Setup IPSec VPN with strongSwan

I previously set up an IKEv2 VPN with strongSwan, mainly for use on Windows Phone (WP). Recently I got hold of an iOS device and quickly upgraded it to iOS 8.2. iOS 8 supports IKEv2 natively, but Apple has not updated the GUI for it, so using IKEv2 still requires some extra work (which I could not make sense of, TAT). I therefore added an iOS-compatible connection (IPsec VPN via IKEv1) to the IPsec setup I had already built. This post consolidates the configuration from the referenced articles according to my own setup experience.

References:

Running on a DigitalOcean VPS with Ubuntu 14.04 x64.


Install strongSwan

sudo apt-get install build-essential     # build environment
sudo apt-get install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev     # build dependencies
sudo apt-get install strongswan*
ipsec version     # verify the installation

Generate and install certificates

CA certificate:

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CH, O=strongSwan, CN=your-own-domain-or-ip CA" --ca --outform pem > caCert.pem

Notice: the CN (Common Name) is the server's domain name or IP address; the server address entered on the client when connecting must match this CN value exactly.

Server certificate:

ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CH, O=strongSwan, CN=your-own-domain-or-ip" --flag serverAuth --outform pem > serverCert.pem

Client (iOS) certificate:

ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem

PKCS#12 file:

openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12

Install certificates:

cp -f caCert.pem /etc/ipsec.d/cacerts/
cp -f serverCert.pem /etc/ipsec.d/certs/
cp -f serverKey.pem /etc/ipsec.d/private/

Move the client certificate and key into the corresponding folders:

cp clientCert.pem /etc/ipsec.d/certs/
cp clientKey.pem /etc/ipsec.d/private/
cp clientCert.p12 /etc/ipsec.d/certs/

Configure strongSwan

Edit /etc/ipsec.conf:
vim /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # allow several devices to be online at the same time
    uniqueids=no
    # ignored by strongSwan 5.x, where NAT traversal is always enabled
    nat_traversal=yes

# Add connections here.
# Sample VPN connections
#conn sample-self-signed
#          leftsubnet=10.1.0.0/16
#          leftcert=selfCert.der
#          leftsendcert=never
#          right=192.168.0.2
#          rightsubnet=10.2.0.0/16
#          rightcert=peerCert.der
#          auto=start

# IKEv2 connection for Windows / Windows Phone clients
conn ikev2
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid=ikev2
    right=%any
    # address pool assigned to clients after they connect
    rightsourceip=10.11.1.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

# IKEv1 (XAuth + RSA) connection for iOS clients
conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2
    rightcert=clientCert.pem
    pfs=no
    dpdaction=clear
    auto=add

Edit /etc/ipsec.secrets:
vim /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA serverKey.pem
# password entered on the Windows/WP client
: EAP "User_Password"
# username and password entered on the iOS client
UserName : XAUTH "User_Password"

Notice: with this setup the username on the Windows/WP client can be anything. Alternatively, change that line to:

: RSA serverKey.pem
# Windows 7 and later
UserName : EAP "User_Password"
# Windows Phone 8.1 devices only
WPDeviceName\UserName : EAP "User_Password"
*On Windows Phone 8.1, the username typed on the client arrives at the server as DeviceName\UserName, so the credential must include the device name; it can be found under Settings - About - Phone info.*

Edit /etc/strongswan.conf:
vim /etc/strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

Configure iptables forwarding

# enable IP forwarding for client traffic (required; not listed in the original steps)
sysctl -w net.ipv4.ip_forward=1
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
# masquerade the client pools of both conns (the ios conn hands out 10.0.0.2)
iptables -t nat -I POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
# prints the active rules; redirect the output to a file if you want to persist them
iptables-save
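As an added example (my own code, not from the original post or from strongSwan), a small Python checker that parses the conn sections of an ipsec.conf and the iptables NAT rules, and reports client pools that no MASQUERADE rule covers together with the SHA-1/modp1024 proposal and the IKEv1 pfs=no setting used above. The embedded config is a constructed excerpt of this post's settings, not the complete file.

```python
import ipaddress
import re
# Constructed sample: the relevant settings of the two conn blocks and the NAT rule from this post.
IPSEC_CONF = """
conn ikev2
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rightsourceip=10.11.1.0/24   # pool handed to Windows clients
conn ios
    keyexchange=ikev1
    pfs=no
    rightsourceip=10.0.0.2
"""
NAT_RULES = ["iptables -t nat -I POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE"]

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section, ignoring # comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    return conns

def masqueraded_nets(rules):
    """Source networks covered by '-s <net> ... -j MASQUERADE' rules."""
    nets = []
    for rule in rules:
        match = re.search(r"-s\s+(\S+).*-j\s+MASQUERADE", rule)
        if match:
            nets.append(ipaddress.ip_network(match.group(1), strict=False))
    return nets

def audit(conf_text, nat_rules):
    """List findings: client pools without NAT coverage and weak proposals."""
    findings, nets = [], masqueraded_nets(nat_rules)
    for name, opts in parse_conns(conf_text).items():
        pool = opts.get("rightsourceip")
        if pool and not any(ipaddress.ip_network(pool, strict=False).subnet_of(n) for n in nets):
            findings.append(f"{name}: pool {pool} is not covered by any MASQUERADE rule")
        ike = opts.get("ike", "")
        if "sha1" in ike or "modp1024" in ike:
            findings.append(f"{name}: IKE proposal {ike} uses SHA-1 or 1024-bit DH")
        if opts.get("keyexchange") == "ikev1" and opts.get("pfs") == "no":
            findings.append(f"{name}: IKEv1 connection with pfs=no")
    return findings
```

Running `audit(IPSEC_CONF, NAT_RULES)` on the post's original single NAT rule flags the ios pool as unmasqueraded; adding a rule for 10.0.0.0/24 clears that finding.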

Start strongSwan

service strongswan restart

Notice: if the service fails to start, running ipsec status or ipsec start may help.

Client connection setup

Windows/WP:
Download the generated caCert.pem and install it on the Windows client, then create a VPN connection with the server address, the username and the password specified above.

iOS:
Transfer the generated caCert.pem and clientCert.p12 to the iOS device by e-mail or over the web and install both certificates. When configuring the VPN, select the client certificate and enter the specified username and password.

All Done!
