\u4eca\u5929\u7ec8\u4e8e\u641e\u5b9a.\u56de\u5934\u5199\u6587\u6863 \u54c8\u54c8…
\n\u00a0openbsd4.6\u53d1\u5e03\u4e86,\u51c6\u5907\u7528\u8fd9\u4e2a\u548cnetscreen 25\u505a\u57fa\u4e8e\u7b56\u7565\u7684VPN
\n1.\u5148\u914d\u7f6enetscreen
\nnetscreen25\u7684untrust ip 192.168.2.3\/24 \u00a0dmz 172.16.31.2\/24
\nset interface “ethernet1” zone “Trust”
\nset interface “ethernet2” zone “DMZ”
\nset interface “ethernet3” zone “Untrust”
\nunset interface vlan1 ip
\nset interface ethernet2 ip 172.16.31.2\/24
\nset interface ethernet2 nat
\nset interface ethernet3 ip 192.168.2.3\/24
\nset interface ethernet3 route
\nset ike gateway “openbsd” address 192.168.2.95 Main outgoing-interface “ethernet3”
\npreshare “JnQiywTGNRRsyjsNepC+xjw31VnlFxVwcOJNKuaizhP93Opy3Q0wtpE=” proposal “pre-g2-3des-sha”
\nset vpn “openbsd” gateway “openbsd” replay tunnel idletime 0 proposal “g2-esp-3des-sha”
\nset vpn “openbsd” monitor
\nset policy id 6 from “DMZ” to “Untrust”\u00a0 “172.16.31.0\/24” “172.16.2.0\/24” “ANY” tunnel vpn “openbsd” id 3 pair-policy 5 log
\nset policy id 6
\nexit
\nset policy id 5 from “Untrust” to “DMZ”\u00a0 “172.16.2.0\/24” “172.16.31.0\/24” “ANY” tunnel vpn “openbsd” id 3 pair-policy 6 log
\nset policy id 5
\nexit
\n2.\u914d\u7f6eopenbsd
\n\u5f00\u542f\u865a\u62df\u673a\u51c6\u5907\u73af\u5883\u00a0\u00a0 openbsd \u5916\u7f51\u00a0 192.168.2.3\/24\u00a0 \u5185\u7f51\u00a0172.16.2.2\/24 ,windows 172.16.16.2.3\/24\u00a0 \u7f51\u5173172.16.2.2
\n2.1\u7cfb\u7edf\u914d\u7f6e:<\/p>\n
inet 172.16.2.2 255.255.255.0<\/p>\n
inet 192.168.2.95 255.255.255.0<\/p>\n
192.168.2.254 2009-10-21 19:10:39 2009-10-21 19:10:39 2009-10-21 19:01:46 2009-10-21 19:01:46 2009-10-21 18:51:44 2009-10-21 18:51:44 5.\u9057\u7559\u95ee\u9898 \u8f6c\u8f7d\u8bf7\u6ce8\u660e\uff1aKermit\u7684\u7f51\u7ad9<\/a> » openbsd\u548cnetscreen\u505aVPN<\/a><\/p>","protected":false},"excerpt":{"rendered":" \u4eca\u5929\u7ec8\u4e8e\u641e\u5b9a.\u56de\u5934\u5199\u6587\u6863 \u54c8\u54c8… \u00a0openbsd4.6\u53d1\u5e03\u4e86,\u51c6\u5907\u7528\u8fd9\u4e2a\u548cnetscreen 25\u505a\u57fa\u4e8e\u7b56\u7565\u7684VPN 1.\u5148\u914d\u7f6enetscreen netscreen25\u7684untrust ip 192.168.2.3\/24 \u00a0dmz 1 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-141","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/posts\/141"}],"collection":[{"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/comments?post=141"}],"version-history":[{"count":0,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/posts\/141\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/media?parent=141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/categories?post=141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.houquner.com\/index.php\/wp-json\/wp\/v2\/tags?post=141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nin \/etc\/sysctl.conf.\u00a0 these should be enabled:
\nnet.inet.esp.enable\u00a0\u00a0\u00a0 Enable the ESP IPsec protoc ol
\nnet.inet.ah.enable\u00a0\u00a0\u00a0\u00a0 Enable the AH IPsec protocol
\nnet.inet.ip.forwarding
\nnet.inet6.ip6.forwarding
\n2.2\u51c6\u5907\u597dopenbsd\u7684pf\u914d\u7f6e\uff1a
\nset skip on lo
\next_if=”em1″
\nint_if=”em0″
\nset skip on lo0
\nnat on $ext_if from $int_if:network to any -> ($ext_if)
\npass out on $int_if proto tcp from 172.16.2.0\/24 to any\u00a0\u00a0 modulate state flags S\/SA
\npass out on $int_if proto { udp, icmp } from 172.16.2.0\/24 to any\u00a0\u00a0 keep state
\npass\u00a0 in on ext_if proto udp from 192.168.2.3 to 192.168.2.95\u00a0 port {500, 4500}
\npass out on ext_if proto udp from 192.168.2.95 to 192.168.2.3\u00a0 port {500, 4500}
\npass\u00a0 in on ext_if proto esp from 192.168.2.3 to 192.168.2.95
\npass out on ext_if proto esp from 192.168.2.95 to 192.168.2.3
\npass\u00a0 in on int_if proto ipencap from 192.168.2.3 to 192.168.2.95 keep state (if-bound)
\npass out on int_if proto ipencap from 192.168.2.95 to 192.168.2.3 keep state (if-bound)
\npass\u00a0 in on int_if from 172.16.31.0\/24 to 172.16.2.0\/24 keep state (if-bound)
\npass out on int_if from 172.16.2.0\/24 to 172.16.31.0\/24 keep state (if-bound)
\n3.\u5b66\u4e60ipsec.conf
\nhttp:\/\/www.openbsd.org\/cgi-bin\/man.cgi?query=ipsec.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html<\/a>
\n\u53ea\u8981\u4ed4\u7ec6\u770b\u4e86\u6587\u6863 \u60f3\u4e0d\u4f1a\u90fd\u56f0\u96be\u3002\u5148\u8bf4\u51e0\u4e2a\u5173\u952e\u70b9\uff1a
\n3.1\u9700\u8981\u542f\u52a8isakmpd
\nThe keying daemon, isakmpd(8), can be enabled to run at boot time via the
\n\u00a0\u00a0\u00a0\u00a0 isakmpd_flags variable in rc.conf.local(8).\u00a0 Note that it will probably
\n\u00a0\u00a0\u00a0\u00a0 need to be run with at least the -K option, to avoid keynote(4) policy
\n\u00a0\u00a0\u00a0\u00a0 checking.
\n3.2 ipsec.conf\u7684\u914d\u7f6e
\ncat \/etc\/ipsec.conf
\nike active esp tunnel from 172.16.2.0\/24 to 172.16.31.0\/24
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 peer 192.168.2.3\u00a0 main auth\u00a0 hmac-sha1 enc 3des group\u00a0 modp1024
\n\u00a0\u00a0\u00a0\u00a0 quick auth hmac-sha1 enc 3des\u00a0 group\u00a0 modp1024\u00a0\u00a0 psk openbsdtonetscreen
\n3.3 \u542f\u52a8openbsd\u7684VPN
\nisakmpd -Kd &
\nipsecctl -f \/etc\/ipsec.conf<\/p>\n\n
\n\u4ece172.16.2.3 ping 172.16.31.2 \u901a… \u8bbf\u95ee 172.16.31.0\/24\u5185\u7684windows\u673a\u5668\u5404\u9879\u670d\u52a1\u5747\u6b63\u5e38\u3002
\n\u9632\u706b\u5899\u4e0a\u7684\u65e5\u5fd7<\/li>\n<\/ol>\n
\ninfo
\nIKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Completed negotiations with SPI <0a388e6e>, tunnel ID <3>, and lifetime <1200> seconds\/<0> KB.<\/p>\n
\ninfo
\nIKE<192.168.2.95> Phase 2 msg ID <a7b0b0e3>: Responded to the peer’s first message.<\/p>\n
\ninfo
\nIKE<192.168.2.95> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.<\/p>\n
\ninfo
\nIKE<192.168.2.95> Phase 1: Responder starts MAIN mode negotiations.<\/p>\n
\ninfo
\nIKE<192.168.2.95> Phase 2 msg ID <5181666e>: Completed negotiations with SPI <0a388e6d>, tunnel ID <3>, and lifetime <1200> seconds\/<0> KB.<\/p>\n
\ninfo
\nIKE<192.168.2.95> Phase 2 msg ID <5181666e>: Responded to the peer’s first message.<\/p>\n
\nvpn\u534f\u5546\u65f6\u95f4\u662f lifetime <1200> \u6587\u6863\u4e0a\u6ca1\u6709\u63d0\u5230\u534f\u5546\u65f6\u95f4\u7684\u95ee\u9898 \u9700\u8981\u4fee\u6539\u4e3a3600 \u6216\u8005 2880
\nopenbsd\u652f\u6301\u9632\u706b\u5899\u53cc\u673a\u6a21\u5f0f,\u540c\u65f6\u6ce8\u610f\u5230\u6587\u6863\u4e2d\u63d0\u5230:
\n-S\u00a0\u00a0\u00a0\u00a0\u00a0 This option is used for setups using sasyncd(8) and carp(4) to
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 provide redundancy.\u00a0 isakmpd starts in passive mode and will not
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 initiate any connections or process any incoming traffic until
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sasyncd has determined that the host is the carp master.\u00a0 Addi-
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tionally, isakmpd will not delete SAs on shutdown by sending
\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 delete messages to all peers.<\/p>\n