which side it is by matching left= and right= against its own addresses):


config setup
        # Kernel IPsec stack; netkey is the native Linux XFRM stack.
        protostack=netkey
        # Obsolete keyword: libreswan always enables NAT traversal and
        # accepts this line for compatibility only.
        nat_traversal=yes

conn net-to-net
        # Pre-shared key from /etc/ipsec.d/ipsec.secrets
        authby=secret
        type=tunnel
        # VPN01: WAN address, LAN behind it, IKE identity, gateway for the WAN
        left=192.168.199.128
        leftsubnet=192.168.11.0/24
        leftid=@test1
        leftnexthop=%defaultroute
        # VPN02
        right=192.168.199.129
        rightsubnet=192.168.12.0/24
        rightid=@test2
        rightnexthop=%defaultroute
        # IKE (phase 1) and ESP (phase 2) proposals; the modp2048 group in
        # phase2alg enables PFS for the child SA
        ike=aes256-sha2_256;modp2048
        phase2alg=aes256-sha2_256;modp2048
        # Bring the tunnel up when the service starts
        auto=start

 

 

2. Log in to VPN01 and VPN02 and create /etc/ipsec.d/ipsec.secrets on each with the following content (identical on both sides):

192.168.199.128         %any    :       PSK "Foxconn99"

Note: the format of this file is

<local-id> <peer-id> : PSK "shared-key"

where each id is an IP address, an @name identity or %any (matches anything). The line above therefore applies on both gateways. With IKEv1 main mode, which libreswan 3.x on CentOS 7 negotiates by default, the PSK is looked up by the peers' IP addresses because the ID payload is sent encrypted; if the tunnel negotiates IKEv2 (the default in libreswan 4) the lookup uses the leftid/rightid values, and the line must be indexed as @test1 @test2 instead. The PSK is the only thing authenticating the two gateways: "Foxconn99" is a placeholder, not a usable key. Use a long random value, keep the file owned by root with mode 0600, and use the same value on both sides.


3. Start ipsec.service on both VPN01 and VPN02 (systemctl status only confirms that pluto is running, not that the tunnel came up):

systemctl start ipsec.service

systemctl enable ipsec.service

systemctl status ipsec.service
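Steps 1 to 3 hand-type the same two files on two machines and hard-code the PSK. The script below is an added example, not part of the original post: it renders the conn from step 1 and the secrets file from step 2 for an arbitrary pair of gateways, so both sides get byte-identical files, the PSK is random, and the secrets file is created with mode 0600. gen_psk, render_conn, render_secrets and the OUTDIR argument are this example's own names; on a real gateway OUTDIR would be /etc/ipsec.d. The obsolete nat_traversal= line is left out, and the secrets file carries the key under both the IP-address index (IKEv1 main mode) and the @id index (IKEv2), so it works whichever IKE version the peers negotiate.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the two files from
# steps 1 and 2 so VPN01 and VPN02 receive identical configuration and a
# random PSK. Function names and the OUTDIR argument are this example's own.

# 32 random bytes as 64 hex characters. The PSK is the only thing that
# authenticates the peers, so it must not be a guessable word.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# render_conn OUTDIR LEFT_IP LEFT_NET LEFT_ID RIGHT_IP RIGHT_NET RIGHT_ID
# Writes OUTDIR/ipsec.conf. Same file on both gateways: libreswan picks its
# side by matching left=/right= against its own addresses.
render_conn() {
    out="$1"
    cat > "$out/ipsec.conf" <<EOF
config setup
        protostack=netkey

conn net-to-net
        authby=secret
        type=tunnel
        left=$2
        leftsubnet=$3
        leftid=@$4
        leftnexthop=%defaultroute
        right=$5
        rightsubnet=$6
        rightid=@$7
        rightnexthop=%defaultroute
        ike=aes256-sha2_256;modp2048
        phase2alg=aes256-sha2_256;modp2048
        auto=start
EOF
}

# render_secrets OUTDIR LEFT_IP RIGHT_IP LEFT_ID RIGHT_ID [PSK]
# Writes OUTDIR/ipsec.secrets with the same key under two indices: IKEv1
# main mode looks the PSK up by the peers' IP addresses (the IDs travel
# encrypted), IKEv2 looks it up by leftid/rightid. Created under umask 077
# and chmod 600: pluto reads it as root and nothing else should.
render_secrets() {
    out="$1"; psk="${6:-$(gen_psk)}"
    ( umask 077
      printf '%s %s : PSK "%s"\n@%s @%s : PSK "%s"\n' \
          "$2" "$3" "$psk" "$4" "$5" "$psk" > "$out/ipsec.secrets" )
    chmod 600 "$out/ipsec.secrets"
}

# Usage for the lab in this post (run once, copy both files to both gateways):
#   render_conn    /etc/ipsec.d 192.168.199.128 192.168.11.0/24 test1 \
#                               192.168.199.129 192.168.12.0/24 test2
#   render_secrets /etc/ipsec.d 192.168.199.128 192.168.199.129 test1 test2
```

After copying the files, restart ipsec.service on each gateway and check "ipsec status | grep net-to-net": the tunnel is up only when the state shows "IPsec SA established"; a conn that stays in the IKE negotiation states with an authentication error on either side usually means the secrets files differ.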

 

4. Log in to VPN03 and VPN04 and test connectivity across the tunnel. The output below is from VPN04 (192.168.12.129) pinging VPN03 (192.168.11.129); it is reconstructed from a screenshot, with the link-layer and IPv6 lines omitted. ttl=62 is consistent with the packets crossing both gateways (two hops off the initial 64).

[root@vpn04 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.12.129/24 brd 192.168.12.255 scope global eth0
[root@vpn04 ~]# ping 192.168.11.129
PING 192.168.11.129 (192.168.11.129) 56(84) bytes of data.
64 bytes from 192.168.11.129: icmp_seq=1 ttl=62 time=0.893 ms
64 bytes from 192.168.11.129: icmp_seq=2 ttl=62 time=1.92 ms
64 bytes from 192.168.11.129: icmp_seq=3 ttl=62 time=1.52 ms
64 bytes from 192.168.11.129: icmp_seq=4 ttl=62 time=0.890 ms
64 bytes from 192.168.11.129: icmp_seq=5 ttl=62 time=0.873 ms

--- 192.168.11.129 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.873/1.220/1.922/0.431 ms

A successful ping only proves that the two LANs can reach each other, not that the traffic is protected: on a lab network where the gateways also route between the LANs, the ping would succeed with the tunnel down. Confirm on a gateway that the packets are actually going through the SA with "ipsec trafficstatus" (the in/out byte counters for net-to-net should grow while the ping runs) and, on the WAN interface, that only ESP is visible with "tcpdump -ni <wan-iface> esp".