ipsec-tools depends on the Linux 2.6 kernel, so a 2.6 kernel must be compiled and installed before ipsec-tools; 2.6.34.1 is used as the example here.

Move the kernel source into /usr/src/kernels/, unpack it and run the menu configuration from the unpacked tree:
mv linux-2.6.34.1.tar.bz2 /usr/src/kernels/
cd /usr/src/kernels/
tar -jxvf linux-2.6.34.1.tar.bz2
cd linux-2.6.34.1
make menuconfig

Enable the encryption and decryption modules. If make menuconfig fails with
'make menuconfig' requires the ncurses libraries.
the cause is that the menu configuration is being run from a terminal session on the host and the required ncurses package is missing; install it:
yum install ncurses-devel

Select the following options (shown as the kernel config prompts, with the chosen answer):
Networking support (NET) [Y/n/?] y
Networking options:
PF_KEY sockets (NET_KEY) [Y/n/m/?] y
IP: AH transformation (INET_AH) [Y/n/m/?] y
IP: ESP transformation (INET_ESP) [Y/n/m/?] y
IP: IPsec user configuration interface (XFRM_USER) [Y/n/m/?] y
Cryptographic API (CRYPTO) [Y/n/?] y
HMAC support (CRYPTO_HMAC) [Y/n/?] y
Null algorithms (CRYPTO_NULL) [Y/n/m/?] y
MD5 digest algorithm (CRYPTO_MD5) [Y/n/m/?] y
SHA1 digest algorithm (CRYPTO_SHA1) [Y/n/m/?] y
DES and Triple DES EDE cipher algorithms (CRYPTO_DES) [Y/n/m/?] y
AES cipher algorithms (CRYPTO_AES) [Y/n/m/?] y
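The options above can be verified on the finished kernel instead of relying on what was clicked in menuconfig. The shell function below is an added example (not part of the original post): it greps a kernel config file for every option the post enables and lists the ones that are neither built in nor modules. The function name check_ipsec_kconfig and the variable IPSEC_KCONFIG_OPTS are my own, the embedded sample config is constructed, and the real-system path /boot/config-$(uname -r) assumes make install copied .config into /boot as it does on CentOS.

```shell
#!/bin/sh
# Added example: verify that a kernel config file enables every option the
# post turns on under "make menuconfig" (Kconfig symbols without CONFIG_).
IPSEC_KCONFIG_OPTS="NET NET_KEY INET_AH INET_ESP XFRM_USER CRYPTO CRYPTO_HMAC \
CRYPTO_NULL CRYPTO_MD5 CRYPTO_SHA1 CRYPTO_DES CRYPTO_AES"

# check_ipsec_kconfig FILE
# Prints one line per option that is neither built in (=y) nor a module (=m).
# Returns 0 when every option is enabled, 1 otherwise.
check_ipsec_kconfig() {
    cfg="$1"
    missing=0
    for opt in $IPSEC_KCONFIG_OPTS; do
        if ! grep -Eq "^CONFIG_${opt}=[ym]\$" "$cfg"; then
            echo "CONFIG_${opt} is not enabled"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample config for a stand-alone run: ESP and AES are disabled.
# Without INET_ESP the esp/tunnel policies in setkey.conf can never be met.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
CONFIG_NET=y
CONFIG_NET_KEY=y
CONFIG_INET_AH=m
# CONFIG_INET_ESP is not set
CONFIG_XFRM_USER=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_NULL=m
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_DES=m
# CONFIG_CRYPTO_AES is not set
EOF
if check_ipsec_kconfig "$sample_cfg"; then
    echo "kernel config enables all IPsec options"
else
    echo "kernel config is incomplete"   # this branch runs for the sample
fi
rm -f "$sample_cfg"
# On the real system (assumed path): check_ipsec_kconfig /boot/config-$(uname -r)
```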
make

If the build stops with
gcc: error: elf_i386: No such file or directory
edit the vDSO makefile:
vim arch/x86/vdso/Makefile
Find VDSO_LDFLAGS_vdso.lds = -m elf_x86_64 and change -m elf_x86_64 to -m64; then find VDSO_LDFLAGS_vdso32.lds = -m elf_i386 and change -m elf_i386 to -m32.

drivers/net/igbvf/igbvf.h:129:15: error: duplicate member 'page'
vim drivers/net/igbvf/igbvf.h
On line 129 change struct page *page to struct page *pagep and rebuild.

Documentation/video4linux/v4lgrab.c:34:28: fatal error: linux/videodev.h: No such file or directory
The libv4l-devel package is missing. Install it, then patch the kernel source:
yum install libv4l-devel
vim Documentation/video4linux/v4lgrab.c
Change #include <linux/videodev.h> to #include <libv4l1-videodev.h> and rebuild.

make modules_install
make install
List the GRUB menu entries:
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
0 : CentOS Linux (2.6.34.1) 7 (Core)
1 : CentOS Linux (3.10.0-693.21.1.el7.x86_64) 7 (Core)
2 : CentOS Linux (3.10.0-514.el7.x86_64) 7 (Core)
3 : CentOS Linux (0-rescue-6c250481a09c4f48a0b2432ad5b4c8b8) 7 (Core)
The entry CentOS Linux (2.6.34.1) 7 (Core) shows that the kernel was installed successfully. Reboot into this entry before testing the tunnel, so that the running kernel is the one configured above.
Download ipsec-tools-0.7.3.tar.gz and unpack it, then configure it against the new kernel's headers:
./configure --with-kernel-headers=/lib/modules/2.6.34.1/build/include/

configure: error: OpenSSL version must be 0.9.6 or higher. Aborting.
yum install openssl-devel

make
token.c:(.text+0xc6d): undefined reference to 'yywrap'
yum install flex flex-devel bison
then run configure and make again.

ipsec_doi.c:1321:24: error: argument to 'sizeof' in 'memset' call is the same expression as the destination
vim src/racoon/ipsec_doi.c
On line 1321, in memset(pair, 0, sizeof(pair));, change sizeof(pair) to sizeof(*pair) and run make again.

/usr/include/selinux/flask.h:5:2: error: #warning "Please remove any #include's of this header in your source code." [-Werror=cpp]
sed -i '5d' /usr/include/selinux/flask.h
This deletes only the #warning line from the system header; any later warnings promoted to errors are handled the same way.

make install
which setkey
/usr/local/sbin/setkey
which racoon
/usr/local/sbin/racoon
The output above shows that ipsec-tools was installed successfully.
1、psk.txt
The pre-shared key file referenced by path pre_shared_key in racoon.conf; each line is a peer identifier followed by its key, and the key for a given pair of peers must be the same on both hosts:
1.1.1.1 testkey
2.2.2.2 testkey
2、setkey.conf
Host A:
#!/usr/local/sbin/setkey -f
flush;
spdflush;
spdadd 1.1.1.1/32[any] 2.2.2.1/32[any] any -P out ipsec
    esp/tunnel/1.1.1.1-2.2.2.1/require;
spdadd 2.2.2.1/32[any] 1.1.1.1/32[any] any -P in ipsec
    esp/tunnel/2.2.2.1-1.1.1.1/require;

Host B:
#!/usr/local/sbin/setkey -f
flush;
spdflush;
spdadd 2.2.2.1/32[any] 1.1.1.1/32[any] any -P out ipsec
    esp/tunnel/2.2.2.1-1.1.1.1/require;
spdadd 1.1.1.1/32[any] 2.2.2.1/32[any] any -P in ipsec
    esp/tunnel/1.1.1.1-2.2.2.1/require;
3、racoon.conf
Host A:
#!/usr/local/sbin/racoon
path pre_shared_key "/root/psk.txt";

listen {
    isakmp 1.1.1.1 [500];
}

remote 2.2.2.1 {
    exchange_mode main, aggressive;
    my_identifier address 1.1.1.1;
    peers_identifier address 2.2.2.1;
    initial_contact on;
    proposal_check obey;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 1.1.1.1 any address 2.2.2.1 any {
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

sainfo address 2.2.2.1 any address 1.1.1.1 any {
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

Host B:
#!/usr/local/sbin/racoon
path pre_shared_key "/root/psk.txt";

listen {
    isakmp 2.2.2.1 [500];
}

remote 1.1.1.1 {
    exchange_mode main, aggressive;
    my_identifier address 2.2.2.1;
    peers_identifier address 1.1.1.1;
    initial_contact on;
    proposal_check obey;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 2.2.2.1 any address 1.1.1.1 any {
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

sainfo address 1.1.1.1 any address 2.2.2.1 any {
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

The phase 2 sainfo blocks use single DES with HMAC-MD5, and the remote block allows aggressive mode, which sends the pre-shared-key authentication hash in the clear; this is fine for a lab test of the tunnel, but outside a lab use main mode only and aes with hmac_sha1 (or hmac_sha256) in sainfo as well.
Starting IPsec:
1、Load the policies: setkey -f setkey.conf
   setkey -DP now shows the SPD entries.
2、/usr/local/sbin/racoon -f racoon.conf -ddddddd -l /tmp/ipsec-log.txt -v
   The log written to /tmp/ipsec-log.txt is convenient for debugging.

Test:
Ping host B from host A, and capture ESP packets on host B:
Host B: tcpdump -i eth0 -n src 1.1.1.1 and esp
If host A can ping host B and ESP packets from host A are captured on host B, the tunnel has been established successfully (once the exchange has completed, setkey -D shows the negotiated SAs).
Source: https://www.cnblogs.com/lolau/p/9026227.html