15.9.4. Configuring IPsec on FreeBSD
Author: Tom Rhodes.
To begin, security/ipsec-tools must be installed from the Ports Collection. This third-party package provides a number of applications that help with the configuration.
The next step is to create two gif(4) pseudo-devices, which carry the packets between the two networks and form the "tunnel". Run the following commands as root, replacing the internal and external entries with the real internal and external gateway addresses:
# ifconfig gif0 create
# ifconfig gif0 internal1 internal2
# ifconfig gif0 tunnel external1 external2
For example, the corporate LAN's external IP address is 172.16.5.4 and its internal IP address is 10.246.38.1. The home LAN's external IP address is 192.168.1.12 and its internal IP address is 10.0.0.5.
This may look confusing, so review it again in the output of ifconfig(8):
Gateway 1:

gif0: flags=8051 mtu 1280
tunnel inet 172.16.5.4 --> 192.168.1.12
inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00

Gateway 2:

gif0: flags=8051 mtu 1280
tunnel inet 192.168.1.12 --> 172.16.5.4
inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00
inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4
Once this is done, both private IP addresses should be able to reach each other, as shown in the following ping(8) output:
priv-net# ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5): 56 data bytes
64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms

--- 10.0.0.5 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms

corp-net# ping 10.246.38.1
PING 10.246.38.1 (10.246.38.1): 56 data bytes
64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms
64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms
64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms
64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms
64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms

--- 10.246.38.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms
As expected, both sides can send and receive ICMP packets from their private addresses. Next, both gateways must be given routes so that traffic for the other network is forwarded correctly. The following commands achieve this:
corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0
corp-net# route add net 10.0.0.0: gateway 10.0.0.5
priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0
priv-net# route add host 10.246.38.0: gateway 10.246.38.1
At this point, the internal networks are reachable both from the gateways and from the machines behind them. This is easily confirmed with the following example:
corp-net# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8): 56 data bytes
64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms
64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms
64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms
64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=22.241 ms
64 bytes from 10.0.0.8: icmp_seq=4 ttl=63 time=174.705 ms

--- 10.0.0.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms

priv-net# ping 10.246.38.107
PING 10.246.38.1 (10.246.38.107): 56 data bytes
64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms
64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms
64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms
64 bytes from 10.246.38.107: icmp_seq=3 ttl=64 time=21.145 ms
64 bytes from 10.246.38.107: icmp_seq=4 ttl=64 time=36.708 ms

--- 10.246.38.107 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms
Setting up the "tunnel" is the easy part. Configuring a secure link is a more in-depth process. The following configuration uses pre-shared (PSK) RSA keys. Apart from the IP addresses, the /usr/local/etc/racoon/racoon.conf on both sides is almost identical.
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; # location of pre-shared key file
log debug;  # log verbosity setting: set to 'notify' when testing and debugging is complete

padding     # options are not to be changed
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer       # timing options. change as needed
{
    counter 5;
    interval 20 sec;
    persend 1;
#   natt_keepalive 15 sec;
    phase1 30 sec;
    phase2 15 sec;
}

listen      # address [port] that racoon will listen on
{
    isakmp 172.16.5.4 [500];
    isakmp_natt 172.16.5.4 [4500];
}

remote 192.168.1.12 [500]
{
    exchange_mode       main,aggressive;
    doi                 ipsec_doi;
    situation           identity_only;
    my_identifier       address 172.16.5.4;
    peers_identifier    address 192.168.1.12;
    lifetime            time 8 hour;
    passive             off;
    proposal_check      obey;
#   nat_traversal       off;
    generate_policy     off;

    proposal {
        encryption_algorithm    blowfish;
        hash_algorithm          md5;
        authentication_method   pre_shared_key;
        lifetime time           30 sec;
        dh_group                1;
    }
}

sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any)  # address $network/$netmask $type address $network/$netmask $type ($type being any or esp)
{   # $network must be the two internal networks you are joining.
    pfs_group                   1;
    lifetime time               36000 sec;
    encryption_algorithm        blowfish,3des,des;
    authentication_algorithm    hmac_md5,hmac_sha1;
    compression_algorithm       deflate;
}
Explaining every available option, including the ones used in these examples, is beyond the scope of this document. The racoon configuration manual page contains plenty of relevant information.
The SPD policies also need to be configured so that FreeBSD and racoon can encrypt and decrypt the traffic between the hosts. This is done with a simple shell script like the following, run on the corporate gateway. Save it as /usr/local/etc/racoon/setkey.conf; this file is used during system initialization.
flush;
spdflush;

# To the home network
spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;
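The text shows setkey.conf only for the corporate gateway. As an added example (not part of the Handbook or of ipsec-tools), this POSIX sh function emits the SPD policy for either gateway from its own internal network and external address plus the peer's, so the home gateway's mirror-image file can be generated from the same addresses; the optional policy level argument is an assumption for illustration.

```shell
#!/bin/sh
# Added example: generate the setkey(8) SPD policy for one end of the
# gif/ESP tunnel described above.
#   gen_spd LOCAL_NET LOCAL_EXT REMOTE_NET REMOTE_EXT [LEVEL]
# The "out" rule names the local external address first and the "in"
# rule names the remote one first, so running it with the arguments
# swapped yields the other gateway's file.
gen_spd() {
    local_net=$1; local_ext=$2; remote_net=$3; remote_ext=$4
    # setkey(8) policy level: "use" (the page's choice) still passes
    # cleartext when no SA exists; "require" drops such packets.
    level=${5:-use}
    printf 'flush;\nspdflush;\n\n'
    printf '# To the network %s behind %s\n' "$remote_net" "$remote_ext"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/%s;\n' \
        "$local_net" "$remote_net" "$local_ext" "$remote_ext" "$level"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/%s;\n' \
        "$remote_net" "$local_net" "$remote_ext" "$local_ext" "$level"
}

# Corporate gateway, addresses from the text: reproduces the page's setkey.conf.
echo '# corp-net setkey.conf'
gen_spd 10.246.38.0/24 172.16.5.4 10.0.0.0/24 192.168.1.12
echo
# Home gateway: the side the page does not show.
echo '# priv-net setkey.conf'
gen_spd 10.0.0.0/24 192.168.1.12 10.246.38.0/24 172.16.5.4
```

Redirect each gateway's output to its own /usr/local/etc/racoon/setkey.conf; when both ends are confirmed working, regenerating with `require` as the fifth argument stops the gateways from silently falling back to cleartext if racoon has not yet established an SA.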
Once this is in place, start racoon on both gateways with the following command:
# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
The output will look similar to this:
corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
Foreground mode.
2006-01-30 01:35:47: INFO: begin Identity Protection mode.
2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon
2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon
2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a
2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)
2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)
To confirm that the "tunnel" is working, switch to another console and watch the traffic with the following tcpdump(1) command. Replace em0 with the network interface in use as needed:
# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12
Output similar to the following should appear on the console. If it does not, something is wrong, and the returned data will be needed for debugging.
01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb)
01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc)
At this point, the two networks behave as if they were parts of a single network. Most likely both networks are, and should be, protected by a firewall, so rules must be added to pass the incoming and outgoing tunnel packets before the networks can reach each other. For ipfw(8), add the following lines to the firewall configuration file:
ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any
Note: The rule numbers may need to be adjusted to fit the existing configuration of the host.
For users of pf(4) or ipf(8), the following rules should do the job:
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any
Finally, to have the machine bring up VPN support at boot, add the following lines to /etc/rc.conf:
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"