Installing Openswan 2.6.28 from source on CentOS 5.4

Date: 2017/2/28 16:30:15   Editor: Linux教程

# uname -r
2.6.18-164.el5

I. Download Openswan
Download the current latest release, 2.6.28, from the official site www.openswan.org.

# tar xzvf openswan-2.6.28.tar.gz
# cd openswan-2.6.28

II. Install the dependencies
See the README in the openswan source directory:
There are a few packages required for Openswan to compile:

1. libgmp + libgmp-devel headers. (GNU Math Precision Library)

2. gawk, flex and bison (usually included in all distributions)

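gawk, flex and bison are easy to install: gawk is installed by default, and flex and bison can be installed with yum. libgmp is more trouble. I first downloaded gmp-5.0.1.tar.gz, but starting the openswan service then failed with an error (libgmp.so.10), so I had to remove it. I later found the matching RPM packages on the CentOS installation disc.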

# rpm -ivh gmp-4.1.4-10.el5.i386.rpm
Preparing... ########################################### [100%]
package gmp-4.1.4-10.el5.i386 is already installed

# rpm -ivh gmp-devel-4.1.4-10.el5.i386.rpm
Preparing... ########################################### [100%]
1:gmp-devel ########################################### [100%]

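III. Install Openswan

# make programs
# make install

After a successful install, the ipsec.conf configuration file and the ipsec.d directory are created under /etc/, the ipsec executable is created under /usr/local/sbin, and the ipsec shell script is created under /etc/init.d/.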

IV. Basic Openswan operations

1. Check the current Openswan version
# ipsec --version
Linux Openswan U2.6.28/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.


2. The ipsec service
# service ipsec start

# service ipsec restart

# service ipsec stop

3. Verify that Openswan is installed correctly
# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.18-164.el5 (netkey)
Checking for IPsec support in kernel [OK]
Testing against enforced SElinux mode [FAILED]

SElinux is running in 'enforced' mode.
If you encounter network related SElinux errors, especially when using KLIPS,
try disabling SElinux using:

echo "0" > /selinux/enforce (or edit /etc/sysconfig/selinux)

NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

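(1) Disable SELinux
# vim /etc/sysconfig/selinux
Set SELINUX=disabled. The file is read at boot, so this applies from the next boot; setenforce 0 switches the running system to permissive mode in the meantime.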

# setenforce 0

(2) Disable ICMP send_redirects and accept_redirects
You can write a shell script that disables /proc/sys/net/ipv4/conf/*/send_redirects and /proc/sys/net/ipv4/conf/*/accept_redirects.

(3) Enable ip_forward
# vim /etc/sysctl.conf
Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1

# sysctl -p
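
Step (2) above as a script, added here as an example and not part of the original article: it zeroes both redirect settings under every entry of /proc/sys/net/ipv4/conf, re-checks them the way ipsec verify does, and prints matching lines for /etc/sysctl.conf. The function names, the optional directory argument (so it can be tried on a scratch tree without root) and the --apply switch are this example's own.

```shell
#!/bin/sh
# Added example: disable ICMP send_redirects/accept_redirects for NETKEY.
# The directory argument is an assumption of this example, used for testing.
CONF_DIR_DEFAULT=/proc/sys/net/ipv4/conf

# Write 0 to both settings of every entry (all, default, lo, eth0, ...).
# Returns 1 if any write failed, for example when not run as root.
disable_redirects() {
    dir=${1:-$CONF_DIR_DEFAULT}
    rc=0
    for f in "$dir"/*/send_redirects "$dir"/*/accept_redirects; do
        [ -e "$f" ] || continue            # glob matched nothing
        echo 0 > "$f" || rc=1
    done
    return $rc
}

# Print every setting that is still non-zero; returns 1 if any remain.
check_redirects() {
    dir=${1:-$CONF_DIR_DEFAULT}
    bad=0
    for f in "$dir"/*/send_redirects "$dir"/*/accept_redirects; do
        [ -e "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "$f = $val"
            bad=1
        fi
    done
    return $bad
}

# /proc writes are lost at reboot: print lines for /etc/sysctl.conf
# (applied by 'sysctl -p', as in step (3)), one pair per current entry.
sysctl_lines() {
    dir=${1:-$CONF_DIR_DEFAULT}
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        echo "net.ipv4.conf.$name.send_redirects = 0"
        echo "net.ipv4.conf.$name.accept_redirects = 0"
    done
}

# Run as root with --apply to change the live system.
if [ "${1:-}" = "--apply" ]; then
    disable_redirects && check_redirects && sysctl_lines
fi
```

After applying it, ipsec verify should no longer report the two redirect checks as FAILED.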


4. Configuration files
(1) Configuration file (/etc/ipsec.conf)
View the ipsec.conf configuration help:
# man 5 ipsec.conf

(2) Secrets configuration file (/etc/ipsec.secrets)
View the ipsec.secrets configuration help:
# man 5 ipsec.secrets
