Setting up an IPsec/IKEv2 VPN server

  IPsec is one form of virtual private network (VPN): it sets up an encrypted tunnel between a server and its clients and carries sensitive traffic through it. Establishing the tunnel takes two phases. In phase 1 (ph1) the peers authenticate each other and agree on keys using the Internet Key Exchange protocol (IKE; the setup below uses IKEv2). In phase 2 (ph2), once the connection is up, the data itself is encrypted and integrity-protected with the Encapsulating Security Payload protocol (ESP).

Installation

  1. Install the required packages

    yum update
    yum install pam-devel openssl-devel make gcc
    
  2. Download and unpack strongSwan (the link is plain HTTP, so verify the tarball against the signature published on download.strongswan.org before building it)

    wget http://download.strongswan.org/strongswan.tar.gz
    tar xzf strongswan.tar.gz
    cd strongswan-*
    
  3. Configure the build (these are the parameters used on Xen and KVM guests)

    ./configure  --enable-eap-identity --enable-eap-md5 \
    --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap  \
    --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap  \
    --enable-xauth-pam  --enable-dhcp  --enable-openssl  --enable-addrblock --enable-unity  \
    --enable-certexpire --enable-radattr --enable-tools --disable-gmp
    
  4. Build and install (the install step must not run if the build fails, hence && rather than ;)

    make && make install
    

Certificate configuration

  1. Generate the CA private key (in each step below, the commented-out command writes PEM directly; the uncommented one writes DER and converts it to PEM afterwards; use either form consistently)

    # ipsec pki --gen --outform pem > ca.pem
    ipsec pki --gen > caKey.der
    
  2. Self-sign the CA certificate with that key

    # ipsec pki --self --in ca.pem --dn "C=com, O=wodedata, CN=VPN CA" --ca --outform pem >ca.cert.pem
    ipsec pki --self --in caKey.der --dn "C=com, O=wodedata, CN=Wodedata CA" --ca > caCert.der
    openssl x509 -inform der -in caCert.der -out caCert.pem
    
  3. Generate the server private key

    # ipsec pki --gen --outform pem > server.pem
    ipsec pki --gen > serverKey.der
    
  4. Issue the server certificate with the CA (the C= and O= values must match those of the CA in step 2; the SAN must be the host name clients connect to, and the serverAuth and ikeIntermediate flags are what Windows and Apple clients check before they trust the server)

    # ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=wodedata, CN=my.wodedata.com" --san="my.wodedata.com" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
    ipsec pki --pub --in serverKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=com, O=wodedata, CN=my.wodedata.com" --san="my.wodedata.com" --flag serverAuth --flag ikeIntermediate > serverCert.der
    openssl x509 -inform der -in serverCert.der -out serverCert.pem
    openssl rsa -inform der -in serverKey.der -out serverKey.pem
    
  5. Generate the client private key

    # ipsec pki --gen --outform pem > client.pem
    ipsec pki --gen > clientKey.der
    
  6. Issue the client certificate with the CA (C and O must match the CA's values from step 2; the CN can be anything)

    # ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=com, O=wodedata, CN=VPN Client" --outform pem > client.cert.pem
    ipsec pki --pub --in clientKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=com, O=wodedata, CN=Wodedata Client" > clientCert.der
    openssl x509 -inform der -in clientCert.der -out clientCert.pem
    openssl rsa -inform der -in clientKey.der -out clientKey.pem
    
  7. Bundle the client key and certificate into a PKCS#12 file for import on the client (the value after -caname is the friendly name stored for the CA certificate inside the bundle; use the CA's CN from step 2 so the entry is recognisable on the client)

    # openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "VPN CA"  -out client.cert.p12
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "Wodedata CA"  -out clientCert.p12
    
  8. Install the certificates. The server needs only the CA certificate, its own certificate and its own private key (the client certificate may be added if a connection pins it); clientKey.pem stays on the client, because anyone who holds it can authenticate as that client. Everything under private/ must be readable by root only.

     # cp ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
     # cp server.cert.pem /usr/local/etc/ipsec.d/certs/
     # cp server.pem /usr/local/etc/ipsec.d/private/
     # cp client.cert.pem /usr/local/etc/ipsec.d/certs/
    
     cp caCert.pem /usr/local/etc/ipsec.d/cacerts/
     cp serverCert.pem /usr/local/etc/ipsec.d/certs/
     cp serverKey.pem /usr/local/etc/ipsec.d/private/
     cp clientCert.pem /usr/local/etc/ipsec.d/certs/
    

Starting strongSwan

  • Start: ipsec start
  • Reload the connection configuration (ipsec.conf): ipsec reload
  • Re-read the secrets file (user names, passwords and private keys in ipsec.secrets): ipsec rereadsecrets
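The following script deploys the files produced above. It is an added example, not code from the original page or from strongSwan itself. It covers step 8 (installing the certificates with safe permissions, leaving the client key off the server) and the start-up section (the ipsec.conf and ipsec.secrets that `ipsec reload` and `ipsec rereadsecrets` read, which the page does not show), and it first checks the server certificate for the three properties IKEv2 clients reject most often. Assumed rather than taken from the page: the paths can be overridden through the environment, and the client address pool 10.10.10.0/24, the DNS server 8.8.8.8 and the EAP user vpnuser with password change-me are placeholders to replace.

```shell
#!/bin/sh
# Added example, not from the original page: deploy the certificates made in
# the steps above into strongSwan's ipsec.d tree and write a minimal IKEv2
# ipsec.conf / ipsec.secrets for them. Assumed (not in the page): the paths
# can be overridden through the environment, and the client pool, DNS server
# and EAP user below are placeholders to replace.
set -eu

IPSEC_DIR="${IPSEC_DIR:-/usr/local/etc/ipsec.d}"
IPSEC_CONF="${IPSEC_CONF:-/usr/local/etc/ipsec.conf}"
IPSEC_SECRETS="${IPSEC_SECRETS:-/usr/local/etc/ipsec.secrets}"

# verify_server_cert CA_CERT SERVER_CERT FQDN
# The checks IKEv2 clients most often fail on: the certificate must chain to
# the CA, its SAN must contain the name clients dial, and it must carry the
# serverAuth EKU (--flag serverAuth in step 4).
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null &&
    openssl x509 -in "$2" -noout -text | grep -q "DNS:$3" &&
    openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Server Authentication'
}

# install_file SRC SUBDIR MODE: copy SRC into ipsec.d/SUBDIR and set MODE
install_file() {
    mkdir -p "$IPSEC_DIR/$2"
    cp "$1" "$IPSEC_DIR/$2/"
    chmod "$3" "$IPSEC_DIR/$2/$(basename "$1")"
}

# install_server_pki CA_CERT SERVER_CERT SERVER_KEY
# Only these three files belong on the server; clientKey.pem stays with the
# client, because whoever holds it can authenticate as that client.
install_server_pki() {
    install_file "$1" cacerts 644
    install_file "$2" certs 644
    install_file "$3" private 600
    chmod 700 "$IPSEC_DIR/private"
}

# check_private_keys: succeed only if no file under private/ is readable by
# group or others
check_private_keys() {
    [ -z "$(find "$IPSEC_DIR/private" -type f \( -perm -040 -o -perm -004 \))" ]
}

# write_ipsec_conf FQDN SERVER_CERT_BASENAME: one conn for certificate
# clients (any cert issued by the step 2 CA) and one for EAP-MSCHAPv2 users
write_ipsec_conf() {
    cat <<EOF
config setup
    uniqueids=never

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=clear
    dpddelay=300s
    left=%any
    leftid=$1
    leftcert=$2
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8

conn ikev2-cert
    auto=add
    rightauth=pubkey
    rightca=%same

conn ikev2-eap
    auto=add
    rightauth=eap-mschapv2
    eap_identity=%identity
EOF
}

# write_ipsec_secrets SERVER_KEY_BASENAME: the server key plus one EAP user
write_ipsec_secrets() {
    printf ': RSA %s\n' "$1"
    printf 'vpnuser : EAP "change-me"\n'
}

# Usage: sh deploy.sh my.wodedata.com caCert.pem serverCert.pem serverKey.pem
if [ "$#" -eq 4 ]; then
    verify_server_cert "$2" "$3" "$1"
    install_server_pki "$2" "$3" "$4"
    write_ipsec_conf "$1" "$(basename "$3")" > "$IPSEC_CONF"
    write_ipsec_secrets "$(basename "$4")" > "$IPSEC_SECRETS"
    chmod 600 "$IPSEC_SECRETS"
    check_private_keys
fi
```

Run it as root on the server with the four file arguments shown in the usage comment, then `ipsec start`. Certificate clients are admitted on the strength of the CA from step 2 (rightca=%same), so any certificate that CA issues is accepted without copying it to the server; username/password clients must be listed in ipsec.secrets, which the script leaves readable by root only, like the private keys.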
