I. System and requirements
System: CentOS 6.5
II. Build and install strongSwan
1. Download
wget http://download.strongswan.org/strongswan.tar.gz
2. Install the required libraries
yum install pam-devel openssl-devel make gcc gmp-devel
3. Build and install
tar zxvf strongswan.tar.gz
cd strongswan-*/    # the extracted directory name carries the version number
./configure --prefix=/usr --sysconfdir=/etc --enable-openssl \
    --enable-nat-transport --disable-mysql --disable-ldap --disable-static \
    --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka \
    --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity \
    --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim \
    --enable-eap-sim-file --enable-eap-simaka-pseudonym \
    --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls \
    --enable-eap-tnc --enable-eap-ttls
make && make install
III. Certificate generation
1. Generate the certificates
# CA key and self-signed CA certificate
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=com, O=myvpn, CN=VPN CA" --ca --outform pem > ca.cert.pem
# server key and certificate; the CN and SAN must be the server's own IP
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
    --cakey ca.pem --dn "C=com, O=myvpn, CN=112.74.112.209" \
    --san="112.74.112.209" --flag serverAuth --flag ikeIntermediate \
    --outform pem > server.cert.pem
# client key and certificate
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem \
    --cakey ca.pem --dn "C=com, O=myvpn, CN=VPN Client" --outform pem > client.cert.pem
# bundle the client key, client certificate and CA certificate into a PKCS#12 file for import
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" \
    -certfile ca.cert.pem -caname "VPN CA" -out client.cert.p12
Note: 123.123.123.123 (written as 112.74.112.209 in the commands above) stands for the server's own IP.
2. Install the certificates
cp -rf ca.cert.pem /etc/ipsec.d/cacerts/
cp -rf server.cert.pem /etc/ipsec.d/certs/
cp -rf server.pem /etc/ipsec.d/private/
cp -rf client.cert.pem /etc/ipsec.d/certs/
cp -rf client.pem /etc/ipsec.d/private/
3. Remove the certificates (only needed when old certificates must be removed; normally skip this step)
rm -rf /etc/ipsec.d/cacerts/ca.cert.pem
rm -rf /etc/ipsec.d/certs/server.cert.pem
rm -rf /etc/ipsec.d/private/server.pem
rm -rf /etc/ipsec.d/certs/client.cert.pem
rm -rf /etc/ipsec.d/private/client.pem
IV. Configure strongSwan
1. Edit /etc/ipsec.conf and replace its contents with the following
uniqueids=no    # allow several devices to be online at the same time
ike=aes256-sha1-modp1024!
leftcert=server.cert.pem
rightauth=eap-mschapv2
rightsourceip=10.11.0.0/24
conn android_xauth_psk
rightsourceip=10.11.0.0/24
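An added check (not from the original post) for the ike= line above: strongSwan writes a proposal as encryption-integrity-dhgroup, separates alternatives with commas, and a trailing "!" means only those proposals are accepted. The script below parses ike=/esp= lines from an ipsec.conf and flags components on a weak list; the weak list and the sample configuration are this example's own choices, not strongSwan defaults.

```python
import re
# Weak-algorithm list is this example's own audit policy, not a strongSwan default.
WEAK = {"modp768", "modp1024", "modp1536",      # MODP DH groups below 2048 bits
        "md5", "sha1", "prfmd5", "prfsha1",     # hash-based integrity / PRF
        "des", "3des", "null"}                  # ciphers
DH_RE = re.compile(r"^(modp|ecp|curve|x25519|x448)")
INTEG_RE = re.compile(r"^(prf)?(md5|sha\d*|aesxcbc|aescmac)")

def classify(token: str) -> str:
    """Map one proposal component to 'dh', 'integ' or 'enc' by its name."""
    if DH_RE.match(token):
        return "dh"
    return "integ" if INTEG_RE.match(token) else "enc"

def parse_proposals(value: str):
    """Split an ike=/esp= value into proposals; returns (proposals, strict_flag).
    Syntax: enc-integ-dh, several proposals separated by ',', trailing '!' = strict."""
    strict = value.endswith("!")
    proposals = []
    for prop in value.rstrip("!").split(","):
        entry = {"enc": [], "integ": [], "dh": []}
        for token in filter(None, prop.split("-")):
            entry[classify(token)].append(token)
        proposals.append(entry)
    return proposals, strict

def weaknesses(entry: dict) -> list[str]:
    """Components of one proposal that are on the weak list (dh, integ, enc order)."""
    return [t for part in ("dh", "integ", "enc") for t in entry[part] if t in WEAK]

def audit_conf(text: str) -> list[tuple[str, str, list[str]]]:
    """Scan ipsec.conf text; return (key, proposal, weak_tokens) for every proposal."""
    report = []
    for m in re.finditer(r"^\s*(ike|esp)\s*=\s*(\S+)", text, re.M):
        props, strict = parse_proposals(m.group(2))
        for prop in props:
            raw = "-".join(prop["enc"] + prop["integ"] + prop["dh"])
            report.append((m.group(1), raw + ("!" if strict else ""), weaknesses(prop)))
    return report

# Constructed sample: the post's ike= line plus a stronger esp= line for contrast.
SAMPLE_CONF = """conn %default
    ike=aes256-sha1-modp1024!
    esp=aes256gcm16-ecp256,aes256-sha256-modp2048!
"""

if __name__ == "__main__":
    for key, prop, weak in audit_conf(SAMPLE_CONF):
        print(f"{key}={prop}: {'WEAK: ' + ', '.join(weak) if weak else 'ok'}")
```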
2. Edit /etc/strongswan.conf and replace its contents with the following:
duplicheck.enable = no
include strongswan.d/charon/*.conf
include strongswan.d/*.conf
3. Edit /etc/ipsec.secrets (create the file if it does not exist)
%any %any : EAP "123456"
Here the first %any is the user name and 123456 is the password: any user name may log in with the password 123456. The first %any can be replaced with a fixed user name.
V. Configure the forwarding rules
1. Set the iptables rules (eth1 is assumed to be the external interface)
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.11.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.11.2.0/24 -j ACCEPT
iptables -A INPUT -i eth1 -p esp -j ACCEPT                   # ESP
iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT       # IKE
iptables -A INPUT -i eth1 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 4500 -j ACCEPT      # IKE/ESP NAT traversal
iptables -A INPUT -i eth1 -p udp --dport 1701 -j ACCEPT      # L2TP
iptables -A INPUT -i eth1 -p tcp --dport 1723 -j ACCEPT      # PPTP
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.11.2.0/24 -o eth1 -j MASQUERADE
Then run:
service iptables save      # write the rules to /etc/sysconfig/iptables first;
service iptables restart   # a bare restart reloads that file and would discard unsaved rules
2. Enable ip_forward
vim /etc/sysctl.conf
Find net.ipv4.ip_forward = 0 and change the value to 1.
Save and exit, then run sysctl -p.
VI. Windows 7 client login
The client needs to import the certificate client.cert.p12 before logging in.