by spider (12-07-2004)


First, let us clarify what the term VPN actually means.
VPN is an abbreviation of Virtual Private Network.
Generally speaking, a VPN is a protected tunnel that uses the internet to connect two networks and carry data between them.
If we take, for example, a company with offices in Sofia and Varna, a VPN can join the networks of
the two offices so that they work as one large network; the employees in the Sofia office can then
exchange data with the employees in the Varna office and vice versa.

There are many tools for configuring a VPN:

PoPToP ( http://www.poptop.org/ ),
CIPE ( http://sites.inka.de/sites/bigred/devel/cipe.html )
IPSec - Openswan ( http://www.openswan.org/ ), Freeswan ( http://www.freeswan.org/ )
PPP over SSH
OpenVPN ( http://openvpn.sourceforge.net/ )
.......

In this article we will use Openswan ( http://www.openswan.org/ ) as the tool for configuring the VPN.
You may ask: why Openswan in particular?
The answer lies in its four main characteristics:

1. Security - Openswan uses IPSec (Internet Protocol SECurity),
a very powerful protocol that provides strong encryption of the data
2. Stability
3. Open source
4. Broad platform support - Openswan supports kernels 2.0.x, 2.2.x, 2.4.x and 2.6.x,
as well as the x86, ia64, mips and arm platforms.

We will use the example given above - company "X", which has offices in Sofia and Varna.
Our task is to configure a VPN between the two offices.

In the Sofia office we have a computer running Linux (Fedora Core 2 with kernel 2.6.6-1),
which serves as firewall and router and accordingly shares the internet connection with the other computers on the internal network.
The external IP address (the address of the network card facing the internet) is 1.1.1.2 with gateway 1.1.1.1 and hostname "x-sofia".
The internal IP address (the address of the network card facing the internal network) is 192.168.1.1.
The computers on the internal network have IP addresses from 192.168.1.2 to 192.168.1.254,
network mask 255.255.255.0, and gateway and DNS 192.168.1.1

In the Varna office we have a computer running Linux (Fedora Core 2 with kernel 2.6.5-1),
which serves as firewall and router and accordingly shares the internet connection with the other computers on the internal network.
The external IP address (the address of the network card facing the internet) is 2.2.2.2 with gateway 2.2.2.1 and hostname "x-varna".
The internal IP address (the address of the network card facing the internal network) is 192.168.2.1.
The computers on the internal network have IP addresses from 192.168.2.2 to 192.168.2.254,
network mask 255.255.255.0, and gateway and DNS 192.168.2.1

We assume that we are working in the Sofia office and have direct access to the Linux machine there,
while the Linux machine in Varna is reachable over ssh.
All commands and settings are executed as the root user.

And so, as they say, "let the party begin":

1. Download the required packages:

wget http://www.openswan.org/code/openswan-2.1.4-1.fc2.i386.rpm
wget http://www.openswan.org/code/openswan.signingkey.asc

2. Import the package signing key:

rpm --import openswan.signingkey.asc

3. Verify the digital signature of the package:

rpm --checksig openswan-2.1.4-1.fc2.i386.rpm

If everything is fine we should get:

openswan-2.1.4-1.fc2.i386.rpm: sha1 md5 OK

4. Install Openswan:

rpm -ivh openswan-2.1.4-1.fc2.i386.rpm

5. Create the RSA key that will be used for authentication (identification of each host):

5.1 For the Sofia office we run:

ipsec newhostkey --output /etc/ipsec.secrets --hostname x-sofia
chmod 600 /etc/ipsec.secrets

5.2 For the Varna office we run:

ipsec newhostkey --output /etc/ipsec.secrets --hostname x-varna
chmod 600 /etc/ipsec.secrets

6. Start ipsec:

service ipsec start

7. Check that everything is in order:

ipsec verify

If everything is fine we should get:

Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]

8. To continue we need the keys created in step 5 on both Linux machines:

8.1 For the Sofia office we run:

ipsec showhostkey --left

We will get something like:

# RSA 2192 bits x-sofia Fri Jul 9 11:11:44 2004
leftrsasigkey=0sAQOnwiBPt...

8.2 For the Varna office we run:

ipsec showhostkey --right

We will get something like:

# RSA 2192 bits x-varna Fri Jul 9 11:20:44 2004
rightrsasigkey=0sfhjvhhGFkj...

The keys themselves are stored in the file /etc/ipsec.secrets, so they can also be taken from there.

9. The most important part - configuring the file /etc/ipsec.conf:

Open the file with a text editor and after the line
# Add connections here
add the following (the parameter lines of a conn section must be indented, otherwise the Openswan parser does not treat them as part of the section):

conn sofia-to-varna # This is the name of the connection
        left=1.1.1.2 # external IP address of the Sofia Linux machine
        leftsubnet=192.168.1.0/24 # internal network behind the Sofia Linux machine
        leftid=@x-sofia # hostname of the Sofia Linux machine
        leftrsasigkey=0sAQOnwiBPt... # RSA key of the Sofia Linux machine (step 8.1)
        leftnexthop=1.1.1.1 # gateway of the Sofia Linux machine
        right=2.2.2.2 # external IP address of the Varna Linux machine
        rightsubnet=192.168.2.0/24 # internal network behind the Varna Linux machine
        rightid=@x-varna # hostname of the Varna Linux machine
        rightrsasigkey=0sfhjvhhGFkj... # RSA key of the Varna Linux machine (step 8.2)
        rightnexthop=2.2.2.1 # gateway of the Varna Linux machine
        auto=add # load the connection automatically when ipsec starts (without bringing it up)

Note: the file /etc/ipsec.conf must be absolutely identical on both Linux machines,
so after configuring the file on the Sofia machine we copy it to the Varna machine;
this can be done with the command:

scp /etc/ipsec.conf root@2.2.2.2:/etc/ipsec.conf

10. Restart both Linux servers and test the connection:

ipsec auto --up sofia-to-varna

If everything is fine we should get:

104 "sofia-to-varna" #10: STATE_MAIN_I1: initiate
106 "sofia-to-varna" #10: STATE_MAIN_I2: sent MI2, expecting MR2
108 "sofia-to-varna" #10: STATE_MAIN_I3: sent MI3, expecting MR3
004 "sofia-to-varna" #10: STATE_MAIN_I4: ISAKMP SA established
112 "sofia-to-varna" #11: STATE_QUICK_I1: initiate
004 "sofia-to-varna" #11: STATE_QUICK_I2: sent QI2, IPsec SA established

Note: if you use a firewall you must open UDP port 500 (IKE) and IP protocol 50 (ESP),
which are used to establish the IPSec connection; to do so you can add the following
lines to your firewall:

# IKE negotiations
iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT

11. Finishing the configuration:

If everything is fine after step 10, open /etc/ipsec.conf again and change:
auto=add
to
auto=start
This way the VPN connection will be started automatically when the Linux servers boot.

Note: as already said, the file /etc/ipsec.conf must be absolutely identical on both
Linux servers, so the changes in this step must be made in both places.

12. Additional settings:

If you use IP masquerading or Network Address Translation (NAT)
in your routing, you must make the corresponding changes, so that traffic
destined for the remote office is not masqueraded (otherwise it no longer matches
the tunnel's subnet definitions and is sent unencrypted).
For example, if you use:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE

you must change it to:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d \! 192.168.2.0/24 -j MASQUERADE
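As an added example (not part of the original article), the following shell script ties steps 8 to 10 together: it extracts the two host keys from the "ipsec showhostkey" output, emits a correctly indented conn section with the addresses used above, and checks the "ipsec auto --up" output for an established IPsec SA. The showhostkey outputs embedded below are constructed samples with placeholder key material.

```shell
#!/bin/sh
# Added example, not code from the article or from the Openswan project.

# Constructed output of "ipsec showhostkey --left" on x-sofia (placeholder key)
SOFIA_KEY_OUT='# RSA 2192 bits x-sofia Fri Jul 9 11:11:44 2004
leftrsasigkey=0sAQOnwiBPt...'

# Constructed output of "ipsec showhostkey --right" on x-varna (placeholder key)
VARNA_KEY_OUT='# RSA 2192 bits x-varna Fri Jul 9 11:20:44 2004
rightrsasigkey=0sfhjvhhGFkj...'

# Print the value after "<side>rsasigkey=" from showhostkey output.
# $1 = left|right, $2 = the showhostkey output
extract_key() {
    printf '%s\n' "$2" | sed -n "s/^${1}rsasigkey=//p"
}

# Print a conn section for /etc/ipsec.conf. Parameter lines are indented,
# because the Openswan parser only accepts indented lines as part of a section.
# $1 = connection name, $2 = left (Sofia) key, $3 = right (Varna) key
build_conn() {
    cat <<EOF
conn $1
        left=1.1.1.2
        leftsubnet=192.168.1.0/24
        leftid=@x-sofia
        leftrsasigkey=$2
        leftnexthop=1.1.1.1
        right=2.2.2.2
        rightsubnet=192.168.2.0/24
        rightid=@x-varna
        rightrsasigkey=$3
        rightnexthop=2.2.2.1
        auto=add
EOF
}

# Return 0 only if the "ipsec auto --up" output reports an IPsec SA
# (phase 2) for the named connection; an ISAKMP SA alone is not enough.
# $1 = connection name, $2 = output of "ipsec auto --up"
sa_established() {
    printf '%s\n' "$2" | grep -q "\"$1\" .*IPsec SA established"
}

# Stand-alone usage: print the conn section built from the sample keys.
build_conn sofia-to-varna \
    "$(extract_key left "$SOFIA_KEY_OUT")" \
    "$(extract_key right "$VARNA_KEY_OUT")"
```

On the real machines you would replace the two embedded outputs with the actual "ipsec showhostkey" output and append the printed section to /etc/ipsec.conf on both hosts.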



That is all; you should now have a VPN between the two offices.
If any problems arise I will be glad to help as much as I can.
I recommend reading the documentation at: http://www.openswan.org/docs/


Links:

http://fedora.redhat.com/ # official page of the Fedora project
http://openswan.org/ # official page of the Openswan project
http://www.netfilter.org/ # official page of the iptables project
http://www.tldp.org/HOWTO/VPN-HOWTO/ # VPN Howto
http://www.vpnc.org/ # VPN Consortium, useful information about the VPN standards and the IPSec protocol.


