Building a Multi-Site Virtual Private Network (VPN) on FreeBSD with IPSec+NAT+VPN

Description:

A Virtual Private Network (VPN) uses the backbone of the public Internet to carry private, encrypted data. Used in an enterprise, a VPN lets subsidiaries scattered around the world share confidential data, and data transfer between headquarters and the subsidiaries works as if it ran over the company's own Intranet: secure and stable. In fact, one of the biggest advantages of an enterprise virtual network is that it simplifies network management.

Environment:

Hardware: three servers, A, B and C
NICs: 6 network cards (two per machine)
Operating system: FreeBSD 4.7 Release


                    Server A           Server B           Server C
Real (public) IP    203.107.34.2       203.107.34.3       203.107.34.4
Virtual (private)   192.168.0.0/24     192.168.1.0/24     192.168.2.0/24
Gateway IP          192.168.0.254      192.168.1.254      192.168.2.254
lo0 alias0 IP       10.255.255.1/28    10.255.255.2/28    10.255.255.3/28

Step 1.

For FreeBSD to support the VPN functions, the kernel must be rebuilt: add the following lines to the kernel configuration file, then recompile the kernel.

options IPDIVERT
options IPFIREWALL
options DUMMYNET
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

pseudo-device gif 4 # IPv6 and IPv4 tunneling

Step 2.

Server A:

Server A# vi /etc/rc.conf, contents as follows:

defaultrouter="203.107.34.62"
hostname="A.ntut.idv.tw"
ifconfig_de0="inet 203.107.34.2 netmask 255.255.255.192"
ifconfig_fxp0="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 10.255.255.1 netmask 255.255.255.240"
gif_interfaces="gif0 gif1"
gifconfig_gif0="203.107.34.2 203.107.34.3"
gifconfig_gif1="203.107.34.2 203.107.34.4"
ifconfig_gif0="inet 10.255.255.1 10.255.255.2 netmask 255.255.255.240"
ifconfig_gif1="inet 10.255.255.1 10.255.255.3 netmask 255.255.255.240"
firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
natd_enable="YES"
natd_interface="de0"
sshd_enable="YES"

Server A# vi /etc/rc.firewall, contents as follows:

#!/bin/sh
#delete all rule
/sbin/ipfw -f flush
#define NAT pass to de0
/sbin/ipfw add divert natd all from any to any via de0
/sbin/ipfw add 65000 allow ip from any to any

Server A# vi /usr/local/etc/rc.d/ipsec.sh, contents as follows:

#!/bin/sh
# Make a static route!!!
route add -net 192.168.1.0/24 10.255.255.2
route add -net 192.168.2.0/24 10.255.255.3
# read in the config
setkey -f /etc/ipsec.conf

Server A# vi /etc/ipsec.conf, contents as follows:

# Test whether the network connection works with this configuration
flush;
spdflush;

add 203.107.34.3 203.107.34.2 esp 9993 -E blowfish-cbc "123456789";
add 203.107.34.2 203.107.34.3 esp 9994 -E blowfish-cbc "123456789";
add 203.107.34.2 203.107.34.4 esp 9995 -E blowfish-cbc "123456789";
add 203.107.34.4 203.107.34.2 esp 9996 -E blowfish-cbc "123456789";

spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/203.107.34.2-203.107.34.3/require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/203.107.34.3-203.107.34.2/require;
spdadd 192.168.0.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/203.107.34.2-203.107.34.4/require;
spdadd 192.168.2.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/203.107.34.4-203.107.34.2/require;

Server B:

Server B# vi /etc/rc.conf, contents as follows:

defaultrouter="203.107.34.62"
hostname="B.ntut.idv.tw"
ifconfig_de0="inet 203.107.34.3 netmask 255.255.255.192"
ifconfig_vr0="inet 192.168.1.254 netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 10.255.255.2 netmask 255.255.255.240"
gif_interfaces="gif0 gif1"
gifconfig_gif0="203.107.34.3 203.107.34.4"
gifconfig_gif1="203.107.34.3 203.107.34.2"
ifconfig_gif0="inet 10.255.255.2 10.255.255.3 netmask 255.255.255.240"
ifconfig_gif1="inet 10.255.255.2 10.255.255.1 netmask 255.255.255.240"
firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
natd_enable="YES"
natd_interface="de0"
sshd_enable="YES"

Server B# vi /etc/rc.firewall, contents as follows:

#!/bin/sh
#delete all rule
/sbin/ipfw -f flush
#define NAT pass to de0
/sbin/ipfw add divert natd all from any to any via de0
/sbin/ipfw add 65000 allow ip from any to any

Server B# vi /usr/local/etc/rc.d/ipsec.sh, contents as follows:

#!/bin/sh
# Make a static route!!!
route add -net 192.168.2.0/24 10.255.255.3
route add -net 192.168.0.0/24 10.255.255.1
# read in the config
setkey -f /etc/ipsec.conf

Server B# vi /etc/ipsec.conf, contents as follows:

flush;
spdflush;

add 203.107.34.3 203.107.34.4 esp 9991 -E blowfish-cbc "123456789";
add 203.107.34.4 203.107.34.3 esp 9992 -E blowfish-cbc "123456789";
add 203.107.34.3 203.107.34.2 esp 9993 -E blowfish-cbc "123456789";
add 203.107.34.2 203.107.34.3 esp 9994 -E blowfish-cbc "123456789";

spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/203.107.34.3-203.107.34.4/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/203.107.34.4-203.107.34.3/require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/203.107.34.3-203.107.34.2/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/203.107.34.2-203.107.34.3/require;

Server C:

Server C# vi /etc/rc.conf, contents as follows:

defaultrouter="203.107.34.62"
hostname="C.ntut.idv.tw"
ifconfig_rl0="inet 203.107.34.4 netmask 255.255.255.192"
ifconfig_fxp0="inet 192.168.2.254 netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 10.255.255.3 netmask 255.255.255.240"
gif_interfaces="gif0 gif1"
gifconfig_gif0="203.107.34.4 203.107.34.3"
gifconfig_gif1="203.107.34.4 203.107.34.2"
ifconfig_gif0="inet 10.255.255.3 10.255.255.2 netmask 255.255.255.240"
ifconfig_gif1="inet 10.255.255.3 10.255.255.1 netmask 255.255.255.240"
firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
sshd_enable="YES"

Server C# vi /etc/rc.firewall, contents as follows:

#!/bin/sh
#delete all rule
/sbin/ipfw -f flush
#define NAT pass to rl0
/sbin/ipfw add divert natd all from any to any via rl0
/sbin/ipfw add 65000 allow ip from any to any

Server C# vi /usr/local/etc/rc.d/ipsec.sh, contents as follows:

#!/bin/sh
# Make a static route!!!
route add -net 192.168.1.0/24 10.255.255.2
route add -net 192.168.0.0/24 10.255.255.1
# read in the config
setkey -f /etc/ipsec.conf

Server C# vi /etc/ipsec.conf, contents as follows:

flush;
spdflush;

add 203.107.34.3 203.107.34.4 esp 9991 -E blowfish-cbc "123456789";
add 203.107.34.4 203.107.34.3 esp 9992 -E blowfish-cbc "123456789";
add 203.107.34.2 203.107.34.4 esp 9995 -E blowfish-cbc "123456789";
add 203.107.34.4 203.107.34.2 esp 9996 -E blowfish-cbc "123456789";

spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/203.107.34.4-203.107.34.3/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/203.107.34.3-203.107.34.4/require;
spdadd 192.168.2.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/203.107.34.4-203.107.34.2/require;
spdadd 192.168.0.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/203.107.34.2-203.107.34.4/require;
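The three ipsec.conf files above are typed by hand, and both ends of every tunnel must carry byte-identical SA lines. The shell script below is an added example, not part of the original article: it emits the SA and policy lines for one end of a tunnel from one set of arguments, so the other end is produced by swapping the local/peer arguments and checked for equality. It assumes keys are 0x-prefixed hex values from gen_key copied to both peers out of band, and it adds an HMAC-SHA1 authenticator (-A) to each SA, which the article's encryption-only SAs do not carry; the keys in the block are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: emit the setkey(8) SA and policy lines for one
# end of a tunnel, so the other end is derived by swapping the arguments. Every SA gets
# an HMAC-SHA1 authenticator (-A), which the article's encryption-only SAs lack.

# gen_key BYTES: BYTES random bytes as a 0x-prefixed hex string in setkey's key syntax.
gen_key() {
    printf '0x%s\n' "$(od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}

# peer_block LOCAL_IP LOCAL_NET PEER_IP PEER_NET SPI_OUT SPI_IN EK_OUT AK_OUT EK_IN AK_IN
# Emits the two SAs and two tunnel-mode policies LOCAL needs for PEER. "OUT" values
# belong to the LOCAL->PEER SA, "IN" to PEER->LOCAL; the peer calls this with the
# local/peer, SPI and key arguments swapped and must get identical SA lines.
peer_block() {
    printf 'add %s %s esp %s -E blowfish-cbc %s -A hmac-sha1 %s;\n' "$1" "$3" "$5" "$7" "$8"
    printf 'add %s %s esp %s -E blowfish-cbc %s -A hmac-sha1 %s;\n' "$3" "$1" "$6" "$9" "${10}"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$2" "$4" "$1" "$3"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$4" "$2" "$3" "$1"
}

# sa_lines: keep only the sorted "add ..." lines of a block, for comparing both ends.
sa_lines() { grep '^add ' | sort; }

# Constructed placeholder keys for the article's A<->B tunnel (16-byte blowfish-cbc,
# 20-byte hmac-sha1); generate real ones with "gen_key 16" and "gen_key 20".
EK_AB=0x0123456789abcdef0123456789abcdef
AK_AB=0x00112233445566778899aabbccddeeff00112233
EK_BA=0xfedcba9876543210fedcba9876543210
AK_BA=0xffeeddccbbaa99887766554433221100ffeeddcc

# A's ipsec.conf fragment for B (SPIs 9994 out, 9993 in, as on the page)
a_view() {
    printf 'flush;\nspdflush;\n'
    peer_block 203.107.34.2 192.168.0.0/24 203.107.34.3 192.168.1.0/24 \
        9994 9993 "$EK_AB" "$AK_AB" "$EK_BA" "$AK_BA"
}
# B's fragment for A: local/peer swapped, so the OUT/IN SPIs and keys swap too
b_view() {
    printf 'flush;\nspdflush;\n'
    peer_block 203.107.34.3 192.168.1.0/24 203.107.34.2 192.168.0.0/24 \
        9993 9994 "$EK_BA" "$AK_BA" "$EK_AB" "$AK_AB"
}
a_view
```

Feed the output of a_view to `setkey -f` on A and of b_view on B; `a_view | sa_lines` and `b_view | sa_lines` must print the same lines or the tunnel will not come up.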

Step 3.

Server A# ifconfig  # show the network interfaces and their IPs
de0: flags=8843 mtu 1500
inet6 fe80::200:e8ff:fe4f:527e%de0 prefixlen 64 scopeid 0x1
inet 203.107.34.2 netmask 0xffffffc0 broadcast 203.107.34.63
ether 00:00:e8:4f:52:7e
media: Ethernet autoselect (10baseT/UTP)
status: active
fxp0: flags=8843 mtu 1500
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::2a0:c9ff:fe93:438c%fxp0 prefixlen 64 scopeid 0x2
ether 00:a0:c9:93:43:8c
media: Ethernet autoselect (none)
status: no carrier
lp0: flags=8810 mtu 1500
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500
lo0: flags=8049 mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet 10.255.255.1 netmask 0xfffffff0
inet 127.0.0.1 netmask 0xff000000
gif0: flags=8051 mtu 1280
tunnel inet 203.107.34.2 --> 203.107.34.3
inet6 fe80::200:e8ff:fe4f:527e%gif0 prefixlen 64 scopeid 0x8
inet 10.255.255.1 --> 10.255.255.2 netmask 0xfffffff0
gif1: flags=8051 mtu 1280
tunnel inet 203.107.34.2 --> 203.107.34.4
inet6 fe80::200:e8ff:fe4f:527e%gif1 prefixlen 64 scopeid 0x9
inet 10.255.255.1 --> 10.255.255.3 netmask 0xfffffff0

Server A# setkey -DP  # check whether IPsec is active
192.168.1.0/24[any] 192.168.0.0/24[any] any
in ipsec
esp/tunnel/203.107.34.3-203.107.34.2/require
spid=10 seq=3 pid=300
refcnt=1
192.168.2.0/24[any] 192.168.0.0/24[any] any
in ipsec
esp/tunnel/203.107.34.4-203.107.34.2/require
spid=12 seq=2 pid=300
refcnt=1
192.168.0.0/24[any] 192.168.1.0/24[any] any
out ipsec
esp/tunnel/203.107.34.2-203.107.34.3/require
spid=9 seq=1 pid=300
refcnt=1
192.168.0.0/24[any] 192.168.2.0/24[any] any
out ipsec
esp/tunnel/203.107.34.2-203.107.34.4/require
spid=11 seq=0 pid=300
refcnt=1

Server A# setkey -D
203.107.34.4 203.107.34.2
esp mode=any spi=9996(0x0000270c) reqid=0(0x00000000)
E: blowfish-cbc 31323334 35363738 39
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Jan 21 14:28:33 2003 current: Jan 21 16:41:49 2003
diff: 7996(s) hard: 0(s) soft: 0(s)
last: Jan 21 14:33:10 2003 hard: 0(s) soft: 0(s)
current: 1464(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 21 hard: 0 soft: 0
sadb_seq=3 pid=301 refcnt=1
203.107.34.2 203.107.34.4
esp mode=any spi=9995(0x0000270b) reqid=0(0x00000000)
E: blowfish-cbc 31323334 35363738 39
seq=0x00000015 replay=0 flags=0x00000040 state=mature
created: Jan 21 14:28:33 2003 current: Jan 21 16:41:49 2003
diff: 7996(s) hard: 0(s) soft: 0(s)
last: Jan 21 14:33:10 2003 hard: 0(s) soft: 0(s)
current: 2196(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 21 hard: 0 soft: 0
sadb_seq=2 pid=301 refcnt=2
203.107.34.2 203.107.34.3
esp mode=any spi=9994(0x0000270a) reqid=0(0x00000000)
E: blowfish-cbc 31323334 35363738 39
seq=0x00000004 replay=0 flags=0x00000040 state=mature
created: Jan 21 14:28:33 2003 current: Jan 21 16:41:49 2003
diff: 7996(s) hard: 0(s) soft: 0(s)
last: Jan 21 14:31:20 2003 hard: 0(s) soft: 0(s)
current: 400(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4 hard: 0 soft: 0
sadb_seq=1 pid=301 refcnt=2
203.107.34.3 203.107.34.2
esp mode=any spi=9993(0x00002709) reqid=0(0x00000000)
E: blowfish-cbc 31323334 35363738 39
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Jan 21 14:28:33 2003 current: Jan 21 16:41:49 2003
diff: 7996(s) hard: 0(s) soft: 0(s)
last: Jan 21 14:31:20 2003 hard: 0(s) soft: 0(s)
current: 480(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 8 hard: 0 soft: 0
sadb_seq=0 pid=301 refcnt=1
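Reading the four SA entries above by eye works for three sites but not for a larger mesh. The shell check below is an added example, not from the original article: it condenses `setkey -D` output to one line per SA and reports every expected SA that is absent or not in state=mature. The SAMPLE text is constructed from the article's own output, trimmed to two SAs with one state changed to show a failure being caught.

```shell
#!/bin/sh
# Added example, not from the article: condense `setkey -D` output and flag expected
# SAs that are missing or not mature. SAMPLE is constructed from the article's output.

# sa_summary: stdin = `setkey -D` output; stdout = one "SRC DST SPI STATE" line per SA.
# The SA header line is unindented ("src dst"); the spi= and state= lines follow it.
sa_summary() {
    awk '/^[0-9.]+ [0-9.]+$/ { src = $1; dst = $2 }
         /spi=/              { split($3, a, "[=(]"); spi = a[2] }
         /state=/            { sub(/.*state=/, ""); print src, dst, spi, $1 }'
}

# check_sas "SRC DST SPI" ...: read `setkey -D` on stdin and print "BAD: SRC DST SPI"
# for every expected SA that is absent or whose state is not mature.
check_sas() {
    summary=$(sa_summary)
    for want in "$@"; do
        printf '%s\n' "$summary" | grep -qxF "$want mature" || echo "BAD: $want"
    done
}

# Constructed sample: the article's A<->C SAs, with the A->C one altered to "larval"
SAMPLE='203.107.34.4 203.107.34.2
    esp mode=any spi=9996(0x0000270c) reqid=0(0x00000000)
    E: blowfish-cbc 31323334 35363738 39
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    sadb_seq=3 pid=301 refcnt=1
203.107.34.2 203.107.34.4
    esp mode=any spi=9995(0x0000270b) reqid=0(0x00000000)
    E: blowfish-cbc 31323334 35363738 39
    seq=0x00000015 replay=0 flags=0x00000040 state=larval
    sadb_seq=2 pid=301 refcnt=2'

# run_sample: check the article's four A-side SAs against the sample and print the report
# (the A->C SA is not mature and the two A<->B SAs are missing, so three BAD lines).
run_sample() {
    printf '%s\n' "$SAMPLE" | check_sas \
        "203.107.34.4 203.107.34.2 9996" "203.107.34.2 203.107.34.4 9995" \
        "203.107.34.2 203.107.34.3 9994" "203.107.34.3 203.107.34.2 9993"
}
run_sample
```

On a live host replace the sample with `setkey -D | check_sas ...`, listing the SPIs from that host's ipsec.conf.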

Server A# netstat -nr  # view the routing table
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 203.107.34.62 UGSc 1 4782 de0
10.255.255.1 10.255.255.1 UH 0 0 lo0
10.255.255.2 10.255.255.1 UH 1 0 gif0
10.255.255.3 10.255.255.1 UH 1 0 gif1
127.0.0.1 127.0.0.1 UH 0 0 lo0
192.168.0 link#2 UC 0 0 fxp0
192.168.1 10.255.255.2 UGSc 0 8 gif0
192.168.2 10.255.255.3 UGSc 0 25 gif1
203.107.34/26 link#1 UC 4 0 de0
203.107.34.3 link#1 UHLW 1 12 de0
203.107.34.4 link#1 UHLW 1 21 de0
203.107.34.11 00:50:04:c3:7d:59 UHLW 2 2020 de0 1149
203.107.34.62 00:01:63:8c:68:54 UHLW 1 0 de0 1042

Finally, confirm with ping that the other subnets can be reached:

Server A#ping 192.168.1.254
Server A#ping 192.168.2.254
Server B#ping 192.168.0.254
Server B#ping 192.168.2.254
Server C#ping 192.168.0.254
Server C#ping 192.168.1.254