FreeBSD Configuration

Source: 岁月联盟   Editor: zhu   Date: 2008-01-19
[FreeBSD Tutorial] Configuring the network: /etc/rc.conf
  
  # the rc.conf variable is network_interfaces (plural); the singular form is ignored
  network_interfaces="dc0 lo0"
  ifconfig_dc0="192.168.2.11"
  defaultrouter="192.168.2.1"
  
  Remote login
  
  FreeBSD's default remote login is ssh, but a user logged in that way cannot su to root. To be able to su to root, open /etc/group and add your user name to the wheel group:
  
  wheel:*:0:root,name
  
  Rebuilding the kernel
  
  #cd /usr/src/sys/i386/conf
  #cp GENERIC MYKERNEL
  
  Edit MYKERNEL and add:
  
  options IPSEC
  options IPSEC_ESP
  options IPSEC_DEBUG
  
  Then:
  
  #/usr/sbin/config MYKERNEL
  #cd ../compile/MYKERNEL
  #make depend
  #make
  #make install
  
  Installing racoon
  
  #cd /usr/ports/security/racoon
  #make install clean
  
  Make sure that racoon-20021120a.tar.gz is present in /usr/ports/distfiles; if it is not, download it first.
  
  3. Creating certificates
  Certificates are used as the authentication method. The certificates are created with OpenSSL.

  First create a CA, then issue certificates to the two machines that will be connected. The CA itself is created by generating an RSA key pair and then a self-signed certificate.
  
  Creating the CA
  
  $ openssl genrsa -des3 -out ca.key 1024
  warning, not much extra random data, consider using the -rand option
  Generating RSA private key, 1024 bit long modulus
  ..............
  ................
  e is 65537 (0x10001)
  Enter PEM pass phrase: fearBeans
  Verifying password - Enter PEM pass phrase: fearBeans
  
  $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  Using configuration from /etc/ssl/openssl.cnf
  Enter PEM pass phrase: fearBeans
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:CN
  State or Province Name (full name) [Some-State]:Heilongjiang
  Locality Name (eg, city) []:Daqing
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxdevice
  Organizational Unit Name (eg, section) []:
  Common Name (eg, YOUR name) []:zhangp
  Email Address []:zhangp@cy9.dq.cnpc.com.cn
  
  To create a certificate for a host, first generate an RSA private key, then create the CA-signed certificate.
  
  $ openssl genrsa -out win2k.key 1024
  warning, not much extra random data, consider using the -rand option
  Generating RSA private key, 1024 bit long modulus
  .....
  .....
  e is 65537 (0x10001)
  
  $ openssl req -new -key win2k.key -out win2k.csr
  Using configuration from /etc/ssl/openssl.cnf
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:CN
  State or Province Name (full name) [Some-State]:Heilongjiang
  Locality Name (eg, city) []:Daqing
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linuxdevice
  Organizational Unit Name (eg, section) []:
  Common Name (eg, YOUR name) []:win2k
  Email Address []:win2k@cy9.dq.cnpc.com.cn
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
  
  $ openssl x509 -req -days 182 -in win2k.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out win2k.crt
  Signature ok
  subject=/C=CN/ST=Heilongjiang/L=Daqing/O=Linuxdevice/CN=win2k/Email=win2k@cy9.dq.cnpc.com.cn
  Getting CA Private Key
  Enter PEM pass phrase: 123456
  
  Create a certificate for the host freebsd in the same way. The win2k certificate must additionally be packaged in PKCS#12 format:
  
  $ openssl pkcs12 -export -inkey win2k.key -certfile ca.crt -in win2k.crt -out win2k.p12
  Enter Export Password: 123456
  Verifying password - Enter Export Password: 123456
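The certificate procedure above, as an added shell example that is not part of the original tutorial: it runs the same OpenSSL steps non-interactively for the CA, both hosts and the win2k PKCS#12 bundle, and adds a verification step. The placeholder passphrases, the 2048-bit key size, the freebsd host's e-mail address (taken from my_identifier in racoon.conf) and the subjectAltName extension are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): builds the tutorial's CA and the
# two host certificates non-interactively, then verifies each host certificate
# against the CA. Assumptions: the passphrases are placeholders, keys are
# 2048 bits instead of 1024, and each host certificate carries a subjectAltName
# e-mail that matches the user_fqdn identifier used in racoon.conf.
set -e

CA_PASS="replace-me-ca-passphrase"        # placeholder, constructed
P12_PASS="replace-me-export-password"     # placeholder, constructed
DN_PREFIX="/C=CN/ST=Heilongjiang/L=Daqing/O=Linuxdevice"

# make_ca DIR : encrypted CA key and self-signed CA certificate (365 days)
make_ca() {
  dir="$1"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048
  openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
    -subj "$DN_PREFIX/CN=zhangp/emailAddress=zhangp@cy9.dq.cnpc.com.cn" \
    -out "$dir/ca.crt"
}

# make_host DIR NAME EMAIL : host key, CSR and CA-signed certificate (182 days)
make_host() {
  dir="$1"; name="$2"; email="$3"
  openssl genrsa -out "$dir/$name.key" 2048
  openssl req -new -key "$dir/$name.key" \
    -subj "$DN_PREFIX/CN=$name/emailAddress=$email" -out "$dir/$name.csr"
  # racoon matches a user_fqdn identifier against the rfc822Name SAN
  printf 'subjectAltName=email:%s\n' "$email" > "$dir/$name.ext"
  openssl x509 -req -days 182 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt"
}

# build_pki DIR : the whole procedure; win2k additionally gets a PKCS#12 bundle
build_pki() {
  dir="$1"
  make_ca "$dir"
  make_host "$dir" freebsd zhangp@cy9.dq.cnpc.com.cn
  make_host "$dir" win2k win2k@cy9.dq.cnpc.com.cn
  # very old Windows importers need the OpenSSL 3 "-legacy" option here
  openssl pkcs12 -export -inkey "$dir/win2k.key" -in "$dir/win2k.crt" \
    -certfile "$dir/ca.crt" -passout "pass:$P12_PASS" -out "$dir/win2k.p12"
  chmod 0600 "$dir"/*.key "$dir/win2k.p12"
}

# usage: sh this-script.sh /target/directory
if [ "$#" -gt 0 ]; then build_pki "$1"; fi
```

Only the .crt files and the win2k.p12 bundle leave the machine; the CA key and ca.srl stay on the signing host.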
  
  Configuring FreeBSD
  Prepare the configuration file /etc/ipsec.conf, where 192.168.2.11 is the FreeBSD host and 192.168.2.6 is the win2k host:
  
  spdadd 192.168.2.11/32 192.168.2.6/32 any -P out ipsec esp/transport/192.168.2.11-192.168.2.6/require;
  spdadd 192.168.2.6/32 192.168.2.11/32 any -P in ipsec esp/transport/192.168.2.6-192.168.2.11/require;
  
  Add the following to /etc/rc.conf:
  
  ipsec_enable="YES"
  
  Prepare the configuration file /usr/local/etc/racoon/racoon.conf:
  
  # Directory in which we will store this, and other machines' certificates
  path certificate "/usr/local/etc/racoon/certs";

  log debug2;

  # Padding values. These have been copied verbatim from the example.
  padding
  {
      maximum_length 20;      # maximum padding length.
      randomize off;          # enable randomized length.
      strict_check off;       # enable strict check.
      exclusive_tail off;     # extract the last octet.
  }

  # Timer values. I've bumped up the phase 1 & 2 timeouts.
  timer
  {
      # These values can be changed per remote node.
      counter 5;              # maximum number of send attempts.
      interval 20 sec;        # maximum interval between resends.
      persend 1;              # number of packets per send.

      # timers for waiting to complete each phase.
      phase1 90 sec;
      phase2 60 sec;
  }

  remote anonymous
  {
      exchange_mode main,aggressive;
      #exchange_mode aggressive,main;
      doi ipsec_doi;
      situation identity_only;
      my_identifier user_fqdn "zhangp@cy9.dq.cnpc.com.cn";
      peers_identifier user_fqdn "win2k@cy9.dq.cnpc.com.cn";
      certificate_type x509 "freebsd.crt" "freebsd.key";
      peers_certfile "win2k.crt";

      nonce_size 16;
      lifetime time 4 hour;   # sec,min,hour
      initial_contact on;
      support_mip6 on;
      proposal_check obey;    # obey, strict or claim

      # This is the same as one of the default proposals on Windows:
      # 3DES, MD5 and RSA (certificate) authentication.
      proposal {
          encryption_algorithm 3des;
          hash_algorithm md5;
          authentication_method rsasig;
          dh_group 2;
      }
  }

  sainfo anonymous
  {
      pfs_group 1;
      lifetime time 30 sec;
      encryption_algorithm 3des,des;
      authentication_algorithm hmac_sha1,hmac_md5;
      compression_algorithm deflate;
  }
  
  Store the certificates in /usr/local/etc/racoon/certs:
  
  #mkdir -m 0700 /usr/local/etc/racoon/certs
  #cp freebsd.crt freebsd.key win2k.crt /usr/local/etc/racoon/certs
  #chmod 0600 /usr/local/etc/racoon/certs/*
  
  The racoon daemon can now be started:
  
  #racoon
