OpenBSD + PF + isakmpd installation and configuration
I am a newcomer: I have been learning BSD for only a month, and before that had only brief exposure to AIX, Linux and UX. I hope we can all exchange ideas and improve together, and that the open-source tide keeps growing stronger.
Hardware: IBM eServer, P3-800 + 512M RAM + 20G disk
******************************************************************************************
1. Installation
******************************************************************************************
Boot the machine until this prompt appears:
(I)nstall, (U)pgrade or (S)hell?
(I) installs a brand-new system, (U) upgrades an existing OpenBSD installation, (S) drops to a shell.
I am reinstalling OpenBSD, so I choose (I).
Proceed with install? [n]
Proceed with the installation: type y and press Enter.
After a screen of welcome text the installer asks for the terminal type:
Specify terminal type [vt220]:
Press Enter for the default.
Do you wish to select a keyboard encoding table? [n]
Press Enter for the default.
Available disks are:
sd0
Which disk is the root disk? [sd0]
Select the disk to install on; every disk in the machine is listed here. IDE disks appear as wd0, SCSI disks as sd0. Press Enter for the default.
(If you abort part-way through, the system sometimes cannot find the disk after a reboot; power it off for a moment and start again.)
Do you want to use the *entire* disk for OpenBSD? [no]
This box is going to be a server, so answer yes and press Enter.
The installer now runs disklabel (the partitioning program; type ? and press Enter for help). Note that the transcript below shows the disk as wd0, the IDE name, while the prompt above reported sd0; use whichever name the installer printed for your disk.
> ?
M        - show entire OpenBSD man page for disklabel
e        - edit drive parameters
a [part] - add new partition
b        - set OpenBSD disk boundaries
c [part] - change partition size
d [part] - delete partition
D        - set label to default
g [d|b]  - use [d]isk or [b]ios geometry
m [part] - modify existing partition
n [part] - set the mount point for a partition
r        - recalculate free space
u        - undo last change
s [path] - save label to file
w        - write label to disk
q        - quit and save changes
x        - exit without saving changes
X        - toggle expert mode
z        - zero out partition table
? [cmnd] - this message or command specific help
> p        (show the disk's current layout)
device: /dev/rwd0c
type: ESDI
disk: ESDI/IDE disk
label: ST310212A
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 8385930
free sectors: 1827
rpm: 3600
16 partitions:
#        size   offset  fstype  [fsize bsize cpg]
  a:  8384040       63  unused       0     0
  c:  8385930        0  unused       0     0
> d a
Delete a and lay the disk out again. The default offered at each size: prompt is all the remaining free space; a size such as 128M is rounded down to a whole cylinder.
> a a
offset: [63]
size: [8385867] 128M
Rounding to nearest cylinder: 262017
FS type: [4.2BSD]
mount point: [none] /
> a b
offset: [262080]
size: [8123850] 256M
Rounding to nearest cylinder: 524160
FS type: [swap]
> a d
offset: [786240]
size: [7599690] 128M
Rounding to nearest cylinder: 262080
FS type: [4.2BSD]
mount point: [none] /tmp
> a e
offset: [1048320]
size: [7337610] 512M
Rounding to nearest cylinder: 1048320
FS type: [4.2BSD]
mount point: [none] /var
> a f
offset: [2096640]
size: [6289290] 2G
Rounding to nearest cylinder: 4194288
FS type: [4.2BSD]
mount point: [none] /usr
> a g
offset: [6290928]
size: [2095002]
FS type: [4.2BSD]
mount point: [none] /home
So / gets 128M, swap 256M, /tmp 128M, /var 512M, /usr 2G and /home the rest. Keeping /tmp, /var and /home on their own partitions also lets you mount them nosuid,nodev in /etc/fstab later on.
> p
device: /dev/rwd0c
type: ESDI
disk: ESDI/IDE disk
label: ST310212A
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 8385930
free sectors: 0
rpm: 3600
16 partitions:
#        size   offset  fstype  [fsize bsize cpg]
  a:   262017       63  4.2BSD    1024 16384   16  # /
  b:   524160   262080    swap
  c:  8385930        0  unused       0     0
  d:   262080   786240  4.2BSD    1024 16384   16  # /tmp
  e:  1048320  1048320  4.2BSD    1024 16384   16  # /var
  f:  4194288  2096640  4.2BSD    1024 16384   16  # /usr
  g:  2095002  6290928  4.2BSD    1024 16384   16  # /home
> w
> q
The following partitions will be used for the root filesystem and swap:
wd0a /
wd0b swap
Mount point for wd0d (size=131040k) [/tmp, RET, none, or done]?
Type done and press Enter; the mount points were already set in disklabel.
The installer asks for confirmation before creating the filesystems:
The next step will overwrite any existing data on:
wd0a wd0d wd0e wd0f wd0g
Are you really sure that you're ready to proceed? [n]
Type y and press Enter.
Network configuration
Configure the network? [yes]
Enter system hostname (short form): [] openbsd37
Enter DNS domain name: [] openbsd.nat
Use any name here unless you own a registered domain.
You may configure the following network interfaces (the interfaces
marked with [X] have been successfully configured):
[ ] fxp0
Configure which interface? (or, enter 'done') [fxp0]
Pick the NIC; there is only one here, so press Enter for the default.
IP address (or 'dhcp') ? [] 10.1.8.19
Symbolic (host) name? [openbsd37]
Netmask ? [255.255.255.0]
Press Enter once these are set.
Your use of the network interface may require non-default
media directives. The default media is:
media: Ethernet autoselect (none)
This is a list of supported media:
media none
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT mediaopt full-duplex
media 10baseT
If the default is not satisfactory, and you wish to use another
media, copy that line from above (e.g. "media 100baseTX")
Media directives? [] media autoselect
Choose the link type; media autoselect is used here.
Enter IP address of default route: [none]
Enter IP address of primary nameserver: [none] 10.1.8.19
Would you like to use the nameserver now? [y]
These are the default route and resolver for this host; set them as your network requires. No default route is given here because fxp0 is the inside LAN interface; the outside interface is added in section 2. The nameserver entered is the host's own address, which only works if a resolver runs on this box; section 3 replaces it with the ISP's resolvers in /etc/resolv.conf.
Set the administrator password
Please enter the initial password that the root account will have.
Password (will not echo):
Password (again):
Install the file sets
Do you expect to run the X Window System? [y]
Answer n here; a gateway has no use for X.
Install from (f)tp, (h)ttp, (t)ape, (C)D-ROM, (N)FS or local (d)isk?
Choose C.
The following CD-ROM devices are installed on your system; please make
sure the CD is in the CD-ROM drive and select the device containing
the CD with the installation sets:
cd0
Which CD-ROM contains the installation media? [cd0]
Press Enter for the default.
Enter the directory relative to the mount point that
contains the file. [3.1/i386]
Confirm the directory holding the install sets; press Enter for the default.
The following sets are available for extraction.
Enter filename, `list', `all', or `done'.
You may de-select a set by prepending a '-' to its name.
[X] base31.tgz
[X] etc31.tgz
[X] misc31.tgz
[X] comp31.tgz
[X] man31.tgz
[X] game31.tgz
[ ] xbase31.tgz
[ ] xshare31.tgz
[ ] xfont31.tgz
[ ] xserv31.tgz
[X] bsd
File name? (or 'done') [xbase31.tgz]
Type -game31.tgz to drop the games, leaving base31.tgz, etc31.tgz, misc31.tgz, comp31.tgz, man31.tgz and the kernel bsd selected, then type done. (Set names carry the release number: on 3.7 they are base37.tgz and so on, in the directory 3.7/i386.) comp31.tgz is only needed if you intend to compile anything on this box; leaving the compiler off a bare gateway is a reasonable choice.
Ready to extract selected file sets? [y]
Type y to start extracting.
Extract more sets? [n]
Press Enter for the default.
Set the time zone
What timezone are you in? [`?' for list] [US/Pacific]
Choose Asia/Shanghai.
******************************************************************************************
2. Add the second NIC and enable FTP (to make uploads easy later on)
******************************************************************************************
Check the NICs
# ifconfig -a
fxp0
fxp1
Edit the interface file
# vi /etc/hostname.fxp1
Add the line: inet 202.135.16.252 255.255.255.0 NONE
# vi /etc/hosts
202.135.16.252 openbsd37.openbsd.nat openbsd37
Either reboot, or run sh /etc/netstart now, then confirm with ifconfig fxp1 that the address is configured.
FTP service
OpenBSD# mkdir /home/ftp
OpenBSD# groupadd ftp
OpenBSD# useradd -g ftp -d /home/ftp -s /sbin/nologin ftp
The options go before the user name (useradd ftp -g ftp, as originally written, is the wrong order). The nologin shell keeps the account from being used for anything except anonymous FTP, and ftpd chroots anonymous sessions into this home directory.
OpenBSD# mkdir /home/ftp/pub
OpenBSD# chmod 555 /home/ftp/pub
This directory is read-only for everyone and serves downloads.
OpenBSD# mkdir /home/ftp/incoming
OpenBSD# chmod 733 /home/ftp/incoming
This is the upload directory. Mode 733 lets anyone create files but not list or read them back; the 777 used originally makes the directory both writable and readable by anonymous users, and such a drop box is quickly found and used as a public file exchange. Check uploads by hand and move them to pub/ if they are to be served.
OpenBSD# vi /etc/rc.conf
Set ftpd_flags="-DllUSA"
-D runs ftpd as a standalone daemon, -ll logs every command and transfer via syslog, -U records sessions in utmp, -S logs anonymous transfers to /var/log/ftpd, and -A permits anonymous logins only (plus the accounts listed in /etc/ftpchroot). On OpenBSD, local overrides belong in /etc/rc.conf.local rather than in rc.conf itself, so they survive upgrades.
OpenBSD# vi /etc/ftpwelcome
The text shown to users when they connect with an FTP client:
Welcome to Sunwaylove's FTP !
******************************************************************************************
3. Configure PF
******************************************************************************************
Plan
One NIC (fxp0) faces the inside network 10.1.8.0/24; the other (fxp1) faces the outside with the address 202.135.16.252/32.
PF on this gateway does the NAT and the packet filtering.
The IP firewall is kept simple here.
Add the resolvers
# vi /etc/resolv.conf
Create the file if it does not exist and add:
nameserver 202.96.209.5
nameserver 202.96.209.133
lookup file bind
Enable PF at boot
# vi /etc/rc.conf
pf=YES
(The original set ipfilter=YES and ipnat=YES here; those are IPFilter variables from OpenBSD 2.x and do nothing on a PF system. Put the override in /etc/rc.conf.local rather than editing rc.conf.)
# vi /etc/sysctl.conf
Set net.inet.ip.forwarding=1 so the kernel forwards packets between the two interfaces.
Bridge (optional, and not used by the NAT setup that follows)
# vi /etc/bridgename.bridge0
add fxp0 add fxp1 up
# ifconfig -a
bridge0: flags=41<UP,RUNNING> mtu 1500
Or create it by hand:
# ifconfig bridge0 create
# brconfig bridge0 add fxp0 add fxp1 up
A bridge joins fxp0 and fxp1 into one Ethernet segment, which is the opposite of what a NAT gateway does: bridged, the inside hosts would sit directly on the outside segment and the nat rule would never see their traffic. A bridge is the right tool for a transparent filtering firewall; for the routed NAT design in this section, leave it out.
# vi /etc/rc.conf
Set pf=YES. PF is switched on with pfctl -e and off with pfctl -d.
# vi /etc/pf.conf
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#ext_if="ext0"
#int_if="int0"
#table <spamd> persist
#table <spamd-white> persist
#scrub in
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
# -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
# -> 127.0.0.1 port spamd
#block in
#pass out keep state
#pass quick on { lo $int_if }
#antispoof quick for { lo $int_if }
#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
#======================= START =============================#
#===================set environment=========================#
ext_if = "fxp1"
int_if = "fxp0"
int_net = "10.1.8.0/24"
ext_net = "202.135.16.252/32"
loop = "lo0"
# services reachable on the outside address (the original defined this
# twice, as {22,113} and {ssh,auth}, and then used neither)
tcp_services = "{ ssh, auth }"
icmp_types = "echoreq"
# the remote VPN gateway and its LAN from section 4
vpn_peer = "220.115.232.25"
remote_net = "10.1.9.0/24"
# the usual bogon filter; left disabled because the remote LAN behind the
# tunnel (10.1.9.0/24) is itself a private network
#priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#===================interface statistics====================#
set loginterface $ext_if
#===================state timeouts==========================#
# "aggressive" expires idle states early so dead connections go away fast;
# if it drops long-lived SSH or tunnel sessions, use the default "normal"
set optimization aggressive
#===================ip packet reassembly====================#
scrub in all
#===================NAT=====================================#
# LAN-to-LAN traffic must stay untranslated so that it matches the IPsec flow
no nat on $ext_if from $int_net to $remote_net
# translate to the address that is really on the outside interface; the
# original pointed at 192.168.1.2, a private address that does not exist here
nat on $ext_if from $int_net to any -> ($ext_if)
#===================filter rules============================#
#-------------------default deny----------------------------#
block all
#block drop in quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets
#-------------------no ipv6---------------------------------#
block in quick inet6 all
block out quick inet6 all
#-------------------loopback--------------------------------#
pass in quick on $loop all
pass out quick on $loop all
antispoof quick for { $loop $int_if }
#-------------------inside interface------------------------#
pass in quick on $int_if from $int_net to any keep state
pass out quick on $int_if from any to $int_net keep state
#-------------------outside interface-----------------------#
# without this rule "block all" stops the translated packets from leaving fxp1
pass out on $ext_if from ($ext_if) to any keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type $icmp_types keep state
#-------------------IPsec to the remote gateway (section 4)-#
# IKE (UDP 500) and ESP between the two gateways
pass in on $ext_if proto udp from $vpn_peer to ($ext_if) port isakmp
pass out on $ext_if proto udp from ($ext_if) to $vpn_peer port isakmp
pass in on $ext_if proto esp from $vpn_peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $vpn_peer
# the cleartext LAN-to-LAN traffic carried by the tunnel; which interface
# pf sees it on changed between 3.x releases, so it is passed on both
pass in on enc0 from $remote_net to $int_net keep state
pass out on enc0 from $int_net to $remote_net keep state
pass out on $ext_if from $int_net to $remote_net keep state
#===================End=====================================#
// Using the PF ruleset
# vi /etc/rc.conf
Set the PF line to:
pf=YES
(not "#pf=YES": a leading # comments the line out and PF stays disabled at boot). After a reboot the rules are active.
# pfctl -e
// enable PF
# pfctl -d
// disable PF
# pfctl -f /etc/pf.conf
// load the ruleset from pf.conf
# pfctl -nf /etc/pf.conf
// parse pf.conf without loading it; run this after every edit, a syntax error leaves the old rules in place
# pfctl -Nf /etc/pf.conf
// load only the NAT rules from the file
# pfctl -Rf /etc/pf.conf
// load only the filter rules from the file
# pfctl -sn
// show the current NAT rules
# pfctl -sr
// show the current filter rules
# pfctl -ss
// show the state table
******************************************************************************************
4. Configure the VPN
******************************************************************************************
Two OpenBSD gateways are involved; in what follows they are
OpenBSD1 (local LAN 10.1.8.0/24, WAN 202.135.16.252)
OpenBSD2 (remote LAN 10.1.9.0/24, WAN 220.115.232.25)
IKE authentication uses X.509 certificates here, which also removes the risk of a leaked pre-shared key compromising the VPN.
It is also possible to skip certificates and use only a pre-shared key (the Authentication= line in isakmpd.conf), which is simpler; choose according to your needs.
Setting up IKE with X.509 takes two steps:
first create the X.509 certificates, then change the configuration so that the IKE daemon authenticates with them.
Create your own CA certificate (preferably on a machine that is not one of the gateways, since the CA key signs every gateway certificate)
OpenBSD1# openssl genrsa -out /etc/ssl/private/ca.key 1024
OpenBSD1# openssl req -new -key /etc/ssl/private/ca.key \
-out /etc/ssl/private/ca.csr
(The -key option was missing in the original; without it openssl req generates a fresh key instead of using ca.key.)
Sign the CA's own certificate with its private key
OpenBSD1# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \
-signkey /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
Create a private key and certificate for each IPsec gateway
Start with OpenBSD1
OpenBSD1# openssl genrsa -out /etc/isakmpd/private/local.key 1024
OpenBSD1# openssl req -new -key /etc/isakmpd/private/local.key \
-out /etc/isakmpd/private/202.135.16.252.csr
Pass the certificate request to the CA for signing
OpenBSD1# openssl x509 -req -days 365 -in /etc/isakmpd/private/202.135.16.252.csr \
-CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
-CAcreateserial -out 202.135.16.252.crt
The certpatch tool must then add a subjectAltName extension carrying the gateway's IP address, which isakmpd matches against the Phase 1 ID; the patched certificate is re-signed with the CA key
OpenBSD1# certpatch -t ip -i 202.135.16.252 -k /etc/ssl/private/ca.key \
202.135.16.252.crt 202.135.16.252.patched.crt
OpenBSD1# cp 202.135.16.252.patched.crt /etc/isakmpd/certs/202.135.16.252.crt
OpenBSD1# cp /etc/ssl/ca.crt /etc/isakmpd/ca/
Two corrections to the original here: it is the signed certificate (.crt), not the request (.csr), that goes into /etc/isakmpd/certs/, and /etc/isakmpd/ca/ takes the CA certificate, not the CA private key. The CA private key must never be copied onto a gateway: anyone who reads it can issue a certificate that the other gateway will accept. Keep local.key mode 0600 and owned by root.
Repeat the same steps for gateway OpenBSD2, replacing 202.135.16.252 with its public address 220.115.232.25. Generate OpenBSD2's private key on OpenBSD2 itself and move only the request to the CA and the signed certificate back; OpenBSD2 also needs a copy of ca.crt in /etc/isakmpd/ca/. 1024-bit RSA keys were the norm when this was written; use 2048 bits today.
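The certificate steps above, as an added example that is not part of the original post or of OpenBSD's tools: it builds the CA and both gateway certificates with openssl(1) alone, writing the IP subjectAltName that isakmpd matches against the Phase 1 ID at signing time (with -extfile, the job certpatch(8) does afterwards on OpenBSD), and then checks each certificate the way isakmpd will, that it chains to ca.crt and carries the expected address. It assumes openssl is in PATH, uses 2048-bit keys, and writes everything under a scratch directory from mktemp so nothing touches /etc; the "rogue" CA and the gateway names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: CA, gateway certificates
# and the verification isakmpd relies on, done with openssl only.
# Assumptions: openssl in PATH; everything lives under a mktemp directory.
set -e

GW1=202.135.16.252   # OpenBSD1 WAN address from the post
GW2=220.115.232.25   # OpenBSD2 WAN address from the post

# make_ca DIR: self-signed CA key and certificate in DIR
make_ca() {
  mkdir -p "$1"
  openssl genrsa -out "$1/ca.key" 2048 >/dev/null 2>&1
  chmod 600 "$1/ca.key"
  openssl req -new -x509 -key "$1/ca.key" -days 365 \
    -subj "/O=vpn-example/CN=vpn-ca" -out "$1/ca.crt" >/dev/null 2>&1
}

# make_gw_cert DIR CADIR IP: key, request and CA-signed certificate for one gateway
make_gw_cert() {
  mkdir -p "$1"
  openssl genrsa -out "$1/$3.key" 2048 >/dev/null 2>&1
  chmod 600 "$1/$3.key"
  openssl req -new -key "$1/$3.key" -subj "/O=vpn-example/CN=$3" \
    -out "$1/$3.csr" >/dev/null 2>&1
  # the extension certpatch(8) would otherwise patch in after signing
  printf 'subjectAltName=IP:%s\n' "$3" > "$1/$3.ext"
  openssl x509 -req -days 365 -in "$1/$3.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
    -CAcreateserial -extfile "$1/$3.ext" -out "$1/$3.crt" >/dev/null 2>&1
}

# check_gw_cert CERT CACERT IP: succeeds only if CERT chains to CACERT and
# its subjectAltName carries IP, the two things isakmpd needs to be true
check_gw_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -q "IP Address:$3" || return 1
}

# demo_pki: issue both gateway certificates, then present a certificate for
# OpenBSD2's address signed by an unrelated CA, standing in for an attacker
# who knows the peer's IP address but not our CA key
demo_pki() {
  work=$(mktemp -d)
  make_ca "$work/ca"
  make_gw_cert "$work/gw1" "$work/ca" "$GW1"
  make_gw_cert "$work/gw2" "$work/ca" "$GW2"
  make_ca "$work/rogue"
  make_gw_cert "$work/rogue-gw" "$work/rogue" "$GW2"
  result=""
  check_gw_cert "$work/gw1/$GW1.crt" "$work/ca/ca.crt" "$GW1" && result="${result}gw1-ok "
  check_gw_cert "$work/gw2/$GW2.crt" "$work/ca/ca.crt" "$GW2" && result="${result}gw2-ok "
  check_gw_cert "$work/rogue-gw/$GW2.crt" "$work/ca/ca.crt" "$GW2" || result="${result}rogue-rejected"
  rm -rf "$work"
  printf '%s\n' "$result"
}
```

On a real gateway the same two checks apply before isakmpd is started: openssl verify -CAfile /etc/isakmpd/ca/ca.crt /etc/isakmpd/certs/202.135.16.252.crt must report OK, and openssl x509 -in that certificate -noout -text must show the IP Address entry that the Phase 1 ID will be compared with.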
Edit the policy file
OpenBSD1# vi /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP or AH SAs from any peer that authenticated in Phase 1
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            (esp_present == "yes" || ah_present == "yes") -> "true";
The original's Comment ("uses the right password") and the "OLICY" typo were left over from the pre-shared-key sample. With X.509 authentication, Phase 1 only succeeds for a certificate that chains to a CA certificate in CA-directory, so this policy admits every holder of a certificate from your CA. isakmpd.policy(5) shows how to add a Licensees: line naming the CA certificate (x509-base64:...) if the policy itself should state which CA is trusted, and how to add esp_enc_alg != "null" so that an SA without encryption is refused.
OpenBSD1# vi /etc/isakmpd/isakmpd.conf
#===================Start of VPN ===========================#
[General]
Retransmits= 5
Exchange-max-time= 120
# Without Listen-on, isakmpd listens on every local address; leave the line
# out if the WAN address is not fixed.
Listen-on= 202.135.16.252
[Phase 1]
# Maps the peer's WAN address to its Phase 1 section [ISAKMP-LAN2-gw].
220.115.232.25= ISAKMP-LAN2-gw
[Phase 2]
# The IPsec connection to establish, described in [IPsec-LAN1-dsl].
Connections= IPsec-LAN1-dsl
# Reached from [Phase 1]: the IKE phase 1 peer.
[ISAKMP-LAN2-gw]
Phase= 1
Transport= udp
Local-address= 202.135.16.252
Address= 220.115.232.25
# Phase 1 parameters come from [Default-main-mode].
Configuration= Default-main-mode
# A pre-shared key would go here; not used, we authenticate with X.509.
#Authentication= SecRetPhrasE
# Reached from [Phase 2]: the IKE phase 2 connection.
[IPsec-LAN1-dsl]
Phase= 2
# The phase 1 peer this connection runs over.
ISAKMP-peer= ISAKMP-LAN2-gw
# Phase 2 parameters come from [Default-quick-mode].
Configuration= Default-quick-mode
Local-ID= Net-LAN1
Remote-ID= Net-LAN2
# Remote ID: the LAN behind OpenBSD2.
[Net-LAN2]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.9.0
Netmask= 255.255.255.0
# Local ID: the LAN behind this gateway.
[Net-LAN1]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.8.0
Netmask= 255.255.255.0
#===================Main mode descriptions==================#
# Reached from [ISAKMP-LAN2-gw].
[Default-main-mode]
DOI= IPSEC
# ID_PROT is main mode; AGGRESSIVE would select aggressive mode.
EXCHANGE_TYPE= ID_PROT
# Proposed transform, see [3DES-MD5] below.
Transforms= 3DES-MD5
# Reserved section name: where isakmpd finds the certificates and key.
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
#===================Main mode transforms====================#
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
# RSA_SIG selects certificate-based authentication.
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1024
#===================Quick mode descriptions=================#
# Reached from [IPsec-LAN1-dsl].
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
# Continues in [QM-ESP-3DES-MD5-PFS-SUITE].
Suites= QM-ESP-3DES-MD5-PFS-SUITE
[QM-ESP-3DES-MD5-PFS-SUITE]
# Continues in [QM-ESP-3DES-MD5-PFS].
Protocols= QM-ESP-3DES-MD5-PFS
[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
# Continues in [QM-ESP-3DES-MD5-PFS-XF].
Transforms= QM-ESP-3DES-MD5-PFS-XF
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
# A group in the phase 2 transform enables perfect forward secrecy.
GROUP_DESCRIPTION= MODP_1024
#===================End=====================================#
The comments are kept on lines of their own: isakmpd treats only lines beginning with # as comments, and a comment appended to a value (as in the original, Configuration= Default-main-mode #...) becomes part of that value, so the section lookup fails. 3DES, MD5 and MODP_1024 were the usual choices when this was written; isakmpd also accepts AES_CBC, SHA and MODP_2048 (and HMAC_SHA / TRANSFORM_ID= AES in the quick mode transform), which are the better choice on anything current.
The configuration on the remote gateway OpenBSD2 is the mirror image (the addresses, the Phase 1 peer entry and the two Net-LAN IDs swap sides), so it is not repeated here.
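The configuration above, and the mirrored one on OpenBSD2, is a chain of section jumps: [Phase 1] to the peer section to Configuration to Transforms, and [Phase 2] to Connections to the IDs and Configuration to Suites to Protocols to Transforms. A misspelled section name breaks that chain silently until Phase 1 or Phase 2 fails to negotiate. As an added check that is not part of the post or of isakmpd, the script below follows those jumps and reports any section that is referenced but never defined. It assumes only POSIX sh and awk; its sample input is a trimmed copy of the OpenBSD1 configuration above, and the key list inside the awk program is the set of keys this file uses to name other sections.

```shell
#!/bin/sh
# Added example, not code from the original post: cross-reference check for
# an isakmpd.conf. Assumptions: POSIX sh and awk only; the sample below is
# a trimmed copy of the post's OpenBSD1 configuration.
set -e

# check_isakmpd_conf FILE: prints "ok", or each referenced-but-undefined
# section together with the section that references it
check_isakmpd_conf() {
  awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments and padding
    $0 == "" { next }
    /^\[.*\]$/ { sect = substr($0, 2, length($0) - 2); defined[sect] = 1; next }
    /=/ {
      key = $0; sub(/[ \t]*=.*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val)
      # these keys, and every line of [Phase 1], name other sections
      if (key ~ /^(Configuration|Transforms|Suites|Protocols|ISAKMP-peer|Local-ID|Remote-ID|Connections)$/ || sect == "Phase 1") {
        n = split(val, names, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) if (names[i] != "") refs[names[i]] = sect
      }
    }
    END {
      for (r in refs) if (!(r in defined))
        missing = missing (missing == "" ? "" : " ") r " (from [" refs[r] "])"
      print (missing == "" ? "ok" : missing)
    }' "$1"
}

# sample_conf: the jump structure of the configuration in the post
sample_conf() {
  cat <<'EOF'
[Phase 1]
220.115.232.25= ISAKMP-LAN2-gw
[Phase 2]
Connections= IPsec-LAN1-dsl
[ISAKMP-LAN2-gw]
Phase= 1
Address= 220.115.232.25
Configuration= Default-main-mode
[IPsec-LAN1-dsl]
Phase= 2
ISAKMP-peer= ISAKMP-LAN2-gw
Configuration= Default-quick-mode
Local-ID= Net-LAN1
Remote-ID= Net-LAN2
[Net-LAN1]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.8.0
[Net-LAN2]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.9.0
[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
[3DES-MD5]
AUTHENTICATION_METHOD= RSA_SIG
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-PFS-SUITE
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS
[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
EOF
}

# demo_conf_check: the sample passes; then one jump target is misspelled,
# as a typo in a hand-edited file would be, and the check names the broken link
demo_conf_check() {
  f=$(mktemp)
  sample_conf > "$f"
  good=$(check_isakmpd_conf "$f")
  sed 's/^Transforms= 3DES-MD5$/Transforms= 3DES-SHA/' "$f" > "$f.bad"
  bad=$(check_isakmpd_conf "$f.bad")
  rm -f "$f" "$f.bad"
  printf '%s|%s\n' "$good" "$bad"
}
```

Run check_isakmpd_conf /etc/isakmpd/isakmpd.conf on each gateway after editing; it only checks that the chain of section names is closed, not that the parameters inside the sections are valid, so a clean result still has to be followed by a real negotiation.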
Start the isakmpd daemon
# isakmpd
Set isakmpd_flags="" in /etc/rc.conf.local so that it starts at boot; while testing, isakmpd -d -DA=30 keeps it in the foreground with debugging output, which shows exactly where a Phase 1 or Phase 2 exchange fails.
Check that the VPN works
The setkey program mentioned in the original comes from the KAME IPsec stack used by NetBSD and FreeBSD; it is not part of OpenBSD's IPsec tools, which is why it could not be made to work here. On OpenBSD, list the installed IPsec flows with
# netstat -rn -f encap
The two flows between 10.1.8.0/24 and 10.1.9.0/24 appear once Phase 2 has completed. Then ping a host in the other LAN from each side: a reply proves the tunnel carries traffic, and tcpdump -n -i fxp1 esp on the outside interface should show only ESP packets between the two gateway addresses, never the private 10.x addresses in the clear. (The TTL of the reply says nothing about the tunnel; it depends on the operating system of the replying host.)
( End )