大型网络架构书籍下载

转载

技术极客之光 2025-05-30 14:05:14

文章标签 大型网络架构书籍下载网络开发工具操作系统 IP 文章分类 架构后端开发

1. 案例需求分析

本案例主要基于RHEL5 和Windows XP系统环境，跨越不安全的Internet网络，为异地的两个局域网及远程网管工作站建立安全的SSL ×××连接（如图8.2所示）。

其中，北京总部和上海分公司的网关服务器均使用 RHEL5 系统，需要分别配置 Open×××，用于连接两个异地的局域网 LAN1、LAN2。此外，位于 Internet 中的网管工作站使用 Windows XP系统，需要随时通过 ××× 安全隧道访问总部的局域网 LAN1 和上海分公司的局域网 LAN2。

基于 Linux 的 Open××× 网络

Open××× 远程虚拟专用网络架构

基于上述需求，可以将北京总部的网关服务器 GW1 配置为 ××× Server 模式，上海的网关服务器GW2和Internet网管工作站PC1均使用××× Client模式。分别建立两条点对点

（Point-to-Point）的SSL ×××安全隧道——“GW1 <----> GW2”、“GW1 <----> PC1”即可。

由于Internet 网络的细节不是本案例的重点，因此GW1、GW2的公网IP地址分别使用

173.74.75.76和173.74.75.77来模拟。其他网络接口地址设置如下：

GW1、GW2 的内网接口 IP 地址分别为 192.168.1.1、192.168.2.1。

? GW1 <----> GW2 隧道：分别使用虚拟 IP 地址 10.8.0.1/30、10.8.0.2/30。

? GW1 <----> PC1 隧道：分别使用虚拟 IP 地址 10.9.0.1/30、10.9.0.2/30。

另外，两地局域网的客户机需要正确设置好 IP 地址、默认网关等参数：

? LAN1 的主机使用 192.168.1.0/24 网段，默认网关设为 192.168.1.1。

? LAN2 的主机使用 192.168.2.0/24 网段，默认网关设为 192.168.2.1。

2. 配置 GW1 <----> GW2 隧道连接

本小节主要阐述如何创建第 1 条 SSL ××× 隧道，用于连接 GW1、GW2 两台服务器，以便实现北京、上海两地局域网（LAN1、LAN2）的安全互联。

主要实现过程如下：

第一步、配置主服务器（GW1）——北京

A. 配置 Internet 连接及 SNAT、路由转发

1) 配置 IP 地址

eth0 接口(173.74.75.76/24)用于连接 Internet，eth1 接口（192.168.1.1/24）用于连

接局域网（配置过程略）

2) 开启路由及 SNAT 转换

[root@gw1 ~]# vim /opt/gw1_nat.sh
sysctl -w net.ipv4.ip_forward=1
/sbin/iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to-source 173.74.75.76
[root@gw1 ~]# chmod a+x /opt/gw1_nat.sh
[root@gw1 ~]# echo "/opt/gw1_nat.sh" >> /etc/rc.local
[root@gw1 ~]# /opt/gw1_nat.sh
net.ipv4.ip_forward = 1
[root@gw1 ~]# sysctl –p

B. 安装 Open××× 服务

[root@gw1 soft_dir]# tar zxvf lzo-2.03.tar.gz
[root@gw1 soft_dir]# cd lzo-2.03
[root@gw1 lzo-2.03]# ./configure && make && make install
[root@gw1 lzo-2.03]# cd ../
[root@gw1 soft_dir]# tar zxvf open***-2.0.9.tar.gz
[root@gw1 open***-2.0.9]# ./configure && make && make install
[root@gw1 ~]# cd /soft_dir/
[root@gw1 soft_dir]# cp -p open***-2.0.9/sample-scripts/open***.init /etc/init.d/open***
[root@gw1 soft_dir]# chmod +x /etc/init.d/open***
[root@gw1 soft_dir]# chkconfig --add open***
[root@gw1 soft_dir]# chkconfig --level 2345 open*** on

C. 创建证书和密钥文件

证书和密钥文件主要用于点对点客户端的认证，以便增强安全性。为了降低密钥创建过程的复杂性，可以充分利用 Open××× 源码包提供的 easy-rsa/目录，该目录中包含一系列简单易用的脚本工具（参考“open***-2.0.9/easy-rsa/README”文件）。

3) 配置变量环境

修改 easy-rsa/vars 文件，根据实际情况适当修改预定义变量，或保持默认。在后续

创建相关文件的过程中，将会直接读取这些变量的内容。其中“KEY_DIR”变量的值决定了

新创建的密钥等文件的存放位置。

[root@gw1 ~]# cd /soft_dir/open***-2.0.9/easy-rsa/
[root@gw1 easy-rsa]# vim vars

export D=`pwd` export KEY_CONFIG=$D/openssl.cnf export KEY_DIR=$D/keys echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR export KEY_SIZE=1024 export KEY_COUNTRY=CN export KEY_PROVINCE=BeiJing export KEY_CITY=BeiJing export KEY_ORG="BENET.Inc" export KEY_EMAIL="***adm@benet.com"

export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BeiJing
export KEY_CITY=BeiJing
export KEY_ORG="BENET.Inc"
export KEY_EMAIL="***adm@benet.com"

[root@gw1 easy-rsa]# source vars //执行 vars 文件中的代码
NOTE: when you run ./clean-all, I will be doing a rm -rf on /soft_dir/open***-2.0.9/easy-rsa/keys
[root@gw1 easy-rsa]# ./clean-all //预先清除$KEY_DIR 目录

4) 创建 CA 证书

执行“./build-ca”脚本建立 CA 证书文件，根据脚本提示设置好国家代码、省份、城市、

公司名等信息，如通用识别名称“Common Name”项可以设置为 GW1 的 FQDN 名称。

后续创建的密钥文件需要依据该 CA 文件。

[root@gw1 easy-rsa]# ./build-ca

Generating a 1024 bit RSA private key .....++++++ ..............................++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BeiJing]: Locality Name (eg, city) [BISHKEK]: Organization Name (eg, company) [BENET.Inc]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:gw1.benet.com Email Address [***adm@benet.com]:

Generating a 1024 bit RSA private key
.....++++++
..............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [BENET.Inc]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gw1.benet.com
Email Address [***adm@benet.com]:

5) 创建 dh（Diffie-Hellman）密钥算法文件

执行“./build-dh”脚本即可建立 dh 文件

[root@gw1 easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........................................................................+.................................+................................................................+...................+.........................................+..+................................................................+.....................................................................................+........+.............+..............................+.......................................................................................+..........+.........................+.......................................................................................+.................+..............................+........+..............................+.........................................................................................................................................................+....................+......+.............+.........................................................+......+.......+.........................+.........................................................................................+.........................................+............................+............................+..........................................+.............................++*++*++*

6) 创建 GW1 主服务器端密钥

执行“./build-key-server”脚本可以建立××× 服务端密钥文件，根据提示设置好Common Name（gw1.benet.com），最后依次按“y”键签署（Sign）及提交（Commit）。

[root@gw1 easy-rsa]# ./build-key-server gw1 Generating a 1024 bit RSA private key .............................++++++ ....................................++++++ writing new private key to 'gw1.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BeiJing]: Locality Name (eg, city) [BISHKEK]: Organization Name (eg, company) [BENET.Inc]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:gw1.benet.com Email Address [*adm@benet.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /soft_dir/open-2.0.9/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BeiJing' localityName :PRINTABLE:'BISHKEK' organizationName :PRINTABLE:'BENET.Inc' commonName :PRINTABLE:'gw1.benet.com' emailAddress :IA5STRING:'**adm@benet.com' Certificate is to be certified until Jul 12 02:42:17 2020 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

[root@gw1 easy-rsa]# ./build-key-server gw1
Generating a 1024 bit RSA private key
.............................++++++
....................................++++++
writing new private key to 'gw1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [BENET.Inc]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gw1.benet.com
Email Address [***adm@benet.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /soft_dir/open***-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BeiJing'
localityName :PRINTABLE:'BISHKEK'
organizationName :PRINTABLE:'BENET.Inc'
commonName :PRINTABLE:'gw1.benet.com'
emailAddress :IA5STRING:'***adm@benet.com'
Certificate is to be certified until Jul 12 02:42:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7) 创建 GW2 对端服务器密钥

执行“./build-key”脚本可以建立 ××× 客户端密钥文件，同样根据提示设置好 Common Name（gw2.benet.com），最后依次按“y”签署（Sign）及提交（Commit）。

[root@gw1 easy-rsa]# ./build-key gw2 Generating a 1024 bit RSA private key ...................++++++ ..++++++ writing new private key to 'gw2.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BeiJing]: Locality Name (eg, city) [BISHKEK]: Organization Name (eg, company) [BENET.Inc]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:gw2.benet.com Email Address [*adm@benet.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /soft_dir/open-2.0.9/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BeiJing' localityName :PRINTABLE:'BISHKEK' organizationName :PRINTABLE:'BENET.Inc' commonName :PRINTABLE:'gw2.benet.com' emailAddress :IA5STRING:'**adm@benet.com' Certificate is to be certified until Jul 12 02:44:30 2020 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

[root@gw1 easy-rsa]# ./build-key gw2
Generating a 1024 bit RSA private key
...................++++++
..++++++
writing new private key to 'gw2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [BENET.Inc]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gw2.benet.com
Email Address [***adm@benet.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /soft_dir/open***-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BeiJing'
localityName :PRINTABLE:'BISHKEK'
organizationName :PRINTABLE:'BENET.Inc'
commonName :PRINTABLE:'gw2.benet.com'
emailAddress :IA5STRING:'***adm@benet.com'
Certificate is to be certified until Jul 12 02:44:30 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

注意：

使用“./build-key”脚本创建密钥时，不同的客户端对应的“Common Name”不能相同。

8) 生成 tls-auth 密钥

tls-auth 密钥可以为点对点的 ××× 连接提供了进一步的安全验证，如果选择使用这一方式，服务器端和客户端都必须拥有该密钥文件。

open*** 命令跟上“--genkey --secret”选项可以用于建立 ta 密钥文件。

[root@gw1 easy-rsa]# open*** --genkey --secret keys/ta.key

9) 最后将上述文件所在的 keys/文件夹转移至/etc/open***/目录

[root@gw1 easy-rsa]# mkdir -p /etc/open***/
[root@gw1 easy-rsa]# mv keys/ /etc/open***/

D. 创建主服务器配置文件

在服务器配置文件中指定使用 Server 模式，监听默认的 UDP 1194 端口。虚拟接口采用tun0设备。可以参考open*** 源码目录中的配置范例（open***-2.0.9/sample-config-files/server.conf）

[root@gw1 ~]# vim /etc/open***/gw1_tun0.conf

local 173.74.75.76 //指定监听服务的 IP 地址 port 1194 //为第 1 条隧道开启默认的 1194 端口 proto udp dev tun //使用 SSL Tune 的 ××× 隧道模式 ca keys/ca.crt cert keys/gw1.crt key keys/gw1.key dh keys/dh1024.pem server 10.8.0.0 255.255.255.0 //使用服务器模式，并指定 ××× 虚拟网络地址 ifconfig-pool-persist ipp.txt push "route 192.168.1.0 255.255.255.0" //为 GW2 添加到 LAN1 网段的路由 push "route 10.9.0.0 255.255.255.0" //为 GW2 添加到 PC1 的路由 push "dhcp-options DNS 210.22.84.3" //为客户端设置 DNS 服务器地址 route 192.168.2.0 255.255.255.0 //为 GW1 添加到 LAN2 网段的路由 client-config-dir ccd //允许读取 ccd/目录下的客户端配置文件 keepalive 10 120 tls-auth keys/ta.key 0 //指定 tls-auth 密钥 cipher BF-CBC //加密算法与客户端要保持一致 comp-lzo max-clients 100 //允许的最大并发 ××× 连接数 user nobody group nobody persist-key persist-tun status open*-status.log log-append open*.log verb 3 mute 20

local 173.74.75.76 //指定监听服务的 IP 地址
port 1194 //为第 1 条隧道开启默认的 1194 端口
proto udp
dev tun //使用 SSL Tune 的 ××× 隧道模式
ca keys/ca.crt
cert keys/gw1.crt
key keys/gw1.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0 //使用服务器模式，并指定 ××× 虚拟网络地址
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" //为 GW2 添加到 LAN1 网段的路由
push "route 10.9.0.0 255.255.255.0" //为 GW2 添加到 PC1 的路由
push "dhcp-options DNS 210.22.84.3" //为客户端设置 DNS 服务器地址
route 192.168.2.0 255.255.255.0 //为 GW1 添加到 LAN2 网段的路由
client-config-dir ccd //允许读取 ccd/目录下的客户端配置文件
keepalive 10 120
tls-auth keys/ta.key 0 //指定 tls-auth 密钥
cipher BF-CBC //加密算法与客户端要保持一致
comp-lzo
max-clients 100 //允许的最大并发 ××× 连接数
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 3
mute 20

E. 建立用于 GW2 的 ccd 配置文件

[root@gw1 ~]# mkdir -p /etc/open***/ccd
[root@gw1 ~]# cd /etc/open***/ccd/ //为对端服务器 GW2 创建独立的配置文件
[root@gw1 ccd]# vim gw2.benet.com

`iroute 192.168.2.0 255.255.255.0 //声明 GW2 后端的 LAN2 子网络 ifconfig-push 10.8.0.2 10.8.0.1 //指定 GW2 的本地地址（tun0）、对端地址（P-t-P）`

F. 启动 Open××× 服务

[root@gw1 ~]# service open*** start

正在启动 open***： [确定]

[root@gw1 ~]# netstat -anp | grep open***
udp 0 0 173.74.75.76:1194 0.0.0.0:* 11220/open***

附：详细的PDF完整技术文档下载：http://down.51cto.com/data/102973

转载于:https://blog.51cto.com/jiayf/349847

本文章为转载内容，我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题，欢迎原作者联系我们进行内容更正或删除文章。

上一篇：python工程如何构建st

下一篇：android查看当前task栈安卓查看进程命令

提问和评论都可以，用心的回复会被更多人看到评论

发布评论

相关文章

官方博客	全部文章	热门标签	班级博客
了解我们	网站地图	意见反馈

鸿蒙开发者社区	51CTO学堂
51CTO	软考资讯

大型网络架构 书籍下载

大型网络架构 书籍下载

51CTO博客

大型网络架构书籍下载

大型网络架构书籍下载