Connect two local area networks with a FreeBSD IPsec tunnel

xiaoxiao, 2021-03-06

Recompiled by Shi Yong; originally adapted from: http://www.freebsdiary.org/ipsec-tunnel.php. In practice you often need to connect two local area networks that sit at different locations. A FreeBSD IPsec tunnel does this easily and with good security, so this article shows how to connect two LANs that way. The network layout is assumed to be as follows (the original diagram is not reproduced here; the addresses are the ones used in the script below): BSD1 has LAN address 192.168.1.1 on 192.168.1.0/24 and public address 172.16.1.254; BSD2 has LAN address 192.168.2.1 on 192.168.2.0/24 and public address 172.17.1.254.

Both FreeBSD machines act as the firewall for their own subnet, and IPsec support must be compiled into their kernels. The relevant kernel configuration options are:

# IP security (crypto; define w/ IPSEC)
options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG

# Generic tunnel interface
pseudo-device   gif     4

# Berkeley packet filter, used by the DHCP server
pseudo-device   bpf     4

# Firewall flags
options         IPFIREWALL
options         IPDIVERT
options         IPFILTER
options         IPFILTER_LOG

Rebuild and install the kernel.

To enable routing and the firewall, add the following options to /etc/rc.conf:

gateway_enable="YES"
defaultrouter="172.x.1.110"        # the default router supplied by the access provider
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="rl0"               # the external network card of this machine
named_enable="YES"

Note that firewall_type="open" installs a rule set that lets all traffic through; it is used here so that the firewall cannot interfere while the tunnel is being set up. Once the tunnel works, replace it with a restrictive rule set that still permits IKE (UDP port 500) and ESP (IP protocol 50) between the two public addresses.

To have the two FreeBSD machines exchange IPsec keys automatically, install racoon from the ports tree (/usr/ports/security/racoon). Its configuration file is /usr/local/etc/racoon/racoon.conf and its pre-shared key file is /usr/local/etc/racoon/psk.txt. Start /usr/local/sbin/racoon at system startup.

The configuration file does not need to be modified; only the key file needs editing, as follows:

# /usr/local/etc/racoon/psk.txt
# IPv4/v6 addresses
#
192.168.1.1 foobar
192.168.2.1 foobar

The key file must have mode 0600, otherwise racoon refuses to run:

# chown root:wheel /usr/local/etc/racoon/psk.txt
# chmod 0600 /usr/local/etc/racoon/psk.txt

Two things to check here. First, "foobar" is only a placeholder: the pre-shared key is the only thing authenticating the peer, so use a long random string (and the same string on both ends). Second, racoon selects the entry by the peer's IKE identifier, which by default is the address its IKE packets arrive from; because the tunnel endpoints in the script below are the public addresses, make sure the entry for the remote end matches the address it actually negotiates from.
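The following shell script is an added example, not part of the original article or of racoon: it writes a psk.txt with a random 256-bit key for each peer and then checks the two properties described above, the 0600 mode racoon insists on and a key that is not a short dictionary word. The peer addresses it is given in the usage line (172.16.1.254 and 172.17.1.254) are this article's public tunnel endpoints, on the assumption that the peers identify themselves by address; the output path is an assumption for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): build and sanity-check a
# racoon psk.txt.  The output path and peer addresses are demo assumptions.

# 32 random bytes from /dev/urandom, printed as 64 hex characters.
gen_psk() {
    od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# Write one "<peer> <key>" line per peer to $1, all sharing a fresh key.
# The file is created under umask 077 and then chmod'ed, so the key is
# never world-readable even for a moment.
build_psk_file() {
    out=$1; shift
    key=$(gen_psk)
    (umask 077; : > "$out")
    chmod 0600 "$out"
    for peer in "$@"; do
        printf '%s %s\n' "$peer" "$key" >> "$out"
    done
}

# Return 0 only if $1 is mode 0600 and every key is at least $2 (default 20)
# characters long; each failure is reported on stderr.
check_psk_file() {
    f=$1
    min=${2:-20}
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "FAIL: $f has mode $mode; racoon requires exactly 0600" >&2
        return 1
    fi
    status=0
    while read -r peer key; do
        case $peer in ''|\#*) continue ;; esac   # skip blank and comment lines
        if [ "${#key}" -lt "$min" ]; then
            echo "FAIL: key for $peer is ${#key} characters, want at least $min" >&2
            status=1
        fi
    done < "$f"
    return $status
}

# Usage (demo path, not the live racoon file):
# build_psk_file /tmp/psk.txt 172.16.1.254 172.17.1.254 && check_psk_file /tmp/psk.txt
```

Run check_psk_file against the real /usr/local/etc/racoon/psk.txt after editing it; a file that fails the mode test is exactly the one racoon will refuse, and a file that fails the length test is the "foobar" situation above.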

To bring up the IPsec tunnel at boot and join the two internal networks, use the following shell script, saved as /usr/local/etc/rc.d/tunnel.sh:

#!/bin/sh
#
# /usr/local/etc/rc.d/tunnel.sh: bring up the gif tunnel and load the IPsec
# policies for whichever end of the tunnel this machine is.

BSD1_IP="192.168.1.1"            # BSD1 LAN address (inner tunnel address)
BSD1_PUB_IP="172.16.1.254"       # BSD1 public address (outer tunnel endpoint)
BSD1_NET="192.168.1.0/24"
BSD2_IP="192.168.2.1"
BSD2_PUB_IP="172.17.1.254"
BSD2_NET="192.168.2.0/24"
GIF0="gif0 inet"
GIFCONFIG="/usr/sbin/gifconfig"  # FreeBSD 5 and later: "ifconfig gif0 tunnel" instead
IFCONFIG="/sbin/ifconfig"
HOSTNAME=`/bin/hostname`
NETMASK="255.255.255.0"

printf '\nStarting IPsec tunnel ...\n'

# The patterns must match /bin/hostname output exactly (case matters here).
case $HOSTNAME in
bsd1.test.com)
	# outer (public) endpoints first, then the inner point-to-point addresses
	$GIFCONFIG $GIF0 $BSD1_PUB_IP $BSD2_PUB_IP
	$IFCONFIG $GIF0 $BSD1_IP $BSD2_IP netmask $NETMASK
	# flush the policy database and the SA database, then load our policies
	/usr/sbin/setkey -FP
	/usr/sbin/setkey -F
	/usr/sbin/setkey -c << EOF
spdadd $BSD1_NET $BSD2_NET any -P out ipsec esp/tunnel/${BSD1_PUB_IP}-${BSD2_PUB_IP}/require;
spdadd $BSD2_NET $BSD1_NET any -P in ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD1_PUB_IP}/require;
EOF
	# send the remote LAN out through gif0
	/sbin/route add $BSD2_NET $BSD1_IP
	;;
bsd2.test.com)
	$GIFCONFIG $GIF0 $BSD2_PUB_IP $BSD1_PUB_IP
	$IFCONFIG $GIF0 $BSD2_IP $BSD1_IP netmask $NETMASK
	/usr/sbin/setkey -FP
	/usr/sbin/setkey -F
	/usr/sbin/setkey -c << EOF
spdadd $BSD2_NET $BSD1_NET any -P out ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD1_PUB_IP}/require;
spdadd $BSD1_NET $BSD2_NET any -P in ipsec esp/tunnel/${BSD1_PUB_IP}-${BSD2_PUB_IP}/require;
EOF
	/sbin/route add $BSD1_NET $BSD2_IP
	;;
esac

The basic configuration is now complete. Once both machines are up, racoon negotiates the keys automatically as soon as traffic matches the policies, and the tunnel is established. To verify it, run setkey -DP on each end to list the loaded policies, send a ping from a host on one LAN to a host on the other, and then run setkey -D: after racoon has negotiated, it shows the ESP security associations between the two public addresses. The "require" level in the policies means that LAN-to-LAN traffic is dropped rather than sent in the clear while no association exists, which is what you want for a site-to-site link.
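As an added example, not part of the original article or of tunnel.sh, the script below is a dry-run generator for the procedure above: it prints the commands tunnel.sh would run on a given host and checks that the outbound policy of one end is the mirror image of the inbound policy of the other, which is the property the two case branches must preserve. Hostnames (bsd1.test.com, bsd2.test.com) and addresses are the ones the article assumes; nothing here touches the kernel, so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original article or tunnel.sh): print the plan
# for each tunnel end and check that both ends agree.  Hostnames and addresses
# are the article's assumed values.

BSD1_HOST="bsd1.test.com"; BSD1_IP="192.168.1.1"; BSD1_PUB_IP="172.16.1.254"; BSD1_NET="192.168.1.0/24"
BSD2_HOST="bsd2.test.com"; BSD2_IP="192.168.2.1"; BSD2_PUB_IP="172.17.1.254"; BSD2_NET="192.168.2.0/24"
NETMASK="255.255.255.0"

# The two SPD entries one host needs.  Arguments: local net, remote net,
# local tunnel endpoint, remote tunnel endpoint.  "require" makes the kernel
# drop LAN-to-LAN traffic while no SA exists instead of sending it in clear.
spd_policies() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$4" "$3"
}

# Full command list for one host, chosen by hostname the way tunnel.sh does.
# Prints nothing and returns 1 for a hostname that is not a tunnel end.
tunnel_commands() {
    case "$1" in
        "$BSD1_HOST") lip=$BSD1_IP; lpub=$BSD1_PUB_IP; lnet=$BSD1_NET
                      rip=$BSD2_IP; rpub=$BSD2_PUB_IP; rnet=$BSD2_NET ;;
        "$BSD2_HOST") lip=$BSD2_IP; lpub=$BSD2_PUB_IP; lnet=$BSD2_NET
                      rip=$BSD1_IP; rpub=$BSD1_PUB_IP; rnet=$BSD1_NET ;;
        *) return 1 ;;
    esac
    echo "gifconfig gif0 inet $lpub $rpub"
    echo "ifconfig gif0 inet $lip $rip netmask $NETMASK"
    echo "setkey -FP"
    echo "setkey -F"
    echo "setkey -c <<EOF"
    spd_policies "$lnet" "$rnet" "$lpub" "$rpub"
    echo "EOF"
    echo "route add $rnet $lip"
}

# The out policy on one end must equal the in policy on the other apart from
# the direction keyword (same nets, same endpoint order); otherwise one kernel
# rejects what the other sends.  Returns 0 when both pairs match.
check_mirror() {
    a=$(tunnel_commands "$BSD1_HOST") || return 1
    b=$(tunnel_commands "$BSD2_HOST") || return 1
    out1=$(printf '%s\n' "$a" | grep -- '-P out' | sed 's/-P out/-P in/')
    in2=$(printf '%s\n' "$b" | grep -- '-P in')
    out2=$(printf '%s\n' "$b" | grep -- '-P out' | sed 's/-P out/-P in/')
    in1=$(printf '%s\n' "$a" | grep -- '-P in')
    [ "$out1" = "$in2" ] && [ "$out2" = "$in1" ]
}

# Usage: show the plan for this machine, then confirm both ends agree.
tunnel_commands "$(hostname 2>/dev/null)" \
    || echo "this host is not one of the tunnel ends; try: tunnel_commands $BSD1_HOST" >&2
check_mirror && echo "SPD entries on both ends are mirror images"
```

Compare the printed plan with the output of setkey -DP on the real host after tunnel.sh has run; any difference in the nets or in the endpoint order of the esp/tunnel part is the usual reason one direction of the tunnel silently drops packets.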

Please credit the original source when reposting: https://www.9cbs.com/read-124687.html
