FreeS/WAN 2.04 X509 (Red Hat 9.0, kernel 2.4.20-8)
(Left LAN = 192.168.0.0/24) -- (Left GW: eth0 = 192.168.0.1, eth1 = 192.168.133.151) -- 192.168.133.1
(Right LAN = 192.168.1.0/24) -- (Right GW: eth0 = 192.168.1.1, eth1 = 192.168.133.47) -- 192.168.133.1
Before the tunnel is brought up, the two GWs can reach each other, but the LAN on each side cannot reach the other side. Enable IP forwarding on both GWs:
    # echo 1 > /proc/sys/net/ipv4/ip_forward
Generating certificates --- do the following on the Left GW host

Generate the CA root certificate:
    # /usr/share/ssl/misc/CA -newca
Press Enter directly at the first prompt, enter a password (000000 here; choose your own) and fill in the requested fields. This produces the following files:
    /usr/share/ssl/misc/demoCA/cacert.pem           root certificate
    /usr/share/ssl/misc/demoCA/private/cakey.pem    root certificate private key

Copy the root certificate to the FreeS/WAN working directory:
    # cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/ipsec.d/cacerts/cacert.pem

Generate the certificate of the Left host:
    # /usr/share/ssl/misc/CA -newreq     (generates the private key and request; password: 111111)
    # /usr/share/ssl/misc/CA -sign       (signs the certificate with the CA root)
Move the resulting files into the FreeS/WAN working directory:
    # mv newreq.pem /etc/ipsec.d/private/freeswan-priv.pem    private key
    # mv newcert.pem /etc/ipsec.d/freeswan-cert.pem           issued certificate

So that FreeS/WAN can read the X509 certificate, generate /etc/x509cert.der with the following command:
    # openssl x509 -in /etc/ipsec.d/freeswan-cert.pem -outform der -out /etc/x509cert.der

Generate the certificate of the Right host:
    # /usr/share/ssl/misc/CA -newreq     (generates the private key and request; password: 222222)
    # /usr/share/ssl/misc/CA -sign       (signs the certificate with the CA root)
Move the resulting files into the FreeS/WAN working directory:
    # mv newreq.pem /etc/ipsec.d/private/client-priv.pem    private key
    # mv newcert.pem /etc/ipsec.d/client-cert.pem           issued certificate

Create the CRL. To create the CA's revocation list, make sure the /etc/ipsec.d/crls directory exists when executing the following command:
    # openssl ca -gencrl -out /etc/ipsec.d/crls/crl.pem
This creates an empty revocation list with the validity that is listed in openssl.cnf. If you want to revoke a certificate you can do this as follows:
    # openssl ca -revoke certificate.pem
The revocation list then has to be regenerated using the following command, where XX is the number of days:
    # openssl ca -gencrl -crldays XX -out /etc/ipsec.d/crls/crl.pem
If for some reason you want to view the contents of the CRL, it can be listed with the following command:
    # openssl crl -in /etc/ipsec.d/crls/crl.pem -noout -text

The certificate files generated above need to be copied to the Right GW host:
    # cp client-cert.pem /etc/ipsec.d/.
    # cp client-priv.pem /etc/ipsec.d/private/.
    # cp freeswan-cert.pem /etc/ipsec.d/.      (optional)
    # cp cacert.der /etc/ipsec.d/cacerts/.
    # cp crl.pem /etc/ipsec.d/crls/.
On the Right GW host you also need to run the following command:
    # openssl x509 -in /etc/ipsec.d/client-cert.pem -outform der -out /etc/x509cert.der
Certificate issuance is complete. Now configure ipsec.conf and ipsec.secrets.
Left GW's ipsec.conf

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig

conn test1
    left=192.168.133.151
    leftsubnet=192.168.0.0/24
    leftid=@test1.cnlx1.net
    leftcert=freeswan-cert.pem
    leftrsasigkey=%cert
    right=192.168.133.49
    rightsubnet=192.168.1.0/24
    rightid=@test2.cnlx1.net
    rightcert=client-cert.pem
    rightrsasigkey=%cert
    auto=add
    compress=no

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

Left GW's ipsec.secrets

192.168.133.151 192.168.133.47: RSA freeswan-priv.pem "111111"
Right GW's ipsec.conf

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig

conn test1
    left=192.168.133.151
    leftsubnet=192.168.0.0/24
    leftid=@test1.cnlx1.net
    right=192.168.133.49
    rightsubnet=192.168.1.0/24
    rightid=@test2.cnlx1.net
    rightcert=client-cert.pem
    auto=add
    compress=no

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

Right GW's ipsec.secrets

192.168.133.151 192.168.133.47: RSA client-priv.pem "222222"
iptables rules (LAN traffic is SNATed to the GW's outer address, except traffic destined for the remote LAN, which must reach the tunnel with its original source address)

Left GW's iptables:
    # iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d ! 192.168.1.0/24 -j SNAT --to 192.168.133.151

Right GW's iptables:
    # iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d ! 192.168.0.0/24 -j SNAT --to 192.168.133.47
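The tunnel's subnet pair in ipsec.conf and the SNAT exclusion in iptables have to agree, or traffic for the remote LAN is rewritten before KLIPS sees it. As an added example (not part of this write-up and not FreeS/WAN's own code), the following Python parses the ipsec.conf section format, applies conn %default inheritance, and derives the matching exclusion rule for every conn that is not auto=ignore; the embedded config is constructed from the left GW settings above.

```python
import ipaddress

# Constructed sample, condensed from the Left GW's ipsec.conf on this page.
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth1"

conn %default
    keyingtries=0
    authby=rsasig

conn test1
    leftsubnet=192.168.0.0/24
    rightsubnet=192.168.1.0/24
    auto=add

conn packetdefault
    auto=ignore
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Headers ('conn NAME', 'config setup') start in
    column 0; settings are indented key=value lines. 'config setup' is keyed 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header
            _kind, name = line.split(None, 1)
            current = sections.setdefault(name.strip(), {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    default = sections.get("%default", {})
    for name, body in list(sections.items()):
        if name not in ("setup", "%default"):
            sections[name] = {**default, **body}  # conn inherits %default; own keys win
    return sections

def active_conns(sections):
    """Conns Pluto will actually load: anything whose auto= is not 'ignore'."""
    return {n: s for n, s in sections.items()
            if n not in ("setup", "%default") and s.get("auto", "ignore") != "ignore"}

def snat_exclusion_rules(sections, gw_addr):
    """One SNAT rule per active conn that leaves tunnel-bound traffic un-NATed, as on the page."""
    return [f"iptables -t nat -I POSTROUTING -s {ipaddress.ip_network(c['leftsubnet'])} "
            f"-d ! {ipaddress.ip_network(c['rightsubnet'])} -j SNAT --to {gw_addr}"
            for c in active_conns(sections).values()]
```

ip_network() raises on a malformed subnet, so a typo in leftsubnet or rightsubnet is caught before a rule is emitted.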