32.4. IKEv2 VPN Server

32.4. IKEv2 VPN Server
上一页	第 32 章 VPN (Virtual Private Network)	下一页

32.4.1. OpenVPN Ikev2

		
[root@development ~]# dnf install openvpn
[root@development ~]# dnf install easy-rsa

服务器端

						
[root@development ~]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/vars			
[root@development ~]# cd /etc/openvpn/
[root@development openvpn]# 
[root@development openvpn]# /usr/share/easy-rsa/3/easyrsa init-pki   				#建立一个空的pki结构，生成一系列的文件和目录
[root@development openvpn]# /usr/share/easy-rsa/3/easyrsa build-ca nopass			#创建ca  密码 和 cn那么需要记住
[root@development openvpn]# /usr/share/easy-rsa/3/easyrsa gen-req server nopass  	#创建服务端证书  common name 最好不要跟前面的cn那么一样
[root@development openvpn]# /usr/share/easy-rsa/3/easyrsa sign server server   	#签约服务端证书
[root@development openvpn]# /usr/share/easy-rsa/3/easyrsa gen-dh  				#创建Diffie-Hellman			

[root@development ~]# mv pki /etc/openvpn/

服务端所需要的证书文件

			
[root@development openvpn]# ls -1 pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem 
pki/ca.crt
pki/dh.pem
pki/issued/server.crt
pki/private/server.key

			
[root@development openvpn]# openvpn --genkey secret server/ta.key

			
# IKEv2 server configuration

config setup
    keydir = /etc/openvpn/pki

server 10.8.0.0 255.255.255.0
        dev tun
        proto udp
        port 1194
        ca ca.crt
        cert issued/server.crt
        key private/server.key
        dh dh.pem
        keepalive 10 120
        tls-auth server/ta.key 0
        server config
                push "redirect-gateway def1 bypass-dhcp"
                push "dhcp-option DNS 8.8.8.8"
                push "dhcp-option DNS 8.8.4.4"
        ifconfig-pool-persist ipp.txt
        client config
                max-clients 100
                status openvpn-status.log
                log /var/log/openvpn.log
        tls-server
        auth-user-pass-file clients.db

			
[root@development ~]# ls /etc/openvpn/server/ikev2.conf 
/etc/openvpn/server/ikev2.conf

[root@development ~]# systemctl start openvpn-server@ikev2

客户端

			
[root@development openvpn]# /usr/share/easy-rsa/3/easyrsa gen-req neo nopass
[root@development openvpn]# /usr/share/easy-rsa/3/easyrsa sign client neo

客户端所需要的证书文件

			
[root@development openvpn]# ls -1 pki/ca.crt pki/issued/neo.crt pki/private/neo.key 
pki/ca.crt
pki/issued/neo.crt
pki/private/neo.key

32.4.2. IKEv2 VPN Server on Docker

https://github.com/gaomd/docker-ikev2-vpn-server

启动 VPN Server

		
docker run --privileged -d --name ikev2-vpn-server --restart=always -p 500:500/udp -p 4500:4500/udp gaomd/ikev2-vpn-server:0.3.0

复制配置文件，并将配置文件 ikev2-vpn.mobileconfig 发送给客户端

		
docker run --privileged -i -t --rm --volumes-from ikev2-vpn-server -e "HOST=vpn1.example.com" gaomd/ikev2-vpn-server:0.3.0 generate-mobileconfig > ikev2-vpn.mobileconfig

docker run --privileged -i -t --rm --volumes-from ikev2-vpn-server -e "HOST=8.219.81.14" gaomd/ikev2-vpn-server:0.3.0 generate-mobileconfig > ikev2-vpn.mobileconfig

32.4.3. strongswan - IPSec utilities for strongSwan

Windows 10 + IKEv2 VPN

http://www.strongswan.org/

	
User -> Windows 10 Desktop -> Inside Greatwall -> VPN Server(Hongkong/Other) -> Outside Greatwall

首先在海外部署一台服务器，将服务器配置成为VPN服务器，然后桌面用户通过该服务器，你懂的......

由于pptp,l2tp,openvpn 先后被墙，所以我选择了IKEv2。

安装 strongswan VPN 服务器

CentOS 7 环境

yum install -y strongswane

yum install -y haveged
systemctl enable haveged
systemctl start haveged

cd /etc/strongswan

创建自签名CA根证书

# 私钥证书
strongswan pki --gen --type rsa --size 4096 --outform der > ipsec.d/private/CARootKey.der
chmod 600 ipsec.d/private/CARootKey.der

# 公钥证书
strongswan pki --self --ca --lifetime 3650 --in ipsec.d/private/CARootKey.der --type rsa --dn "C=NL, O=Example Company, CN=StrongSwan Root CA" --outform der > ipsec.d/cacerts/CARootCert.der
strongswan  pki --print --in ipsec.d/cacerts/CARootCert.der

颁发服务器证书

# 私钥证书
strongswan pki --gen --type rsa --size 2048 --outform der > ipsec.d/private/ServerKey.der
chmod 600 ipsec.d/private/ServerKey.der

# 公钥证书
strongswan pki --pub --in ipsec.d/private/ServerKey.der --type rsa | strongswan pki --issue --lifetime 730 --cacert ipsec.d/cacerts/CARootCert.der --cakey ipsec.d/private/CARootKey.der --dn "C=NL, O=Example Company, CN=vpn.example.org" --san vpn.example.com --san vpn.example.net --san 147.90.44.87  --san @147.90.44.87 --flag serverAuth --flag ikeIntermediate --outform der > ipsec.d/certs/ServerCert.der
strongswan pki --print --in ipsec.d/certs/ServerCert.der

颁发客户端用户证书

# 私钥证书
cd /etc/strongswan/
strongswan pki --gen --type rsa --size 2048 --outform der > ipsec.d/private/ClientKey.der
chmod 600 ipsec.d/private/ClientKey.der

# 公钥证书
strongswan pki --pub --in ipsec.d/private/ClientKey.der --type rsa | strongswan pki --issue --lifetime 730 --cacert ipsec.d/cacerts/CARootCert.der --cakey ipsec.d/private/CARootKey.der --dn "C=NL, O=Example Company, CN=netkiller@msn.com" --san "netkiller@msn.com" --san "neo.chan@live.com" --outform der > ipsec.d/certs/ClientCert.der

# 证书转换，转过过程是 der -> pem -> p12 
openssl rsa -inform DER -in ipsec.d/private/ClientKey.der -out ipsec.d/private/ClientKey.pem -outform PEM
openssl x509 -inform DER -in ipsec.d/certs/ClientCert.der -out ipsec.d/certs/ClientCert.pem -outform PEM
openssl x509 -inform DER -in ipsec.d/cacerts/CARootCert.der -out ipsec.d/cacerts/CARootCert.pem -outform PEM

# 请为证书设置一个密码
openssl pkcs12 -export  -inkey ipsec.d/private/ClientKey.pem -in ipsec.d/certs/ClientCert.pem -name "Client's VPN Certificate"  -certfile ipsec.d/cacerts/CARootCert.pem -caname "strongSwan Root CA" -out Client.p12				
		</screen>
		<para>p12中包含了CA证书，客户端私钥证书，客户端公钥证书。Client.p12 发送给最终用户即可</para>
		<tip>
		<para>如果你安装过 OpenVPN 那么会很好理解，上述的几个步骤等同于：</para>
		<screen><![CDATA[	
build-ca 				= CARootKey/CARootCert
build-key-server server = ServerKey/ServerCert
build-key client1		= Client.p12

防火墙配置

开启转发

		
cat > /etc/sysctl.d/vpn.conf <<EOF
# VPN
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF

sysctl -p /etc/sysctl.d/vpn.conf

开放500，4500两个端口，注意是UDP协议，允许esp,ah协议通过，最后IP伪装

# for ISAKMP (handling of security associations)
iptables -A INPUT -p udp --dport 500 --j ACCEPT

# for NAT-T (handling of IPsec between natted devices)
iptables -A INPUT -p udp --dport 4500 --j ACCEPT

# for ESP payload (the encrypted data packets)
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT

# for the routing of packets on the server
iptables -I POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

xxx.xxx.xxx.xxx 改为你的出口IP，也就是 eth1的IP地址。

启动 strongswan 服务

如果你使用 CentOS 7 firewalld 请用下面命令

		
firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="esp" accept' # ESP (the encrypted data packets)
firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="ah" accept' # AH (authenticated headers)
firewall-cmd --zone=dmz --permanent --add-port=500/udp #IKE  (security associations)
firewall-cmd --zone=dmz --permanent --add-port=4500/udp # IKE NAT Traversal (IPsec between natted devices)
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=dmz --permanent --add-masquerade
firewall-cmd --permanent --set-default-zone=dmz
firewall-cmd --reload
firewall-cmd --list-all

配置 IPSEC

下面配置 IPSEC 复制粘贴即可

		
cp /etc/strongswan/ipsec.conf{,.original}
cat > /etc/strongswan/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=ServerCert.der
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.0.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightauthby2=pubkey
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    forceencaps=yes
    authby=xauthrsasig
    xauth=server
    auto=add
EOF

配置 VPN 账号与密码

		
# VPN user accounts and secrets
cat > /etc/strongswan/ipsec.secrets <<EOF
: RSA ServerKey.der

neo : EAP "hWAS5IJWD8NxlQvVFaUVAKid6IFJ6uNO" 
jam : EAP "1cNEwkfsaN6GzcmWYLedUvJXSpb16UPH" 
EOF

启动 strongswan

systemctl enable strongswan
systemctl start strongswan

Windows 10 VPN 客户端配置

导入客户端p12证书，直接双击Client.p12文件即可

选择“本地计算机”

下一步

输入证书密码，下一步

下一步

点击“完成”按钮

证书导入成功

接下来配置 Windows 10 VPN 链接

任务条最右测系统托盘区，点击网络图标，再点击“网络设置”

点击“VPN”，然后点击“添加 VPN 链接”

填写信息并保存

点击“更改适配器选项”

找到VPN网络适配器，鼠标右键点击，选择“属性”

切换到“网络”选项卡，选中“IPv4”后点击“属性按钮”

点击“高级”按钮

勾选“在远程网络上使用默认网关”，然后点击“确定”按钮

回到网络设置界面，点击VPN图标，再点击链接

现在查看你的IP地址，正确应该是经过VPN Server 访问互联网。

FAQ

查看证书信息

strongswan  pki --print --in ipsec.d/cacerts/CARootCert.der
strongswan pki --print --in ipsec.d/certs/ServerCert.der

或使用openssl查看

openssl x509 -inform DER -in ipsec.d/certs/ServerCert.der -noout -text

上一页	上一级	下一页
32.3. l2tpd - dummy package for l2tpd to xl2tpd transition	起始页	32.5. openswan - IPSEC utilities for Openswan