Sender: weekend (笨刚)
Compiled by: zhcharles (2002-01-30 15:59:42), site mail
Configuring a VPN with vtund on FreeBSD (repost)
No time to translate it; make do with it as is.
From [email protected] Fri Dec 15 11:43:20 2000
Date: Mon, 4 Dec 2000 13:08:20 -0800 (PST)
From: Philip Hallstrom
To: Per Tore Larsen
Cc: "'[email protected]'"
Subject: Re: Vtund documentation
Network layout:
         _____                                       _____
        |     |                                     |     |
10.0.0.1- gw1 -111.111.111.111 <---> 222.222.222.222- gw2 -10.1.0.1
 (LAN)  |     | (Internet)               (Internet) |     | (LAN)
        |_____|                                     |_____|
           |                                           |
        10.2.0.1 <------------ encrypted -------------> 10.2.0.2
        (tunnel)                                        (tunnel)
On gw1, vtund.conf looks something like the following; start it with "vtund -s":
-----------------------------------------------------------------------------
options {
    port 5555;
    persist yes;
    timeout 60;
    ppp /usr/sbin/pppd;
    ifconfig /sbin/ifconfig;
    route /sbin/route;
    firewall /sbin/ipfw;
}
gw2 {
    passwd somesecretpassphrase;
    type tun;
    device tun0;
    proto udp;
    compress no;
    speed 0;
    encrypt yes;
    keep-alive yes;
    up {
        ifconfig "%% 10.2.0.1 10.2.0.2 netmask 255.255.255.0";
        route "add -net 10.1.0.0 -netmask 255.255.255.0 10.2.0.2";
    };
    down {
        route "delete -net 10.1.0.0";
        ifconfig "%% down";
    };
}
-----------------------------------------------------------------------------
On gw2, vtund.conf looks like the following; start it with "vtund gw2 111.111.111.111":
-----------------------------------------------------------------------------
options {
    port 5555;
    persist yes;
    timeout 60;
    ppp /usr/sbin/pppd;
    ifconfig /sbin/ifconfig;
    route /sbin/route;
    firewall /sbin/ipfw;
}
gw2 {
    passwd somesecretpassphrase;
    type tun;
    device tun0;
    proto udp;
    compress no;
    speed 0;
    encrypt yes;
    keep-alive yes;
    up {
        ifconfig "%% 10.2.0.2 10.2.0.1 netmask 255.255.255.0";
        route "add -net 10.0.0.0 -netmask 255.255.255.0 10.2.0.1";
    };
    down {
        route "delete -net 10.0.0.0";
        ifconfig "%% down";
    };
}
-----------------------------------------------------------------------------
If there is a firewall, add the corresponding rules to let the VPN packets through. With IPFW, for example, something like this:
add 4000 pass tcp from any to 111.111.111.111 5555 #gw1 only
add 4000 pass udp from any to 111.111.111.111 5555 #gw1 only
add 4000 pass ip from any to any via tun0
That should do it.
-philip
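The two vtund.conf files above must agree on the session name, port and passwd, and the ifconfig and route lines in their up blocks must mirror each other (gw1's remote tunnel address is gw2's local one, and each route points at the peer's tunnel address); that is easy to get wrong when the second file is copied from the first. The script below is an added example, not part of Philip's message or of vtund: it embeds constructed excerpts of the two configs and checks those invariants with awk, naming the first mismatch and returning non-zero.

```shell
#!/bin/sh
# Constructed excerpts of the gw1 and gw2 vtund.conf from the post (only the lines the check reads).
GW1_CONF='options {
  port 5555;
}
gw2 {
  passwd somesecretpassphrase;
  up {
    ifconfig "%% 10.2.0.1 10.2.0.2 netmask 255.255.255.0";
    route "add -net 10.1.0.0 -netmask 255.255.255.0 10.2.0.2";
  };
}'
GW2_CONF='options {
  port 5555;
}
gw2 {
  passwd somesecretpassphrase;
  up {
    ifconfig "%% 10.2.0.2 10.2.0.1 netmask 255.255.255.0";
    route "add -net 10.0.0.0 -netmask 255.255.255.0 10.2.0.1";
  };
}'

# Pull one value out of a config: port, passwd, session name, tunnel local/remote address, route gateway.
vt_field() {  # $1 = config text, $2 = field name
    printf '%s\n' "$1" | awk -v w="$2" '
        w == "port"    && $1 == "port"   { sub(/;/, "", $2); print $2 }
        w == "passwd"  && $1 == "passwd" { sub(/;/, "", $2); print $2 }
        w == "session" && $2 == "{" && $1 !~ /^(options|up|down)$/ { print $1 }
        w == "local"   && $1 == "ifconfig" && NF >= 5 { print $3 }
        w == "remote"  && $1 == "ifconfig" && NF >= 5 { print $4 }
        w == "routegw" && $1 == "route" && $2 ~ /^"add/ { gsub(/[";]/, "", $NF); print $NF }'
}

# Return 0 when session name, port and passwd agree and the tunnel addresses are mirrored.
check_vtund_pair() {  # $1 = gw1 config text, $2 = gw2 config text
    for f in session port passwd; do
        [ "$(vt_field "$1" $f)" = "$(vt_field "$2" $f)" ] || { echo "$f differs"; return 1; }
    done
    l1=$(vt_field "$1" local); r1=$(vt_field "$1" remote); g1=$(vt_field "$1" routegw)
    l2=$(vt_field "$2" local); r2=$(vt_field "$2" remote); g2=$(vt_field "$2" routegw)
    [ "$l1" = "$r2" ] && [ "$r1" = "$l2" ] || { echo "tunnel endpoints not mirrored"; return 1; }
    [ "$g1" = "$r1" ] && [ "$g2" = "$r2" ] || { echo "route gateway must be the peer's tunnel address"; return 1; }
    echo "ok: tunnel $l1 <-> $l2"
}

check_vtund_pair "$GW1_CONF" "$GW2_CONF"
```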
Configuring a VPN on FreeBSD using pipsecd
I've had to set up two secure VPNs between FreeBSD boxes now. The first time I didn't document my steps -- figuring I'd remember :) -- which I didn't. I just finished setting up the second one and as it happened I also noticed several posts to c.u.b.f.m asking about setting up secure VPNs using FreeBSD so I thought I'd write up what I did. So, here it is:
A VPN (virtual private network) allows you to treat two physically separate networks as though they were on the same network. At least that's how I understand it. What's cool about this is that it allows my home network and my office network to appear to be one contiguous network allowing me to work from one or the other without a lot of differences.
I'm going to use the following fictitious networks to illustrate my steps. Below we have two separate networks whose gateways (or routers, or firewall/natd boxes, etc.) are gw1 and gw2. Our goal is to make it appear to the machines on either LAN that it is one seamless network. Additionally we want any data that is transferred between the two networks to be secure (encrypted). We do that by setting up a secure tunnel.
(Note: In my case, gw1 is 3.4 and gw2 is 4.0. I believe there are other ways to do this using an all 4.0 solution, but that doesn't work for me.)
         _____                                       _____
        |     |                                     |     |
10.0.0.1- gw1 -111.111.111.111 <---> 222.222.222.222- gw2 -10.1.0.1
 (LAN)  |     | (Internet)               (Internet) |     | (LAN)
        |_____|                                     |_____|
           |                                           |
        10.2.0.1 <------------ encrypted -------------> 10.2.0.2
        (tunnel)                                        (tunnel)
Steps:
Make sure that you have at least one tunnel device compiled into the kernel on both gw1 and gw2. In particular you want to make sure your kernel config has the following:
pseudo-device tun 1
If you're going to have multiple vlans (perhaps the office server will provide vlans for multiple employees' home networks) then you should increase 1 to something larger. Build the new kernel, install it, and make the devices.
Install the pipsecd port on both machines. FreeBSD-3.4 will also install OpenSSL, 4.0 won't since it's already there. Nothing special needs to be done besides a "make install".
On gw1 create /usr/local/etc/rc.d/pipsecd.sh with the following:
#!/bin/sh
/usr/local/sbin/pipsecd &
#
# For some reason 4.0 complains if we access the tun device
# too soon after calling pipsecd. Sleeping for a bit fixes that.
#
sleep 3
# Local and remote tunnel endpoints for gw1, then send the gw2 LAN through the tunnel.
/sbin/ifconfig tun0 10.2.0.1 10.2.0.2 netmask 255.255.255.0
/sbin/route add -net 10.1.0.0 -netmask 255.255.255.0 10.2.0.2
On gw2 create /usr/local/etc/rc.d/pipsecd.sh with the following:
#!/bin/sh
/usr/local/sbin/pipsecd &
#
# For some reason 4.0 complains if we access the tun device
# too soon after calling pipsecd. Sleeping for a bit fixes that.
#
sleep 3
# Local and remote tunnel endpoints for gw2, then send the gw1 LAN through the tunnel.
/sbin/ifconfig tun0 10.2.0.2 10.2.0.1 netmask 255.255.255.0
/sbin/route add -net 10.0.0.0 -netmask 255.255.255.0 10.2.0.1
On gw1 create /usr/local/etc/ipsec/pipsecd.conf with the following. 'CCCCC', 'DDDDD', 'AAAAA', 'BBBBB' can be changed to any string of characters consisting of valid hex (i.e. 0123456789ABCDEF) as long as you change them in both files.
sa ipesp spi=1000 auth=hmac-md5-96 akey=CCCCC enc=blowfish_cbc ekey=AAAAA dest=222.222.222.222
sa ipesp spi=1000 auth=hmac-md5-96 akey=DDDDD enc=blowfish_cbc ekey=BBBBB
if /dev/tun0 local_spi=1000 remote_spi=1000
On gw2 create /usr/local/etc/ipsec/pipsecd.conf with the following:
sa ipesp spi=1000 auth=hmac-md5-96 akey=CCCCC enc=blowfish_cbc ekey=AAAAA
sa ipesp spi=1000 auth=hmac-md5-96 akey=DDDDD enc=blowfish_cbc ekey=BBBBB dest=111.111.111.111
if /dev/tun0 local_spi=1000 remote_spi=1000
That's it. Now, on both machines, start pipsecd by typing (as root):
sh /usr/local/etc/rc.d/pipsecd.sh
At this point machines on either LAN should be able to connect to machines on the other LAN -- that is, host 10.0.0.2 should be able to ping 10.1.0.2 provided that they are both on.
For some reason the gateways themselves will not be able to talk to each other. When I set up my first VPN they could, but I must have changed something by accident and now they can't. But it's not that big of a deal because you shouldn't be connecting from/to your gateways very much anyway.
Note:
If there is a firewall on your LAN, you need to add some rules. The example below uses IPFW (ipfw on gw1, external NIC named ed0):
add 8000 allow 50 from 222.222.222.222 to 111.111.111.111 in recv ed0
add 8000 allow ip from any to any via tun0
My hardware:
Office - FreeBSD 3.4, P120, 64RAM, 512K DSL connection
Home 1 - FreeBSD 3.4, P133, 32RAM, 512K DSL connection
Home 2 - FreeBSD 4.0, P120, 64RAM, 512K DSL connection
I max out the 512K DSL connection easily transferring b/n these servers (encryption and all). "Home 1" also runs Apache, Samba, netatalk, mysql, DNS, SMTP, POP, firewall, natd, and dhcp without any problems.
In other words, you don't need top-of-the-line hardware.
---- Best Regards,
Weekend
[email protected]
icq: 2499593
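The two pipsecd.conf files in the write-up have to be mirrored: the SA gw1 sends on (the line carrying dest=) must use the same spi, auth, akey, enc and ekey as the SA gw2 receives on (the line without dest=), and vice versa, and every key must be a hex string. The script below is an added example, not from the write-up or from pipsecd: it embeds constructed copies of both files with the page's placeholder keys and checks that pairing before the files are deployed.

```shell
#!/bin/sh
# Constructed copies of the two pipsecd.conf files from the write-up (placeholder keys as on the page).
GW1_CONF='sa ipesp spi=1000 auth=hmac-md5-96 akey=CCCCC enc=blowfish_cbc ekey=AAAAA dest=222.222.222.222
sa ipesp spi=1000 auth=hmac-md5-96 akey=DDDDD enc=blowfish_cbc ekey=BBBBB
if /dev/tun0 local_spi=1000 remote_spi=1000'
GW2_CONF='sa ipesp spi=1000 auth=hmac-md5-96 akey=CCCCC enc=blowfish_cbc ekey=AAAAA
sa ipesp spi=1000 auth=hmac-md5-96 akey=DDDDD enc=blowfish_cbc ekey=BBBBB dest=111.111.111.111
if /dev/tun0 local_spi=1000 remote_spi=1000'

# Print spi/auth/akey/enc/ekey of one SA from a config on stdin:
# "out" selects the SA carrying dest= (traffic this side sends), "in" the one without it.
sa_params() {  # $1 = out|in
    awk -v want="$1" '
        $1 == "sa" && (($0 ~ /dest=/) == (want == "out")) {
            s = ""
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(spi|auth|akey|enc|ekey)=/) s = s (s == "" ? "" : " ") $i
            print s
        }'
}

# Return 0 when all keys are hex and each side's outbound SA equals the other side's inbound SA.
check_pipsecd_pair() {  # $1 = gw1 config text, $2 = gw2 config text
    for key in $(printf '%s\n%s\n' "$1" "$2" | grep -o '[ae]key=[^ ]*' | cut -d= -f2); do
        case "$key" in
            ""|*[!0-9A-Fa-f]*) echo "key '$key' is not a hex string"; return 1 ;;
        esac
    done
    [ "$(printf '%s\n' "$1" | sa_params out)" = "$(printf '%s\n' "$2" | sa_params in)" ] \
        || { echo "gw1 outbound SA does not match gw2 inbound SA"; return 1; }
    [ "$(printf '%s\n' "$2" | sa_params out)" = "$(printf '%s\n' "$1" | sa_params in)" ] \
        || { echo "gw2 outbound SA does not match gw1 inbound SA"; return 1; }
    echo "SAs are mirrored and keys are hex"
}

check_pipsecd_pair "$GW1_CONF" "$GW2_CONF"
```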