
Topology

site1 (211.1.1.20) -------------------------------------------- site 2 (211.1.1.30)

On Site 1:

1. cd /etc/ssl/

2. Generate the CA certificate and the server certificate

   Create a self-signed CA certificate:

# openssl req -x509 -days 365 -newkey rsa:1024 -keyout ca.key -out ca.crt

   Quickly generate the server certificate request (the key and CSR are named after the host's IP address):

# openssl req -new -keyout 211.1.1.20.key -out 211.1.1.20.req

 

Create a file named x509.cnf (the name must match the -extfile argument below) containing:

[ v3_ipaddr ]
subjectAltName=IP:$ENV::CERTIP

Sign the certificate with the CA. The -extensions value must match the section name exactly (section names are case-sensitive), and the CERTIP environment variable supplies the IP address placed in the subjectAltName:

# env CERTIP=211.1.1.20 openssl x509 -req -days 365 \
-in 211.1.1.20.req -CA ca.crt -CAkey ca.key \
-CAcreateserial -extfile x509.cnf -extensions v3_ipaddr \
-out 211.1.1.20.crt

Inspect the certificate:

# openssl x509 -text -noout -in 211.1.1.20.crt

You should be looking for something like this:

X509v3 extensions:
    X509v3 Subject Alternative Name:
        IP Address:211.1.1.20

================================================

Create the 211.1.1.30 server certificate the same way, sign it with the CA, and copy it (with its key) to 211.1.1.30 together with 211.1.1.20.crt, so that three certificates end up there: ca.crt, 211.1.1.20.crt and 211.1.1.30.crt.

================================================
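The steps above for both hosts as one script, added here as an example and not taken from the original post: it builds the CA and the two host certificates with IP-address SANs, then checks each certificate the way racoon's peer verification depends on (it chains to ca.crt and carries the expected IP SAN). It assumes openssl is on the PATH, works in a temporary directory, and uses a 2048-bit key and constructed DNs instead of the interactive prompts.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA and both host
# certificates with IP-address SANs, then verify each one the way racoon will.
# Assumptions: openssl is installed; a scratch directory is acceptable.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}
cd "$WORKDIR"

# Same extension section as in the post; the IP is taken from the environment.
cat > x509.cnf <<'EOF'
[ v3_ipaddr ]
subjectAltName = IP:$ENV::CERTIP
EOF

# Self-signed CA. -nodes/-subj/-batch avoid prompts; the DN is constructed.
make_ca() {
    openssl req -x509 -days 365 -newkey rsa:2048 -nodes -batch \
        -subj "/CN=racoon-test-ca" -keyout ca.key -out ca.crt 2>/dev/null
}

# Request and CA-sign a host certificate whose SAN is the host's IP address.
make_host_cert() {
    ip=$1
    openssl req -new -newkey rsa:2048 -nodes -batch -subj "/CN=$ip" \
        -keyout "$ip.key" -out "$ip.req" 2>/dev/null
    CERTIP="$ip" openssl x509 -req -days 365 -in "$ip.req" \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile x509.cnf -extensions v3_ipaddr -out "$ip.crt" 2>/dev/null
}

# Succeed only if the certificate chains to ca.crt AND carries the expected
# IP SAN; a peer certificate failing either check is one racoon must reject.
check_host_cert() {
    cert=$1; ip=$2
    [ -f "$cert" ] || return 1
    openssl verify -CAfile ca.crt "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -qw "IP Address:$ip"
}

make_ca
for ip in 211.1.1.20 211.1.1.30; do
    make_host_cert "$ip"
    if check_host_cert "$ip.crt" "$ip"; then
        echo "$ip.crt: OK (signed by ca.crt, IP SAN $ip present)"
    else
        echo "$ip.crt: FAILED verification"; exit 1
    fi
done
```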

Edit racoon.conf (the certificate files named here must be placed in the directory given by path certificate):

path certificate "/usr/local/etc/racoon/cert";

remote anonymous
{
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;

    # my_identifier address 211.1.1.20;
    certificate_type x509 "211.1.1.20.crt" "211.1.1.20.key";
    # peers_identifier address 211.1.1.30;
    peers_certfile x509 "211.1.1.30.crt";
    nonce_size 16;
    initial_contact on;
    proposal_check strict; # obey, strict, or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        # authentication_method pre_shared_key;
        authentication_method rsasig;
        dh_group 2;
    }
}

#sainfo address 211.1.1.20 any address 211.1.1.10 any
sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

 

 

Run setkey (the two policies below require ESP in transport mode for all traffic between the two hosts):

vi ipsec.sh

#!/bin/sh
LOCAL=211.1.1.20 # IP address of this machine
#GATEWAY=192.168.199.2 # IP address of network gateway
REMOTE=211.1.1.30 # IP address of VPN server

#ifconfig gif0 destroy
#ifconfig gif0 create
#ifconfig gif0 $INTERNAL_ADDR4 $INTERNAL_ADDR4
#ifconfig gif0 tunnel $LOCAL $REMOTE
setkey -FP          # flush the existing security policy database
setkey -c << EOT    # read the new policies from stdin
spdadd $LOCAL $REMOTE any -P out ipsec esp/transport//require;
spdadd $REMOTE $LOCAL any -P in ipsec esp/transport//require;
EOT

# sh ipsec.sh

Run racoon in the foreground:

# racoon -f racoon.conf -F

 

Reference: http://www.bsdguides.org/2007/configuring-ipsec-vpn-connection-between-freebsd-and-openbsd/