OpenSWAN可以在Linux环境下搭建IPSecVPN。我自己动手在CentOS系统下安装OpenSWAN,现将过程记录下来。
软件
VMware-workstation-7.1
CentOS-6.3-i386-bin-DVD1.iso
openswan-2.6.38.tar.gz
在虚拟机中先将CentOS装好,这里就不详细说明了。
这里需要注意的是需要将机器连到互联网好下载安装一些辅助工具包。IP地址为手动配置好后,发现ping ip可以成功,但是ping某个域名却显示ping: unknown host ***。这是因为没有设置域名服务器的原因。
# ping baidu.com
ping: unknown host baidu.com
解决方法如下:
# vi /etc/resolv.conf
#增加以下两行,具体IP请按实际填写
nameserver 208.67.222.222
nameserver 208.67.220.220
CentOS安装gcc–RPM
#yum install gcc-c++
#yum install flex autoconf zlib curl zlib-devel curl-devel bzip2 bzip2-devel ncurses-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel pam-devel
安装相应 ipsec 套件工具和基础软件环境
#yum -y install gmp gmp-devel gawk flex bison
配置环境变量
#sysctl -a | egrep “ipv4.*(accept|send)_redirects” | awk -F “=” ‘{print $1″= 0″}’
执行上面的命令,把结果添加到/etc/ sysctl.conf的结尾。
并且把
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
修改成
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
保存后,执行sysctl -p,使其修改后的参数生效。
# cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.bond1.send_redirects = 0
net.ipv4.conf.bond1.accept_redirects = 0
net.ipv4.conf.bond0.send_redirects = 0
net.ipv4.conf.bond0.accept_redirects = 0
net.ipv4.conf.eth4.send_redirects = 0
net.ipv4.conf.eth4.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
安装OpenSWAN
#tar zxvf openswan-2.6.38.tar.gz
#cd openswan-2.6.38
#make programs
#make install
验证安装
执行下面的命令验证OpenSWan是否正确安装
#ipsec –version
如果程序正确安装,此命令将显示
Linux Openswan U2.6.38/K(no kernel code presently loaded)
See `ipsec –copyright’ for copyright information.
这里没有加载任何的IPsec stack,当启动IPsec后会自动加载系统自带的netkey。
启动ipsec
#/etc/init.d/ipsec start
检查ipsec状态
#/etc/init.d/ipsec status
检查系统环境
#ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K2.6.32-279.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for ‘ip’ command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for ‘iptables’ command [OK]
Opportunistic Encryption Support [DISABLED]
至此安装过程完成了,感觉还是很顺畅的。下面就进入比较复杂的配置阶段,我将在下篇把我验证的过程描述出来。