本文参考:https://kifarunix.com/how-to-configure-ipsec-vpn-using-strongswan-on-ubuntu-18-04/
本文操作的vps是美国的buyvm.net购买的,特点就是不限带宽,不限流量,要干啥你可以猜到,购买链接。
如果是ubuntu22.04,参考文章:
https://moneyslow.com/2023%e5%b9%b4%e9%85%8d%e7%bd%aestrongswan-on-ubuntu-22-04.html
安装软件:
apt install strongswan libcharon-extra-plugins
下面是手工生成证书:
apt install strongswan-pki
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-ca.key.pem
ipsec pki --self --in vpn-ca.key.pem --type rsa --dn "CN=VPN Server root CA" --ca --lifetime 3650 --outform pem > vpn-ca.cert.pem
ipsec pki --gen --size 4096 --type rsa --outform pem > vpn-server.key.pem
ipsec pki --pub --in vpn-server.key.pem --type rsa \ |
ipsec pki --issue --lifetime 2750 \
--cacert vpn-ca.cert.pem \
--cakey vpn-ca.key.pem \
--dn "CN=vpnsvr.example.com" \
--san="vpnsvr.example.com" \
--flag serverAuth --flag ikeIntermediate --outform pem > vpn-server.cert.pem以上不建议,建议自己签个正规的https证书即可。
部署证书位置:
/etc/ipsec.d/cacerts/Digicert-OV-DV-root.cer
/etc/ipsec.d/private/moneyslow.com.key
/etc/ipsec.d/certs/moneyslow.com.pem配置文件:
cp /etc/ipsec.conf /etc/ipsec.conf.bak
root@VM-0-14-ubuntu:/etc# cat ipsec.conf
config setup
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
strictcrlpolicy=no
uniqueids=yes
cachecrls=no
conn ipsec-ikev2-vpn
auto=add
compress=no
type=tunnel # defines the type of connection, tunnel.
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@moneyslow.com # if using IP, define it without the @ sign
leftcert=/etc/ipsec.d/certs/moneyslow.com.pem # reads the VPN server cert in /etc/ipsec.d/certs
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24 # IP address Pool to be assigned to the clients
rightdns=8.8.8.8 # DNS to be assigned to clients
rightsendcert=never
eap_identity=%identity # defines the identity the client uses to reply to an EAP Identity request.配置密码:
/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA /etc/ipsec.d/private/moneyslow.com.key # VPN server key generated above
# <user id> : EAP <secret>
vpnsecure : EAP "P@sSw0Rd" # Random其中vpnsecure是用户名,P@sSw0Rd 是密码,/etc/ipsec.d/private/moneyslow.com.key 是证书私钥
重启服务:
systemctl restart strongswan
查看ipsec证书信息
root@VM-0-14-ubuntu:~# ipsec listcerts
List of X.509 End Entity Certificates
subject: "CN=moneyslow"
issuer: "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G1"
validity: not before May 18 08:00:00 2023, ok
not after May 19 07:59:59 2024, ok (expires in 81 days)
serial: 0c:3b:85:4a:2f:a5:af:ab:16:e2:07:4b:2a:9f:3f:64
altNames: moneyslow.com
flags: serverAuth clientAuth
OCSP URIs: http://ocsp.digicert.com
certificatePolicies:
2.23.140.1.2.1
CPS: http://www.digicert.com/CPS
authkeyId: 55:74:4f:b2:72:4f:f5:60:ba:50:d2:d7:e6:51:5c:9a:01:87:1a:d1
subjkeyId: a7:88:bb:87:a1:2a:79:d9:53:93:34:69:8c:27:cf:f9:6d:5b:9f:3
pubkey: RSA 2048 bits, has private key
keyid: 8f:e7:5b:80:68:ce:90:07:56:c9:b2:36:39:f8:d7:0a:30:7e:bd:8f
subjkey: a7:88:bb:87:a1:2a:79:d9:53:93:24:39:8c:27:cf:f9:6d:5b:9f:34UFW 防火墙开启短裤:
ufw allow 500,4500/udp
查看默认路由:
root@VM-0-14-ubuntu:~# ip route show default
default via 172.21.0.1 dev eth0 proto static
配置vpn网段的路由:/etc/ufw/before.rules ,下面粗体部分是新加的(由于加了tinc0,所以走tinc0接口):
...
# Don't delete these required lines, otherwise there will be errors
*nat
-A POSTROUTING -s 10.10.10.0/24 -o tinc0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o tinc0 -j MASQUERADE
COMMIT
*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT执行命令,ufw生效:
ufw disable && ufw enable
配置内核ip转发参数:/etc/ufw/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net/ipv4/ip_forward=1
...
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
...
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects = 0
...
Disble Path MTU discovery to prevent packet fragmentation by adding the line below
net/ipv4/ip_no_pmtu_disc=1重启服务:
systemctl restart strongswan
systemctl enable strongswan
检查服务状态:
root@VM-0-14-ubuntu:~# systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-02-27 10:14:23 CST; 23min ago
Main PID: 7896 (starter)
Tasks: 18 (limit: 2311)
CGroup: /system.slice/strongswan.service
├─7896 /usr/lib/ipsec/starter --daemon charon --nofork
└─7933 /usr/lib/ipsec/charon --debug-ike 2 --debug-knl 2 --debug-cfg 2 --debug-net 2 --debug-esp 2 -
Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[MGR] IKE_SA ipsec-ikev2-vpn[3] successfully checked out
Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[MGR] checkin IKE_SA ipsec-ikev2-vpn[3]
Feb 27 10:37:02 VM-0-14-ubuntu charon[7933]: 12[MGR] checkin of IKE_SA successful
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[MGR] checkout IKEv2 SA with SPIs eb831f0764452cc2_i 1e61304fe13
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[MGR] IKE_SA ipsec-ikev2-vpn[3] successfully checked out
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[MGR] checkin IKE_SA ipsec-ikev2-vpn[3]
Feb 27 10:37:19 VM-0-14-ubuntu charon[7933]: 14[MGR] checkin of IKE_SA successful
lines 1-19/19 (END)ipsec命令的状态显示:
root@VM-0-14-ubuntu:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-212-generic, x86_64):
uptime: 24 minutes, since Feb 27 10:14:23 2024
malloc: sbrk 3268608, mmap 532480, used 1475168, free 1793440
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/1/0
Listening IP addresses:
172.21.0.14
172.21.0.16
192.168.0.1
Connections:
ipsec-ikev2-vpn: %any...%any IKEv2, dpddelay=300s
ipsec-ikev2-vpn: local: [moneyslow.com] uses public key authentication
ipsec-ikev2-vpn: cert: "CN=moneyslow.com"
ipsec-ikev2-vpn: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ipsec-ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn[3]: ESTABLISHED 6 minutes ago, 172.21.0.14[moneyslow.com]...123.123.123.123[172.10.0.4]
ipsec-ikev2-vpn[3]: Remote EAP identity: fox
ipsec-ikev2-vpn[3]: IKEv2 SPIs: eb831f0764452cc2_i 1e61304fe13a7b48_r*, rekeying disabled
ipsec-ikev2-vpn[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
ipsec-ikev2-vpn{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbbedc17_i 0b63ac5e_o
ipsec-ikev2-vpn{3}: AES_CBC_256/HMAC_SHA2_256_128, 89247 bytes_i (689 pkts, 4s ago), 173064 bytes_o (462 pkts, 4s ago), rekeying disabled
ipsec-ikev2-vpn{3}: 0.0.0.0/0 === 10.10.10.1/32
root@VM-0-14-ubuntu:~# 从mac或者iphone就可以连上来了,参考文章:
https://moneyslow.com/%e8%87%aa%e5%bb%ba%e6%9c%8d%e5%8a%a1%e5%99%a8strongswanikev2iphone%e5%92%8cmac%e9%83%bd%e5%8f%af%e7%94%a8.html
###################################################################
安装:
yum -y install epel-release
yum install -y strongswan
###################################################################
准备一个域名,签署证书后,放置的位置:
[root@iZj6cfyy3aoyx9juakjhtoZ ~]# find /etc/strongswan/ipsec.d
/etc/strongswan/ipsec.d/cacerts/Digicert-OV-DV-root.cer
/etc/strongswan/ipsec.d/certs/srv6.info.pem
/etc/strongswan/ipsec.d/private/srv6.info.key
###################################################################
编辑配置文件:
[root@iZj6cfyy3aoyx9juakjhtoZ strongswan]# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="ike 1, knl 1, cfg 1"
uniqueids=no
# Add connections here.
conn %default
left=%any
# Windows requires aes256-sha1-modp1024 to be placed in the 1st position
# these lines end without '!' to append default crypto suites automatically
ike=aes256-sha1-modp1024
esp=aes256-sha1
compress=no
type=tunnel
fragmentation=yes
forceencaps=yes
dpddelay=300s
dpdtimeout=30s
dpdaction=restart
forceencaps=yes
ikelifetime=4h
lifetime=2h
conn ras-winlinux
eap_identity=%identity
auto=add
rekey=no
dpdaction=clear
leftid=%any
leftcert=/etc/strongswan/ipsec.d/certs/srv6.info.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.255.255.1/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
conn ras-apple
also=ras-winlinux
leftid=srv6.info
说明:
ike, esp: 这两个参数是设置密码算法的,由于Windows的bug原因,必须把上述范例里的这两个算法放在最前面。
leftsubnet: IKEv2支持split tunnel,也就是本地流量走本地,远端流量走服务器。如果要让所有互联网流量走服务器,就要配置为0.0.0.0/0,否则配置为远端目标网段,例如192.168.100.0/24。
rightsourceip: VPN客户端动态分配的地址池。
rightdns: VPN客户端使用的DNS服务器地址,只在leftsubnet为0.0.0.0/0才有意义。
leftid: 对应苹果客户端要求设置的remote id,一般都配置为服务器的域名,也可以是任何字符串。
###################################################################
systemctl enable strongswan
systemctl start strongswan
systemctl status strongswan
查看证书是否正确装载
strongswan listcerts
显示所有连接状态。
strongswan statusall
###################################################################
配置密钥文件:
# cat /etc/strongswan/ipsec.secrets
: RSA /etc/strongswan/ipsec.d/private/srv6.info.key
fox : EAP "wodepassword"
###################################################################
配置防火墙策略实现以下目的:
允许IPSec相关流量进入;
允许转发客户端流量,并对客户端IP进行地址转换;
对TCP包设置最大包大小,避免大包碎片化造成性能下降;
###################################################################
编辑(允许转发) /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
###################################################################
防火墙命令:
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --add-service=ssh --permanent
#将“AH”和“ESP”添加到firewalld中以进行身份验证和加密协议。
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
#添加ipsec UDP端口和服务,允许IPSec流量进入
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --zone=public --permanent --add-service="ipsec"
#设置出口地址转换NAT,让远端客户端可以使用服务器IP访问相关资源。重启服务。
firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload
# 查看防火墙列表
[root@iZj6cfyy3aoyx9juakjhtoZ ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https ipsec ssh
ports: 500/udp 4500/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule protocol value="esp" accept
rule protocol value="ah" accept
将新配置的策略永久保存,下次重启时firewalld会自动装载
[root@iZj6cfyy3aoyx9juakjhtoZ ]# firewall-cmd --runtime-to-permanent
success
以下未使用:
设置TCP MSS(最大报文段长度),避免过多的碎片包影响性能。一般我们可以设置TCP大小在360字节左右,如果再考虑某些使用GRE隧道的情况,建议设置在1300字节更保险。
firewall-cmd --direct --add-passthrough ipv4 -t mangle -I FORWARD -p tcp --syn -j TCPMSS --set-mss 1300
######################################################
#没有任何连接的时候:
[root@iZj6cfyy3aoyx9juakjhtoZ strongswan]# strongswan status
Security Associations (0 up, 0 connecting):
none
#有一个连接拨号进来:
[root@iZj6cfyy3aoyx9juakjhtoZ strongswan]# strongswan status
Security Associations (1 up, 0 connecting):
ras-apple[1]: ESTABLISHED 3 seconds ago, 172.31.186.190[srv6.info]...223.104.39.5[10.77.176.213]
ras-apple{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c65a9821_i 0f468e19_o
ras-apple{1}: 0.0.0.0/0 === 10.255.255.1/32
######################################################
[root@iZj6cfyy3aoyx9juakjhtoZ strongswan]# systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-02-19 17:09:04 CST; 1min 54s ago
Main PID: 3513 (starter)
CGroup: /system.slice/strongswan.service
├─3513 /usr/libexec/strongswan/starter --daemon charon --nofork
└─3522 /usr/libexec/strongswan/charon --debug-ike 1 --debug-knl 1 --debug-cfg 1
Feb 19 17:09:04 iZj6cfyy3aoyx9juakjhtoZ systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Feb 19 17:09:04 iZj6cfyy3aoyx9juakjhtoZ ipsec_starter[3513]: Starting strongSwan 5.7.2 IPsec [starter]...
Feb 19 17:09:04 iZj6cfyy3aoyx9juakjhtoZ strongswan[3513]: Starting strongSwan 5.7.2 IPsec [starter]...
Feb 19 17:09:04 iZj6cfyy3aoyx9juakjhtoZ ipsec_starter[3513]: charon (3522) started after 40 ms
Feb 19 17:09:04 iZj6cfyy3aoyx9juakjhtoZ strongswan[3513]: charon (3522) started after 40 ms
######################################################
日志调试:
/etc/strongswan/strongswan.d/charon-logging.conf
/var/log/charon_log {
flush_line = yes
ike_name = yes
######################################################
如果替换证书要修改的地方:
/etc/strongswan/ipsec.d/certs/srv6.info.pem
/etc/strongswan/ipsec.d/private/srv6.info.key
/etc/strongswan/ipsec.conf
/etc/strongswan/ipsec.secrets