First, build and install strongSwan
1. Install the required packages
apt-get update
apt-get install build-essential libpam0g-dev openssl libssl-dev make gcc wget -y
2. Download strongSwan and unpack it (* stands for the current version number; the latest version is used here)
wget http://download.strongswan.org/strongswan.tar.gz
tar xzf strongswan.tar.gz
cd strongswan-*
3. Configure strongSwan: on Xen or KVM use the following options (as done here)
./configure --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
--enable-certexpire --enable-radattr --enable-tools --disable-gmp
On OpenVZ you additionally need to add --enable-kernel-libipsec
4. Build and install (with the default install prefix, the configuration files end up under /usr/local/etc/ after installation)
make && make install
After the build finishes, if there were no errors and the ipsec version command prints version information similar to the following, the installation succeeded
root@zyk:/etc# ipsec version
Linux strongSwan U5.3.2/K3.16.0-30-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
Configure the certificates (the critical part)
1. Generate the private key for the CA certificate
ipsec pki --gen --type rsa --size 4096 --outform pem > strongswanKey.pem
2. Use that private key to self-sign the CA certificate
ipsec pki --self --ca --lifetime 3650 --in strongswanKey.pem --type rsa --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > strongswanCert.pem
3. Generate the private key for the server certificate:
ipsec pki --gen --type rsa --size 2048 --outform pem > vpnHostKey.pem
4. Issue the server certificate with the CA
First confirm your server's IP address or domain name: clients will later only be able to connect using the address contained in the certificate (if several servers share the same root CA, set up DNS for the servers first).
Then replace every occurrence of $HOSTNAME in the command below with your server's IP address or domain name:
ipsec pki --pub --in vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert strongswanCert.pem --cakey strongswanKey.pem --dn "C=CH, O=strongSwan, CN=$HOSTNAME" --san @$HOSTNAME --san "$HOSTNAME" --flag serverAuth --flag ikeIntermediate --outform pem > vpnHostCert.pem
Note that the values of "C=" and "O=" in the command above must match the C and O values used for the CA in step 2.
5. Generate the private key for the client certificate:
ipsec pki --gen --type rsa --size 2048 --outform pem > xauthKey.pem
6. Sign the client certificate with the CA (C and O must match the CA values from step 2; CN can be anything):
ipsec pki --pub --in xauthKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert strongswanCert.pem --cakey strongswanKey.pem --dn "C=CH, O=strongSwan, CN=VPNClient" --flag clientAuth --flag ikeIntermediate --outform pem > xauthCert.pem
7. Create the PKCS#12 bundle:
openssl pkcs12 -export -inkey xauthKey.pem -in xauthCert.pem -name "XAuth VPN Certificate" -certfile strongswanCert.pem -caname "strongSwan Root CA" -out /var/xauth.p12
8. Install the certificates (you may need to use chmod 600 to restrict the permissions of the key files in the private directory):
cp -r strongswanCert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r strongswanKey.pem /usr/local/etc/ipsec.d/private/
cp -r vpnHostCert.pem /usr/local/etc/ipsec.d/certs/
cp -r vpnHostKey.pem /usr/local/etc/ipsec.d/private/
cp -r xauthCert.pem /usr/local/etc/ipsec.d/certs/
cp -r xauthKey.pem /usr/local/etc/ipsec.d/private/
Configure strongSwan
1. Edit /usr/local/etc/ipsec.conf:
vi /usr/local/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ikev2
    fragmentation=yes
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes128-sha256-modp1536,aes256-sha384
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightdns=61.134.1.4,8.8.8.8
    rightsourceip=10.10.0.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn IPSec-IKEv2-EAP-iOS
    also="IPSec-IKEv2-EAP"
    left=172.16.0.50
    leftid=172.16.0.50
    rightid=iOS@172.16.0.50

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    rightsubnet=10.7.0.0/24
    rightsourceip=10.7.0.0/24
    rightdns=61.134.1.4,8.8.8.8
    auto=route

conn IPSec_xauth_psk
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsubnet=10.7.0.0/24
    rightsourceip=10.7.0.0/24
    rightdns=61.134.1.4,8.8.8.8
    auto=route
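The conn sections above are composed in layers: conn %default applies first, then whatever also= pulls in, then the conn's own lines, with later layers overriding earlier ones. As an added example (not part of the original post or of strongSwan), the following stdlib-only Python script replays that composition so the effective settings of a chained section such as IPSec-IKEv2-EAP-iOS can be inspected before the daemon is started; the embedded sample is a constructed, condensed copy of the ipsec.conf above, and the script assumes the precedence order just described.

```python
import re
# Constructed sample: a condensed copy of the page's ipsec.conf (indented, as strongSwan requires).
SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
    left=%any
    leftcert=vpnHostCert.pem
conn IPSec-IKEv2
    auto=add
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
conn IPSec-IKEv2-EAP-iOS
    also="IPSec-IKEv2-EAP"
    left=172.16.0.50
conn CiscoIPSec
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth
"""
SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")

def parse_sections(text):
    """Return {"conn NAME": {key: value}}; parameters must be indented under a header, as strongSwan requires."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.startswith("include "):
            continue
        header = SECTION_RE.match(line)               # headers start at column 0
        if header:
            current = sections.setdefault(" ".join(header.groups()), {})
            continue
        if current is None or raw[0] not in " \t":    # unindented parameter: reject, like charon's parser
            raise ValueError(f"line {lineno}: parameter not indented under a section: {raw!r}")
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections

def effective_conn(sections, name, _seen=()):
    """Compose a conn: %default first, then the also= target (recursively), then its own lines; later layers win."""
    if name in _seen:
        raise ValueError(f"also= loop through {name!r}")
    own = sections[f"conn {name}"]
    result = dict(sections.get("conn %default", {}))
    if "also" in own:
        result.update(effective_conn(sections, own["also"], _seen + (name,)))
    result.update((k, v) for k, v in own.items() if k != "also")
    return result
```

Running effective_conn(parse_sections(SAMPLE_IPSEC_CONF), "IPSec-IKEv2-EAP-iOS") shows that the iOS conn keeps left=172.16.0.50 from its own lines while inheriting rightauth=eap-mschapv2, rightsendcert=never and auto=add from the chain.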
2. Edit /usr/local/etc/strongswan.conf:
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    # for Windows only
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
3. Edit /usr/local/etc/ipsec.secrets:
: RSA vpnHostKey.pem          # the server private key installed into ipsec.d/private in step 8
: PSK "myPSKkey"
: XAUTH "myXAUTHPass"
[username] %any : EAP "[password]"    # e.g. %any %any : EAP "123456" accepts any username
Replace myPSKkey above with the key you want to use for PSK authentication;
Replace myXAUTHPass above with the password you want to use for XAUTH authentication; the username for this method can be anything;
Replace [username] with the login name you want and [password] with the password you want (drop the [] brackets). You can add several such lines to create several users; these are the login credentials for IKEv2 username + password authentication.
Configure the firewall
1. Edit /etc/sysctl.conf and remove the # in front of the line net.ipv4.ip_forward=1 (otherwise clients will not be able to reach the Internet once the IKEv2 VPN is connected). Save, then run sysctl -p (if it reports errors, reopen sysctl.conf, comment out the offending entries with #, save, and repeat until sysctl -p runs without errors).
2. Configure iptables (open the relevant ports and set up forwarding and NAT):
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.0.0.0/8 -j ACCEPT
sysctl net.ipv4.ip_forward=1
3. Load the iptables rules automatically at boot:
iptables-save > /etc/iptables.rules
cat > /etc/network/if-up.d/iptables<<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables
Finally, start the service:
ipsec start
Source: oschina
Link: https://my.oschina.net/u/2344681/blog/475591