Implementation of a virtual private network based on IPsec: installation and configuration

xiaoxiao2021-03-06  59

1. Types of VPN

A VPN can be built in several ways. Some companies pay for dedicated software, and some use their own routers, since many routers now have VPN functions built in. A VPN can be as simple as an SSH tunnel. All of these have one thing in common: they create a virtual, secure tunnel across an insecure network. The main types of VPN are:

* IPsec

* VPND

* SSH

* VPN features embedded in routers, for example some Cisco routers

2. Why I recommend FreeS/WAN

With so many options, why do I choose FreeS/WAN (IPsec) to implement a VPN on Linux?

FreeS/WAN is currently the IPsec implementation of choice on Linux. It is based on 3DES and other encryption algorithms. In addition, testing shows that the SSH and VPND schemes lack certain features that FreeS/WAN has, and IPsec is supported by more and more other software, so it interoperates with them; for example, NAI's PGPnet works very well with it. But I think the truly important thing is that it is free (as Linux is). For our domestic users this means there is no need to pay a high price for dedicated software: you only need to pay your ISP's online fees to build your own cheap VPN.

3. Uses

* Connecting two or more offices (physically separate sites) over the Internet;

* Allowing a company employee to log in to the company network from thousands of miles away;

* Carrying data over the Internet inside a virtual secure channel.

4. Installing and configuring IPsec with FreeS/WAN 1.5

(1) Installation

If your kernel version is older than 2.2.14, I strongly recommend upgrading to 2.2.14; you can download it from http://www.kernel.org/. Compile the kernel according to your own requirements, but do not enable IPsec support yet (that is done in the next step).

Then download freeswan-1.5.tar.gz (the latest version as of July 2) from http://www.freeswan.org/, put the file in /usr/src/ and unpack it with tar zxvf freeswan-1.5.tar.gz. This creates a new directory /usr/src/freeswan-1.5/ containing all the FreeS/WAN source code and files.

Now, with /usr/src/freeswan-1.5/ as the current directory, run make menugo. (FreeS/WAN builds against the kernel source tree at /usr/src/linux by default, so that should point at your 2.2.14 tree.) In the Networking options section, make sure all the IPsec items are selected. Exit the menu and save the new kernel configuration. Attention! Even if you changed nothing, you must still save, otherwise IPsec will not be built in.

Now boot the new kernel. Run

cp /usr/src/linux-2.2.14/arch/i386/boot/bzImage /boot/vmlinuz-2.2.14

to copy the bzImage into /boot, then

cp /usr/src/linux-2.2.14/System.map /boot/System.map-2.2.14

to install the new System.map. Finally, in /usr/src/linux-2.2.14, run make modules; make modules_install. Edit /etc/lilo.conf, put the new kernel first, and run lilo to make it take effect.

Reboot. You should see messages like

IPsec running under FreeS/WAN 1.5 will start up
ipsec0 start up

If they do not appear, the installation has gone wrong and you need to redo it.

(2) VPN configuration

* The ipsec.conf file (/etc/ipsec.conf)

Now that IPsec is installed, we use it to configure the VPN. Typically we need two gateways. It does not matter which one is "left" and which is "right"; just remember that they are a pair, like two clones. Consider the following example:

Left Net ===== Left Gate ------------ Internet ------------ Right Gate ===== Right Net

The relevant information is as follows:

Left Net: 192.168.1.0/24

Left Gate (Internal): 192.168.1.1

Left Gate (External): 100.100.100.100

Left name: north

Right Net: 192.168.2.0/24

Right Gate (Internal): 192.168.2.254

Right Gate (External): 200.200.200.200

Right name: south

Now create the connections in ipsec.conf. Note that there are several cases: net to net, left gate to right net, left net to right gate, and gate to gate. Every case must have its own connection description. I recommend naming the connections so that the name reflects what is communicating with what. This example needs five connection descriptions: %default, northnet-southnet, northgate-southnet, northnet-southgate and northgate-southgate. Note that there are no spaces in the names.

Note that conn %default already exists in the file. It gives the encryption and authentication algorithm, the key and the SPI used by the connections that follow it. The keys in it are test keys and must be changed. It looks like this:

# defaults for subsequent connection descriptions
conn %default
    # how persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # parameters for manual-keying testing (DON'T USE OPERATIONALLY).
    spi=0x200
    esp=3des-md5-96
    espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
    espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf

Then add the new connections below it (parameter lines must be indented; the name after conn is case-sensitive):

conn northnet-southnet
    left=100.100.100.100
    leftsubnet=192.168.1.0/24
    leftfirewall=yes
    right=200.200.200.200
    rightsubnet=192.168.2.0/24
    rightfirewall=yes

conn northgate-southnet
    left=100.100.100.100
    right=200.200.200.200
    rightsubnet=192.168.2.0/24
    rightfirewall=yes

conn northnet-southgate
    left=100.100.100.100
    leftsubnet=192.168.1.0/24
    leftfirewall=yes
    right=200.200.200.200

conn northgate-southgate
    left=100.100.100.100
    right=200.200.200.200

Note that leftfirewall/rightfirewall are set to yes on both gateways in this example, as they should be: almost no VPN does without a firewall. These settings tell FreeS/WAN that the gateway is also firewalling for its subnet, so that the firewall rules can be adjusted when a tunnel comes up.

Now make sure the variables in the config setup section are correct. They should look like this:

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none

The interfaces option selects the network interface on which IPsec sends and receives packets. With %defaultroute it is taken from the machine's routing table (the interface of the default route). You can also name the interface explicitly, for example

    interfaces="ipsec0=eth1"

(attach to the second NIC instead of the first).

klipsdebug and plutodebug turn debugging output on and off; when enabled, the messages are written to /var/log/messages.

Very important! The contents of ipsec.conf on the two gateways must be identical, apart from differences in the config setup section such as the interface selection; the conn sections must be exact copies. This is the point of the left/right convention: both sides read the same description and each works out from its own addresses which side it is. If the descriptions differ, IPsec cannot set up the connection.
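Because a single mistyped parameter on one gateway is enough to break a connection, it is worth checking the two files mechanically before bringing anything up. The following script is an added example, not part of FreeS/WAN or of the original article: it strips comments and whitespace from both ipsec.conf files, ignores the config setup section (which is allowed to differ) and compares the remaining conn sections. The file paths are whatever you copied from each gateway.

```sh
#!/bin/sh
# conncheck.sh: verify that the conn sections of two FreeS/WAN ipsec.conf
# files are identical, as the article requires.
# Added example, not part of FreeS/WAN. The two file paths are assumed to be
# ipsec.conf as copied from each gateway.

# Print the conn sections of an ipsec.conf with comments stripped and
# whitespace normalised. The "config setup" section is dropped, because it
# may legitimately differ (interfaces=, debug settings) between gateways.
conn_sections() {
    awk '
        { sub(/#.*$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # strip comment, trim
        /^config[ \t]/    { in_conn = 0; next }            # config setup: ignore
        /^conn[ \t]/      { in_conn = 1 }                  # a connection begins
        in_conn && NF > 0 { print }                        # keep non-empty body
    ' "$1"
}

# Exit status 0 if both files describe exactly the same connections, 1 if
# not; the differing lines are printed on stderr so you can see which
# parameter was mistyped on which gateway.
check_conns_match() {
    tmp_l=$(mktemp) || return 1
    tmp_r=$(mktemp) || return 1
    conn_sections "$1" > "$tmp_l"
    conn_sections "$2" > "$tmp_r"
    if diff "$tmp_l" "$tmp_r" > /dev/null; then
        rc=0
    else
        echo "conn sections differ between $1 and $2:" >&2
        diff "$tmp_l" "$tmp_r" >&2
        rc=1
    fi
    rm -f "$tmp_l" "$tmp_r"
    return $rc
}

# Usage on one gateway, after copying the peer's file over (paths assumed):
#   check_conns_match /etc/ipsec.conf /tmp/ipsec.conf.from-south \
#       && echo "conn sections match"
```

Run it whenever either file is edited; a clean exit means only the config setup sections differ, which is what the article requires.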

* The ipsec.secrets file

This holds the key of the symmetric encryption algorithm used between the two gateways. The file must be identical on both gateways. How to get the key from one gateway to the other is a bit of a chicken-and-egg problem, but do not worry: mathematicians invented a more advanced kind of encryption (asymmetric encryption, RSA), in which each side has its own private key and a public key. The bad guys may know the public keys, but neither side knows the other's private key, and neither do the bad guys. To transfer the key, encrypt it with the other side's public key; only the other side's private key can decrypt it. If you do not believe it, look up the RSA algorithm. Of course there are other methods: the administrator at site A can copy the key onto a floppy disk and send it to B, but that is a bit clumsy.

The file should look like this (a single line; the key is shown wrapped here):

100.100.100.100 200.200.200.200 "JXJ52SJRMUUUUU3NVW521WU135R5K44UU5LR2V3KUJT24U1LVUMWSKT52TU11WVNM1VU25LV52K4"

No explanation is needed; you can see how to configure it from this.

* Firewall settings

Assuming ipchains, here is an example for the left gateway:

ipchains -A input -s 100.100.100.100 -d 0/0 -j ACCEPT
ipchains -A input -s 100.100.100.100 -d 192.168.2.0/24 -j ACCEPT
ipchains -A input -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT

This allows packets from the gateway itself to the Internet and to the right subnet, and packets from the left subnet to the right subnet. (The second rule is already covered by the first, which matches any destination.) The external interface must also accept the IPsec traffic itself: ESP (IP protocol 50) from the peer gateway and, once Pluto is used for automatic keying, UDP port 500 for IKE; the rules above only deal with the decrypted traffic.

Note that ipsec.secrets and ipsec.conf must be readable only by root. Ordinary users must not be able to read them, for safety.

(3) Testing

Automatic keying is covered later; here we bring the connections up with manual keying.

First start our connections:

[root@tiger /etc]# ipsec manual --up northgate-southgate
[root@tiger /etc]# ipsec manual --up northgate-southnet
[root@tiger /etc]# ipsec manual --up northnet-southgate
[root@tiger /etc]# ipsec manual --up northnet-southnet

(The names must match the conn names in ipsec.conf exactly.) Then run

[root@tiger /etc]# ipsec look

and check its output. If it does not look like the following, there is a problem.

cs.mynet.net Wed Jul 8 22:51:45 GAT 2000
-------------------------
192.168.1.0/24 -> 192.168.2.0/24 => tun0x200@192.168.2.254 esp0x202@192.168.2.254
-------------------------
tun0x200@192.168.2.254 ipv4_encapsulation: dir=out 192.168.1.1 -> 192.168.2.254
esp0x203@192.168.1.1 3des-md5-96_encryption: dir=in  iv=0xc2cbca5ba42ffbb6 seq=0 bit=0x00000000 win=0 flags=0x0<>
esp0x202@192.168.2.254 3des-md5-96_encryption: dir=out iv=0xc2cbca5ba42ffb6 seq=0 bit=0x00000000 win=0 flags=0x0<>
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.0.0.0       0.0.0.0         255.255.255.0   U      1500 0          0 eth1
192.168.2.0     192.168.2.254   255.255.255.0   UG     1404 0          0 ipsec0

(In this capture the tunnel endpoints are the gateways' internal addresses 192.168.1.1 and 192.168.2.254 rather than the 100.x/200.x addresses of the example; the output was taken on a test network.)

To see more, run ipsec barf.

Now check the result: ping a machine on the other internal network and watch ipsec0 with tcpdump on the gateway.

Suppose we ping 192.168.1.25 from 192.168.2.15. It shows:

64 bytes from 192.168.1.25: icmp_seq=0 ttl=127 time=45.7 ms
64 bytes from 192.168.1.25: icmp_seq=1 ttl=127 time=45.2 ms
64 bytes from 192.168.1.25: icmp_seq=2 ttl=127 time=45.5 ms
64 bytes from 192.168.1.25: icmp_seq=3 ttl=127 time=43.0 ms
......

Meanwhile, on the gateway 200.200.200.200, tcpdump -i ipsec0 shows:

tcpdump: listening on ipsec0
21:02:52.873587 > 200.200.200.200 > 192.168.1.25: icmp: echo request
21:02:52.921596 < 192.168.1.25 > 200.200.200.200: icmp: echo reply
21:02:53.890317 > 200.200.200.200 > 192.168.1.25: icmp: echo request
21:02:53.935618 < 192.168.1.25 > 200.200.200.200: icmp: echo reply
21:02:54.890277 > 200.200.200.200 > 192.168.1.25: icmp: echo request
21:02:54.936592 < 192.168.1.25 > 200.200.200.200: icmp: echo reply
21:02:55.890284 > 200.200.200.200 > 192.168.1.25: icmp: echo request
21:02:55.934099 < 192.168.1.25 > 200.200.200.200: icmp: echo reply
......

If this works, you can test further: for example, run a web server behind one gateway, access it from the other side's internal network, and capture the packets on the Internet path (with tcpdump on the external interface, filtering on IP protocol 50, ESP) to check that the content is encrypted and nothing readable appears.

(4) Starting the connections at boot

Since we have set up a VPN, we want the IPsec connections to start automatically on the gateway. That is very simple: add the following lines to the config setup section of ipsec.conf:

    pluto=yes
    plutoload="northgate-southgate northgate-southnet northnet-southgate northnet-southnet"
    plutostart="northgate-southgate northgate-southnet northnet-southgate northnet-southnet"
    plutowait=no

Pluto is FreeS/WAN's IKE daemon, which negotiates the keys automatically.

After adding these lines, run ipsec setup restart for them to take effect. The output (here on the right gateway, 200.200.200.200) looks like this:

ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: Shutting down Pluto:
ipsec_setup: Taking ipsec0 down:
ipsec_setup: Misc cleanout:
ipsec_setup: ...FreeS/WAN IPsec stopped
ipsec_setup: Starting FreeS/WAN IPsec 1.5...
ipsec_setup: KLIPS debug `none'
ipsec_setup: KLIPS ipsec0 on eth0 200.200.200.200/255.255.255.0 broadcast 200.200.200.255
ipsec_setup: Disabling core dumps:
ipsec_setup: Starting Pluto (debug `none'):
ipsec_setup: Loading Pluto database `northgate-southgate northgate-southnet northnet-southgate northnet-southnet':
ipsec_setup: Enabling Pluto negotiation:
ipsec_setup: Routing for Pluto conns `northgate-southgate northgate-southnet northnet-southgate northnet-southnet':
ipsec_setup: Initiating Pluto tunnel `northgate-southgate' (asynchronously):
ipsec_setup: Initiating Pluto tunnel `northgate-southnet' (asynchronously):
ipsec_setup: Initiating Pluto tunnel `northnet-southgate' (asynchronously):
ipsec_setup: Initiating Pluto tunnel `northnet-southnet':
ipsec_setup: ...FreeS/WAN IPsec started

If you see this, it has succeeded. Whenever the Pluto daemon starts, the connections are started automatically.

(5) Generating a key that is really usable

The key used so far was a test key and is very insecure, so it must be changed after testing. The program ranbits generates a random string; run it like this:

[root@tiger /etc]# ipsec ranbits 192 >> ipsec.secrets

This appends a string encoding 192 random bits to ipsec.secrets. Then edit the file and put the two gateway addresses in front of it, in the format shown earlier. Remember that the file must be identical on both gateways, so install the same new key on the other side as well.
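The steps above (generate 192 random bits, write the ipsec.secrets line for the two gateways, keep the file readable by root only) are easy to get slightly wrong by hand, so here they are as a small script. This is an added example, not part of FreeS/WAN or of the original article: it uses /dev/urandom in place of ipsec ranbits so that it runs on any machine, and it assumes the ipsec.secrets line format used in this article. The file path is whatever you pass in.

```sh
#!/bin/sh
# mksecrets.sh: build and install an ipsec.secrets entry for a gateway pair
# and verify that the file is readable by its owner (root) only.
# Added example, not part of FreeS/WAN. /dev/urandom stands in for
# "ipsec ranbits 192"; the entry format "LEFT RIGHT \"secret\"" follows the
# article. Addresses and file paths are whatever the caller supplies.

# 192 random bits as 48 lowercase hex digits.
random_psk() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Compose the ipsec.secrets line: left address, right address, quoted secret.
psk_line() {
    printf '%s %s "%s"\n' "$1" "$2" "$3"
}

# Write the line to a secrets file that only its owner can read. The file is
# created/truncated under umask 077 and chmod'ed before the secret is written,
# so the key never sits in a group- or world-readable file even briefly.
install_secrets() {
    file="$1"; line="$2"
    ( umask 077; : > "$file" ) || return 1
    chmod 600 "$file" || return 1
    printf '%s\n' "$line" >> "$file"
}

# Exit status 0 if the file has no group/other permission bits (0600 or 0400),
# 1 otherwise. This is the check the article asks for on ipsec.secrets and
# ipsec.conf.
secrets_perms_ok() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$mode" = "------" ]
}

# Example usage with the article's addresses (run as root on each gateway
# with the same key, since the file must be identical on both):
#   key=$(random_psk)
#   install_secrets /etc/ipsec.secrets \
#       "$(psk_line 100.100.100.100 200.200.200.200 "$key")"
#   secrets_perms_ok /etc/ipsec.secrets && echo "ipsec.secrets is owner-only"
```

Generate the key once, install it on both gateways over a channel you trust (the RSA or floppy-disk approaches discussed above), and run secrets_perms_ok on both ipsec.secrets and ipsec.conf after any edit.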

5. References

1) FreeS/WAN documentation: http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/

2) Virtual Private Networks, 2nd edition, Charlie Scott, Paul Wolfe and Mike Erwin, O'Reilly

3) linux-ipsec mailing list: http://www.freeswan.org/mail.html

6. Note

This article may be forwarded, but it is best to contact the author first: Unix_Guo, engineer at WWW.LINUXAID.COM.CN. Thank you.

My email: unix_guo@netese.com

Please credit the original source when reposting: https://www.9cbs.com/read-82724.html
