2.7. Securing Virtual Private Networks (VPNs)
In Red Hat Enterprise Linux 6, a Virtual Private Network (VPN) can be configured using the IPsec tunneling protocol, which is supported by the Libreswan application. Libreswan is a fork of the Openswan application, and examples in documentation should be interchangeable. The NetworkManager IPsec plug-in is called NetworkManager-openswan.
Note
Libreswan replaced Openswan as the preferred implementation of IPsec in Red Hat Enterprise Linux 6.8. Performing an upgrade from a version earlier than 6.8 replaces the openswan package with libreswan.
Libreswan is an open-source, user-space IPsec implementation available in Red Hat Enterprise Linux 6. It uses the Internet Key Exchange (IKE) protocol. IKE versions 1 and 2 are implemented as a user-level daemon. Manual key establishment is also possible via ip xfrm commands; however, this is not recommended. Libreswan interfaces with the Linux kernel using netlink to transfer the encryption keys. Packet encryption and decryption happen in the Linux kernel.
Libreswan uses the Network Security Services (NSS) cryptographic library, which is required for Federal Information Processing Standard (FIPS) security compliance.
2.7.1. IPsec VPN Using Libreswan
To install Libreswan, issue the following command as root. Note that the libreswan package is available from the Extras repository, which needs to be enabled for the installation to succeed. See How to enable/disable a repository using Red Hat Subscription Manager? (The ID of the Extras repository is rhel-6-server-extras-rpms.)
~]# yum install libreswan
To check that Libreswan is installed, issue the following command:
~]$ yum info libreswan
After a new installation of Libreswan the NSS database should be initialized as part of the install process. However, should you need to start a new database, first remove the old database as follows:
~]# rm /etc/ipsec.d/*db
Then, to initialize a new NSS database, issue the following command as root:
~]# ipsec initnss
Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
To start the ipsec daemon provided by Libreswan, issue the following command as root:
~]# service ipsec start
To confirm that the daemon is now running:
~]$ service ipsec status
pluto (pid 3496) is running...
To ensure that Libreswan will start when the system starts, issue the following command as root:
~]# chkconfig ipsec on
Configure any intermediate as well as host-based firewalls to permit the ipsec service. See Section 2.8, “Firewalls” for information on firewalls and allowing specific services to pass through. Libreswan requires the firewall to allow the following packets:
- UDP port 500 for the Internet Key Exchange (IKE) protocol
- UDP port 4500 for IKE NAT-Traversal
- Protocol 50 for Encapsulated Security Payload (ESP) IPsec packets
- Protocol 51 for Authenticated Header (AH) IPsec packets (uncommon)
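The following added shell example (not part of the Red Hat guide) generates the iptables rules that admit the four packet types listed above on a RHEL 6 host, and verifies an iptables -S INPUT dump for them; the peer address 203.0.113.5 and the sample dump are constructed, and restricting the rules to a single peer is an extra hardening step the guide does not require.

```bash
#!/bin/bash
# Added example: iptables rules for Libreswan on RHEL 6 and a checker for them.
# The peer address passed in is an assumption; the guide only names the
# protocols and ports. Limiting the rules to the peer keeps the exposed
# surface to the one host that is expected to negotiate IKE with us.

# Print the commands that admit IKE (UDP 500), IKE NAT-T (UDP 4500),
# ESP (protocol 50) and AH (protocol 51) from one peer. Pipe to sh as root.
ipsec_rules() {
    peer="$1"
    cat <<EOF
iptables -I INPUT -s $peer -p udp --dport 500 -j ACCEPT
iptables -I INPUT -s $peer -p udp --dport 4500 -j ACCEPT
iptables -I INPUT -s $peer -p esp -j ACCEPT
iptables -I INPUT -s $peer -p ah -j ACCEPT
EOF
}

# Read an 'iptables -S INPUT' dump on stdin and report which of the four
# rules are absent. Returns 0 when all are present, 1 otherwise.
check_ipsec_rules() {
    dump=$(cat)
    missing=0
    for spec in "-p udp -m udp --dport 500" "-p udp -m udp --dport 4500" \
                "-p esp" "-p ah"; do
        case "$dump" in
            *"$spec -j ACCEPT"*) ;;                 # rule present
            *) echo "missing: $spec"; missing=1 ;;  # rule absent
        esac
    done
    return $missing
}

# Stand-alone use: ./script.sh 203.0.113.5 prints the rules for that peer.
if [ -n "${1:-}" ]; then
    ipsec_rules "$1"
fi
```

Run `iptables -S INPUT | check_ipsec_rules` after loading the rules to confirm nothing was dropped by a later `service iptables restart`.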
We present three examples of using Libreswan to set up an IPsec VPN. The first example is for connecting two hosts together so that they may communicate securely. The second example is connecting two sites together to form one network. The third example is supporting roaming users, known as road warriors in this context.