Finally got it working today; I'll write the documentation up later, haha…
OpenBSD 4.6 has been released, so I'm going to use it with a NetScreen 25 to build a policy-based VPN.
1. Configure the NetScreen first
NetScreen 25: untrust interface IP 192.168.2.3/24, DMZ interface 172.16.31.2/24. The OpenBSD peer is 192.168.2.95, with 172.16.2.0/24 behind it.
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet2 ip 172.16.31.2/24
set interface ethernet2 nat
set interface ethernet3 ip 192.168.2.3/24
set interface ethernet3 route
set ike gateway "openbsd" address 192.168.2.95 Main outgoing-interface "ethernet3" preshare "JnQiywTGNRRsyjsNepC+xjw31VnlFxVwcOJNKuaizhP93Opy3Q0wtpE=" proposal "pre-g2-3des-sha"
set vpn "openbsd" gateway "openbsd" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "openbsd" monitor
set policy id 6 from "DMZ" to "Untrust" "172.16.31.0/24" "172.16.2.0/24" "ANY" tunnel vpn "openbsd" id 3 pair-policy 5 log
set policy id 6
exit
set policy id 5 from "Untrust" to "DMZ" "172.16.2.0/24" "172.16.31.0/24" "ANY" tunnel vpn "openbsd" id 3 pair-policy 6 log
set policy id 5
exit
Notes: "set ike gateway ..." is a single command; the preshare string is the obfuscated form ScreenOS prints in "get config", not the key you typed, and the OpenBSD side needs the plaintext key. "pre-g2-3des-sha" is phase 1 with pre-shared key, DH group 2, 3DES and SHA-1; "g2-esp-3des-sha" is phase 2 ESP with 3DES, SHA-1 and PFS group 2. The OpenBSD proposals have to match these exactly. Policies 5 and 6 are a pair (pair-policy), so both directions between 172.16.31.0/24 and 172.16.2.0/24 are bound to VPN "openbsd"; the "id 3" is the tunnel ID that shows up later in the IKE log.
2. Configure OpenBSD
Start the VM and prepare the environment: OpenBSD external (em1) 192.168.2.95/24, internal (em0) 172.16.2.2/24; a Windows test host at 172.16.2.3/24 with gateway 172.16.2.2.
2.1 System configuration:
cat /etc/hostname.em0
inet 172.16.2.2 255.255.255.0
cat /etc/hostname.em1
inet 192.168.2.95 255.255.255.0
cat /etc/mygate
192.168.2.254
In /etc/sysctl.conf these must be enabled; the box has to forward packets for the Windows host and the kernel has to accept the IPsec protocols:
net.inet.esp.enable=1        # Enable the ESP IPsec protocol
net.inet.ah.enable=1         # Enable the AH IPsec protocol (not used by this tunnel, which is ESP only)
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1   # only needed if you also route IPv6
2.2 Prepare the OpenBSD pf configuration. Two things were wrong in my first draft and are fixed here: the IKE/ESP rules referred to ext_if without the "$", which pf reads as a literal interface name rather than the macro, and the ipencap rules were on the internal interface, whereas decapsulated tunnel traffic is seen by pf on enc0 (see vpn(8)). Note also that this ruleset has no block rule, so pf's default pass policy still lets everything else through; add a block rule at the top once the tunnel works.
ext_if="em1"
int_if="em0"
set skip on lo0
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass out on $int_if proto tcp from 172.16.2.0/24 to any modulate state flags S/SA
pass out on $int_if proto { udp, icmp } from 172.16.2.0/24 to any keep state
# IKE (UDP 500, NAT-T on UDP 4500) and ESP between the two gateways
pass in on $ext_if proto udp from 192.168.2.3 to 192.168.2.95 port { 500, 4500 }
pass out on $ext_if proto udp from 192.168.2.95 to 192.168.2.3 port { 500, 4500 }
pass in on $ext_if proto esp from 192.168.2.3 to 192.168.2.95
pass out on $ext_if proto esp from 192.168.2.95 to 192.168.2.3
# Tunnel traffic on enc0: first the outer IP-in-IP header, then the inner packets
pass in on enc0 proto ipencap from 192.168.2.3 to 192.168.2.95 keep state (if-bound)
pass out on enc0 proto ipencap from 192.168.2.95 to 192.168.2.3 keep state (if-bound)
pass in on enc0 from 172.16.31.0/24 to 172.16.2.0/24 keep state (if-bound)
pass out on enc0 from 172.16.2.0/24 to 172.16.31.0/24 keep state (if-bound)
3. Study ipsec.conf
http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
If you read the man page carefully it is hard not to get this right. A few key points first:
3.1 isakmpd must be running
The keying daemon, isakmpd(8), can be enabled to run at boot time via the isakmpd_flags variable in rc.conf.local(8). Note that it will probably need to be run with at least the -K option, to avoid keynote(4) policy checking.
In practice that means isakmpd_flags="-K" in rc.conf.local, together with ipsec=YES so that rc loads /etc/ipsec.conf through ipsecctl at boot.
3.2 The ipsec.conf configuration
cat /etc/ipsec.conf
ike active esp tunnel from 172.16.2.0/24 to 172.16.31.0/24 \
        peer 192.168.2.3 main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 psk openbsdtonetscreen
This is one rule; the backslashes are ipsec.conf(5) line continuation, and without them the second and third lines would be parsed as separate, invalid rules. "active" makes OpenBSD the initiator (the NetScreen logs below show it acting as responder). The main (phase 1) and quick (phase 2) transforms mirror the NetScreen proposals pre-g2-3des-sha and g2-esp-3des-sha: SHA-1, 3DES and DH group 2 (modp1024), with "group modp1024" in the quick line giving PFS group 2. The psk must be the identical plaintext string on both ends; ScreenOS only shows it obfuscated in "get config", so use the key you actually typed there. 3DES, SHA-1 and modp1024 are the weakest options accepted here and are used only because the NetScreen proposals require them.
3.3 Start the VPN on OpenBSD
isakmpd -Kd &
ipsecctl -f /etc/ipsec.conf
-K skips keynote(4) policy checking and -d keeps isakmpd in the foreground (hence the trailing &), which is convenient while testing; for boot time use the rc.conf.local variables from 3.1. After loading the rules, "ipsecctl -sa" shows the installed flows and, once phase 2 has completed, one ESP SA per direction.
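The check I run after those two commands, as an added example that is not part of the original post: it inspects "ipsecctl -sa" output for the two flows and the two ESP SAs of this tunnel, and also insists that the outbound flow is "type require", since a "use" flow would let 172.16.2.0/24 traffic leave in the clear over the default route whenever the SA is missing. The addresses are the ones on this page; the SAMPLE_* strings are constructed to mimic OpenBSD 4.6 "ipsecctl -sa" output so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: verify on the OpenBSD gateway
# that the policy-based tunnel from this page is fully established, by
# inspecting `ipsecctl -sa` output. Addresses are the page's. The SAMPLE_*
# strings are constructed to mimic OpenBSD 4.6 `ipsecctl -sa` output so the
# script runs offline; on the gateway itself use:  check_tunnel "$(ipsecctl -sa)"

LOCAL_NET=172.16.2.0/24
REMOTE_NET=172.16.31.0/24
LOCAL_GW=192.168.2.95
PEER=192.168.2.3

# Constructed sample: flows loaded and an ESP SA in each direction (tunnel up).
SAMPLE_UP='FLOWS:
flow esp in from 172.16.31.0/24 to 172.16.2.0/24 peer 192.168.2.3 srcid 192.168.2.95/32 dstid 192.168.2.3/32 type use
flow esp out from 172.16.2.0/24 to 172.16.31.0/24 peer 192.168.2.3 srcid 192.168.2.95/32 dstid 192.168.2.3/32 type require

SAD:
esp tunnel from 192.168.2.3 to 192.168.2.95 spi 0x0a388e6e auth hmac-sha1 enc 3des-cbc
esp tunnel from 192.168.2.95 to 192.168.2.3 spi 0x4c21d9f0 auth hmac-sha1 enc 3des-cbc'

# Constructed sample: `ipsecctl -f /etc/ipsec.conf` installed the flows, but
# isakmpd never completed phase 2 (not running, wrong PSK, proposal mismatch),
# so the SAD is empty.
SAMPLE_NO_SA='FLOWS:
flow esp in from 172.16.31.0/24 to 172.16.2.0/24 peer 192.168.2.3 srcid 192.168.2.95/32 dstid 192.168.2.3/32 type use
flow esp out from 172.16.2.0/24 to 172.16.31.0/24 peer 192.168.2.3 srcid 192.168.2.95/32 dstid 192.168.2.3/32 type require

SAD:'

# has TEXT STRING: true if some line of TEXT contains STRING (fixed string, not a regex).
has() { printf '%s\n' "$1" | grep -q -F -- "$2"; }

# out_flow_type TEXT: print the "type" of this tunnel's outbound flow ("" if absent).
out_flow_type() {
    printf '%s\n' "$1" |
      grep -F -- "flow esp out from $LOCAL_NET to $REMOTE_NET peer $PEER " |
      sed -n 's/.* type \([a-z]*\).*/\1/p' | head -n 1
}

# check_tunnel IPSECCTL_OUTPUT: return 0 only when the inbound flow, an outbound
# flow of type "require", and an ESP SA in each direction are all present.
# Everything that is missing is reported on stdout.
check_tunnel() {
    sa_out=$1
    rc=0
    t=$(out_flow_type "$sa_out")
    case "$t" in
        require) ;;
        "")  echo "missing outbound flow $LOCAL_NET -> $REMOTE_NET"; rc=1 ;;
        *)   # "use" would let matching packets leave in the clear over the default
             # route whenever no SA exists; "require" drops them instead.
             echo "outbound flow is type $t, not require: traffic could leave unencrypted"; rc=1 ;;
    esac
    if ! has "$sa_out" "flow esp in from $REMOTE_NET to $LOCAL_NET peer $PEER "; then
        echo "missing inbound flow $REMOTE_NET -> $LOCAL_NET"; rc=1
    fi
    # One SA per direction: peer -> us and us -> peer.
    if ! has "$sa_out" "esp tunnel from $PEER to $LOCAL_GW spi "; then
        echo "no inbound ESP SA from $PEER: phase 2 has not completed"; rc=1
    fi
    if ! has "$sa_out" "esp tunnel from $LOCAL_GW to $PEER spi "; then
        echo "no outbound ESP SA to $PEER: phase 2 has not completed"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "tunnel $LOCAL_NET <-> $REMOTE_NET via $PEER is up"
    return "$rc"
}

# Offline demonstration on the constructed samples.
check_tunnel "$SAMPLE_UP"
check_tunnel "$SAMPLE_NO_SA" || echo "(expected: SAD empty, tunnel not up)"
```

Flows come from "ipsecctl -f" and exist even when isakmpd is dead or the PSK is wrong, so the SAD lines are the part that proves the negotiation succeeded; the flow type check is there because the flows are also what decides whether private traffic is dropped or sent unprotected while no SA exists.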
4. Test
Pinging 172.16.31.2 from 172.16.2.3 works… and every service on the Windows machines inside 172.16.31.0/24 is reachable normally.
Logs on the NetScreen (newest first):
2009-10-21 19:10:39 info IKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Completed negotiations with SPI <0a388e6e>, tunnel ID <3>, and lifetime <1200> seconds/<0> KB.
2009-10-21 19:10:39 info IKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Responded to the peer's first message.
2009-10-21 19:01:46 info IKE<192.168.2.95> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2009-10-21 19:01:46 info IKE<192.168.2.95> Phase 1: Responder starts MAIN mode negotiations.
2009-10-21 18:51:44 info IKE<192.168.2.95> Phase 2 msg ID <5181666e>: Completed negotiations with SPI <0a388e6d>, tunnel ID <3>, and lifetime <1200> seconds/<0> KB.
2009-10-21 18:51:44 info IKE<192.168.2.95> Phase 2 msg ID <5181666e>: Responded to the peer's first message.
Read bottom-up: a phase 2 SA for tunnel ID 3 at 18:51:44, a main mode exchange with the NetScreen as responder (OpenBSD initiates, because of "ike active") at 19:01:46, and a new phase 2 SA at 19:10:39, about 19 minutes after the previous one, which fits a 1200-second phase 2 lifetime with rekeying shortly before expiry.
5. Open issues
The negotiated VPN lifetime is <1200> seconds; the ipsec.conf documentation says nothing about lifetimes, and it needs to be changed to 3600 or 2880. (ipsec.conf(5) has no lifetime keyword. The 1200 seconds is isakmpd's default phase 2 lifetime; the values it proposes are set in isakmpd.conf(5) under [General] as Default-phase-1-lifetime and Default-phase-2-lifetime.)
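To keep an eye on this from the firewall side, here is an added example (not from the original post) that pulls the phase 1 and phase 2 lifetimes out of NetScreen IKE log lines, flags phase 2 SAs negotiated with a lifetime below a threshold, and measures the actual interval between phase 2 completions. LOG is a constructed sample assembled from the entries quoted above, one entry per line; on a real NetScreen you would feed it the IKE lines from the event log or your syslog archive instead.

```shell
#!/bin/sh
# Added example, not part of the original post: extract the negotiated phase 1
# and phase 2 lifetimes from NetScreen IKE event-log lines, flag phase 2 SAs
# whose lifetime is below what you expect, and measure the real rekey interval
# between consecutive phase 2 completions. LOG is a constructed sample built
# from the entries quoted on this page (one entry per line, newest first, as
# the firewall lists them). On a real NetScreen feed it the IKE lines from the
# event log or your syslog archive instead.

LOG=$(cat <<'EOF'
2009-10-21 19:10:39 info IKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Completed negotiations with SPI <0a388e6e>, tunnel ID <3>, and lifetime <1200> seconds/<0> KB.
2009-10-21 19:10:39 info IKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Responded to the peer's first message.
2009-10-21 19:01:46 info IKE<192.168.2.95> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2009-10-21 19:01:46 info IKE<192.168.2.95> Phase 1: Responder starts MAIN mode negotiations.
2009-10-21 18:51:44 info IKE<192.168.2.95> Phase 2 msg ID <5181666e>: Completed negotiations with SPI <0a388e6d>, tunnel ID <3>, and lifetime <1200> seconds/<0> KB.
2009-10-21 18:51:44 info IKE<192.168.2.95> Phase 2 msg ID <5181666e>: Responded to the peer's first message.
EOF
)

# p1_lifetime LOG: print the phase 1 lifetime in seconds of the newest completed main mode.
p1_lifetime() {
    printf '%s\n' "$1" |
      sed -n 's/.*Phase 1: Completed Main mode negotiations with a <\([0-9]*\)>-second lifetime.*/\1/p' |
      head -n 1
}

# p2_completions LOG: one line per completed phase 2, oldest first:
#   "<date> <time> <tunnel-id> <spi> <lifetime-seconds>"
p2_completions() {
    printf '%s\n' "$1" |
      sed -n 's/^\([0-9-]* [0-9:]*\) .*Phase 2 .*Completed negotiations with SPI <\([0-9a-f]*\)>, tunnel ID <\([0-9]*\)>, and lifetime <\([0-9]*\)> seconds.*/\1 \3 \2 \4/p' |
      sort
}

# short_p2 LOG MIN_SECONDS: print the SPI of every phase 2 SA negotiated with a
# lifetime below MIN_SECONDS; return 1 if there is at least one, 0 otherwise.
short_p2() {
    found=$(p2_completions "$1" | awk -v min="$2" '$5 < min { print $4 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# p2_intervals LOG: seconds between consecutive phase 2 completions, i.e. the
# observed rekey interval (assumes all entries fall on the same day).
p2_intervals() {
    p2_completions "$1" | awk '{
        split($2, t, ":"); s = t[1] * 3600 + t[2] * 60 + t[3]
        if (NR > 1) print s - prev
        prev = s
    }'
}

echo "phase 1 lifetime: $(p1_lifetime "$LOG") s"
echo "phase 2 completions (date time tunnel spi lifetime):"
p2_completions "$LOG"
echo "seconds between phase 2 completions: $(p2_intervals "$LOG" | tr '\n' ' ')"
short_p2 "$LOG" 3600 || echo "the SPIs above were negotiated with a phase 2 lifetime below 3600 s"
```

Run against the page's entries it reports a 28800-second phase 1 lifetime, two phase 2 SAs (0a388e6d then 0a388e6e) at 1200 seconds each, and 1135 seconds between them; with a 3600-second threshold both SPIs are flagged, which is the open issue above, and with 1200 nothing is.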
OpenBSD also supports running the firewall as a redundant pair (carp(4) for failover, sasyncd(8) to synchronise the IPsec SAs), and the man page notes:
-S This option is used for setups using sasyncd(8) and carp(4) to provide redundancy. isakmpd starts in passive mode and will not initiate any connections or process any incoming traffic until sasyncd has determined that the host is the carp master. Additionally, isakmpd will not delete SAs on shutdown by sending delete messages to all peers.
Please credit when reposting: Kermit's site » VPN between openbsd and netscreen