Tuesday, March 25, 2008

openswan notes

Open-source Linux VPN solution - OpenSWan installation and configuration guide
HOWTO OpenSwan 2.6 kernel


Configure-NETKEY

Networking --->
Networking Options --->
(M) PF_KEY sockets
(M) IP: AH transformations
(M) IP: ESP transformations
(M) IP: IPComp transformations
(M) IP: tunnel transformations
(M) IPsec user configuration interface
Cryptographic options --->
<*> MD5 digest algorithm
<*> SHA1 digest algorithm
<*> DES and Triple DES EDE cipher algorithms
<*> AES cipher algorithms
Pay attention to the Cryptographic options: if they are left out, nothing later points to the missing option as the cause when things break, and all you get is:
pluto[12237]: ASSERTION FAILED at kernel_alg.c:264: buflen>0
Reading the source code didn't make it any clearer either; I only found out by googling.
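One way to catch this before pluto does, as an added example that is not part of the original post: check that the running kernel really exposes the algorithms and NETKEY modules selected above. It assumes the kernel lists registered algorithms in /proc/crypto as "name : <alg>" lines and loaded modules in /proc/modules (first field is the module name); the module names for the (M) options are an assumption for a 2.6 kernel. Both paths are parameters, so the functions can also be run against saved copies of those files.

```shell
#!/bin/sh
# Added example, not from the original post: preflight check for the kernel
# crypto and NETKEY pieces pluto needs, so a missing option shows up here
# instead of as "ASSERTION FAILED at kernel_alg.c" later.

# Kernel names of the Cryptographic options selected above.
REQUIRED_ALGS="md5 sha1 des3_ede aes"
# Assumed 2.6 module names for the (M) options: PF_KEY sockets, AH, ESP,
# IPComp, tunnel transformations, user configuration interface.
REQUIRED_MODS="af_key ah4 esp4 ipcomp xfrm4_tunnel xfrm_user"

# Print the required algorithms missing from a /proc/crypto dump.
# Exit status 0 when nothing is missing, 1 otherwise.
missing_algs() {
    crypto_file="$1"
    missing=""
    for alg in $REQUIRED_ALGS; do
        # each registered algorithm has a line like "name         : aes"
        if ! grep -Eq "^name[[:space:]]*:[[:space:]]*$alg\$" "$crypto_file"; then
            missing="$missing $alg"
        fi
    done
    missing="${missing# }"
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Same check for modules, against a /proc/modules dump. Options built in
# (=y) never appear there, so only use this for options built as modules (M).
missing_mods() {
    modules_file="$1"
    missing=""
    for mod in $REQUIRED_MODS; do
        if ! awk '{ print $1 }' "$modules_file" | grep -qx "$mod"; then
            missing="$missing $mod"
        fi
    done
    missing="${missing# }"
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Run both checks against the live kernel; non-zero if anything is missing.
preflight() {
    ok=0
    algs=$(missing_algs /proc/crypto) || { echo "missing crypto algorithms: $algs" >&2; ok=1; }
    mods=$(missing_mods /proc/modules) || { echo "modules not loaded: $mods" >&2; ok=1; }
    return $ok
}

# Usage: run the preflight before starting IPsec
# preflight && /etc/init.d/ipsec start
```

The module check is the weaker of the two: `modprobe` may still be able to load a missing module, whereas an algorithm absent from /proc/crypto means the kernel was built without it and pluto will hit the assertion above.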

Configure-OCF-linux
Cryptographic options  --->
[*] Cryptographic API
[*] HMAC support
OCF Configuration --->
<*> OCF (Open Cryptograhic Framework)
<*> cryptodev (user space support)
<*> cryptosoft (software crypto engine)
<*> safenet (HW crypto engine)

openswan psk config
ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
# (parameters inside a section must be indented; a line starting in
# column 0 begins a new section)
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    plutodebug=all
    nat_traversal=yes
    interfaces="%defaultroute"

# Add connections here

# sample VPN connection
conn test
    authby=secret
    left=172.20.6.2
    leftsubnet=192.168.2.0/24
    right=172.20.6.3
    rightsubnet=192.168.3.0/24
    auto=add

# Disable Opportunistic Encryption
#include /etc/openswan/ipsec.d/examples/no_oe.conf
include /etc/ipsec.d/examples/no_oe.conf

ipsec.secrets
: PSK "1234567890"

/etc/init.d/ipsec start
ipsec auto --up <config_name>
ipsec auto --status

script
#!/bin/sh
# Pick one of the two before running: host a (left) or host b (right).
host=a
# host=b

/etc/init.d/ipsec stop; rmmod ipsec
eth0=eth0
eth1=eth1
case "$host" in
l|L|left|LEFT|a|1)
    a=2; b=3; echo host a config...;;
r|R|right|RIGHT|b|2)
    a=3; b=2; echo host b config...;;
*)
    # the original fell through here with $a and $b unset; stop instead
    echo "unknown host: $host" >&2; exit 1;;
esac

echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig $eth0 down
ifconfig $eth1 down
ifconfig $eth0 hw ether 00:$a$a:$a$a:$a$a:$a$a:00
ifconfig $eth1 hw ether 00:$a$a:$a$a:$a$a:$a$a:1

# flush every default route; the loop ends when "route del" fails because none is left
while [ $? = 0 ] ; do route del default 1>/dev/null 2>&1; done

ifconfig $eth1 172.200.6.$a
ifconfig $eth0 192.168.$a.1
route add default gw 172.200.6.$b

/etc/init.d/ipsec start

Generate the key with /dev/urandom, which is faster than /dev/random:
ipsec rsasigkey --verbose --random /dev/urandom 2192 >> /tmp/k
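Two small helpers for the ipsec.secrets side of both setups above (the PSK from "openswan psk config" and the RSA key just generated), as an added example that is not part of the original post: a random PSK scoped to the two peers instead of the wildcard ": PSK" form, a check that flags short secrets, and extraction of the "#pubkey=" line from rsasigkey output for leftrsasigkey=/rightrsasigkey= in ipsec.conf, plus wrapping the key in the ": RSA { ... }" section form ipsec.secrets(5) uses. It assumes coreutils "head" and "base64" are available and uses the peer addresses from the ipsec.conf above.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for ipsec.secrets entries.

# Generate a random PSK: N bytes from /dev/urandom, base64-encoded (default 32 bytes).
gen_psk() {
    nbytes="${1:-32}"
    head -c "$nbytes" /dev/urandom | base64 | tr -d '\n'
}

# Write a PSK entry scoped to the two peer addresses, creating the file with
# mode 600 (ipsec.secrets must not be readable by anyone but root).
# Entry format: "<left> <right> : PSK \"<secret>\""
write_psk_secret() {
    file="$1"; left="$2"; right="$3"; psk="$4"
    ( umask 077; printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" > "$file" )
    chmod 600 "$file"
}

# Report PSK entries whose secret is shorter than 20 characters (the page's
# "1234567890" is one). Prints one line per weak entry; exit status 1 if any.
weak_psks() {
    awk -F'"' '/: PSK/ && length($2) < 20 { print "line " NR ": PSK only " length($2) " chars"; weak=1 }
               END { exit weak ? 1 : 0 }' "$1"
}

# Extract the "#pubkey=0s..." value from rsasigkey output: this is the value
# to put in leftrsasigkey= / rightrsasigkey= in ipsec.conf on both peers.
pubkey_from_rsasigkey() {
    sed -n 's/^[[:space:]]*#pubkey=//p' "$1"
}

# Print the rsasigkey output wrapped in the ": RSA { ... }" section form, ready
# to be appended to ipsec.secrets.
wrap_rsa_secret() {
    printf ': RSA {\n'
    cat "$1"
    printf '}\n'
}

# Usage:
#   psk=$(gen_psk) && write_psk_secret /etc/ipsec.secrets 172.20.6.2 172.20.6.3 "$psk"
#   weak_psks /etc/ipsec.secrets
#   echo "leftrsasigkey=$(pubkey_from_rsasigkey /tmp/k)"
#   wrap_rsa_secret /tmp/k >> /etc/ipsec.secrets
```

The scoped PSK form matters once more than one connection shares the file: the wildcard ": PSK" entry applies to every peer, so a single weak secret covers all of them.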
