使用strongswan配置ipsec隧道

摘要

使用strongswan配置ipsec隧道打通vpc与办公网

官方下载地址

安装strongswan

安装依赖

# Build prerequisites: pam-devel backs --enable-xauth-pam and openssl-devel
# backs --enable-openssl in the configure step below; the rest is the
# toolchain plus the download tools.
yum install -y \
  pam-devel openssl-devel \
  make gcc \
  curl wget

设置环境变量

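# Build/install locations and the release to fetch. Each value can be
# overridden from the environment (e.g. VERSION=<release> before running)
# instead of editing this file; the defaults are the page's original values.
WORKDIR="${WORKDIR:-/usr/local/src}"              # where the tarball is unpacked
INSTALL_DIR="${INSTALL_DIR:-/usr/local/product}"  # root for the versioned prefix
SOFT_DIR="${SOFT_DIR:-/usr/local}"                # where the unversioned symlink lives
# 5.6.2 is the release this page was written against. Old releases do not
# receive fixes, so pick a currently maintained release and check the
# project's security advisories before building.
VERSION="${VERSION:-5.6.2}"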

编译安装

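# Fetch, verify, build and install strongSwan under a versioned prefix and
# point ${SOFT_DIR}/strongswan at it.
# Requires WORKDIR, INSTALL_DIR, SOFT_DIR and VERSION (set above); abort
# instead of silently cd'ing to $HOME when WORKDIR is empty.
: "${WORKDIR:?}" "${INSTALL_DIR:?}" "${SOFT_DIR:?}" "${VERSION:?}"
cd -- "${WORKDIR}" || exit 1

tarball="strongswan-${VERSION}.tar.gz"
wget "https://download.strongswan.org/${tarball}" || exit 1

# Verify the download before unpacking. STRONGSWAN_SHA256 is a placeholder:
# fill it with the digest published for the release you chose (taken from
# the project's release page/signature, not from this document).
if [ -n "${STRONGSWAN_SHA256:-}" ]; then
  printf '%s  %s\n' "${STRONGSWAN_SHA256}" "${tarball}" | sha256sum -c - || exit 1
else
  printf 'warning: STRONGSWAN_SHA256 not set, %s was not verified\n' "${tarball}" >&2
fi

tar xvf "${tarball}" || exit 1
cd -- "strongswan-${VERSION}" || exit 1

# --enable-openssl was listed twice on the original page; once is enough.
# eap-radius is what "rightauth = eap-radius" in ipsec.conf relies on;
# xauth-pam needs the pam-devel package installed above; gmp is disabled
# because openssl is the crypto backend here. eap-md5/mschapv2 are legacy
# methods kept for client compatibility.
./configure \
  --prefix="${INSTALL_DIR}/strongswan-${VERSION}" \
  --enable-eap-identity \
  --enable-eap-md5 \
  --enable-eap-mschapv2 \
  --enable-eap-tls \
  --enable-eap-ttls \
  --enable-eap-peap \
  --enable-eap-tnc \
  --enable-eap-dynamic \
  --enable-eap-radius \
  --enable-xauth-eap \
  --enable-xauth-pam \
  --enable-dhcp \
  --enable-openssl \
  --enable-addrblock \
  --enable-unity \
  --enable-certexpire \
  --enable-radattr \
  --enable-swanctl \
  --disable-gmp || exit 1

make && make install || exit 1
# -f -n: replace a symlink left by a previous version without descending into it.
ln -sfn -- "${INSTALL_DIR}/strongswan-${VERSION}" "${SOFT_DIR}/strongswan"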

修改配置

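# Log directory for charon's filelog (configured in strongswan.conf below).
# Keep it out of world-readable reach: at strongSwan log level 4 the daemon
# dumps sensitive material, and even at level 1 the log carries peer
# identities and addresses. -p also creates /data/logs if it is missing.
mkdir -p -m 0750 -- /data/logs/strongswan

# Show the daemon-level configuration that will be used.
cat -- strongswan.conf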
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
# Bind charon to this interface only. It has to be the real uplink name;
# the NAT rules later on this page use ens160, so confirm which one applies.
interfaces_use = eth0
load_modular = yes
filelog {
# File logger; "default" is the base level for every subsystem.
# Level 1 is control-flow only. Raising a subsystem to 4 would also log
# sensitive material (keys), so keep this file non-world-readable anyway.
/data/logs/strongswan/strongswan.charon.log {
time_format = %b %e %T
default = 1
# Append across restarts so earlier history survives for incident review.
append = yes
flush_line = yes
}
}
plugins {
include strongswan.d/charon/*.conf
}
}

include strongswan.d/*.conf

###############

# Print the connection definitions the daemon will load.
cat -- ipsec.conf
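config setup
    uniqueids = never
    # In strongSwan's scale level 4 means "also log sensitive material"
    # (keys and secrets). Use it for a debugging session only and lower it
    # again afterwards.
    charondebug="ike 4, knl 4, net 4, cfg 4"

# This section was spelled "%defualt" before; with that typo none of the
# defaults below would have applied to the connection. Parameter lines
# inside a section must be indented (a line at column 0 starts a new
# section), so the indentation is restored as well.
conn %default
    type=tunnel
    ikelifetime=60m
    keylife=5m
    dpddelay=10s
    rekeymargin=3m
    keyingtries=3
    mobike=no

conn site-to-site-beijing
    keyexchange=ikev1
    left=0.0.0.0
    leftid=vpc-beijing
    leftsubnet=172.16.1.0/24
    leftfirewall=no
    # x.x.x.x is a placeholder for the office-side gateway address.
    right=x.x.x.x
    rightid=BaseManager
    # Pre-shared key, read from ipsec.secrets.
    authby=secret
    # sha1 and modp1024 are legacy choices presumably kept for peer
    # compatibility; move to a sha256 + modp2048-or-better proposal as soon
    # as the office gateway supports it.
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    rightsubnet=172.32.0.0/16
    auto=start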

生成ca证书

待续。。。

进行CA配置
CA 生成存放目录为 /usr/local/src/ca
创建ca目录
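# Working directory for the CA. The CA private key (ca.key.pem) is written
# here, so create it owner-only instead of with the default umask; -p makes
# the step re-runnable. The pki commands that follow use relative file
# names, so change into the directory right away.
mkdir -p -m 0700 -- /usr/local/src/ca
cd -- /usr/local/src/ca || exit 1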

生成私钥和根证书,并且根证书使用的是自签名形式
这里C表示国家名,O表示组织单位,CN表示通用名字

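# Private keys must not be created world-readable: force 0600 on every file
# the pki commands in this section write (it also applies to the certs,
# which is harmless).
umask 077
ipsec pki --gen --outform pem > ca.key.pem
# Self-signed root, 10 years. This DN is what "leftca" in ipsec.conf must
# reference for the certificate-based connection.
ipsec pki --self --in ca.key.pem --dn "C=CN, O=MyStrongSwan, CN=MyStrongSwan CA" --ca --lifetime 3650 --outform pem > ca.cert.pem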
生成服务器证书
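# Gateway key and certificate. umask 077 keeps server.key.pem owner-only.
umask 077
ipsec pki --gen --outform pem > server.key.pem
ipsec pki --pub --in server.key.pem --outform pem > server.pub.pem
# myDomain.com / YourIP are placeholders; CN and the --san entries must
# carry the address or name clients connect to (and that leftid uses).
# serverAuth and ikeIntermediate are the EKU flags the Windows and macOS
# clients mentioned in the note below expect.
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in server.pub.pem --dn "C=CN, O=MyStrongSwan, CN=myDomain.com" --san="myDomain.com" --san="YourIP" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem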
注意事项 : 服务器这边的CN一定是你网卡的ip,或者你网卡ip对应的域名;--san 设置别名,建议设置两个或者两个以上,分别为你的域名和网卡ip;--flag serverAuth 表示证书使用用途,不加windows 7会报错;非 iOS 的 Mac OS X 要求“IP 安全网络密钥互换居间(IP Security IKE Intermediate)”这种增强型密钥用法(EKU),即 --flag ikeIntermediate;

生成客户端证书 (可选)
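# Optional client key and certificate. umask 077 keeps client.key.pem
# owner-only until it is handed to the client.
umask 077
ipsec pki --gen --outform pem > client.key.pem
ipsec pki --pub --in client.key.pem --outform pem > client.pub.pem
# Issued by the same CA as the server certificate; the CN is a placeholder.
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in client.pub.pem --dn "C=CN, O=MyStrongSwan, CN=MyDomain.com" --outform pem > client.cert.pem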

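# The export below prompts for a password; set one, because macOS cannot
# import a PKCS#12 bundle whose password is empty. The bundle contains the
# client's private key, so create it owner-only as well.
umask 077
openssl pkcs12 -export -inkey client.key.pem -in client.cert.pem -name "MyStrongSwan Client Cert" -certfile ca.cert.pem -caname "MyStrongSwan CA" -out client.cert.p12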
安装证书
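# Install into the daemon's ipsec.d tree. install(1) sets the mode
# explicitly; "\cp -r" only bypassed a cp alias and kept whatever mode the
# source files had, which for keys is not necessarily 0600.
swan_etc=/usr/local/strongswan/etc/ipsec.d
install -m 0644 -- ca.cert.pem     "${swan_etc}/cacerts/"
install -m 0644 -- server.cert.pem "${swan_etc}/certs/"
install -m 0600 -- server.key.pem  "${swan_etc}/private/"
# ca.key.pem and client.key.pem are copied to keep the page's layout, but
# the gateway does not read them (ipsec.secrets on this page loads only
# server.key.pem). Keeping the CA key off the gateway and the client key
# only on the client limits what a compromise of this host exposes.
install -m 0600 -- ca.key.pem      "${swan_etc}/private/"
install -m 0644 -- client.cert.pem "${swan_etc}/certs/"
install -m 0600 -- client.key.pem  "${swan_etc}/private/"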
配置ipsec.conf
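# Edit the connection definitions; honours $EDITOR and falls back to vim.
"${EDITOR:-vim}" /usr/local/strongswan/etc/ipsec.conf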

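config setup
    uniqueids=no

# Parameter lines inside a section must be indented (a line at column 0
# starts a new section); the indentation lost on the original page is
# restored. Trailing "# ..." notes were moved onto their own lines so they
# cannot be read as part of a value.
conn %default
    compress = yes
    # Proposal lists; the trailing "!" makes them strict. 3des-sha1 and the
    # modp1024 groups sit at the end, presumably for old clients; drop them
    # once no such client remains.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    keyexchange = ike
    keyingtries = 1

# for android, ios, mac
conn cisco_xauth_psk
    left = %any
    # Placeholder: the gateway's public IP or DNS name.
    leftid = YourIP or Domain
    leftauth = psk
    leftfirewall = yes
    fragmentation = yes
    # Full tunnel: all client traffic is routed through the VPN.
    leftsubnet = 0.0.0.0/0
    right = %any
    # Group PSK first, then a per-user XAUTH credential (both from ipsec.secrets).
    rightauth = psk
    rightauth2 = xauth
    rightsourceip = 172.16.6.0/24
    rekey = no
    auto = add
    dpdaction=clear

# for windows 7/10, strongswan agent and other CA-based clients
conn IKEv2-EAP-Windows
    # DN of the CA that issued server.cert.pem (the "ipsec pki --self" step
    # above), not the gateway's own DN. The original line carried the server
    # CN with a malformed "O=,MyStrongSwan;" and could not match the CA cert.
    leftca = "C=CN, O=MyStrongSwan, CN=MyStrongSwan CA"
    leftcert = server.cert.pem
    leftsendcert = always
    rightsendcert = never
    # Placeholder: must equal the CN/SAN of server.cert.pem.
    leftid = YourIP or domain
    left = %any
    right = %any
    # Gateway authenticates with its certificate ...
    leftauth = pubkey
    # ... clients via EAP relayed to RADIUS (eap-radius plugin enabled at build).
    rightauth = eap-radius
    leftfirewall = yes
    # Full tunnel for these clients as well.
    leftsubnet = 0.0.0.0/0
    rightsourceip = 172.16.7.0/24
    # IKE fragmentation, needed for large certificate payloads.
    fragmentation = yes
    eap_identity = %any
    # Author's note: rekeying disabled so one account can use several devices.
    rekey = no
    auto = add
    # Tear the SA down when a peer stops answering DPD.
    dpdaction=clear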
配置 strongswan.conf
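# Edit the daemon configuration; honours $EDITOR and falls back to vim.
"${EDITOR:-vim}" /usr/local/strongswan/etc/strongswan.conf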

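# Trailing "# ..." notes from the original were moved onto their own lines so
# they cannot end up as part of a value; indentation is cosmetic here (the
# braces delimit sections).
charon {
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 2
            # append = no truncates the log on every daemon start; for
            # incident review append = yes plus log rotation is preferable.
            append = no
            flush_line = yes
        }
    }
    load_modular = yes
    # Author's note: duplicate-connection check disabled so one account can
    # be logged in from several devices at once. Side effect: a reused
    # credential is not evicted by the legitimate session, so watch for
    # the same identity connecting from unexpected addresses.
    duplicheck.enable = no
    # "compress" is a connection option in ipsec.conf; whether charon reads
    # it here is unverified — TODO confirm, it may be a no-op.
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    # DNS servers handed to clients that request them.
    dns1 = 8.8.8.8
    dns2 = 223.5.5.5
    # only for windows
    nbns1 = 8.8.8.8
    nbns2 = 223.5.5.5
}
include strongswan.d/*.conf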
配置 ipsec.secrets
# ipsec.secrets - every line below is a credential, so keep the file
# root-only (0600). The strings are the page's sample values; replace them
# before deployment.
# Private key matching leftcert (server.cert.pem) in ipsec.conf.
: RSA server.key.pem
# Group PSK for the cisco_xauth_psk connection. The same group PSK is given
# to every client; the per-user factor is the XAUTH credential below, which
# here reuses the very same string — give it its own value.
: PSK "visionsrv"
: XAUTH "visionsrv"
# EAP credential for user "myvpn". The IKEv2-EAP-Windows connection uses
# rightauth = eap-radius, so whether this local entry is consulted depends
# on the RADIUS setup — confirm against it.
myvpn %any : EAP "123456"
配置Firewall和转发
1.开放端口
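# IKE (udp/500) and NAT-T (udp/4500) are UDP only; the 500/tcp and 4500/tcp
# entries from the original opened ports nothing listens on and are dropped.
firewall-cmd --add-port=500/udp --permanent
firewall-cmd --add-port=4500/udp --permanent
# Peers that are not behind NAT send plain ESP (IP protocol 50) instead of
# UDP-encapsulated packets. firewalld's predefined "ipsec" service covers
# udp/500, udp/4500 and ESP/AH together; check its definition on your
# version with "firewall-cmd --info-service=ipsec".
firewall-cmd --add-service=ipsec --permanent
# Zone-wide masquerade. The iptables POSTROUTING rules further down limit
# NAT to the two client pools; one of the two mechanisms is enough.
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload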
2.编辑 /etc/sysctl.conf

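# Edit kernel parameters; honours $EDITOR and falls back to vim.
"${EDITOR:-vim}" /etc/sysctl.conf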

# Forwarding is required for traffic between the VPN client pools and the
# networks behind the gateway.
net.ipv4.ip_forward=1
# IPv6 forwarding. Nothing else on this page configures IPv6; if no v6
# clients are expected this can stay off — kept as the author had it.
net.ipv6.conf.all.forwarding=1
# A forwarding host should neither accept nor emit ICMP redirects.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Apply without a reboot: sysctl -p /etc/sysctl.conf
3.开启 firewall的转发功能

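# NAT the two client pools (rightsourceip in ipsec.conf) out of the uplink.
# strongswan.conf on this page names eth0 and these rules named ens160; set
# WAN_IF once to the real uplink so both agree.
WAN_IF="${WAN_IF:-ens160}"
for pool in 172.16.6.0/24 172.16.7.0/24; do
  # -C checks first so re-running the snippet does not append duplicates
  # (-C prints an error when the rule is absent, hence the redirect).
  iptables -t nat -C POSTROUTING -s "$pool" -o "$WAN_IF" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -s "$pool" -o "$WAN_IF" -j MASQUERADE
done
# These rules live in the running kernel only; unlike firewalld's
# --permanent masquerade above they are gone after a reboot.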
启动服务
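# Start the daemon exactly once. "ipsec start" launches starter/charon
# directly; "systemctl restart strongswan" does the same through a unit,
# which a source build only provides if it was configured to install one.
# Running both back to back starts the daemon, then kills and restarts it.
if systemctl cat strongswan.service >/dev/null 2>&1; then
  systemctl restart strongswan
else
  ipsec start
fi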
三、 各种终端测试