Libreswan ××× installation (the software's predecessor is openswan ×××)
1. Install the EPEL yum repository
yum install epel-release.noarch -y
2. Install libreswan
yum install libreswan -y
3. Use rpm -ql to list the package's configuration files
Note: from the two configuration files listed above you can see that when ipsec.service starts it first reads those two files, and then reads the files under /etc/ipsec.d/, i.e. /etc/ipsec.d/*.conf and /etc/ipsec.d/*.secrets.
4. Tune the kernel parameters by adding the following to /etc/sysctl.conf; remember to run "sysctl -p" so the settings take effect immediately
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
Libreswan ××× application scenario:
Interconnecting the LANs of two company branch offices
1. Log in to ×××01 and ×××02 in turn and create the file /etc/ipsec.d/ipsec.conf with the following content:
# Parameter lines must be indented under their section header ("config setup" / "conn ..."),
# otherwise Libreswan treats every line as a new section and fails to parse the file.
config setup
    protostack=netkey
    # nat_traversal is an obsolete keyword in Libreswan: NAT traversal is always enabled and the line is ignored
    nat_traversal=yes
conn net-to-net
    authby=secret
    type=tunnel
    left=192.168.199.128
    leftsubnet=192.168.11.0/24
    leftid=@test1
    leftnexthop=%defaultroute
    right=192.168.199.129
    rightsubnet=192.168.12.0/24
    rightid=@test2
    rightnexthop=%defaultroute
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    auto=start
2. Log in to ×××01 and ×××02 in turn and create the file /etc/ipsec.d/ipsec.secrets with the following content
192.168.199.128 %any : PSK "Foxconn99"
Note: the format of this file is:
3. Start ipsec.service on ×××01 and ×××02
systemctl start ipsec.service
systemctl enable ipsec.service
systemctl status ipsec.service
4. Log in to ×××03 and ×××04 and test connectivity across the tunnel
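A pre-start consistency check for the ipsec.conf and ipsec.secrets written in steps 1 and 2: it parses both files, rejects legacy IKE/ESP algorithms, verifies that a PSK line actually covers the conn's addresses or IDs, and flags short pre-shared keys. This is an added example, not part of the tutorial or of Libreswan; the minimal parsers, the sample input and the 20-character PSK floor are the editor's own assumptions.

```python
import re
# Constructed sample mirroring the tutorial's two files (keys are indented under "conn").
IPSEC_CONF = """conn net-to-net
    authby=secret
    left=192.168.199.128
    leftid=@test1
    right=192.168.199.129
    rightid=@test2
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
"""
IPSEC_SECRETS = '192.168.199.128 %any : PSK "Foxconn99"\n'
WEAK_ALG = re.compile(r"(3des|\bdes|md5|sha1\b|modp1024|modp768|null)", re.I)
MIN_PSK_LEN = 20  # assumption: the editor's own floor, not a Libreswan rule

def parse_conf(text):
    """ipsec.conf: an unindented line opens a section, indented lines are key=value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip(): continue
        if not raw[0].isspace():
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return sections

def parse_secrets(text):
    """Return (selector list, psk) for every 'selectors : PSK "..."' line of ipsec.secrets."""
    lines = (re.match(r'^\s*(.*?)\s*:\s*PSK\s+"(.*)"', l) for l in text.splitlines())
    return [(m.group(1).split(), m.group(2)) for m in lines if m]

def check(conf_text, secrets_text):
    """Return a list of problems; an empty list means the two files are consistent."""
    problems, secrets = [], parse_secrets(secrets_text)
    for name, c in parse_conf(conf_text).items():
        if not name.startswith("conn "): continue
        for alg in ("ike", "phase2alg"):  # reject legacy ciphers, hashes and DH groups
            if alg in c and WEAK_ALG.search(c[alg]):
                problems.append(f"{name}: weak {alg}={c[alg]}")
        if c.get("authby") == "secret":
            # a PSK line applies when each selector is one of the conn's addresses/IDs or %any
            ids = {c.get(k) for k in ("left", "right", "leftid", "rightid")}
            if not any(all(s in ids or s == "%any" for s in sel) for sel, _ in secrets):
                problems.append(f"{name}: no PSK line in ipsec.secrets matches its addresses/IDs")
    problems += [f"ipsec.secrets: PSK {psk!r} is shorter than {MIN_PSK_LEN} characters"
                 for _, psk in secrets if len(psk) < MIN_PSK_LEN]
    return problems
```

Run it against the real files with check(open('/etc/ipsec.d/ipsec.conf').read(), open('/etc/ipsec.d/ipsec.secrets').read()) before starting the service in step 3; for the tutorial's own files it reports only the short PSK.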