
Setting up an L2TP/IPsec VPN server on Linux (X.509 certificates)

2022-06-13   Source: Windows Server section

Overview

Software required (and where it comes from)

  CentOS                 the Linux server distribution
  ppp (tar.gz)           the PPP daemon, pppd
  openssl (tar.gz)       used to generate the CA, server and client certificates
  xl2tpd (tar.gz)        the L2TP daemon (the page labelled this "FreeRADIUS server", which it is not; RADIUS is not used here)
  openswan (tar.gz)      the IPsec implementation

Implementation and features

Our lab topology is shown in the figure below.

We use VMware virtual machines. The VMware network settings are:

In VMware's Virtual Network Editor, on the Host Virtual Network Mapping tab, set the VMnet used for the lab to Not bridged, click the > button to its right, enter the subnet IP and confirm.

The VPNGateway VM needs a second network adapter. Then configure each adapter in Linux according to the table below and, in the VM settings, assign each adapter to its network: one VPNGateway adapter belongs to the "public" VMnet and the other to the "private" VMnet; the default gateway is set as listed in the table.

The XP host itself is automatically on the "public" VMnet and needs no configuration.

  Machine       NIC 1 (eth)     NIC 2 (eth)     Default gateway   Network                 Role
  Windows       <address>       -               <address>         VMnet (public side)     XP client
  VPNGateway    <address>       <address>       <address>         public VMnet/private VMnet   VPN gateway
  Juniper       <address>       -               <address>         VMnet (private side)    HTTP server on the private network

The first subnet simulates the public Internet; the Windows XP machine plays a VPN client dialling in from outside.

The second subnet simulates the internal network; Juniper is a host on it acting as the company's internal HTTP server.

Setting up the server

The build steps themselves are not repeated here; the relevant configuration files follow. Values that did not survive in this copy of the page (addresses, pool ranges, sizes, lifetimes) are shown as <placeholders>.

Openswan main configuration files

  /etc/ipsec.secrets        holds private RSA keys and pre-shared secrets (PSKs)
  /etc/ipsec.conf           the configuration file (settings, options, defaults, connections)

Openswan main configuration directories

  /etc/ipsec.d/cacerts      X.509 CA (root) certificates
  /etc/ipsec.d/certs        X.509 end-entity certificates (the gateway's own and any client certificates)
  /etc/ipsec.d/private      X.509 certificate private keys (root-only)
  /etc/ipsec.d/crls         X.509 certificate revocation lists
  /etc/ipsec.d/ocspcerts    X.509 OCSP certificates (Online Certificate Status Protocol)
  /etc/ipsec.d/passwd       XAUTH password file
  /etc/ipsec.d/policies     Opportunistic Encryption policy groups

  # cat /etc/ppp/chap-secrets
  # Secrets for authentication using CHAP
  # client      server  secret      IP addresses
  test          *       test        *
  l2tptest      *       l2tptest    <fixed IP>      # this account always receives the listed address
  l2tptest…     *       l2tptest…   *               # second test account (digits in its name lost in the page); address comes from the xl2tpd pool

chap-secrets stores the passwords in clear text: keep it owned by root with mode 0600.

  # cat /etc/ipsec.secrets
  : RSA /etc/ipsec.d/private/vpngateway.key
  # <server IP> %any : PSK "<shared secret>"      (PSK alternative, commented out)

  # cat /etc/ipsec.conf
  #version

  config setup
      interfaces=%defaultroute
      nat_traversal=yes
      # RFC 1918 ranges a NAT-ed client may sit behind, excluding (!) our own internal subnet
      virtual_private=%v4:<net>,%v4:<net>,%v4:<net>,%v4:!<internal subnet>

  conn %default
      compress=yes
      authby=rsasig
      leftrsasigkey=%cert
      rightrsasigkey=%cert

  #conn roadwarrior
  #    left=<server public IP>
  #    leftcert=vpngateway.cert
  #    leftsubnet=<internal subnet>
  #    right=%any
  #    auto=add

  conn l2tp-x509
      pfs=no
      auto=add
      left=<server public IP>
      leftcert=vpngateway.cert
      leftprotoport=17/1701
      right=%any
      rightca=%same
      rightprotoport=17/%any

  #############################################################################
  # Alternative: pre-shared key authentication
  #conn l2tp-psk
  #    authby=secret
  #    pfs=no
  #    auto=add
  #    type=transport
  #    left=<server public IP>
  #    leftprotoport=17/1701
  #    right=%any
  #    rightprotoport=17/%any
  #############################################################################
  #include /etc/ipsec.d/examples/no_oe.conf

Two points worth checking in this file. rightca=%same means a client certificate is accepted only if it was issued by the same CA as the gateway's own certificate, so any certificate from a different CA placed in cacerts/ does not get a client in. And the certificate conn has no type= line, so Openswan defaults to tunnel mode, while the Windows L2TP/IPsec client negotiates transport mode (which is why the PSK example carries type=transport); if IKE fails with a mode mismatch, add the same line to the certificate conn.

  # cat /etc/ppp/options.xl2tpd
  ipcp-accept-local
  ipcp-accept-remote
  ms-dns <DNS server>
  ms-dns <DNS server>
  ms-wins <WINS server>
  ms-wins <WINS server>
  #noccp
  auth
  crtscts
  idle <seconds>
  mtu <bytes>
  mru <bytes>
  nodefaultroute
  debug
  lock
  proxyarp
  connect-delay <milliseconds>
  logfile /var/log/l2tpd.log

  # cat /etc/xl2tpd/xl2tpd.conf
  [global]
  listen-addr = <server public IP>
  port = 1701
  auth file = /etc/ppp/chap-secrets
  debug tunnel = yes

  [lns default]
  ip range = <pool start>-<pool end>
  local ip = <server-side tunnel IP>
  require chap = yes
  refuse pap = yes
  require authentication = yes
  name = mm's L2TP VPN Server
  ppp debug = yes
  pppoptfile = /etc/ppp/options.xl2tpd
  length bit = yes
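The three files above only work together if they agree with one another: the IPsec policy has to cover the port xl2tpd listens on, xl2tpd has to point at the chap-secrets file pppd actually reads, PAP has to be refused so the password never crosses the tunnel in clear, and chap-secrets itself must not be readable by other users. The script below is an added example, not something from the article; it lints two constructed configuration sets (a weak one of the kind a first attempt leaves behind, and one matching the article's settings). The file contents, the 192.0.2.x addresses and the finding names are all made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the article: a cross-check of the files above that
# have to agree with one another (the L2TP conn in ipsec.conf, xl2tpd.conf and
# chap-secrets), run over two constructed pairs: one with the weak settings a
# first attempt tends to leave behind and one matching the article. File
# contents, the 192.0.2.x addresses and the finding names are all made up here.
set -eu

# First "key = value" / "key=value" for a key; comment and blank lines ignored.
cfg_get() {   # cfg_get <file> <key>
  awk -v k="$2" -F= '
    /^[ \t]*(#|$)/ { next }
    { key = $1; val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) { print val; exit } }' "$1"
}

# Group+other permission bits as shown by ls -l ("------" is what a password file should show).
other_perms() { ls -ld "$1" | cut -c5-10; }

# Findings as one space-separated list; an empty result means every check passed.
lint_l2tp_stack() {   # lint_l2tp_stack <ipsec.conf> <xl2tpd.conf> <chap-secrets>
  f=""
  port=$(cfg_get "$2" port); [ -n "$port" ] || port=1701        # xl2tpd's default when unset
  [ "$(cfg_get "$1" leftprotoport)" = "17/$port" ] || f="$f protoport_mismatch"    # IPsec policy must cover the xl2tpd port
  [ "$(cfg_get "$1" authby)" = rsasig ]             || f="$f not_certificate_auth"
  [ "$(cfg_get "$2" 'require chap')" = yes ]        || f="$f chap_not_required"
  [ "$(cfg_get "$2" 'refuse pap')" = yes ]          || f="$f pap_not_refused"      # PAP sends the password in clear inside the tunnel
  [ "$(cfg_get "$2" 'auth file')" = "$3" ]          || f="$f auth_file_mismatch"
  [ "$(other_perms "$3")" = "------" ]              || f="$f chap_secrets_readable" # the file holds plaintext passwords
  # pppd picks one matching entry; a client name listed twice is almost always a mistake
  dups=$(awk '!/^[ \t]*(#|$)/ { print $1 }' "$3" | sort | uniq -d | paste -s -d , -)
  [ -z "$dups" ] || f="$f duplicate_client:$dups"
  echo "${f# }"
}

# Two constructed configuration sets under a scratch directory; prints its path.
make_samples() {
  d=$(mktemp -d); mkdir "$d/weak" "$d/good"
  cat > "$d/weak/ipsec.conf" <<'EOF'
conn l2tp-psk
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
EOF
  cat > "$d/weak/xl2tpd.conf" <<'EOF'
[global]
port = 1702
auth file = /etc/ppp/chap-secrets
[lns default]
require chap = yes
refuse pap = no
EOF
  printf 'test      *  test      *\ntest      *  test      192.0.2.10\n' > "$d/weak/chap-secrets"
  chmod 644 "$d/weak/chap-secrets"
  cat > "$d/good/ipsec.conf" <<'EOF'
conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn l2tp-x509
    type=transport
    leftcert=vpngateway.cert
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightprotoport=17/%any
EOF
  cat > "$d/good/xl2tpd.conf" <<EOF
[global]
port = 1701
auth file = $d/good/chap-secrets
[lns default]
require chap = yes
refuse pap = yes
require authentication = yes
EOF
  printf 'l2tptest  *  Tr0ub4dor&3  192.0.2.10\n' > "$d/good/chap-secrets"
  chmod 600 "$d/good/chap-secrets"
  echo "$d"
}

D=$(make_samples)
echo "weak: $(lint_l2tp_stack "$D/weak/ipsec.conf" "$D/weak/xl2tpd.conf" "$D/weak/chap-secrets")"
echo "good: [$(lint_l2tp_stack "$D/good/ipsec.conf" "$D/good/xl2tpd.conf" "$D/good/chap-secrets")]"
```

The weak set reports every mismatch in one line (port 1702 versus leftprotoport=17/1701, PSK instead of certificates, PAP allowed, a chap-secrets path xl2tpd does not read, a world-readable password file and a duplicated client name); the set that mirrors the article's settings reports nothing. Run it against the real /etc paths as root before starting the daemons, since the daemons themselves do not cross-check each other's files.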

Copy the certificates into place (when copying between machines, use an authenticated, encrypted channel such as scp; the private key in particular must never travel over an unauthenticated path). /etc/ipsec.d/private and the key file in it should be readable by root only (mode 0600):

  # cp cacert.pem /etc/ipsec.d/cacerts
  # cp vpngateway.cert /etc/ipsec.d/certs
  # cp vpngateway.key /etc/ipsec.d/private
  # cp crl.pem /etc/ipsec.d/crls/

CA working directory: /root/CA

  # openssl req -x509 -days <days> -newkey rsa:<bits> -keyout cakey.pem -out cacert.pem
  # mkdir newcerts
  # touch index.txt
  # echo <first serial number> > serial
  # echo <first CRL number> > crlnumber
  # mkdir private
  # cp cakey.pem ./private/
  # openssl ca -gencrl -out crl.pem
  # openssl req -newkey rsa:<bits> -keyout vpngateway.key -out vpngatewayreq.pem
  # openssl ca -in ./vpngatewayreq.pem -days <days> -out ./vpngateway.cert -notext
  # openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out demoCA.p12

openssl ca takes the location of newcerts/, index.txt, serial, crlnumber and the CA key from the [CA_default] section of the active openssl.cnf, so the layout created above has to match that section. Note also that the last command bundles the CA's private key into demoCA.p12: a Windows client only needs cacert.pem (imported as a trusted root) to validate the gateway, so the CA key should stay on the CA host and not be exported to client machines.

Now generate the Windows client's private key and certificate:

  # openssl req -newkey rsa:<bits> -keyout windows.key -out windowsreq.pem
  # openssl ca -in ./windowsreq.pem -days <days> -out ./windows.cert -notext
  # openssl pkcs12 -export -in windows.cert -inkey windows.key -out windows.p12

Note: when exporting the .p12 file you are first asked for the passphrase protecting the private key given with -inkey (windows.key here), then for a new export password that will protect the certificate and key inside the .p12 file, which you confirm a second time.
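The certificate steps above (the CA layout, the two issued certificates, the PKCS#12 for Windows, the CRL) and the earlier copy step into /etc/ipsec.d are scripted below as an added example; it is not the article's own script. It drives openssl ca with an explicit minimal openssl.cnf, so the index.txt/serial/newcerts files the article creates by hand are shown in the section that consumes them, and it goes one step further than the article by revoking the client certificate and checking that a verifier using the CRL rejects it. Everything site-specific is an assumption: a mktemp scratch directory instead of /root/CA, the CN values, 2048-bit keys, the lifetimes, an unencrypted CA key (-nodes, for the demo only) and the PKCS#12 password.

```shell
#!/bin/sh
# Added example, not the article's script: the X.509 steps above run through
# `openssl ca` with an explicit minimal openssl.cnf (so the index.txt/serial/
# newcerts layout is visible), then the copy step into an ipsec.d-style tree.
# Assumptions, none from the article: a mktemp scratch dir instead of /root/CA,
# the CN values, 2048-bit keys, lifetimes, an unencrypted CA key (-nodes; keep
# the real one encrypted and offline) and the PKCS#12 password.
set -eu
CA_DIR=""              # set by ca_init
P12_PASS="changeit"    # assumption: password typed into the Windows import wizard

# CA directory layout plus a self-signed CA certificate and an (empty) first CRL.
ca_init() {
  CA_DIR=$(mktemp -d)
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private" && chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"                                      # certificate database
  echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"    # next serial / CRL number (hex)
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
x509_extensions = end_entity
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ end_entity ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$CA_DIR/openssl.cnf" \
    -extensions v3_ca -subj "/CN=Example VPN CA" \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Key + CSR for one host, signed by the CA. -notext omits the text dump, the
# form Openswan wants in /etc/ipsec.d/certs.
issue_cert() {   # issue_cert <name>
  openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" -subj "/CN=$1" \
    -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.req.pem" 2>/dev/null
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -days 365 -notext \
    -in "$CA_DIR/$1.req.pem" -out "$CA_DIR/$1.cert" 2>/dev/null
}

# Client key + cert + CA cert (for the chain; never the CA key) in one PKCS#12
# for the Windows import wizard; read back to prove it opens with the password.
export_p12() {   # export_p12 <name> -> prints the bundled client cert's subject
  openssl pkcs12 -export -in "$CA_DIR/$1.cert" -inkey "$CA_DIR/$1.key" -certfile "$CA_DIR/cacert.pem" \
    -name "$1" -passout "pass:$P12_PASS" -out "$CA_DIR/$1.p12"
  openssl pkcs12 -in "$CA_DIR/$1.p12" -passin "pass:$P12_PASS" -nokeys -clcerts | openssl x509 -noout -subject
}

# Revoke one certificate and publish a fresh CRL (what goes into /etc/ipsec.d/crls).
revoke_cert() {   # revoke_cert <name>
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1.cert" 2>/dev/null
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Chain + CRL check: the decision Openswan makes from cacerts/ and crls/.
verify_cert() {   # verify_cert <name> -> prints OK or REJECTED
  if openssl verify -CAfile "$CA_DIR/cacert.pem" -CRLfile "$CA_DIR/crl.pem" -crl_check "$CA_DIR/$1.cert" >/dev/null 2>&1
  then echo OK; else echo REJECTED; fi
}

# The article's copy step into a staging tree shaped like /etc/ipsec.d: the key 0600, the rest 0644.
install_into_ipsec_d() {   # install_into_ipsec_d <gateway-name> -> prints tree root
  root=$(mktemp -d); mkdir -p "$root/cacerts" "$root/certs" "$root/private" "$root/crls"
  chmod 700 "$root/private"
  install -m 0644 "$CA_DIR/cacert.pem" "$root/cacerts/"; install -m 0644 "$CA_DIR/$1.cert" "$root/certs/"
  install -m 0600 "$CA_DIR/$1.key" "$root/private/";  install -m 0644 "$CA_DIR/crl.pem" "$root/crls/"
  echo "$root"
}

demo() {
  ca_init; issue_cert vpngateway; issue_cert windows
  echo "windows.p12 holds: $(export_p12 windows)"
  echo "gateway: $(verify_cert vpngateway)  client: $(verify_cert windows)"
  revoke_cert windows; echo "client after revocation: $(verify_cert windows)"
  echo "staged ipsec.d tree: $(install_into_ipsec_d vpngateway)"
}
demo
```

Two practical notes. The export password protects the bundle in transit to the Windows machine; pick it independently of any CHAP password, since chap-secrets on the server stores that one in clear. And on OpenSSL 3 the default PKCS#12 encryption (AES with PBKDF2) is not understood by old Windows releases such as XP; openssl pkcs12 -export has a -legacy option for that case, which is omitted above because it requires the legacy provider.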

Dial in with user l2tptest, password l2tptest:

The address assigned is the fixed one given for that account in /etc/ppp/chap-secrets.


Dial in with the second test account (the chap-secrets entry with * in the IP column):

The address assigned comes from xl2tpd's ip range pool.


A complete dial-in session looks like this in the xl2tpd log (addresses, ports and tunnel IDs did not survive in this copy of the page):

  xl2tpd: build_fdset: closing down tunnel <id>
  xl2tpd: get_call: allocating new tunnel for host <client IP>, port <port>
  xl2tpd: get_call: allocating new tunnel for host <client IP>, port <port>
  xl2tpd: control_finish: Peer requested tunnel <id> twice, ignoring second one
  xl2tpd: build_fdset: closing down tunnel <id>
  xl2tpd: Connection established to <client IP>, <port>. Local: <id>, Remote: <id> (ref=<n>/<n>). LNS session is 'default'
  xl2tpd: start_pppd: I'm running:
  xl2tpd: /usr/sbin/pppd
  xl2tpd: passive
  xl2tpd: -detach
  xl2tpd: <local IP>:<remote IP>
  xl2tpd: refuse-pap
  xl2tpd: auth
  xl2tpd: require-chap
  xl2tpd: name
  xl2tpd: mm's L2TP VPN Server
  xl2tpd: debug
  xl2tpd: file
  xl2tpd: /etc/ppp/options.xl2tpd
  xl2tpd: /dev/pts/<n>
  xl2tpd: Call established with <client IP>, Local: <id>, Remote: <id>, Serial: <n>
  xl2tpd: network_thread: select timeout
  xl2tpd: network_thread: select timeout
  xl2tpd: child_handler: pppd exited for call <id> with code <n>
  xl2tpd: call_close: Call <id> to <client IP> disconnected
  xl2tpd: control_finish: Connection closed to <client IP>, port <port> (<reason>), Local: <id>, Remote: <id>
  xl2tpd: build_fdset: closing down tunnel <id>
  xl2tpd: Trustingly terminating pppd: sending TERM signal to pid <pid>
  xl2tpd: pppd successfully terminated

The "refuse-pap ... require-chap" arguments in the pppd command line are the xl2tpd.conf settings above taking effect; "LNS session is 'default'" confirms the [lns default] section is the one being used.

That is as far as this look at building an L2TP/IPsec VPN server goes; many details remain to be studied and practised.


From:http://tw.wingwit.com/Article/os/fwq/201405/30694.html