使用StrongSwan 搭建IPSec ×××支持IOS 6.0 & 6.0+
1.背景:
此次研究用StrongSwan搭建IPsec,主要是因为iPhone升级到iOS 10.0后,原来公司搭建的PPTP ×××已经不再支持,所以需要立即采用其他的×××接入方式,于是在网上了解到StrongSwan,并开始部署和使用。
2.StrongSwan 安装
我的底层是centos6.6,安装方式有两种,yum 和源码包的安装,可从网上down些文档
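#!/usr/bin/env bash
# Build strongSwan from source with the EAP/XAuth plugins this guide relies on.
# Run as a user allowed to write to the install prefix (make install).
set -euo pipefail

# Fetch the release tarball over TLS (the guide used plain http, which lets the
# archive be swapped in transit) and verify the signature the project publishes
# next to it before building.
wget https://download.strongswan.org/strongswan.tar.gz
tar xzf strongswan.tar.gz
cd strongswan-*/

# A single configure run: the guide listed the command twice with the line
# continuations collapsed, and --enable-openssl was repeated.
# --enable-kernel-libipsec is present only in the guide's first variant; drop it
# to use the in-kernel IPsec stack instead of the userland one.
./configure \
  --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
  --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius \
  --enable-xauth-eap --enable-xauth-pam --enable-dhcp \
  --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools \
  --disable-gmp --enable-kernel-libipsec

# '&&' instead of ';' so a failed build never reaches make install.
make && make install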
3.生成证书和密钥
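#!/usr/bin/env bash
# Generate the CA, server and client key pairs and certificates with the
# strongSwan pki tool, bundle the client identity as PKCS#12 and install the
# server-side material under /etc/strongswan/ipsec.d/.
# Usage: SERVER_ADDR=<public address> bash gen-certs.sh
#        (defaults to the address used in the guide)
set -euo pipefail

# Address the server certificate is issued for; it goes into CN and SAN and
# must match what the clients dial.
server_addr="${SERVER_ADDR:-123.58.230.60}"
readonly server_addr

# Private keys must never be group- or world-readable: create them 0600.
umask 077

# openssl is only needed for the pkcs12 export at the end.
yum install -y openssl

# CA key and self-signed CA certificate (the guide ran --gen twice; once is enough).
strongswan pki --gen --outform pem > ca.pem
strongswan pki --self --in ca.pem --dn "C=com, O=IPSec×××, CN=×××CA" --ca --outform pem > ca.cert.pem

# Server key and certificate with the serverAuth and ikeIntermediate flags.
strongswan pki --gen --outform pem > server.pem
strongswan pki --pub --in server.pem \
  | strongswan pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=com,O=IPSec×××,CN=${server_addr}" --san="${server_addr}" \
      --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

# Client key and certificate, then the PKCS#12 bundle imported on the phone
# (openssl prompts for the export password interactively).
strongswan pki --gen --outform pem > client.pem
strongswan pki --pub --in client.pem \
  | strongswan pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=com,O=IPSec×××,CN=××× Client" --outform pem > client.cert.pem
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client " \
  -certfile ca.cert.pem -caname "×××CA" -out client.cert.p12

# Install the server-side material. ca.pem (the CA private key) and the client
# files are left in the working directory: move the CA key off the gateway once
# issuance is done, and hand client.cert.p12 to the user over a trusted channel.
mv -f -- ca.cert.pem /etc/strongswan/ipsec.d/cacerts/
mv -f -- server.cert.pem /etc/strongswan/ipsec.d/certs/
mv -f -- server.pem /etc/strongswan/ipsec.d/private/
chmod 600 /etc/strongswan/ipsec.d/private/server.pem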
4.配置/etc/strongswan/ipsec.conf 文件
conn iOS_cert
keyexchange=ikev2
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=10.130.0.0/16
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=10.4.2.2/16
rightcert=client.cert.pem
auto=add
conn android_xauth_psk #conn 后面的名称可以任意定义,但是要确保唯一
keyexchange=ikev1 #ipsec ***目前使用的是IKEv1
left=%any #left相对于right,left代表server端,right代表client端,%any代表server端地址是任意的!
#type = tunnel 这个是隧道模式tunnel,可选的还有transport(传输模式)
leftauth=psk #这个是使用预共享密钥做认证
leftsubnet=0.0.0.0/0 # client should be told to route through the tunnel
right=%any # client IP is unknown
rightauth=psk
rightauth2=xauth
rightsourceip=172.28.0.66/16 #client vip to access leftsubnet
auto=add
conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=10.130.0.0/16
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightsourceip=10.4.2.2/16
rightcert=client.cert.pem
auto=add
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024! # 注意:modp1024(DH group 2)强度较弱,这里只是为了兼容旧版Windows客户端;客户端支持时应改用modp2048
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=10.130.0.0/16
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.4.250.160/27
rightsendcert=never
eap_identity=%any
auto=add
#绿色部分代表是我当前在用的配置文件
5.配置strongswan.conf 文件
cat /etc/strongswan/strongswan.conf
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
}
include strongswan.d/*.conf
6.配置/etc/strongswan/ipsec.secrets
: RSA server.pem
: PSK "xxxxx"
: XAUTH "xxxxx"
zhanglong : EAP "xxxx2"
7.IPhone手机连接
雪飘人间带你走进StrongSwan
转载于:https://blog.51cto.com/2825930/2286864