IPSec-Tools Configuration
Source: Baidu Wenku | Editor: 中财网 | Date: 2024/05/03 00:47:54
1 Introduction

Since Linux 2.6 the kernel has shipped with its own IPsec implementation; combined with IPSec-Tools it provides complete IPsec functionality on Linux. IPSec-Tools consists of four components: libipsec, setkey, racoon and racoonctl. setkey configures the SAD (Security Association Database) and the SPD (Security Policy Database); racoon performs IKE negotiation. This article uses the simplest possible network (two directly connected PCs, both running Linux 2.6.27) to show how IPSec-Tools sets up transport-mode IPsec, first through IKE and then through manual keying. By default the IPSec-Tools configuration files live in /etc/racoon: setkey.conf holds the SAD and SPD configuration, and racoon.conf specifies how each IKE negotiation phase is carried out.

2 Topology

3 IKE Configuration
1) Use pre-shared key authentication. Create the file psk.txt in /etc/racoon. On host A, psk.txt contains:

    192.168.59.133 mekmitasdigoat

On host B, psk.txt contains:

    192.168.59.132 mekmitasdigoat

After creating psk.txt, run: chmod 600 psk.txt

2) Open setkey.conf. On host A enter:

    flush;
    spdflush;
    spdadd 192.168.59.132 192.168.59.133 any -P out ipsec esp/transport//require;
    spdadd 192.168.59.133 192.168.59.132 any -P in ipsec esp/transport//require;

On host B enter:

    flush;
    spdflush;
    spdadd 192.168.59.132 192.168.59.133 any -P in ipsec esp/transport//require;
    spdadd 192.168.59.133 192.168.59.132 any -P out ipsec esp/transport//require;

3) Open racoon.conf on both host A and host B and enter the following content on each:

    path include "/etc/racoon";                  # location of configuration files
    path pre_shared_key "/etc/racoon/psk.txt";   # pre-shared key file
    path certificate "/etc/racoon/cert";         # certificate directory
    log notify;

    # "padding" defines some parameter of padding. You should not touch these.
    padding
    {
        maximum_length 20;    # maximum padding length.
        randomize off;        # enable randomize length.
        strict_check off;     # enable strict check.
        exclusive_tail off;   # extract last one octet.
    }

    # if no listen directive is specified, racoon will listen to all
    # available interface addresses.
    listen
    {
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];        # administrative's port by kmpstat.
        #strict_address;      # required all addresses must be bound.
        adminsock "/var/run/racoon/racoon.sock" "root" "users" 660;
    }

    # Specification of default various timer.
    timer
    {
        # These value can be changed per remote node.
        counter 5;            # maximum trying count to send.
        interval 20 sec;      # maximum interval to resend.
        persend 1;            # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
    }

    remote anonymous          # phase 1 negotiation
    {
        exchange_mode main;   # main: main mode, aggressive: aggressive mode
        lifetime time 24 hour;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 1;
        }
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group 1;
        }
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 1;
        }
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group 1;
        }
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 1;
        }
    }

    sainfo anonymous          # phase 2 negotiation
    {
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

racoon offers the proposals in the order listed and the peer accepts the first match, so the repeated sha1/md5 entries above add nothing beyond the first two. 3DES, MD5 and DH group 1 (768-bit MODP) are weak by current standards; on a current racoon build, AES, SHA-2 and a larger DH group such as group 14 are the appropriate choices.

4) Run /usr/sbin/racoon -f /etc/racoon/racoon.conf to start the IKE negotiation daemon.

5) Ping host B from host A. A packet capture on the path shows the IKE negotiation packets first; once negotiation completes, ESP packets appear and the ping succeeds.

4 Manual Configuration
1) setkey.conf settings. On host A, setkey.conf contains:

    flush;
    spdflush;
    add 192.168.59.132 192.168.59.133 esp 24501 -E 3des-cbc "123456789012123456789012";
    add 192.168.59.133 192.168.59.132 esp 24502 -E 3des-cbc "123456789012123456789012";
    spdadd 192.168.59.132 192.168.59.133 any -P out ipsec esp/transport//require;
    spdadd 192.168.59.133 192.168.59.132 any -P in ipsec esp/transport//require;

On host B, setkey.conf contains the same two SAs with the policy directions swapped:

    flush;
    spdflush;
    add 192.168.59.132 192.168.59.133 esp 24501 -E 3des-cbc "123456789012123456789012";
    add 192.168.59.133 192.168.59.132 esp 24502 -E 3des-cbc "123456789012123456789012";
    spdadd 192.168.59.132 192.168.59.133 any -P in ipsec esp/transport//require;
    spdadd 192.168.59.133 192.168.59.132 any -P out ipsec esp/transport//require;

The quoted key is taken as a literal 24-byte ASCII string, which is the length 3des-cbc requires; setkey also accepts hex keys with a 0x prefix, which is the form to use for randomly generated keys.

2) Run setkey -f /etc/racoon/setkey.conf

3) Ping host B from host A. A packet capture on the path shows ESP packets and the ping succeeds.

5 Other

setkey -D: display the SAD entries; setkey -DP: display the SPD entries.
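The manual-keying section above requires host A's "out" policy to be host B's "in" policy while both hosts load identical SAs; getting one direction wrong silently breaks the tunnel. The following Python script is an added example, not code from the article or from IPSec-Tools: it generates both setkey.conf files from a single SA list (the addresses, SPIs and keys are the article's sample values, reused here as constructed input), validates the 3des-cbc key length and SPI range, and checks that the two generated policy sets mirror each other.

```python
from typing import List, Tuple

# (src, dst, spi, cipher, key); both hosts load identical SAD entries.
SA = Tuple[str, str, int, str, str]
KEY_LEN = {"3des-cbc": 24}   # 3des-cbc takes a 192-bit key; setkey rejects others
# Constructed sample values, taken from the article's manual-keying example.
HOST_A, HOST_B = "192.168.59.132", "192.168.59.133"
SAS: List[SA] = [
    (HOST_A, HOST_B, 24501, "3des-cbc", "123456789012123456789012"),
    (HOST_B, HOST_A, 24502, "3des-cbc", "123456789012123456789012"),
]


def sa_lines(sas: List[SA]) -> List[str]:
    """Emit one 'add' line per SA after checking key length and SPI range."""
    lines = []
    for src, dst, spi, cipher, key in sas:
        if len(key.encode()) != KEY_LEN[cipher]:
            raise ValueError(f"{cipher} key for SPI {spi} must be {KEY_LEN[cipher]} bytes")
        if spi <= 255:
            raise ValueError(f"SPI {spi} lies in the reserved range 0-255")
        lines.append(f'add {src} {dst} esp {spi} -E {cipher} "{key}";')
    return lines


def spd_lines(local: str, sas: List[SA]) -> List[str]:
    """Derive direction from the local address: packets sourced here are 'out',
    the rest 'in', so host A's out policy is automatically host B's in policy."""
    return [f"spdadd {src} {dst} any -P {'out' if src == local else 'in'} "
            "ipsec esp/transport//require;" for src, dst, *_ in sas]


def build_conf(local: str, sas: List[SA]) -> str:
    """Full setkey.conf for one host: flush both databases, then SAs, then SPs."""
    return "\n".join(["flush;", "spdflush;"] + sa_lines(sas) + spd_lines(local, sas)) + "\n"


def check_mirrored(conf_a: str, conf_b: str) -> bool:
    """Every 'out' policy on one host must be the matching 'in' policy on the other."""
    def policies(conf: str) -> dict:
        rows = [l.split() for l in conf.splitlines() if l.startswith("spdadd")]
        return {(r[1], r[2]): r[5] for r in rows}   # (src, dst) -> "in" / "out"
    pa, pb = policies(conf_a), policies(conf_b)
    return pa.keys() == pb.keys() and all(pa[k] != pb[k] for k in pa)
```

Running `build_conf(HOST_A, SAS)` and `build_conf(HOST_B, SAS)` reproduces the two files from the section above, and `check_mirrored` returns False if the same file were copied to both hosts.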