Configuring IPSec on FreeBSD: WinXP ------ FreeBSD
Goal: IPSec communication between WinXP and FreeBSD.

Equipment:
  Laptop  - WinXP        172.16.0.199
  Desktop - FreeBSD 4.7  172.16.0.21

Steps:

I. Server setup (FreeBSD 4.7)

1. Rebuild the kernel with IPSec support:

   options IPSEC
   options IPSEC_ESP
   options IPSEC_DEBUG   # produces a lot of debug output; can be left out if you are confident, but adding it is recommended

2. Install and configure the IKE (ISAKMP/Oakley) key management daemon

   (1) Update the ports tree.

   (2) Install:
       # cd /usr/ports/security/racoon && make install clean

   (3) Configure. The files live in /usr/local/etc/racoon/. Pre-shared-key authentication is used.

       Edit psk.txt (peer IP, then the pre-shared key) and delete everything else:
       --------------------------------------
       172.16.0.199 thisiseliumao
       --------------------------------------

       Edit racoon.conf:
       ----------------------------------------------------------------
       path include '/usr/local/etc/racoon' ;
       path pre_shared_key '/usr/local/etc/racoon/psk.txt' ;
       log debug;   # comment out as needed

       # 'padding' defines some parameter of padding. You should not touch these.
       padding {
           maximum_length 20;    # maximum padding length.
           randomize off;        # enable randomize length.
           strict_check off;     # enable strict check.
           exclusive_tail off;   # extract last one octet.
       }

       # if no listen directive is specified, racoon will listen to all
       # available interface addresses.
       listen {
           #isakmp ::1 [7000];
           isakmp 172.16.0.21 [500];   # can be commented out to let racoon pick the address itself
           #admin [7002];             # administrative's port by kmpstat.
           #strict_address;           # required all addresses must be bound.
       }

       # Specification of default various timer.
       timer {
           # These value can be changed per remote node.
           counter 5;          # maximum trying count to send.
           interval 20 sec;    # maximum interval to resend.
           persend 1;          # the number of packets per a send.

           # timer for waiting to complete each phase.
           phase1 30 sec;      # since I am on a LAN, changing these two
           phase2 15 sec;      # lines made no noticeable difference
       }

       # this whole block sets the phase 1 parameters
       remote anonymous {
           #exchange_mode main,aggressive;
           exchange_mode aggressive,main;
           doi ipsec_doi;
           situation identity_only;

           # these lines concern certificate (CA) authentication and are not needed here
           #my_identifier address;
           #my_identifier user_fqdn 'sakane@kame.net';
           #peers_identifier user_fqdn 'sakane@kame.net';
           #certificate_type x509 'mycert' 'mypriv';

           nonce_size 16;
           lifetime time 60 min;   # sec,min,hour
           initial_contact on;
           support_mip6 on;
           proposal_check obey;    # obey, strict or claim

           proposal {
               encryption_algorithm 3des;
               hash_algorithm md5;
               authentication_method pre_shared_key ;
               dh_group 2 ;
           }
       }

       # this whole block sets the phase 2 parameters
       sainfo anonymous {
           pfs_group 1;
           lifetime time 24 hour;
           encryption_algorithm 3des ;
           authentication_algorithm hmac_md5;
           compression_algorithm deflate ;
       }
       -------------------------------------------------------------------

   (4) Run racoon:
       # racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

   (5) Add the security policies:
       # setkey -c <<EOF
       spdadd 172.16.0.21 172.16.0.199 any -P out ipsec esp/transport/172.16.0.21-172.16.0.199/require;
       spdadd 172.16.0.199 172.16.0.21 any -P in ipsec esp/transport/172.16.0.199-172.16.0.21/require;
       EOF

       Transport mode is used here; to switch to tunnel mode, change the corresponding word in the two lines above.

II. Client setup (WinXP)

   In the management console add the IP Security Policy Management snap-in and create an IP security policy, using the same parameters as on the server side. You can also add the IP Security Monitor snap-in to watch the encrypted connections.

III. Connectivity test

   1. From XP:
      c:\>ping 172.16.0.21        succeeds
   2. Access the www service on 172.16.0.21: succeeds
   3. Access the ftp service on 172.16.0.21: succeeds
   4. Verify that the traffic really goes through IPSec. On FreeBSD:
      # tcpdump src or dst 172.16.0.199
      The output looks like:
      11:25:54.638472 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22c) (DF) [tos 0x8]
      11:25:54.638732 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22d) (DF) [tos 0x10]
      11:25:54.641258 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22e) (DF) [tos 0x10]
      11:25:54.641371 eliumao1 > 172.16.0.199: ESP(spi=0x248fabee,seq=0x22f) (DF) [tos 0x8]
      Apart from broadcasts, no other protocol should be visible.
      # setkey -D
      Once the connection is up this lists the SA pair; see man setkey for details.

IV. Result

   Connections over every protocol are fast; the presence of IPSec is basically unnoticeable.
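The two things that most often go wrong with this setup are a psk.txt that racoon rejects because it is readable by group or others, and a mistyped spdadd pair. The helper below is an added example, not part of the original article: it checks the key file for a given peer and generates the out/in spdadd lines for a host pair in either transport or tunnel mode, so the policy can be piped into setkey -c.

```sh
#!/bin/sh
# Added helper (not from the original article). Assumes a racoon-style
# psk.txt ("peer-ip key" per line) and the spdadd syntax shown above.

# psk_file_ok FILE PEER_IP
# racoon refuses a key file that group/other can read, so require mode
# 600 (columns 5-10 of ls -l must all be '-'), then confirm the peer
# has an entry with a key. Returns 0 when both hold.
psk_file_ok() {
    f=$1; peer=$2
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    go=$(ls -l "$f" | cut -c5-10)
    [ "$go" = "------" ] || { echo "$f must be mode 600 (group/other bits: $go)" >&2; return 1; }
    awk -v p="$peer" '$1 == p && NF >= 2 { found = 1 } END { exit !found }' "$f" \
        || { echo "no key for $peer in $f" >&2; return 1; }
    return 0
}

# spd_script LOCAL_IP PEER_IP [MODE]
# Prints the outbound and inbound spdadd lines for the pair, in
# transport (default) or tunnel mode. Usage: spd_script ... | setkey -c
spd_script() {
    local_ip=$1; peer=$2; mode=${3:-transport}
    case $mode in
        transport|tunnel) ;;
        *) echo "mode must be transport or tunnel, not '$mode'" >&2; return 1 ;;
    esac
    printf 'spdadd %s %s any -P out ipsec esp/%s/%s-%s/require;\n' \
        "$local_ip" "$peer" "$mode" "$local_ip" "$peer"
    printf 'spdadd %s %s any -P in ipsec esp/%s/%s-%s/require;\n' \
        "$peer" "$local_ip" "$mode" "$peer" "$local_ip"
}
```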