IPsec VPN build and deployment (strongSwan 5.4.0)

Source: Internet. Editor: 程序博客网. Date: 2024/06/05 10:45

Four virtual machines are simulated in VirtualBox, all running Linux Mint (Ubuntu-based).

VM 1: gateway; eth0 192.168.1.119 / eth1 192.85.0.1. Two NICs: eth0 is bridged, eth1 is on an internal network.

VM 2: gateway (remote side); eth0 192.168.1.120 / eth1 192.86.0.1. Two NICs: eth0 is bridged, eth1 is on an internal network.

VM 3: 192.85.0.2, a host on VM 1's internal network

VM 4: 192.86.0.2, a host on VM 2's internal network

Reference: https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples, the remote-access and site-to-site examples.


1. Building and installing on x86

wget http://download.strongswan.org/strongswan-5.4.0.tar.bz2
# unpack and enter the source tree (step implied by the original)
tar xjf strongswan-5.4.0.tar.bz2 && cd strongswan-5.4.0
apt-get install libgmp-dev
apt-get install libssl-dev
./configure --sysconfdir=/etc --enable-openssl
make && make install

2. Starting the service

ipsec start
ipsec restart

Important configuration files:
/etc/ipsec.conf
/etc/ipsec.secrets
/etc/strongswan.conf
Configuration directories:
/etc/ipsec.d
/etc/strongswan.d


3. Certificates and installing them

For simplicity only one CA certificate is generated, gscakey.pem; copy this file to /etc/ipsec.d/cacerts on all four VMs.

On VM 1 and VM 2, generate each machine's own server and client certificates.

Put the certificates clientcert.pem / servercert.pem in each machine's /etc/ipsec.d/certs.

Put the private keys clientkey.pem / serverkey.pem in each machine's /etc/ipsec.d/private.

#!/bin/bash
# HostName has no real meaning
export HostName=`hostname`
# The IP is the WAN IP address
export TheIP=`ifconfig eth0 | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`
# Certification PATH
export CertPath=""

# CA certificate, the issuing authority both sides trust:
ipsec pki --gen --outform pem > gscakey.pem
ipsec pki --self --in gscakey.pem --dn "C=CH, O=women, CN=gs" --ca --outform pem > gscacert.pem

# Server certificate, issued (public key signed) by the CA above.
# Android and iOS require the subjectAltName (--san) to be the server's URL or IP address.
ipsec pki --gen --outform pem > serverkey.pem
ipsec pki --pub --in serverkey.pem | ipsec pki --issue --cacert gscacert.pem --cakey gscakey.pem --dn "C=CH, O=women, CN=@women.server.com" --san="$TheIP" --flag serverAuth --outform pem > servercert.pem

# Client certificate:
ipsec pki --gen --outform pem > clientkey.pem
ipsec pki --pub --in clientkey.pem | ipsec pki --issue --cacert gscacert.pem --cakey gscakey.pem --dn "C=CH, O=women, CN=@women.client.com" --outform pem > clientcert.pem

# Generate a PKCS#12 bundle (optional, for phones or Windows):
#openssl pkcs12 -export -inkey clientkey.pem -in clientcert.pem -name "client.$HostName" -certfile gscacert.pem -caname "client.$TheIP" -out clientcert."$HostName".p12

4. /etc/ipsec.conf on VM 1, 192.168.1.119

config setup
    uniqueids=never

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn networkmanager-strongswan
    # key exchange protocol
    keyexchange=ikev2
    left=%any
    leftid=@women.server.com
    leftauth=pubkey
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftcert=servercert.pem
    right=%any
    # eap-md5 (Windows) client authentication method
    #rightauth=eap-mschapv2
    # IKEv2 EAP (username/password)
    # client authentication method: certificate
    rightauth=pubkey
    rightsourceip=10.39.165.0/24
    rightcert=clientcert.pem
    auto=add

conn win10-EAP
    # key exchange protocol
    keyexchange=ikev2
    left=%any
    leftid=@women.server.com
    leftauth=pubkey
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftcert=servercert.pem
    right=%any
    # eap-md5 (Windows) client authentication method
    # IKEv2 EAP (username/password)
    rightauth=eap-mschapv2
    rightsourceip=10.39.165.0/24
    auto=add

conn net-net
    keyexchange=ikev2
    left=192.168.1.119
    #leftsubnet=192.85.0.0/16
    leftid=@women.server.com
    leftfirewall=yes
    leftsourceip=%config
    leftcert=clientcert.remoteserver.pem
    right=192.168.1.120
    rightsubnet=192.86.0.0/16
    rightid=%any
    auto=add

conn net-net-psk
    keyexchange=ikev2
    authby=secret
    left=192.168.1.119
    leftsubnet=192.85.0.0/16
    leftid=@women.server.com
    leftfirewall=yes
    right=192.168.1.120
    rightsubnet=192.86.0.0/16
    rightid=@women.server.com
    auto=add

5. /etc/ipsec.secrets on VM 1 (192.168.1.119) and VM 2 (192.168.1.120)

Contains the EAP / eap-mschapv2 user moon, used for the Windows 10 login (tested).

The PSK (pre-shared key) method is common in many routers' VPN configurations.

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA serverkey.pem
: RSA clientkey.remoteserver.pem
moon : EAP "moon"
@women.server.com %any : PSK "hello"

6. /etc/strongswan.conf on VM 1 (192.168.1.119) and VM 2 (192.168.1.120)

Writes a log to /var/log/strongswan.charon.log, which makes troubleshooting easier.

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    duplicheck.enable = no
    dns1 = 192.168.1.1
    nbns1 = 192.168.1.1
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 2
            append = no
            flush_line = yes
        }
    }
}

include strongswan.d/*.conf
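Once the log exists, the two questions that come up most are "which tunnels actually came up" and "who keeps failing authentication". The script below is an added example, not part of the original post; the log lines are constructed in the filelog style configured above (time_format = %b %e %T, one NN[IKE] worker tag per line) and are not a capture from the VMs. Attributing an EAP failure to a peer address uses the worker tag shared with that exchange's "is initiating an IKE_SA" line; that is an assumption that holds for these constructed lines and is stated here, not a guarantee about every charon build. The peer addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: read-only triage of the charon
# file log enabled in section 6. SAMPLE_LOG is constructed here.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun  5 10:45:01 05[IKE] IKE_SA net-net-psk[1] established between 192.168.1.119[women.server.com]...192.168.1.120[women.server.com]
Jun  5 10:45:01 05[IKE] CHILD_SA net-net-psk{1} established with SPIs c1a2b3c4_i d4e5f6a7_o and TS 192.85.0.0/16 === 192.86.0.0/16
Jun  5 10:46:10 07[IKE] 192.168.1.77 is initiating an IKE_SA
Jun  5 10:46:10 07[IKE] EAP-MSCHAPv2 verification failed, retry (1)
Jun  5 10:46:11 08[IKE] 192.168.1.77 is initiating an IKE_SA
Jun  5 10:46:11 08[IKE] EAP-MSCHAPv2 verification failed, retry (1)
Jun  5 10:46:12 09[IKE] 192.168.1.77 is initiating an IKE_SA
Jun  5 10:46:12 09[IKE] EAP-MSCHAPv2 verification failed, retry (1)
Jun  5 10:47:30 10[IKE] 192.168.1.80 is initiating an IKE_SA
Jun  5 10:47:31 10[IKE] CHILD_SA win10-EAP{2} established with SPIs a1b2c3d4_i e5f6a7b8_o and TS 0.0.0.0/0 === 10.39.165.1/32
EOF

# Count established CHILD_SAs per connection name; prints "name count".
# The name is the token between "CHILD_SA " and "{".
established_child_sas() {
    awk '
        /CHILD_SA .*established/ && match($0, /CHILD_SA [^{ ]+[{]/) {
            n = substr($0, RSTART + 9, RLENGTH - 10); c[n]++
        }
        END { for (k in c) printf "%s %d\n", k, c[k] }
    ' "$1" | sort
}

# List peers with at least $2 failed EAP/AUTH attempts; prints "ip count".
# $4 is the worker tag (e.g. 07[IKE]), $5 the first word after it.
failed_auth_by_peer() {
    awk -v min="$2" '
        / is initiating an IKE_SA/ { last[$4] = $5; next }
        /verification failed/ || /AUTHENTICATION_FAILED/ { if ($4 in last) f[last[$4]]++ }
        END { for (ip in f) if (f[ip] >= min) printf "%s %d\n", ip, f[ip] }
    ' "$1" | sort
}
```

On a gateway, point both functions at /var/log/strongswan.charon.log; the second one with a threshold of 3 or more is a reasonable thing to feed into whatever alerting the network already has.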


7. /etc/ipsec.conf on VM 2, 192.168.1.120

config setup
    uniqueids=never

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn networkmanager-strongswan
    # key exchange protocol
    keyexchange=ikev2
    left=%any
    leftid=@women.server.com
    leftauth=pubkey
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftcert=servercert.pem
    right=%any
    # eap-md5 (Windows) client authentication method
    #rightauth=eap-mschapv2
    # IKEv2 EAP (username/password)
    # client authentication method: certificate
    rightauth=pubkey
    rightsourceip=10.39.15.0/24
    rightcert=clientcert.pem
    auto=add

conn win10-EAP
    # key exchange protocol
    keyexchange=ikev2
    left=%any
    leftid=@women.server.com
    leftauth=pubkey
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftcert=servercert.pem
    right=%any
    # eap-md5 (Windows) client authentication method
    # IKEv2 EAP (username/password)
    rightauth=eap-mschapv2
    rightsourceip=10.39.15.0/24
    auto=add

conn net-net
    keyexchange=ikev2
    left=192.168.1.120
    #leftsubnet=192.86.0.0/16
    leftid=@women.server.com
    leftfirewall=yes
    leftsourceip=%config
    leftcert=clientcert.remoteserver.pem
    right=192.168.1.119
    rightsubnet=192.85.0.0/16
    rightid=%any
    auto=add

conn net-net-psk
    keyexchange=ikev2
    authby=secret
    esp=3des-sha1!
    left=192.168.1.120
    leftsubnet=192.86.0.0/16
    leftid=@women.server.com
    leftfirewall=yes
    right=192.168.1.119
    rightsubnet=192.85.0.0/16
    rightid=@women.server.com
    auto=add
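Two settings in sections 4, 5 and 7 deserve a second look before this leaves the lab: the VM 2 net-net-psk connection pins the ESP proposal to 3des-sha1, and ipsec.secrets offers the five-character PSK "hello" to %any. The audit below is an added example, not part of the post or of strongSwan; it reads ipsec.conf and ipsec.secrets without changing anything and prints one finding per line. The sample files are constructed inline from the configs above, and the "weak" list (3des, des, null, md5, modp768, modp1024) and the 20-character PSK floor are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only audit of ipsec.conf
# and ipsec.secrets. SAMPLE_DIR and its files are constructed here.

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ipsec.conf" <<'EOF'
conn %default
    keyexchange=ikev2
conn net-net
    leftcert=clientcert.remoteserver.pem
    rightid=%any
    auto=add
conn net-net-psk
    keyexchange=ikev2
    authby=secret
    esp=3des-sha1!
    rightid=@women.server.com
    auto=add
EOF
cat > "$SAMPLE_DIR/ipsec.secrets" <<'EOF'
: RSA serverkey.pem
moon : EAP "moon"
@women.server.com %any : PSK "hello"
EOF

# Prints "<conn>: <problem>" per finding. Tracks the current conn name so a
# finding can be attributed; ike=/esp= proposals are checked for legacy
# primitives that strongSwan still honours when configured explicitly.
audit_ipsec_conf() {
    awk '
        /^[ \t]*#/ { next }
        /^conn[ \t]+/ { conn = $2; next }
        /^[ \t]*(ike|esp)[ \t]*=/ {
            v = tolower($0); sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v)
            if (v ~ /(^|[-!])(3des|des|null)($|[-!])/ || v ~ /md5|modp768|modp1024/)
                printf "%s: weak proposal %s\n", conn, v
            next
        }
        /^[ \t]*authby[ \t]*=[ \t]*secret/ {
            printf "%s: pre-shared-key authentication in use\n", conn; next
        }
    ' "$1"
}

# Flags PSK lines whose secret is shorter than 20 characters or whose
# selector includes %any (the same secret is offered to every peer address).
audit_ipsec_secrets() {
    awk '
        /^[ \t]*#/ { next }
        /:[ \t]*PSK[ \t]+"/ {
            sel = $0; sub(/[ \t]*:[ \t]*PSK.*/, "", sel)
            secret = $0; sub(/.*PSK[ \t]+"/, "", secret); sub(/".*/, "", secret)
            if (length(secret) < 20)
                printf "PSK for [%s]: only %d characters\n", sel, length(secret)
            if (sel ~ /%any/)
                printf "PSK for [%s]: selector includes %%any\n", sel
        }
    ' "$1"
}
```

Run `audit_ipsec_conf /etc/ipsec.conf; audit_ipsec_secrets /etc/ipsec.secrets` on each gateway; an empty output is the goal. The audit only reads the secrets file, so run it as root and do not redirect its output anywhere world-readable, since a finding line echoes the selector (not the secret).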


8. Network configuration on VM 1 and VM 2 (identical)

sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.86.0.0/16 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -s 192.86.0.0/16 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.85.0.0/16 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -s 192.85.0.0/16 -j ACCEPT
# "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" fails because the redirection runs as the unprivileged user; set the flag through sysctl instead
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

9. VM 4 configuration; VM 3 is configured the same way

ifconfig eth0 192.86.0.2 netmask 255.255.255.0
route add default gw 192.86.0.1
echo 1 > /proc/sys/net/ipv4/ip_forward

10. Bringing up the VPN between VM 1 and VM 2

ipsec up net-net-psk

With the peer's certificate placed at /etc/ipsec.d/certs/clientcert.remoteserver.pem on each side, the certificate-based connection can be brought up as follows:

ipsec up net-net

VM 3 and VM 4 can now reach each other.


Cross-compiling and deploying

1. For cross-compilation, build openssl and gmp beforehand and install them under /disk2/tools/arm-release

./configure --host=arm-xilinx-linux-gnueabi --prefix=/disk2/tools/ipsec-vpn/arm-release-5.4.0/ --enable-openssl --with-lib-prefix=/disk2/tools/arm-release --sysconfdir=/etc/ipsec --libexecdir=/libexec --with-ipseclibdir=/lib/ipsec --disable-scepclient

make && make install


2. Linux kernel adjustments

See https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

