IPsec (strongSwan) on CentOS 7.3
Preface: this article was compiled by the editors of cha138.com (小常识网). It walks through setting up IPsec with strongSwan on CentOS 7.3 and is meant as a reference.
1. yum install -y wget
2. wget http://download.strongswan.org/strongswan.tar.gz
   (this is an unversioned, plain-HTTP link to the latest release; download.strongswan.org also serves a detached PGP signature (.sig) next to each tarball, so verify it before building anything you will run as root)
3. tar zxvf strongswan*
4. cd strongswan*
5. yum install -y make gcc gmp-devel openssl openssl-devel
6. ./configure --sysconfdir=/etc --disable-sql --disable-mysql --disable-ldap --enable-dhcp --enable-eap-identity --enable-eap-mschapv2 --enable-md4 --enable-xauth-eap --enable-eap-peap --enable-eap-md5 --enable-openssl --enable-shared --enable-unity --enable-eap-tls --enable-eap-ttls --enable-eap-tnc --enable-eap-dynamic --enable-addrblock --enable-radattr --enable-nat-transport --enable-kernel-netlink --enable-kernel-libipsec
   (configure must run before make; --sysconfdir=/etc is what puts ipsec.conf and ipsec.secrets under /etc, where the steps below edit them. With the default prefix the binaries land in /usr/local/sbin, so the daemon is started with /usr/local/sbin/ipsec start)
7. make && sudo make install
8. vi /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # allow the same identity to be connected more than once; with one shared
    # PSK every road warrior presents the same identity, so this must be "no"
    uniqueids = no

# Add connections here.
# Sample VPN connections

# %default has to come before the connections that should inherit its values
conn %default
    keyexchange=ikev1
    dpdaction=hold
    dpddelay=600s
    dpdtimeout=5s
    lifetime=24h
    ikelifetime=240h
    rekey=no
    left=192.168.0.8
    leftsubnet=0.0.0.0/0
    # Certificate settings only matter for certificate-authenticated
    # connections; the PSK/XAuth connection below does not use them, and this
    # guide never installs a certificate, so leave them commented out unless
    # you put a host certificate in /etc/ipsec.d/certs/. (The site that
    # republished this post filtered the word "vpn" out of the file name.)
    #leftcert=vpnHostCert.pem
    #leftsendcert=always
    right=%any
    rightdns=8.8.8.8
    rightsourceip=10.0.0.0/24

conn IPsec_xauth_psk
    keyexchange=ikev1
    left=192.168.0.8
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.0.0.0/24
    auto=add
Change both occurrences of left=192.168.0.8 to your server's own IP address. The rightsourceip pool (10.0.0.0/24) is handed to clients as their virtual address; pick a range that does not overlap any network the server or the clients already use.
9. vi /etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
# Replace SECRET with the pre-shared key. The empty selector before the colon
# means this one PSK is used for every peer (required for IKEv1 main mode with
# right=%any, where the server cannot tell peers apart before the PSK is used).
: PSK "SECRET"
# One line per XAuth user.
username : XAUTH "userpassword"
Keep this file readable by root only (chmod 600 /etc/ipsec.secrets). Note the trust model: every client shares the same PSK, so anyone who has it can impersonate the server toward other clients; the per-user XAuth password only identifies the user to the server and does not repair that.
10. Check the firewall configuration
The ipsec service definition ships with firewalld; confirm it opens AH, ESP, UDP 500 (IKE) and UDP 4500 (NAT-T). Do not edit the copy under /usr/lib/firewalld, which is overwritten on package updates; if you need changes, copy the file to /etc/firewalld/services/ first.
vi /usr/lib/firewalld/services/ipsec.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>IPsec</short>
<description>Internet Protocol Security (IPsec) incorporates security for network transmissions directly into the Internet Protocol (IP). IPsec provides methods for both encrypting data and authentication for the host or network it sends to. If you plan to use a vpnc server or FreeS/WAN, do not disable this option.</description>
<port protocol="ah" port=""/>
<port protocol="esp" port=""/>
<port protocol="udp" port="500"/>
<port protocol="udp" port="4500"/>
</service>
11.firewall-cmd --permanent --add-service=ipsec
12.firewall-cmd --permanent --add-masquerade
13.firewall-cmd --reload
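Steps 8 to 13 as one script. This is an added example, not code from the original post or from the strongSwan project: it writes ipsec.conf and ipsec.secrets with the values from the steps above (with %default placed before the connection that inherits it and without the unused certificate lines), generates a random PSK instead of the literal SECRET, creates the secrets file with mode 0600 from the start, and refuses the placeholder address 192.168.0.8. The address 203.0.113.10, the user name alice, the OUT_DIR/SERVER_IP/XAUTH_* variables and all function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate and sanity-check the
# strongSwan files from the steps above. Run as root with OUT_DIR=/etc on the
# real server; everything else here is an assumption for the example.
set -eu

# 64-hex-char PSK from the kernel RNG using POSIX tools only (no openssl needed).
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Write ipsec.conf for SERVER_IP. %default comes first so its values are
# inherited; the cert lines are left out because the PSK/XAuth conn ignores them.
write_ipsec_conf() {
    out=$1 server_ip=$2 pool=${3:-10.0.0.0/24}
    cat >"$out" <<EOF
# ipsec.conf - strongSwan IPsec configuration file (generated)
config setup
    uniqueids=no

conn %default
    keyexchange=ikev1
    dpdaction=hold
    dpddelay=600s
    dpdtimeout=5s
    lifetime=24h
    ikelifetime=240h
    rekey=no
    left=$server_ip
    leftsubnet=0.0.0.0/0
    right=%any
    rightdns=8.8.8.8
    rightsourceip=$pool

conn IPsec_xauth_psk
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add
EOF
}

# Write ipsec.secrets as mode 0600 from creation (umask 077 in a subshell), so
# there is no window in which the group PSK or XAuth passwords are world-readable.
write_ipsec_secrets() {
    out=$1 psk=$2 user=$3 pass=$4
    ( umask 077
      printf ': PSK "%s"\n%s : XAUTH "%s"\n' "$psk" "$user" "$pass" >"$out" )
    chmod 600 "$out"   # in case the file already existed with wider permissions
}

# Return 0 only if FILE is readable by its owner alone.
check_secrets_mode() {
    case $(ls -ld "$1" | cut -c1-10) in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Reject the placeholder server address and a config without the pool or XAuth.
lint_ipsec_conf() {
    f=$1
    left=$(sed -n 's/^[[:space:]]*left=//p' "$f" | head -n1)
    case $left in
        ''|192.168.0.8|%any)
            echo "left= must be this server's real IP, got '${left:-<empty>}'" >&2
            return 1 ;;
    esac
    grep -q '^[[:space:]]*rightsourceip=' "$f" || { echo "rightsourceip= missing" >&2; return 1; }
    grep -q '^[[:space:]]*rightauth2=xauth' "$f" || { echo "no XAuth second-round auth" >&2; return 1; }
    return 0
}

# Live checks for the real host; each one runs only where the tool exists.
post_install_checks() {
    command -v ipsec >/dev/null 2>&1 && ipsec statusall
    [ -r /proc/sys/net/ipv4/ip_forward ] && echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
    command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --query-masquerade
    return 0
}

generate_all() {
    dir=$1 ip=$2 user=$3 pass=$4
    write_ipsec_conf "$dir/ipsec.conf" "$ip"
    lint_ipsec_conf "$dir/ipsec.conf"
    write_ipsec_secrets "$dir/ipsec.secrets" "$(gen_psk)" "$user" "$pass"
    check_secrets_mode "$dir/ipsec.secrets"
    echo "wrote $dir/ipsec.conf and $dir/ipsec.secrets (PSK is inside the secrets file)"
}

# Only acts when SERVER_IP is set, e.g. as root on the server:
#   OUT_DIR=/etc SERVER_IP=203.0.113.10 XAUTH_USER=alice XAUTH_PASS='...' sh ipsec-setup.sh
if [ -n "${SERVER_IP:-}" ]; then
    generate_all "${OUT_DIR:-.}" "$SERVER_IP" "${XAUTH_USER:-alice}" "${XAUTH_PASS:-changeme}"
    post_install_checks
fi
```

After the files are in place, start the daemon (/usr/local/sbin/ipsec start with the default prefix from step 6) and read ipsec statusall. post_install_checks also prints net.ipv4.ip_forward; it must be 1, otherwise the masquerade rule from step 12 has nothing to forward and clients connect but reach nothing.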