[myPC1 myPC2] — myRouter —— internet —– hisRouter — [hisPC1 hisPC2]
Both routers are cheap, so they have nothing like OpenWRT on them.
So the configuration, I think, has to be done on the Linux side at both ends.
So far we have tried openSwan with RSA keys and with a PSK, but after the command

    ipsec auto --up net-to-net

we get either the error "no connection named net-to-net" or the error "We cannot identify ourselves with either end of this connection."
I think we are configuring the ipsec.conf file wrong. Can someone explain how we should configure it correctly for this topology?
EDIT...
Here are some facts that may help you understand my case better.
These all come from the PSK example we tested.
My ifconfig:
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:1B:F5:1C
              inet addr:192.168.1.78  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fe1b:f51c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:829 errors:0 dropped:0 overruns:0 frame:0
              TX packets:704 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1213737 (1.1 MiB)  TX bytes:57876 (56.5 KiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:53 errors:0 dropped:0 overruns:0 frame:0
              TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3664 (3.5 KiB)  TX bytes:3664 (3.5 KiB)
His ifconfig:
              Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:4 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)

    p2p1      Link encap:Ethernet  HWaddr 08:00:27:2A:F1:F5
              inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe2a:f1f5/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:21104 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12458 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:16079321 (15.3 MiB)  TX bytes:1012204 (988.4 KiB)
For the ipsec.conf file, we both use exactly the same file, and we have also put it in /etc/init.d:
    version 2.0
    config setup
        protostack=netkey
        nat_traversal=yes
        #virtual_private=
        oe=off
    conn net-to-net
        authby=secret                # Key exchange method
        left=212.251.112.115         # Public Internet IP address of the
        leftsubnet=10.0.2.0/24       # Subnet protected by the LEFT VPN device
        leftnexthop=%defaultroute    # correct in many situations
        right=79.103.7.114           # Public Internet IP address of
        rightsubnet=192.168.1.0/24   # Subnet protected by the RIGHT VPN device
        rightnexthop=%defaultroute   # correct in many situations
        auto=start                   # authorizes and starts this connection
We also use exactly the same ipsec.secrets, which we have both put in /etc/init.d:

    212.251.112.115 79.103.7.114 : PSK "123"
We got these IPs with curl ifconfig.me.
After finishing the configuration we run:

    service ipsec restart
    ipsec verify
We both get the same failure message about send_redirects, which refuses to change to 0:
    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                             [OK]
    Linux Openswan U2.6.37/K3.1.0-7.fc16.x86_64 (netkey)
    Checking for IPsec support in kernel                        [OK]
    SAref kernel support                                        [N/A]
    NETKEY: Testing XFRM related proc values                    [Failed]
      Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects!
                                                                [Failed]
      Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects!
                                                                [OK]
    Checking that pluto is running                              [OK]
    Pluto listening for IKE on udp 500                          [OK]
    Pluto listening for NAT-T on udp 4500                       [OK]
    Checking for 'ip' command                                   [OK]
    Checking /bin/sh is not /bin/dash                           [OK]
    Checking for 'iptables' command                             [OK]
    Opportunistic Encryption Support                            [DISABLED]
Then we go on with

    ipsec auto --up net-to-net

and we both get

    022 "net-to-net": We cannot identify ourselves with either end of this connection.

I don't know whether it helps, maybe you have already spotted what is wrong, but here is the last thing, the status of ipsec:
    ipsec auto --status
    000 using kernel interface: netkey
    000 interface lo/lo ::1
    000 interface lo/lo 127.0.0.1
    000 interface lo/lo 127.0.0.1
    000 interface eth0/eth0 192.168.1.78
    000 interface eth0/eth0 192.168.1.78
    000 %myid = (none)
    000 debug none
    000
    000 virtual_private (%priv):
    000 - allowed 0 subnets:
    000 - disallowed 0 subnets:
    000 WARNING: Either virtual_private= is not specified, or there is a Syntax
    000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
    000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
    000 private address space in internal use, it should be excluded!
    000
    000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
    000 algorithm ESP encrypt: id=3, name=ESP_3DES, keysizemin=192, keysizemax=192
    000 algorithm ESP encrypt: id=6, name=ESP_CAST, keysizemin=40, keysizemax=128
    000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, keysizemax=448
    000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
    000 algorithm ESP encrypt: id=12, name=ESP_AES, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, keysizemin=160, keysizemax=288
    000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, keysizemax=256
    000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, keysizemax=256
    000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, keysizemax=256
    000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, keysizemax=256
    000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, keysizemax=256
    000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, keysizemax=256
    000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, keysizemax=256
    000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, keysizemax=256
    000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, keysizemax=256
    000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemax=128
    000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemax=160
    000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
    000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
    000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
    000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemax=160
    000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemax=128
    000 algorithm ESP auth attr: id=251, name=(null), keysizemax=0
    000
    000 algorithm IKE encrypt: id=0, blocksize=16, keydeflen=131
    000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
    000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, keydeflen=128
    000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
    000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
    000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
    000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
    000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
    000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
    000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
    000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
    000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
    000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
    000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
    000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
    000
    000 stats db_ops: {curr_cnt,total_cnt,maxsz} :context={0,0} trans={0,0} attrs={0,0}
    000
    000 "net-to-net": 10.0.2.0/24===212.251.112.115<212.251.112.115>[+S=C]---192.168.1.254...192.168.1.254---79.103.7.114<79.103.7.114>[+S=C]===192.168.1.0/24; unrouted; eroute owner: #0
    000 "net-to-net":     myip=unset; hisip=unset;
    000 "net-to-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "net-to-net":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: ;
    000 "net-to-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
One more question: how does the NETKEY [Failed] problem get fixed, if it needs fixing at all!

Solution
Before anything else, the fact that you don't get a static public address for each internet connection is a problem. IPSec does not easily support tunnels in that configuration [1], so every time either of your addresses changes you will end up editing your ipsec.conf. OK?
Now, when I asked you whether each OpenSWAN endpoint had a public IP address and you confidently said "yes", it turns out, I suspect, that you were wrong. Your ifconfig output shows one end with the address 192.168.1.78 and the other with 10.0.2.15. You also tell me that one end is (currently) behind the public IP address 212.251.112.115 and the other behind 79.103.7.114. You don't say which is which, so I'll assume that 192.168.1.78 is behind 212.251.112.115 and that 10.0.2.15 is behind 79.103.7.114. If that's wrong, just reverse the correspondence. I'll also call the former pair the left pair and the latter the right pair. It makes no difference, but it will help us keep our thinking straight, which is a very good idea right now.
You need to set up the public router at each end to forward UDP/500 and protocols 50 and 51 (the latter only for completeness) to the OpenSWAN endpoint behind that public address. If you can't manage the two protocol pass-throughs, then also read the doco on NAT traversal and forward UDP/4500 as well.
First, each end has to find its own IP address in the configuration, so that each end can tell at startup whether it is left or right. So the left side needs an ipsec.conf containing
    conn net-to-net
        authby=secret
        left=192.168.1.78
        leftsubnet=192.168.1.0/24
        leftnexthop=%defaultroute
        right=79.103.7.114
        rightsubnet=10.0.2.0/24
and an ipsec.secrets saying

    192.168.1.78 79.103.7.114: PSK "123"

The right side must have an ipsec.conf containing
    conn net-to-net
        authby=secret
        left=212.251.112.115
        leftsubnet=192.168.1.0/24
        right=10.0.2.15
        rightsubnet=10.0.2.0/24
        rightnexthop=%defaultroute
and an ipsec.secrets saying

    10.0.2.15 212.251.112.115: PSK "123"

Each end needs to know who it really is, while it can pretend not to care whether the remote end is behind NAT. See?
Also, you will need to configure all the clients at each end so that they have a route to the remote RFC1918 network via the local OpenSWAN endpoint. You will need to check that /proc/sys/net/ipv4/ip_forward is set to 1 on each endpoint. At least for now, turning off any firewall on both endpoints is a very good idea. You may also need to turn on some configuration variables that tell each endpoint not to care that the remote endpoint thinks it has an IP address different from the one the local endpoint thinks it has; from memory these are leftid= and rightid=, but you will have to work that out for yourself.
That's the basics. If you get the basic topology and concepts right, the rest is just debugging detail. Good luck.
[1] This isn't entirely true. The SWAN implementations support opportunistic IPSec encryption, but that requires you to control reverse DNS at both ends, which I'm guessing you don't. If you want to know more about that, again, read the man pages.
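As an added example (my own code, not from the question or the answer), a preflight script for one OpenSwan endpoint that checks the two things this thread turns on: that left= or right= in the conn names an address the host really owns, which is what the "cannot identify ourselves with either end" error is complaining about when the public address is really the router's, and that the send_redirects/accept_redirects and ip_forward proc values are the way `ipsec verify` and the answer want them. Function names are mine, and the proc root is a parameter so the checks can be exercised against a scratch directory rather than the live /proc.

```shell
#!/bin/sh
# Added example (not from the question or answer): preflight checks for one
# OpenSwan net-to-net endpoint. Names are mine; the proc root is a parameter.

# Print the left= and right= values of one conn block in an ipsec.conf.
conn_ends() {  # $1 = ipsec.conf path, $2 = conn name
    sed -n "/^conn[[:space:]]\{1,\}$2[[:space:]]*\$/,/^conn/p" "$1" |
        sed -n -e 's/^[[:space:]]*left=\([^ #]*\).*/\1/p' \
               -e 's/^[[:space:]]*right=\([^ #]*\).*/\1/p'
}

# Pluto reports "cannot identify ourselves with either end" when neither
# left= nor right= is an address this host owns; the public address that the
# router holds on your behalf does not count. $3 = this host's IPv4 list.
identifies_self() {  # $1 = ipsec.conf path, $2 = conn name, $3 = addresses
    for end in $(conn_ends "$1" "$2"); do
        for addr in $3; do
            [ "$end" = "$addr" ] && return 0
        done
    done
    return 1
}
local_ipv4s() {  # addresses actually configured on this host, via iproute2
    ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# The proc values `ipsec verify` flagged, plus ip_forward=1 for a gateway.
sysctls_ok() {  # $1 = proc root, /proc on a real host
    for f in "$1"/sys/net/ipv4/conf/*/send_redirects \
             "$1"/sys/net/ipv4/conf/*/accept_redirects; do
        [ -f "$f" ] || continue
        [ "$(cat "$f")" = 0 ] || { echo "must be 0: $f"; return 1; }
    done
    [ "$(cat "$1/sys/net/ipv4/ip_forward")" = 1 ] || { echo "must be 1: ip_forward"; return 1; }
}

# What the two [Failed] lines ask for; on /proc this needs root and is lost
# on reboot unless the same settings also go into /etc/sysctl.conf.
disable_redirects() {  # $1 = proc root
    for f in "$1"/sys/net/ipv4/conf/*/send_redirects \
             "$1"/sys/net/ipv4/conf/*/accept_redirects; do
        [ -f "$f" ] && echo 0 > "$f"
    done
    return 0
}
case "${1:-}" in  # run the real checks only when asked: ./preflight.sh --check
    --check) sysctls_ok /proc && identifies_self /etc/ipsec.conf net-to-net "$(local_ipv4s)" &&
             echo "preflight ok" ;;
esac
```

Run with `--check` on each endpoint after editing ipsec.conf; a silent exit without "preflight ok" means one of the printed conditions still needs fixing before `ipsec auto --up` is worth retrying.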