strongswan基本用法



0x01 安裝

====> CentOS

RPM安裝 下載:https://pkgs.org/download/strongswan
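# Fetches one fixed EPEL build (strongswan 5.7.2, a 2018 release) over plain HTTP and installs it.
# Prefer the repository install below so the package keeps receiving security updates; if you
# must pin a build, at least verify the package signature before installing it. The check needs
# the EPEL signing key imported into the rpm keyring (the epel-release package ships it).
wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/s/strongswan-5.7.2-1.el7.x86_64.rpm
# Refuse to install anything whose signature does not verify — the download was not authenticated.
rpm --checksig strongswan-*.rpm || { echo "strongswan rpm: signature check failed, not installing" >&2; exit 1; }
rpm -ivh strongswan-*.rpm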

或者是

# Install from the EPEL repository instead of a pinned RPM, so the daemon tracks security updates.
yum -y install epel-release
# openssl-devel is a build-time dependency only; the packaged strongswan needs just the openssl
# runtime library, so it can be dropped unless you compile plugins yourself.
yum -y install openssl-devel strongswan
查找相關插件 yum search swan
其它插件無需安裝。尤其不要裝 strongswan-libipsec:它提供的是用戶態 IPsec 後端(kernel-libipsec,會建立 ipsec0 虛擬網卡並做 UDP 封裝),只在內核沒有 IPsec 棧時才需要。
一般 Linux 上 charon 直接通過 kernel-netlink 插件使用內核 IPsec;兩個後端同時加載時容易出現客戶端連不上服務器的現象。

====> Ubuntu

# libssl-dev is a build-time dependency and libstrongswan is pulled in by strongswan itself;
# only 'strongswan' is strictly required on a binary install.
apt -y install openssl libssl-dev strongswan libstrongswan

# Extra plugin packages (the eap-mschapv2 plugin used by the server configuration is one of
# them). Load only what the configuration needs — every plugin runs inside a root daemon.
# Confirm what actually got loaded with 'ipsec statusall' (it lists the loaded plugins).
apt -y install libcharon-extra-plugins libstrongswan-extra-plugins

0x02 服務器端

====> ipsec.conf

# EAP (Extensible Authentication Protocol): how clients authenticate here (rightauth=eap-mschapv2).
# IKE / ESP: the key-exchange (IKE_SA) and data-protection (CHILD_SA) algorithm proposals.
# right = the remote end (the road-warrior client); left = the local end (this server).
# This is the legacy ipsec.conf format read by the "starter" daemon; certificate/key names below
# are relative to /etc/ipsec.d/{certs,private} (see the certificate section of this page).

config setup
  charondebug="cfg 2" # log configuration/proposal matching at level 2 — chatty, lower it in production
  uniqueids=never # allow several concurrent IKE_SAs for the same identity.
                  # NOTE(review): a leaked EAP credential can then be used in parallel without
                  # displacing the legitimate user; 'replace' (the default) or 'keep' makes that visible.

conn %default
  # IKE proposals. The trailing '!' makes the list strict: nothing outside it is accepted.
  # modp1024 (DH group 2) and sha1 are the weakest entries and are commonly kept only for
  # legacy clients (older Windows builds default to DH group 2); remove them as soon as you
  # control the client set. Prefer the ecp256/ecp384 and modp2048+ entries with sha256/sha384.
  ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
  # ESP proposals. The AES-GCM entries are the preferred AEAD ciphers. Entries without a DH
  # group (aes128gcm16, aes128-sha256, ... at the end) negotiate the CHILD_SA without PFS;
  # the same modp1024/sha1 caveat as above applies.
  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
  keyingtries=1 # one negotiation attempt; only matters when this side initiates

conn myvpn
  keyexchange=ikev2
  # Older, shorter proposal lists kept for reference; the %default lists above are what applies.
  # ike=aes256-aes192-aes128-sha384-sha256-sha1-modp3072-modp2048-modp1536-modp1024!
  # esp=aes256-aes192-aes128-sha384-sha256-sha1!
  rekey=no # this side never initiates rekeying; the clients are expected to
  compress=no

  left=%any # listen on every local address
  # leftid=%domain.ltd # identity sent to clients; when unset it is taken from the certificate
  # leftfirewall=no
  # Hook run as root on every SA up/down event. It replaces strongSwan's stock _updown script,
  # so anything that script would do (e.g. firewall rules) is not done here. Must be executable.
  leftupdown=/etc/strongswan/strongswan.d/proxyndp.updown
  leftsubnet=0.0.0.0/0,::/0 # full tunnel: clients send all IPv4 and IPv6 traffic through this server
  leftauth=pubkey # the server authenticates with its certificate
  leftsendcert=always # always send the certificate; EAP clients have no other way to obtain it
  leftcert=server.cert.pem # in /etc/ipsec.d/certs/; the matching private key is listed in ipsec.secrets

  right=%any # accept clients from any address
  # rightid=%hostname
  # Virtual address pools handed to clients. 2001:db8::/32 is the RFC 3849 documentation prefix —
  # substitute a prefix you actually route; if the proxy-NDP hook is used, it should be carved out
  # of the on-link prefix of the server interface named in that hook.
  rightsourceip=10.10.2.1/24,2001:db8::/96
  # Resolvers pushed to clients (Google Public DNS): all client DNS queries leave via these.
  rightdns=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844
  rightsendcert=never # clients authenticate with EAP and have no certificate to send
  rightauth=eap-mschapv2 # username/password via EAP-MSCHAPv2; credentials live in ipsec.secrets

  # tfc=%mtu
  eap_identity=%any # look the secret up by whatever EAP identity the client presents
  dpdaction=clear # silently tear the SA down when the peer stops answering DPD probes
  dpddelay=2400s # probe idle peers only every 40 minutes; a vanished client's pool address stays taken until then
  fragmentation=yes # IKE-level fragmentation for paths that drop large UDP datagrams (certificate payloads)
  auto=add # load the conn and wait for clients (responder only)

  

====> ipsec.secrets

# Exactly one of the two lines applies, matching leftauth in ipsec.conf:
#   leftauth=pubkey -> the RSA line: the private key file (relative to /etc/ipsec.d/private/,
#                      e.g. server.key) and its passphrase; the quoted string can be left out
#                      when the key is not encrypted. ("私約" in the placeholder is a typo for
#                      私鑰, private key.)
#   leftauth=eap    -> one EAP line per user. Passwords are stored in clear, so this file must be
#                      owned by root with mode 0600 (check ipsec.secrets(5) for the hashed NTLM form).
: RSA <private_key.file> "私約加密密碼"
<username> : EAP "password"

====> 防火牆和路由轉發

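# NAT the VPN address pools out of the uplink. The pools MUST be the same ranges as
# rightsourceip in ipsec.conf (10.10.2.1/24 and 2001:db8::/96 above); the original rule used
# /112 for IPv6, which would leave most of the /96 pool un-NATed. 2001:db8::/32 is the RFC 3849
# documentation prefix — substitute the prefix you actually route.
WAN_IF=${WAN_IF:-eth0}
VPN_POOL4=${VPN_POOL4:-10.10.2.0/24}
VPN_POOL6=${VPN_POOL6:-2001:db8::/96}

iptables  -t nat -A POSTROUTING -s "$VPN_POOL4" -o "$WAN_IF" -j MASQUERADE
# NOTE(review): NAT66 and the proxy-NDP updown hook are alternatives, not a pair. With this
# rule every client flow leaves with the server's own address and the proxied neighbour
# entries are never used; keep it only when the pool is NOT part of the uplink's on-link
# prefix, otherwise drop it and let proxy NDP do the routing.
ip6tables -t nat -A POSTROUTING -s "$VPN_POOL6" -o "$WAN_IF" -j MASQUERADE
# If the FORWARD chain defaults to DROP you also need ACCEPT rules for traffic from/to the
# pools; the original showed none, so none are added here.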

在 /etc/sysctl.conf 中追加如下三行(第三行 proxy_ndp 只有在用 proxyndp.updown 為客戶端代答 NDP 時才需要;對 IPv6 做 MASQUERADE 的話可以不加)

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1

執行 sysctl -p

====> 啟動/停止

ipsec restart(EPEL 的 CentOS 包把命令改名為 strongswan,即 strongswan restart;用 systemd 管理時為 systemctl restart strongswan)


0x03 客戶端

====> ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file (client side)
# basic configuration

config setup
  # strictcrlpolicy=yes # would require a fresh CRL for the server certificate; left off here
  uniqueids = never

# Add connections here.
conn client
  keyexchange=ikev2
  # No ike=/esp= given, so the client offers strongSwan's built-in default proposals; set
  # them explicitly if they do not overlap with the server's strict ('!') lists.
  # ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
  # esp=aes256-sha256,3des-sha1,aes256-sha1!
  right=pub.6tu.me # server address, resolved via DNS
  # Server identity. The certificate the server presents must carry this name and chain to a
  # CA in /etc/ipsec.d/cacerts/ — that check is what stops a rogue responder from harvesting
  # the EAP-MSCHAPv2 exchange. NOTE(review): the '%' prefix changes how the IDr payload is
  # sent/matched; confirm in the ipsec.conf manual that the match is still enforced.
  rightid=%pub.6tu.me
  rightsubnet=0.0.0.0/0,::/0 # full tunnel: everything is sent to the server
  rightauth=pubkey # the server proves itself with its certificate

  leftsourceip=%config,%config6 # request a virtual IPv4 and IPv6 address from the server's pools
  # leftauth=eap-mschapv2 # pin the EAP method instead of letting the server choose it
  leftauth=eap
  eap_identity=user # must equal the <username> of the EAP line in ipsec.secrets
  type=tunnel
  auto=add # loaded at start, brought up manually with 'ipsec up client'

# Keep the local LAN out of the tunnel: traffic between these subnets bypasses IPsec.
# Set 192.168.0.0/24 to the real LAN; with the full-tunnel rightsubnet above this is what
# keeps local devices reachable.
conn exempt
  right=127.0.0.1
  leftsubnet=192.168.0.0/24
  rightsubnet=192.168.0.0/24
  type=passthrough # bypass policy only, no SA is negotiated
  auto=route # install the policy at startup

 

====> ipsec.secrets

# Exactly one of the two lines applies, matching leftauth in the client ipsec.conf:
#   leftauth=pubkey -> the RSA line (client certificate key; passphrase optional if unencrypted).
#   leftauth=eap    -> the EAP line, which is the one the 'client' conn above uses: <username>
#                      must equal eap_identity (user) and the password is stored in clear, so keep
#                      the file root-owned with mode 0600. ("私約" is a typo for 私鑰, private key.)
: RSA <private_key.file> "私約加密密碼"
<username> : EAP "password"

====> 防火牆和路由轉發

用 ip route / ip -6 route 查看當前路由。
strongSwan 把 VPN 路由裝在 220 號路由表,用 ip route show table 220(IPv6: ip -6 route show table 220)查看。

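# Policy-routing bypass for the local LAN: packets sourced from these prefixes keep using the
# main routing table instead of strongSwan's VPN routes in table 220. 'prio 1' puts the rules
# ahead of the one strongSwan installs (its own rule uses a higher priority number by default).
# Set the prefixes to your LAN; they pair with the 'exempt' passthrough conn in ipsec.conf.
LAN_NET4=${LAN_NET4:-192.168.0.0/24}
LAN_NET6=${LAN_NET6:-}  # leave empty if the LAN has no IPv6 prefix

ip rule add from "$LAN_NET4" table main prio 1
if [[ -n "$LAN_NET6" ]]; then
  ip -6 rule add from "$LAN_NET6" table main prio 1
fi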

====> 啟動/停止

# systemctl restart network
ipsec restart(CentOS 上為 strongswan restart)
ipsec up client / ipsec down client(連接名必須與 ipsec.conf 中的 conn 名一致:上面定義的是 client,不是 ccc)

0x04 其它事項

====> 證書認證(本文方案中服務器端必須:客戶端用 EAP 認證,服務器用證書證明自己的身份)

在配置證書這一環節,服務器證書的 SAN 必須包含客戶端在 right=/rightid= 中使用的主機名(本例為 pub.6tu.me),否則客戶端無法確認服務器身份;建議用 acme.sh 向公共 CA 申請證書,這樣客戶端不必額外導入私有 CA。部分客戶端(如 Windows 內置 IKEv2 客戶端)還要求證書帶 serverAuth EKU。

也可以用 ipsec pki 或 openssl 生成自簽名/私有 CA 證書,但此時每個客戶端都必須把該 CA 放進 cacerts 目錄,並且 CA 私鑰要離線保存。

證書目錄

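# Put the server's material where ipsec.conf (leftcert=server.cert.pem) and ipsec.secrets
# (': RSA server.key') look for it. NOTE(review): the EPEL/CentOS build keeps its tree under
# /etc/strongswan/ (cf. the leftupdown path above), so use /etc/strongswan/ipsec.d/ there.
IPSEC_D=${IPSEC_D:-/etc/ipsec.d}

# cacerts/: the issuing chain, so charon can validate and send the server's chain.
install -m 0644 chain.pem       "$IPSEC_D/cacerts/"
install -m 0644 server.cert.pem "$IPSEC_D/certs/"
# private/: root-only. A world-readable key lets any local user impersonate the server.
install -m 0600 -o root -g root server.key "$IPSEC_D/private/"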

 

# Only needed when something other than charon (which reads /etc/ipsec.d/cacerts/) has to trust
# this CA. NOTE(review): if ca.pem is a private/self-signed CA, adding it to the system store
# makes every TLS client on this host trust anything that CA issues — skip this unless required,
# and keep the CA key offline.
yum/apt -y install ca-certificates

# Red Hat/CentOS layout shown; on Ubuntu/Debian drop a .crt into /usr/local/share/ca-certificates/
# and run update-ca-certificates instead.
cp ca.pem /etc/pki/ca-trust/source/anchors/
# The copy into /etc/pki/tls/certs/ registers nothing by itself; the anchors dir + update-ca-trust does.
cp ca.pem /etc/pki/tls/certs/

update-ca-trust extract

 

====> 參考資料

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2

https://oogami.name/1467/
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2ClientConfig
https://libreswan.org/wiki/Subnet_to_subnet_VPN
https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
Linux開源VPN之strongSwan
https://www.jianshu.com/p/ce6c545efd8a
https://www.cnblogs.com/Su-per-man/p/9952292.html
https://blog.csdn.net/puppylpg/article/details/64918562

0x05 注意事項

====> 配置選項

# leftauth=pubkey or eap, 取決於所選的網關配置
# leftcert=certificate, 僅當 leftauth=pubkey (e.g. peerCert.der)
# eap_identity=username, 僅當 leftauth=eap (e.g. peer)
# leftprotoport=17/1701 和 rightprotoport=17/%any 是 L2TP/IPsec(UDP 1701)才用的設置,純 IKEv2 方案中必須註釋掉
type=passthrough
type=transport
auto=route

keyingtries=%forever
dpdaction=restart
closeaction=restart
====> 錯誤調試

啟動後拋出如下錯誤,通常是 PF_KEY 接口(af_key 模塊)沒有加載,starter 因此探測不到內核 IPsec 棧——並不是內核「不支持 IKE」(IKE 由 charon 在用戶態完成)。先執行 modprobe af_key 再重啟;若仍失敗,再檢查內核是否編譯了 XFRM/ESP 支持。

no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!

proxyndp.updown 腳本:ipsec.conf 中 leftupdown 指向的鉤子(本例為 /etc/strongswan/strongswan.d/proxyndp.updown,需要 chmod +x)。用於客戶端地址直接取自服務器網卡所在 IPv6 前綴、不做 NAT66 的場景:由服務器代答 NDP(IPv4 則代答 ARP),讓同一鏈路上的鄰居能找到客戶端。若對 IPv6 做了 MASQUERADE,則不需要它。

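#!/bin/bash
# proxyndp.updown — strongSwan leftupdown hook (ipsec.conf: leftupdown=.../proxyndp.updown).
#
# charon runs this as root on every SA up/down event, passing the event name in PLUTO_VERB and
# the client's assigned address (CIDR form) in PLUTO_PEER_CLIENT. For the four client events
# handled below it adds or removes a proxy NDP (IPv6) / proxy ARP (IPv4) entry on IFACE, so
# that neighbours on that link reach the client through this server. All output goes to syslog.
#
# NOTE(review): this replaces strongSwan's stock _updown script, so nothing that script would
# do (e.g. firewall rules) happens here. The proxied address must belong to a prefix that is
# on-link on IFACE, otherwise the entry is useless. Verbs other than the four below are ignored
# silently, as in the original.

IFACE=eth0  # configure me: the interface whose on-link prefix the client pools are taken from

# Strip a trailing "/prefixlen" from a CIDR string; prints the input unchanged if it has none.
# $1: address, e.g. 10.10.2.5/32 or 2001:db8::5/128
strip_prefix() {
  printf '%s\n' "${1%/*}"
}

# Add or remove the neighbour-proxy entry for one event.
# $1: PLUTO_VERB, $2: bare client address, $3: interface
# Returns ip(8)'s exit status for handled verbs, 0 for unhandled ones.
proxy_action() {
  local verb=$1 addr=$2 iface=$3
  case "$verb" in
    up-client-v6)
      echo "Adding proxy NDP for $addr via $iface"
      ip -6 neigh add proxy "$addr" dev "$iface"
      ;;
    down-client-v6)
      echo "Removing proxy NDP for $addr via $iface"
      ip -6 neigh delete proxy "$addr" dev "$iface"
      ;;
    up-client)
      echo "Adding proxy ARP for $addr via $iface"
      ip neigh add proxy "$addr" dev "$iface"
      ;;
    down-client)
      echo "Removing proxy ARP for $addr via $iface"
      ip neigh delete proxy "$addr" dev "$iface"
      ;;
  esac
}

# Entry point: validate what charon handed us, then act.
# Returns 1 when a handled verb arrives without a client address (the original would then have
# run 'ip neigh add proxy  dev eth0' with an empty address); 0 otherwise.
main() {
  local verb=${PLUTO_VERB:-}
  local addr
  addr=$(strip_prefix "${PLUTO_PEER_CLIENT:-}")
  case "$verb" in
    up-client|down-client|up-client-v6|down-client-v6)
      if [[ -z "$addr" ]]; then
        echo "$verb: PLUTO_PEER_CLIENT is empty, nothing to proxy" >&2
        return 1
      fi
      proxy_action "$verb" "$addr" "$IFACE"
      ;;
  esac
}

main 2>&1 | logger -t proxyndp.updown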

 

 

0x06 各個功能模塊說明

charon:IKE(Internet Key Exchange)守護進程本體,負責 IKEv1/IKEv2 協商,並通過內核接口安裝 IPsec SA 和策略

charon-cmd:命令行形式的 IKE 客戶端,不讀 ipsec.conf,適合臨時撥號;charon-systemd:由 systemd 直接管理的 charon(配合 swanctl 使用)
charon-cmd charon-systemd

strongSwan IPsec client, pki 制作數字證書命令工具, SCEP(簡單證書注冊協議) client
strongswan-pki strongswan-scepclient

strongSwan IPsec client, swanctl command
strongswan-swanctl

IPsec VPN 主程序
strongswan

strongSwan 守護啟動器和配置文件解析器
strongswan-starter

IKE(Internet Key Exchange) 守護進程
strongswan-charon strongswan-libcharon

strongSwan charon library
libcharon-standard-plugins libcharon-extra-plugins

strongSwan 實用和加密庫
libstrongswan libstrongswan-standard-plugins libstrongswan-extra-plugins

網絡管理框架插件 / 可與NetworkManager進行交互的插件
network-manager-strongswan strongswan-nm

TNC(Trusted Network Connect)可信網絡連接協議
IF-MAP(Interface for Metadata Access Point)
PDP(Policy Decision Point,策略決策點——不是 Packet Data Protocol)

base / client / server files
strongswan-tnc-base strongswan-tnc-client strongswan-tnc-server

TNC 的插件
strongswan-tnc-ifmap strongswan-tnc-pdp

