FreeBSD ---- Cisco ASA 5540 (IPsec VPN, tunnel mode)
1. Preparation
System: FreeBSD 9.0-RELEASE i386 (two network interfaces)
IPsec-tools: ipsec-tools-0.8.0 (source tarball; built in section 3)
2. Building the kernel
1) The stock FreeBSD 9.0 GENERIC kernel does not include IPsec support, so it has to be added by hand. There are a few options:
options IPSEC #IP security
device crypto
If you want IPsec debugging support, also add:
options IPSEC_DEBUG #debug for IP security
If NAT traversal is ever needed (the isakmp_natt and nat_traversal settings that are commented out in racoon.conf below), a 9.x kernel additionally needs the IPSEC_NAT_T option.
2) Adding the kernel options, then building and installing
ls /usr/src/sys
ls: /usr/src/sys: No such file or directory
That error means the kernel source is not installed. Put the FreeBSD installation disc in the drive and, as root, run sysinstall (on 9.0 it is /usr/sbin/sysinstall; the old /stand/sysinstall path no longer exists). Choose Configure, then Distributions, src, sys, and press Enter to start the installation. It usually takes only a few minutes.
cd /usr/src/sys/i386/conf/
cp GENERIC MYHOST # MYHOST stands for the machine's hostname, in capital letters
vi MYHOST
Add all of the options from 1), or just the first two, to MYHOST and save.
cd /usr/src
make buildkernel KERNCONF=MYHOST # takes ten minutes or more
make installkernel KERNCONF=MYHOST
Reboot afterwards; the new kernel is only used after a reboot.
3. Installing the software
tar zxvf ipsec-tools-0.8.0.tar.gz
cd ipsec-tools-0.8.0
./configure
make && make install
This installs racoon under /usr/local/sbin. The same package is also available as the security/ipsec-tools port, which in addition installs an rc.d script for starting racoon at boot.
4. Configuration
1) Server network interfaces and connectivity
vi /etc/rc.conf
ifconfig_bge0="inet 60.247.57.x netmask 255.255.255.x"
defaultrouter="60.247.57.x"
ifconfig_em0="inet 192.168.190.20 netmask 255.255.255.0"
bge0 is the public interface on which the tunnel terminates; em0 is the inside interface whose address appears in the security policies below.
2) SP configuration: setkey.conf
The security policies (SPs) are loaded with the system's own setkey utility.
First create setkey.conf. Its rules specify which IP addresses must have their traffic encrypted, using tunnel mode rather than transport mode. The file can live in any directory; in this setup it is /etc/racoon/setkey.conf.
#flush SAD entries
flush;
#flush SPD entries
spdflush;
#add SA entries (none here: racoon negotiates the SAs with the ASA)
#add SP entries
spdadd 192.168.190.20/32 10.1.5.0/24 any -P out ipsec esp/tunnel/60.247.57.x-61.49.29.x/require;
spdadd 10.1.5.0/24 192.168.190.20/32 any -P in ipsec esp/tunnel/61.49.29.x-60.247.57.x/require;
The last field of each policy is its level. With "use", the kernel sends the packet in the clear whenever no SA exists yet (for example right after boot or after an SA expires), which is not what you want for a site-to-site VPN; with "require" the packet is dropped and the kernel asks racoon to negotiate the SA instead. Note that with 192.168.190.20/32 only the FreeBSD host itself is inside the tunnel; if hosts behind em0 should use it too, put the inside subnet here and mirror that in the ASA's crypto ACL.
3) SA configuration: racoon.conf
path pre_shared_key "/etc/racoon/psk.txt"; # location of the pre-shared key file
log debug; # set to 'notify' once testing and debugging are complete
padding # these options are not to be changed
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
timer # timing options, change as needed
{
    counter 5;
    interval 20 sec;
    persend 1;
    # natt_keepalive 15 sec;
    phase1 30 sec;
    phase2 15 sec;
}
listen # address [port] that racoon will listen on
{
    isakmp 60.247.57.x [500];
    # isakmp_natt 60.247.57.x [4500];
}
remote 61.49.29.x [500]
{
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 60.247.57.x;
    peers_identifier address 61.49.29.x;
    lifetime time 8 hour;
    passive off;
    proposal_check obey;
    # nat_traversal off;
    generate_policy off;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        lifetime time 8 hour; # phase 1 SA lifetime; a value of seconds here forces a re-key every few seconds
        dh_group 2;
    }
}
sainfo (address 10.1.5.0/24 any address 192.168.190.20/32 any)
{
    pfs_group 1;
    lifetime time 28800 sec; # phase 2 lifetime, must be the same on both ends
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
The proposal (phase 1) and sainfo (phase 2) parameters must match the ASA's isakmp policy and transform set exactly, or the negotiation fails; proposal_check obey only means racoon accepts the lifetimes the ASA proposes. The sainfo address selectors must mirror the spdadd lines and the ASA's crypto ACL, and compression_algorithm deflate only works if the ASA side also enables IPComp. 3DES, SHA-1, DH group 2 and PFS group 1 (768-bit MODP) are legacy choices; where the ASA's software supports it, prefer aes, dh_group 14 and pfs_group 14, and at the very least do not use pfs_group 1.
4) Pre-shared key configuration
The file has two columns: the peer's IP address and the key.
vi /etc/racoon/psk.txt
61.49.29.x Umessage-***
The same string is configured on the ASA as the pre-shared key for the tunnel to 60.247.57.x. Use a long random value; with main mode and pre-shared keys the key is all that authenticates the peer.
5. Operations
1) Enable packet forwarding via sysctl
vi /etc/sysctl.conf
net.inet.ip.forwarding=1
Run sysctl net.inet.ip.forwarding=1 to apply it immediately; setting gateway_enable="YES" in /etc/rc.conf has the same effect at boot.
2) Make the pre-shared key unreadable by other users
chmod 600 /etc/racoon/psk.txt
psk.txt is a data file, so 600 (owner read/write only, no execute bit) is the right mode, and the directory is /etc/racoon, not /etc/raccoon. racoon rejects a key file that group or others can read, so check this before starting it.
3) Loading the policies at boot
vi /etc/rc.conf
ipsec_enable="YES"
ipsec_file="/etc/racoon/setkey.conf"
/etc/rc.conf only holds variable assignments, so a bare "setkey -f /etc/racoon/setkey.conf" command placed in it is never executed. The two lines above make /etc/rc.d/ipsec run setkey -f on that file at boot. racoon built from the tarball has no rc.d script: either start it from /etc/rc.local, or install the security/ipsec-tools port and set racoon_enable="YES".
4) Starting IPsec and checking the result
/usr/local/sbin/racoon -F -f /etc/racoon/racoon.conf -l /var/log/racoon.log
setkey -D
setkey -PD
-F keeps racoon in the foreground, which is convenient while watching the log at debug level; drop it to run racoon as a daemon. Generate some traffic that matches the policy to trigger the negotiation (for example ping -S 192.168.190.20 to a host in 10.1.5.0/24, since a ping sourced from the public address would not match). setkey -D should then show two ESP tunnel-mode SAs in state mature, one per direction, and setkey -PD the two policies loaded from setkey.conf. If the SAs never appear, racoon.log shows which phase 1 or phase 2 proposal the ASA rejected.
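As an added example (this script is not part of the original page or of ipsec-tools), here is a POSIX shell pre-flight audit for the three files produced in sections 4 and 5. It checks the points that most often go wrong in this setup: an spdadd policy whose level is "use" or "default" instead of "require" (silent cleartext fallback), a psk.txt that group or others can read, and a "remote" peer in racoon.conf with no key in psk.txt. It also rewrites weak policy levels to "require". The sample files it writes into a temporary directory are constructed for the example from the tutorial's placeholder addresses, plus a made-up second peer 203.0.113.9 that deliberately has no key; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): offline pre-flight audit for a
# setkey + racoon IPsec gateway. It checks three things the configuration
# above has to get right:
#   1. every spdadd policy level is "require" ("use" or "default" lets the
#      kernel send the packet in the clear when no SA exists yet),
#   2. psk.txt is readable by its owner only,
#   3. every "remote <addr>" peer in racoon.conf has a line in psk.txt.
# The sample files are constructed for this example from the tutorial's
# placeholder addresses; 203.0.113.9 is a made-up second peer with no key.

# Print every spdadd line whose policy level (last "/"-separated field) is not "require".
weak_spd_policies() {
    awk '/^[ \t]*spdadd/ {
        n = split($0, f, "/"); lvl = f[n]; sub(/[; \t].*/, "", lvl)
        if (lvl != "require") print
    }' "$1"
}

# Print the given setkey.conf with every "use"/"default" level changed to "require".
harden_spd() {
    sed -E 's#(spdadd.*/)(use|default)[[:space:]]*;#\1require;#' "$1"
}

# Succeed only when the key file has no group or other permission bits
# (mode 0600 or stricter); racoon rejects a key file that others can read.
psk_file_ok() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print every "remote <addr>" peer from racoon.conf that has no psk.txt entry
# (exact match on the first column of psk.txt).
peers_without_psk() {
    awk '/^[ \t]*remote[ \t]/ { print $2 }' "$1" |
    while read -r peer; do
        awk -v p="$peer" '$1 == p { found = 1 } END { exit !found }' "$2" \
            || echo "$peer"
    done
}

# Write the constructed sample configuration into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/setkey.conf" <<'EOF'
flush;
spdflush;
spdadd 192.168.190.20/32 10.1.5.0/24 any -P out ipsec esp/tunnel/60.247.57.x-61.49.29.x/use;
spdadd 10.1.5.0/24 192.168.190.20/32 any -P in ipsec esp/tunnel/61.49.29.x-60.247.57.x/require;
EOF
    cat > "$d/racoon.conf" <<'EOF'
path pre_shared_key "/etc/racoon/psk.txt";
remote 61.49.29.x [500] { exchange_mode main; }
remote 203.0.113.9 [500] { exchange_mode main; }
EOF
    printf '61.49.29.x Umessage-***\n' > "$d/psk.txt"
    chmod 600 "$d/psk.txt"
    echo "$d"
}

# Run all three checks on a directory holding setkey.conf, racoon.conf and
# psk.txt (e.g. /etc/racoon); exit status 0 only if every check passes.
audit() {
    cfg=$1; rc=0
    weak=$(weak_spd_policies "$cfg/setkey.conf")
    [ -z "$weak" ] || { printf 'SPD level is not require:\n%s\n' "$weak"; rc=1; }
    psk_file_ok "$cfg/psk.txt" || { echo "psk.txt is group/world readable"; rc=1; }
    missing=$(peers_without_psk "$cfg/racoon.conf" "$cfg/psk.txt")
    [ -z "$missing" ] || { printf 'peers without a PSK entry:\n%s\n' "$missing"; rc=1; }
    return "$rc"
}

# Stand-alone run: the samples deliberately fail checks 1 and 3.
dir=$(make_samples)
audit "$dir" || echo "audit: problems found, fix and re-run"
harden_spd "$dir/setkey.conf" > "$dir/setkey.hardened.conf"
rm -rf "$dir"
```

On the real gateway, run audit /etc/racoon before starting racoon, and use harden_spd on setkey.conf to see the corrected policies before reloading them with setkey -f. The permission check deliberately looks at the mode bits rather than trusting chmod having been run, since a re-created key file silently comes back with the umask default.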