FreeBSD ---- Cisco ASA 5540 (IPsec VPN, tunnel mode)

FreeBSD configuration

1、Preparation

System: FreeBSD 9.0-RELEASE i386 (two network interfaces)

Software: ipsec-tools (racoon and setkey), version 0.8.0

2、Building the kernel

1) The GENERIC kernel of FreeBSD 9.0 is built without IPsec, so the options have to be added by hand. The relevant ones are:

options IPSEC #IP security
device crypto

If IPsec debugging support is wanted, also add:

options IPSEC_DEBUG #debug for IP security

If the tunnel will ever have to cross a NAT device (the natt settings that are left commented out in the racoon.conf below), a 9.x kernel also needs options IPSEC_NAT_T, and ipsec-tools must be configured with --enable-natt; without both, racoon's NAT-T support cannot be used.

2) Adding the kernel options, building and installing

ls /usr/src/sys

If this prints "ls: /usr/src/sys: No such file or directory", the kernel source is not installed. This setup installs it from the installation CD with sysinstall run as root: Configure → Distributions → src → sys, then confirm; it takes only a few minutes. (On 9.x sysinstall is /usr/sbin/sysinstall rather than /stand/sysinstall, which is the path from older releases; the src distribution can also be extracted straight from the 9.0 media's src.txz with tar -C / -xf.)

cd /usr/src/sys/i386/conf/
cp GENERIC ××× # ××× is the name of the kernel config; the convention is the machine's hostname in capital letters
vi ×××

Add all of the options from 1), or at least the first two, to the ××× file and save it.

cd /usr/src
make buildkernel KERNCONF=××× # ten minutes or more
make installkernel KERNCONF=×××

Reboot into the new kernel. Afterwards "sysctl net.inet.ipsec" should list the IPsec sysctls; if it reports an unknown oid, the running kernel was built without options IPSEC.

3、Installing the software

tar zxvf ipsec-tools-0.8.0.tar.gz
cd ipsec-tools-0.8.0
./configure
make && make install

This installs racoon (and a second copy of setkey) under /usr/local/sbin; the base system already ships /usr/sbin/setkey, which is the one used below. The same package is also available as the port security/ipsec-tools, which additionally installs an rc script for racoon.

4、Configuration

1) Network interfaces and connectivity

vi /etc/rc.conf

ifconfig_bge0="inet 60.247.57.x netmask 255.255.255.x"
defaultrouter="60.247.57.x"
ifconfig_em0="inet 192.168.190.20 netmask 255.255.255.0"

bge0 is the public-facing interface that terminates the tunnel; em0 is the internal interface. Before going further, make sure the ASA's public address (61.49.29.x) is reachable from 60.247.57.x, and that UDP port 500 (plus 4500 if NAT-T is used) and IP protocol 50 (ESP) are not filtered anywhere between the two gateways.

2) SP (security policy) configuration: setkey.conf

The SPD is loaded with the setkey utility that comes with the system.

First create setkey.conf. Its rules specify which addresses must have their traffic protected, using tunnel mode rather than transport mode. The file can live in any directory; in this setup it is /etc/racoon/setkey.conf.

#flush SAD entries
flush;
#flush SPD entries
spdflush;
#add SA entries (none by hand: racoon negotiates them)
#add SP entries
spdadd 192.168.190.20/32 10.1.5.0/24 any -P out ipsec esp/tunnel/60.247.57.x-61.49.29.x/use;
spdadd 10.1.5.0/24 192.168.190.20/32 any -P in ipsec esp/tunnel/61.49.29.x-60.247.57.x/use;

Two things to be aware of. "flush;" discards every SA in the kernel, not just this tunnel's, so re-running the file on a box that carries other tunnels tears them down. And the policy level "use" means that packets matching the rule are sent in cleartext whenever no SA exists (before racoon has negotiated one, or after it has expired); if the internal network must never leak unencrypted, use "require" instead, which drops such packets until an SA is in place. Racoon negotiates on demand, when a packet matches the policy, so the first ping across the tunnel is what triggers phase 1.

3) SA configuration: racoon.conf

path pre_shared_key "/etc/racoon/psk.txt"; # location of the pre-shared key file
log debug; # set to 'notify' when testing and debugging is complete

padding # options that should not be changed
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer # timing options, change as needed
{
    counter 5;
    interval 20 sec;
    persend 1;
    # natt_keepalive 15 sec;
    phase1 30 sec;
    phase2 15 sec;
}

listen # address [port] that racoon will listen on
{
    isakmp 60.247.57.x [500];
    # isakmp_natt 60.247.57.x [4500];
}

remote 61.49.29.x [500]
{
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 60.247.57.x;
    peers_identifier address 61.49.29.x;
    lifetime time 8 hour;
    passive off;
    proposal_check obey;
    # nat_traversal off;
    generate_policy off;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        lifetime time 30 sec;
        dh_group 2;
    }
}

sainfo (address 10.1.5.0/24 any address 192.168.190.20/32 any)
{
    pfs_group 1;
    lifetime time 28800 sec; # must be the same on both ends
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

The phase 1 proposal (3des, sha1, pre-shared key, dh_group 2) and the phase 2 settings (3des, hmac_sha1, pfs_group 1, the 28800 second lifetime) have to match the ISAKMP policy and the crypto map's transform set and PFS group on the ASA, otherwise negotiation stops with a "no suitable proposal found" error in racoon.log. 3DES and Diffie-Hellman groups 1 and 2 are weak by current standards; where the ASA supports it, prefer aes and dh_group / pfs_group 14 or higher, again on both sides.

4) Pre-shared key configuration

The file has two columns: the first is the peer's IP address, the second is the key. The same key must be configured on the ASA for this peer.

vi /etc/racoon/psk.txt

61.49.29.x Umessage-***

5、Operations

1) Enable packet forwarding in sysctl

vi /etc/sysctl.conf

net.inet.ip.forwarding=1

Apply it immediately with "sysctl net.inet.ip.forwarding=1"; without forwarding the FreeBSD box will not route between em0 and the tunnel.

2) Keep the pre-shared key private from other users

chmod 600 /etc/racoon/psk.txt

The file should be owned by root and readable only by root. This is not optional: racoon refuses to load a key file that is group- or world-accessible and logs that it "has weak file permission".

3) Run at boot

vi /etc/rc.conf

ipsec_enable="YES"
ipsec_file="/etc/racoon/setkey.conf"

rc.conf is a shell file that every rc script sources, so it may only contain variable assignments; a bare "setkey -f /etc/racoon/setkey.conf" command placed there would be executed again and again during boot. The two variables above make /etc/rc.d/ipsec load the policy file once at boot. Racoon built from source has no rc script, so start it from /etc/rc.local (or install the security/ipsec-tools port and set racoon_enable="YES").

4) Start IPsec

setkey -f /etc/racoon/setkey.conf
/usr/local/sbin/racoon -F -f /etc/racoon/racoon.conf -l /var/log/racoon.log

-F keeps racoon in the foreground so its output is visible while testing; drop it to run as a daemon. Then send traffic across the tunnel (for example ping a 10.1.5.0/24 host from 192.168.190.20) and check the result:

setkey -D # dump the SAD: once phase 2 completes there is one ESP tunnel entry per direction with state=mature
setkey -PD # dump the SPD: the two policies loaded from setkey.conf
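The checks from steps 2), 3) and 4) above, as an added shell example that is not part of the original page or of ipsec-tools. It writes a setkey policy that fails closed (level "require"), flags a policy that still uses "use", and parses the output of "setkey -D" to confirm that a mature ESP tunnel SA exists in both directions. The function names (gen_policy, policy_fails_open, sa_state, tunnel_up) are mine; the addresses 60.247.57.1 and 61.49.29.1 are assumed placeholders for the masked 60.247.57.x and 61.49.29.x gateways, and the SAD dump embedded below is constructed in the layout "setkey -D" prints, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original page): helper functions for bringing
# up and checking the FreeBSD side of the tunnel.
# Assumptions: 60.247.57.1 / 61.49.29.1 stand in for the masked gateways;
# SAMPLE_SAD below is a constructed `setkey -D` style dump.

LOCAL_GW=${LOCAL_GW:-60.247.57.1}
PEER_GW=${PEER_GW:-61.49.29.1}
LOCAL_NET=${LOCAL_NET:-192.168.190.20/32}
PEER_NET=${PEER_NET:-10.1.5.0/24}

# gen_policy LOCAL_NET PEER_NET LOCAL_GW PEER_GW  -> setkey script on stdout
gen_policy() {
    cat <<EOF
flush;
spdflush;
# "require": packets matching the policy are dropped until an SA exists,
# instead of being sent in cleartext as they would be with "use".
spdadd $1 $2 any -P out ipsec esp/tunnel/$3-$4/require;
spdadd $2 $1 any -P in ipsec esp/tunnel/$4-$3/require;
EOF
}

# policy_fails_open FILE -> exit 0 if any spdadd line still has level "use"
policy_fails_open() {
    grep -Eq '^[[:space:]]*spdadd .*/use[[:space:]]*;' "$1"
}

# sa_state SRC DST < dump -> state of the ESP tunnel SA from SRC to DST
# ("mature", "larval", "dying", ...), or "none" if there is no such SA
sa_state() {
    awk -v src="$1" -v dst="$2" '
        # each SA record starts with a line holding only "SRC DST"
        /^[0-9A-Fa-f.:]+ [0-9A-Fa-f.:]+$/ {
            cur = ($1 == src && $2 == dst); tun = 0; next
        }
        cur && /^[[:space:]]*esp / { tun = ($0 ~ /mode=tunnel/) }
        cur && tun && /state=/ {
            s = $0; sub(/.*state=/, "", s); sub(/[^a-z].*/, "", s)
            print s; found = 1; exit
        }
        END { if (!found) print "none" }
    '
}

# tunnel_up LOCAL PEER DUMPFILE -> exit 0 when both directions are mature
tunnel_up() {
    out_state=$(sa_state "$1" "$2" < "$3")
    in_state=$(sa_state "$2" "$1" < "$3")
    echo "outbound $1 -> $2: $out_state; inbound $2 -> $1: $in_state"
    [ "$out_state" = mature ] && [ "$in_state" = mature ]
}

# Constructed dump with one mature ESP tunnel SA per direction (key bytes
# are dummies). Real output is tab-indented; the parser accepts either.
SAMPLE_SAD="60.247.57.1 61.49.29.1
    esp mode=tunnel spi=2538876128(0x9753a0e0) reqid=0(0x00000000)
    E: 3des-cbc  00112233 44556677 8899aabb ccddeeff 00112233 44556677
    A: hmac-sha1 00112233 44556677 8899aabb ccddeeff 00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
61.49.29.1 60.247.57.1
    esp mode=tunnel spi=3141592653(0xbb40e64d) reqid=0(0x00000000)
    E: 3des-cbc  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc bbaa9988
    A: hmac-sha1 ffeeddcc bbaa9988 77665544 33221100 ffeeddcc
    seq=0x00000000 replay=4 flags=0x00000000 state=mature"

# Stand-alone demo. On the real gateway, as root, load the generated file
# with `setkey -f "$work/setkey.conf"` and feed `setkey -D > "$work/sad.txt"`
# to tunnel_up instead of SAMPLE_SAD.
work=$(mktemp -d)
gen_policy "$LOCAL_NET" "$PEER_NET" "$LOCAL_GW" "$PEER_GW" > "$work/setkey.conf"
if policy_fails_open "$work/setkey.conf"; then
    echo "WARNING: policy falls back to cleartext (level use)"
fi
printf '%s\n' "$SAMPLE_SAD" > "$work/sad.txt"
if tunnel_up "$LOCAL_GW" "$PEER_GW" "$work/sad.txt"; then
    echo "tunnel established in both directions"
else
    echo "tunnel incomplete: check racoon.log for phase 1 / phase 2 errors"
fi
rm -rf "$work"
```

The policy check is worth keeping in a deployment script because a "use" policy silently passes traffic in the clear when negotiation fails, which looks exactly like a working tunnel from the application's point of view; only the SAD (or a packet capture on bge0) tells the difference.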