FreeBSD Configuration

王朝system · Author: anonymous  2008-05-18

Configuring the network: /etc/rc.conf

network_interfaces="dc0 lo0"   # the rc.conf variable is plural: network_interfaces
ifconfig_dc0="192.168.2.11"
defaultrouter="192.168.2.1"

Remote login

FreeBSD's default remote login is ssh, but you cannot su to root over it. To be able to su to root, open /etc/group and add your user name to the wheel group:

wheel:*:0:root,name

Rebuilding the kernel

# cd /usr/src/sys/i386/conf
# cp GENERIC MYKERNEL

Edit MYKERNEL and add:

options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

Then:

# /usr/sbin/config MYKERNEL
# cd ../compile/MYKERNEL
# make depend
# make
# make install

Installing racoon

# cd /usr/ports/security/racoon
# make install clean

Make sure that racoon-20021120a.tar.gz is present in /usr/ports/distfiles; if it is not, download it.

Creating certificates

Certificates are used as the authentication method, and OpenSSL is used to create them.

First create a CA, then issue certificates to the two hosts that will be connected. For the CA, first create the RSA key pair and then create the self-signed certificate.

Creating the CA

$ openssl genrsa -des3 -out ca.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
..............++++++
................++++++
e is 65537 (0x10001)
Enter PEM pass phrase: fearBeans
Verifying password - Enter PEM pass phrase: fearBeans

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase: fearBeans
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Heilongjiang
Locality Name (eg, city) []:Daqing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxdevice
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:zhangp
Email Address []:zhangp@cy9.dq.cnpc.com.cn

To create a certificate for a host, first create its RSA private key, then create a certificate signed by the CA.

$ openssl genrsa -out win2k.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
.....++++++
.....++++++
e is 65537 (0x10001)

$ openssl req -new -key win2k.key -out win2k.csr
Using configuration from /etc/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Heilongjiang
Locality Name (eg, city) []:Daqing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxdevice
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:win2k
Email Address []:win2k@cy9.dq.cnpc.com.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ openssl x509 -req -days 182 -in win2k.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out win2k.crt
Signature ok
subject=/C=CN/ST=Heilongjiang/L=Daqing/O=Linuxdevice/CN=win2k/Email=win2k@cy9.dq.cnpc.com.cn
Getting CA Private Key
Enter PEM pass phrase: 123456

Create the certificate for the host freebsd in the same way. The win2k certificate additionally has to be packaged in PKCS#12 format:

$ openssl pkcs12 -export -inkey win2k.key -certfile ca.crt -in win2k.crt -out win2k.p12
Enter Export Password: 123456
Verifying password - Enter Export Password: 123456

Configuring FreeBSD

Prepare the configuration file /etc/ipsec.conf, where 192.168.2.11 is the FreeBSD host and 192.168.2.6 is the win2k host:

spdadd 192.168.2.11/32 192.168.2.6/32 any -P out ipsec
    esp/transport/192.168.2.11-192.168.2.6/require;
spdadd 192.168.2.6/32 192.168.2.11/32 any -P in ipsec
    esp/transport/192.168.2.6-192.168.2.11/require;

Add to /etc/rc.conf:

ipsec_enable="YES"

Prepare the configuration file /usr/local/etc/racoon/racoon.conf:

# Directory in which we will store this, and other machines' certificates
path certificate "/usr/local/etc/racoon/certs" ;

log debug2;

# Padding values. These have been copied verbatim from the example.
padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# Timer values. I've bumped up the phase 1 & 2 timeouts.
timer
{
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 90 sec;
    phase2 60 sec;
}

remote anonymous
{
    exchange_mode main,aggressive;
    #exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    my_identifier user_fqdn "zhangp@cy9.dq.cnpc.com.cn";
    peers_identifier user_fqdn "win2k@cy9.dq.cnpc.com.cn";
    certificate_type x509 "freebsd.crt" "freebsd.key";
    peers_certfile "win2k.crt";

    nonce_size 16;
    lifetime time 4 hour;   # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim

    # This is the same as one of the default proposals on Windows.
    # 3DES, MD5 and RSA (certificate) authentication.
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm 3des,des ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}
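As an added consistency check (not part of the original article), this Python snippet parses the two spdadd policies and the algorithm lines of the racoon.conf shown above, confirms that every SPD entry has its mirrored counterpart, and flags the weak choices the sample configuration still permits (single DES, MD5 and DH group 1). The sample strings are constructed from the page's configuration; the regular expressions cover only the setkey and racoon syntax used here.

```python
import re

# Constructed sample input: the two spdadd statements of /etc/ipsec.conf above
# (each joined onto one line) and the algorithm lines of racoon.conf above, condensed.
IPSEC_CONF = """
spdadd 192.168.2.11/32 192.168.2.6/32 any -P out ipsec esp/transport/192.168.2.11-192.168.2.6/require;
spdadd 192.168.2.6/32 192.168.2.11/32 any -P in ipsec esp/transport/192.168.2.6-192.168.2.11/require;
"""
RACOON_CONF = """
remote anonymous { proposal { encryption_algorithm 3des; hash_algorithm md5;
                              authentication_method rsasig; dh_group 2 ; } }
sainfo anonymous { pfs_group 1; encryption_algorithm 3des,des ;
                   authentication_algorithm hmac_sha1,hmac_md5;
                   compression_algorithm deflate ; }
"""

# setkey(8) policy: spdadd src dst upperspec -P dir ipsec proto/mode/src-dst/level;
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
                    r"(\w+)/(\w+)/([\d.]+)-([\d.]+)/(\w+)\s*;")
FIELDS = ("src", "dst", "upper", "dir", "proto", "mode", "ep_src", "ep_dst", "level")

def parse_spd(text):
    """Return one dict per spdadd statement found in the text."""
    return [dict(zip(FIELDS, m.groups())) for m in SPD_RE.finditer(text)]

def unmatched_policies(policies):
    """Policies whose mirror (src/dst, endpoints, direction swapped) is missing; without
    the 'in' twin of an 'out' policy, cleartext arriving from the peer is still accepted."""
    def key(p):
        return tuple(p[f] for f in FIELDS)
    def mirror(p):
        return key(dict(p, src=p["dst"], dst=p["src"], ep_src=p["ep_dst"],
                        ep_dst=p["ep_src"], dir="in" if p["dir"] == "out" else "out"))
    seen = {key(p) for p in policies}
    return [p for p in policies if mirror(p) not in seen]

WEAK_ALGS = {"des", "md5", "hmac_md5"}  # single DES and MD5-based hashing/integrity
WEAK_GROUPS = {"1"}                      # DH group 1 is only 768-bit MODP

def weak_settings(text):
    """(directive, value) pairs in racoon.conf naming a weak algorithm or DH group."""
    found = []
    for m in re.finditer(r"(\w+_algorithm)\s+([\w,\s]+?)\s*;", text):
        found += [(m.group(1), a.strip()) for a in m.group(2).split(",")
                  if a.strip() in WEAK_ALGS]
    for m in re.finditer(r"(dh_group|pfs_group)\s+(\d+)\s*;", text):
        if m.group(2) in WEAK_GROUPS:
            found.append((m.group(1), m.group(2)))
    return found
```

Calling `unmatched_policies(parse_spd(IPSEC_CONF))` returns an empty list for the page's two policies, while `weak_settings(RACOON_CONF)` lists md5, des, hmac_md5 and pfs_group 1 as the settings worth tightening before the tunnel goes into production.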

Store the certificates in /usr/local/etc/racoon/certs:

# mkdir -m 0700 /usr/local/etc/racoon/certs
# cp freebsd.crt freebsd.key win2k.crt /usr/local/etc/racoon/certs
# chmod 0600 /usr/local/etc/racoon/certs/*

Now the racoon daemon can be started:

# racoon

 
 
 