Using FreeBSD gateways to build a VPN between two networks separated by the Internet, so that the two networks can reach each other through the VPN tunnel.

IPsec is a protocol built on top of the Internet Protocol (IP) layer that lets two or more hosts communicate securely. IPsec can be used either to encrypt traffic directly between hosts (transport mode) or to build a "virtual tunnel" between two subnets for secure communication between the two networks (tunnel mode). The latter is better known as a Virtual Private Network (VPN).

1. Building the kernel
-------------------------------
# To put IPsec support into the kernel, add the following options to the kernel configuration file:
options IPSEC        #IP security
options IPSEC_ESP
device  crypto
# If IPsec debugging support is needed, also add:
options IPSEC_DEBUG  #debug for IP security
device  gif          # IPv6 and IPv4 tunneling
# Then rebuild the kernel.

2. VPN configuration
---------------------------------
# Install security/ipsec-tools
server1# tar -jxvf ipsec-tools-0.8-alpha20090422.tar.bz2
server1# cd ipsec-tools-0.8-alpha20090422
server1# ./configure
server1# make; make install

# Create the gif0 tunnel interface on each gateway. gif0 itself carries the two
# gateways' private (LAN) addresses; the public addresses are the outer tunnel endpoints.
server1:
server1# ifconfig gif0 create
server1# ifconfig gif0 10.10.10.100 172.16.16.100
server1# ifconfig gif0 tunnel 222.11.33.23 222.11.34.56

server2:
server2# ifconfig gif0 create
server2# ifconfig gif0 172.16.16.100 10.10.10.100
server2# ifconfig gif0 tunnel 222.11.34.56 222.11.33.23

# Once this is done, the two private addresses should be able to reach each other,
# as the ping output below shows:
server1# ping 172.16.16.100
PING 172.16.16.100 (172.16.16.100): 56 data bytes
64 bytes from 172.16.16.100: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.100: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.100: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.100: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.100 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms

server2# ping 10.10.10.100
PING 10.10.10.100 (10.10.10.100): 56 data bytes
64 bytes from 10.10.10.100: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.100: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.100: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.100: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.100: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.100 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms

# Add routes so that the private networks behind the two gateways can reach each other
# (the line printed by route(8) is shown under each command):
server1:
server1# route add 172.16.16.0 172.16.16.100 255.255.255.0
add net 172.16.16.0: gateway 172.16.16.100

server2:
server2# route add 10.10.10.0 10.10.10.100 255.255.255.0
add net 10.10.10.0: gateway 10.10.10.100

# With the routes in place, both the gateway and the machines behind it can reach the other internal network:
server1# ping 172.16.16.23
PING 172.16.16.23 (172.16.16.23): 56 data bytes
64 bytes from 172.16.16.23: icmp_seq=0 ttl=64 time=7.140 ms
64 bytes from 172.16.16.23: icmp_seq=1 ttl=64 time=7.268 ms
64 bytes from 172.16.16.23: icmp_seq=2 ttl=64 time=7.070 ms
64 bytes from 172.16.16.23: icmp_seq=3 ttl=64 time=7.020 ms
^C
--- 172.16.16.23 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.020/7.125/7.268/0.093 ms

server2# ping 10.10.10.16
PING 10.10.10.16 (10.10.10.16): 56 data bytes
64 bytes from 10.10.10.16: icmp_seq=0 ttl=64 time=7.186 ms
64 bytes from 10.10.10.16: icmp_seq=1 ttl=64 time=7.079 ms
64 bytes from 10.10.10.16: icmp_seq=2 ttl=64 time=7.001 ms
64 bytes from 10.10.10.16: icmp_seq=3 ttl=64 time=7.064 ms
64 bytes from 10.10.10.16: icmp_seq=4 ttl=64 time=6.989 ms
^C
--- 10.10.10.16 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.989/7.064/7.186/0.070 ms

3. Encrypting the tunnel
------------------------------------------------------
# Use pre-shared (PSK) or RSA keys to encrypt the tunnel so that data crosses it securely.
# Requires security/ipsec-tools (installed above).
server1# vi /usr/local/etc/racoon/racoon.conf   // the files on both sides are nearly identical; only small changes are needed

path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; # location of pre-shared key file
log     debug;  # log verbosity setting: set to notify when testing and debugging is complete

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listen on
{
        isakmp          222.11.33.23 [500];
        isakmp_natt     222.11.33.23 [4500];
}

remote 222.11.34.56 [500]
{
        exchange_mode           main,aggressive;
        doi                     ipsec_doi;
        situation               identity_only;
        my_identifier           address 222.11.33.23;
        peers_identifier        address 222.11.34.56;
        lifetime                time 8 hour;
        passive                 off;
        proposal_check          obey;
#       nat_traversal           off;
        generate_policy         off;

        # blowfish/md5/dh_group 1 are the 2009 choices of this post; current
        # deployments prefer aes/sha256 with dh_group 14 or stronger
        proposal {
                encryption_algorithm    blowfish;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                lifetime time           30 sec;
                dh_group                1;
        }
}

sainfo (address 10.10.10.0/24 any address 172.16.16.0/24 any) # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{
        # $network must be the two internal networks you are joining.
        pfs_group                       1;
        lifetime                        time 36000 sec;
        encryption_algorithm            blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm           deflate;
}

server1# vi /usr/local/etc/racoon/setkey.conf

flush;
spdflush;
# To the home network
# Policy level "use" lets traffic pass in the clear when no SA exists; "require" refuses it.
spdadd 10.10.10.0/24 172.16.16.0/24 any -P out ipsec esp/tunnel/222.11.33.23-222.11.34.56/use;
spdadd 172.16.16.0/24 10.10.10.0/24 any -P in ipsec esp/tunnel/222.11.34.56-222.11.33.23/use;

# Once this is done, start racoon on both gateways with the following command:
server1# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
server2# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf

# Confirm that the tunnel is working (a working tunnel shows ESP packets between the
# two public addresses instead of the inner traffic):
server1# tcpdump -i em0 host 222.11.33.23 and dst 222.11.34.56

4. Firewall settings
------------------------------------------------
# ipfw rules
# racoon above also listens on UDP 4500 (isakmp_natt); add a matching rule if NAT traversal is used.
ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any

# pf rules
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port 500 to any port 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port 500 to any port 500
pass out quick on gif0 from any to any

# Enable VPN support at boot
server1# vi /etc/rc.conf

ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"  # allows setting up spd policies on boot
racoon_enable="yes"

Reposted from: https://blog.51cto.com/kerry/239106
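The gif0, route and setkey steps in sections 2 and 3 above have to be written twice, once per gateway, with every local/remote pair swapped, and a mismatch between the two sides is the usual reason such a tunnel silently fails or passes traffic in the clear. The POSIX sh script below is an added example, not part of the original post or of ipsec-tools: it derives both gateways' pieces from one description of the link and checks that the two setkey.conf texts are mirror images. The function names (spd_entries, setkey_conf, gif_commands, spd_mirror_ok) are this example's own; the addresses are the ones used in the post, and the policy level defaults to require rather than the post's use, so traffic is refused instead of falling back to cleartext when no SA exists.

```shell
#!/bin/sh
# Added example (not from the original post or ipsec-tools): derive the
# per-gateway gif0/route/setkey pieces from one description of the link and
# check that the two gateways' SPD entries mirror each other exactly.
# Function names are this example's own; addresses come from the post.

# spd_entries LOCAL_PUB REMOTE_PUB LOCAL_NET REMOTE_NET LEVEL
# Print the two spdadd lines for one gateway. LEVEL is "require" (drop
# traffic when no SA exists) or "use" (the post's setting: fall back to
# cleartext when no SA exists).
spd_entries() {
    lpub=$1 rpub=$2 lnet=$3 rnet=$4 level=$5
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/%s;\n' \
        "$lnet" "$rnet" "$lpub" "$rpub" "$level"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/%s;\n' \
        "$rnet" "$lnet" "$rpub" "$lpub" "$level"
}

# setkey_conf LOCAL_PUB REMOTE_PUB LOCAL_NET REMOTE_NET LEVEL
# Print a complete setkey.conf for one gateway.
setkey_conf() {
    printf 'flush;\nspdflush;\n'
    spd_entries "$@"
}

# gif_commands LOCAL_PUB REMOTE_PUB LOCAL_GW REMOTE_GW REMOTE_NET
# Print the gif0 and route commands for one gateway: the gateways' private
# addresses go on gif0 itself, the public addresses are the tunnel endpoints.
gif_commands() {
    lpub=$1 rpub=$2 lgw=$3 rgw=$4 rnet=$5
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 %s %s\n' "$lgw" "$rgw"
    printf 'ifconfig gif0 tunnel %s %s\n' "$lpub" "$rpub"
    printf 'route add -net %s %s\n' "$rnet" "$rgw"
}

# spd_mirror_ok A_CONF B_CONF
# A_CONF and B_CONF are the setkey.conf texts of the two gateways. Return 0
# when every "-P out" policy on either side appears, with "out" replaced by
# "in", as an identical line on the other side; return 1 otherwise.
spd_mirror_ok() {
    _a=$1 _b=$2
    for _side in a b; do
        if [ "$_side" = a ]; then _src=$_a _dst=$_b; else _src=$_b _dst=$_a; fi
        printf '%s\n' "$_src" | grep ' -P out ' | sed 's/ -P out / -P in /' |
        while IFS= read -r _want; do
            printf '%s\n' "$_dst" | grep -qxF -- "$_want" || exit 1
        done || return 1
    done
    return 0
}

# Stand-alone run: print server1's setkey.conf and gif0 commands with the post's addresses.
setkey_conf 222.11.33.23 222.11.34.56 10.10.10.0/24 172.16.16.0/24 require
gif_commands 222.11.33.23 222.11.34.56 10.10.10.100 172.16.16.100 172.16.16.0/24
```

Run it once per gateway with the local/remote arguments swapped, then feed the two generated setkey.conf texts to spd_mirror_ok before loading them with setkey -f; a typo in either network or public address is reported before any policy is installed.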
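The racoon.conf in section 3 uses the algorithms that were common when the post was written (blowfish, md5, DH group 1), leaves log debug switched on, allows aggressive mode, and the setkey policies use level use. The script below is an added example, not from the original post or from ipsec-tools: a small awk-based audit that flags those settings in a racoon.conf/setkey.conf text, run over two constructed samples, one mirroring the post's configuration and one hardened variant (aes, sha256, DH group 14, main mode only, require). The function names, rules and sample texts are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or ipsec-tools): flag the weak or
# risky settings in a racoon.conf / setkey.conf text. The rules and messages
# are this example's own; the two sample texts below are constructed, one
# mirroring the post's configuration and one hardened variant.

# racoon_findings CONF_TEXT
# Print one line per finding. Comment lines are ignored.
racoon_findings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        # aggressive mode sends the PSK-derived hash before encryption starts
        /exchange_mode/ && /aggressive/ { print "aggressive mode enabled: " $0 }
        # DES, 3DES and Blowfish are 64-bit block ciphers; AES is expected today
        /encryption_algorithm/ && /(des|blowfish)/ { print "weak cipher: " $0 }
        /(hash_algorithm|authentication_algorithm)/ && /md5/ { print "MD5 in use: " $0 }
        # group 1 is 768-bit MODP; group 14 (2048-bit) or stronger is expected today
        /(dh_group|pfs_group)[ \t]+1;/ { print "DH group 1: " $0 }
        /^[ \t]*log[ \t]+debug;/ { print "debug logging left on: " $0 }
        # level "use" lets traffic pass in the clear when no SA exists
        /^[ \t]*spdadd / && /\/use;/ { print "cleartext fallback: " $0 }
    '
}

# racoon_finding_count CONF_TEXT
# Print the number of findings (0 means the text passed every rule).
racoon_finding_count() {
    racoon_findings "$1" | wc -l | tr -d ' \t'
}

# Constructed sample mirroring the relevant parts of the post's configuration.
SAMPLE_WEAK='log debug;
remote 222.11.34.56 [500]
{
        exchange_mode   main,aggressive;
        proposal {
                encryption_algorithm    blowfish;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                dh_group                1;
        }
}
sainfo (address 10.10.10.0/24 any address 172.16.16.0/24 any)
{
        pfs_group       1;
        encryption_algorithm    blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
}
spdadd 10.10.10.0/24 172.16.16.0/24 any -P out ipsec esp/tunnel/222.11.33.23-222.11.34.56/use;
spdadd 172.16.16.0/24 10.10.10.0/24 any -P in ipsec esp/tunnel/222.11.34.56-222.11.33.23/use;'

# Constructed hardened variant of the same configuration.
SAMPLE_HARDENED='log notify;
remote 222.11.34.56 [500]
{
        exchange_mode   main;
        proposal {
                encryption_algorithm    aes;
                hash_algorithm          sha256;
                authentication_method   pre_shared_key;
                dh_group                14;
        }
}
sainfo (address 10.10.10.0/24 any address 172.16.16.0/24 any)
{
        pfs_group       14;
        encryption_algorithm    aes;
        authentication_algorithm        hmac_sha256;
}
spdadd 10.10.10.0/24 172.16.16.0/24 any -P out ipsec esp/tunnel/222.11.33.23-222.11.34.56/require;
spdadd 172.16.16.0/24 10.10.10.0/24 any -P in ipsec esp/tunnel/222.11.34.56-222.11.33.23/require;'

# Stand-alone run: list the findings for both samples.
printf -- '--- findings in the post-style configuration ---\n'
racoon_findings "$SAMPLE_WEAK"
printf -- '--- findings in the hardened configuration: %s ---\n' "$(racoon_finding_count "$SAMPLE_HARDENED")"
```

To audit a live gateway, pass the file contents: racoon_findings "$(cat /usr/local/etc/racoon/racoon.conf /usr/local/etc/racoon/setkey.conf)". The rules are deliberately line-based so that they keep working on racoon's whitespace-insensitive syntax; they do not parse the file, so a setting split across lines will be missed.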