Open-source Linux VPN solution - OpenSwan installation and configuration guide
HOWTO OpenSwan 2.6 kernel
Configure-NETKEY
Pay attention to the Cryptographic options; otherwise, when problems show up later, there is no way to tell that the cause is an option that was not selected:

Networking --->
  Networking Options --->
    (M) PF_KEY sockets
    (M) IP: AH transformations
    (M) IP: ESP transformations
    (M) IP: IPComp transformations
    (M) IP: tunnel transformations
    (M) IPsec user configuration interface
Cryptographic options --->
    <*> MD5 digest algorithm
    <*> SHA1 digest algorithm
    <*> DES and Triple DES EDE cipher algorithms
    <*> AES cipher algorithms
Reading the source code did not make it any clearer either; only after googling did I find out what was behind: pluto[12237]: ASSERTION FAILED at kernel_alg.c:264: buflen>0
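An added check (not part of the original post) that reads a kernel .config and reports which of the options listed above are missing, so the problem is caught before pluto hits that assertion. The CONFIG_* symbol names are my assumed mapping of the menuconfig labels above to the symbols in net/ipv4/Kconfig and crypto/Kconfig of 2.6-era kernels; adjust them if your tree names them differently.

```shell
#!/bin/sh
# Added example: verify a kernel config file has every option the NETKEY
# section above requires, either built in (=y) or as a module (=m).
# Typical inputs: /boot/config-$(uname -r) or an unzipped /proc/config.gz.
# The symbol names below are an assumed mapping from the menuconfig labels.
NETKEY_REQUIRED="CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP \
CONFIG_INET_IPCOMP CONFIG_INET_TUNNEL CONFIG_XFRM_USER \
CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_DES CONFIG_CRYPTO_AES"

# config_state FILE SYMBOL -> prints y, m, n ("is not set") or "absent"
# (symbol never mentioned, which is how an older Kconfig shows up)
config_state() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    elif grep -q "^# $2 is not set" "$1"; then echo n
    else echo absent
    fi
}

# check_netkey_config FILE -> prints each missing symbol with its state,
# returns 0 when everything is enabled and 1 otherwise
check_netkey_config() {
    missing=0
    for sym in $NETKEY_REQUIRED; do
        state=$(config_state "$1" "$sym")
        case "$state" in
            y|m) ;;
            *) echo "$sym: $state"; missing=1 ;;
        esac
    done
    return $missing
}

# Usage: check the running kernel's config when the distro ships it.
if [ -r "/boot/config-$(uname -r)" ]; then
    check_netkey_config "/boot/config-$(uname -r)" \
        && echo "NETKEY prerequisites present"
fi
```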
Configure-OCF-linux
Cryptographic options --->
  [*] Cryptographic API
  [*] HMAC support
OCF Configuration --->
  <*> OCF (Open Cryptograhic Framework)
  <*> cryptodev (user space support)
  <*> cryptosoft (software crypto engine)
  <*> safenet (HW crypto engine)
openswan psk config
ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    plutodebug=all
    nat_traversal=yes
    interfaces="%defaultroute"

# Add connections here
# sample VPN connection (section parameters must be indented)
conn test
    authby=secret
    left=172.20.6.2
    leftsubnet=192.168.2.0/24
    right=172.20.6.3
    rightsubnet=192.168.3.0/24
    auto=add

# Disable Opportunistic Encryption
#include /etc/openswan/ipsec.d/examples/no_oe.conf
include /etc/ipsec.d/examples/no_oe.conf

ipsec.secrets

: PSK "1234567890"
/etc/init.d/ipsec start
ipsec auto --up <config_name>    # the conn name, "test" in the config above
ipsec auto --status
script

#!/bin/sh
# Which end this box is: host=a (left) or host=b (right)
host=a
# host=b

/etc/init.d/ipsec stop; rmmod ipsec
eth0=eth0    # LAN side (192.168.x.0/24 subnet)
eth1=eth1    # IPsec / WAN side (left/right endpoint)
case "$host" in
    l|L|left|LEFT|a|1)
        a=2; b=3; echo "host a config..." ;;
    r|R|right|RIGHT|b|2)
        a=3; b=2; echo "host b config..." ;;
    *)
        echo "unknown host: $host"; exit 1 ;;
esac
echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig $eth0 down
ifconfig $eth1 down
ifconfig $eth0 hw ether 00:$a$a:$a$a:$a$a:$a$a:00
ifconfig $eth1 hw ether 00:$a$a:$a$a:$a$a:$a$a:01
# drop every existing default route before adding the new one
while route del default >/dev/null 2>&1; do :; done
# these addresses must agree with left/right in ipsec.conf (172.20.6.x above)
ifconfig $eth1 172.200.6.$a
ifconfig $eth0 192.168.$a.1
route add default gw 172.200.6.$b
/etc/init.d/ipsec start
Generate the RSA key using /dev/urandom as the random source, which is faster than /dev/random:

ipsec rsasigkey --verbose --random /dev/urandom 2192 >> /tmp/k