strongswan配置l2tpd/ipsec连接VPN
安装软件
安装依赖
# Build prerequisites for compiling strongSwan from source (wget for the download).
# gmp-devel is pulled in although the configure step further down runs with
# --disable-gmp; it is harmless but not needed by that build.
yum -y install pam-devel openssl-devel make gcc gmp-devel wget
安装strongswan
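# Download, verify and build strongSwan from source.
# NOTE(review): 5.5.1 is the release this page was written against; it is an
# old release and later ones carry security fixes — check the project's current
# release before building. The original fetched the tarball over plain HTTP with
# no verification; fetch over HTTPS and check the detached signature against the
# strongSwan release signing key (which must already be in the gpg keyring).
strongswan_version=5.5.1
tarball="strongswan-${strongswan_version}.tar.gz"
wget "https://download.strongswan.org/${tarball}" || exit 1
wget "https://download.strongswan.org/${tarball}.sig" || exit 1
gpg --verify "${tarball}.sig" "${tarball}" || exit 1
tar xzf "${tarball}" || exit 1
cd "strongswan-${strongswan_version}" || exit 1
# EAP-MD5 is kept because the page enables it, but it is a weak EAP method and
# none of the conns on this page use it (they use eap-mschapv2), so it can be
# dropped. The duplicated --enable-openssl from the original has been removed.
./configure --enable-eap-identity --enable-eap-md5 \
  --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
  --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
  --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
  --enable-certexpire --enable-radattr --enable-tools --disable-gmp \
  || exit 1
make && make install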
安装xl2tpd,httpd
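# L2TP daemon plus the web server used later to hand out certificates.
# -y added for consistency with the dependency install above (non-interactive).
yum -y install xl2tpd httpd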
安装证书
生成CA证书私钥
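# Generate the CA private key (no --size/--type given, so the tool's defaults apply).
# The shell redirection creates ca.pem with the current umask, which is normally
# world-readable; restrict the umask in a subshell so the key file is created
# with owner-only permissions.
(umask 077 && ipsec pki --gen --outform pem > ca.pem)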
签名CA证书
# Self-sign the CA certificate from the key generated above.
# The DN used here (C=com, O=myvpn, CN=VPN CA) is what every certificate issued
# later and the rightca= value in ipsec.conf must agree with; the ipsec.conf
# listing further down on this page uses a different DN
# (C=CN, O=QiKuVPN, CN=360QiKU), which would not match this CA.
# No --lifetime is given, so the tool's default validity period applies.
ipsec pki --self --ca --in ca.pem \
  --dn "C=com, O=myvpn, CN=VPN CA" \
  --outform pem > ca.cert.pem
生成服务器证书使用的私钥
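# Generate the server private key (tool defaults for type/size).
# Same umask issue as for ca.pem: create the file owner-only rather than
# with the default umask.
(umask 077 && ipsec pki --gen --outform pem > server.pem)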
使用CA证书签发服务器证书
说明: 将下面命令中的 121.xx.xx.82 替换成自己服务器IP地址或域名；C= 和 O= 的值保持与前面的信息一致
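# Issue the server certificate from the CA.
# NOTE(review): only the first line of this command survived on the page; the
# --cakey/--dn/--san/--flag/--outform arguments below are reconstructed from the
# surrounding text (121.xx.xx.82 stands for the server's public address or
# name; C= and O= must equal the CA's) — confirm against the pki(1) manual.
# The output name server.cert.pem is the one ipsec.conf references as leftcert.
ipsec pki --pub --in server.pem \
  | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=com, O=myvpn, CN=121.xx.xx.82" --san 121.xx.xx.82 \
      --flag serverAuth --flag ikeIntermediate \
      --outform pem > server.cert.pem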
生成客户端使用私钥
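# Generate the client private key (tool defaults for type/size).
# Create it owner-only; it is later bundled into the .p12 handed to the client.
(umask 077 && ipsec pki --gen --outform pem > client.pem)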
使用CA证书签发客户端证书
说明: 生成的 ca.cert.pem 证书复制一份命名为 ca.cert.cer 提供给手机客户端使用；C= 和 O= 的值保持与前面的信息一致
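# Issue the client certificate from the CA.
# NOTE(review): only the first line of this command survived on the page; the
# --cakey/--dn/--outform arguments below are reconstructed (the CN is a
# constructed sample; C= and O= must equal the CA's) — confirm against pki(1).
# The output name client.cert.pem is the one the pkcs12 step and ipsec.conf use.
ipsec pki --pub --in client.pem \
  | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
      --dn "C=com, O=myvpn, CN=client" \
      --outform pem > client.cert.pem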
生成pkcs12用户证书，使用 RSA 模式连接时使用此证书。命令中的 -caname 后面的引号里的值必须要与前面第二步CA中的 CN= 的值保持一致
# Bundle the client key and certificate (with the CA chain) into a PKCS#12 file
# for clients that connect with the RSA conns. The -caname value must equal the
# CN of the CA certificate ("VPN CA" above). No -passout is given, so openssl
# prompts for the export password interactively, which keeps it out of argv and
# shell history. The .p12 contains the client's private key — treat it as a
# secret when distributing it.
client_key=client.pem
client_cert=client.cert.pem
openssl pkcs12 -export \
  -inkey "${client_key}" -in "${client_cert}" -certfile ca.cert.pem \
  -name "client" -caname "VPN CA" \
  -out client.cert.p12
服务器证书安装
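# Install the CA cert, the server cert/key and the client cert where charon
# looks for them (ipsec.conf below references server.cert.pem and
# client.cert.pem by name). The original used cp -r on regular files and
# inherited the default umask; install(1) sets the mode explicitly so the
# private key is not world-readable.
ipsec_d=/usr/local/etc/ipsec.d
install -m 644 ca.cert.pem "${ipsec_d}/cacerts/"
install -m 644 server.cert.pem "${ipsec_d}/certs/"
install -m 600 server.pem "${ipsec_d}/private/"
install -m 644 client.cert.pem "${ipsec_d}/certs/"
# The client's private key is not needed on the server (no conn on this page
# uses it) and keeping it here widens exposure if the server is compromised,
# so that copy is left out. The original line was:
#   cp -r client.pem /usr/local/etc/ipsec.d/private/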
配置
配置主要涉及到如下几个文件
一、 xl2tpd相关配置
/etc/ppp/options.xl2tpd
cat /etc/ppp/options.xl2tpd
# PPP options used by xl2tpd (referenced as pppoptfile in xl2tpd.conf).
# Reject PAP, CHAP and MS-CHAPv1 and accept only MS-CHAPv2 for user
# authentication. NOTE(review): MS-CHAPv2 on its own is breakable; it is only
# acceptable because the L2TP session is meant to run inside IPsec, yet the
# iptables rules on this page accept UDP/1701 from anywhere, so unprotected
# L2TP sessions would be accepted too — restrict 1701 to IPsec traffic.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# Do not negotiate CCP (compression).
noccp
# Require the peer to authenticate.
auth
#crtscts
# Lowered from the 1500 default, presumably to leave room for the
# L2TP/IPsec encapsulation overhead.
mtu 1410
mru 1410
# Keep the server's own default route when a PPP link comes up.
nodefaultroute
#lock
proxyarp
#silent
# DNS servers pushed to clients that ask for them (ms-dns); public resolvers
# here — change to internal ones if the VPN must resolve internal names.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
/etc/ppp/chap-secrets
cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
# NOTE(review): secrets are stored here in plain text, so the file must be
# readable by root only (mode 600). The "test"/"123456" entry that follows is
# a placeholder — the same pair is reused for the Apache account later on this
# page; give each VPN user a unique, long secret before exposing the server.
"test" * "123456" *
/etc/xl2tpd/xl2tpd.conf
cat /etc/xl2tpd/xl2tpd.conf
[global]
; UDP port xl2tpd listens on. NOTE(review): the iptables rules on this page
; open this port to everyone, so L2TP without IPsec is accepted as well;
; restrict it with an IPsec policy match so only tunnelled sessions reach xl2tpd.
port = 1701
[lns default]
; Addresses handed to L2TP clients. NOTE(review): the same 10.10.0.0/24 is
; used as rightsourceip by the IKEv1 XAuth conns in ipsec.conf, so two
; independent allocators share one range and may hand out the same address.
ip range = 10.10.0.2-10.10.0.254
local ip = 10.10.0.1
length bit = yes
; Mirror the PPP side: PAP and CHAP are refused, MS-CHAPv2 is enforced in
; options.xl2tpd, and an unauthenticated session is never accepted.
refuse pap = yes
refuse chap = yes
require authentication = yes
name = l2tp
pppoptfile = /etc/ppp/options.xl2tpd
二、 strongswan相关配置
/usr/local/etc/strongswan.conf
cat /usr/local/etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
# Plugin set comes from the per-plugin files included below.
load_modular = yes
# Disables the duplicheck plugin (duplicate IKE_SA detection per identity);
# together with uniqueids=never in ipsec.conf, one identity may hold several
# SAs at once.
duplicheck.enable = no
# NOTE(review): 'compress' is normally a per-conn setting in ipsec.conf;
# confirm charon honours it at this level, otherwise the line is inert.
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
# DNS/NBNS servers handed to clients in the configuration payload. Public
# resolvers here — replace with internal ones if internal names must resolve.
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
filelog {
# NOTE(review): /tmp is world-writable and is cleared on reboot; the log can
# contain peer identities and addresses, so a root-only file under /var/log
# is the safer location.
/tmp/charon.log {
# add a timestamp prefix
time_format = %b %e %T
# prepend connection name, simplifies grepping
ike_name = yes
# overwrite existing files
append = no
# increase default loglevel for all daemon subsystems
default = 1
# flush each line to disk
flush_line = yes
}
}
include strongswan.d/*.conf
/usr/local/etc/ipsec.secrets
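# Show the IKE secrets file (its contents are not reproduced on this page).
# This is where charon reads the pre-shared keys for the *-PSK conns and the
# private-key entries for the certificate conns, so it must be readable by
# root only (mode 600).
cat /usr/local/etc/ipsec.secrets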
/usr/local/etc/ipsec.conf
cat /usr/local/etc/ipsec.conf
# Global daemon settings.
config setup
# Disables the one-IKE_SA-per-identity check, so several devices can connect
# with the same PSK or certificate at the same time.
uniqueids=never
# Per-subsystem log levels. 'ike' appears twice (1, then 2); presumably the
# later value wins — keep one. Level 2 is verbose; lower it once the setup
# works, since the output is written to disk (/tmp/charon.log in strongswan.conf).
charondebug="chd 2,ike 1 ,ike 2, knl 2, net 2, esp 2, dmn 2, mgr 2, lib 1, cfg 1, enc 1"
# L2TP over IPsec with a pre-shared key: IKEv1, transport mode protecting
# only UDP/1701; PPP (xl2tpd) then authenticates the user with MS-CHAPv2.
conn QVPN_L2TP/IPsec-PSK
keyexchange=ikev1
# NOTE(review): a private address is hard-coded here and as leftid= in the
# conns below, while the certificate section tells the reader to use the
# public address 121.xx.xx.82; use one consistent public identity.
left=192.168.0.61
leftsubnet=0.0.0.0/0
leftprotoport=17/1701
# Key comes from ipsec.secrets; with right=%any it is one group PSK shared by
# every client, so anyone holding it could also impersonate the server.
authby=secret
leftfirewall=no
right=%any
rightprotoport=17/%any
type=transport
auto=add
# Same L2TP/IPsec service, but IKEv1 authentication with certificates.
conn QVPN_L2TP/IPsec-RSA
keyexchange=ikev1
keyingtries=1
left=%any
leftprotoport=udp/l2tp
leftid=192.168.0.61
#leftsubnet=0.0.0.0/0
# Installed under ipsec.d/certs/ in the certificate section.
leftcert=server.cert.pem
#leftsendcert=always
right=%any
rightprotoport=udp/%any
type=transport
auto=add
# IKEv1 tunnel mode for Cisco-style clients: group PSK plus XAuth credentials.
conn QVPN_IPsec-Xauth-PSK
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth
# Virtual addresses for clients. NOTE(review): the same 10.10.0.0/24 is also
# xl2tpd's 'ip range', so two independent allocators share one range and may
# hand out the same address. This is also the only range the iptables NAT and
# FORWARD rules on this page cover.
rightsourceip=10.10.0.0/24
rightsubnet=0.0.0.0/0
auto=add
# IKEv1 tunnel mode: server and client certificates plus XAuth credentials.
conn QVPN_IPsec-Xauth-RSA
keyexchange=ikev1
fragmentation = yes
leftsubnet=0.0.0.0/0
leftid=192.168.0.61
leftcert=server.cert.pem
leftsendcert=always
# secure cipher suits
# NOTE(review): the disabled proposals below include MD5, 3DES and MODP-1024,
# none of which is considered secure today; if they are ever enabled, keep
# only the AES/SHA entries with MODP-2048 or stronger.
#ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
#esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
rightsourceip=10.10.0.0/24
rightsubnet=0.0.0.0/0
# NOTE(review): this DN does not match the CA created earlier on this page
# (C=com, O=myvpn, CN=VPN CA); client certificates issued by that CA would be
# rejected here.
rightca="C=CN, O=QiKuVPN, CN=360QiKU"
# Pins one specific client certificate, so every client must present this
# exact cert; without it any certificate issued by rightca would be accepted.
rightcert=client.cert.pem
rightauth2=xauth
xauth=server
auto=add
# Hybrid mode: the server authenticates with its certificate, the client only
# with XAuth username/password (no client certificate).
conn QVPN_IPsec-Hybrid-RSA
keyexchange=ikev1
leftid=192.168.0.61
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
leftsendcert=always
leftauth=pubkey
# Unlike the other conns, charon manages firewall rules for this one through
# its updown script; make sure that does not clash with the manual iptables
# rules later on this page.
leftfirewall=yes
right=%any
rightsourceip=10.10.0.0/24
rightsubnet=0.0.0.0/0
rightauth=xauth
xauth=server
auto=add
# IKEv2 with EAP-MSCHAPv2 (username/password) for iOS/macOS-style clients.
conn ios_ikev2
keyexchange=ikev2
# Strict proposal lists ('!'). NOTE(review): 3des-sha1 is a legacy entry;
# remove it unless a client genuinely needs it.
ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
esp=aes256-sha256,3des-sha1,aes256-sha1!
# The server does not initiate rekeying; the client does.
rekey=no
left=%defaultroute
leftid=192.168.0.61
leftsendcert=always
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
# NOTE(review): this pool is not covered by the MASQUERADE/FORWARD rules in
# the iptables section (only 10.10.0.0/24 is), so these clients get no
# internet access unless those rules are extended.
rightsourceip=10.31.4.0/24
# No certificate is requested from clients; EAP is their only authentication.
rightsendcert=never
eap_identity=%any
# Close the SA when dead-peer detection finds the client gone.
dpdaction=clear
fragmentation=yes
auto=add
# IKEv2 with EAP-MSCHAPv2 for Windows clients.
conn windows7
keyexchange=ikev2
# NOTE(review): MODP-1024 is a weak DH group, presumably kept for Windows 7's
# default proposal; prefer modp2048 where the client can be configured for it.
ike=aes256-sha1-modp1024!
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
# NOTE(review): same NAT/FORWARD gap as the 10.31.4.0/24 pool above.
rightsourceip=10.31.5.0/24
rightsendcert=never
eap_identity=%any
auto=add
配置iptables和内核参数
内核参数配置
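# Kernel settings for forwarding VPN client traffic, persisted in
# /etc/sysctl.conf: enable IPv4 forwarding and ignore/stop ICMP redirects.
# The original appended the lines unconditionally (duplicate keys on every
# re-run) and never applied them; the exact-line check keeps the file
# idempotent and `sysctl -p` loads the file into the running kernel —
# editing the file alone changes nothing until reboot.
sysctl_conf=/etc/sysctl.conf
for setting in \
  'net.ipv4.ip_forward = 1' \
  'net.ipv4.conf.all.accept_redirects = 0' \
  'net.ipv4.conf.all.send_redirects = 0'; do
  # -x -F: the whole line must match literally; only then skip appending.
  grep -qxF -- "${setting}" "${sysctl_conf}" \
    || printf '%s\n' "${setting}" >> "${sysctl_conf}"
done
sysctl -p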
iptables配置
说明: 10.10.0.0 根据 /etc/xl2tpd/xl2tpd.conf 文件设置的IP进行修改；eth0 根据具体的服务器网卡名进行修改
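# Firewall: open the VPN ports and NAT client traffic out of the WAN interface.
# Changes from the original:
# - UDP/1701 was accepted from anywhere, so xl2tpd would also take plain,
#   unencrypted L2TP; the policy match limits it to IPsec-protected packets.
# - The UDP/1723 rule is dropped: nothing on this page uses it (PPTP, which the
#   port belongs to, runs over TCP/1723 plus GRE and is not configured here).
# - An unconditional MASQUERADE rule preceded the '--pol none' one, so the
#   second never matched; only the '--pol none' form is kept, which avoids
#   NATing packets that will still be IPsec-encapsulated on the way out.
# - The IKEv2 pools from ipsec.conf (10.31.4.0/24, 10.31.5.0/24) had no NAT or
#   FORWARD rules at all and are added here.
# Rules are not persisted by this snippet; save them with the distribution's
# iptables save mechanism after testing.
wan_if=eth0
vpn_pools=(10.10.0.0/24 10.31.4.0/24 10.31.5.0/24)

# HTTP for the certificate download. It is plain text: the Basic-auth
# password and the .p12 (which carries the client's private key) cross the
# network unencrypted unless the httpd section is moved to TLS.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# IKE and NAT-T.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# L2TP only when it arrives inside an IPsec SA.
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT

for pool in "${vpn_pools[@]}"; do
  iptables -A FORWARD -s "${pool}" -j ACCEPT
  # Return traffic to the clients (matters when the FORWARD policy is DROP).
  iptables -A FORWARD -d "${pool}" -j ACCEPT
  iptables -t nat -A POSTROUTING -s "${pool}" -o "${wan_if}" \
    -m policy --dir out --pol none -j MASQUERADE
done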
配置证书下载
拷贝证书
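# Publish the CA certificate for download. The .cer copy is the same file under
# the extension the certificate section says mobile clients expect.
# mkdir -p so a re-run does not fail on the existing directory.
web_key_dir=/var/www/html/key
mkdir -p "${web_key_dir}"
cp -p ca.cert.pem "${web_key_dir}/ca.cert.cer"
cp -p ca.cert.pem "${web_key_dir}/"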
cp -p client.cert.p12 /var/www/html/key/
添加apache配置段
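# Create the HTTP Basic-auth account for the download directory.
# The original passed the password on the command line (-b), which exposes it
# to every local user via ps and to the shell history; without -b, htpasswd
# prompts for it. "test"/"123456" are placeholders — the same pair is reused
# as the CHAP secret earlier on this page; use distinct, strong values.
# -c (re)creates the file and wipes existing users; drop it when adding more.
htpasswd -c /etc/httpd/htpasdb test
# Append the following to the end of the Apache configuration file
# /etc/httpd/conf/httpd.conf: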
# NOTE(review): <directory /> matches the whole filesystem, so "options indexes"
# (directory listings) and the auth requirement apply to every path Apache can
# serve; scope this block to /var/www/html/key instead. The iptables section
# only opens port 80 and no TLS setup is shown, so the Basic-auth password and
# the .p12 (which holds the client private key) travel in clear text — serve
# this over TLS or distribute the file out of band, and remove it from the
# web root once downloaded.
<directory />
options indexes
AuthType Basic
AuthName "!!!"
AuthBasicProvider file
AuthUserFile /etc/httpd/htpasdb
Require user test
</directory>
启动httpd服务
# Restart Apache so the appended <Directory> block and the new htpasswd file
# take effect.
# NOTE(review): this page never shows xl2tpd or the IKE daemon (ipsec start)
# being started or enabled at boot; confirm both are running before testing.
service_name=httpd
service "${service_name}" restart
测试
省略…