服务器评测
# uname -r
2.6.18-164.el5
一、下载openswan
从www.openswan.org官方网站下载当前最新版本2.6.28
# tar xzvf openswan-2.6.28.tar.gz
# cd openswan-2.6.28
二、安装依赖包
在openswan源码目录下查看README
There a few packages required for Openswan to compile:
1. libgmp + libgmp-devel headers. (GNU Math Precision Library)
2. gawk, flex and bison (usually included in all distributions)
gawk, flex and bison几个比较容易安装,gawk系统已默认安装,flex和bison可用yum安装,libgmp有点麻烦。先是下载的gmp-5.0.1.tar.gz,但启动openswan服务时会报错(libgmp.so.10),只好删了。后来在CentOS系统盘找到相应的RPM包.
# rpm -ivh gmp-4.1.4-10.el5.i386.rpm
Preparing… ########################################### [100%]
package gmp-4.1.4-10.el5.i386 is already installed
# rpm -ivh gmp-devel-4.1.4-10.el5.i386.rpm
Preparing… ########################################### [100%]
1gmp-devel ########################################### [100%]
三、安装openswan
#make programs
#make install
安装成功后,在/etc/目录下生成ipsec.conf配置文件和ipsec.d目录,同时在/usr/local/sbin下生成ipsec可执行程序、在/etc/initl.d/目录下生成ipsec shell脚本
四、openswan基本操作
1. 查看当前openswan版本
# ipsec –version
Linux Openswan U2.6.28/K(no kernel code presently loaded)
See `ipsec –copyright’ for copyright information.
2. ipsec服务
# service ipsec start
# service ipsec restart
# service ipsec stop
3.验证openswan是否正确安装
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.18-164.el5 (netkey)
Checking for IPsec support in kernel [OK]
Testing against enforced SElinux mode [FAILED]
SElinux is running in ‘enforced’ mode.
If you encounter network related SElinux errors, especially when using KLIPS,
try disabling SElinux using:
echo “0” > /selinux/enforce (or edit /etc/sysconfig/selinux)
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking that pluto is running [FAILED]
whack: Pluto is not running (no “/var/run/pluto/pluto.ctl”)
Two or more interfaces found, checking IP forwarding [FAILED]
whack: Pluto is not running (no “/var/run/pluto/pluto.ctl”)
Checking for ‘ip’ command [OK]
Checking for ‘iptables’ command [OK]
Opportunistic Encryption Support [DISABLED]
(1)disabe SELINUX
# vim /etc/sysconfig/selinux
设置 SELINUX=disabled
# setenforce 0
(2)disable ICMP send_redirects和accept_redirects
可编写shell脚本将/proc/sys/net/ipv4/conf/*/send_redirects和/proc/sys/net/ipv4/conf/*/accept_redirects disable掉
(3)enable ip_forward
# vim /etc/sysctl.conf
修改net.ipv4.ip_forward = 0 -> net.ipv4.ip_forward = 1
# sysctl -p
4. 配置文件
(1)配置文件 (/etc/ipsec.conf)
查看ipsec.conf配置帮助
# man 5 ipsec.conf
(2)密钥配置文件(/etc/ipsec.secrest)
查看ipsec.secrets配置帮助
# man 5 ipsec.secrets
