This setup connects two Linux hosts over the IKE protocol (IKEv2 with strongSwan).
Environment:
Client (CentOS 7) -- Server (CentOS 7). Assume the server's IP address is 1.2.3.4.
I. Server-side installation and configuration
1. Installation preparation
```
yum install epel-release
yum install openssl-devel
```
2. Install strongSwan
```
yum install strongswan
service strongswan start
```
Note: do not install strongswan-libipsec on the server, otherwise the client will not be able to connect.
3. Configure certificates
vi /root/zhengshu.sh
```
#!/bin/sh
# CA key and self-signed CA certificate (valid for 10 years)
strongswan pki --gen --outform pem > ca.key.pem
strongswan pki --self --in ca.key.pem --dn "C=CN, O=ITnmg, CN=strongSwan CA" --ca --lifetime 3650 --outform pem > ca.cert.pem
# Server key and certificate; CN and SAN must match the address clients connect to
strongswan pki --gen --outform pem > server.key.pem
strongswan pki --pub --in server.key.pem --outform pem > server.pub.pem
strongswan pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in server.pub.pem --dn "C=CN, O=huayu, CN=1.2.3.4" --san="1.2.3.4" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
# Client key and certificate, plus a PKCS#12 bundle for clients that need one
strongswan pki --gen --outform pem > client.key.pem
strongswan pki --pub --in client.key.pem --outform pem > client.pub.pem
strongswan pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in client.pub.pem --dn "C=CN, O=huayu, CN=1.2.3.4" --outform pem > client.cert.pem
openssl pkcs12 -export -inkey client.key.pem -in client.cert.pem -name "strongSwan Client Cert" -certfile ca.cert.pem -caname "strongSwan CA" -out client.cert.p12
# Install the files where strongSwan looks for them. The CA private key is only
# needed when issuing certificates; the IKE daemon does not use it, so keeping it
# off the VPN server is the safer choice.
cp -r ca.key.pem /etc/strongswan/ipsec.d/private/
cp -r ca.cert.pem /etc/strongswan/ipsec.d/cacerts/
cp -r server.cert.pem /etc/strongswan/ipsec.d/certs/
cp -r server.key.pem /etc/strongswan/ipsec.d/private/
cp -r client.cert.pem /etc/strongswan/ipsec.d/certs/
cp -r client.key.pem /etc/strongswan/ipsec.d/private/
echo "ok"
```
```
chmod +x /root/zhengshu.sh
/root/zhengshu.sh
```
When prompted for the export password, just press Enter.
4. Edit the strongSwan configuration file
```
vi /etc/strongswan/ipsec.conf
```
Contents:
```
config setup
    uniqueids=never    # allow multiple clients to use the same certificate

# for Linux clients
conn ipke2vpn
    keyexchange=ikev2
    # modp1024, SHA-1 and 3DES are legacy algorithms; prefer stronger proposals when both ends support them
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    leftid="2.2.2.2"    # identity the server presents; the client's rightid must match it
    right=%any
    rightsourceip=10.0.0.0/24
    authby=secret
    rightsendcert=never
    eap_identity=%any
    auto=add
```
Set the pre-shared key
```
vi /etc/strongswan/ipsec.secrets
```
Add the following line:
```
www.beijinghuayu.com.cn : PSK fastvpn123
```
II. Linux client installation and configuration
1. Installation preparation
```
yum install epel-release
yum install openssl-devel
yum install strongswan-libipsec
```
2. Install strongSwan
```
yum install strongswan
service strongswan start
```
3. Copy the CA certificate ca.cert.pem generated on the VPN server to /etc/pki/ca-trust/source/anchors on the client, then run on the client:
```
/bin/update-ca-trust
```
4. Make the client's /etc/strongswan/ipsec.secrets identical to the corresponding file on the server.
```
vi /etc/strongswan/ipsec.secrets
```
Contents:
```
www.beijinghuayu.com.cn : PSK fastvpn123
```
5. Edit the client strongSwan configuration file
```
vi /etc/strongswan/ipsec.conf
```
```
config setup
    uniqueids=never

conn centos
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    left=%any
    leftid=zhuchunmao        # any identity
    leftsourceip=%any        # request a virtual IP from the server's rightsourceip pool
    authby=secret
    right=2.2.2.2            # the server's address (1.2.3.4 in the environment assumed above)
    rightid=2.2.2.2          # must match the server's leftid
    rightsubnet=0.0.0.0/0    # which network behind the server to reach
    type=tunnel
    auto=add
```
6. Connect to the VPN server
Server side:
```
service strongswan start
```
Client side:
```
strongswan start
strongswan up centos
```
7. Verify the connection status
On the client, check with the ifconfig command:
```
[root@KvmServer ~]# ifconfig
ipsec0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1400
        inet 10.0.0.1  netmask 255.255.255.255  destination 10.0.0.1
        inet6 fe80::9294:d172:36e2:d7d4  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 4808  bytes 6188956 (5.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4822  bytes 349627 (341.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
```
[root@KvmServer ~]# strongswan status
Security Associations (1 up, 0 connecting):
      centos[2]: ESTABLISHED 16 minutes ago, 192.168.0.20[jack]...1.2.3.4[1.2.3.4]
      centos{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: e2e1dc71_i c2dc4e7e_o
      centos{2}:   10.0.0.1/32 === 0.0.0.0/0
```
8. Unable to reach the LAN after connecting to the VPN
After a Linux host connects to the IKEv2 VPN server it can no longer reach other machines on its local LAN, because the routing table that the IKEv2 VPN adds automatically (table id and rule priority are both 220) takes precedence over the system's default (main) routing table.
```
[root@iZ25w2u145vZ ~]# ip route show table 220
1.2.3.4 via <client gateway address> dev eth1 proto static src <client IP address>
default dev ipsec0 proto static src 10.0.0.1
```
Solution:
```
ip rule add from 192.168.0.0/24 table main prio 1
ip rule add from 100.101.100.0/24 table main prio 1
```
Here 192.168.0.0/24 and 100.101.100.0/24 are the subnets of the Linux VPN client's physical interfaces; they can be looked up with the ip route command.
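As an added example (not from the original post), the following script derives these ip rule lines from the client's own ip route output instead of typing the subnets in by hand; it assumes the tunnel interface is named ipsec0 as above, and the route lines embedded in it are a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: derive the "ip rule" lines of
# step 8 from "ip route show" instead of typing the subnets by hand.
# Assumptions: the tunnel interface is ipsec0 (as in the post) and connected
# subnets appear as "<net>/<len> dev <if> ..." lines, as on CentOS 7.

# Constructed sample of "ip route show" on the client: the post's
# 192.168.0.0/24 and 100.101.100.0/24 LANs plus the tunnel's host route.
SAMPLE_ROUTES='default via 192.168.0.1 dev eth0 proto static metric 100
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20 metric 100
100.101.100.0/24 dev eth1 proto kernel scope link src 100.101.100.5
10.0.0.1 dev ipsec0 proto kernel scope link src 10.0.0.1'

# lan_subnets: read route lines on stdin and print the prefix of every
# directly connected subnet, skipping the default route, host routes
# (no /len) and anything on the tunnel interface itself.
lan_subnets() {
    awk '$1 ~ /\/[0-9]+$/ && $2 == "dev" && $3 != "ipsec0" { print $1 }'
}

# rule_commands: turn those subnets into the post's "ip rule" lines, so
# traffic sourced from a LAN address keeps using the main table (prio 1
# beats the VPN rule at prio 220 without touching table 220 itself).
rule_commands() {
    lan_subnets | while read -r net; do
        printf 'ip rule add from %s table main prio 1\n' "$net"
    done
}

# apply_rules: live version; "ip rule show" prints "from <net> lookup main"
# for an existing rule, so re-running the script does not duplicate entries.
apply_rules() {
    ip route show | lan_subnets | while read -r net; do
        ip rule show | grep -q "from $net lookup main" ||
            ip rule add from "$net" table main prio 1
    done
}

# Without --apply, only show what would be added for the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    printf '%s\n' "$SAMPLE_ROUTES" | rule_commands
fi
```

Run it with --apply as root on the client to add the rules for the real interfaces.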
9. Sharing the VPN from the client with other users
```
sysctl -w net.ipv4.ip_forward=1
# 10.0.0.1 is the virtual VPN address the client was assigned by the server
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.1
```
Other machines then only need to set their gateway to the VPN client's address to reach the Internet through the VPN.
10. If the VPN is used as a relay, the following command can be used
```
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ipsec0 -j MASQUERADE
```
Note: after the VPN disconnects, this NAT rule must be deleted first, otherwise it will not be possible to reconnect.
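The following script is an added example, not part of the original post: it parses the strongswan status output from step 7 to decide whether the centos tunnel is really up and, using that check, removes the MASQUERADE rule above only when the tunnel is down. It assumes the connection name centos and the 10.0.0.0/24 pool from this post; the status text embedded in it is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: parse "strongswan status" (step 7)
# to tell whether the tunnel is really up and, when it is down, remove the
# MASQUERADE rule from step 10 so that reconnecting works. Assumes the post's
# connection name "centos" and its 10.0.0.0/24 virtual IP pool.
CONN=centos
NAT_RULE="POSTROUTING -s 10.0.0.0/24 -o ipsec0 -j MASQUERADE"

# Constructed samples of "strongswan status" (same layout as in the post).
SAMPLE_UP='Security Associations (1 up, 0 connecting):
      centos[2]: ESTABLISHED 16 minutes ago, 192.168.0.20[jack]...1.2.3.4[1.2.3.4]
      centos{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: e2e1dc71_i c2dc4e7e_o
      centos{2}:   10.0.0.1/32 === 0.0.0.0/0'
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):
  none'

# tunnel_state: read status text on stdin; print "up" only when the IKE SA of
# $1 ("conn[n]:" line) is ESTABLISHED and its CHILD SA ("conn{n}:" line) is
# INSTALLED, otherwise "down".
tunnel_state() {
    awk -v conn="$1" '
        index($1, conn "[") == 1 && $2 == "ESTABLISHED" { ike = 1 }
        index($1, conn "{") == 1 && $2 == "INSTALLED,"  { child = 1 }
        END { if (ike && child) print "up"; else print "down" }'
}

# tunnel_vip: print the virtual IP of $1 (left side of the "10.0.0.1/32 ===
# 0.0.0.0/0" traffic-selector line), or nothing if no CHILD SA is installed.
tunnel_vip() {
    awk -v conn="$1" 'index($1, conn "{") == 1 && $3 == "===" {
        sub(/\/32$/, "", $2); print $2; exit }'
}

# cleanup_if_down: live check. "iptables -C" succeeds only if the rule exists,
# so the delete runs once and only for a down tunnel. $NAT_RULE is left
# unquoted on purpose so it expands into separate iptables arguments.
cleanup_if_down() {
    state=$(strongswan status | tunnel_state "$CONN")
    if [ "$state" = down ] && iptables -t nat -C $NAT_RULE 2>/dev/null; then
        iptables -t nat -D $NAT_RULE
        echo "tunnel $CONN down: removed NAT rule"
    else
        echo "tunnel $CONN $state"
    fi
}

# Without --live, only show the result for the constructed sample.
if [ "${1:-}" = "--live" ]; then cleanup_if_down
else printf '%s\n' "$SAMPLE_UP" | tunnel_state "$CONN"; fi
```

Run it with --live as root (for example from cron) to perform the real check and cleanup.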
References
https://oogami.name/1467/
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2ClientConfig