NSFocus Security Monthly -> Issue 32 -> Technical Feature

Building an enterprise-grade PPTP VPN with mpd

Author: backend <backend@nsfocus.com>
Source: http://www.nsfocus.com
Home page: http://www.nsfocus.com
Date: 2002-06-19

by backend <backend@nsfocus.com>
2002/05/29
--[ Introduction ]------------------

    Security has always come first for me, so until now building a VPN meant IPSec only. IPSec has many advantages: very high security, flexible configuration, a choice of encryption and signature algorithms, and suitability for all kinds of deployments. Its drawback is that the demands of high security make it computationally expensive; in other words, encrypting high-volume traffic with IPSec needs fairly powerful hardware. An IPSec-based VPN is therefore suited to critical applications, ISP/IDC services, or large-enterprise business systems that need strong protection of data in transit and have hardware of a sufficient class.
    At the same time, IPSec interoperability across operating systems is uneven. IPSec sessions between UNIX-like platforms usually work without trouble, but sessions with Windows hosts often fail because the two sides implement key negotiation differently. (With SSH Communications' Sentinel for Windows it can be made to work with a few tricks.)
    When these factors make an IPSec VPN hard to build, we can consider non-IPSec VPN technologies such as L2TP, PPTP and IPIP. These are mature and stable, are supported by essentially every major operating system, and demand less of the hardware than IPSec, which makes them well suited to the VPN needs of small and medium-sized enterprises.
    This article walks through a worked example of building a VPN tunnel based on PPTP (Point-to-Point Tunneling Protocol) with the open-source (GNU) mpd software.

--[ Network environment and topology ]------------------

Both firewall gateways run FreeBSD 4.5-Stable with IP Filter 3.4.27.


            +==================+
            |                  |
            |  192.168.1.0/24  |
            |                  |
            +========+=========+
                     | _______________xl1: 192.168.1.254
                     |/
            +--------+---------+
            |      GW-A        |
            +--------+---------+
                     |\_______________xl0: 211.xxx.xxx.31
                     .
            Internet . (PPTP Tunnel)
                     . _______________xl0: 202.yyy.yyy.25
                     |/
            +--------+---------+
            |      GW-B        |
            +--------+---------+
                     |\_______________xl1: 192.168.2.254
                     |
            +========+=========+
            |                  |
            |  192.168.2.0/24  |
            |                  |
            +==================+


--[ Installation ]------------------

Note: the mpd package is installed in exactly the same way on GW-A and GW-B.

GW-A # cd /usr/ports/net/mpd
GW-A # make
GW-A # make install

These are the standard three steps of a FreeBSD ports install, as simple as it gets.
If you download the mpd package by hand the procedure is much the same, except that
you have to edit a few parameters in the Makefile yourself.


--[ Configuration ]------------------

1. Make sure the system supports netgraph and the ng_* nodes. You can edit the kernel configuration file and build them into the kernel, but by default they are built as kernel modules that the kernel loads automatically. All you need to do, then, is confirm that /modules contains the following modules:
        netgraph.ko
        ng_bpf.ko
        ng_iface.ko
        ng_ksocket.ko
        ng_mppc.ko
        ng_ppp.ko
        ng_pptpgre.ko
        ng_socket.ko
        ng_vjc.ko

2. Make sure the system's securelevel is not greater than zero, otherwise kernel modules cannot be loaded. (This restriction does not apply if the modules are compiled directly into the kernel.)

GW-A # sysctl kern.securelevel
kern.securelevel: -1

3. Create the mpd.* configuration files for GW-A under /usr/local/etc/mpd.

GW-A # cd /usr/local/etc/mpd
GW-A # cat > mpd.conf << __EOF__
default:
load nsfocusvpn

nsfocusvpn:
        new -i ng0 vpn vpn
        set iface disable on-demand
        set iface addrs 192.168.1.254 192.168.2.254
        set iface idle 0
        set iface route 192.168.2.0/24
        set bundle disable multilink
        set bundle authname "NSFLogin"
        set bundle password "NSFPassword"
        set link yes acfcomp protocomp
        set link no pap
        set link yes chap
# If remote machine is NT you need this..
#       set link enable no-orig-auth
        set link keep-alive 10 75
        set ipcp yes vjcomp
        set ipcp ranges 192.168.1.254/32 192.168.2.254/32
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e128
        set bundle enable crypt-reqd
        set ccp yes mpp-stateless
__EOF__

GW-A # cat > mpd.links << __EOF__
#
# For our PPTP VPN connection to 192.168.2.0/24
#

nsfocusvpn:
        set link type pptp
        set pptp self 211.xxx.xxx.31
        set pptp peer 202.yyy.yyy.25
        set pptp enable originate incoming outcall
__EOF__

4. Create the mpd.* configuration files for GW-B under /usr/local/etc/mpd.

GW-B # cd /usr/local/etc/mpd
GW-B # cat > mpd.conf << __EOF__
default:
load nsfocusvpn

nsfocusvpn:
        new -i ng0 vpn vpn
        set iface disable on-demand
        set iface addrs 192.168.2.254 192.168.1.254
        set iface idle 0
        set iface route 192.168.1.0/24
        set bundle disable multilink
        set bundle authname "NSFLogin"
        set bundle password "NSFPassword"
        set link yes acfcomp protocomp
        set link no pap
        set link yes chap
# If remote machine is NT you need this..
#       set link enable no-orig-auth
        set link keep-alive 10 75
        set ipcp yes vjcomp
        set ipcp ranges 192.168.2.254/32 192.168.1.254/32
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e128
        set bundle enable crypt-reqd
        set ccp yes mpp-stateless
__EOF__

GW-B # cat > mpd.links << __EOF__
#
# For our PPTP VPN connection to 192.168.1.0/24
#

nsfocusvpn:
        set link type pptp
        set pptp self 202.yyy.yyy.25
        set pptp peer 211.xxx.xxx.31
        set pptp enable originate incoming outcall
__EOF__
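An added cross-check, not part of the original article: this Python script parses the mpd.conf/mpd.links syntax shown above, verifies that the GW-A and GW-B files mirror each other (iface addrs reversed, pptp self/peer swapped, identical credentials) and reports the settings a reviewer would question (PAP not disabled, crypt-reqd missing, mpp-e40 allowing 40-bit MPPE). The gateway_text sample is constructed to match the article's layout; the simplified parser assumes that '#' always starts a comment and that quoted values contain no spaces.

```python
def parse_mpd(text):
    """{label: [[word, ...], ...]}: 'label:' opens a section, '#' starts a comment."""
    sections, label = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(":"):
            label = line[:-1]
        elif line and label:
            sections.setdefault(label, []).append(line.replace('"', "").split())
    return sections

def arg(cmds, *words):
    """Arguments after the first command that starts with words; None if absent."""
    return next((c[len(words):] for c in cmds if c[:len(words)] == list(words)), None)

def audit_pair(text_a, text_b, label="nsfocusvpn"):
    """Cross-check GW-A/GW-B combined mpd.conf+mpd.links text; [] means no findings."""
    a, b = parse_mpd(text_a)[label], parse_mpd(text_b)[label]
    problems = []
    if arg(a, "set", "iface", "addrs") != (arg(b, "set", "iface", "addrs") or [])[::-1]:
        problems.append("iface addrs are not mirrored")
    if (arg(a, "set", "pptp", "self"), arg(a, "set", "pptp", "peer")) != \
       (arg(b, "set", "pptp", "peer"), arg(b, "set", "pptp", "self")):
        problems.append("pptp self/peer are not mirrored")
    for key in ("authname", "password"):
        if arg(a, "set", "bundle", key) != arg(b, "set", "bundle", key):
            problems.append(f"bundle {key} differs between gateways")
    for name, me in (("A", a), ("B", b)):  # per-side weak-option findings
        if arg(me, "set", "link", "no", "pap") is None:
            problems.append(f"GW-{name} leaves PAP (cleartext password) enabled")
        if arg(me, "set", "bundle", "enable", "crypt-reqd") is None:
            problems.append(f"GW-{name} does not require encryption (crypt-reqd)")
        if arg(me, "set", "ccp", "yes", "mpp-e40") is not None:
            problems.append(f"GW-{name} permits 40-bit MPPE")
    return problems

def gateway_text(self_ip, peer_ip, self_gw, peer_gw):
    """Constructed sample in the article's layout: mpd.conf lines, then mpd.links lines."""
    return f"""nsfocusvpn:
        set iface addrs {self_gw} {peer_gw}
        set bundle authname "NSFLogin"
        set bundle password "NSFPassword"
        set link no pap
        set ccp yes mpp-e40
        set bundle enable crypt-reqd
        set pptp self {self_ip}
        set pptp peer {peer_ip}
"""
```

Run on the two gateway files as written in this article, the only findings are that both sides still permit 40-bit MPPE.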

5. Configure the firewall rules to let the VPN negotiation and the tunnelled traffic through.

(Note: the rules below are added by hand; once testing succeeds they must be written into the rule file loaded at boot.)
GW-A # ipf -f -
@1 pass in quick on ng0 all
@2 pass in  quick on xl0 proto tcp from 202.yyy.yyy.25 to 211.xxx.xxx.31 port = 1723 keep state
@3 pass in  quick on xl0 proto gre all
@4 pass in  quick on xl1 proto tcp/udp from 192.168.1.0/24 to 192.168.2.0/24 keep state
@5 pass in  quick on xl1 proto icmp    from 192.168.1.0/24 to 192.168.2.0/24 keep state
...
...
@1 pass out quick on ng0 all
@2 pass out quick on xl0 proto tcp from 211.xxx.xxx.31 to 202.yyy.yyy.25 port = 1723 keep state
@3 pass out quick on xl0 proto gre all
@4 pass out quick on xl1 proto tcp/udp from 192.168.2.0/24 to 192.168.1.0/24 keep state
@5 pass out quick on xl1 proto icmp    from 192.168.2.0/24 to 192.168.1.0/24 keep state
...
...

GW-B # ipf -f -
@1 pass in quick on ng0 all
@2 pass in  quick on xl0 proto tcp from 211.xxx.xxx.31 to 202.yyy.yyy.25 port = 1723 keep state
@3 pass in  quick on xl0 proto gre all
@4 pass in  quick on xl1 proto tcp/udp from 192.168.2.0/24 to 192.168.1.0/24 keep state
@5 pass in  quick on xl1 proto icmp    from 192.168.2.0/24 to 192.168.1.0/24 keep state
...
...
@1 pass out quick on ng0 all
@2 pass out quick on xl0 proto tcp from 202.yyy.yyy.25 to 211.xxx.xxx.31 port = 1723 keep state
@3 pass out quick on xl0 proto gre all
@4 pass out quick on xl1 proto tcp/udp from 192.168.1.0/24 to 192.168.2.0/24 keep state
@5 pass out quick on xl1 proto icmp    from 192.168.1.0/24 to 192.168.2.0/24 keep state
...
...


--[ Startup and testing ]------------------


1. Start the mpd daemon

/usr/local/sbin/mpd -b
(Without the -b option mpd runs in the foreground and prints status messages.)

2. Testing

First check that the PPTP tunnel has been established.

GW-A # ifconfig ng0
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1496
        inet 192.168.1.254 --> 192.168.2.254 netmask 0xffffffff

GW-B # ifconfig ng0
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1496
        inet 192.168.2.254 --> 192.168.1.254 netmask 0xffffffff

Then test network access between 192.168.1.0/24 and 192.168.2.0/24.


--[ Boot-time configuration ]------------------

1. Write the verified ipfilter rules into the appropriate place in the rule file loaded at boot.

2. Create a start-up and control script for the mpd daemon. The heredoc delimiter is quoted so that the shell writing the file does not expand $1, ${PREFIX} and the backticks before they reach the script:

GW-A # cat > /usr/local/etc/rc.d/mpd.sh << '__EOF__'
#!/bin/sh
# Start, stop or restart the mpd daemon; run with "start" by rc at boot.

PREFIX="/usr/local"

case "$1" in
start)
        if [ -x ${PREFIX}/sbin/mpd -a -f ${PREFIX}/etc/mpd/mpd.conf ]; then
                (cd ${PREFIX}/etc ; ${PREFIX}/sbin/mpd -b) ; echo ' mpd started'
        fi
        ;;
stop)
        killall mpd ; echo ' mpd stopped'
        ;;
restart)
        $0 stop
        $0 start
        ;;
*)
        echo "Usage: `basename $0` {start|stop|restart}" >&2
        ;;
esac

exit 0
__EOF__

GW-A # chmod u+x /usr/local/etc/rc.d/mpd.sh

The configuration steps on GW-B are exactly the same as on GW-A.

<<< End >>>
All rights reserved. Reproduction without permission is prohibited.