OpenBSD and NetScreen VPN

Technical | admin | 2280 views

Finally got it working today. I'll write the documentation later, haha…
OpenBSD 4.6 has been released, and I plan to use it with a NetScreen 25 to build a policy-based VPN.
1. Configure the NetScreen first
NetScreen 25: untrust IP 192.168.2.3/24, DMZ IP 172.16.31.2/24
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet2 ip 172.16.31.2/24
set interface ethernet2 nat
set interface ethernet3 ip 192.168.2.3/24
set interface ethernet3 route
set ike gateway "openbsd" address 192.168.2.95 Main outgoing-interface "ethernet3" preshare "JnQiywTGNRRsyjsNepC+xjw31VnlFxVwcOJNKuaizhP93Opy3Q0wtpE=" proposal "pre-g2-3des-sha"
set vpn "openbsd" gateway "openbsd" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "openbsd" monitor
set policy id 6 from "DMZ" to "Untrust" "172.16.31.0/24" "172.16.2.0/24" "ANY" tunnel vpn "openbsd" id 3 pair-policy 5 log
set policy id 6
exit
set policy id 5 from "Untrust" to "DMZ" "172.16.2.0/24" "172.16.31.0/24" "ANY" tunnel vpn "openbsd" id 3 pair-policy 6 log
set policy id 5
exit
2. Configure OpenBSD
Start the virtual machines and prepare the environment: OpenBSD external 192.168.2.95/24, internal 172.16.2.2/24; Windows 172.16.2.3/24 with gateway 172.16.2.2.
2.1 System configuration:

cat /etc/hostname.em0
inet 172.16.2.2 255.255.255.0

cat /etc/hostname.em1
inet 192.168.2.95 255.255.255.0

cat /etc/mygate
192.168.2.254

In /etc/sysctl.conf these should be enabled:
net.inet.esp.enable=1         # Enable the ESP IPsec protocol
net.inet.ah.enable=1          # Enable the AH IPsec protocol
net.inet.ip.forwarding=1      # Forward IPv4 packets between interfaces
net.inet6.ip6.forwarding=1    # Forward IPv6 packets between interfaces
2.2 Prepare the OpenBSD pf configuration:

ext_if="em1"
int_if="em0"
set skip on lo
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass out on $int_if proto tcp from 172.16.2.0/24 to any modulate state flags S/SA
pass out on $int_if proto { udp, icmp } from 172.16.2.0/24 to any keep state
# IKE (UDP 500, NAT-T on 4500) and ESP between the two gateways on the external interface
pass in  on $ext_if proto udp from 192.168.2.3 to 192.168.2.95 port {500, 4500}
pass out on $ext_if proto udp from 192.168.2.95 to 192.168.2.3 port {500, 4500}
pass in  on $ext_if proto esp from 192.168.2.3 to 192.168.2.95
pass out on $ext_if proto esp from 192.168.2.95 to 192.168.2.3
# Decapsulated IPsec traffic is presented to pf on enc0, not on the internal interface
pass in  on enc0 proto ipencap from 192.168.2.3 to 192.168.2.95 keep state (if-bound)
pass out on enc0 proto ipencap from 192.168.2.95 to 192.168.2.3 keep state (if-bound)
pass in  on enc0 from 172.16.31.0/24 to 172.16.2.0/24 keep state (if-bound)
pass out on enc0 from 172.16.2.0/24 to 172.16.31.0/24 keep state (if-bound)
3. Study ipsec.conf
http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
If you read the documentation carefully it is hard not to get it right. A few key points first:
3.1 isakmpd must be started
The keying daemon, isakmpd(8), can be enabled to run at boot time via the
isakmpd_flags variable in rc.conf.local(8).  Note that it will probably
need to be run with at least the -K option, to avoid keynote(4) policy
checking.
3.2 ipsec.conf configuration
cat /etc/ipsec.conf
ike active esp tunnel from 172.16.2.0/24 to 172.16.31.0/24 \
        peer 192.168.2.3 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk openbsdtonetscreen
3.3 Start the VPN on OpenBSD
isakmpd -Kd &               # -K: skip keynote policy checks, -d: stay in the foreground with debug output
ipsecctl -f /etc/ipsec.conf
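
A cross-check of the two ends' settings, added here as an example; it is not part of the original post and not code from OpenBSD or Juniper. It parses the NetScreen commands from section 1 and the ipsec.conf rule from section 3.2 (both reconstructed inline, with the preshare blob replaced by a placeholder), decodes the NetScreen proposal names using the standard IKE DH group numbering (group 1 = modp768, 2 = modp1024, 5 = modp1536, 14 = modp2048), and reports any mismatch in traffic selectors, gateway addresses, authentication method, cipher, hash or DH group for either phase, which is where a policy-based VPN between two vendors usually fails without a useful error. The function names, the token mappings and the OpenBSD external-address parameter are this example's own assumptions.

```python
"""Cross-check a NetScreen policy-based VPN against an OpenBSD ipsec.conf rule.

Added example: not part of the original post, nor code from OpenBSD or Juniper.
Configs are reconstructed from the post; proposal names are decoded with the
standard IKE DH group numbering (1 = modp768, 2 = modp1024, 5 = modp1536, 14 = modp2048).
"""
import shlex

# NetScreen proposal-name tokens -> ipsec.conf spellings (assumed mapping).
DH_GROUPS = {"g1": "modp768", "g2": "modp1024", "g5": "modp1536", "g14": "modp2048"}
CIPHERS = {"des": "des", "3des": "3des", "aes128": "aes-128", "aes192": "aes-192", "aes256": "aes-256"}
HASHES = {"md5": "hmac-md5", "sha": "hmac-sha1", "sha256": "hmac-sha256"}

# Constructed from section 1 of the post, one command per line (preshare blob replaced).
NETSCREEN_CONFIG = """
set interface ethernet2 ip 172.16.31.2/24
set interface ethernet3 ip 192.168.2.3/24
set ike gateway "openbsd" address 192.168.2.95 Main outgoing-interface "ethernet3" preshare "PRESHARE-PLACEHOLDER" proposal "pre-g2-3des-sha"
set vpn "openbsd" gateway "openbsd" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set policy id 6 from "DMZ" to "Untrust" "172.16.31.0/24" "172.16.2.0/24" "ANY" tunnel vpn "openbsd" id 3 pair-policy 5 log
set policy id 5 from "Untrust" to "DMZ" "172.16.2.0/24" "172.16.31.0/24" "ANY" tunnel vpn "openbsd" id 3 pair-policy 6 log
"""

# Constructed from section 3.2 of the post.
IPSEC_CONF = """
ike active esp tunnel from 172.16.2.0/24 to 172.16.31.0/24 \\
        peer 192.168.2.3 \\
        main auth hmac-sha1 enc 3des group modp1024 \\
        quick auth hmac-sha1 enc 3des group modp1024 \\
        psk openbsdtonetscreen
"""

def _after(toks, key):
    """Token following keyword `key`, or None if the keyword is absent."""
    return toks[toks.index(key) + 1] if key in toks else None

def decode_proposal(name):
    """'pre-g2-3des-sha' (phase 1) or 'g2-esp-3des-sha' / 'nopfs-esp-3des-sha' (phase 2)."""
    parts = name.split("-")
    out = {"auth_method": None, "group": None}
    if parts[0] in ("pre", "rsa"):                 # phase 1 authentication method
        out["auth_method"] = "psk" if parts[0] == "pre" else "rsa"
        parts = parts[1:]
    if parts[0] == "nopfs":                        # phase 2 proposal without PFS
        out["group"], parts = "none", parts[1:]
    elif parts[0] in DH_GROUPS:
        out["group"], parts = DH_GROUPS[parts[0]], parts[1:]
    if parts[0] == "esp":
        parts = parts[1:]
    out["enc"], out["auth"] = CIPHERS[parts[0]], HASHES[parts[1]]
    return out

def parse_netscreen(text):
    """Pick out interfaces, IKE gateways, VPNs and tunnel policies from 'set' commands."""
    cfg = {"interfaces": {}, "gateways": {}, "vpns": {}, "policies": []}
    for raw in text.splitlines():
        t = shlex.split(raw)                       # shlex strips the quotes around names
        if t[:2] == ["set", "interface"] and "ip" in t:
            cfg["interfaces"][t[2]] = _after(t, "ip").split("/")[0]
        elif t[:3] == ["set", "ike", "gateway"]:
            cfg["gateways"][t[3]] = {"address": _after(t, "address"), "proposal": _after(t, "proposal"),
                                    "iface": _after(t, "outgoing-interface")}
        elif t[:2] == ["set", "vpn"]:
            cfg["vpns"][t[2]] = {"gateway": _after(t, "gateway"), "proposal": _after(t, "proposal")}
        elif t[:3] == ["set", "policy", "id"] and "tunnel" in t:
            i = t.index("to")                      # ... to <zone> <src> <dst> <service> tunnel vpn <name>
            cfg["policies"].append({"src": t[i + 2], "dst": t[i + 3], "vpn": _after(t, "vpn")})
    return cfg

def parse_ipsec_conf(text):
    """Extract selectors, peer, auth method and main/quick parameters of each 'ike' rule."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():   # join backslash-continued lines
        t = line.split()
        if not t or t[0] != "ike":
            continue
        rule = {"from": _after(t, "from"), "to": _after(t, "to"), "peer": _after(t, "peer"),
                "auth_method": "psk" if "psk" in t else "rsa"}   # no psk keyword: RSA keys
        for phase in ("main", "quick"):
            seg = t[t.index(phase) + 1:] if phase in t else []
            for stop in ("main", "quick", "psk", "srcid", "dstid"):  # end of this phase's block
                if stop in seg:
                    seg = seg[:seg.index(stop)]
            rule[phase] = {k: _after(seg, k) for k in ("auth", "enc", "group")}
        rules.append(rule)
    return rules

def compare(netscreen_text, ipsec_text, openbsd_ext_ip):
    """Return human-readable mismatches; an empty list means both ends agree."""
    ns, problems = parse_netscreen(netscreen_text), []
    for rule in parse_ipsec_conf(ipsec_text):
        tag = f"{rule['from']}->{rule['to']}"
        # The NetScreen policy mirroring this rule has our 'to' network as its source.
        pol = next((p for p in ns["policies"] if (p["src"], p["dst"]) == (rule["to"], rule["from"])), None)
        if pol is None:
            problems.append(f"{tag}: no NetScreen tunnel policy with mirrored selectors")
            continue
        vpn = ns["vpns"][pol["vpn"]]
        gw = ns["gateways"][vpn["gateway"]]
        ns_ip = ns["interfaces"].get(gw["iface"])
        if gw["address"] != openbsd_ext_ip:
            problems.append(f"{tag}: NetScreen gateway address {gw['address']} != OpenBSD external IP {openbsd_ext_ip}")
        if rule["peer"] != ns_ip:
            problems.append(f"{tag}: ipsec.conf peer {rule['peer']} != NetScreen outgoing interface IP {ns_ip}")
        p1, p2 = decode_proposal(gw["proposal"]), decode_proposal(vpn["proposal"])
        if p1["auth_method"] != rule["auth_method"]:
            problems.append(f"{tag}: phase 1 authentication {rule['auth_method']} vs NetScreen {p1['auth_method']}")
        for phase, want in (("main", p1), ("quick", p2)):
            for key in ("enc", "auth", "group"):
                have = rule[phase][key] or "(default)"   # implicit defaults are flagged: state them
                if have != want[key]:
                    problems.append(f"{tag}: {phase} {key} is {have}, NetScreen proposal needs {want[key]}")
    return problems
```

Run `compare(NETSCREEN_CONFIG, IPSEC_CONF, "192.168.2.95")` and an empty list comes back for the post's settings; change the quick-mode group or the peer address on either side and the list names the exact phase and parameter that disagree. Unstated ipsec.conf parameters are reported as "(default)" on purpose: the OpenBSD default for a group or cipher can differ between releases, so a tunnel that depends on one is harder to audit.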

4. Testing
Pinging 172.16.31.2 from 172.16.2.3 works, and every service on the Windows machines in 172.16.31.0/24 is reachable normally.
Logs on the firewall:

2009-10-21 19:10:39
info
IKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Completed negotiations with SPI <0a388e6e>, tunnel ID <3>, and lifetime <1200> seconds/<0> KB.

2009-10-21 19:10:39
info
IKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Responded to the peer's first message.

2009-10-21 19:01:46
info
IKE<192.168.2.95> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.

2009-10-21 19:01:46
info
IKE<192.168.2.95> Phase 1: Responder starts MAIN mode negotiations.

2009-10-21 18:51:44
info
IKE<192.168.2.95> Phase 2 msg ID <5181666e>: Completed negotiations with SPI <0a388e6d>, tunnel ID <3>, and lifetime <1200> seconds/<0> KB.

2009-10-21 18:51:44
info
IKE<192.168.2.95> Phase 2 msg ID <5181666e>: Responded to the peer's first message.
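
The NetScreen IKE log entries above, parsed and audited; this is an added example and not part of the original post. It reads the three-line entries (timestamp, level, message; constructed inline from the six entries shown, newest first as the firewall exports them), groups completed Phase 1 and Phase 2 negotiations per peer, measures the interval between consecutive Phase 2 completions, and flags Phase 2 SAs whose lifetime is below a chosen minimum (3600 s here, matching the open issue in section 5). The regular expressions are written for the message format shown above only, and the function names are this example's own.

```python
"""Parse and audit NetScreen IKE event-log entries (added example, not from the post)."""
import re
from datetime import datetime

# Constructed from the six entries shown in the post (newest first, as exported).
LOG = """
2009-10-21 19:10:39
info
IKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Completed negotiations with SPI <0a388e6e>, tunnel ID <3>, and lifetime <1200> seconds/<0> KB.

2009-10-21 19:10:39
info
IKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Responded to the peer's first message.

2009-10-21 19:01:46
info
IKE<192.168.2.95> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.

2009-10-21 19:01:46
info
IKE<192.168.2.95> Phase 1: Responder starts MAIN mode negotiations.

2009-10-21 18:51:44
info
IKE<192.168.2.95> Phase 2 msg ID <5181666e>: Completed negotiations with SPI <0a388e6d>, tunnel ID <3>, and lifetime <1200> seconds/<0> KB.

2009-10-21 18:51:44
info
IKE<192.168.2.95> Phase 2 msg ID <5181666e>: Responded to the peer's first message.
"""

# Message formats as they appear in the entries above.
P1_DONE = re.compile(r"IKE<(?P<peer>[\d.]+)> Phase 1: Completed (?P<mode>\w+) mode negotiations "
                     r"with a <(?P<life>\d+)>-second lifetime")
P2_DONE = re.compile(r"IKE<(?P<peer>[\d.]+)> Phase 2 msg ID <(?P<msgid>[0-9a-f]+)>: Completed negotiations "
                     r"with SPI <(?P<spi>[0-9a-f]+)>, tunnel ID <(?P<tunnel>\d+)>, and lifetime <(?P<life>\d+)> seconds")


def parse_log(text):
    """Split the export into (timestamp, level, message) events, oldest first."""
    events = []
    for chunk in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in chunk.strip().splitlines()]
        if len(lines) != 3:
            continue                                   # skip anything that is not a 3-line entry
        events.append({"ts": datetime.strptime(lines[0], "%Y-%m-%d %H:%M:%S"),
                       "level": lines[1], "msg": lines[2]})
    events.sort(key=lambda e: e["ts"])                 # stable: same-second entries keep file order
    return events


def summarize(events):
    """Per peer: the last Phase 1 SA, every completed Phase 2 SA, and the rekey intervals."""
    peers = {}
    for e in events:
        m = P2_DONE.search(e["msg"])
        if m:
            p = peers.setdefault(m["peer"], {"phase1": None, "phase2": []})
            p["phase2"].append({"ts": e["ts"], "spi": m["spi"], "tunnel": int(m["tunnel"]),
                                "lifetime": int(m["life"])})
            continue
        m = P1_DONE.search(e["msg"])
        if m:
            p = peers.setdefault(m["peer"], {"phase1": None, "phase2": []})
            p["phase1"] = {"ts": e["ts"], "mode": m["mode"], "lifetime": int(m["life"])}
    for p in peers.values():
        times = [sa["ts"] for sa in p["phase2"]]
        # Seconds between consecutive Phase 2 completions: the observed rekey cadence.
        p["rekey_intervals"] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return peers


def audit(peers, min_p2_lifetime=3600):
    """Findings for Phase 2 SAs whose negotiated lifetime is below the wanted minimum."""
    findings = []
    for peer, p in peers.items():
        for sa in p["phase2"]:
            if sa["lifetime"] < min_p2_lifetime:
                findings.append(f"{peer} tunnel {sa['tunnel']} SPI {sa['spi']}: phase 2 lifetime "
                                f"{sa['lifetime']}s is below {min_p2_lifetime}s")
    return findings
```

On the entries above, `summarize(parse_log(LOG))` yields one Phase 1 SA with a 28800 s lifetime, two Phase 2 SAs (SPIs 0a388e6d and 0a388e6e) with 1200 s lifetimes, and a measured interval of 1135 s between them, i.e. the peers rekeyed just short of the 1200 s lifetime; `audit()` therefore reports both Phase 2 SAs until the lifetime is raised as section 5 intends.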

5. Open issues
The negotiated VPN lifetime is <1200>; the documentation says nothing about the negotiation lifetime. It needs to be changed to 3600 or 2880.
OpenBSD supports running the firewall as a redundant pair, and I also noticed that the documentation mentions:
-S      This option is used for setups using sasyncd(8) and carp(4) to
        provide redundancy.  isakmpd starts in passive mode and will not
        initiate any connections or process any incoming traffic until
        sasyncd has determined that the host is the carp master.  Additionally,
        isakmpd will not delete SAs on shutdown by sending delete messages
        to all peers.

Please credit when reposting: Kermit's website » OpenBSD and NetScreen VPN