Goal: set up IPSec communication between WinXP and FreeBSD
Equipment: laptop - WinXP 172.16.0.199
desktop - FreeBSD 4.7 172.16.0.21
Steps:
I. Server setup (FreeBSD 4.7)
1. Rebuild the kernel with IPSec support:
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG # produces a lot of debug output; you can leave it out if you are confident, but I recommend keeping it
2. Install and configure the IKE (ISAKMP/Oakley) key management daemon
(1) Update the ports tree
(2) Install:
# cd /usr/ports/security/racoon && make install clean
(3) Configure:
File location: /usr/local/etc/racoon/
Pre-shared-key authentication is used.
Edit psk.txt
peer IP        pre-shared key
--------------------------------------
172.16.0.199 thisiseliumao
--------------------------------------
Delete everything else in the file.
Edit racoon.conf
----------------------------------------------------------------
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug; # comment out if you do not need the extra logging
# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
isakmp 172.16.0.21 [500]; # can be commented out to let racoon pick the address itself
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec; # I am on a LAN; changing these two lines
phase2 15 sec; # made no noticeable difference
}
# this whole block sets the phase 1 parameters
remote anonymous
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
# this part concerns certificate (CA) based authentication, not used here
#my_identifier address;
#my_identifier user_fqdn "sakane@kame.net";
#peers_identifier user_fqdn "sakane@kame.net";
#certificate_type x509 "mycert" "mypriv";
nonce_size 16;
lifetime time 60 min; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
# this whole block sets the phase 2 parameters
sainfo anonymous
{
pfs_group 1;
lifetime time 24 hour;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
-------------------------------------------------------------------
(4) Run racoon
# racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
(5) Add the security policy
# setkey -c <<EOF
spdadd 172.16.0.21 172.16.0.199 any -P out ipsec
esp/transport/172.16.0.21-172.16.0.199/require;
spdadd 172.16.0.199 172.16.0.21 any -P in ipsec
esp/transport/172.16.0.199-172.16.0.21/require;
EOF
Transport mode is used here; to use tunnel mode instead, change the corresponding word (transport -> tunnel) in the two policies above.
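The two spdadd statements above must be mirrored exactly on the peer (same selector, opposite -P direction, same ESP endpoints), and a typo in either side leaves traffic in the clear without any error. The following is an added example, not part of the original post and not racoon or setkey code: it generates the statements for transport or tunnel mode from the two addresses, parses setkey-style text back into rules, and checks that two hosts' policies mirror each other. The regex assumes the exact statement shape used on this page (IPv4, esp/<mode>/<src>-<dst>/<level>).

```python
import re
from ipaddress import ip_address

# Regex for one setkey(8) 'spdadd' statement after whitespace normalisation.
# Assumption: the statement shape used in the post (IPv4, esp/<mode>/<a>-<b>/<level>).
SPD_RE = re.compile(
    r"spdadd (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) -P (?P<dir>in|out) ipsec "
    r"esp/(?P<mode>transport|tunnel)/(?P<ep_src>[\d.]+)-(?P<ep_dst>[\d.]+)/(?P<level>\w+)"
)


def spd_policy(local, peer, mode="transport", proto="any"):
    """Return the two 'spdadd' statements (out and in) for ESP between local and peer.

    mode is 'transport' (as in the post) or 'tunnel'; for a host-to-host setup the
    tunnel endpoints are simply the two hosts themselves.
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    ip_address(local)   # fail loudly on a typo: a wrong address means the policy
    ip_address(peer)    # never matches and the traffic silently stays in the clear
    return (
        f"spdadd {local} {peer} {proto} -P out ipsec\n"
        f"    esp/{mode}/{local}-{peer}/require;\n"
        f"spdadd {peer} {local} {proto} -P in ipsec\n"
        f"    esp/{mode}/{peer}-{local}/require;\n"
    )


def parse_spd(text):
    """Parse ';'-terminated spdadd statements into dicts (newlines inside a statement are fine)."""
    rules = []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())        # collapse whitespace and line breaks
        if not stmt:
            continue
        m = SPD_RE.fullmatch(stmt)
        if m is None:
            raise ValueError(f"unrecognised statement: {stmt!r}")
        rules.append(m.groupdict())
    return rules


def policies_mirror(local_text, peer_text):
    """True when every rule on one side is the same rule, direction flipped, on the other.

    The selector (src/dst/proto) describes the packet and is identical on both
    hosts; only -P in/out differs. A mismatch here is the usual reason one side
    sends ESP while the other drops the packets or answers in cleartext.
    """
    flip = {"in": "out", "out": "in"}

    def key(rule, flipped):
        d = flip[rule["dir"]] if flipped else rule["dir"]
        return (rule["src"], rule["dst"], rule["proto"], d,
                rule["mode"], rule["ep_src"], rule["ep_dst"], rule["level"])

    return ({key(r, True) for r in parse_spd(local_text)}
            == {key(r, False) for r in parse_spd(peer_text)})


if __name__ == "__main__":
    fbsd = spd_policy("172.16.0.21", "172.16.0.199")       # the post's FreeBSD policy
    print(fbsd)
    # what the other end would have to carry for the policies to agree
    xp = spd_policy("172.16.0.199", "172.16.0.21")
    print("peer policy mirrors:", policies_mirror(fbsd, xp))
```

Feed the output of spd_policy to setkey -c exactly as in step (5); run policies_mirror on the two sides' texts before blaming racoon when one direction fails.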
II. Client setup (WinXP)
In the MMC console add the "IP Security Policy Management" snap-in and create an IP security policy.
Use the same parameters as configured on the server side.
You can also add the "IP Security Monitor" snap-in to watch the encrypted connections.
III. Connectivity test
1. Under XP:
c:\>ping 172.16.0.21
Succeeded
2. Access the www service on 172.16.0.21
Succeeded
3. Access the ftp service on 172.16.0.21
Succeeded
4. Verify that the traffic really goes through IPSec
On FreeBSD:
# tcpdump src or dst 172.16.0.199
Output similar to the following:
11:25:54.638472 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22c) (DF) [tos 0x8]
11:25:54.638732 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22d) (DF) [tos 0x10]
11:25:54.641258 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22e) (DF) [tos 0x10]
11:25:54.641371 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22f) (DF) [tos 0x8]
Apart from broadcasts, no other protocol should be visible.
# setkey -D
Once the connection is up, an SA pair appears.
See man setkey for details.
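Eyeballing the tcpdump output for "only ESP plus broadcasts" is easy to get wrong on a busy capture. The following is an added example, not from the original post and not part of tcpdump or racoon: it classifies the lines of a capture taken with "tcpdump src or dst <peer>", counts ESP packets, tolerates broadcasts and ARP, flags any cleartext packet to or from the peer (policy not applied), flags an ESP sequence number that does not increase within an SPI, and never silently drops a line it cannot parse. The sample capture is constructed: the four ESP lines quoted above plus three lines I made up (a NetBIOS broadcast, an ARP request and one cleartext TCP SYN); the line format assumed is the old-style tcpdump output shown on this page.

```python
import re

# Constructed sample capture: the four ESP lines quoted in the post, followed by
# three lines made up for this example (a NetBIOS broadcast, an ARP request and
# one cleartext TCP SYN to port 80) so the check has something to flag.
SAMPLE = """\
11:25:54.638472 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22c) (DF) [tos 0x8]
11:25:54.638732 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22d) (DF) [tos 0x10]
11:25:54.641258 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22e) (DF) [tos 0x10]
11:25:54.641371 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22f) (DF) [tos 0x8]
11:25:55.002110 172.16.0.199.137 > 172.16.255.255.137: udp 50
11:25:55.310488 arp who-has 172.16.0.21 tell 172.16.0.199
11:25:56.120004 172.16.0.199.1054 > eliumao1.80: S 41010:41010(0) win 65535 (DF)
"""

# Old-style tcpdump line: "<time> <src> > <dst>: <rest>"  (assumed format, as on the page)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
ESP_RE = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")


def _host(addr):
    """Drop a trailing port from tcpdump's 'a.b.c.d.port' form; hostnames pass through."""
    return addr.rsplit(".", 1)[0] if addr.count(".") == 4 else addr


def _is_broadcast(dst):
    h = _host(dst)
    return h == "255.255.255.255" or h.endswith(".255")


def _involves(addr, peer):
    return _host(addr) == peer


def audit(capture, peer):
    """Classify each line of a capture taken with 'tcpdump src or dst <peer>'.

    Returns counts plus the lines that need a look: cleartext packets to or from
    the peer (the SPD policy is not being applied), ESP packets whose sequence
    number did not increase within an SPI (duplicate or replayed), and lines the
    parser could not read (an unreadable line must not hide a leak).
    """
    result = {"esp": 0, "broadcast": 0, "cleartext": [], "replay": [], "unparsed": []}
    last_seq = {}
    for line in capture.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) > 1 and fields[1] == "arp":      # link layer, expected outside IPsec
            result["broadcast"] += 1
            continue
        m = LINE_RE.match(line)
        if m is None:
            result["unparsed"].append(line)
            continue
        src, dst, rest = m.group("src", "dst", "rest")
        if _is_broadcast(dst):
            result["broadcast"] += 1
            continue
        e = ESP_RE.match(rest)
        if e:
            result["esp"] += 1
            spi, seq = e.group("spi"), int(e.group("seq"), 16)
            if spi in last_seq and seq <= last_seq[spi]:
                result["replay"].append(line)            # ESP seq must only go up
            last_seq[spi] = seq
        elif _involves(src, peer) or _involves(dst, peer):
            result["cleartext"].append(line)             # unicast to/from the peer, not ESP
    return result


def policy_holds(result):
    """True only if ESP was seen and nothing cleartext, replayed or unreadable turned up."""
    return result["esp"] > 0 and not (result["cleartext"] or result["replay"] or result["unparsed"])


if __name__ == "__main__":
    r = audit(SAMPLE, "172.16.0.199")
    print(f"esp={r['esp']} broadcast={r['broadcast']} "
          f"cleartext={len(r['cleartext'])} replay={len(r['replay'])} unparsed={len(r['unparsed'])}")
    for bad in r["cleartext"]:
        print("CLEARTEXT:", bad)
    print("policy holds:", policy_holds(r))
```

On the constructed sample the check fails because of the TCP SYN line, which is exactly the symptom of a policy that was added on one host only. Save a real capture with "tcpdump -n src or dst 172.16.0.199 > cap.txt" and call audit(open("cap.txt").read(), "172.16.0.199"); with -n the addresses are numeric, which the helpers handle best.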
IV. Result
Connections over all protocols are fast; IPSec is practically unnoticeable.