Setting up an IKEv2 VPN on Ubuntu 16.04

    Tech tutorial · vpnxxw · Source: ixiaohei

    Step 1: Installation

    1. Install StrongSwan

    apt-get install strongswan strongswan-plugin-af-alg strongswan-plugin-agent strongswan-plugin-certexpire strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp strongswan-plugin-duplicheck strongswan-plugin-eap-aka strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-peap strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-ttls strongswan-plugin-error-notify strongswan-plugin-farp strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr strongswan-plugin-sshkey strongswan-plugin-systime-fix strongswan-plugin-whitelist strongswan-plugin-xauth-eap strongswan-plugin-xauth-generic strongswan-plugin-xauth-noauth strongswan-plugin-xauth-pam

    2. Install iptables-persistent

    sudo apt-get install iptables-persistent

    Step 2: Create a self-signed CA certificate

    1. Create a working directory

    mkdir vpn-certs
    cd vpn-certs

    2. Generate the private key of the self-signed CA

    ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem
    chmod 600 server-root-key.pem

    3. Generate the self-signed CA certificate

    ipsec pki --self --ca --lifetime 3650 \
        --in server-root-key.pem \
        --type rsa --dn "C=US, O=VPN Server, CN=VPN Server Root CA" \
        --outform pem > server-root-ca.pem

    4. Generate the private key for the server certificate

    ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem

    5. Issue the server certificate. The CN can be the server's IP address or domain name, but C and O must match the CA certificate.

    ipsec pki --pub --in vpn-server-key.pem \
        --type rsa | ipsec pki --issue --lifetime 1825 \
        --cacert server-root-ca.pem \
        --cakey server-root-key.pem \
        --dn "C=US, O=VPN Server, CN=server_name_or_ip" \
        --san server_name_or_ip \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > vpn-server-cert.pem

    Note: the --san value must be the same as server_name_or_ip; this parameter may be given more than once.

    6. Copy the server certificate and key into the StrongSwan certificate directories and set their permissions

    sudo cp ./vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem
    sudo cp ./vpn-server-key.pem /etc/ipsec.d/private/vpn-server-key.pem
    sudo chown root /etc/ipsec.d/private/vpn-server-key.pem
    sudo chgrp root /etc/ipsec.d/private/vpn-server-key.pem
    sudo chmod 600 /etc/ipsec.d/private/vpn-server-key.pem

    Step 3: Configure strongSwan

    1. Back up the original strongSwan configuration file

    sudo cp /etc/ipsec.conf /etc/ipsec.conf.original

    2. Create an empty strongSwan configuration file

    echo '' | sudo tee /etc/ipsec.conf

    3. Open the strongSwan configuration file

    vi /etc/ipsec.conf

    4. Put the following into /etc/ipsec.conf

    config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no

    conn ios_ikev2
        keyexchange=ikev2
        ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
        esp=aes256-sha256,3des-sha1,aes256-sha1!
        rekey=no
        left=%any
        leftid=@server_name_or_ip
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftdns=8.8.8.8,8.8.4.4
        leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
        right=%any
        rightauth=eap-mschapv2
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity
        dpdaction=clear
        fragmentation=yes
        auto=add

    Note on leftid: when it is a domain name, it must be prefixed with "@", for example:

    leftid=@your_domain.example.com

    When it is an IP address, it is written without the prefix, for example:

    leftid=111.111.111.111
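    Whether leftid needs the "@" prefix depends only on whether the identity is an IP address or a hostname, and a mismatch between leftid and the certificate identity is a common reason clients reject the server. The following shell snippet is an added example, not part of the original post: it derives the leftid value expected for a given server identity and checks an ipsec.conf fragment against it. The hostname vpn.example.com, the conn name and the address pool in the sample fragment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): derive the leftid value
# strongSwan expects for a server identity and check an ipsec.conf
# fragment against it. Hostname, conn name and pool are placeholders.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Print the leftid value for identity $1: an IP address is used as-is,
# a hostname gets a leading '@' so charon treats it as an FQDN identity
# instead of trying to resolve it.
leftid_for() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
    else
        printf '@%s\n' "$1"
    fi
}

# Print the value of key $2 from ipsec.conf text $1 (first match,
# leading whitespace ignored).
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# Return 0 when the leftid in conf text $1 is the right form for
# server identity $2, 1 otherwise.
check_leftid() {
    [ "$(conf_value "$1" leftid)" = "$(leftid_for "$2")" ]
}

# Constructed ipsec.conf fragment for a domain-based server identity.
SAMPLE_CONF='conn ios_ikev2
    keyexchange=ikev2
    leftid=@vpn.example.com
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    rightsourceip=10.10.10.0/24'

if check_leftid "$SAMPLE_CONF" vpn.example.com; then
    echo "leftid matches vpn.example.com"
else
    echo "leftid does not match vpn.example.com" >&2
fi
```

    To use it against a real server, pass the contents of /etc/ipsec.conf and the same value you put in the certificate's --san to check_leftid; a non-zero exit means the identity form is wrong.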

    Step 4: Configure the VPN credentials file

    1. Open the ipsec.secrets file

    vi /etc/ipsec.secrets

    2. Add the following

    server_name_or_ip : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
    your_username %any% : EAP "your_password"

    Note: replace server_name_or_ip with the server's IP address or domain name, your_username with the account name and your_password with the password; keep the double quotes.

    3. Reload ipsec

    ipsec reload

    Step 5: Configure iptables

    1. Flush the existing iptables rules, if there are any

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    iptables -Z

    2. Allow SSH on port 22

    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    3. Allow the loopback interface

    sudo iptables -A INPUT -i lo -j ACCEPT

    4. Allow IPsec connections

    sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
    sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT

    5. Forward ESP (Encapsulating Security Payload) traffic

    sudo iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
    sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT

    6. The most important step: forward the client traffic (SNAT)

    sudo iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

    Note: replace eth0 with your outbound network interface

    7. Allow connections by connection state, the exact state (I don't really understand this one either)

    sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

    8. Drop all other traffic (optional)

    sudo iptables -A INPUT -j DROP
    sudo iptables -A FORWARD -j DROP

    Note: if the server runs other services, this makes them unreachable; add rules for them as your situation requires

    9. Save the rules with netfilter-persistent and reload them (so the iptables rules survive a reboot)

    sudo netfilter-persistent save
    sudo netfilter-persistent reload

    Step 6: Enable kernel IP forwarding (otherwise clients can connect to the VPN server but cannot reach the outside internet through it)

    1. Open /etc/sysctl.conf

    vi /etc/sysctl.conf

    2. Set the following:

    net.ipv4.ip_forward=1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.ip_no_pmtu_disc = 1

    3. Reboot

    sudo reboot

    Step 7: Connect to the VPN

    1. Import the CA certificate on Windows, iOS and macOS (the server-root-ca.pem generated in step 2, referred to here as vpn_root_certificate.pem)

    This step is omitted; look it up yourself.

    2. When connecting, choose the IKEv2 protocol, set the remote ID to the same value as the server identity (server_name_or_ip), set the local ID to anything you like, and use the your_username and your_password configured in ipsec.secrets as the account and password.

    Step 8: Troubleshooting

    1. Location of the ipsec log:

    tail -f /var/log/syslog

    2. If the strongSwan plugins were not installed properly, the eap-mschapv2 authentication method may be unsupported. Check with:

    ipsec statusall

    It returns output like the following (check whether eap-mschapv2 is listed under "loaded plugins"):

    Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-81-generic, x86_64):
      uptime: 3 days, since Jun 22 22:58:56 2017
      malloc: sbrk 2158592, mmap 532480, used 1022368, free 1136224
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
    Virtual IP pools (size/online/offline):
      10.10.10.0/24: 254/0/1
    Listening IP addresses:
      172.21.146.14
      172.17.0.1
    Connections:
       ios_ikev2:  %any...%any  IKEv2, dpddelay=30s
       ios_ikev2:   local:  [server_name_or_ip] uses public key authentication
       ios_ikev2:    cert:  "C=US, O=VPN Server, CN=server_name_or_ip"
       ios_ikev2:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
       ios_ikev2:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
    Security Associations (0 up, 0 connecting):
      none

    Verified: the above works perfectly with Windows 10, iOS 10 and macOS 10.12.

    VPN信息网, all rights reserved. Unless noted otherwise, all content is original and licensed under CC BY-NC-SA; when reposting, please credit VPN信息网 - Ubuntu16.04搭建IKEv2 VPN.