安装Installing StrongSwan

Ubuntu 18.04 安装ipsec strongswan

本文参考:https://kifarunix.com/how-to-configure-ipsec-vpn-using-strongswan-on-ubuntu-18-04/

本文操作的vps是美国的buyvm.net购买的,特点就是不限带宽,不限流量,要干啥你可以猜到,购买链接

Ubuntu 18.04 安装ipsec strongswan
不限流量的美国vps推荐

如果是ubuntu22.04,参考文章:
https://moneyslow.com/2023%e5%b9%b4%e9%85%8d%e7%bd%aestrongswan-on-ubuntu-22-04.html
安装软件:
apt install strongswan libcharon-extra-plugins
下面是手工生成证书:

apt install strongswan-pki
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-ca.key.pem
ipsec pki --self --in vpn-ca.key.pem --type rsa --dn "CN=VPN Server root CA" --ca --lifetime 3650 --outform pem > vpn-ca.cert.pem
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-server.key.pem
ipsec pki --pub --in vpn-server.key.pem --type rsa \ |
ipsec pki --issue --lifetime 2750 \
--cacert vpn-ca.cert.pem \
--cakey vpn-ca.key.pem \
--dn "CN=vpnsvr.example.com" \
--san="vpnsvr.example.com" \
--flag serverAuth --flag ikeIntermediate --outform pem > vpn-server.cert.pem

以上不建议,建议自己签个正规的https证书即可。
部署证书位置:

/etc/ipsec.d/cacerts/Digicert-OV-DV-root.cer
/etc/ipsec.d/private/moneyslow.com.key
/etc/ipsec.d/certs/moneyslow.com.pem

配置文件:

cp /etc/ipsec.conf /etc/ipsec.conf.bak
root@VM-0-14-ubuntu:/etc# cat ipsec.conf
config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
        strictcrlpolicy=no
        uniqueids=yes
        cachecrls=no
conn ipsec-ikev2-vpn
      auto=add
      compress=no
      type=tunnel  # defines the type of connection, tunnel.
      keyexchange=ikev2
      fragmentation=yes
      forceencaps=yes
      dpdaction=clear
      dpddelay=300s
      rekey=no
      left=%any
      leftid=@moneyslow.com    # if using IP, define it without the @ sign
      leftcert=/etc/ipsec.d/certs/moneyslow.com.pem  # reads the VPN server cert in /etc/ipsec.d/certs
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      right=%any
      rightid=%any
      rightauth=eap-mschapv2
      rightsourceip=10.10.10.0/24  # IP address Pool to be assigned to the clients
      rightdns=8.8.8.8  # DNS to be assigned to clients
      rightsendcert=never
      eap_identity=%identity  # defines the identity the client uses to reply to an EAP Identity request.

配置密码:

/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
  
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA /etc/ipsec.d/private/moneyslow.com.key   # VPN server key generated above
# <user id> : EAP <secret>
vpnsecure : EAP "P@sSw0Rd"   # Random

其中vpnsecure是用户名,P@sSw0Rd 是密码,/etc/ipsec.d/private/moneyslow.com.key 是证书私钥
重启服务:
systemctl restart strongswan

查看ipsec证书信息
root@VM-0-14-ubuntu:~# ipsec listcerts

List of X.509 End Entity Certificates

  subject:  "CN=moneyslow"
  issuer:   "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G1"
  validity:  not before May 18 08:00:00 2023, ok
             not after  May 19 07:59:59 2024, ok (expires in 81 days)
  serial:    0c:3b:85:4a:2f:a5:af:ab:16:e2:07:4b:2a:9f:3f:64
  altNames:  moneyslow.com
  flags:     serverAuth clientAuth 
  OCSP URIs: http://ocsp.digicert.com
  certificatePolicies:
             2.23.140.1.2.1
             CPS: http://www.digicert.com/CPS
  authkeyId: 55:74:4f:b2:72:4f:f5:60:ba:50:d2:d7:e6:51:5c:9a:01:87:1a:d1
  subjkeyId: a7:88:bb:87:a1:2a:79:d9:53:93:34:69:8c:27:cf:f9:6d:5b:9f:3
  pubkey:    RSA 2048 bits, has private key
  keyid:     8f:e7:5b:80:68:ce:90:07:56:c9:b2:36:39:f8:d7:0a:30:7e:bd:8f
  subjkey:   a7:88:bb:87:a1:2a:79:d9:53:93:24:39:8c:27:cf:f9:6d:5b:9f:34

UFW 防火墙开启短裤:
ufw allow 500,4500/udp

查看默认路由:
root@VM-0-14-ubuntu:~# ip route show default
default via 172.21.0.1 dev eth0 proto static

配置vpn网段的路由:/etc/ufw/before.rules ,下面粗体部分是新加的(由于加了tinc0,所以走tinc0接口):

...
# Don't delete these required lines, otherwise there will be errors
*nat
-A POSTROUTING -s 10.10.10.0/24 -o tinc0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o tinc0 -j MASQUERADE
COMMIT
*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT

执行命令,ufw生效:
ufw disable && ufw enable

配置内核ip转发参数:/etc/ufw/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net/ipv4/ip_forward=1
...
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
...
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects = 0
...
Disble Path MTU discovery to prevent packet fragmentation by adding the line below
net/ipv4/ip_no_pmtu_disc=1

重启服务:
systemctl restart strongswan
systemctl enable strongswan
检查服务状态:

root@VM-0-14-ubuntu:~# systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2024-02-27 10:14:23 CST; 23min ago
 Main PID: 7896 (starter)
    Tasks: 18 (limit: 2311)
   CGroup: /system.slice/strongswan.service
           ├─7896 /usr/lib/ipsec/starter --daemon charon --nofork
           └─7933 /usr/lib/ipsec/charon --debug-ike 2 --debug-knl 2 --debug-cfg 2 --debug-net 2 --debug-esp 2 -

Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[MGR] IKE_SA ipsec-ikev2-vpn[3] successfully checked out
Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[MGR] checkin IKE_SA ipsec-ikev2-vpn[3]
Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[MGR] checkin of IKE_SA successful
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[MGR] checkout IKEv2 SA with SPIs eb831f0764452cc2_i 1e61304fe13
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[MGR] IKE_SA ipsec-ikev2-vpn[3] successfully checked out
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[MGR] checkin IKE_SA ipsec-ikev2-vpn[3]
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[MGR] checkin of IKE_SA successful
lines 1-19/19 (END)

ipsec命令的状态显示:

root@VM-0-14-ubuntu:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-212-generic, x86_64):
  uptime: 24 minutes, since Feb 27 10:14:23 2024
  malloc: sbrk 3268608, mmap 532480, used 1475168, free 1793440
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  172.21.0.14
  172.21.0.16
  192.168.0.1
Connections:
ipsec-ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
ipsec-ikev2-vpn:   local:  [moneyslow.com] uses public key authentication
ipsec-ikev2-vpn:    cert:  "CN=moneyslow.com"
ipsec-ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ipsec-ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn[3]: ESTABLISHED 6 minutes ago, 172.21.0.14[moneyslow.com]...123.123.123.123[172.10.0.4]
ipsec-ikev2-vpn[3]: Remote EAP identity: fox
ipsec-ikev2-vpn[3]: IKEv2 SPIs: eb831f0764452cc2_i 1e61304fe13a7b48_r*, rekeying disabled
ipsec-ikev2-vpn[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
ipsec-ikev2-vpn{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbbedc17_i 0b63ac5e_o
ipsec-ikev2-vpn{3}:  AES_CBC_256/HMAC_SHA2_256_128, 89247 bytes_i (689 pkts, 4s ago), 173064 bytes_o (462 pkts, 4s ago), rekeying disabled
ipsec-ikev2-vpn{3}:   0.0.0.0/0 === 10.10.10.1/32
root@VM-0-14-ubuntu:~# 

从mac或者iphone就可以连上来了,参考文章:
https://moneyslow.com/%e8%87%aa%e5%bb%ba%e6%9c%8d%e5%8a%a1%e5%99%a8strongswanikev2iphone%e5%92%8cmac%e9%83%bd%e5%8f%af%e7%94%a8.html

京ICP备11047313号-21