FreeBSD point-to-point IPsec VPN
Use FreeBSD gateways to set up a VPN between two networks that are separated by the Internet, so that the two networks can reach each other through the VPN tunnel. IPsec is a protocol built on top of the Internet Protocol (IP) layer that lets two or more hosts communicate securely. IPsec can either encrypt network traffic directly between hosts (transport mode), or build a "virtual tunnel" between two subnets for secure communication between the two networks (tunnel mode). The latter is more commonly called a Virtual Private Network (VPN).

1. Building the kernel
-------------------------------
# To build IPsec support into the kernel, add the following options to the kernel configuration file:
options   IPSEC          # IP security
options   IPSEC_ESP
device    crypto

# If IPsec debugging support is needed, also add:
options   IPSEC_DEBUG    # debug for IP security
device    gif            # IPv6 and IPv4 tunneling (the gif interface used below)
# Then rebuild and install the kernel.

2. VPN configuration
---------------------------------
# Install security/ipsec-tools (from the source tarball)
server1# tar -jxvf ipsec-tools-0.8-alpha20090422.tar.bz2
server1# cd ipsec-tools-0.8-alpha20090422
server1# ./configure
server1# make; make install

# Create the gif tunnel interface on each gateway. The first ifconfig line sets the inner
# (private) addresses of the two gateways; the "tunnel" line sets the outer (public) endpoints
# that the Internet routes between.
server1:
server1# ifconfig gif0 create
server1# ifconfig gif0 10.10.10.100 172.16.16.100
server1# ifconfig gif0 tunnel 222.11.33.23 222.11.34.56
server2:
server2# ifconfig gif0 create
server2# ifconfig gif0 172.16.16.100 10.10.10.100
server2# ifconfig gif0 tunnel 222.11.34.56 222.11.33.23

# Once this is done, the two private IP addresses should be able to reach each other, as the ping output below shows:
server1# ping 172.16.16.100
PING 172.16.16.100 (172.16.16.100): 56 data bytes
64 bytes from 172.16.16.100: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.100: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.100: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.100: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.100 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms
server2# ping 10.10.10.100
PING 10.10.10.100 (10.10.10.100): 56 data bytes
64 bytes from 10.10.10.100: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.100: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.100: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.100: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.100: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.100 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms

# Add routes so that the private network behind each gateway is reachable from the other side
server1:
server1# route add 172.16.16.0 172.16.16.100 255.255.255.0
add net 172.16.16.0: gateway 172.16.16.100
server2:
server2# route add 10.10.10.0 10.10.10.100 255.255.255.0
add net 10.10.10.0: gateway 10.10.10.100

# With the routes in place, the remote internal network is reachable both from the gateway itself and from the hosts behind it:
server1# ping 172.16.16.23
PING 172.16.16.23 (172.16.16.23): 56 data bytes
64 bytes from 172.16.16.23: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.23: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.23: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.23: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.23 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms
server2# ping 10.10.10.16
PING 10.10.10.16 (10.10.10.16): 56 data bytes
64 bytes from 10.10.10.16: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.16: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.16: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.16: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.16: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.16 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms
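The gif0 parameters have to be exact mirror images on the two gateways, and the private gateway addresses have to go to `ifconfig gif0` while the public addresses go to `ifconfig gif0 tunnel`; getting the two backwards is a common mistake that only shows up when the pings above fail. The following POSIX sh script is an added example, not part of the original post: it takes both gateways' parameters, checks the mirror relationship, checks that neither tunnel endpoint is an RFC 1918 address, and prints the ifconfig commands for each side. The addresses are the ones used on this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the gif0 parameters of both
# gateways before running the ifconfig commands. Each side is given as
#   <inner_local> <inner_remote> <outer_local> <outer_remote>
# where "inner" are the addresses passed to "ifconfig gif0 A B" and "outer" the
# addresses passed to "ifconfig gif0 tunnel A B".

# Succeeds (returns 0) when $1 is an RFC 1918 address: 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*)      return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            second=$(printf '%s' "$1" | cut -d. -f2)
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
            return 1 ;;
    esac
    return 1
}

# check_gif A_inner_local A_inner_remote A_outer_local A_outer_remote \
#           B_inner_local B_inner_remote B_outer_local B_outer_remote
# Prints one line per problem and returns the number of problems (0 means consistent).
check_gif() {
    problems=0
    # Side B must be the mirror image of side A: B's local is A's remote and vice versa.
    if [ "$5" != "$2" ] || [ "$6" != "$1" ]; then
        echo "inner addresses are not mirror images: A=$1 $2, B=$5 $6"
        problems=$((problems + 1))
    fi
    if [ "$7" != "$4" ] || [ "$8" != "$3" ]; then
        echo "tunnel endpoints are not mirror images: A=$3 $4, B=$7 $8"
        problems=$((problems + 1))
    fi
    # The outer endpoints are what the Internet routes, so they cannot be private addresses.
    for ep in "$3" "$4"; do
        if is_rfc1918 "$ep"; then
            echo "tunnel endpoint $ep is an RFC 1918 address: public and private addresses look swapped"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Prints the three ifconfig commands for one side, in the order used on this page.
gif_commands() {
    printf 'ifconfig gif0 create\nifconfig gif0 %s %s\nifconfig gif0 tunnel %s %s\n' "$1" "$2" "$3" "$4"
}

# The addresses of this page: private gateway addresses inside, public addresses as tunnel endpoints.
if check_gif 10.10.10.100 172.16.16.100 222.11.33.23 222.11.34.56 \
             172.16.16.100 10.10.10.100 222.11.34.56 222.11.33.23; then
    echo "server1:"; gif_commands 10.10.10.100 172.16.16.100 222.11.33.23 222.11.34.56
    echo "server2:"; gif_commands 172.16.16.100 10.10.10.100 222.11.34.56 222.11.33.23
fi

# The same addresses with the roles swapped (public inside, private as tunnel endpoints) are flagged.
check_gif 222.11.33.23 222.11.34.56 10.10.10.100 172.16.16.100 \
          222.11.34.56 222.11.33.23 172.16.16.100 10.10.10.100 || echo "$? problem(s) found"
```

Run it on each gateway before typing the ifconfig lines; a non-zero return from `check_gif` means the tunnel would come up with the wrong endpoints (or not at all) and the pings above would fail.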

3. Encrypting the tunnel
------------------------------------------------------
# Encrypt the tunnel with a pre-shared key (PSK) so that the data crossing it is protected.
# This uses security/ipsec-tools (racoon and setkey), installed above.
server1# vi /usr/local/etc/racoon/racoon.conf      # the file is almost identical on both gateways; only the addresses are swapped

path    pre_shared_key  "/usr/local/etc/racoon/psk.txt";   # location of pre-shared key file
log     debug;          # log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listen on
{
        isakmp          222.11.33.23 [500];
        isakmp_natt     222.11.33.23 [4500];
}

remote  222.11.34.56 [500]
{
        exchange_mode   main,aggressive;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address 222.11.33.23;
        peers_identifier        address 222.11.34.56;
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
#       nat_traversal   off;
        generate_policy off;

        proposal {
                encryption_algorithm    blowfish;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                lifetime time           30 sec;
                dh_group                1;
        }
}

sainfo  (address 10.10.10.0/24 any address 172.16.16.0/24 any)    # address $network/$netmask $type address $network/$netmask $type ($type being any or esp)
{                               # $network must be the two internal networks you are joining.
        pfs_group       1;
        lifetime        time    36000 sec;
        encryption_algorithm    blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm   deflate;
}
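The phase 1 proposal and the sainfo block above date from 2009 and choose algorithms that are no longer considered adequate: DES, 3DES and Blowfish (a 56-bit key or a 64-bit block), MD5 and HMAC-MD5, and Diffie-Hellman group 1 (768-bit MODP). They also allow aggressive mode together with a pre-shared key, an IKEv1 combination in which the exchange exposes a PSK-derived hash that can be guessed offline. The following POSIX sh script is an added example, not part of the original post or of ipsec-tools: `audit_racoon` scans a racoon.conf for those settings and prints one line per finding, and `audit_count` returns the number of findings so that a deployment script can refuse a weak configuration. The two sample files it writes are constructed here: the first mirrors the proposal lines of the config above, the second is a hardened equivalent using values that ipsec-tools documents as supported (aes, sha256, hmac_sha256, dh_group and pfs_group 14).

```shell
#!/bin/sh
# Added example, not part of the original post or of ipsec-tools: audit a racoon.conf for
# settings that weaken the tunnel. Flagged: DES, 3DES and Blowfish ciphers; MD5 and HMAC-MD5;
# DH/PFS groups 1 and 2; aggressive mode combined with a pre-shared key.

# audit_racoon FILE: prints one line per finding (nothing when the file is clean).
audit_racoon() {
    awk '
    function check(key, val) {
        if (key == "encryption_algorithm" && (val == "des" || val == "3des" || val == "blowfish"))
            print "weak cipher " val " in " key " (prefer aes)"
        if ((key == "hash_algorithm" && val == "md5") || (key == "authentication_algorithm" && val == "hmac_md5"))
            print "weak hash " val " in " key " (prefer sha256 / hmac_sha256)"
        if ((key == "dh_group" || key == "pfs_group") &&
            (val == "1" || val == "2" || val == "modp768" || val == "modp1024"))
            print "weak DH group " val " in " key " (prefer 14 / modp2048 or higher)"
        if (key == "exchange_mode" && val == "aggressive") aggressive = 1
        if (key == "authentication_method" && val == "pre_shared_key") psk = 1
    }
    { sub(/#.*/, ""); sub(/;/, "") }       # drop comments and the statement terminator
    NF < 2 { next }                          # braces, blank lines, bare keywords
    {
        for (i = 2; i <= NF; i++) {          # values may be a comma-separated list
            n = split(tolower($i), v, ",")
            for (j = 1; j <= n; j++) check($1, v[j])
        }
    }
    END {
        if (aggressive && psk)
            print "aggressive mode with pre_shared_key: the IKE exchange exposes a PSK-derived hash to offline guessing (use main mode only)"
    }' "$1"
}

# audit_count FILE: prints the number of findings.
audit_count() {
    audit_racoon "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the proposal and sainfo settings of the racoon.conf above.
WEAK=${TMPDIR:-/tmp}/racoon-audit-weak.conf
cat > "$WEAK" <<'EOF'
path    pre_shared_key  "/usr/local/etc/racoon/psk.txt";
remote  222.11.34.56 [500]
{
        exchange_mode   main,aggressive;
        proposal {
                encryption_algorithm    blowfish;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                dh_group                1;
        }
}
sainfo  (address 10.10.10.0/24 any address 172.16.16.0/24 any)   # the two internal networks
{
        pfs_group       1;
        encryption_algorithm    blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
}
EOF

# Constructed sample 2: the same structure with algorithms ipsec-tools documents as supported.
STRONG=${TMPDIR:-/tmp}/racoon-audit-strong.conf
cat > "$STRONG" <<'EOF'
remote  222.11.34.56 [500]
{
        exchange_mode   main;
        proposal {
                encryption_algorithm    aes;
                hash_algorithm          sha256;
                authentication_method   pre_shared_key;
                dh_group                14;
        }
}
sainfo  (address 10.10.10.0/24 any address 172.16.16.0/24 any)
{
        pfs_group       14;
        encryption_algorithm    aes;
        authentication_algorithm        hmac_sha256;
}
EOF

echo "findings in $WEAK: $(audit_count "$WEAK")"; audit_racoon "$WEAK"
echo "findings in $STRONG: $(audit_count "$STRONG")"
```

The weak sample produces nine findings (three from the phase 1 proposal, five from the sainfo block, one for aggressive mode with a PSK); the hardened sample produces none. The script only checks algorithm choices, not that the peer accepts them, so after changing a proposal still watch `racoon -F` output on both gateways for a completed phase 1 and phase 2.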
server1# vi /usr/local/etc/racoon/setkey.conf

flush;
spdflush;
# To the home network
# (policy level "use": traffic is protected when an SA exists and passes unprotected otherwise; "require" would refuse to send it in the clear)
spdadd 10.10.10.0/24 172.16.16.0/24 any -P out ipsec esp/tunnel/222.11.33.23-222.11.34.56/use;
spdadd 172.16.16.0/24 10.10.10.0/24 any -P in ipsec esp/tunnel/222.11.34.56-222.11.33.23/use;

# Once this is done, start racoon on both gateways with the following commands:
server1# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
server2# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf

# Confirm that the tunnel is actually working (ESP packets between the two public addresses should appear):
server1# tcpdump -i em0 host 222.11.33.23 and dst 222.11.34.56

4. Firewall settings
------------------------------------------------
# ipfw rules
ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any

# pf rules
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any

# Start VPN support when the machine boots
server1# vi /etc/rc.conf

ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"   # allows setting up spd policies on boot
racoon_enable="yes"
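The ipfw and pf rules above admit ESP, AH, ipencap and IKE from any address, so every host on the Internet can reach the IKE daemon and the decapsulation path on the gateway. IKE, NAT-T and ESP only ever have to flow between the two gateway addresses, and gif0 only ever carries the two joined networks. The following POSIX sh script is an added example, not part of the original post: `ipsec_pf_rules` generates a pf rule set scoped that way from the external interface, the two public addresses and the two networks, and `count_any_endpoints` counts how many rules in a file are still open to `any`. It keeps the protocols from the page and adds UDP 4500, on which the racoon.conf above listens for NAT-T; `em0` is assumed as the external interface, as in the tcpdump command above. The same scoping applies to the ipfw rules.

```shell
#!/bin/sh
# Added example, not part of the original post: build a pf rule set for one IPsec gateway
# that admits IKE, NAT-T, ESP, AH and gif encapsulation only between the two gateway
# addresses, and only the two joined networks across gif0, instead of "from any to any".

# ipsec_pf_rules EXT_IF LOCAL_PUBLIC PEER_PUBLIC LOCAL_NET REMOTE_NET
ipsec_pf_rules() {
    ext=$1; me=$2; peer=$3; lnet=$4; rnet=$5
    cat <<EOF
# IKE (ISAKMP, UDP 500) and NAT-T (UDP 4500) only between the two gateways
pass in quick on $ext proto udp from $peer port 500 to $me port 500
pass out quick on $ext proto udp from $me port 500 to $peer port 500
pass in quick on $ext proto udp from $peer port 4500 to $me port 4500
pass out quick on $ext proto udp from $me port 4500 to $peer port 4500
# ESP and AH carry the protected traffic; ipencap (protocol 4) is the gif encapsulation
# that the "use" level policy lets through unprotected while no SA exists
pass in quick on $ext proto esp from $peer to $me
pass out quick on $ext proto esp from $me to $peer
pass in quick on $ext proto ah from $peer to $me
pass out quick on $ext proto ah from $me to $peer
pass in quick on $ext proto ipencap from $peer to $me
pass out quick on $ext proto ipencap from $me to $peer
# decapsulated traffic on gif0: only the two internal networks
pass in quick on gif0 from $rnet to $lnet
pass out quick on gif0 from $lnet to $rnet
EOF
}

# count_any_endpoints FILE: number of rules whose source or destination is still "any"
count_any_endpoints() {
    grep -Ec 'from any|to any' "$1" || true
}

# Constructed copy of the pf rules shown on this page, for comparison.
PAGE_RULES=${TMPDIR:-/tmp}/pf-ipsec-page.conf
cat > "$PAGE_RULES" <<'EOF'
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any
EOF

# Generated rule set for server1 (em0 is assumed as the external interface, as in the tcpdump command).
SCOPED_RULES=${TMPDIR:-/tmp}/pf-ipsec-scoped.conf
ipsec_pf_rules em0 222.11.33.23 222.11.34.56 10.10.10.0/24 172.16.16.0/24 > "$SCOPED_RULES"

echo "rules open to any address: page $(count_any_endpoints "$PAGE_RULES"), scoped $(count_any_endpoints "$SCOPED_RULES")"
cat "$SCOPED_RULES"
```

On server2 call `ipsec_pf_rules` with the two public addresses and the two networks swapped. Check the generated file with `pfctl -nf` before loading it, and keep the `log` keyword on the ESP and IKE rules if the same visibility as the ipfw rules above is wanted.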
Reposted from: https://blog.51cto.com/kerry/239106