
Setting up a strongSwan + IKEv2 VPN on CentOS 6.5

I. System and requirements

System: CentOS 6.5

II. Build and install strongSwan

1. Download

wget http://download.strongswan.org/strongswan.tar.gz

2. Install the required libraries

yum install pam-devel openssl-devel make gcc gmp-devel

3. Build and install

tar zxvf strongswan.tar.gz
cd strongswan-*
./configure --prefix=/usr --sysconfdir=/etc --enable-openssl \
    --enable-nat-transport --disable-mysql --disable-ldap --disable-static \
    --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka \
    --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity \
    --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim \
    --enable-eap-sim-file --enable-eap-simaka-pseudonym \
    --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls \
    --enable-eap-tnc --enable-eap-ttls
make && make install

III. Certificate generation

1. Generate the certificates

ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=VPN CA" --ca --outform pem > ca.cert.pem
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
    --cakey ca.pem --dn "C=com, O=myvpn, CN=112.74.112.209" \
    --san="112.74.112.209" --flag serverAuth --flag ikeIntermediate \
    --outform pem > server.cert.pem
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem \
    --cakey ca.pem --dn "C=com, O=myvpn, CN=VPN Client" --outform pem > client.cert.pem
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" \
    -certfile ca.cert.pem -caname "VPN CA" -out client.cert.p12

Note: the IP address in the --dn and --san options above (the post's placeholder is 123.123.123.123; the commands show 112.74.112.209) stands for the server's own IP. Replace it with your server's public address.

2. Install the certificates

cp -rf ca.cert.pem /etc/ipsec.d/cacerts/
cp -rf server.cert.pem /etc/ipsec.d/certs/
cp -rf server.pem /etc/ipsec.d/private/
cp -rf client.cert.pem /etc/ipsec.d/certs/
cp -rf client.pem /etc/ipsec.d/private/

3. Remove the certificates (only needed when old certificates have to be removed; normally skip this step)

rm -rf /etc/ipsec.d/cacerts/ca.cert.pem
rm -rf /etc/ipsec.d/certs/server.cert.pem
rm -rf /etc/ipsec.d/private/server.pem
rm -rf /etc/ipsec.d/certs/client.cert.pem
rm -rf /etc/ipsec.d/private/client.pem
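
The install and remove steps above as an added shell example (not code from the original post). It uses the file names generated in step 1, sets owner-only permissions on the private keys (the plain cp above leaves whatever mode the files had), and adds a pre-install check with openssl that the server certificate chains to the CA, carries the server IP as a SAN and has the serverAuth EKU that Windows 7 expects. The destination directory defaults to /etc/ipsec.d and is a parameter so the functions can be exercised on a scratch directory; the client private key is copied only because the post does so, the client itself gets it through client.cert.p12.

```shell
#!/bin/sh
# Added example, not part of the original post: install or remove the
# certificate files from the previous step with key-store permissions.
# Assumes the file names used above (ca.cert.pem, server.cert.pem, server.pem,
# client.cert.pem, client.pem). The destination defaults to /etc/ipsec.d.

install_certs() {
    src=$1                     # directory that holds the generated files
    dst=${2:-/etc/ipsec.d}     # strongSwan's certificate store
    mkdir -p "$dst/cacerts" "$dst/certs" "$dst/private"
    # Certificates are public; world-readable is fine.
    install -m 0644 "$src/ca.cert.pem"     "$dst/cacerts/ca.cert.pem"
    install -m 0644 "$src/server.cert.pem" "$dst/certs/server.cert.pem"
    install -m 0644 "$src/client.cert.pem" "$dst/certs/client.cert.pem"
    # Private keys: owner-only. charon runs as root, so 0600 is enough.
    # The client key is only here because the post copies it; the client
    # needs it via client.cert.p12, not the server.
    install -m 0600 "$src/server.pem" "$dst/private/server.pem"
    install -m 0600 "$src/client.pem" "$dst/private/client.pem"
    chmod 0700 "$dst/private"
}

# Mirror of the post's removal step; only needed when replacing old certs.
remove_certs() {
    dst=${1:-/etc/ipsec.d}
    rm -f "$dst/cacerts/ca.cert.pem" \
          "$dst/certs/server.cert.pem" "$dst/certs/client.cert.pem" \
          "$dst/private/server.pem"    "$dst/private/client.pem"
}

# Check the server certificate before installing it: it must chain to the CA,
# carry the server IP as a SAN and have the serverAuth EKU (the post's
# --flag serverAuth), which Windows 7 requires for IKEv2 server certificates.
# "openssl verify" is checked on its text output because old 1.0.1 builds
# (CentOS 6) exit 0 even on failure.
check_server_cert() {
    ca=$1; cert=$2; ip=$3
    openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$' \
        || { echo "certificate does not chain to $ca" >&2; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    printf '%s\n' "$text" | grep -q "IP Address:$ip" \
        || { echo "SAN does not contain IP $ip" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "missing serverAuth extended key usage" >&2; return 1; }
}

# Typical use, as root, from the directory holding the generated files:
#   check_server_cert ca.cert.pem server.cert.pem 112.74.112.209 && install_certs .
```

Run check_server_cert first; if it fails, fix the --san or --flag options in the issue command rather than installing a certificate the Windows client will reject.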

IV. Configure strongSwan

1. Edit /etc/ipsec.conf and replace its contents with the following

config setup
    strictcrlpolicy=no
    uniqueids=no # allow several devices online at the same time

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.11.0.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.11.0.0/24
    auto=add

2. Edit /etc/strongswan.conf and replace its contents with the following:

charon {
        load_modular = yes
        duplicheck.enable = no
        compress = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        nbns1 = 8.8.8.8
        nbns2 = 8.8.4.4
}
include strongswan.d/*.conf

3. Edit /etc/ipsec.secrets (create the file if it does not exist)

: RSA server.pem
: PSK "123456"
: XAUTH "123456"
%any %any : EAP "123456"

Here %any is the account name and 123456 the password: any user name can log in with the password 123456. The first %any can be replaced with a fixed user name.
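
Replacing the first %any with a fixed user name, done for several users, is a small shell example added here (not code from the original post). It appends one `user : EAP "password"` line per account to ipsec.secrets, rejects values that would break the line format, refuses duplicate identities, keeps the file readable by root only, and reports whether the wildcard %any line is still present: as long as it is, any identity still authenticates with the shared password, so remove it once real accounts exist. The file path is a parameter (default /etc/ipsec.secrets) so the functions can be run against a scratch file.

```shell
#!/bin/sh
# Added example, not from the original post: manage per-user EAP entries in
# ipsec.secrets instead of the wildcard "%any %any : EAP" line.
# The file path defaults to /etc/ipsec.secrets; pass another path to test.

# Exit 0 if an entry whose first field is this identity authenticates via EAP.
# Works for both "user : EAP ..." and "user %any : EAP ..." layouts.
has_eap_identity() {
    file=$1; id=$2
    [ -f "$file" ] && awk -v u="$id" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i == "EAP") found = 1 }
        END { exit !found }' "$file"
}

# Exit 0 if the wildcard entry is still present. Any identity then logs in
# with the shared password, so drop it once real users exist.
has_wildcard_eap() {
    has_eap_identity "${1:-/etc/ipsec.secrets}" '%any'
}

# Append 'user : EAP "password"' and keep the file root-only.
# Returns 1 for values that would break the line format, 2 for a duplicate.
add_eap_user() {
    file=${1:-/etc/ipsec.secrets}; user=$2; pass=$3
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) echo "bad user name" >&2; return 1 ;;
    esac
    # A quote, backslash or whitespace in the password would change how
    # strongSwan parses the quoted string, so refuse them outright.
    case "$pass" in
        ''|*\"*|*\\*|*[[:space:]]*) echo "bad password" >&2; return 1 ;;
    esac
    if has_eap_identity "$file" "$user"; then
        echo "$user already has an EAP entry" >&2; return 2
    fi
    printf '%s : EAP "%s"\n' "$user" "$pass" >> "$file"
    chmod 0600 "$file"
}

# Typical use, as root:
#   add_eap_user /etc/ipsec.secrets alice 'S3cret-pass'
#   has_wildcard_eap && echo "remove the %any %any : EAP line" >&2
#   ipsec rereadsecrets
```

After editing the file, run `ipsec rereadsecrets` so charon picks up the new entries without a restart.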
V. Configure network forwarding rules

1. Set the iptables rules

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.11.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.11.2.0/24 -j ACCEPT
iptables -A INPUT -i eth1 -p esp -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.11.2.0/24 -o eth1 -j MASQUERADE

Then run:

service iptables save
service iptables restart

2. Enable ip_forward

vim /etc/sysctl.conf

Find net.ipv4.ip_forward = 0 and change the value to 1.

Save and exit, then run sysctl -p
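
Both steps of this section as an added shell example (not code from the original post). The rule generator opens only what IKE and ESP need, UDP 500, UDP 4500 and ESP, and forwards and masquerades only the rightsourceip pool configured in ipsec.conf (10.11.0.0/24); the post's TCP 500, UDP 1701 (L2TP) and TCP 1723 (PPTP) entries carry no IKEv2 traffic, and its 10.11.1.0/24 and 10.11.2.0/24 entries match no pool in the configuration, so they are left out. The interface name, pool and sysctl.conf path are parameters, with defaults taken from the post, so the functions can be tried on a copy before touching the live system.

```shell
#!/bin/sh
# Added example, not from the original post: the iptables and ip_forward steps
# as functions. Defaults follow the post (eth1, pool 10.11.0.0/24).

# Print the iptables commands for an IKEv2/IPsec gateway. Only UDP 500 (IKE),
# UDP 4500 (NAT-T) and ESP are accepted inbound; the FORWARD chain admits the
# client pool and replies, rejects everything else, and NAT hides the pool
# behind the outside interface.
ikev2_rules() {
    iface=${1:-eth1}; pool=${2:-10.11.0.0/24}
    cat <<EOF
iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $iface -p esp -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $pool -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s $pool -o $iface -j MASQUERADE
EOF
}

# Execute the generated rules (needs root); with DRY_RUN set, only print them.
apply_ikev2_rules() {
    ikev2_rules "$@" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Set net.ipv4.ip_forward = 1 in a sysctl.conf: rewrite an existing line or
# append one, so running it twice still leaves a single line.
# Apply afterwards with: sysctl -p
enable_ip_forward_conf() {
    conf=${1:-/etc/sysctl.conf}
    if grep -q '^net\.ipv4\.ip_forward' "$conf"; then
        sed 's/^net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
    fi
}

# Stand-alone: show the rule set for the post's interface and pool without
# changing anything. Real use, as root:
#   apply_ikev2_rules eth1 10.11.0.0/24 && service iptables save
#   enable_ip_forward_conf /etc/sysctl.conf && sysctl -p
ikev2_rules eth1 10.11.0.0/24
```

Keep the FORWARD ... -j REJECT line last: iptables appends in order, so anything appended after it is never reached.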

VI. Windows 7 client login

To log in, the client must first import the certificate client.cert.p12.
