使用strongswan搭建属于你自己的IPsec (IKEv1 & IKEv2)
在现实之中,VPN可以满足我们很多的需求,比如总公司和分公司之间,如果需要实现局域网之间通讯互相访问,使用VPN是一个很好的解决方案,还有我们服务器,很多时候服务器可能只是允许某个ip进行登陆,需要允许管理员进行拨号进行,下面教程是以StrongSwan为基础来搭建我们的VPN平台
一、 环境和前期准备工作
1. 环境
- CentOS 7 最小化安装版
- strongswan-5.3.5 到strongswan官网下载,或者点击这里下载
- 1G 内存
- 1核CPU
2. 配置环境
- 配置主机名 (可选)
- 关闭selinux(Centos)
vim /etc/selinux/conf
# 把 SELINUX=enforcing 改为 SELINUX=disabled
setenforce = 0
- 安装必要地软件包,直接使用yum安装
#CentOS 安装如下
yum update -y
yum upgrade -y
yum -y install pam-devel openssl-devel make gcc curl wget
#Ubuntu 安装如下
apt-get update -y ; apt-get upgrade -y
apt-get -y install libpam0g-dev libssl-dev make gcc curl wget
二、 搭建步骤
我们下载所有软件地存放位置是 /usr/local/src 这里
- 下载strongswan,并解压安装
cd /usr/local/src #进到下载目录
wget --no-check-certificate https://download.strongswan.org/strongswan-5.3.5.tar.gz #进行下载
tar -zvxf strongswan-5.3.5.tar.gz #解压软件
cd strongswan-5.3.5 #进到目录
mkdir /usr/local/strongswan #创建安装目录
#编译安装
#KVM、XEN虚拟化方案的主机使用以下配置编译,OpenVZ的主机需要在后面添加 --enable-kernel-libipsec
./configure --prefix=/usr/local/strongswan --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --enable-openssl --disable-gmp
make #编译
make install #安装
# 做软连接
ln -s /usr/local/strongswan/sbin/* /usr/local/sbin
ln -s /usr/local/strongswan/bin/* /usr/local/bin
注意事项: 安装后一定要做软连接,并且清楚自己的虚拟化方案是哪个,加入正确的配置,否者会照成无法上网
- 进行CA配置
CA 生成存放目录为 /usr/local/src/ca
创建ca目录
mkdir /usr/local/src/ca
- 生成私钥和根证书,并且根证书使用的是自签名形式
这里C表示国家名,O表示组织单位,CN表示通用名字
ipsec pki --gen --outform pem > ca.key.pem
ipsec pki --self --in ca.key.pem --dn "C=CN, O=MyStrongSwan, CN=MyStrongSwan CA" --ca --lifetime 3650 --outform pem > ca.cert.pem
- 生成服务器证书
ipsec pki --gen --outform pem > server.key.pem
ipsec pki --pub --in server.key.pem --outform pem > server.pub.pem
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in server.pub.pem --dn "C=CN, O=MyStrongSwan, CN=myDomain.com" --san="myDomain.com" --san="YourIP" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
注意事项 : 服务器这边的CN一定是你网卡的ip,或者你网卡ip对应的域名,--san 设置设置别名,建议设置两个或者两个以上,分别为你的域名和网卡ip;–flag serverAuth 表示证书使用用途,不加windows 7会报错,非 iOS 的 Mac OS X 要求了“IP 安全网络密钥互换居间(IP Security IKE Intermediate)”这种增强型密钥用法(EKU),–flag ikdeIntermediate;
- 生成客户端证书 (可选)
ipsec pki --gen --outform pem > client.key.pem
ipsec pki --pub --in client.key.pem --outform pem > client.pub.pem
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in client.pub.pem --dn "C=CN, O=MyStrongSwan, CN=MyDomain.com" --outform pem > client.cert.pem
#以下生成证书需要密码地,请设置密码,因为MAC不能导入密码为空的证书
openssl pkcs12 -export -inkey client.key.pem -in client.cert.pem -name "MyStrongSwan Client Cert" -certfile ca.cert.pem -caname "MyStrongSwan CA" -out client.cert.p12
- 安装证书
\cp -r ca.key.pem /usr/local/strongswan/etc/ipsec.d/private/
\cp -r ca.cert.pem /usr/local/strongswan/etc/ipsec.d/cacerts/
\cp -r server.cert.pem /usr/local/strongswan/etc/ipsec.d/certs/
\cp -r server.key.pem /usr/local/strongswan/etc/ipsec.d/private/
\cp -r client.cert.pem /usr/local/strongswan/etc/ipsec.d/certs/
\cp -r client.key.pem /usr/local/strongswan/etc/ipsec.d/private/
- 配置ipsec.conf
vim /usr/local/strongswan/etc/ipsec.conf
config setup
uniqueids=no
conn %default
compress = yes
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
keyexchange = ike
keyingtries = 1
#for andorid、ios、mac
conn cisco_xauth_psk
left = %any
leftid = YourIP or Domain
leftauth = psk
leftfirewall = yes
fragmentation = yes
leftsubnet = 0.0.0.0/0
right = %any
rightauth = psk
rightauth2 = xauth
rightsourceip = 172.16.6.0/24
rekey = no
auto = add
dpdaction=clear
#for windows 7/10 , strongswan agent and other ca
conn IKEv2-EAP-Windows
leftca = "C=CN, O=,MyStrongSwan; CN=YourIP or domain"
leftcert = server.cert.pem
leftsendcert = always
rightsendcert = never
leftid = YourIP or domain
left = %any
right = %any
leftauth = pubkey #使用证书形式认证
rightauth = eap-radius #认证使用radius
leftfirewall = yes
leftsubnet = 0.0.0.0/0 #全部流量走vpn
rightsourceip = 172.16.7.0/24
fragmentation = yes #包重组
eap_identity = %any
rekey = no #不重复检查,用来开启多设备登录
auto = add
dpdaction=clear #断开后清空
- 配置 strongswan.conf
vim /usr/local/strongswan/etc/strongswan.conf
charon {
filelog {
/var/log/strongswan.charon.log {
time_format = %b %e %T
default = 2
append = no
flush_line = yes
}
}
load_modular = yes
duplicheck.enable = no #是为了你能同时连接多个设备,所以要把冗余检查关闭
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 223.5.5.5
#only for windows
nbns1 = 8.8.8.8
nbns2 = 223.5.5.5
}
include strongswan.d/*.conf
- 配置 ipsec.secrets
: RSA server.key.pem
: PSK "visionsrv"
: XAUTH "visionsrv"
myvpn %any : EAP "123456"
- 配置Firewall和转发
1.开放端口
firewall-cmd --add-port=500/tcp --permanent
firewall-cmd --add-port=500/udp --permanent
firewall-cmd --add-port=4500/tcp --permanent
firewall-cmd --add-port=4500/udp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload
2.编辑 /etc/systcl.conf
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
3.开启 firewall的转发功能
iptables -t nat -A POSTROUTING -s 172.16.6.0/24 -o ens160 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.7.0/24 -o ens160 -j MASQUERADE
- 启动服务
ipsec start
systemctl restart strongswan
三、 各种终端测试