以下配置经过验证,可以直接复制粘贴,但证书路径、域名(moneyslow.com)、EAP用户名和密码都是示例,必须换成自己的。注意本例子走tinc接口,所以/etc/ufw/before.rules文件POSTROUTING部分中的出口接口是tinc0,可以自己根据需求改为eth0或eth1
Step 1 — 安装Installing StrongSwan
# Refresh the package index first, then install strongSwan, its PKI tool and the
# extra charon/libstrongswan plugin packages. The EAP-MSCHAPv2 method used in
# /etc/ipsec.conf below presumably comes from one of these plugin packages
# (the later "ipsec statusall" output lists eap-mschapv2 among the loaded plugins).
apt update
apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins
Step 2 — 准备https证书 (Preparing the Certificates):把CA根证书、服务器私钥、服务器证书分别放到下面三个路径;私钥文件只允许root读取
/etc/ipsec.d/cacerts/Digicert-OV-DV-root.cer
/etc/ipsec.d/private/moneyslow.com.key
/etc/ipsec.d/certs/moneyslow.com.pem
Step 3 — 配置 Configuring StrongSwan,只需要改 /etc/ipsec.conf 这一个文件。注意文件格式:config setup 和 conn 下面的每一行参数都必须以空格或Tab缩进对齐,不然载入报错(下面的列表是纯文本,缩进已经丢失,写入文件时要补上)。
#cat /etc/ipsec.conf
# NOTE: in the real /etc/ipsec.conf every parameter line under "config setup" and
# "conn" must start with whitespace; this listing has lost that indentation.
config setup
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" # verbose debug logging for these subsystems; consider lowering the levels once the tunnel works
strictcrlpolicy=no # a missing or stale CRL does not make certificate checks fail
uniqueids=yes
cachecrls=no
# Road-warrior connection: the server authenticates with its certificate (leftcert),
# clients authenticate with an EAP-MSCHAPv2 user name and password.
# No ike=/esp= lines are set here, so the cipher proposals are left to strongSwan's defaults.
conn ipsec-ikev2-vpn
auto=add
compress=no
type=tunnel # defines the type of connection, tunnel.
keyexchange=ikev2
fragmentation=yes
forceencaps=yes # always wrap ESP in UDP, so only UDP 500/4500 has to be opened in the firewall
dpdaction=clear
dpddelay=300s
rekey=no # rekeying is disabled (the "ipsec statusall" output further down reports "rekeying disabled")
left=%any
leftid=@moneyslow.com # if using IP, define it without the @ sign
leftcert=/etc/ipsec.d/certs/moneyslow.com.pem # reads the VPN server cert in /etc/ipsec.d/certs
leftsendcert=always
leftsubnet=0.0.0.0/0 # full tunnel for IPv4: clients may send traffic for any IPv4 destination through the server. No IPv6 subnet or pool is defined, so IPv6 is not covered by this connection
right=%any
rightid=%any # any client address and any client identity may attempt to connect; access control rests on the EAP credentials alone
rightauth=eap-mschapv2 # password login checked against /etc/ipsec.secrets; clients must validate the server certificate, otherwise the password exchange is not protected against an impersonated server
rightsourceip=10.10.10.0/24 # IP address Pool to be assigned to the clients
rightdns=8.8.8.8 # DNS to be assigned to clients (their DNS queries go to this public resolver)
rightsendcert=never
eap_identity=%identity # defines the identity the client uses to reply to an EAP Identity request.
Step 4 — 配置密码 Configuring Authentication
root@us:~# cat /etc/ipsec.secrets
# /etc/ipsec.secrets holds the EAP passwords in clear text: keep it owned by root
# and unreadable by other users (for example mode 600).
# Private key the server uses for its RSA certificate authentication.
: RSA /etc/ipsec.d/private/moneyslow.com.key
# One line per VPN user. "myname" / "mypassword" are placeholders: replace them with
# a real user name and a long random password before UDP 500/4500 is opened.
myname : EAP "mypassword"
重启服务,确认状态
root@us:~# systemctl restart strongswan-starter
root@us:~# systemctl status strongswan-starter
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-08-17 02:04:18 UTC; 9s ago
............
Step 5 — 配置防火墙和内核ip转发 Configuring the Firewall & Kernel IP Forwarding
# Allow SSH before enabling ufw, so that turning the firewall on does not cut off
# the remote session used to configure the server.
ufw allow OpenSSH
ufw enable
# IKE (UDP 500) and NAT traversal / ESP-in-UDP (UDP 4500). With forceencaps=yes in
# ipsec.conf these two UDP ports are the only inbound ports the VPN needs.
ufw allow 500,4500/udp
root@us:~# ip route show default
default via 200.200.200.1 dev eth0 proto dhcp src 200.200.200.55 metric 100
这里确认默认路由所在网卡的名称是eth0(本例的NAT规则走的是tinc0,请按自己实际的出口接口填写)
this result shows that the default-route interface is named eth0
配置防火墙规则,下面红色字体是添加的(纯文本里看不到颜色:添加的是 *nat 段、*mangle 段,以及 *filter 段里两条带 --pol ipsec 的 ufw-before-forward 规则)
root@us:~# cat /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# NAT for the VPN address pool (10.10.10.0/24, the rightsourceip pool in ipsec.conf).
# First rule: packets leaving tinc0 that match an outbound IPsec policy are accepted
# as-is, i.e. not masqueraded. Second rule: all other pool traffic leaving tinc0 is
# masqueraded behind the server's address on that interface.
# Replace tinc0 with the interface your client traffic really leaves through.
*nat
-A POSTROUTING -s 10.10.10.0/24 -o tinc0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o tinc0 -j MASQUERADE
COMMIT
# MSS clamping: TCP SYN packets that arrived through the IPsec tunnel from the pool
# with an MSS of 1361-1536 get their MSS rewritten to 1360.
# NOTE(review): this rule matches -o eth0 while the nat rules above use tinc0, so it
# only applies to traffic forwarded out of eth0 - confirm both use the intended interface.
*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# Forward ESP-protected traffic from and to the VPN pool. There is no destination or
# interface restriction on these two rules, so VPN clients can reach every network the
# server can route to (including any private or overlay network attached to it);
# add -d / -o matches here if clients should only get internet egress.
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
配置内核参数
root@us:~# cat /etc/ufw/sysctl.conf
# Turn on IPv4 forwarding so the server routes packets between VPN clients and the
# outside. Only IPv4 forwarding is enabled here; no IPv6 forwarding key is set.
net/ipv4/ip_forward=1
# Ignore ICMP redirects on all interfaces (IPv4 and IPv6), so a remote host cannot
# rewrite this gateway's routes with redirect messages.
# NOTE(review): no send_redirects key is set in this listing; confirm whether the
# gateway should also stop sending ICMP redirects.
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
# Don't log Martian Packets (impossible addresses)
# packets
# With logging off, packets with impossible source addresses leave no trace in the
# kernel log; set these to 1 if that visibility is wanted.
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0
重新载入防火墙规则生效:
# Restart ufw so the edited /etc/ufw/before.rules and /etc/ufw/sysctl.conf are read
# again. The firewall is off for the moment between the two commands, and the
# "ufw allow OpenSSH" rule must already exist or re-enabling can cut off the SSH session.
ufw disable && ufw enable
查看防火墙规则:
root@us:~# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] OpenSSH ALLOW IN Anywhere
[ 2] 500,4500/udp ALLOW IN Anywhere
[ 3] OpenSSH (v6) ALLOW IN Anywhere (v6)
[ 4] 500,4500/udp (v6) ALLOW IN Anywhere (v6)
容易忽略的点:请确保服务器的防火墙(包括云厂商安全组等ufw之外的外层防火墙)开放端口:UDP 4500,500
总之,最后确定以下3条命令的服务是正常的,基本就没问题:
root@VM-8-2-ubuntu:~# systemctl status strongswan-starter
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2024-04-05 18:56:46 CST; 3h 29min ago
root@VM-8-2-ubuntu:~# ufw status numbered
Status: active
To Action From
-- ------ ----
.........
[14] 500,4500/udp (v6) ALLOW IN Anywhere (v6) # strongswan
root@VM-8-2-ubuntu:~# iptables -nL -t nat
.......
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.10.0/24 0.0.0.0/0 policy match dir out pol ipsec
MASQUERADE all -- 10.10.10.0/24 0.0.0.0/0
下面是有客户端连上来时的状态:执行“ipsec statusall”这个命令,输出末尾“Security Associations”一段就是客户端的信息(原文用红色字体标出,纯文本中看不到颜色):
root@VM-8-2-ubuntu:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-94-generic, x86_64):
uptime: 3 hours, since Apr 05 18:56:47 2024
malloc: sbrk 3805184, mmap 0, used 2031488, free 1773696
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/1/0
Listening IP addresses:
10.0.8.2
192.168.0.1
Connections:
ipsec-ikev2-vpn: %any...%any IKEv2, dpddelay=300s
ipsec-ikev2-vpn: local: [moneyslow.com] uses public key authentication
ipsec-ikev2-vpn: cert: "CN=moneyslow.com"
ipsec-ikev2-vpn: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ipsec-ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn[13]: ESTABLISHED 15 seconds ago, 10.0.8.2[moneyslow.com]...110.25.28.150[192.168.3.38]
ipsec-ikev2-vpn[13]: Remote EAP identity: puaf
ipsec-ikev2-vpn[13]: IKEv2 SPIs: e9602a44a30a43d7_i 61711ef5c466430b_r*, rekeying disabled
ipsec-ikev2-vpn[13]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
ipsec-ikev2-vpn{7}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c86a581d_i 0d9e1e0d_o
ipsec-ikev2-vpn{7}: AES_CBC_256/HMAC_SHA2_256_128, 794 bytes_i (11 pkts, 15s ago), 1655 bytes_o (10 pkts, 14s ago), rekeying disabled
ipsec-ikev2-vpn{7}: 0.0.0.0/0 === 10.10.10.1/32
客户端的各种配置参考文章: