1) Install RH9 (kernel version 2.4.20-8) on 192.168.88.55 and 192.168.88.56. Download http://download.freeswan.ca/freeswan-2.02.tar.gz into /usr/src and unpack it there with tar xvzf freeswan*.
2) cd /usr/src/linux ; make menuconfig ; make dep
3) cd ../freeswan* ; make menugo # make sure every IPsec-related option is selected, then save. If the build finishes without errors, continue.
4) cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-ipsec ; cp /usr/src/linux/System.map /boot/System.map-ipsec
5) Edit lilo so that it boots the newly built kernel. During boot you should see the message start ipsec [OK].
6) Stop ipsec: service ipsec stop
7) cd /usr/local/libexec/ipsec and edit verify: near line 236, change ipsec showhostkey to ipsec showhostkey --left on 192.168.88.55 and to ipsec showhostkey --right on 192.168.88.56. Near line 305, remove 192.168.*.*
8) Edit /etc/ipsec.conf; the configuration must be identical on both servers. The configuration is as follows (parameters inside a section must be indented, as ipsec.conf requires):
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=all
    plutodebug=all
    pluto=yes
# Add connections here.
conn %default
    keyingtries=0
    spi=0x200
    esp=3des-md5-96
    espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
    espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
conn NorthNet-SouthNet
    left=192.168.88.55
    leftsubnet=192.168.80.0/24
    leftfirewall=no
    right=192.168.88.56
    rightsubnet=192.168.81.0/24
    rightfirewall=no
conn NorthGate-SouthNet
    left=192.168.88.55
    right=192.168.88.56
    rightsubnet=192.168.81.0/24
    rightfirewall=no
conn NorthNet-SouthGate
    left=192.168.88.55
    leftsubnet=192.168.80.0/24
    right=192.168.88.56
    leftfirewall=no
conn NorthGate-SouthGate
    left=192.168.88.55
    right=192.168.88.56
9) Restart ipsec: service ipsec start. Then run ipsec verify; the output should look similar to this:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN 2.02
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: s50 [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse map: 55.88.168.192.in-addr.arpa. [MISSING]
Looking for TXT in reverse map: 55.80.168.192.in-addr.arpa. [MISSING]
Bring the tunnel up with ipsec manual --up NorthNet-SouthNet
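Because manual keying has no key exchange, everything that protects this tunnel is the hand-typed espenckey/espauthkey pair, and both gateways must carry byte-identical sections. The following checker is an added example for this guide (it is not FreeS/WAN code and FreeS/WAN does not ship such a tool): it parses the ipsec.conf above, applies conn %default inheritance, confirms that the key lengths match esp=3des-md5-96 (192-bit 3DES key, 128-bit HMAC-MD5-96 key), flags keys copied from the FreeS/WAN documentation example, flags overlapping left/right subnets, warns while klipsdebug/plutodebug are still set to all, and compares the files from the two hosts. The embedded configuration is the page's own, re-indented; the section names and bit-size tables are the script's own assumptions.

```python
"""Sanity checks for a FreeS/WAN-style manually keyed ipsec.conf (added example)."""
import ipaddress
import re

# Sample input: the configuration from the walkthrough, embedded so the
# script runs offline. Only two of the four conns are needed for the checks.
SAMPLE_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=all
    plutodebug=all
    pluto=yes
conn %default
    keyingtries=0
    spi=0x200
    esp=3des-md5-96
    espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
    espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
conn NorthNet-SouthNet
    left=192.168.88.55
    leftsubnet=192.168.80.0/24
    leftfirewall=no
    right=192.168.88.56
    rightsubnet=192.168.81.0/24
    rightfirewall=no
conn NorthGate-SouthGate
    left=192.168.88.55
    right=192.168.88.56
"""

# Key sizes (bits) required by the algorithm names used in esp= (assumed table).
ENC_BITS = {"3des": 192}
AUTH_BITS = {"md5-96": 128, "sha1-96": 160}

# Placeholder keys printed in the FreeS/WAN documentation; a copied "secret"
# that is public gives no confidentiality at all.
DOC_EXAMPLE_KEYS = {
    "0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0",
    "0x12345678_9abcdef0_2468ace0_13579bdf",
}


def parse_ipsec_conf(text):
    """Return {"conn NAME" | "config setup": {param: value}}; sections start in column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header or "version"
            parts = line.split(None, 1)
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = parts[0] + " " + parts[1].strip()
                sections[current] = {}
            continue
        if current is None:
            raise ValueError("parameter outside any section: " + line)
        key, _, val = line.strip().partition("=")  # first '=' only: interfaces="ipsec0=eth0"
        sections[current][key.strip()] = val.strip()
    return sections


def effective_conn(sections, name):
    """Merge conn %default into a named conn, the way FreeS/WAN resolves it."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections["conn " + name])
    return merged


def key_bits(hexkey):
    """Bit length of a 0x...._.... manual key (underscores are separators)."""
    return len(re.sub(r"[^0-9a-fA-F]", "", hexkey[2:])) * 4


def check_manual_conn(sections, name):
    """Return a list of human-readable findings for one manually keyed conn."""
    c = effective_conn(sections, name)
    findings = []
    enc, _, auth = c.get("esp", "").partition("-")
    for param, alg, want in (("espenckey", enc, ENC_BITS.get(enc)),
                             ("espauthkey", auth, AUTH_BITS.get(auth))):
        if param not in c:
            findings.append(f"{name}: missing {param}")
            continue
        if c[param] in DOC_EXAMPLE_KEYS:
            findings.append(f"{name}: {param} is the public documentation example key")
        if want and key_bits(c[param]) != want:
            findings.append(f"{name}: {param} is {key_bits(c[param])} bits, {alg} needs {want}")
    left_net = ipaddress.ip_network(c.get("leftsubnet", c["left"] + "/32"))
    right_net = ipaddress.ip_network(c.get("rightsubnet", c["right"] + "/32"))
    if left_net.overlaps(right_net):
        findings.append(f"{name}: leftsubnet {left_net} overlaps rightsubnet {right_net}")
    setup = sections.get("config setup", {})
    for dbg in ("klipsdebug", "plutodebug"):
        if setup.get(dbg) == "all":
            findings.append(f"config setup: {dbg}=all is very verbose; disable it once the tunnel works")
    return findings


def same_config(text_a, text_b):
    """The guide requires identical files on both gateways; compare parsed content."""
    return parse_ipsec_conf(text_a) == parse_ipsec_conf(text_b)


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_CONF)
    for conn in ("NorthNet-SouthNet", "NorthGate-SouthGate"):
        for finding in check_manual_conn(parsed, conn):
            print(finding)
```

Run against the configuration above it reports both keys as the documentation example values (the key lengths themselves are correct for 3des-md5-96) and the two debug settings; replace the keys with freshly generated random values of the same length on both hosts before using the tunnel for real traffic.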