使用strongswan搭建屬于你自己的私有IPsec (IKEv1 & IKEv2)
在現(xiàn)實之中吭产,虛擬網(wǎng)絡專用通道可以滿足我們很多的需求坯钦,比如總公司和分公司之間盈滴,如果需要實現(xiàn)局域網(wǎng)之間通訊互相訪問迹淌,使用虛擬網(wǎng)絡專用通道是一個很好的解決方案顷牌,還有我們服務器展父,很多時候服務器可能只是允許某個ip進行登陸返劲,需要允許管理員進行撥號進行,下面教程是以StrongSwan為基礎來搭建我們的VPN平臺
一栖茉、 環(huán)境和前期準備工作
?? 1. 環(huán)境
- CentOS 7 最小化安裝版
- strongswan-5.3.5 ? 到strongswan官網(wǎng)下載篮绿,或者點擊這里下載
- 1G 內(nèi)存
- 1核CPU
2. 配置環(huán)境
- 配置主機名 (可選)
- 關閉selinux(Centos)
vim /etc/selinux/conf
# 把 SELINUX=enforcing 改為 SELINUX=disabled
setenforce = 0
- 安裝必要地軟件包,直接使用yum安裝
#CentOS 安裝如下
yum update -y
yum upgrade -y
yum -y install pam-devel openssl-devel make gcc curl wget
#Ubuntu 安裝如下
apt-get update -y ; apt-get upgrade -y
apt-get -y install libpam0g-dev libssl-dev make gcc curl wget
<br />
二吕漂、 搭建步驟
我們下載所有軟件地存放位置是 /usr/local/src 這里
- 下載strongswan,并解壓安裝
cd /usr/local/src #進到下載目錄
wget --no-check-certificate https://download.strongswan.org/strongswan-5.3.5.tar.gz #進行下載
tar -zvxf strongswan-5.3.5.tar.gz #解壓軟件
cd strongswan-5.3.5 #進到目錄
mkdir /usr/local/strongswan #創(chuàng)建安裝目錄
#編譯安裝
#KVM亲配、XEN虛擬化方案的主機使用以下配置編譯,OpenVZ的主機需要在后面添加 --enable-kernel-libipsec
./configure --prefix=/usr/local/strongswan --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --enable-openssl --disable-gmp
make #編譯
make install #安裝
# 做軟連接
ln -s /usr/local/strongswan/sbin/* /usr/local/sbin
ln -s /usr/local/strongswan/bin/* /usr/local/bin
注意事項: 安裝后一定要做軟連接痰娱,并且清楚自己的虛擬化方案是哪個弃榨,加入正確的配置,否者會照成無法上網(wǎng)
- 進行CA配置
CA 生成存放目錄為 /usr/local/src/ca
創(chuàng)建ca目錄
mkdir /usr/local/src/ca
- 生成私鑰和根證書,并且根證書使用的是自簽名形式
這里C表示國家名,O表示組織單位梨睁,CN表示通用名字
ipsec pki --gen --outform pem > ca.key.pem
ipsec pki --self --in ca.key.pem --dn "C=CN, O=MyStrongSwan, CN=MyStrongSwan CA" --ca --lifetime 3650 --outform pem > ca.cert.pem
- 生成服務器證書
ipsec pki --gen --outform pem > server.key.pem
ipsec pki --pub --in server.key.pem --outform pem > server.pub.pem
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in server.pub.pem --dn "C=CN, O=MyStrongSwan, CN=myDomain.com" --san="myDomain.com" --san="YourIP" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
注意事項 : 服務器這邊的CN一定是你網(wǎng)卡的ip鲸睛,或者你網(wǎng)卡ip對應的域名,--san 設置設置別名坡贺,建議設置兩個或者兩個以上官辈,分別為你的域名和網(wǎng)卡ip;–flag serverAuth 表示證書使用用途箱舞,不加windows 7會報錯,非 iOS 的 Mac OS X 要求了“IP 安全網(wǎng)絡密鑰互換居間(IP Security IKE Intermediate)”這種增強型密鑰用法(EKU)拳亿,–flag ikdeIntermediate;
- 生成客戶端證書 (可選)
ipsec pki --gen --outform pem > client.key.pem
ipsec pki --pub --in client.key.pem --outform pem > client.pub.pem
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in client.pub.pem --dn "C=CN, O=MyStrongSwan, CN=MyDomain.com" --outform pem > client.cert.pem
#以下生成證書需要密碼地晴股,請設置密碼,因為MAC不能導入密碼為空的證書
openssl pkcs12 -export -inkey client.key.pem -in client.cert.pem -name "MyStrongSwan Client Cert" -certfile ca.cert.pem -caname "MyStrongSwan CA" -out client.cert.p12
- 安裝證書
\cp -r ca.key.pem /usr/local/strongswan/etc/ipsec.d/private/
\cp -r ca.cert.pem /usr/local/strongswan/etc/ipsec.d/cacerts/
\cp -r server.cert.pem /usr/local/strongswan/etc/ipsec.d/certs/
\cp -r server.key.pem /usr/local/strongswan/etc/ipsec.d/private/
\cp -r client.cert.pem /usr/local/strongswan/etc/ipsec.d/certs/
\cp -r client.key.pem /usr/local/strongswan/etc/ipsec.d/private/
- 配置ipsec.conf
vim /usr/local/strongswan/etc/ipsec.conf
config setup
uniqueids=no
conn %default
compress = yes
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
keyexchange = ike
keyingtries = 1
#for andorid肺魁、ios电湘、mac
conn cisco_xauth_psk
left = %any
leftid = YourIP or Domain
leftauth = psk
leftfirewall = yes
fragmentation = yes
leftsubnet = 0.0.0.0/0
right = %any
rightauth = psk
rightauth2 = xauth
rightsourceip = 172.16.6.0/24
rekey = no
auto = add
dpdaction=clear
#for windows 7/10 , strongswan agent and other ca
conn IKEv2-EAP-Windows
leftca = "C=CN, O=,MyStrongSwan; CN=YourIP or domain"
leftcert = server.cert.pem
leftsendcert = always
rightsendcert = never
leftid = YourIP or domain
left = %any
right = %any
leftauth = pubkey #使用證書形式認證
rightauth = eap-radius #認證使用radius
leftfirewall = yes
leftsubnet = 0.0.0.0/0 #全部流量走vpn
rightsourceip = 172.16.7.0/24
fragmentation = yes #包重組
eap_identity = %any
rekey = no #不重復檢查,用來開啟多設備登錄
auto = add
dpdaction=clear #斷開后清空
- 配置 strongswan.conf
vim /usr/local/strongswan/etc/strongswan.conf
charon {
filelog {
/var/log/strongswan.charon.log {
time_format = %b %e %T
default = 2
append = no
flush_line = yes
}
}
load_modular = yes
duplicheck.enable = no #是為了你能同時連接多個設備鹅经,所以要把冗余檢查關閉
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 223.5.5.5
#only for windows
nbns1 = 8.8.8.8
nbns2 = 223.5.5.5
}
include strongswan.d/*.conf
- 配置 ipsec.secrets
: RSA server.key.pem
: PSK "visionsrv"
: XAUTH "visionsrv"
myvpn %any : EAP "123456"
- 配置Firewall和轉發(fā)
1.開放端口
firewall-cmd --add-port=500/tcp --permanent
firewall-cmd --add-port=500/udp --permanent
firewall-cmd --add-port=4500/tcp --permanent
firewall-cmd --add-port=4500/udp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload
2.編輯 /etc/systcl.conf
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
3.開啟 firewall的轉發(fā)功能
iptables -t nat -A POSTROUTING -s 172.16.6.0/24 -o ens160 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.7.0/24 -o ens160 -j MASQUERADE
- 啟動服務
ipsec start
systemctl restart strongswan
三寂呛、 各種終端測試