Manual IPSec-VPN configuration guide for neutron-vpnaas under openswan
Source: Internet | Editor: 程序博客网 | Time: 2024/06/10 01:40
openswan supports several authentication methods, including RSA keys, pre-shared keys (PSK) and x.509 certificates.
neutron-vpnaas uses PSK authentication by default. Below, starting from the PSK setup that neutron-vpnaas generates automatically, we edit the existing ipsec.conf to switch the authentication of an already established ipsec-vpn connection from PSK to RSA digital-signature authentication, and then to X.509 certificate authentication, and make sure the connection renegotiates successfully after a restart.
In neutron-vpnaas the ipsec-vpn tunnel is built on a virtual router; its ipsec.conf lives in the ipsec directory named after the router_id, specifically /opt/stack/data/neutron/ipsec/$router_id/.
1. Main Openswan configuration files
- /etc/ipsec.secrets: stores private RSA keys and pre-shared secrets (PSKs)
- /etc/ipsec.conf: main OpenSWan configuration file (settings, options, defaults, connections)
- /etc/ipsec.d/cacerts: X.509 CA certificates
- /etc/ipsec.d/certs: client or server X.509 certificates
- /etc/ipsec.d/crls: X.509 certificate revocation lists
- /etc/ipsec.d/private: X.509 private keys
- /etc/ipsec.d/ocspcerts: X.509 OCSP certificates
- /etc/ipsec.d/policies: Opportunistic Encryption policy groups
2. Configuring RSA signature authentication
Configuring RSA signature authentication is fairly simple; it mainly involves editing ipsec.secrets and ipsec.conf.
First, the commands used.
Generate a new RSA key pair:
    ipsec newhostkey --output /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.secrets
Do the same to generate an RSA key pair for the other router:
    ipsec newhostkey --output /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/etc/ipsec.secrets
Then edit ipsec.conf:
    config setup
        interfaces=%defaultroute
        nat_traversal=yes
    conn %default
        authby=rsasig    ### changed here from secret to rsasig
        compress=yes
    conn 67acd96e-95c9-48ea-8650-5aae7201436f
        left=192.168.30.40
        leftsubnet=192.168.10.0/24
        leftid=192.168.30.40    ### the id can be left out here
        leftnexthop=%defaultroute
        right=192.168.30.44
        rightsubnet=192.168.20.0/24
        rightid=192.168.30.44    ### the id can be left out here
        rightnexthop=%defaultroute
        # RSA 2192 bits melin Mon May 29 03:42:49 2006
        leftrsasigkey=0sAQ...    ### this end's (06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb) key: the public key, i.e. the #pubkey= line that newhostkey wrote into its ipsec.secrets
        # RSA 2192 bits right Wed May 31 22:11:59 2006
        rightrsasigkey=0sAQ...    ### the peer's (b45c944d-4fae-411c-9e40-f5a71c0e6690) key: the #pubkey= value from its ipsec.secrets
        auto=start
Edit the other router's ipsec.conf the same way.
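The value that goes into leftrsasigkey/rightrsasigkey is the public half that ipsec newhostkey records as a "#pubkey=" comment in each router's ipsec.secrets. As an added example (not code from the original post), this script extracts that value from constructed sample secrets files, emits the two conn lines, and refuses a file that carries the private fields, so nothing private is ever pasted into ipsec.conf; the file paths and key strings are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. "ipsec newhostkey" writes the key
# pair into ipsec.secrets and records the public half on a "#pubkey=0s..." line.
# That public value is what leftrsasigkey= / rightrsasigkey= need in ipsec.conf;
# the ": RSA {" block with PrivateExponent etc. must stay in ipsec.secrets.
# The secrets files and key strings below are constructed sample data.

# Write a constructed ipsec.secrets in the layout newhostkey produces.
# $1 = output path, $2 = public-key value to record on the #pubkey= line
make_sample_secrets() {
    cat > "$1" <<EOF
: RSA {
    # RSA 2192 bits router Mon May 29 03:42:49 2006
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=$2
    Modulus: 0xdeadbeef
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x0badcafe
    }
EOF
}

# Print the 0s... public key from an ipsec.secrets file; fail if none is there.
pubkey_from_secrets() {
    sed -n 's|^[[:space:]]*#pubkey=\(0s[A-Za-z0-9+/=]*\).*|\1|p' "$1" | head -n 1 | grep .
}

# Emit the two ipsec.conf lines for a conn.
# $1 = this router's ipsec.secrets, $2 = the peer router's ipsec.secrets
rsasig_conn_lines() {
    local_pub=$(pubkey_from_secrets "$1") || { echo "no #pubkey= in $1" >&2; return 1; }
    peer_pub=$(pubkey_from_secrets "$2") || { echo "no #pubkey= in $2" >&2; return 1; }
    printf '    leftrsasigkey=%s\n    rightrsasigkey=%s\n' "$local_pub" "$peer_pub"
}

# True if a file contains private RSA fields: a whole secrets block was pasted
# where only the #pubkey= value belongs (e.g. into ipsec.conf or sent to the peer).
contains_private_material() {
    grep -Eq '^[[:space:]]*(PrivateExponent|Prime1|Prime2|Exponent1|Exponent2|Coefficient):' "$1"
}
```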
Then restart the pluto process and re-establish the ipsec connection with the following commands:
    # router 06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb: check status, terminate the connection, stop pluto
    ip netns exec qrouter-06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/var/run/pluto --status
    ip netns exec qrouter-06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/var/run/pluto --name 67acd96e-95c9-48ea-8650-5aae7201436f/0x1 --terminate
    ip netns exec qrouter-06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/var/run/pluto --shutdown
    # start pluto again with the router's own ipsecdir and secrets file
    ip netns exec qrouter-06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc --use-netkey --uniqueids --nat_traversal --debug-all --secretsfile /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.secrets --virtual_private %v4:192.168.10.0/24,%v4:192.168.20.0/24
    # load the conn from ipsec.conf, listen, and initiate
    ip netns exec qrouter-06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb ipsec addconn --ctlbase /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/var/run/pluto.ctl --defaultroutenexthop 192.168.30.44 --config /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.conf 67acd96e-95c9-48ea-8650-5aae7201436f
    ip netns exec qrouter-06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/var/run/pluto --listen
    ip netns exec qrouter-06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/var/run/pluto --name 67acd96e-95c9-48ea-8650-5aae7201436f --asynchronous --initiate
    # router b45c944d-4fae-411c-9e40-f5a71c0e6690: the same sequence
    ip netns exec qrouter-b45c944d-4fae-411c-9e40-f5a71c0e6690 ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/var/run/pluto --status
    ip netns exec qrouter-b45c944d-4fae-411c-9e40-f5a71c0e6690 ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/var/run/pluto --name 7849b027-f0e9-4dda-9dd8-cdaa9937afc6/0x1 --terminate
    ip netns exec qrouter-b45c944d-4fae-411c-9e40-f5a71c0e6690 ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/var/run/pluto --shutdown
    ip netns exec qrouter-b45c944d-4fae-411c-9e40-f5a71c0e6690 /usr/lib/ipsec/pluto --ctlbase /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/var/run/pluto --ipsecdir /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/etc --use-netkey --uniqueids --nat_traversal --debug-all --secretsfile /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/etc/ipsec.secrets --virtual_private %v4:192.168.20.0/24,%v4:192.168.10.0/24
    ip netns exec qrouter-b45c944d-4fae-411c-9e40-f5a71c0e6690 ipsec addconn --ctlbase /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/var/run/pluto.ctl --defaultroutenexthop 192.168.30.40 --config /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/etc/ipsec.conf 7849b027-f0e9-4dda-9dd8-cdaa9937afc6
    ip netns exec qrouter-b45c944d-4fae-411c-9e40-f5a71c0e6690 ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/var/run/pluto --listen
    ip netns exec qrouter-b45c944d-4fae-411c-9e40-f5a71c0e6690 ipsec whack --ctlbase /opt/stack/data/neutron/ipsec/b45c944d-4fae-411c-9e40-f5a71c0e6690/var/run/pluto --name 7849b027-f0e9-4dda-9dd8-cdaa9937afc6 --asynchronous --initiate
Finally, negotiation succeeds, the ipsec-vpn tunnel is established, and traffic between the subnets works normally.
3. Configuring x.509 certificate authentication
The certificates are generated as follows:
1) Create a self-made CA certificate
1. Create the private key:
    openssl genrsa -out ca/ca-key.pem 1024
2. Create the certificate request:
    openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
    -----
    Country Name (2 letter code) [AU]:cn
    State or Province Name (full name) [Some-State]:hubei
    Locality Name (eg, city) []:wuhan
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:fh
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, YOUR name) []:root
    Email Address []:zczhu
3. Self-sign the certificate:
    openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
2) Generate the server certificate, used as the certificate of one of the virtual routers, 06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb
1. Create the private key:
    openssl genrsa -out server/server-key.pem 1024
2. Create the certificate request:
    openssl req -new -out server/server-req.csr -key server/server-key.pem
    -----
    Country Name (2 letter code) [AU]:cn
    State or Province Name (full name) [Some-State]:hubei
    Locality Name (eg, city) []:wuhan
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:fh
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, YOUR name) []:192.168.30.40    ## this parameter matters: it must be the IP address the gateway sits on; I use the router's external gateway address
    Email Address []:zczhu
3. Sign the certificate:
    openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
3) Generate the client certificate, used as the certificate of the other virtual router, b45c944d-4fae-411c-9e40-f5a71c0e6690
1. Create the private key:
    openssl genrsa -out client/client-key.pem 1024
2. Create the certificate request:
    openssl req -new -out client/client-req.csr -key client/client-key.pem
    -----
    Country Name (2 letter code) [AU]:cn
    State or Province Name (full name) [Some-State]:hubei
    Locality Name (eg, city) []:wuhan
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:fh
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, YOUR name) []:192.168.30.44
    Email Address []:zczhu
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:tsing
3. Sign the certificate:
    openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
The ipsec-vpn implementation in neutron-vpnaas makes no clear distinction between server and client: each router can be either the responder or the initiator.
4) The steps above produce the following files
- ca-cert.pem, ca-key.pem
- server-cert.pem: copy into the ipsec directory under both router_ids, e.g. /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.d/certs/
- server-key.pem: copy into the ipsec directory under both router_ids, e.g. /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.d/private/
- client-cert.pem: copy into the ipsec directory under both router_ids, e.g. /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.d/certs
- client-key.pem: copy into the ipsec directory under both router_ids, e.g. /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.d/private/
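As an added example (not code from the original post), the certificate steps above done non-interactively with -subj in place of the prompts, followed by the two checks worth running before the files are copied into ipsec.d: that the router certificate chains to the CA, and that its CN is exactly the gateway address used as left= in ipsec.conf (the rule stressed in step 2). The directory layout and subject fields are constructed, and 2048-bit keys are used in place of the post's 1024-bit ones.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the CA and one router
# certificate the way steps 1) and 2) do, then checks the two properties the
# tunnel depends on: the cert verifies against ca-cert.pem, and its CN equals
# the gateway IP that ipsec.conf uses as left=. Directory names are constructed.

# Build a self-signed CA and one router certificate signed by it under $1.
# $2 = gateway IP to use as the router certificate's CN.
make_pki() {
    mkdir -p "$1/ca" "$1/router"
    openssl genrsa -out "$1/ca/ca-key.pem" 2048 2>/dev/null
    # self-signed CA certificate (steps 1.2 and 1.3 of the post in one command)
    openssl req -new -x509 -key "$1/ca/ca-key.pem" -out "$1/ca/ca-cert.pem" -days 3650 \
        -subj "/C=cn/ST=hubei/L=wuhan/O=fh/OU=it/CN=root" 2>/dev/null
    openssl genrsa -out "$1/router/router-key.pem" 2048 2>/dev/null
    # router request with CN = gateway address, then signed by the CA
    openssl req -new -key "$1/router/router-key.pem" -out "$1/router/router-req.csr" \
        -subj "/C=cn/ST=hubei/L=wuhan/O=fh/OU=it/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1/router/router-req.csr" -out "$1/router/router-cert.pem" \
        -CA "$1/ca/ca-cert.pem" -CAkey "$1/ca/ca-key.pem" -CAcreateserial -days 3650 2>/dev/null
}

# True only if certificate $2 verifies against the CA certificate $1.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the CN of a certificate's subject (works for both old "/CN=" and
# new "CN = " subject formats printed by openssl).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# True if the certificate's CN equals the gateway address $2 (the left= value).
cert_cn_matches_gateway() {
    [ "$(cert_cn "$1")" = "$2" ]
}
```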
Edit ipsec.conf and ipsec.secrets as follows.
On the 192.168.30.40 side:
ipsec.secrets
    # Configuration for vpn1
    #192.168.30.40 192.168.30.44 : PSK "321"
    : RSA /opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.d/private/server-key.pem "pass"
ipsec.conf
    # Configuration for vpn1
    config setup
        nat_traversal=yes
    conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        keyingtries=%forever
        ikelifetime=480m
        keylife=60m
    conn 67acd96e-95c9-48ea-8650-5aae7201436f
        # NOTE: a default route is required for %defaultroute to work...
        leftnexthop=%defaultroute
        rightnexthop=%defaultroute
        left=192.168.30.40
        #leftid=192.168.30.40
        leftcert=/opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.d/certs/server-cert.pem
        pfs=yes
        leftsendcert=always
        auto=start
        # NOTE:REQUIRED
        # [subnet]
        leftsubnet=192.168.10.0/24
        # [updown]
        # What "updown" script to run to adjust routing and/or firewalling when
        # the status of the connection changes (default "ipsec _updown").
        # "--route yes" allows to specify such routing options as mtu and metric.
        leftupdown="ipsec _updown --route yes"
        ######################
        # ipsec_site_connections
        ######################
        # [peer_address]
        right=192.168.30.44
        #rightid=192.168.30.44
        # [peer_id]
        rightcert=/opt/stack/data/neutron/ipsec/06d2d670-8796-4ee5-beb1-d0ae1cf0e9bb/etc/ipsec.d/certs/client-cert.pem
        # [peer_cidrs]
        rightsubnets={ 192.168.20.0/24 }
        # rightsubnet=networkA/netmaskA, networkB/netmaskB (IKEv2 only)
        # [mtu]
        mtu=1500
        # [dpd_action]
        dpdaction=hold
        # [dpd_interval]
        dpddelay=30
        # [dpd_timeout]
        dpdtimeout=120
        # [auth_mode]
        ######################
        # IKEPolicy params
        ######################
        #ike version
        ikev2=never
        # [encryption_algorithm]-[auth_algorithm]-[pfs]
        ike=aes128-sha1;modp1536
        # [lifetime_value]
        ikelifetime=3600s
        # NOTE: it looks lifetime_units=kilobytes can't be enforced (could be seconds, hours, days...)
        ##########################
        # IPsecPolicys params
        ##########################
        # [transform_protocol]
        auth=esp
        # [encryption_algorithm]-[auth_algorithm]-[pfs]
        phase2alg=aes128-sha1;modp1536
        # [encapsulation_mode]
        type=tunnel
        # [lifetime_value]
        lifetime=3600s
        # lifebytes=100000 if lifetime_units=kilobytes (IKEv2 only)
Configure the other router's ipsec.conf and ipsec.secrets the same way, then restart pluto using the same method as above to bring up the ipsec-vpn connection and complete negotiation.
4. References
Detailed guide to configuring IPSec VPN on Linux with OpenSWAN
Steps to generate a CA certificate with openssl