测试vpn的基本功能

1） 在192.168.88.55、192.168.88.56上安装rh9，内核版本为2.4.20-8，下载http://download.freeswan.ca/freeswan-2.02.tar.gz，到/usr/src路径下，tar xvzf freeswan*。

2） cd /usr/src/linux ; make menuconfig ; make dep

3） cd ../freeswan* ; make menugo #确保关于ipsec的选项都被选中，并保存。如果没有错误，往下进行

4） cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-ipsec ; cp /usr/src/linux/System.map /boot/System.map-ipsec

5） 编辑lilo，用新编的内核启动，启动时应当有start ipsec [OK]的信息。

6） 停止ipsec，service ipsec stop

7） cd /usr/local/libexec/ipsec，编辑verify，修改236行附近的ipsec showhostkey，将192.168.88.55机器的改成ipsec showhostkey –left，将192.168.88.56机器改成ipsec showhostkey –right。 将305行去掉192.168.*.*

8） 编辑/etc/ipsec.conf，并且两台服务器的配置必须相同。配置如下：

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup

interfaces="ipsec0=eth0"

klipsdebug=all

plutodebug=all

pluto=yes

# Add connections here.

conn %default

keyingtries=0

spi=0x200

esp=3des-md5-96

espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0

espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf

conn NorthNet-SouthNet

left=192.168.88.55

leftsubnet=192.168.80.0/24

leftfirewall=no

right=192.168.88.56

rightsubnet=192.168.81.0/24

rightfirewall=no

conn NorthGate-SouthNet

left=192.168.88.55

right=192.168.88.56

rightsubnet=192.168.81.0/24

rightfirewall=no

conn NorthNet-SouthGate

left=192.168.88.55

leftsubnet=192.168.80.0/24

right=192.168.88.56

leftfirewall=no

conn NorthGate-SouthGate

left=192.168.88.55

right=192.168.88.56

9） 重新启动ipsec，service ipsec start。执行ipsec verify，结果应当类似下面：

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path [OK]

Linux FreeS/WAN 2.02

Checking for KLIPS support in kernel [OK]

Checking for RSA private key (/etc/ipsec.secrets) [OK]

Checking that pluto is running [OK]

Two or more interfaces found, checking IP forwarding [OK]

Checking NAT and MASQUERADEing [N/A]

Opportunistic Encryption DNS checks:

Looking for TXT in forward map: s50 [MISSING]

Does the machine have at least one non-private address? [OK]

Looking for TXT in reverse map: 55.88.168.192.in-addr.arpa. [MISSING]

Looking for TXT in reverse map: 55.80.168.192.in-addr.arpa. [MISSING]

执行ipsec manual –up NorthNet-SouthNet