CentOS7 Strongswan IKEV2 架设梯子

发表于 | 分类于 | | 阅读次数:

长城防火墙

参考:
1.https://linsir.org/post/how_to_install_IPSec_IKEV2_base_on_strongswan_with_CentOS7
2.https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html

strongswan.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/bin/sh
#strongswan.sh

yum install strongswan -y

yum install haveged -y
systemctl enable haveged
systemctl start haveged


cd /etc/strongswan
strongswan pki --gen --type rsa --size 4096 --outform der > ipsec.d/private/ca.key.der
chmod 600 ipsec.d/private/ca.key.der


strongswan pki --self --ca --lifetime 7300 --in ipsec.d/private/ca.key.der --type rsa --dn "C=CN, O=VPN, CN=StrongSwan Root CA" --outform der > ipsec.d/cacerts/ca.crt.der


strongswan pki --print --in ipsec.d/cacerts/ca.crt.der
strongswan pki --gen --type rsa --size 4096 --outform der > ipsec.d/private/vpn.key.der
openssl x509 -inform DER -in ipsec.d/cacerts/ca.crt.der -out ipsec.d/cacerts/ca.crt.pem -outform PEM
chmod 600 ipsec.d/private/vpn.key.der


strongswan pki --pub --in ipsec.d/private/vpn.key.der --type rsa | strongswan pki --issue --lifetime 7300 --cacert ipsec.d/cacerts/ca.crt.der --cakey ipsec.d/private/ca.key.der --dn "C=CN, O=VPN, CN=vpn.0xa.in" --san vpn.0xa.in --san 163.44.166.55  --san @163.44.166.55 --flag serverAuth --flag ikeIntermediate --outform der > ipsec.d/certs/vpn.crt.der
strongswan pki --print --in ipsec.d/certs/vpn.crt.der
openssl x509 -inform DER -in ipsec.d/certs/vpn.crt.der -noout -text


strongswan pki --gen --type rsa --size 4096 --outform der > ipsec.d/private/baiyangliu.key.der
chmod 600 ipsec.d/private/baiyangliu.key.der
strongswan pki --pub --in ipsec.d/private/baiyangliu.key.der --type rsa | strongswan pki --issue --lifetime 7300 --cacert ipsec.d/cacerts/ca.crt.der --cakey ipsec.d/private/ca.key.der --dn "C=CN, O=VPN, CN=vpn.0xa.in" --san "lc@baiyangliu.com" --outform der > ipsec.d/certs/baiyangliu.crt.der
openssl rsa -inform DER -in ipsec.d/private/baiyangliu.key.der -out ipsec.d/private/baiyangliu.key.pem -outform PEM
openssl x509 -inform DER -in ipsec.d/certs/baiyangliu.crt.der -out ipsec.d/certs/baiyangliu.crt.pem -outform PEM
openssl pkcs12 -export  -inkey ipsec.d/private/baiyangliu.key.pem -in ipsec.d/certs/baiyangliu.crt.pem -name "Baiyangliu VPN Certificate"  -certfile ipsec.d/cacerts/ca.crt.pem -caname "StrongSwan Root CA" -out baiyangliu.vpn.p12
/etc/strongswan/ipsec.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#/etc/strongswan/ipsec.conf

config setup
    uniqueids=never


conn %default
    keyexchange=ike
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any

conn IKE-BASE
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    leftcert=vpn.crt.der
    rightsourceip=10.0.18.0/24

    
conn ike2-eap
    also=IKE-BASE
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    leftsendcert=always
    leftid=vpn.0xa.in
    leftauth=pubkey
    leftfirewall=yes
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    rekey=no
    dpdaction=clear
    fragmentation=yes
    auto=add


conn IPSec-IKEv1-PSK
    also=IKE-BASE
    keyexchange=ikev1
    fragmentation=yes
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add


conn IPSec-xauth
    also=IKE-BASE
    leftauth=psk
    leftfirewall=yes
    right=%any
    rightauth=psk
    rightauth2=xauth
    auto=add
/etc/strongswan/strongswan.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#/etc/strongswan/strongswan.conf

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf
/etc/strongswan/ipsec.secrets
1
2
3
4
5
6
7
8
#/etc/strongswan/ipsec.secrets

: RSA vpn.key.der

username1 : EAP "password1"
username2 : EAP "password2"
username3 : EAP "password3"
hipster: XAUTH "tbkiT571KxqpaKy/ap1H4kcWX0SZkogJ"
/etc/sysctl.conf
1
2
3
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
配置防火墙
1
2
3
4
5
6
7
firewall-cmd --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --permanent --add-port=500/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
启动
1
2
3
sysctl -p
systemctl enable strongswan
strongswan restart