此内容没有您所选择的语言版本。

2.7.3. Host-To-Host VPN Using Libreswan


To configure Libreswan to create a host-to-host IPsec VPN, between two hosts referred to as left and right, and enter the following commands as root on both of the hosts (left and right) to create new raw RSA key pairs:
~]# ipsec newhostkey --configdir /etc/ipsec.d \
--output /etc/ipsec.d/myvpn.secrets
Generated RSA key pair using the NSS database
This generates an RSA key pair for the host. The process of generating RSA keys can take many minutes, especially on virtual machines with low entropy.
To view the public key, issue the following command as root on either of the hosts. For example, to view the public key on the left host, run:
~]# ipsec showhostkey --left
ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
ipsec showhostkey loading secrets from "/etc/ipsec.d/myvpn.secrets"
ipsec showhostkey loaded private key for keyid: PPK_RSA:AQOjAKLlL
	# rsakey AQOjAKLlL
	leftrsasigkey=0sAQOjAKLlL4a7YBv [...]
You have to add this key to the configuration file as explained in the following paragraphs.
The secret part is stored in /etc/ipsec.d/*.db files, also called the NSS database.
To make a configuration file for this host-to-host tunnel, the lines leftrsasigkey= and rightrsasigkey= from above, are added to a custom configuration file placed in the /etc/ipsec.d/ directory.
Using an editor running as root, create a file with a corresponding name in the following format:
/etc/ipsec.d/myvpn.conf
Edit the file as follows:
conn myvpn
    leftid=@west.example.com
    left=192.1.2.23
    leftrsasigkey=0sAQOrlo+hOafUZDlCQmXFrje/oZm [...] W2n417C/4urYHQkCvuIQ==
    rightid=@east.example.com
    right=192.1.2.45
    rightrsasigkey=0sAQO3fwC6nSSGgt64DWiYZzuHbc4 [...] D/v8t5YTQ==
    authby=rsasig
    # load and initiate automatically
    auto=start
You can use the identical configuration file on both left and right hosts. They auto-detect if they are left or right. If one of the hosts is a mobile host, which implies the IP address is not known in advance, then on the mobile host use %defaultroute as its IP address. This picks up the dynamic IP address automatically. On the static host that accepts connections from incoming mobile hosts, specify the mobile host using %any for its IP address.
Ensure the leftrsasigkey value is obtained from the left host and the rightrsasigkey value is obtained from the right host.
Restart ipsec to ensure it reads the new configuration:
~]# service ipsec --full-restart
To check the tunnel is succesfully established, and additionally see how much traffic has gone through the tunnel, enter the following command as root:
~]# ipsec whack --trafficstatus
006 #2: "myvpn", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
Alternatively, if not using the auto=start option in the /etc/ipsec.d/*.conf file or if a tunnel is not succesfully established, use the following command as root to load the IPsec tunnel:
~]# ipsec auto --add myvpn
To bring up the tunnel, issue the following command as root, on the left or the right side:
~]# ipsec auto --up myvpn

2.7.3.1. Verify Host-To-Host VPN Using Libreswan

The IKE negotiation takes place on UDP port 500. IPsec packets show up as Encapsulated Security Payload (ESP) packets. When the VPN connection needs to pass through a NAT router, the ESP packets are encapsulated in UDP packets on port 4500.
To verify that packets are being sent via the VPN tunnel, issue a command as root in the following format:
~]# tcpdump -n -i interface esp or udp port 500 or udp port 4500
00:32:32.632165 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:32.632592 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 7, length 64
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:33.632731 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 8, length 64
00:32:34.632183 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1c), length 132
00:32:34.632607 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1c), length 132
00:32:34.632607 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 9, length 64
00:32:35.632233 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1d), length 132
00:32:35.632685 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1d), length 132
00:32:35.632685 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 10, length 64
Where interface is the interface known to carry the traffic. To end the capture with tcpdump, press Ctrl+C.

Note

The tcpdump commands interacts a little unexpectedly with IPsec. It only sees the outgoing encrypted packet, not the outgoing plaintext packet. It does see the encrypted incoming packet, as well as the decrypted incoming packet. If possible, run tcpdump on a router between the two machines and not on one of the endpoints itself.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.