StrongSwan 搭建IPsec (IKEv1 and IKEv2) 实现不同局域网之间通讯

96
AllenWGZ
2016.12.11 20:11* 字数 584

<h5 align = "center">使用strongswan搭建属于你自己的IPsec (IKEv1 & IKEv2)</h5>

在现实之中,VPN可以满足我们很多的需求,比如总公司和分公司之间,如果需要实现局域网之间通讯互相访问,使用VPN是一个很好的解决方案,还有我们服务器,很多时候服务器可能只是允许某个ip进行登陆,需要允许管理员进行拨号进行,下面教程是以StrongSwan为基础来搭建我们的VPN平台

一、 环境和前期准备工作
   1. 环境

  • CentOS 7 最小化安装版
  • strongswan-5.3.5   到strongswan官网下载,或者点击这里下载
  • 1G 内存
  • 1核CPU

2. 配置环境

  1. 配置主机名 (可选)
  2. 关闭selinux(Centos)
vim /etc/selinux/conf
# 把 SELINUX=enforcing 改为 SELINUX=disabled

setenforce = 0
  1. 安装必要地软件包,直接使用yum安装
#CentOS 安装如下
yum update -y
yum upgrade -y
yum -y install pam-devel openssl-devel make gcc curl wget 
#Ubuntu 安装如下
apt-get update -y ; apt-get upgrade -y
apt-get -y install libpam0g-dev libssl-dev make gcc curl wget

<br />


二、 搭建步骤

我们下载所有软件地存放位置是 /usr/local/src 这里

  • 下载strongswan,并解压安装
cd /usr/local/src   #进到下载目录 
wget --no-check-certificate https://download.strongswan.org/strongswan-5.3.5.tar.gz #进行下载
tar -zvxf strongswan-5.3.5.tar.gz   #解压软件
cd strongswan-5.3.5 #进到目录
mkdir /usr/local/strongswan     #创建安装目录
#编译安装
#KVM、XEN虚拟化方案的主机使用以下配置编译,OpenVZ的主机需要在后面添加 --enable-kernel-libipsec

./configure --prefix=/usr/local/strongswan  --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam  --enable-dhcp  --enable-openssl  --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-swanctl --enable-openssl --disable-gmp

make    #编译
make install #安装

# 做软连接
ln -s /usr/local/strongswan/sbin/* /usr/local/sbin
ln -s /usr/local/strongswan/bin/* /usr/local/bin

注意事项: 安装后一定要做软连接,并且清楚自己的虚拟化方案是哪个,加入正确的配置,否者会照成无法上网


  • 进行CA配置

CA 生成存放目录为 /usr/local/src/ca
创建ca目录
mkdir /usr/local/src/ca

  • 生成私钥和根证书,并且根证书使用的是自签名形式

这里C表示国家名,O表示组织单位,CN表示通用名字

ipsec pki --gen --outform pem > ca.key.pem
ipsec pki --self --in ca.key.pem --dn "C=CN, O=MyStrongSwan, CN=MyStrongSwan CA" --ca --lifetime 3650 --outform pem > ca.cert.pem
  • 生成服务器证书
ipsec pki --gen --outform pem > server.key.pem
ipsec pki --pub --in server.key.pem --outform pem > server.pub.pem
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in server.pub.pem --dn "C=CN, O=MyStrongSwan, CN=myDomain.com" --san="myDomain.com" --san="YourIP" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

注意事项 : 服务器这边的CN一定是你网卡的ip,或者你网卡ip对应的域名,--san 设置设置别名,建议设置两个或者两个以上,分别为你的域名和网卡ip;–flag serverAuth 表示证书使用用途,不加windows 7会报错,非 iOS 的 Mac OS X 要求了“IP 安全网络密钥互换居间(IP Security IKE Intermediate)”这种增强型密钥用法(EKU),–flag ikdeIntermediate;

  • 生成客户端证书 (可选)
ipsec pki --gen --outform pem > client.key.pem
ipsec pki --pub --in client.key.pem --outform pem > client.pub.pem
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in client.pub.pem --dn "C=CN, O=MyStrongSwan, CN=MyDomain.com" --outform pem > client.cert.pem

#以下生成证书需要密码地,请设置密码,因为MAC不能导入密码为空的证书
openssl pkcs12 -export -inkey client.key.pem -in client.cert.pem -name "MyStrongSwan Client Cert" -certfile ca.cert.pem -caname "MyStrongSwan CA" -out client.cert.p12
  • 安装证书
\cp -r ca.key.pem /usr/local/strongswan/etc/ipsec.d/private/
\cp -r ca.cert.pem /usr/local/strongswan/etc/ipsec.d/cacerts/
\cp -r server.cert.pem /usr/local/strongswan/etc/ipsec.d/certs/
\cp -r server.key.pem /usr/local/strongswan/etc/ipsec.d/private/
\cp -r client.cert.pem /usr/local/strongswan/etc/ipsec.d/certs/
\cp -r client.key.pem /usr/local/strongswan/etc/ipsec.d/private/
  • 配置ipsec.conf

vim /usr/local/strongswan/etc/ipsec.conf

    config setup
        uniqueids=no
    conn %default
        compress = yes
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    keyexchange = ike
    keyingtries = 1
    #for andorid、ios、mac 
    conn cisco_xauth_psk
        left = %any
        leftid = YourIP or Domain
        leftauth = psk
        leftfirewall = yes
        fragmentation = yes
        leftsubnet = 0.0.0.0/0
        right = %any
        rightauth = psk
        rightauth2 = xauth
        rightsourceip = 172.16.6.0/24
        rekey = no
        auto = add     
        dpdaction=clear
    #for windows 7/10 , strongswan agent and other ca
    conn IKEv2-EAP-Windows
        leftca = "C=CN, O=,MyStrongSwan; CN=YourIP or domain"
        leftcert = server.cert.pem
        leftsendcert = always
        rightsendcert = never
        leftid = YourIP or domain
        left = %any
        right = %any
        leftauth = pubkey   #使用证书形式认证
        rightauth = eap-radius  #认证使用radius
        leftfirewall = yes
        leftsubnet = 0.0.0.0/0  #全部流量走vpn
        rightsourceip = 172.16.7.0/24
        fragmentation = yes  #包重组
        eap_identity = %any
        rekey = no  #不重复检查,用来开启多设备登录
        auto = add
    dpdaction=clear #断开后清空
  • 配置 strongswan.conf

vim /usr/local/strongswan/etc/strongswan.conf

charon {
    filelog {
               /var/log/strongswan.charon.log {
                   time_format = %b %e %T
                   default = 2
                   append = no
                   flush_line = yes
               }
       }
    load_modular = yes
    duplicheck.enable = no #是为了你能同时连接多个设备,所以要把冗余检查关闭
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 223.5.5.5
#only for windows
    nbns1 = 8.8.8.8
    nbns2 = 223.5.5.5
}
include strongswan.d/*.conf
  • 配置 ipsec.secrets
: RSA server.key.pem
: PSK "visionsrv"
: XAUTH "visionsrv"
 myvpn %any : EAP "123456"
  • 配置Firewall和转发
    1.开放端口
firewall-cmd --add-port=500/tcp --permanent
firewall-cmd --add-port=500/udp --permanent
firewall-cmd --add-port=4500/tcp --permanent
firewall-cmd --add-port=4500/udp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload

2.编辑 /etc/systcl.conf

vim /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

3.开启 firewall的转发功能

iptables -t nat -A POSTROUTING -s 172.16.6.0/24 -o ens160 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.7.0/24 -o ens160 -j MASQUERADE
  • 启动服务
    ipsec start
    systemctl restart strongswan

三、 各种终端测试

IT技术
Gupao