时间:2018年4月
关键字:ikev2、strongswan、vpn、免证书、ca
前言
这里说的免证书是指客户端不用导入证书,只使用用户名密码进行登录。
对于IKEv2来说,服务器端和客户端都需要配置证书,但服务器端可以采用CA签发的证书,这样客户端就可以自动完成证书的验证,就像https一样。
本文仅对建立VPN连接进行了描述,通过VPN访问Internet需要进行iptables设置,请自行查找资料。
第一步,申请CA签发的证书
详细参考:https://blog.fish2bird.com/?p=780
这里使用域名vpn.fish2bird.com,这个域名需要和后续提到的配置文件中的leftid对应。
第二步,安装strongswan
操作系统Debian 9,除了安装strongswan,还需要安装libcharon-extra-plugins。
root@debian:~# apt-get install strongswan libcharon-extra-plugins
第三步,修改配置文件
root@debian:~# vim /etc/ipsec.conf
...
# /etc/ipsec.conf excerpt. In ipsec.conf every parameter line must be indented
# under its "conn" section; the flattened copy on this page lost that indentation.
conn %default
    left=%any
    # Full tunnel: the server offers 0.0.0.0/0, so all client traffic is sent
    # through the VPN (this is why the NAT / ip_forward steps later are needed).
    leftsubnet=0.0.0.0/0
    right=%any
    # Virtual IP pool assigned to clients; keep it in sync with the source
    # range used in the iptables MASQUERADE rule.
    rightsourceip=10.0.0.0/24
    # Dead-peer detection: on timeout the SA is closed without retrying.
    dpdaction=clear
    # IKE fragmentation, useful because the certificate payloads can be large.
    fragmentation=yes

conn ikev2-eap
    keyexchange=ikev2
    # NOTE(review): the trailing "!" makes these proposal lists strict. They
    # still contain modp1024 (1024-bit DH), 3DES and SHA-1, which are legacy
    # algorithms; if the clients you need to support allow it, prefer
    # aes256-sha256-modp2048 and drop the 3des/sha1 entries.
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    # This side does not renegotiate SAs when they expire; the client can still
    # initiate rekeying (presumably chosen for mobile clients).
    rekey=no
    leftauth=pubkey # server authenticates with its certificate (public key)
    leftcert=/etc/letsencrypt/live/vpn.fish2bird.com/cert.pem # certificate file
    # NOTE(review): Let's Encrypt's cert.pem holds only the leaf certificate;
    # clients also need the intermediate CA to validate the chain. If clients
    # reject the server certificate, check that chain.pem is available to
    # charon (e.g. in /etc/ipsec.d/cacerts).
    leftsendcert=always
    leftid=vpn.fish2bird.com # must match the domain name in the CA-issued certificate
    # Client authenticates with username/password over EAP. MSCHAPv2 itself is
    # weak, so the client's validation of the server certificate is what keeps
    # the password hash away from a man-in-the-middle; clients must not skip it.
    rightauth=eap-mschapv2
    rightsendcert=never
    # Take the EAP identity the client sends and use it to look up the secret.
    eap_identity=%any
    # Load the connection and wait for clients; the server never initiates it.
    auto=add
...
root@debian:~# ipsec restart
第四步,修改账号密码配置文件
root@debian:~# vim /etc/ipsec.secrets
...
# Private key matching the server certificate referenced by leftcert.
: RSA /etc/letsencrypt/live/vpn.fish2bird.com/privkey.pem
# EAP users, one per line:  username : EAP "plaintext password"
# NOTE(review): passwords are stored in clear text, so this file must stay
# readable by root only (mode 0600) and must not end up in backups, shared
# repositories or pastes. Replace the sample password below with a strong one.
user1 : EAP "1234abcd"
...
root@debian:~# ipsec restart
客户端设置
iOS/macOS系统
VPN Type:IKEv2
Server Address:vpn.fish2bird.com
Remote ID:vpn.fish2bird.com
Local ID:
Authentication Settings:
Username/Certificate/None
Username:user1
Password:1234abcd
使用NAT访问外网
root@debian:~# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
root@debian:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@debian:~# vim /etc/strongswan.d/charon.conf
charon {
...
#dns1 =
dns1 = 114.114.114.114
...
:wq
root@debian:~# ipsec restart
常见问题
常用调试命令
root@debian:~# ipsec listall
root@debian:~# ipsec status
root@debian:~# ipsec statusall
打开调试信息
root@localhost:~# vim /etc/strongswan.d/charon-logging.conf
charon {
    # Section to define file loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    filelog {
        # <filename> is the full path to the log file.
        # <filename> {
        # Log to /var/log/charon.log. NOTE(review): even at level 1 the log
        # typically contains peer addresses, identities and EAP user names, so
        # keep the file root-readable and rotate it; level 4 additionally logs
        # sensitive data such as keys and is not suitable for production.
        /var/log/charon.log {
            # Loglevel for a specific subsystem.
            # <subsystem> = <default>
            # If this option is enabled log entries are appended to the existing
            # file.
            # append = yes
            # Default loglevel.
            # default = 1
            default = 1
            # Enabling this option disables block buffering and enables line
            # buffering.
            # flush_line = no
            flush_line = yes
            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no
            ike_name = yes
            # Adds the milliseconds within the current second after the
            # timestamp (separated by a dot, so time_format should end with %S
            # or %T).
            # time_add_ms = no
            # Prefix each log entry with a timestamp. The option accepts a
            # format string as passed to strftime(3).
            # time_format =
        # }
        }
    }
    # Section to define syslog loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    syslog {
        # Identifier for use with openlog(3).
        # identifier =
        # <facility> is one of the supported syslog facilities, see LOGGER
        # CONFIGURATION in strongswan.conf(5).
        # <facility> {
            # Loglevel for a specific subsystem.
            # <subsystem> = <default>
            # Default loglevel.
            # default = 1
            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no
        # }
    }
}