IPSec-VPN Build and Deployment (Strongswan 5.4.0)
Source: Internet  Posted by: 淘宝运营视频  Editor: 程序博客网  Date: 2024/06/05 10:45
Four Mint Linux (Ubuntu-based) virtual machines are simulated in VirtualBox:
VM1: gateway, eth0 192.168.1.119 / eth1 192.85.0.1; two NICs, eth0 bridged and eth1 on an internal network
VM2: remote gateway, eth0 192.168.1.120 / eth1 192.86.0.1; two NICs, eth0 bridged and eth1 on an internal network
VM3: 192.85.0.2, a host on VM1's internal network
VM4: 192.86.0.2, a host on VM2's internal network
Reference: https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples, the remote access and site-to-site examples
1. Building and installing on x86
wget http://download.strongswan.org/strongswan-5.4.0.tar.bz2
apt-get install libgmp-dev
apt-get install libssl-dev
# unpack the source and enter it (step missing from the original command list)
tar xjf strongswan-5.4.0.tar.bz2 && cd strongswan-5.4.0
./configure --sysconfdir=/etc --enable-openssl
make && make install
2. Starting the service
ipsec start
ipsec restart
Important configuration files:
/etc/ipsec.conf
/etc/ipsec.secrets
/etc/strongswan.conf
Configuration directories:
/etc/ipsec.d
/etc/strongswan.d
3. Certificates and installing them
For simplicity only one CA is generated, gscakey.pem; copy this file to /etc/ipsec.d/cacerts on all four VMs
On VM1 and VM2, generate each machine's own server and client certificates
Put the certificates clientcert.pem / servercert.pem in each machine's /etc/ipsec.d/certs
Put the private keys clientkey.pem / serverkey.pem in each machine's /etc/ipsec.d/private
#!/bin/bash
# HostName has no real meaning
export HostName=`hostname`
# The IP is the WAN IP address
export TheIP=`ifconfig eth0 | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`
# Certification PATH
export CertPath=""
# CA certificate, the issuing authority both sides trust.
# gscakey.pem is the CA private key; gscacert.pem is the certificate peers need to verify each other.
ipsec pki --gen --outform pem > gscakey.pem
ipsec pki --self --in gscakey.pem --dn "C=CH, O=women, CN=gs" --ca --outform pem > gscacert.pem
# Server certificate, issued by the CA above (public key):
# Android and iOS require the server's subject alternative name (--san) to be the server URL or IP address
ipsec pki --gen --outform pem > serverkey.pem
ipsec pki --pub --in serverkey.pem | ipsec pki --issue --cacert gscacert.pem --cakey gscakey.pem --dn "C=CH, O=women, CN=@women.server.com" --san="$TheIP" --flag serverAuth --outform pem > servercert.pem
# Client certificate:
ipsec pki --gen --outform pem > clientkey.pem
ipsec pki --pub --in clientkey.pem | ipsec pki --issue --cacert gscacert.pem --cakey gscakey.pem --dn "C=CH, O=women, CN=@women.client.com" --outform pem > clientcert.pem
# Generate a PKCS#12 bundle (optional, for phones or Windows)
#openssl pkcs12 -export -inkey clientkey.pem -in clientcert.pem -name "client.$HostName" -certfile gscacert.pem -caname "client.$TheIP" -out clientcert."$HostName".p12
4. /etc/ipsec.conf / VM1, 192.168.1.119
config setup
    uniqueids=never

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn networkmanager-strongswan
    # key exchange protocol
    keyexchange=ikev2
    left=%any
    leftid=@women.server.com
    leftauth=pubkey
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftcert=servercert.pem
    right=%any
    # client authentication via IKEv2 EAP (username/password): eap-mschapv2, or eap-md5 for Windows
    #rightauth=eap-mschapv2
    # client authentication with a certificate
    rightauth=pubkey
    rightsourceip=10.39.165.0/24
    rightcert=clientcert.pem
    auto=add

conn win10-EAP
    # key exchange protocol
    keyexchange=ikev2
    left=%any
    leftid=@women.server.com
    leftauth=pubkey
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftcert=servercert.pem
    right=%any
    # client authentication via IKEv2 EAP (username/password): eap-mschapv2, or eap-md5 for Windows
    rightauth=eap-mschapv2
    rightsourceip=10.39.165.0/24
    auto=add

conn net-net
    keyexchange=ikev2
    left=192.168.1.119
    #leftsubnet=192.85.0.0/16
    leftid=@women.server.com
    leftfirewall=yes
    leftsourceip=%config
    leftcert=clientcert.remoteserver.pem
    right=192.168.1.120
    rightsubnet=192.86.0.0/16
    rightid=%any
    auto=add

conn net-net-psk
    keyexchange=ikev2
    authby=secret
    left=192.168.1.119
    leftsubnet=192.85.0.0/16
    leftid=@women.server.com
    leftfirewall=yes
    right=192.168.1.120
    rightsubnet=192.86.0.0/16
    rightid=@women.server.com
    auto=add
5. /etc/ipsec.secrets / VM1, 192.168.1.119 / VM2, 192.168.1.120
Contains the EAP / eap-mschapv2 user moon, used for Windows 10 logins (tested)
The PSK (pre-shared key) method, common in many router VPN configurations
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA serverkey.pem
: RSA clientkey.remoteserver.pem
moon : EAP "moon"
@women.server.com %any : PSK "hello"
6. /etc/strongswan.conf / VM1, 192.168.1.119 / VM2, 192.168.1.120
Writes a log to /var/log/strongswan.charon.log, which makes problems easier to analyse
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    duplicheck.enable = no
    dns1 = 192.168.1.1
    nbns1 = 192.168.1.1
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 2
            append = no
            flush_line = yes
        }
    }
}

include strongswan.d/*.conf
7. /etc/ipsec.conf / VM2, 192.168.1.120
config setup
    uniqueids=never

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn networkmanager-strongswan
    # key exchange protocol
    keyexchange=ikev2
    left=%any
    leftid=@women.server.com
    leftauth=pubkey
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftcert=servercert.pem
    right=%any
    # client authentication via IKEv2 EAP (username/password): eap-mschapv2, or eap-md5 for Windows
    #rightauth=eap-mschapv2
    # client authentication with a certificate
    rightauth=pubkey
    rightsourceip=10.39.15.0/24
    rightcert=clientcert.pem
    auto=add

conn win10-EAP
    # key exchange protocol
    keyexchange=ikev2
    left=%any
    leftid=@women.server.com
    leftauth=pubkey
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftcert=servercert.pem
    right=%any
    # client authentication via IKEv2 EAP (username/password): eap-mschapv2, or eap-md5 for Windows
    rightauth=eap-mschapv2
    rightsourceip=10.39.15.0/24
    auto=add

conn net-net
    keyexchange=ikev2
    left=192.168.1.120
    #leftsubnet=192.86.0.0/16
    leftid=@women.server.com
    leftfirewall=yes
    leftsourceip=%config
    leftcert=clientcert.remoteserver.pem
    right=192.168.1.119
    rightsubnet=192.85.0.0/16
    rightid=%any
    auto=add

conn net-net-psk
    keyexchange=ikev2
    authby=secret
    esp=3des-sha1!
    left=192.168.1.120
    leftsubnet=192.86.0.0/16
    leftid=@women.server.com
    leftfirewall=yes
    right=192.168.1.119
    rightsubnet=192.85.0.0/16
    rightid=@women.server.com
    auto=add
8. iptables rules on the gateways (VM1 and VM2)
# accept IKE (UDP 500) and NAT-T (UDP 4500)
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# forward and masquerade the internal networks out of eth0
sudo iptables -t nat -A POSTROUTING -s 192.86.0.0/16 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -s 192.86.0.0/16 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.85.0.0/16 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -s 192.85.0.0/16 -j ACCEPT
# enable IP forwarding ("sudo echo 1 > file" redirects as the unprivileged user, so use tee)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
9. VM4 configuration; VM3 is configured the same way
ifconfig eth0 192.86.0.2 netmask 255.255.255.0
route add default gw 192.86.0.1
echo 1 > /proc/sys/net/ipv4/ip_forward
10. Connecting VM1 and VM2 over the VPN
ipsec up net-net-psk
Place the peer's certificate on your own side as /etc/ipsec.d/certs/clientcert.remoteserver.pem; the two gateways can then also be connected with:
ipsec up net-net
VM3 and VM4 can now reach each other
Cross-compiling and deployment
1. For cross-compiling, build openssl and gmp beforehand and put them in /disk2/tools/arm-release
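Both gateways trust the same CA, the net-net conn uses rightid=%any, and VM2's net-net-psk conn pins esp=3des-sha1!, so it is worth linting ipsec.conf and ipsec.secrets before running ipsec up. The following is an added example, not code from this post or from strongSwan: a small stand-alone parser for the ipsec.conf / ipsec.secrets syntax used in sections 4, 5 and 7, run over a constructed sample trimmed from the VM2 conns (file contents are passed in as strings; function names are assumptions).

```python
import re
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}  # not acceptable today

def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}} with 'conn %default' merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()              # drop comments
        head = re.match(r"^(config|conn|ca)\s+(\S+)\s*$", line)
        if head:                                            # e.g. "conn net-net" at column 0
            current = f"{head.group(1)} {head.group(2)}"
            sections[current] = {}
        elif current and "=" in line:                       # indented "key=value"
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
    default = sections.get("conn %default", {})
    return {n: {**default, **kv} for n, kv in sections.items()
            if n.startswith("conn ") and n != "conn %default"}

def psk_ids(secrets_text):
    """Selectors (IDs) that have a PSK in ipsec.secrets; a bare ': PSK' line means %any."""
    return {i for m in re.finditer(r"^[ \t]*([^:\n]*?)[ \t]*:[ \t]*PSK\s", secrets_text, re.M)
            for i in (m.group(1).split() or ["%any"])}

def lint(conf_text, secrets_text):
    """Return one finding string per problem found in the conns of conf_text."""
    conns, ids, findings = parse_ipsec_conf(conf_text), psk_ids(secrets_text), []
    for name, kv in conns.items():
        for prop in ("ike", "esp"):                         # weak proposals, e.g. esp=3des-sha1!
            weak = WEAK_ALGS & set(re.split(r"[-,!]", kv.get(prop, "").lower()))
            if weak:
                findings.append(f"{name}: weak {prop} algorithm(s) {sorted(weak)}")
        auth = kv.get("rightauth") or ("psk" if kv.get("authby") == "secret" else "pubkey")
        if auth == "psk" and "%any" not in ids:             # PSK conn with no matching secret
            for side in ("leftid", "rightid"):
                if kv.get(side) and kv[side] not in ids:
                    findings.append(f"{name}: no PSK in ipsec.secrets for {side}={kv[side]}")
        if auth == "pubkey" and kv.get("rightid") == "%any":  # any cert from a trusted CA passes
            findings.append(f"{name}: rightid=%any accepts any certificate issued by a trusted CA")
    return findings
# Constructed sample, trimmed from the VM2 net-net / net-net-psk conns above.
SAMPLE_CONF = """conn net-net
    rightid=%any
conn net-net-psk
    authby=secret
    esp=3des-sha1!
    leftid=@women.server.com
    rightid=@women.server.com
"""
SAMPLE_SECRETS = ': RSA serverkey.pem\n@women.server.com : PSK "hello"\n'
```

Run lint(SAMPLE_CONF, SAMPLE_SECRETS) and every returned line names a conn to fix before bringing it up.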
./configure --host=arm-xilinx-linux-gnueabi --prefix=/disk2/tools/ipsec-vpn/arm-release-5.4.0/ --enable-openssl --with-lib-prefix=/disk2/tools/arm-release --sysconfdir=/etc/ipsec --libexecdir=/libexec --with-ipseclibdir=/lib/ipsec --disable-scepclient
make && make install
2. Linux kernel adjustments
See https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules