The packet processing path is as follows. Sending process: (1) the TCP layer on the source host calls ip_output() to hand the packet to the IP layer, which sends it to the router; (2) for a packet addressed to the destination host, the router queries the policy engine (the SPD) and, according to the security policy, adds an AH or ESP header; (3) if no SA exists for that policy, IKE is used to establish a new SA; (4) the SA's sequence number field is incremented and written into the header; (5) in tunnel mode, which is what a VPN normally uses, an additional outer IP header is added; (6) the router sends the protected packet.
Receiving process: (1) the router on the other side receives the packet, strips the additional outer IP header and, because the packet carries an AH or ESP header, hands it to the IPsec layer; (2) the IPsec layer extracts the SPI from the AH or ESP header and takes the source and destination addresses and the protocol from the IP header; (3) with those parameters the IPsec layer looks up the required SA in the SAD; if none is found, the packet is simply dropped; (4) the SAD returns the SA and IPsec processes the packet according to the rules defined for AH or ESP; (5) the packet is checked against the policy that corresponds to the SA, which in turn confirms that the IPsec processing applied was the correct one (the policy is reached either through a pointer stored in the SA or by querying the SPD with the selectors); (6) if the check passes, the packet is decrypted and forwarded to the real destination host.

Installing IPsec on Linux (example): patch the kernel source under /usr/src/linux, then compile and install the kernel, reboot, and test the new kernel. Before IPsec can work, make sure the network itself is working properly. Then extract the FreeS/WAN (IPsec for Linux) source into /usr/local/src and run the setup program: make menugo patches the kernel, runs the kernel configuration program, and finally installs the IPsec tools and the kernel.

    # cd /usr/src/
    # cp -r /usr/src/linux-2.4.2 linux
    # cd /usr/src/linux
    # make menuconfig
    # cd ../
    # tar zvxf freeswan-1.91-1.tar.gz
    # cd freeswan-1.91
    # make menugo

Make sure the kernel configuration is saved. Pay particular attention to the model of the machine's network card: the NIC driver must be included when the kernel is compiled, otherwise the network will not come up. Now edit the LILO configuration file lilo.conf, rerun lilo and reboot into the new kernel.
Example lilo.conf:

    boot=/dev/da
    map=/boot/map
    install=/boot/boot.b
    prompt
    timeout=100
    image=/boot/vmlinuz-2.2.10-ipsec
        label=linux-ipsec
        root=/dev/da1
        read-only
    image=/boot/vmlinuz-2.2.10
        label=linux
        root=/dev/da1
        read-only

The first image is the bzImage built at /usr/src/linux/arch/i386/boot/bzImage, copied to /boot/vmlinuz-2.2.10-ipsec. Rerun lilo; it lists the two entries, linux-ipsec (marked with * as the default) and linux. Then reboot into the kernel with IPsec support.

Several errors may appear on restart. The main cause is that the default ipsec.conf refers to the non-existent interface eth999 (the placeholder in the interfaces= line); set it to the real outside interface. It is also recommended to add the directory of the IPsec tools to the user's PATH environment variable.

IPsec network settings. First, the gateway server must be allowed to forward TCP/IP traffic. On an OrbitaLinux3.0 system this is done directly through the /proc file system: change the value of /proc/sys/net/ipv4/ip_forward from "0" to "1" (for example with echo 1 > /proc/sys/net/ipv4/ip_forward). Most default security policies prohibit IP forwarding, but the gateway must forward data from the remote network or host to the local network or host. Moreover, if the internal network uses IP masquerading, the masquerade rules must exempt the traffic covered by the IPsec rules (traffic to the remote protected subnet); otherwise the host masquerades those packets instead of handing them to IPsec.

The following example illustrates how two protected networks that use IP masquerading can be connected securely over the Internet through IPsec, using manual (fixed) keying (manual connection keying): the secure connection is established by editing ipsec.conf and the firewall rules. For the key parameters in ipsec.conf, generate the hex digits with a random number generator (FreeS/WAN provides ipsec ranbits for this) and keep the leading 0x prefix. The parameters to set are:

    conn my-tunnel
        type=tunnel
        left=1.2.3.4
        leftnexthop=1.2.3.1
        leftsubnet=10.0.0.0/24
        right=5.6.7.8
        rightnexthop=5.6.7.1
        rightsubnet=192.168.0.0/24
        spibase=0x200
        esp=3des-md5-96
        espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcde0
        espauthkey=0x12345678_9abcdef0_2468ace0_13579bd

Note the key lengths: the values shown here are incomplete placeholders. A real espenckey for 3DES must be 192 bits (48 hex digits) and a real espauthkey for HMAC-MD5-96 must be 128 bits (32 hex digits), and both ends of the tunnel must use identical values.
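The send and receive paths described at the top of this page, together with the policy decision that sends only traffic between the two protected subnets through IPsec and leaves everything else to the masquerading rules, modelled end to end in Python. This is an added example, not code from the original post or from FreeS/WAN: the packet layout is simplified (a 4-byte source and destination address stand in for an IP header), the 3DES encryption step is omitted because the standard library has no block cipher, and the SPI, gateway addresses and subnets are taken from the manual-keying example above while the key and the payloads are constructed values.

```python
"""Model of the IPsec ESP tunnel-mode send/receive path (added example, constructed data).
HMAC-MD5-96 integrity is real (stdlib hmac); 3DES encryption is omitted, inner packet is in clear."""
import hashlib, hmac, struct
from ipaddress import ip_address, ip_network

ESP_PROTO = 50  # IP protocol number of ESP
ICV_LEN = 12    # HMAC-MD5-96 truncates the MAC to 96 bits


class SA:
    """One Security Association (one traffic direction) as kept in the SAD."""
    def __init__(self, spi, src_gw, dst_gw, auth_key, src_net, dst_net, window=64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.src_gw, self.dst_gw = ip_address(src_gw), ip_address(dst_gw)
        self.src_net, self.dst_net = ip_network(src_net), ip_network(dst_net)  # selectors
        self.seq = 0         # last sequence number sent (sender side)
        self.highest = 0     # highest sequence number accepted (receiver side)
        self.seen = set()    # accepted sequence numbers still inside the window


def icv(key, data):
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


class Gateway:
    def __init__(self, local_net, remote_net, out_sa=None, in_sa=None):
        # SPD: local_net -> remote_net must use IPsec via out_sa; everything else bypasses
        self.local_net, self.remote_net = ip_network(local_net), ip_network(remote_net)
        self.out_sa = out_sa
        self.sad = {}        # (SPI, destination gateway, protocol) -> SA
        if in_sa is not None:
            self.sad[(in_sa.spi, in_sa.dst_gw, ESP_PROTO)] = in_sa

    def spd_lookup(self, src, dst):
        if src in self.local_net and dst in self.remote_net:
            return "ipsec"
        return "bypass"      # ordinary Internet traffic, left to the masquerading rules

    def send(self, src, dst, payload):
        """Sender: SPD lookup, SA selection, sequence increment, tunnel encapsulation."""
        src, dst = ip_address(src), ip_address(dst)
        inner = src.packed + dst.packed + payload          # toy inner IP packet
        if self.spd_lookup(src, dst) == "bypass":
            return inner
        sa = self.out_sa
        if sa is None:
            raise LookupError("policy requires IPsec but no SA exists: IKE must negotiate one")
        sa.seq += 1
        esp = struct.pack("!II", sa.spi, sa.seq) + inner   # ESP header: SPI, sequence number
        esp += icv(sa.auth_key, esp)
        # tunnel mode: an additional outer IP header between the two gateways
        return sa.src_gw.packed + sa.dst_gw.packed + bytes([ESP_PROTO]) + esp

    def receive(self, outer):
        """Receiver: strip outer header, SAD lookup by (SPI, dst, proto), ICV, replay, policy."""
        outer_dst, proto, esp = ip_address(outer[4:8]), outer[8], outer[9:]
        spi, seq = struct.unpack("!II", esp[:8])
        sa = self.sad.get((spi, outer_dst, proto))
        if sa is None:
            return None, "no matching SA in SAD: dropped"
        body, mac = esp[:-ICV_LEN], esp[-ICV_LEN:]
        if not hmac.compare_digest(mac, icv(sa.auth_key, body)):
            return None, "ICV mismatch: dropped"
        if not self._replay_ok(sa, seq):
            return None, "replayed or stale sequence number: dropped"
        src, dst, payload = ip_address(body[8:12]), ip_address(body[12:16]), body[16:]
        # policy check through the SA's own selectors (the SA points at its policy)
        if src not in sa.src_net or dst not in sa.dst_net:
            return None, "inner addresses do not match the SA's policy: dropped"
        return (str(src), str(dst), payload), "forwarded"

    @staticmethod
    def _replay_ok(sa, seq):
        """Sliding anti-replay window of sa.window sequence numbers."""
        if seq == 0 or seq <= sa.highest - sa.window or seq in sa.seen:
            return False
        if seq > sa.highest:
            sa.highest = seq
            sa.seen = {s for s in sa.seen if s > seq - sa.window}
        sa.seen.add(seq)
        return True


def demo():
    """Gateways and subnets from the manual-keying example; the key is a constructed value."""
    key = bytes.fromhex("123456789abcdef02468ace013579bdf")
    a_to_b = SA(0x200, "1.2.3.4", "5.6.7.8", key, "10.0.0.0/24", "192.168.0.0/24")
    left = Gateway("10.0.0.0/24", "192.168.0.0/24", out_sa=a_to_b)
    right = Gateway("192.168.0.0/24", "10.0.0.0/24", in_sa=a_to_b)
    pkt = left.send("10.0.0.5", "192.168.0.7", b"hello")
    tampered = pkt[:-13] + bytes([pkt[-13] ^ 1]) + pkt[-12:]        # flip a payload bit
    unknown = pkt[:9] + struct.pack("!I", 0x201) + pkt[13:]         # SPI that is not in the SAD
    plain = left.send("10.0.0.5", "8.8.8.8", b"www")                # not covered by policy
    results = {
        "first": right.receive(pkt)[1],
        "replay": right.receive(pkt)[1],
        "tampered": right.receive(tampered)[1],
        "unknown_spi": right.receive(unknown)[1],
        "bypass": plain == bytes([10, 0, 0, 5, 8, 8, 8, 8]) + b"www",
    }
    try:
        Gateway("10.0.0.0/24", "192.168.0.0/24").send("10.0.0.9", "192.168.0.1", b"x")
        results["no_sa"] = "sent"
    except LookupError:
        results["no_sa"] = "LookupError"
    return results
```

demo() exercises the cases the processing steps call out: the first packet is forwarded to the inner destination; the identical packet replayed is rejected by the window; a packet with a flipped payload bit fails the ICV; an unknown SPI finds no SA in the SAD and is dropped before any cryptography runs; traffic to 8.8.8.8 leaves the gateway in clear for the masquerading rules; and a gateway whose policy demands IPsec but holds no SA refuses to send rather than leaking the packet in clear.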