Install Libreswan

yum install -y libreswan

systemctl start ipsec
systemctl enable ipsec

Reinitialize the NSS database

rm -rf /etc/ipsec.d/*.db    # remove the initial NSS database files

ipsec initnss               # create a fresh ipsec NSS database

Check IPsec status

  • Command
ipsec verify
  • Output
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

ICMP default/accept_redirects [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ens33/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ens37/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
warning: could not open include filename: '/etc/ipsec.d/*.conf'

ipsec verify: encountered 15 errors - see 'man ipsec_verify' for help
  • Fix (each line below corresponds to one finding in the output above)
# ICMP default/send_redirects                    [NOT DISABLED]
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
# ICMP default/accept_redirects [NOT DISABLED]
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
# Two or more interfaces found, checking IP forwarding [FAILED]
echo 1 > /proc/sys/net/ipv4/ip_forward
# /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
# /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
# /proc/sys/net/ipv4/conf/ens33/rp_filter [ENABLED]
echo 0 > /proc/sys/net/ipv4/conf/ens33/rp_filter
# /proc/sys/net/ipv4/conf/ens37/rp_filter [ENABLED]
echo 0 > /proc/sys/net/ipv4/conf/ens37/rp_filter
# /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
echo 0 > /proc/sys/net/ipv4/conf/ip_vti0/rp_filter
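The echo commands above change the running kernel only; after a reboot the settings are gone and ipsec verify reports the same findings again. The following POSIX shell script is an added example of mine, not part of the original post: it writes the same settings as a sysctl drop-in and then reads every live value back to confirm it applied. It goes one step further than the list above by setting send_redirects and accept_redirects for the all scope as well as default, which is what the wildcard path printed by ipsec verify refers to. The interface names ens33, ens37 and ip_vti0 are taken from the verify output on this page; the drop-in path /etc/sysctl.d/90-libreswan.conf and the SYSCTL_READ override used for testing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): make the "ipsec verify" fixes
# persistent with a sysctl drop-in and confirm the live kernel values match.
set -eu

# Print sysctl lines for IP forwarding plus the redirect and rp_filter settings
# for the scopes 'all', 'default' and every interface name given as an argument.
ipsec_sysctl_conf() {
    printf '# Libreswan prerequisites (see "ipsec verify")\n'
    printf 'net.ipv4.ip_forward = 1\n'
    for scope in all default "$@"; do
        printf 'net.ipv4.conf.%s.send_redirects = 0\n' "$scope"
        printf 'net.ipv4.conf.%s.accept_redirects = 0\n' "$scope"
        printf 'net.ipv4.conf.%s.rp_filter = 0\n' "$scope"
    done
}

# Command used to read a live value. Overridable (an assumption of this
# example) so the checker can be exercised without root or a real kernel.
SYSCTL_READ="${SYSCTL_READ:-sysctl -n}"

# verify_sysctl_conf FILE: compare each "key = value" line in FILE with the
# live value. Prints every mismatch; the return status is the mismatch count.
verify_sysctl_conf() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        want=$(printf '%s' "${line#*=}" | tr -d ' ')
        have=$($SYSCTL_READ "$key" 2>/dev/null || echo '?')
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "$have"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Usage (as root):  sh this_script.sh apply
# The interface names come from the ipsec verify output on this page.
if [ "${1:-}" = "apply" ]; then
    conf=/etc/sysctl.d/90-libreswan.conf      # path is an assumption
    ipsec_sysctl_conf ens33 ens37 ip_vti0 > "$conf"
    sysctl --system > /dev/null
    if verify_sysctl_conf "$conf"; then
        echo "all settings applied; now re-run: ipsec verify"
    fi
fi
```

Run it with the apply argument as root, then run ipsec verify again; the redirect, forwarding and rp_filter findings should be gone. Keep in mind that rp_filter is the kernel's reverse-path anti-spoofing check: once it is off for IPsec's sake, source-address filtering has to come from your firewall rules instead.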

Generate RSA keys

  • Each side generates its own RSA host key
ipsec newhostkey --configdir /etc/ipsec.d  \
--output /etc/ipsec.d/text.secrets
  • List the key to obtain its RSA key id (rsaid)
ipsec showhostkey --list
  • Designate the left and right hosts

    Run the following to obtain the RSA key id

    ipsec showhostkey --list

    Result

    < 1> RSA keyid: AwEAAbUXf ckaid: 4f7a48ca8003f3adf0b6730f4130bbe00748faea
    • On the left host
    ipsec showhostkey --left --rsaid AwEAAbUXf
    • On the right host
    ipsec showhostkey --right --rsaid AwEAAbUXf
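The two showhostkey commands each print a ready-made leftrsasigkey= or rightrsasigkey= line containing that host's public key. Where those lines go is not shown above, so here is an added host-to-host connection definition of mine (not from the original post) that uses them. The same file is installed on both hosts; each host keeps its private key in its own /etc/ipsec.d/*.secrets file, and only the public halves are exchanged. The peer addresses, the connection name and the key values are placeholders. Creating a file under /etc/ipsec.d/ also clears the "could not open include filename: '/etc/ipsec.d/*.conf'" warning from ipsec verify, since the default ipsec.conf includes that glob and it matched nothing.

```conf
# /etc/ipsec.d/host-to-host.conf  (added example; every value is a placeholder)
conn host-to-host
    # public addresses of the two peers
    left=192.0.2.10
    right=198.51.100.20
    # paste the line printed on the left host by
    #   ipsec showhostkey --left --rsaid <left keyid>
    leftrsasigkey=0sPLACEHOLDER_LEFT_PUBLIC_KEY
    # paste the line printed on the right host by
    #   ipsec showhostkey --right --rsaid <right keyid>
    rightrsasigkey=0sPLACEHOLDER_RIGHT_PUBLIC_KEY
    # authenticate with the raw RSA keys above, IKEv2 only
    authby=rsasig
    ikev2=insist
    # load and bring the tunnel up when pluto starts
    auto=start
```

After saving the file on both hosts, load and start the connection with ipsec auto --add host-to-host followed by ipsec auto --up host-to-host, and confirm the established state with ipsec status. If a peer presents a key that does not match the rsasigkey configured for it, the IKE authentication fails and the tunnel stays down, which is the property you want from this setup.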