Configuring IPSec VPN Connection Between Free…
2009-05-13 15:25:19来源:未知 阅读 ()
General Information
Although there are some good tutorials on setting
[url=javascript:;]VPN[/url]
connections using
[url=javascript:;]IPSec[/url]
in FreeBSD-to-FreeBSD or OpenBSD-to-OpenBSD configurations, only tutorials on setting FreeBSD-to-OpenBSD IPSec tunnels are at least partly outdated, mostly due to changes introduced in OpenBSD 3.8.
In this tutorial I'll demonstrate how to configure such a VPN connection (tunneling mode) using racoon and isakmpd IKE daemons along with x509 certificates. The IP addresses used throughout this tutorial are:
- gateway A running
[url=javascript:;]FreeBSD[/url]
with internal IP address: 192.168.0.1, and external IP: 10.0.0.1,
- gateway B running OpenBSD with internal IP address: 192.168.1.1, and external IP: 10.0.0.2.
For the purpose of this tutorial I have used FreeBSD 6.2-RELEASE and OpenBSD 4.1-RELEASE operating systems, but the configuration covered here should be applicable in any reasonably recent version as well.
Requirements
[url=javascript:;]Root[/url]
access to both FreeBSD and OpenBSD machines.
Recompiled FreeBSD
[url=javascript:;]kernel[/url]
with IPSec support according to FreeBSD Handbook.
IPsec-Tools port (/usr/ports/security/ipsec-tools) installed on FreeBSD host.
Installation
As written above, further in this tutorial I'll assume that you have an IPSec enabled FreeBSD along with /security/ipsec-tools port installed already. If not, please refer to FreeBSD Handbook on doing so.
As the ipsec-tools port doesn't create configuration directory in /usr/local/etc subtree, you'll have to create it manually:
# mkdir -p /usr/local/etc/racoon/certs
OpenBSD already contain required applications and IPSec support compiled into the GENERIC kernel, so there's no need to install anything.
Configuration
x509 Certificates
The first step toward setting the VPN over IPSec is to generate x509 certificates. In the following example I have generated all the keys and certificates on gateway B -- the OpenBSD box -- and copied to appropriate hosts afterwards. If you'll decide to generate them on FreeBSD box instead, please make sure that you have a ''x509v3.conf'' file.
Creating CA (Certificate Authority) and generating peer certificates is quite simple. The OpenBSD's isakmpd(8) manual page contains some very useful informations on doing so.
1. Create self-signed CA certificate:
# openssl req -x509 -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
2. Generate private key for the gateway A:
#
# cd /etc/ssl
openssl genrsa -out 10.0.0.1.key 1024
3. Create Certificate Signing Request for the new key:
# openssl req -new -key 10.0.0.1.key -out 10.0.0.1.csr
标签:
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有
- Freebsd oracle 10g 2009-05-13
- KDE/FreeBSD 测试 QT-4.5.1. 2009-05-13
- OpenBSD 4.5下安装Gnome 2.24成功! 2009-05-13
- OpenBSD 4.5 2009-05-13
- DragonFly BSD 2.2.1发布 2009-05-13
IDC资讯: 主机资讯 注册资讯 托管资讯 vps资讯 网站建设
网站运营: 建站经验 策划盈利 搜索优化 网站推广 免费资源
网络编程: Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术: Web服务器 Ftp服务器 Mail服务器 Dns服务器 安全防护
软件技巧: 其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷
网页制作: FrontPages Dreamweaver Javascript css photoshop fireworks Flash