FreeBSD Configuration
Hits: 31   Published: 2008-11-22 10:21:37   Author: 源代码网
Network settings (in /etc/rc.conf):

    network_interfaces="dc0 lo0"
    ifconfig_dc0="192.168.2.11"
    defaultrouter="192.168.2.1"

Remote login

FreeBSD's default remote login is ssh, but you cannot su to root. To be able to su to root, open /etc/group and add your user name to the wheel group:

    wheel:*:0:root,name

Rebuilding the kernel

    # cd /usr/src/sys/i386/conf
    # cp GENERIC MYKERNEL

Edit MYKERNEL and add:

    options IPSEC
    options IPSEC_ESP
    options IPSEC_DEBUG

Then:

    # /usr/sbin/config MYKERNEL
    # cd ../compile/MYKERNEL
    # make depend
    # make
    # make install

Installing racoon

    # cd /usr/ports/security/racoon
    # make install clean

Make sure racoon-20021120a.tar.gz is present in /usr/ports/distfiles; if it is not, download it.

3. Creating certificates

Certificates are used as the authentication method, and OpenSSL is used to create them. First create a CA, then issue certificates to the two computers that will be connected. For the CA, generate an RSA key pair first, then create a self-signed certificate.

Creating the CA:

    $ openssl genrsa -des3 -out ca.key 1024
    warning, not much extra random data, consider using the -rand option
    Generating RSA private key, 1024 bit long modulus
    ..............++++++
    ................++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase: fearBeans
    Verifying password - Enter PEM pass phrase: fearBeans
    $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    Using configuration from /etc/ssl/openssl.cnf
    Enter PEM pass phrase: fearBeans
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Heilongjiang
    Locality Name (eg, city) []:Daqing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxdevice
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:zhangp
    Email Address []:zhangp@cy9.dq.cnpc.com.cn

To create a certificate for a host, first generate the RSA private key, then create a certificate signed by the CA.

    $ openssl genrsa -out win2k.key 1024
    warning, not much extra random data, consider using the -rand option
    Generating RSA private key, 1024 bit long modulus
    .....++++++
    .....++++++
    e is 65537 (0x10001)
    $ openssl req -new -key win2k.key -out win2k.csr
    Using configuration from /etc/ssl/openssl.cnf
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Heilongjiang
    Locality Name (eg, city) []:Daqing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxdevice
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:win2k
    Email Address []:win2k@cy9.dq.cnpc.com.cn

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    $ openssl x509 -req -days 182 -in win2k.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out win2k.crt
    Signature ok
    subject=/C=CN/ST=Heilongjiang/L=Daqing/O=Linuxdevice/CN=win2k/Email=win2k@cy9.dq.cnpc.com.cn
    Getting CA Private Key
    Enter PEM pass phrase: 123456

Create a certificate for the host freebsd in the same way. The win2k certificate additionally has to be converted to PKCS#12 format:

    $ openssl pkcs12 -export -inkey win2k.key -certfile ca.crt -in win2k.crt -out win2k.p12
    Enter Export Password: 123456
    Verifying password - Enter Export Password: 123456

Configuring FreeBSD

Prepare the configuration file /etc/ipsec.conf, where 192.168.2.11 is the FreeBSD host and 192.168.2.6 is the win2k host:

    spdadd 192.168.2.11/32 192.168.2.6/32 any -P out ipsec esp/transport/192.168.2.11-192.168.2.6/require;
    spdadd 192.168.2.6/32 192.168.2.11/32 any -P in ipsec esp/transport/192.168.2.6-192.168.2.11/require;

Add to /etc/rc.conf:

    ipsec_enable="YES"

Prepare the configuration file /usr/local/etc/racoon/racoon.conf:

    # Directory in which we will store this, and other machines' certificates
    path certificate "/usr/local/etc/racoon/certs" ;

    log debug2;

    # Padding values. These have been copied verbatim from the example.
    padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
    }

    # Timer values. I've bumped up the phase 1 & 2 timeouts.
    timer {
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # timer for waiting to complete each phase.
        phase1 90 sec;
        phase2 60 sec;
    }

    remote anonymous {
        exchange_mode main,aggressive;
        #exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier user_fqdn "zhangp@cy9.dq.cnpc.com.cn";
        peers_identifier user_fqdn "win2k@cy9.dq.cnpc.com.cn";
        certificate_type x509 "freebsd.crt" "freebsd.key";
        peers_certfile "win2k.crt";

        nonce_size 16;
        lifetime time 4 hour;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        # This is the same as one of the default proposals on Windows.
        # 3DES, MD5 and RSA (certificate) authentication.
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method rsasig;
            dh_group 2 ;
        }
    }

    sainfo anonymous {
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des,des ;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate ;
    }

Store the certificates in /usr/local/etc/racoon/certs:

    # mkdir -m 0700 /usr/local/etc/racoon/certs
    # cp freebsd.crt freebsd.key win2k.crt /usr/local/etc/racoon/certs
    # chmod 0600 /usr/local/etc/racoon/certs/*

Now the racoon daemon can be started:

    # racoon

Contributed by 源代码网.
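The certificate steps above are interactive. The script below is an added example (not code from the original article) that runs the same OpenSSL sequence non-interactively, checks that each host certificate actually chains to the CA before it is handed to racoon, exports the win2k PKCS#12 bundle, and installs the FreeBSD side into the certs directory with the 0700/0600 permissions the article uses. The passphrases, the e-mail addresses and the CA name "example-ca" are constructed placeholders; the 2048-bit key size is this example's choice, where the article uses 1024.

```shell
#!/bin/sh
# Added example, not code from the original article: the article's certificate
# steps run non-interactively (passphrases and DN fields passed on the command
# line), followed by a chain check, the PKCS#12 export for win2k and the install
# into racoon's certs directory with the article's 0700/0600 permissions.
# CA_PASS, P12_PASS, the e-mail addresses and "example-ca" are constructed
# placeholders; the 2048-bit key size is this example's choice (the article uses 1024).
set -eu

WORK="${WORK:-$(mktemp -d)}"                  # scratch directory for keys and certs
CA_PASS="${CA_PASS:-ca-passphrase-placeholder}"
P12_PASS="${P12_PASS:-export-passphrase-placeholder}"
DN_BASE="/C=CN/ST=Heilongjiang/L=Daqing/O=Linuxdevice"   # DN fields from the article

# Create the CA: a passphrase-protected RSA key and a self-signed certificate.
make_ca() {
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -subj "$DN_BASE/CN=example-ca/emailAddress=ca@example.invalid" \
        -out "$WORK/ca.crt" 2>/dev/null
}

# Create a host key (unencrypted, as racoon reads it) and CSR, then sign with the CA.
# $1 = host name (CN and file prefix), $2 = e-mail address for the DN
make_host_cert() {
    host="$1"; mail="$2"
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" \
        -subj "$DN_BASE/CN=$host/emailAddress=$mail" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -days 182 -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -out "$WORK/$host.crt" 2>/dev/null
}

# Check that a host certificate chains to the CA; prints "ok" or "fail".
verify_host_cert() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Bundle key, certificate and CA certificate into a PKCS#12 file (for the win2k side).
export_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -certfile "$WORK/ca.crt" -passout "pass:$P12_PASS" -out "$WORK/$1.p12"
}

# Install into racoon's certs directory as the article does: the local host's
# certificate and key plus the peer's certificate only, 0700 dir, 0600 files.
# $1 = certs directory, $2 = local host name, $3 = peer host name
install_certs() {
    mkdir -p -m 0700 "$1"
    cp "$WORK/$2.crt" "$WORK/$2.key" "$WORK/$3.crt" "$1/"
    chmod 0600 "$1"/*
}

# Permission string of a file as ls shows it (a private key should read "-rw-------").
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Stand-alone run: sh this_file.sh run
if [ "${1:-}" = run ]; then
    make_ca
    make_host_cert freebsd freebsd@example.invalid
    make_host_cert win2k win2k@example.invalid
    echo "freebsd: $(verify_host_cert freebsd), win2k: $(verify_host_cert win2k)"
    export_pkcs12 win2k
    install_certs "$WORK/certs" freebsd win2k
    echo "installed in $WORK/certs; freebsd.key mode $(file_mode "$WORK/certs/freebsd.key")"
fi
```

The host keys are written unencrypted because racoon reads them directly at start-up, which is why install_certs copies only the local key and verifies nothing but the directory and file modes; the peer's key never leaves the peer. Running the script with the argument run prints the chain-check result for both hosts and the mode of the installed key.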
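The two spdadd lines in /etc/ipsec.conf must mirror each other: the "in" policy is the "out" policy with source and destination swapped. Because both use "require", an entry that exists in only one direction does not fail loudly; it silently blocks traffic the other way. The script below is an added example (not code from the original article) that generates such a pair in the same setkey syntax and checks an ipsec.conf for entries whose mirror is missing, which is worth doing before loading the file with setkey. The addresses 192.168.2.11 and 192.168.2.6 are the article's; 192.168.2.7 and the sample file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the out/in pair of
# transport-mode SPD entries in the setkey syntax used by /etc/ipsec.conf, and
# check an ipsec.conf for entries whose mirror direction is missing. With
# "require" on both ends, a policy present in only one direction blocks traffic
# the other way instead of failing loudly, so this is worth running before
# "setkey -f /etc/ipsec.conf". Addresses 192.168.2.11 and 192.168.2.6 are the
# article's; 192.168.2.7 and SAMPLE_CONF are constructed for the demonstration.
set -eu

# Print the "out" and "in" policies for local host $1 and peer $2 (ESP, transport mode).
spd_pair() {
    lhost="$1"; phost="$2"
    printf 'spdadd %s/32 %s/32 any -P out ipsec esp/transport/%s-%s/require;\n' \
        "$lhost" "$phost" "$lhost" "$phost"
    printf 'spdadd %s/32 %s/32 any -P in ipsec esp/transport/%s-%s/require;\n' \
        "$phost" "$lhost" "$phost" "$lhost"
}

# Read spdadd lines on stdin and print one "missing: DIR SRC -> DST" line for every
# policy whose src/dst-swapped counterpart in the opposite direction is absent.
check_spd() {
    awk '
    /^[ \t]*spdadd/ {
        # fields: spdadd SRC DST UPPERSPEC -P DIRECTION ...
        src = $2; dst = $3; dir = $6
        seen[src " " dst " " dir] = 1
        n++; S[n] = src; D[n] = dst; R[n] = dir
    }
    END {
        for (i = 1; i <= n; i++) {
            want = (R[i] == "out") ? "in" : "out"
            if (!((D[i] " " S[i] " " want) in seen))
                printf "missing: %s %s -> %s\n", want, D[i], S[i]
        }
    }'
}

# Number of gaps reported for the policies on stdin; 0 means every entry is mirrored.
spd_gaps() {
    check_spd | wc -l | tr -d ' '
}

# Constructed sample: the article's pair plus a second peer added in one direction only.
SAMPLE_CONF="$(mktemp)"
{
    spd_pair 192.168.2.11 192.168.2.6
    printf 'spdadd 192.168.2.11/32 192.168.2.7/32 any -P out ipsec esp/transport/192.168.2.11-192.168.2.7/require;\n'
} > "$SAMPLE_CONF"

# Stand-alone run: sh this_file.sh run
if [ "${1:-}" = run ]; then
    echo "generated pair:"; spd_pair 192.168.2.11 192.168.2.6
    echo "gaps in sample: $(spd_gaps < "$SAMPLE_CONF")"
    check_spd < "$SAMPLE_CONF"
fi
```

For the constructed sample the check reports one gap, the missing "in" policy from 192.168.2.7/32 to 192.168.2.11/32; the article's own pair reports none. The same check can be pointed at the real file with check_spd < /etc/ipsec.conf.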
