Tutorial: setting up an IPSec IKEv1/v2 VPN with strongSwan on a CentOS/Ubuntu VPS
IPSec is a VPN protocol suite that secures IP traffic by authenticating and encrypting every IP packet.
Connect to your VPS over ssh and run the following command:
$ cat /dev/net/tun
The output should be:
cat: /dev/net/tun: File descriptor in bad state
Then run:
$ cat /dev/ppp
The output should be:
cat: /dev/ppp: No such device or address
If you do not see this output you cannot continue; contact your VPS provider's support.
CentOS:
# yum update
# yum install gmp-devel pam-devel openssl-devel make gcc
Ubuntu:
# apt-get update
# apt-get install libgmp3-dev openssl libssl-dev make gcc
$ wget http://download.strongswan.org/strongswan.tar.bz2
$ tar xjvf strongswan.tar.bz2
$ cd strongswan-*
Xen/KVM VPS:
$ ./configure --prefix=/usr --sysconfdir=/etc \
--enable-eap-mschapv2 --enable-xauth-eap --enable-eap-identity --enable-eap-tls \
--enable-eap-ttls --enable-eap-md5 --enable-eap-tnc --enable-eap-dynamic \
--enable-openssl --disable-gmp --enable-eap-aka --enable-nat-transport
OpenVZ VPS (add --enable-kernel-libipsec):
$ ./configure --prefix=/usr --sysconfdir=/etc \
--enable-eap-mschapv2 --enable-xauth-eap --enable-eap-identity --enable-eap-tls \
--enable-eap-ttls --enable-eap-md5 --enable-eap-tnc --enable-eap-dynamic \
--enable-openssl --disable-gmp --enable-eap-aka --enable-nat-transport \
--enable-kernel-libipsec
# make
# make install
$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> private/ca.key.pem
$ chmod 600 private/ca.key.pem
$ ipsec pki --self --ca --lifetime 730 \
--in private/ca.key.pem --type rsa \
--dn "C=CN, O=strongSwan, CN=strongSwan Root CA" \
--outform pem \
> cacerts/ca.cert.pem
size 2048: a 2048-bit RSA key
lifetime 730: valid for 730 days (2 years)
dn: C is the country, O the organization, CN (common name) the name
$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> private/host.key.pem
$ chmod 600 private/host.key.pem
$ ipsec pki --pub --in private/host.key.pem --type rsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/ca.cert.pem \
--cakey private/ca.key.pem \
--dn "C=CN, O=strongSwan, CN=vpn.example.com" \
--san "1.2.3.4" \
--flag serverAuth --flag ikeIntermediate \
--outform pem > certs/host.cert.pem
CN: your server's hostname or IP
san: your server's IP
$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> private/client.key.pem
$ chmod 600 private/client.key.pem
$ ipsec pki --pub --in private/client.key.pem --type rsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/ca.cert.pem \
--cakey private/ca.key.pem \
--dn "C=CN, O=strongSwan, CN=myself@example.com" \
--san myself@example.com \
--outform pem > certs/client.cert.pem
$ openssl pkcs12 -export -inkey private/client.key.pem \
-in certs/client.cert.pem -name "My own VPN client certificate" \
-certfile cacerts/ca.cert.pem \
-caname "strongSwan Root CA" \
-out client.p12
You will be asked for an export password when generating this file; you will need it again when installing the certificate on the client.
For installation on iOS devices a 4-digit numeric password works best; the password may also be left empty.
Then send the certificate to the client and install it (iOS devices need both ca.cert.pem and client.p12).
For more detail see the strongSwan wiki: IKEv2 on iOS 9 & OS X 10.11 / IKEv2 on Win7+
# /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    uniqueids = never

conn %default
    dpdaction = clear
    dpddelay = 35s
    dpdtimeout = 300s

# for iOS 6+ and Android 4+ without installing the CA certificate
conn IPSec-IKEv1-PSK
    keyexchange = ikev1
    fragmentation = yes
    # left -- local (server) side
    left = %any
    leftauth = psk
    leftsubnet = 0.0.0.0/0
    # right -- remote (client) side
    right = %any
    rightauth = psk
    rightauth2 = xauth
    rightsourceip = 10.36.1.0/24
    auto = add

# for iOS 8+, Android 4.4+ and Win 7+
conn IPSec-IKEv2
    keyexchange = ikev2
    ike = aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp = aes256-sha256,aes256-sha1,3des-sha1!
    eap_identity = %any
    fragmentation = yes
    rekey = no
    mobike = no
    # left -- local (server) side
    left = %any
    leftauth = pubkey
    leftcert = host.cert.pem
    leftsubnet = 0.0.0.0/0
    leftsendcert = always
    # right -- remote (client) side
    right = %any
    rightauth = eap-mschapv2
    rightcert = client.cert.pem
    rightsourceip = 10.36.2.0/24
    rightsendcert = never
    auto = add
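The IKEv2 proposals above keep SHA-1, 3DES and modp1024 so that the older clients named in the comment can still connect. The following Python snippet is an example added to this tutorial (not part of the original): it parses the conn sections of an ipsec.conf and lists which weak primitives each explicit ike/esp proposal still allows, so the compatibility trade-off is visible before the config is deployed. WEAK_TOKENS is the auditor's own list, and SAMPLE_CONF is constructed from the tutorial's ipsec.conf.

```python
# Audit the ike/esp proposals of each conn in a strongSwan ipsec.conf (example added to
# this tutorial; WEAK_TOKENS is the auditor's own list, SAMPLE_CONF is constructed from above).
import re
WEAK_TOKENS = {  # primitives a reviewer would flag today (constructed list)
    "3des": "64-bit block cipher (Sweet32)",
    "sha1": "SHA-1 integrity/PRF",
    "md5": "MD5 integrity/PRF",
    "modp1024": "1024-bit DH group",
}

def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:  # options before any conn belong to 'config setup'
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns

def weak_primitives(proposal):
    """Weak tokens in a proposal string such as 'aes256-sha1-modp1024,3des-sha1!'."""
    tokens = re.split(r"[-,!]", proposal.lower())
    return {t: WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS}

def audit(text):
    """Map (conn, 'ike'|'esp') to the sorted weak tokens its explicit proposal allows."""
    findings = {}
    for name, opts in parse_conns(text).items():
        for key in ("ike", "esp"):
            weak = weak_primitives(opts.get(key, ""))  # no explicit proposal -> daemon defaults
            if weak:
                findings[(name, key)] = sorted(weak)
    return findings

SAMPLE_CONF = """
conn IPSec-IKEv1-PSK
    keyexchange = ikev1
conn IPSec-IKEv2
    ike = aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp = aes256-sha256,aes256-sha1,3des-sha1!
"""

if __name__ == "__main__":
    for (conn, key), weak in audit(SAMPLE_CONF).items():
        print(f"{conn}: {key} proposal still allows {', '.join(weak)}")
```

A conn without an explicit ike/esp line is not reported, since it uses the daemon defaults rather than the proposal written in the file.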
# /etc/ipsec.secrets
# ipsec.secrets
: RSA host.key.pem
: PSK "your_psk"
# use XAUTH
user1 : XAUTH "password"
user2 : XAUTH "password"
# use EAP
user3 : EAP "password"
user4 : EAP "password"
# /etc/strongswan.conf - strongSwan configuration file
charon {
    load_modular = yes
    # disable the duplicate check so that several devices can be connected at the same time
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.4.4
    dns2 = 8.8.8.8
    # for Windows WINS Server
    nbns1 = 8.8.4.4
    nbns2 = 8.8.8.8
}
include strongswan.d/*.conf
Run the following commands in a terminal (root required):
# sysctl -w net.ipv4.ip_forward=1
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.all.send_redirects=0
On an OpenVZ VPS, run:
# iptables -A INPUT -i venet0 -p esp -j ACCEPT
# iptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT
# iptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.36.1.0/24 -o venet0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 10.36.2.0/24 -o venet0 -j MASQUERADE
# iptables -A FORWARD -s 10.36.1.0/24 -j ACCEPT
# iptables -A FORWARD -s 10.36.2.0/24 -j ACCEPT
On a Xen/KVM VPS, run:
# iptables -A INPUT -i eth0 -p esp -j ACCEPT
# iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
# iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.36.1.0/24 -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 10.36.2.0/24 -o eth0 -j MASQUERADE
# iptables -A FORWARD -s 10.36.1.0/24 -j ACCEPT
# iptables -A FORWARD -s 10.36.2.0/24 -j ACCEPT
CentOS, run:
# /sbin/service iptables save
Ubuntu:
First save the firewall rules to /etc/iptables.up.rules:
# iptables-save > /etc/iptables.up.rules
Then edit /etc/network/interfaces and add the last line shown below to the eth0 stanza by hand:
auto eth0
iface eth0 inet dhcp
    pre-up iptables-restore < /etc/iptables.up.rules
For details see: Ubuntu IptablesHowTo
# ipsec start
To start automatically at boot on CentOS 7 / Ubuntu:
# systemctl enable strongswan